File:            NOTES.TXT
Product:         NCP Secure Communications Software
Manufacturer:    NCP engineering GmbH Nürnberg Germany
-------------------------------------------------------------------------------


Known limitations of the NCP Secure Communications Software

Unless otherwise expressly specified, the following known limitations of 
the NCP Secure Communications Software apply to all supported operating 
systems.


Contents:

1.   NCP Secure Windows Client
1.1  Operating Systems
1.2  Configuring IPSec compression
1.3  Installation of the Gina DLL
1.4  User Logon and Logoff on Windows XP
1.5  The supplementary program NCP Client Tracer
1.6  120 bytes size limitation of the IP header
1.7  Assignment of pool addresses
1.8  Fixed IP address in the WLAN configuration
1.9  WLAN configuration under Windows 2000
1.10 Automatic Media Detection
1.11 Software Update Package
1.12 International Dial-In
1.13 Firewall Rule bound to an Application 
1.14 Troubles when working with AVM WLAN Stick
1.15 Update from a Network Drive
1.16 Wrong Registry Entries 
1.17 Error in connection establishment with WLAN profile

2.   NCP Secure CE/Mobile/Symbian Client
2.1  Updating the NCP Secure CE Client
2.2  Transferring the telephone book to the PDA
2.3  Limitations when dealing with official address ranges
2.4  Infrared segment
2.5  Data Transfer between PDA and PC
2.6  Incorrect Disconnect
2.7  Tips for using the PDA
2.8  Licensing
2.9  DHCP with Pocket PC 2002 EUU3 (or earlier) 
2.10 Dummy Address with DHCP 
2.11 Error when exchanging profile settings with- and without NCP Dialer
2.12 Unable to establish a connection after restarting the PDA 
     (after power save mode)
2.13 Using the loopback adapter
2.14 Support of Windows Mobile 5.0
2.15 Firewall Log File (Entry CE Client)
2.16 Operating Systems on the PC (Entry CE Client)
2.17 Problem with Activesync
2.18 Address of the Tunnel Endpoint (Enterprise Client Symbian)
2.19 Name of the Destination System (Enterprise Client Symbian)
2.20 No Way for Updating between Symbian Entry- and Enterprise Client
2.21 New Installation after an Upgrade of the Firmware

3.   NCP Secure Linux Client
3.1  Kobil Kaan Reader
3.2  The user interface of the Secure Linux Client
3.3  Connection establishment (alternating)
3.4  Autostart under RedHat
3.5  Configuration Update under RedHat
3.6  Update from version 1.0 to 2.0

4.   NCP Secure Client Manager
4.1  Using the NCP Secure Client Manager
4.2  Log File
4.3  Remote Access
4.4  Display of the network settings using the Remote Monitor

5.   NCP Secure Server / Secure Server Manager
5.1  Uninstalling the Secure Server
5.2  120 bytes size limitation of the IP header
5.3  Assignment of pool addresses
5.4  Configuring IPSec compression
5.5  The error display of the Secure Server Manager
5.6  Activating the Load Balance Mode
5.7  Pool Management
5.8  Uninstalling a Secure Server under Windows NT
5.9  Installation under Operating System Windows 2003

6.   NCP Secure HA Server
6.1  Issue regarding Secure High Availability Server Functionality
6.2  Uninstalling the HA Server
6.3  Update (HA Server Linux)

7.   NCP Secure Linux Server
7.1  New Installation
7.2  Autostart under RedHat
7.3  Secure Server and HA Server under the Operating System Fedora Core 3
7.4  Windows Configuration Files under Linux
7.5  Freezing of Linux Systems

8.   NCP Secure Update Server
8.1  Interaction between versions of the Update Server and Secure Client

9.   Firewall settings
9.1  Filter rules that do not permit automatic connection set-up
9.2  Firewall and automatic connection setup in the client configuration

10.  NCP Secure Enterprise Management
10.1 Same user IDs for different clients
10.2 Certificates for login on the Management Server
10.3 Using identical Issuer Certificates for different User Groups (PKI Plug-in)
10.4 Changing the Directory after Update of the Management Console
10.5 Using the Management Server under Linux

11.  Web-Interface
11.1 Configuration of Link Profiles with IPSec over L2TP and L2Sec


-------------------------------------------------------------------------------
1.   NCP Secure Windows Client
-------------------------------------------------------------------------------


1.1  Operating Systems
-------------------------------------------------------------------------------
Enterprise Client

Version 8.31 and later versions of the Secure Client are tested by NCP only 
on the operating systems Windows 2000, Windows XP and Windows Vista. NCP 
cannot guarantee full functionality when the client is used under Windows NT, 
Windows 98 or older Windows versions.


1.2  Configuring IPSec compression
-------------------------------------------------------------------------------
Secure Client (all versions)

The encryption types configured in the IPSec policy can only be individually 
compressed. To do this, a dummy line must be inserted under the encryption 
type that is to be compressed. After the dummy line has been inserted, set 
the protocol on "Comp" for this line. The IPSec compression displayed in this 
line then applies only for the encryption of the line above.


1.3  Installation of the Gina DLL under Windows 2000/XP
-------------------------------------------------------------------------------
Secure Client (Win 32/64)

If the Gina DLL of another manufacturer is already loaded and started 
before the NCP Windows Logon, this Gina DLL must be disabled before the
installation of the NCP Secure Client.

Alternatively, the reference to the NCP Gina DLL must be manually changed in the 
registry of the other manufacturer.
(NCPGINAx.DLL -> NCPGINA1.DLL)
  
Important note: If the Gina DLL referred to in the registry does not exist, the
system cannot be started (blue screen)!


1.4  User Logon and Logoff under Windows 2000/XP and Vista
-------------------------------------------------------------------------------
Secure Client (Win 32/64)

1. Logon and Change
Windows XP/Vista has the option to change users. In that case several users
exist in the Windows start menu and all of them can be logged on.

2. Logoff and Logon with a New User
If a user logs off in the Windows start menu, while no other user is active at
the same time, the user account is deleted and a prompt for a new user appears.

This user change (see 1.) is not supported by the NCP Secure Client.

Note: To change the user, simply log off and then log on as another user (see 2.)


1.5  The supplementary program NCP Client Tracer
-------------------------------------------------------------------------------
Secure Client (Win 32/64)

It is possible to save the log data from the supplemental program NCP Client 
Tracer in order to log a trace. The file name can be freely chosen and bears the 
extension LOG.

Please be aware that the Trace Program does NOT inform you when overwriting a 
previously existing LOG file!

Please make sure to choose new names for the LOG files when saving new 
traces!


1.6  120 Bytes size limitation of the IP header 
-------------------------------------------------------------------------------
Secure Client (all versions)

Using the command "ping -r x" causes the responsible NCP services to be
terminated when the IP header exceeds the size of 120 bytes.
In earlier releases (Server before 5.21, Client before 7.21) the services
were already terminated when the header exceeded 20 bytes. Versions 5.01 and 
below (Server) and 7.01 and below (Client) cause a system halt (blue screen).


1.7  Assignment of pool addresses
-------------------------------------------------------------------------------
Secure Client (all versions)

If the NCP Secure Server runs out of IP addresses from the pool, it can no 
longer assign IP addresses to incoming requests; consequently, it will not be 
possible to establish a connection. For security reasons, the requesting client 
is not informed by a message as to why its connection request was rejected. 
This is also why the NCP Secure Client does not display connection setup 
messages in the graphic status field.


1.8  Fixed IP address in the WLAN configuration
-------------------------------------------------------------------------------
Secure Client 

If the IP address in the configuration of the WLAN settings is assigned  
automatically via DHCP for one WLAN profile, you must reboot your system after  
changing this setting to a fixed IP address. Otherwise the fixed IP address from 
the "WLAN profile / IP addresses" will not be accepted. This problem exists only 
under Windows 2000.


1.9  WLAN configuration under Windows 2000
-------------------------------------------------------------------------------
Secure Client 

Unrestricted use of WLAN profiles under Windows 2000 is only possible after 
Windows 2000 Service Pack 4.0 has been installed.


1.10 Automatic Media Detection
-------------------------------------------------------------------------------
Secure Client 

If a phonebook entry has been configured for "Automatic Media Detection", then 
a (NAS) password must be entered in the "Network dial-in" parameter field; 
otherwise the connection will not be set up.


1.11 Software Update Package
-------------------------------------------------------------------------------
Secure Client 

At the present time no software update packages are available for the 
operating systems Windows XP 64-bit and Windows Vista 64-bit.


1.12 International Dial-In
-------------------------------------------------------------------------------
Secure Client 

When clients with the additional connection manager for international dial-in 
are used, the software update package for version 9.0 has to be modified via 
the management server.

For this, the file conman.dl_ has to be copied once more as conman.dll into the 
same directory on the management server. This file is located in the 
installation directory of the management server under 
%installdir%\client\win32\v_900_0\ncple.

If an installed client can no longer be started after a software update 
because the renaming of the file conman.dl_ has been missed, the existing 
conman.dll in the installation directory of the client must be deleted and the 
new conman.dl_ must be copied into this directory as conman.dll.


1.13 Firewall Rule bound to an Application 
-------------------------------------------------------------------------------
Secure Client 

When the Secure Client (Entry/Enterprise) is used under Windows 2000 SP4, one 
of the following patches for this operating system can block communication 
inside the personal firewall if a rule bound to an application has been 
configured. The binding of the rule fails because of the function 
AllocateAndGetTcpExTableFromStack, and no application can communicate with 
the outside any more.


1.14 Troubles when working with AVM WLAN Stick
-------------------------------------------------------------------------------
Secure Client 

When the Enterprise or Entry Client is used with an AVM WLAN Stick and WPA2 
encryption under the 64-bit operating systems Windows XP or Windows Vista, the 
Client Monitor may freeze after the connection (WLAN and VPN tunnel) has been 
established several times with the link firewall activated. The operating 
system must then be rebooted.


1.15 Update from a Network Drive
-------------------------------------------------------------------------------
Secure Client 

If the option "Active Firewall after Client has been terminated" (Firewall 
Settings / Options) is switched on, an update of the Secure Client cannot be 
executed. This option has to be deactivated before an update is executed. 


1.16 Wrong Registry Entries
-------------------------------------------------------------------------------
Secure Client 

When a Secure Client is updated or reinstalled, wrong registry entries can 
cause errors. In this case a message box is displayed which must be closed 
with "OK"; the errors are then removed. After that the system has to be 
rebooted and the installation or the update has to be started once more.


1.17 Error in connection establishment with WLAN profile
-------------------------------------------------------------------------------
Secure Client

If the connection of a WLAN profile to an access point is tested by quickly
pressing the buttons for connecting and disconnecting, this may lead to an 
error in the connection establishment.


-------------------------------------------------------------------------------
2.   NCP Secure CE Client
-------------------------------------------------------------------------------


2.1  Updating the NCP Secure CE Client
-------------------------------------------------------------------------------
Secure CE Client

Before an update of the PC components is executed, make sure that the 
software is not running.


2.2  Transferring the telephone book to the PDA
-------------------------------------------------------------------------------
Secure CE Client 

Please note that even an empty telephone book can be transferred to the PDA. In
doing so, a previously existing telephone book residing on the PDA may possibly 
be deleted!

If a connection is active while the telephone book or a certificate is 
transferred to the PDA, it is terminated without warning.


2.3  Limitations when dealing with official address ranges
-------------------------------------------------------------------------------
Secure CE Client with RAS-Dialer 

Please note that access via VPN to systems with official IP addresses from 
the range of the selected ISP is currently not possible, because the RAS adapter 
from Microsoft directly establishes this access itself.


2.4  Infrared segment
-------------------------------------------------------------------------------
Secure CE Client 

If defective connections occur, this can be due to the infrared segment. 
Therefore, please ensure that the mobile phone you are using is not too far 
away from the PDA.

If the PDA is switched off while the modem is connected over the infrared
interface, Microsoft's infrared stack will not be re-initialized. The PDA
requires a soft reset, thereby reinitializing the infrared stack before
connections using the modem over this interface can take place.


2.5  Data Transfer between PDA and PC
-------------------------------------------------------------------------------
Secure CE Client 

When using the automatic connection mode, an ActiveSync connection via the USB 
interface can not be established because of routing problems.


2.6  Incorrect Disconnect
------------------------------------------------------------------------------- 
Secure Entry CE Client 

After a disconnect caused by switching off the PDA (also by itself) and a 
restart of the PDA, the Client Monitor will display the green connection bar as 
if the connection were still established. The bar disappears when the timeout 
has expired. 
- After a disconnect of a LAN connection: If the LAN adapter or the LAN cable 
is removed after the PDA has restarted, the green bar disappears after 10 
seconds.

- After a disconnect of a modem connection: If the infrared connection is 
aborted after the PDA has restarted, the green bar disappears after 10 seconds.


2.7  Tips for using the PDA
-------------------------------------------------------------------------------
Secure CE Client 

General PocketPC 2002:
Use the COM3 interface for infrared connection via the NCP dialer (COM2 "IRDA 
Connection" usually does not work).

MDA from T-Mobile (xda from O2 is probably similar):
GSM and GPRS connections are possible using the RAS dialer, however not via the 
NCP dialer. Use "Cellular Line" as device.

A special telephone number is required for GPRS: 
+~GPRS!internet.t-d1.de
(The "+~GPRS!" must always be at the beginning, then comes the APN suitable for 
T-D1.)

The Secure CE Client does not work together with the Odyssey Client. The Odyssey 
Client is often used with Dell PDAs and already installed wireless LAN.


2.8  Licensing
-------------------------------------------------------------------------------
Secure CE Client 

The following functions are only available with 2.0 license keys: 
- IPSec Tunneling
- IP address of an Update Server in the telephone book 
- EAP (not yet functional, even with V2 keys)
- Firewall: IPNat (if the firewall is activated -> all ports are always 
  blocked, incoming and outgoing)

The restriction takes effect as follows: when the telephone book / the CNF file 
is uploaded, all telephone book entries are searched and the above options are 
deactivated WITHOUT warning. 


2.9  DHCP with Pocket PC 2002 EUU3 (or earlier) 
------------------------------------------------------------------------------- 
Secure CE Client 

Due to deficiencies of the operating system Pocket PC 2002 EUU3 in connection 
with DHCP the following errors may occur: 
- The first connection setup will usually fail if DHCP is configured on the 
Ethernet adapter of the PDA and a digital certificate is used.
- No connection will be established if the Tunnel End Point (dest.) is entered 
as DNS Name, and the Ethernet adapter of the PDA gets its IP address via DHCP 
(if the IP address is assigned to the PDA by DHCP, the DNS Server must also be 
assigned by DHCP).
These problems will not occur with a fixed IP address for the LAN adapter.

 
2.10 Dummy Address with DHCP 
------------------------------------------------------------------------------- 
Secure CE Client 

With DHCP configured the Entry CE Client gets the dummy address 192.168.254.2, 
which may already be assigned in the LAN. This will cause an address error. 
Carry out a soft reset and assign a fixed IP address to the Entry CE Client. 


2.11 Error when exchanging profile settings with- and without NCP Dialer
-------------------------------------------------------------------------------
Secure CE Client

Support for the PDA's WAN adapter(s) can be configured with the program
NCPCONFIG.EXE. By default, the RAS adapter is active and is used to set 
up the connections. The NCP (loopback) adapter can only be used for certain
connections (see Manual, Profile Settings, Basic Settings) and is activated by 
default.

When the loopback adapter is disabled (using the ncpconfig.exe) all existing - 
including the profile entry presently selected - and newly defined profiles 
using the NCP-Dialer will be hidden from the list of available destinations. 
In other words, profiles will simply not show up in the list of available 
destination profiles, including the profile that is/was active when uploading 
new profiles; resulting in the user having to select an alternative (valid) 
profile. (The "missing" profiles and the reason for their omission are shown 
in the log.)

Solution: Either activate the NCP Dialer or configure the modem in the
profile for RAS.


2.12 Unable to establish a connection after restarting the PDA 
(after power save mode)
-------------------------------------------------------------------------------
Secure CE Client

The extended installation with AUTOINSTALL.EXE determines how an existing
connection is dealt with after a restart. Call autoinstall.exe in the 
installation directory on the PC: 
autoinstall -disconnectafterpoweron 0 [or] 1 
0 = the connection will not be dropped after the restart.
1 = the connection will be dropped after the restart.

After the registry modification has been transferred to the PDA, the
respective setting is made there, provided that DHCP is not active on the
NCP (loopback) adapter. Default setting on the PDA = 1.

If the parameter is set to 0 on the PDA, the connection may still be dropped 
after the PDA is switched off in power save mode and then restarted. This is a 
result of Dead Peer Detection (DPD) polling.

Solution: Wait for about 30 seconds. Then a new connection attempt is possible 
and DPD polling will work again. Alternatively, disable DPD in the 
configuration of the profile settings under "IPSec Settings".


2.13 Using the loopback adapter
-------------------------------------------------------------------------------
Secure CE Client

Note: On Windows CE devices of the PocketPC platform, the virtual network 
adapter "NCP Loopback" is deactivated after a new installation (standard). This 
means that profile settings with NCP Dialer, and to some extent automatic mode 
as well, cannot be used. These profiles are automatically hidden on the 
PDA after an upload from the Configurator. In this case a text appears in the 
log window stating that the profiles are not compatible with the current 
setting on the PDA.

Operation without the virtual network adapter is recommended on devices with 
Pocket PC 2003 (Phone Edition).

If the virtual network adapter "NCP Loopback" is deactivated (standard after a 
new installation), note the following when creating a "Filter rule / local":
the firewall blocks the communication unless the setting "All IP addresses" is 
configured. A "Unique IP address" or "Multiple IP addresses" from the local 
IP range can only be used after the loopback adapter has been activated. This 
can be done via the configuration program NCPCONFIG.EXE on the PDA. The 
configuration program is normally located in the installation directory:
\Programs\NCP Secure CE Client\


2.14 Support of Windows Mobile 5.0
-------------------------------------------------------------------------------

On Pocket PCs and the MDA Pro from T-Mobile the client supports the operating 
system Windows Mobile 5.0. In this case note that only the driver of the 
loopback adapter and the media driver carry a signature, but not all the other 
executable files. On the MDA Pro the prompt is switched off when files without 
a signature are installed. Devices from other manufacturers may display special 
message boxes which can be closed. Only devices with two-tier security cannot 
execute files without a signature.


2.15 Firewall Log File (Entry CE Client)
-------------------------------------------------------------------------------

The path of the firewall log file is ignored. The PDA always writes the log 
data into the root directory. Normally the path of the firewall log file is 
entered in the Configurator menu of the PC component under "Configuration / 
Firewall Settings / Logging / Path for the log files".


2.16 Operating Systems on the PC (Entry CE Client)
-------------------------------------------------------------------------------

The current version and further versions of the PC component of the Secure 
Client will only be tested on the Windows systems Windows 2000, Windows XP and 
Windows Vista. 

Administrator rights are required to use the PC component (Configurator) under 
these operating systems.

Full functionality of the client software under Windows NT or Windows 98/95 
cannot be guaranteed.


2.17 Problem with Activesync
-------------------------------------------------------------------------------
Secure CE Client

Description: The user wants to enable an ActiveSync connection to a PC via
Bluetooth in order to download a configuration file. The Configurator of the 
CE Client is installed on the PC and in addition another NCP Client is 
installed.

Problem: If the MDA is connected at the same time via a WLAN, the ActiveSync 
connection via Bluetooth may not work.

Workaround: Either close the WLAN connection or stop the UDP prefiltering on
the PC.


2.18 Address of the Tunnel Endpoint (Enterprise Client Symbian)
-------------------------------------------------------------------------------

In the configuration manager's phonebook the tunnel endpoint must not be 
entered as a DNS name, only as an IP address!


2.19 Name of the Destination System (Enterprise Client Symbian)
-------------------------------------------------------------------------------

It is not allowed to enter the character "+" in the name of the destination 
system!

2.20 No Way for Updating between Symbian Entry- and Enterprise Client
-------------------------------------------------------------------------------

If you want to change from one Symbian version to the other, the installed 
software must be removed first. After that the other version can be installed.
Otherwise a message with "Update Error" will appear!


2.21 New Installation after an Upgrade of the Firmware
-------------------------------------------------------------------------------

After an upgrade of the Nokia firmware it can occur that the connection to 
the internet is no longer available (message: "unavailable connection").
If this is the case, you have to install the NCP Symbian software once more!


-------------------------------------------------------------------------------
3.   NCP Secure Linux Client
-------------------------------------------------------------------------------

Please note that the following Linux programs must always be installed in the 
system.

- dhcpcd    (DHCP Client daemon)
- ifconfig  (network configuration tool)


3.1  Kobil Kaan Reader
-------------------------------------------------------------------------------
Secure Linux Client

The Kobil B0/B1 chip card readers can be configured for use; however, they 
have not been tested.


3.2  The user interface of the Secure Linux Client
-------------------------------------------------------------------------------
Secure Linux Client

- If the Client Monitor has been started from within a console, and this 
console is then closed, the system will also close the Client Monitor without
warning the user.
- An online help has not yet been implemented.


3.3  Connection establishment (alternating)
-------------------------------------------------------------------------------
Secure Linux Client

If, when configuring the connection establishment (see -> Telephone book, 
Connection control), the mode is switched from "automatic" to "alternating" 
and the IP addresses are not allocated from an address pool, then although a 
connection may be established, no communication will actually take place.

Cause:
The tap0 virtual VPN interface is not active.

Remedy:
Reconfiguring from "automatic" to "alternating" connection establishment must
be carried out via the "manual" intermediate step.

It is also possible to manually activate the device with the "ifconfig tap0 up" 
command.
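Added diagnostic script, written here as an example and not part of the NCP Secure Linux Client: it checks that the tools named at the start of section 3 (dhcpcd, ifconfig) are installed and parses ifconfig output to see whether the tap0 interface carries the UP flag, which is the condition behind the "connection established but no communication" symptom of 3.3. It assumes the classic net-tools ifconfig output format (and also recognises the newer "name: flags=<UP,...>" form); the ifconfig output embedded in it is a constructed sample, and the live check only runs when called explicitly.

```shell
#!/bin/sh
# Added diagnostic helper (not NCP's code): prerequisite check for the tools
# named in section 3 and an UP-flag check for the tap0 VPN interface (3.3).

# Returns 0 when every named tool is on PATH, 1 otherwise (missing names are
# reported on stderr).
check_required_tools() {
    missing=0
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing required tool: $tool" >&2
            missing=1
        fi
    done
    return $missing
}

# iface_is_up NAME TEXT
# Parses `ifconfig -a` output passed as TEXT and returns 0 if interface NAME
# carries the UP flag. Output is passed as an argument so the parser can be
# exercised offline on constructed samples. Classic net-tools format: header
# line "tap0      Link encap:..." followed by an indented flags line that
# starts with "UP" when the interface is active. Newer format: the header line
# itself reads "tap0: flags=4163<UP,BROADCAST,...>".
iface_is_up() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == ifc || $1 == (ifc ":") {          # header line of our interface
            inblock = 1
            if ($0 ~ /<UP[,>]/) found = 1        # newer format: flags on header
            next
        }
        /^[^ \t]/ { inblock = 0 }                # non-indented line: next interface
        inblock && $1 == "UP" { found = 1 }      # classic format: flags line
        END { exit found ? 0 : 1 }'
}

# Constructed sample (not captured from a real system): eth0 is up, tap0
# exists but is down, which is exactly the 3.3 situation.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

tap0      Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          BROADCAST MULTICAST  MTU:1500  Metric:1
'

# Live check on a real client; bringing the interface up needs root and uses
# the "ifconfig tap0 up" command from 3.3. Not called automatically.
check_live_tap() {
    check_required_tools dhcpcd ifconfig || return 1
    if iface_is_up tap0 "$(ifconfig -a 2>/dev/null)"; then
        echo "tap0 is UP"
    else
        echo "tap0 is down, bringing it up (ifconfig tap0 up)" >&2
        ifconfig tap0 up
    fi
}

# Offline demonstration against the constructed sample:
iface_is_up eth0 "$SAMPLE_IFCONFIG" && echo "sample: eth0 is UP"
iface_is_up tap0 "$SAMPLE_IFCONFIG" || echo "sample: tap0 is DOWN (cause of 3.3)"
```

Run `check_live_tap` as root on the client after switching the connection mode; if it reports tap0 as down, the interface was not activated by the mode change and the "manual" intermediate step (or the ifconfig command) is the remedy.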


3.4  Autostart under RedHat
-------------------------------------------------------------------------------
Secure Linux Client

The autostart folder is not found under RedHat 8.0 / 9.0 with Gnome.
Therefore, after a reset of the PC the popup and the monitor must be started 
manually.


3.5  Configuration Update under RedHat
-------------------------------------------------------------------------------
Secure Linux Client

Currently, an automatic configuration update of the client is not available
under RedHat.


3.6  Update from version 1.0 to 2.0
-------------------------------------------------------------------------------
Secure Linux Client

Before an update from version 1.0 to 2.0 the client must be uninstalled and the
PC must be rebooted. (The following files remain after uninstalling the client: 
under SuSE 8.2 etc/rc.config.ncp and etc/rc.config, under RedHat the file 
etc/modules.conf.ncp.)




-------------------------------------------------------------------------------
4.   NCP Secure Client Manager
-------------------------------------------------------------------------------


4.1  Using the NCP Secure Client Manager
-------------------------------------------------------------------------------
Secure Client Manager

Up to now the installation program is only available in English!


4.2  Log File
-------------------------------------------------------------------------------
Remote Monitor

The "Remote LOG" menu item in the Remote Monitor can only be opened if the 
logbook has been opened at least once via the Remote Monitor on the Client to 
read in data. Otherwise it is empty.


4.3  Remote Access
-------------------------------------------------------------------------------
Remote Monitor

The statistics bar cannot be displayed for Remote Access on Client version 
7.20 (in this version the data are not completely transferred). If a change has 
been made in the RAS dialer, then only the information "Data could not be 
changed!" appears.


4.4  Display of the network settings using the Remote Monitor
-------------------------------------------------------------------------------
Remote Monitor

The properties of the TCP/IP protocol (e.g. IP address) cannot be displayed 
in the Windows network settings using the Remote Monitor when the client runs
under Windows 2000 or Windows NT.



-------------------------------------------------------------------------------
5.   NCP Secure Server / Secure Server Manager
-------------------------------------------------------------------------------


5.1  Uninstalling the Secure Server
-------------------------------------------------------------------------------
Secure Server

After uninstalling the NCP Secure Server, an SNMP error message appears. This 
error has no impact on the system.


5.2  120 bytes size limitation of the IP header
-------------------------------------------------------------------------------
Secure Server

Using the command "ping -r x" causes the applicable NCP services to be
terminated if the IP header exceeds the size of 120 bytes.
In earlier releases (Server before 5.21, Client before 7.21) the services
were already terminated when the header exceeded 20 bytes. Versions 5.01 and 
below (Server) and 7.01 and below (Client) cause a system halt (blue screen).


5.3  Assignment of pool addresses
-------------------------------------------------------------------------------
Secure Server

If the NCP Secure Server runs out of IP addresses from the pool, it can no 
longer assign IP addresses to incoming requests; consequently, it will not be 
possible to establish a connection. For security reasons, the requesting client 
is not informed by a message as to why its connection request was rejected. 
This is also why the NCP Secure Client does not display connection setup 
messages in the graphic status field.


5.4  Configuring IPSec compression
-------------------------------------------------------------------------------
Secure Server Manager

The encryption types configured in the IPSec policy can only be compressed 
individually. To do this, a dummy line must be inserted under the encryption 
type that is to be compressed. After the dummy line has been inserted, set 
the protocol on "Comp" for this line. The IPSec compression displayed in this 
line then applies only for the encryption of the line above.


5.5  The error display of the Secure Server Manager
-------------------------------------------------------------------------------
Secure Server Manager

Errors are shown in the NCP Server Manager error log only after the error log 
has been opened a second time.


5.6  Activating the Load Balance Mode
-------------------------------------------------------------------------------
Secure Server

After activating the Load Balance Mode the gateway must be rebooted two times,
otherwise this mode will not be active!


5.7  Pool Management
-------------------------------------------------------------------------------
Secure Server

When all IP addresses of a pool are already assigned to remote links, a client 
whose link profile is configured with the same IP pool should not be able to 
establish a connection to the Secure Server. In spite of this, the client 
receives an address which is not in the range of this address pool, and a 
connection is established without any possibility of data transfer. 


5.8  Uninstalling a Secure Server under Windows NT
-------------------------------------------------------------------------------
Secure Server

Before uninstalling a Secure Server the service snmp.exe must be stopped. 
Otherwise an error message appears stating that snmp.exe has caused a fault and 
will be closed.


5.9  Installation under Operation System Windows 2003
-------------------------------------------------------------------------------

If the Secure Server is to be installed under the operating system Windows 
2003, you should deactivate the service "IPSec Driver" manually, because after 
a reboot this service generates a message on the display that must be 
dismissed manually.

The function "System / Reboot System" in the menu of the Server Manager cannot 
be used under Windows 2003.


-------------------------------------------------------------------------------
6.   NCP Secure HA Server
-------------------------------------------------------------------------------


6.1  Issue regarding Secure High Availability Server Functionality
-------------------------------------------------------------------------------
Secure HA Server

If the NCP HA server is operated in failsafe mode and the first gateway goes 
down, all connections are rerouted to the second gateway. When the first 
gateway returns to service, the HA server automatically dismantles all 
connections to the second gateway so that it can route these connections to 
the standard gateway on the next dial-in. For a client maintaining a 
connection to the second (replacement) gateway this means that, once the first 
gateway is operable again, the connection to the second gateway is 
disconnected for no apparent reason and the client has to dial in again.


6.2  Uninstalling the HA Server
-------------------------------------------------------------------------------
Secure HA Server

After uninstalling the HA Server one is prompted whether shared files should be 
deleted or not (Remove shared file). These files should not be deleted if 
another NCP product is installed on the PC.


6.3  Update (HA Server Linux)
-------------------------------------------------------------------------------
HA Server Linux

An update from versions < 1.07 to version 1.07 is only available on request.



-------------------------------------------------------------------------------
7.   NCP Secure Linux Server
-------------------------------------------------------------------------------


7.1  New Installation
-------------------------------------------------------------------------------
Secure Linux Server

In order for addresses (taken from the Pool) to be correctly assigned to the 
clients as configured, the services have to be stopped and restarted (rcncpsvr) 
at least twice! After the second start, the assignment of addresses will 
function normally.


7.2  Autostart under RedHat
-------------------------------------------------------------------------------
Secure Linux Server

An Autostart under Red Hat 7.3 will fail. Because of this, the daemon "ncpsnmpd" 
must be started manually after rebooting the Secure Server.


7.3  Secure Server and HA Server under the Operating System Fedora Core 3
-------------------------------------------------------------------------------
Secure Linux Server

When the Secure Server works together with an HA Server under Fedora Core 3, the 
service srvrsud (responsible for updates) should be uncommented. This prevents 
the service ncpdved (responsible for the HA Server) from failing to start when 
the service srvrsud has only started incompletely after a reboot. 


7.4  Windows Configuration Files under Linux
-------------------------------------------------------------------------------
Secure Linux Server

The configuration files of a Secure Server under Windows can also be used under 
Linux. For that purpose the configuration files under Windows (vpnpki.cfg, 
vpngw.cfg, vpnlink.cfg, ipsec.cfg) have to be copied to the Linux Server 
directory etc/ncp/vpn/cfg as vpnpkix.cfg, vpngwx.cfg, vpnlinkx.cfg, ipsecx.cfg.

The configuration file vpnadmins.cfg is excepted! If this file is used under 
Linux, the logon to the server via the Server Manager will fail!

When the Secure Server under Linux is started without the vpnadmins file, this 
file is created anew. In this case the administrator management for the server 
must be reconfigured.
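As an added example (not NCP's own tooling), a POSIX shell helper that performs the copy-and-rename described above and skips vpnadmins.cfg; the destination directory is an assumed argument, since the notes give the path as etc/ncp/vpn/cfg relative to the server directory.

```shell
#!/bin/sh
# Added example, not part of the NCP notes: stage Windows Secure Server
# configuration files for a Linux Secure Server, appending the "x" suffix
# the notes describe. vpnadmins.cfg is skipped on purpose because reusing
# it under Linux breaks the Server Manager logon; the server recreates it.
# Assumption: the caller passes the absolute destination directory.

# Files the notes list as transferable; anything else is left alone.
ALLOWED="vpnpki.cfg vpngw.cfg vpnlink.cfg ipsec.cfg"

# linux_name FILE -> prints the Linux name, e.g. vpngw.cfg -> vpngwx.cfg
linux_name() {
    base=${1%.cfg}
    printf '%sx.cfg\n' "$base"
}

# stage_cfg SRC_DIR DST_DIR
# Copies each allowed file present in SRC_DIR to DST_DIR under its Linux
# name. Warns on stderr if vpnadmins.cfg is present so the operator knows
# it was deliberately not transferred. Returns non-zero on copy failure.
stage_cfg() {
    src=$1; dst=$2
    if [ -f "$src/vpnadmins.cfg" ]; then
        printf 'note: skipping vpnadmins.cfg (must not be used under Linux)\n' >&2
    fi
    mkdir -p "$dst" || return 1
    for f in $ALLOWED; do
        [ -f "$src/$f" ] || continue
        cp "$src/$f" "$dst/$(linux_name "$f")" || return 1
    done
    return 0
}
```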


7.5  Freezing of Linux Systems
-------------------------------------------------------------------------------
Secure Linux Server

Linux systems with kernel version 2.6.11-4-smp (SuSE 9.3 is based on this) 
can freeze completely under certain circumstances.

This state can occur under load, when a data packet is passed from user space 
to the kernel module netfilter over the interface ipqueue.
This problem has been fixed with kernel 2.6.11-4-smp. Other kernels may behave 
in the same way.

Solution:
Another kernel version has to be used. With version 2.6.13-4-smp 
the described behaviour could no longer be observed.



-------------------------------------------------------------------------------
8.   NCP Secure Update Server
-------------------------------------------------------------------------------

8.1 Interaction between versions of the Update Server and Secure Client

The Secure Client version 8.10 (and above) can be installed in a user-defined 
subdirectory (instadir). Former releases could only be installed in the ncple 
subdirectory of the Windows root directory, and the Update Server components 
< 2.05 and their rwsrsu services were designed for that location.

If the current client software version 8.10 is used with a release of the 
Update Server earlier than version 2.05, and the client has been installed in a 
user-defined subdirectory, the update functionality cannot be used.


-------------------------------------------------------------------------------
9.   Firewall settings
-------------------------------------------------------------------------------

9.1  Filter rules that do not permit automatic connection set-up

If a rule is generated in the firewall that excludes automatic connection setup, 
then no data can flow over a connection from the client to the other side if the 
connection set-up type has been set to "Automatic" or "Alternating" in the 
client telephone book (profile settings), under the header "Connection control".

Remedy: Either change the firewall rule so that automatic connection set-up is 
not excluded, or set "Manual" connection set-up in the client configuration.

9.2  Firewall and automatic connection setup in the client configuration

If a rule is generated in the firewall that only permits data traffic over 
"familiar" networks and/or VPN networks, then automatic connection set-up cannot 
occur, even if it has been set in the client configuration (telephone book, 
profile settings) under the header "Connection control".

Remedy: Either allow data traffic over "unfamiliar" networks in the firewall 
rule, or set the connection set-up to "Manual" in the client configuration.


-------------------------------------------------------------------------------
10.  NCP Secure Enterprise Management
-------------------------------------------------------------------------------

10.1 Same user IDs for different clients

If you want to use the option that a user's client software is preconfigured 
for different operating systems, so that the user can be deployed on different 
computer platforms, then the same user ID can be assigned, e.g. for Linux, 
Windows and Windows CE software. If there is a configuration change and a 
subsequent update, then all corresponding client configurations are edited 
concurrently.
This option can only be used for different operating systems.

If the same procedure is also desired with the software for different product 
versions like GovNet Client and Enterprise Client within the Windows CE 
operating system, then errors will occur in the management procedure.


10.2 Certificates for login on the Management Server

For login and authentication via the Console against the Management Server you 
can use certificates. The user certificate is configured via the menu item 
"Settings / SSL Configuration" of the console. For authentication purposes the 
issuer certificate is required on the server. The path of this issuer 
certificate must be entered correctly in the file ncprsu.conf. The file 
ncprsu.conf is located on the Management Server under Programs\ncp\ncpmgmsrv.


10.3 Using identical Issuer Certificates for different User Groups (PKI Plug-in)

If the same issuer certificate is imported separately for each of several 
groups, errors can occur. Issuer certificates that are to be used by several 
user groups on the same level of the group hierarchy must be imported in the 
next higher user group and inherited by the corresponding subgroups.


10.4 Changing the Directory after Update of the Management Console

When a profile was generated with the PKI Management Plug-in of the Console 
version 1.04 and its P12 certificates are stored in the installation directory 
of the console software (e.g. under C:\Program Files\NCP\Mgm Console\DEMOCA\CERTS), 
you have to change the path in the profile after the Management Console has 
been updated to version 2.00 to:
C:\Documents and Settings\Admin\Application Data\NCP\Mgm Console\DEMOCA\CERTS
Only then can a certificate be created and stored with this profile.


10.5 Using the Management Server under Linux

The Secure Enterprise Management Server can only be started under Linux when 
the following software packages, depending on the Linux version, have been installed:
- under Red Hat Enterprise Server 5: package compat-libstdc++-296-2.96-138.i386.rpm.
- under Ubuntu 6.06 - 7.10: package libstdc++2.10-glibc2.2
- under Ubuntu 8.04: package libstdc++2.10-glibc2.2 from Ubuntu version 7.10.


-------------------------------------------------------------------------------
11.  Web-Interface
-------------------------------------------------------------------------------

11.1 Configuration of Link Profiles with IPSec over L2TP and L2Sec
-------------------------------------------------------------------------------

If a link profile is to be configured with IPSec over L2TP, the Secure Server 
Manager or the Secure Enterprise Management must be used. Configuration via 
the Web-Interface is currently not possible. The configuration of an L2Sec link 
is displayed incorrectly.


===============================================================================
NCP engineering GmbH,
12/19/2008