iPassConnect 3.66 Administrator's Guide

Version: 5.0; February, 2009

Corporate Headquarters: iPass Inc., 3800 Bridge Parkway, Redwood Shores, CA 94065 USA, www.ipass.com, +1 650-232-4100, +1 650-232-0227 fx


Introduction

Types of Network Service
    iPass Networks
    Customer Networks
    Personal Wi-Fi Networks

Connectivity Types
    Wi-Fi (also known as WLAN)
        Summary of actions (WZC)
        Auto-Connect
    Ethernet
    Mobile Data
    Digital Subscriber Line (DSL)
    Home Broadband
    Dial-up
        Dial Options

The iPassConnect Interface
    Launching iPassConnect
    Selecting a Connection
        Available Networks
        Phonebook Search by Location
        Default Country
        Local Number Lookup
        Search by Keyword
        Bookmarks

Phonebooks
    Filtering Content
    Custom Phonebooks

Connection Information
    Connection Status
        Status tab
        Usage tab
        Offline Cumulative Usage
    Connection Log
    SQM Data

Appearance
    Banner Image
    Desktop Shortcut Name
    Default Installation Path
    Custom Help Menu Items
        Technical Support Message
        Supplementary Help
    Display Dial-up Pricing

Configuration Options
    Profiles
    About iPassConnect
    Languages Supported
        Selecting Installation Language
    Session Management Options
        Idle Timeout
        Session Limit
    Username Options
        Domains
        Non-editable Domain
        Domain Hidden
        Department/Project Code
    Password Options
        Save Password
        Cache Password
        iPass Encrypted Login (formerly iSEEL)
    Unique Session ID (USID)
    Certificate Authentication
        Trusted Root CAs
        PEAP-GTC Protocol
        TTLS-PAP Protocol
        TTLS-GTC Protocol
    Live Logon
        Live Logon feature for Windows Vista
        Timeout
        Single Sign On
    Mobile Data Features
        PIN Management
        Administrator-Provisioned Networks
        User-Configured Networks
        Admin Network Control

Phonebook and Software Updates
    Background Updates
    Software Updates
        Speed Prioritized Update

Integration
    Connect Actions
        Connect Action Types
        Connect Action Parameters
    FlexVPN
        User-Defined Post Connect Actions
    Supported Third Party Applications
        VPN Integration
        VPN Gateway Selection
    Personal Firewall (PFW) Integration
    Antivirus (AV) Integration

Copyright © 2009, iPass Inc. All rights reserved.

Trademarks

iPass, iPassConnect, and the iPass logo are trademarks of iPass Inc. All other brand or product names are trademarks or registered trademarks of their respective companies.

Warranty

No part of this document may be reproduced, disclosed, electronically distributed, or used without the prior consent of the copyright holder.

Use of the software and documentation is governed by the terms and conditions of the iPass Corporate Remote Access Agreement, or Channel Partner Reseller Agreement.

Information in this guide is subject to change without notice.

Every effort has been made to use fictional companies and locations in this manual. Any actual company names or locations are strictly coincidental and do not constitute endorsement.


Introduction

iPassConnect™ makes secure, simple and effective network connectivity a reality. No matter the location or access type, iPassConnect users have on-demand connectivity to the corporate network through thousands of WLAN, Ethernet, Dial-up, ISDN, PHS, GSM, and Mobile Broadband access points in over 100 countries. This comprehensive network includes over 100,000 Wi-Fi and Ethernet access points in iPass-enabled airports, hotels, conference centers and coffee shops.

The iPassConnect universal client enables professionals to access corporate networks using virtually any computing device, and connect to Wi-Fi securely. IT managers can implement centrally-managed policies for access, security and usage to control how the users connect to the Internet.

What's more, iPassConnect allows the IT staff to deploy the client with minimal user intervention and at lower total enterprise cost.

This document gives an overview of the capabilities of iPassConnect 3.66 for Windows. You will find information on general usage, product features and benefits, installation and upgrading, configuration options, and administrator-controlled policies.


Types of Network Service

iPassConnect is configurable for a wide variety of service types. This includes the iPass networks, customer networks and personal Wi-Fi hotspots as defined by the user.

iPass Networks

Enterprise users can rely on highly available, secure, global iPass network connections. iPass maintains agreements with service providers worldwide, aggregating networks into a single virtual network with over 100,000 Wi-Fi access points.

Customer Networks

Customers may add their own access points to iPassConnect by providing the list of customer networks to be added to their specific profile. A list of customer networks is also known as a CBook. Inclusion of customer networks in iPassConnect is subject to commercial agreement.

The customer networks can be accessed in the same way as standard iPass access points.

The iPassConnect user interface sniffs and automatically displays the available Wi-Fi, Ethernet and Mobile Broadband networks under the Available Networks section on the iPassConnect main window. Users can search for any of these networks by location, by local number (Dial-up), or by keyword.

The customer administrator can specify the order in which the access points are to be displayed.

Customer networks can include the full range of iPassConnect connection technologies and security options, including Auto-Connect to customer Wi-Fi and 802.1X Ethernet.

Please raise a Support Ticket for any further assistance.

Personal Wi-Fi Networks

Administrators may allow users to include their own personally selected Wi-Fi access points in iPassConnect. Users can easily access home services and other frequently used access points other than the iPass networks and customer networks.

Examples of personal Wi-Fi networks may include a home network or a hotspot at a local coffee shop without iPass service. iPassConnect supports display of both broadcast and non-broadcast Wi-Fi networks.

An Internet connectivity test at connection time determines whether Internet access is available, or if a Web browser should be launched to allow the user to navigate out of a walled garden (for example, by signing up for service at a non-iPass venue).

An administrator can choose to allow personal networks to Auto-Connect. See the Auto-Connect section for more information.


Connectivity Types

You can configure iPassConnect with any combination of the connection types available in iPassConnect (subject to commercial agreement).

Wi-Fi (also known as WLAN)

iPassConnect is a full service Wi-Fi connection manager and 802.1X supplicant. The client supports all 802.11b and 802.11g devices which offer an NDIS 5.1 interface. iPassConnect can connect to public iPass hotspots, private administrator-provisioned (CBook) services or personal (user-defined) services.

iPassConnect automatically detects locally broadcast Service Set Identifiers (SSIDs), as well as specified non-broadcast SSIDs. The Available Networks list displays:

- SSID
- Security level of each automatically detected hotspot
- Signal strength
- The icon for iPass network

Clicking the icon displays all details about the network.

On launch, iPassConnect unbinds the Windows Zero Configuration (WZC) WLAN utility from the interface. If there is already an association in place (when iPassConnect starts up), then active detection of non-broadcast networks is suppressed, so as not to disrupt the existing connection. WZC will be restored to its initial state when the user exits iPassConnect.

Summary of actions (WZC):

On Startup:

- iPassConnect unbinds the WZC utility from the interface.
- WZC service is not stopped or disabled.

On Connect:

- WZC service is not stopped.
- Unbinding is done only with respect to that specific network adapter.

On Disconnect:

- No actions.

On Exit:

- iPassConnect binds the WZC utility to the interface.
- WZC service is not restarted.

The available networks can be seen by clicking the “Refresh Networks” link in the WZC screen.

Auto-Connect

Auto-Connect is a configurable option that simplifies the Wi-Fi connection process, by automatically initiating a connection attempt to networks from a pre-defined list of preferred networks. This feature can be configured:

- In the customer access point list.
- As a Personal Wi-Fi service (indicated by the icon).

iPassConnect also Auto-Connects to customer-defined 802.1X Ethernet services.

You may configure any number of your Personal and Customer Wi-Fi networks for Auto-Connect. However, only one of these configured networks can be connected at a time.

All services with a common SSID must be configured with the same Auto-Connect behavior.

Auto-Connect will commence only when iPassConnect detects an eligible network, and when the current state of the client indicates a connection would be appropriate.

For instance, iPassConnect will not Auto-Connect:

- If an Ethernet connection with open Internet access is detected.
- If an explicit disconnect has occurred since the last connection or restart of iPassConnect (a user disconnect or VPN teardown).

When multiple Auto-Connect networks are detected simultaneously, iPassConnect will determine which one to connect to, based on prioritization logic.

Customer networks are each defined with a relative priority, from 0 (lowest priority) to 255 (highest). If multiple customer networks have the same priority, then the network with the highest signal strength will be selected. Customer networks always take priority over personal networks, which are prioritized by signal strength alone.

Currently, the Auto-Connect feature can only be applied to campus and personal Wi-Fi and 802.1X Ethernet services.


To enable Auto-Connect, select Connection Settings > WLAN and then check Automatically connect to preferred networks.
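The Auto-Connect eligibility and prioritization rules described above, modeled as an added example (this is not iPass code). The class names, field names, signal scale and sample networks are assumptions made for illustration; the rules themselves are the ones stated in this section.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

CUSTOMER, PERSONAL = "customer", "personal"


@dataclass(frozen=True)
class Network:
    ssid: str
    kind: str            # CUSTOMER or PERSONAL
    auto_connect: bool   # configured for Auto-Connect
    signal: int          # detected signal strength, higher is stronger (scale assumed)
    priority: int = 0    # customer networks only: 0 (lowest) to 255 (highest)


@dataclass(frozen=True)
class ClientState:
    open_ethernet_detected: bool = False  # Ethernet with open Internet access present
    explicit_disconnect: bool = False     # user disconnect or VPN teardown since last connect


def audit(networks: Iterable[Network]) -> List[str]:
    """Return configuration errors that violate the rules stated in the guide."""
    errors, seen = [], {}
    for n in networks:
        if n.kind == CUSTOMER and not 0 <= n.priority <= 255:
            errors.append(f"{n.ssid}: priority {n.priority} outside 0-255")
        # All services with a common SSID must share one Auto-Connect behavior.
        if seen.setdefault(n.ssid, n.auto_connect) != n.auto_connect:
            errors.append(f"{n.ssid}: mixed Auto-Connect settings for one SSID")
    return errors


def choose(networks: Iterable[Network], state: ClientState) -> Optional[Network]:
    """Pick the single network Auto-Connect would attempt, or None."""
    networks = list(networks)
    problems = audit(networks)
    if problems:
        raise ValueError("; ".join(problems))
    # Client state gate: no Auto-Connect in either of these situations.
    if state.open_ethernet_detected or state.explicit_disconnect:
        return None
    eligible = [n for n in networks if n.auto_connect]
    customers = [n for n in eligible if n.kind == CUSTOMER]
    if customers:
        # Customer networks always win; priority first, signal breaks ties.
        return max(customers, key=lambda n: (n.priority, n.signal))
    # Personal networks are ranked by signal strength alone.
    return max(eligible, key=lambda n: n.signal, default=None)


# Constructed sample of simultaneously detected networks.
DETECTED = [
    Network("CorpHQ", CUSTOMER, True, signal=40, priority=200),
    Network("CorpGuest", CUSTOMER, True, signal=70, priority=200),
    Network("CorpLab", CUSTOMER, True, signal=90, priority=10),
    Network("HomeNet", PERSONAL, True, signal=95),
]

if __name__ == "__main__":
    picked = choose(DETECTED, ClientState())
    print(picked.ssid if picked else "no Auto-Connect")
```

Running `audit` over a profile before deployment surfaces SSIDs that were given conflicting Auto-Connect settings, which the guide disallows.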

Ethernet

When the user connects an Ethernet cable to the laptop, iPassConnect automatically detects the Ethernet connection. It then characterizes the network, by displaying it at the top of the Available Networks list as any one of the following:

- Ethernet (802.1X): This indicates that iPassConnect detected a service that responds to an EAPOL Start request. There must be one or more access points in the customer access point list for 802.1X over Ethernet. If Auto-Connect is active, then the user will be automatically connected.
- Ethernet (iPass): iPassConnect received a response from the access point indicating the option to authenticate using a known access procedure (such as GIS) and iPassConnect is able to establish the availability of the iPass authentication infrastructure.
- Ethernet (Authentication Required): If authentication is required, one of the following is true:
  - iPassConnect received a response from the access point indicating the option to authenticate using a known access procedure (such as GIS) but could not authoritatively establish a link to the iPass authentication infrastructure. iPassConnect will prompt the user to connect using iPass credentials.
  - iPassConnect received a response from the access point indicating a walled garden without a known access procedure. iPassConnect will launch a Web browser when connecting, and continue to test for Internet connectivity to assist the user in navigating out of the walled garden.
- Ethernet (Open): iPassConnect detected live Internet connectivity after receiving expected content from a known Web service. The user can usually connect to this service without credentials although iPassConnect will still prompt for them if needed, for possible use in a VPN launch command or other integration action.

When iPassConnect is in the process of determining the Ethernet type (this may take a few moments), it displays Ethernet (Identifying).

In addition to automatically detecting the Ethernet, iPassConnect lists Ethernet services in the iPass Phonebook for manual selection by the user.
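The Ethernet characterization described above, sketched as an added example (not iPass code). The observation fields, the expected-content marker and the order in which the checks are applied are assumptions; the five labels and their conditions come from this section. The point it shows is that "Open" requires the expected content from the known Web service, not merely a successful HTTP response, because a walled garden typically answers every request with its own page.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed marker standing in for the "expected content from a known Web service".
EXPECTED_BODY = "connectivity-check-ok"


@dataclass(frozen=True)
class HttpProbe:
    status: int
    body: str
    location: Optional[str] = None  # redirect target, if the response carried one


@dataclass(frozen=True)
class EthernetObservation:
    eapol_response: Optional[bool] = None  # None: EAPOL Start not yet answered or timed out
    probe: Optional[HttpProbe] = None      # None: connectivity test not finished
    known_access_procedure: bool = False   # access point offers a known procedure (such as GIS)
    ipass_auth_reachable: bool = False     # iPass authentication infrastructure confirmed available


def probe_is_open(probe: HttpProbe) -> bool:
    """True only when the known Web service returned exactly what was expected."""
    return (
        probe.status == 200
        and probe.location is None
        and probe.body.strip() == EXPECTED_BODY
    )


def classify(obs: EthernetObservation) -> str:
    """Map what was observed on the wire to the label shown in Available Networks."""
    if obs.eapol_response is None:
        return "Ethernet (Identifying)"
    if obs.eapol_response:
        return "Ethernet (802.1X)"
    if obs.probe is None:
        return "Ethernet (Identifying)"
    if probe_is_open(obs.probe):
        return "Ethernet (Open)"
    if obs.known_access_procedure and obs.ipass_auth_reachable:
        return "Ethernet (iPass)"
    return "Ethernet (Authentication Required)"


def launches_browser(obs: EthernetObservation) -> bool:
    """Walled garden without a known access procedure: a Web browser is launched."""
    return (
        classify(obs) == "Ethernet (Authentication Required)"
        and not obs.known_access_procedure
    )


# Constructed sample responses.
PORTAL_PAGE = HttpProbe(200, "<html><title>Hotel Internet Sign-up</title></html>")
REDIRECT = HttpProbe(302, "", location="http://portal.example/login")
CLEAN = HttpProbe(200, "connectivity-check-ok\n")

if __name__ == "__main__":
    for probe in (CLEAN, PORTAL_PAGE, REDIRECT):
        obs = EthernetObservation(eapol_response=False, probe=probe)
        print(classify(obs), "| browser:", launches_browser(obs))
```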

Mobile Data

Mobile Data connectivity supports both the 3GSM (such as GPRS, EDGE, UMTS and HSDPA/HSUPA) and cdma2000 (1xRTT, CDMA, EVDO) families of networks.

In order to use Mobile Data connectivity, you must have an active subscription with a Mobile Data provider. iPass offers Mobile Data subscriptions in several major markets, including the US, UK, Netherlands, Japan, China, Hong Kong and Singapore.

iPassConnect will automatically detect Mobile Data devices that are connected to a user’s laptop. Around 100 different cards/devices are currently supported and new cards are added frequently.

If the user has a Mobile Data service, and a card is installed in the laptop, then locally detected Mobile Data networks are by default displayed at the bottom of the Available Networks list. There are no Phonebook entries for Mobile Data services although for 3GSM networks, an Access Point Name (APN) configuration is required. iPassConnect contains APN settings for many known networks around the world and iPassConnect 3.66 allows users and administrators to create and customize APN configurations to suit their own carrier relationships.

See the “List of Supported Mobile Broadband Devices” document for the current list of supported Mobile Data cards.

Unlike other services in the iPass footprint, the default Mobile Data configuration involves authentication by the cellular provider only, using either authentication from the device or SIM, although authentication using iPass user credentials is also supported. If your provider supports authentication through the iPass network, you may choose to submit the iPass credentials for this authentication.

Digital Subscriber Line (DSL)

DSL allows connection to the MS-DUN PPPoE interface for MSCHAP authentication to a compatible DSL provider. These authentication requests do not necessarily traverse the iPass authentication infrastructure.

The iPass DSL integration is limited in scope and therefore not enabled by default.

Please contact your Account Manager and DSL provider regarding the suitability of this offering for your needs.

Home Broadband

You can use iPassConnect to connect to the iPass network through an existing broadband Internet connection, such as cable modem or WLAN router. In this case, iPassConnect does not establish a new connection to the Internet, since your broadband connection is already connected. However, iPassConnect will launch your VPN and other integrated applications like your personal firewall.

Although this is referred to as a Home Broadband connection, it can include any pre-existing Internet connection, such as a connection over an office LAN or hotel Ethernet port.

For example: A telecommuter may already be connected to the Internet using a cable modem at home. By launching iPassConnect and using the Home Broadband feature, the VPN client and personal firewall can be launched, giving the telecommuter a secure connection to company resources over the existing connection.


Dial-up

Supported iPassConnect Dial-up technologies include standard modem, ISDN, GSM, and PHS.

- Modem: v.90/v.92 (Modem on hold not supported)
- ISDN: Single or dual channel PPP/MLPPP ISDN access
- GSM: Support for v.110 capable dial providers
- PHS: Support for PIAFS 2.1 standards

iPass uses Dial-up Networking (DUN), a standard component of the Windows operating system, to ensure consistent access across different modems. The client establishes a Dial-up session by creating and invoking a DUN connectoid, typically named "iPassConnect".

iPassConnect overrides Microsoft Telephony Application Programming Interface (TAPI) dialing rules, because dialing rules such as US 7, 10 and 11 digit dialing and international dialing rules change frequently and do not offer sufficient flexibility for global dialing of all cities and toll free numbering schemes. Dialing rules are published as part of the regular Phonebook update process and are overlaid on top of the regular TAPI rules. If an iPassConnect dialing rule is not present then the underlying TAPI rule is used.

Dial Options

iPassConnect supports the following configurable options for all Dial-up connections:

- Dial Properties: Support for outside lines, disabling of call waiting, tone or pulse dialing, dialing from a different location.
- Dialing Rules: Supports 7, 10 and 11 digit dialing, including area code.
- Calling cards: Can store information about a single calling card.
- Redialing attempts: Can set number of redial attempts on failed connection.
- Smart Redial: Automatically tries another access point in the same city and the same area code if the previous connection attempt failed. Saves the user time by connecting to the next access point in the Phonebook without user intervention.
- City-level dialing: Can attempt to connect to a set of access points in a city, one after another, until connected. Specific modem numbers will not be displayed. Helpful if you do not have a particular access point in mind but simply wish to connect to any nearby one. (This feature is disabled by default.)


The iPassConnect Interface

See the iPassConnect User Guide for the installation procedure. This document is available on the iPass portal.


Launching iPassConnect

iPassConnect can be configured to launch at Windows startup. This can be done by setting the “Run iPC at startup” option to “yes” while creating the customer profile. The client runs in the background, and an iPassConnect icon is displayed in the Windows system tray.

Please note that the “Launch at startup” option is configurable only through iPass Customer Care. Please open a support ticket to enable this option.

To launch the application:

- Double-click the icon in the system tray, or
- Select Start > All Programs > iPass > iPassConnect.

Upon launch, iPassConnect begins scanning for available broadband networks, including Wi-Fi, Mobile Data and Ethernet, and displays the scan results under Available Networks. If Auto-Connect is configured, iPassConnect will immediately connect to any of the detected networks that are designated as preferred. (See Auto-Connect for more information.)

When a user disconnects from a connection, iPassConnect will continue to run in the system tray unless the user exits the application.

Software Update: The iPassConnect update service runs on system startup independently of the iPassConnect application. (See Phonebook and Software Updates for more information on Updates.)

Selecting a Connection

iPassConnect presents a variety of methods for users to select a connection.

Available Networks

The Available Networks list makes it easy to connect to automatically detected networks. The display of WLAN hotspots, Mobile Data networks, and Ethernet connections depends on the Connectivity Type that is enabled for the profile.

iPassConnect scans for available networks without the user’s intervention. A pop-up bubble informs the user of the presence of available networks. The user can select the desired access point, log in using the required credentials, and get connected.


Phonebook Search by Location

An alternate method for connecting to an access point is to Search the Phonebook by location. In most countries, the user selects the country and city. (In the US, Australia, Canada and Japan, the user can also select the state, territory, province or prefecture.) iPassConnect will scan the Phonebook for access points meeting the geographic selection criteria and present them for connection. This includes modem, ISDN, GSM, WLAN, PHS, and Ethernet access points.

Search by location is generally used for connecting to networks that cannot be automatically detected, for example: modem, ISDN, PHS, GSM, and DSL. It is helpful for trip planning purposes. Roaming users can search the Phonebook before a trip, to find local access points near their destination, and plan their itinerary accordingly.

Mobile Data services and some types of automatically detected Ethernet service are not shown in the Phonebook search but are presented in Available Networks when detected.

Default Country

Users can set a default country for Phonebook searches, which will pre-populate the Country drop-

down in the Search criteria. (Users can select a different country if needed.) This is helpful for users

who roam primarily within a single country.

Local Number Lookup

Local Number Lookup helps users find a

local Dial-up access point in the United

States. Users enter the area code and

phone number of the US location they

are connecting from and iPassConnect

will return a list of the closest dial access

points.

If no local access points are found, any

available US Toll-Free numbers will be

displayed instead.

If the customer has filtered Toll-Free

numbers out of the Phonebook, the user

will be informed that no local access is

available.

iPassConnect can be configured to display customer access points located in a Local Number

Lookup search at the top of the list of returned access points.

(See Custom Phonebooks for more information on customer access points.)

Search by Keyword

Keyword search lets users search a given country for broadband access points containing one or more specified keywords.

A keyword may be a complete word

(e.g. "Starbucks") or a partial word (e.g.

"bucks").

Multiple keywords may be combined by

typing them with a space between each

one to create a more specific search

(e.g. "Starbucks San Fran Sutter").

The Keyword field remains disabled

until a country is selected. A keyword

search can be further constrained by the

state and city fields if desired.

Keyword search and Local Number

Lookup are mutually exclusive. If a

value is typed in one of these fields, the

other will be disabled.

Bookmarks

Bookmarks provide a convenient method for users to store their favorite access points for quick

retrieval. The Bookmarks menu displays all of the user’s Bookmarks for easy selection. In addition,

the user can right-click the System Tray icon to access the Bookmarks list.

You can bookmark both Dial-up and Wi-Fi access points. Bookmarks for Dial-up access points also

include the access point dialing rules.

By bookmarking a non-broadcast access point, a user can quickly initiate a new connection from the Bookmark menu without waiting for iPassConnect to detect the service.

Phonebooks

The complete collection of global iPass access points is known as a Phonebook. It includes

thousands of worldwide Dial-up, ISDN, PHS, GSM, WLAN, Mobile Data, and Ethernet access points.

In addition, customers can add their own access points to the standard Phonebook.

Filtering Content

It is possible to filter the Phonebook content to display a subset of all access points to users and

thereby restrict connections to some access points. Customers may request removal of access points

in specific cities or countries, at certain price points, or removal of toll-free access points.

Custom Phonebooks

You can add your own list of custom access points to the standard iPassConnect Phonebook. This

list of customer access points is sometimes known as a CBook.

The list of customer access points includes the following information:

Access types: modem, ISDN, PHS, GSM, Wi-Fi, Ethernet

Access procedure: includes PAP, CHAP, GIS, 802.1X

Encryption mode: includes WEP, WPA, WPA2

Presentation details: before or after standard iPass access points

Authentication rules: includes user login format, certificate requirements

For instructions on how to create a list of customer access points, see the document - Creating a Customer Access Point List, available on the iPass Portal.

iPass Customer Care is not equipped to help in creating CBooks.

Connection Information

iPassConnect displays and stores a wide variety of information about user connections.

Connection Status

The Connection Status window displays the details of the current user connection. The details

include activity, link type, duration, and signal strength.

Activity: This field indicates the traffic generated by this connection at a given point in time, i.e. whether data is being transmitted, received, or both. There are four possible states:

No activity

Download (Receive) only

Upload (Transmit) only

Simultaneous Download and Upload

Link Type: This field is displayed as a label for the link speed. For Mobile Data connections, the

network bearer type is displayed instead of link speed.

Duration: This field displays the duration of the current connection.

Signal strength: This field displays the same signal strength information seen in the

Available Networks area of the main iPassConnect dialog. This field is visible only for

wireless connections, WLAN and Mobile Data.

Status tab

The Status tab displays the username, the name of the access point, and the status of the

connection.

Usage tab

The Usage tab displays the usage details.

This session: This

column displays usage

for the current

connection. Data

sent/received for

current session is sent

in the SQM record at

the end of the session.

Cumulative: This

column displays the

cumulative usage for

this device interface.

For 3GSM Mobile

Data devices,

cumulative usage is

tracked per device and SIM card combination, allowing users with multiple subscriptions to

track activity independently. The cumulative usage per device can be reviewed and reset

from the Settings menu when not connected.

Data Rate: This column displays the current data rate per second as reported by Windows.

Duration: This row displays duration of connection for This session and Cumulative.

Sent: This row displays the number of bytes sent in this session and cumulative sent since

the last reset.

Received: This row displays the number of bytes received in this session and cumulative

received since the last reset.

Total: This row displays the total number of bytes sent/received in this session and

cumulative data sent/received since the last reset.

Reset: The Reset button will reset all statistics for the device currently in use.

A note has been included in Connection Status dialog, to inform the user that, “Data routed through some VPNs via virtual adapter may not be displayed in iPassConnect.”

Offline Cumulative Usage

The Cumulative Usage dialog displays the cumulative usage statistics for every network interface

when the user is not connected. This is very useful to Mobile Data users for planning their usage. You

can review and also reset the cumulative

statistics.

The statistics include:

Choose Network Media: This list-box

displays a list of devices and network

entries that were used to make a

connection using iPassConnect. The

client will automatically add a device or

network to this list when the user makes

a connection. The user can remove any

network media using the Delete button.

Cumulative usage for selected

device: This group box contains the

usage for selected network media from

the list box. It contains the following

fields.

Network Name: It is populated only

for GSM Mobile Data connections.

Duration: Displays the total duration of all connections made since the Since timestamp.

Send: Displays the cumulative number of bytes sent since the last reset.

Received: Displays the cumulative number of bytes received since the last reset.

Total: Displays the cumulative number of bytes sent and received since the last reset.

Since: Displays the Timestamp when the usage data was last reset.

Connection Log

iPassConnect tracks connection information in a Connection Log, viewable in iPassConnect on the

Help menu. The connection log displays the details of the most recent successful connections and

connection attempts. Error codes are included for failed connections. This information can be useful

for troubleshooting user connection issues.

SQM Data

Service Quality Management (SQM) is an iPassConnect software module that lets iPass measure

service delivery proactively, to identify potential user training issues or access point issues. SQM

tracks and logs all user connection attempts. These results are periodically sent to an iPass

database, which generates statistics showing the connection performance of every access point. The

SQM data is made available to customers through an optional iPass service called IOQ (Intelligent

Online Quality.)

Data is sent to iPass for every successful connection through iPassConnect client. If the user has previously made attempts to connect to the Internet using the client but was unsuccessful, then the data will be sent to iPass on the next successful connection, even if that connection is not facilitated by iPassConnect client.

Appearance

The appearance of iPassConnect can be configured in several ways.

Banner Image

The standard iPass banner image appears at the top of the main iPassConnect interface and takes

up two-thirds of the width of the dialog.

Customers can replace the default banner with a banner image of their own choosing. The new

banner must be a Windows bitmap (.bmp) file 267 pixels wide by 59 pixels high.

Customers can also add a second image to the right of the first image. This is called a partner brand

image and is a Windows bitmap (.bmp) file 152 pixels wide by 59 pixels high.

In place of the banner and partner brand images, customers may elect to use a single banner image

across the entire width of the main dialog. This is called a full co-brand image and is a Windows

bitmap (.bmp) file 419 pixels wide by 59 pixels high.

Desktop Shortcut Name

The label of the iPassConnect desktop shortcut can be modified by adding a suffix to the name iPassConnect, in the form iPassConnect <Your Choice>.

For example, iPassConnect Acme, or iPassConnect Cisco VPN.

Default Installation Path

You can customize the iPassConnect default installation path. The default is: C:\Program

Files\iPass\iPassConnect

Custom Help Menu Items

Help content in iPassConnect cannot be customized. However, customers have two alternate

methods to add customized help information.

Technical Support Message

iPassConnect can be configured with a custom support message (found in Help > Technical

Support). See the Tech Note: Customizing the iPassConnect Technical Support Message, on the

iPass Portal, for more information.

One tech support message can be uploaded per supported language; the appropriate message will

be displayed with English used where there is no other match. The customer is responsible for

providing the localized tech support messages.

Supplementary Help

Customers can submit an HTML Help (.chm) file which will be linked to the standard iPassConnect

Help file. This optional file, which must be created and compiled by the customer, can contain special

instructions or contact information for your own users. See the Tech Note: Creating a Supplementary

Help File, on the iPass Portal, for more information.

Display Dial-up Pricing

iPassConnect can be configured to display modem, ISDN, PHS and GSM pricing for each Dial-up

access point. The currency symbol and conversion rate from US dollars are both configurable.

iPassConnect users can choose any one of the following currency types for pricing:

Dollar ($)

Pound (£)

Yen (¥)

iPass offers a range of options for customized pricing. Please raise a Support Ticket for more information.

Pricing display is disabled by default. iPass does not offer pricing display for other network access

types.

Configuration Options

iPassConnect is highly configurable and includes many features that can be adapted for customer

requirements.

Configuration of some features or services may incur an additional fee. Please contact your Account Manager for more details.

Profiles

A profile describes the complete set of options included in your build of iPassConnect. Each profile is

distinguished by a unique identifying number called the profile ID.

A customer may have multiple iPassConnect profiles, subject to commercial agreement. This allows for testing of different configuration options and new releases. It also assists user communities with different configurations within the customer's user base. For example, you could create distinct profiles that use specific authentication for end-points, or you could assign VPN integrations to separate user communities.

You can view the options included in a particular profile using the Profile Viewer tool on the iPass

Portal. To make changes to your profile, submit a Support Ticket on the Portal.

About iPassConnect

You can view the complete technical details for a given version of iPassConnect.

Select Help > About iPassConnect.

The User Interface includes the Mobile Data build numbers for Services and Device Support in the

About iPassConnect dialog.

In addition, the iPassConnect version and build date, profile number, Phonebook number, and

Copyright are included.

The Mobile Data build number is visible only when the client is configured for Mobile Data, GSM and/or 3G-Mobile connections.

The version number, profile ID, Phonebook ID and timestamp of the last Phonebook update are all critical information and need to be included in any support ticket when contacting iPass Customer Care.

Languages Supported

iPassConnect supports nine languages:

Brazilian Portuguese

English

French

German

Japanese

Korean

Simplified Chinese

Spanish

Traditional Chinese

Selecting Installation Language

A single installer executable supports all nine languages. iPassConnect can be configured for one of

three language installation options:

Automatic: The locale setting on the end user’s PC will be used as the language for

installation.

User select: Allows the end user to determine which language to use for installation.

Force language install: The application will force the user to install in a chosen language.

Session Management Options

Idle Timeout

The idle timeout option automatically disconnects the session, if the network traffic consistently

remains below a given threshold for a pre-determined period. (1024 bps is recommended for Dial-up,

2048 bps for broadband connections).

After the pre-determined time period (2 minutes), the user will be prompted with a warning message.

The user can either choose to stay connected to the Internet or terminate the existing connection, by

selecting the appropriate option from the warning message box. If the user does not respond to this

warning message within the specified time, the Internet connection will be terminated.

The Idle Timeout settings can be configured while creating the customer profile.
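The idle-timeout sequence described above (quiet period, warning prompt, forced disconnect) can be modelled as a small state machine. This is an added example, not iPassConnect code: the thresholds and the 2-minute period come from this guide, while the 60-second response window, the 10-second sampling interval and the rule that traffic does not dismiss the prompt are assumptions.

```python
# Added example: a model of the idle-timeout logic, not iPassConnect source code.
DIALUP_THRESHOLD_BPS = 1024      # recommendation in this guide for Dial-up
BROADBAND_THRESHOLD_BPS = 2048   # recommendation in this guide for broadband
IDLE_PERIOD_S = 120              # the guide's 2-minute period
RESPONSE_WINDOW_S = 60           # assumption: the guide only says "the specified time"


class IdleTimeoutMonitor:
    """States: 'active' -> 'warning' -> 'disconnected' (or back to 'active')."""

    def __init__(self, threshold_bps, idle_period_s=IDLE_PERIOD_S,
                 response_window_s=RESPONSE_WINDOW_S):
        self.threshold_bps = threshold_bps
        self.idle_period_s = idle_period_s
        self.response_window_s = response_window_s
        self.state = "active"
        self.idle_since = None   # time of the first sample in the current quiet run
        self.warned_at = None    # time the warning prompt was raised

    def sample(self, t, bps):
        """Feed one throughput sample taken at time t (seconds); return the state."""
        if self.state == "disconnected":
            return self.state
        if self.state == "warning":
            # Assumption: traffic does not dismiss the prompt; only the user's
            # answer or the expiry of the response window ends this state.
            if t - self.warned_at >= self.response_window_s:
                self.state = "disconnected"
            return self.state
        if bps >= self.threshold_bps:
            # One sample at or above the threshold breaks "consistently below".
            self.idle_since = None
        else:
            if self.idle_since is None:
                self.idle_since = t
            if t - self.idle_since >= self.idle_period_s:
                self.state, self.warned_at = "warning", t
        return self.state

    def user_response(self, t, stay_connected):
        """Apply the user's answer to the warning prompt; return the state."""
        if self.state != "warning":
            return self.state
        if t - self.warned_at >= self.response_window_s or not stay_connected:
            self.state = "disconnected"
        else:
            # Staying connected restarts the idle measurement from scratch.
            self.state, self.idle_since, self.warned_at = "active", None, None
        return self.state


def disconnect_time(monitor, samples, responses=None):
    """Run (t, bps) samples through the monitor; return the disconnect time or None.

    responses maps a sample time to True (stay connected) or False (terminate).
    """
    responses = responses or {}
    for t, bps in samples:
        state = monitor.sample(t, bps)
        if t in responses:
            state = monitor.user_response(t, responses[t])
        if state == "disconnected":
            return t
    return None


def constant_traffic(bps, duration_s=400, step_s=10):
    """Constructed input: one sample every step_s seconds at a fixed rate."""
    return [(t, bps) for t in range(0, duration_s + 1, step_s)]


def periodic_burst(quiet_bps, burst_bps, every_s=100, duration_s=400, step_s=10):
    """Constructed input: quiet traffic with a burst every every_s seconds."""
    return [(t, burst_bps if t % every_s == 0 else quiet_bps)
            for t in range(0, duration_s + 1, step_s)]
```

In this model a single burst above the threshold restarts the idle measurement, so a process that sends traffic periodically keeps the session open indefinitely; the Session Limit option bounds such sessions by duration instead.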

Session Limit

The session limit option automatically disconnects the session, if the connection duration exceeds a

given time limit.

An optional countdown warning message can be displayed after the predetermined period has

elapsed. This feature is disabled by default.

Username Options

These options allow configuration of the username (or NAI: network access identifier).

Domains

The domain name, also known as a realm, is used to uniquely identify a user with a specific customer

or group within an enterprise. (An example would be @example.com).

Customers may choose to have multiple domains to segment user communities or to display extra

information in Call Detail Records (CDRs). These domains can be selected from a list of preset

domains, or the domain list can be configured to be editable by users.

The default for domain is a single non-editable domain, which can be hidden from the user view and

will not appear in the user interface.

Non-editable Domain

iPassConnect can be configured to make the domain non-editable. In fact, to limit the use of the client profile to a particular customer account, it is strongly recommended that the domain list be non-editable. This configuration may prevent a user from accidentally changing or deleting the domain and having difficulty connecting. The domain will appear disabled. The customer can only have one preset domain while using this feature.

Domain Hidden

iPassConnect can be configured to completely hide the domain. This feature requires one valid

preset roaming domain name. This feature can be used to avoid confusion when a user’s e-mail

address is not the same as iPass logon information.

Department/Project Code

iPassConnect supports the use of optional department/project codes, sometimes referred to as billing

codes. Some enterprises use these codes to uniquely identify departments or subsets of users, such

as Sales or Product Marketing, especially when billing back charges to individual departments.

At the end of each month, iPass will provide call detail records (CDRs), indicating connections used

by the various billing codes to allow for easy segmentation and dissemination (for example,

[email protected]). Department/project codes are not used in the authentication process.

Each code can be a maximum of 16 single-byte alphanumeric characters and has a 1024 character

limit. As with domains, department codes can be selected from a list of preset domains, or the domain

list can be configured to be editable by users.

Password Options

Save Password

iPassConnect can be configured to save the user’s password to disk in encrypted form for future use. The Save Password option is disabled by default.

The Save Password check box will be enabled in the Login Information dialog only if the AllowSavePassword attribute is set to Yes in the config.ini file.
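An administrator who wants to confirm where password saving is switched on can scan collected copies of config.ini for the AllowSavePassword attribute. This is an added example, not an iPass tool: the guide names only the attribute, its value Yes and the file name, so the key=value syntax, the section name in the sample and the directory layout are assumptions.

```python
# Added example: audit collected config.ini files for AllowSavePassword.
import os

KEY = "allowsavepassword"   # attribute name from this guide, matched case-insensitively


def _decode(data):
    """Decode file bytes; handles UTF-16 with a BOM as well as UTF-8/ANSI-like text."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def find_allow_save_password(ini_text):
    """Return (line_no, section, value) for every AllowSavePassword entry.

    The section that holds the attribute is not documented in this guide,
    so every section (and entries before any section header) is scanned.
    """
    hits = []
    section = None
    for line_no, raw in enumerate(ini_text.lstrip("\ufeff").splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":        # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == KEY:
            hits.append((line_no, section, value.strip()))
    return hits


def save_password_enabled(ini_text):
    """True if any entry is set to Yes.

    How the client treats duplicate entries is not documented, so the audit
    is conservative: one Yes anywhere counts as enabled. No entry at all
    means disabled, which is the default stated in this guide.
    """
    return any(value.strip('"').lower() == "yes"
               for _, _, value in find_allow_save_password(ini_text))


def audit_tree(root):
    """Map each config.ini found under root to True (saving enabled) or False."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "config.ini":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings[path] = save_password_enabled(_decode(fh.read()))
    return findings


# Constructed samples, not real iPassConnect configuration files.
SAMPLE_ENABLED = (
    "; constructed sample\n"
    "[HypotheticalSection]\n"
    "ProfileName=Example\n"
    "allowsavepassword = YES\n"
)
SAMPLE_DEFAULT = "[HypotheticalSection]\nProfileName=Example\n"
```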

Cache Password

The Cache Password feature allows iPassConnect to retain the user’s password in memory for re-use on further connection attempts within the same iPassConnect session (defined as the period between startup and shutdown of the iPassConnect client application). Cache Password is enabled by default.

iPass Encrypted Login (formerly iSEEL)

iPass Encrypted Login, an optional, fee-based service, uses public key cryptography to further

encrypt passwords while in transit over the iPass authentication infrastructure. iPass encrypts the

user password at the client using elliptic curve cryptography and the password remains encrypted

until it reaches the iPass Transaction Center.

Not all iPass access points support iPass Encrypted Login, as some providers do not support the

username and password lengths and special characters utilized by the encryption algorithm.

iPass Encrypted Login can be configured in one of the following modes:

Mixed Mode Enabled: iPassConnect will use iPass Encrypted Login with all access points

that are known to support it, but will fall back to regular authentication on other iPass services

Mixed Mode Disabled: iPassConnect will only display access points known to support iPass

Encrypted Login

Mandatory Mode: As an extension to Mixed Mode disabled, the iPass Transaction Centers

can optionally be configured to accept only iPass Encrypted Login authentication requests.

Unique Session ID (USID)

USID is a non-configurable feature of iPassConnect which inserts a unique 11 character serial number into each authentication request for the purposes of matching individual billing records (CDRs: Call Detail Records) and IOQ records. iPassConnect retrieves the seed of the unique serial number from an iPass server at the earliest opportunity following initial installation.

Certificate Authentication

iPassConnect can use EAP-TLS and PEAP-TLS authentication

methods for authentication of private Wi-Fi and Ethernet connections

using mutual certificate authentication.

When configured, iPassConnect will display a Certificates tab on

the Login Information dialog to allow the user to select the

certificate, and optionally the certificate identity, to be used for each

connect attempt. This uses the Internet Explorer certificate store.

Normally, this is applicable for the current user, but in Live Logon, it would be applicable for the local machine.

Trusted Root CAs

The administrator can specify that only a subset of available trusted root certificate authorities (CAs)

be used for TLS authentication modes, by defining rules for them in iPassConnect.

For instructions on how to create a list of customer access points, see the document - Creating a Customer Access Point List, available on the iPass Portal.

PEAP-GTC Protocol

iPassConnect supports the PEAP-GTC protocol, thereby ensuring secured private enterprise network connectivity. In the client, this is established with the support of One Time Password (OTP) tokens.

Token Integration is not a GA feature. Please contact iPass Professional Services to enable this feature.

The PEAP-GTC protocol is supported on:

Windows XP (Professional) Service Pack 2 and Service Pack 3.

Windows Vista (All versions) Service Pack 1

Only Static Password and RSA token/One Time Password (OTP) are supported on Windows Vista. However, RSA Next Token is not supported on the Vista platform.

Testing involved validation on both Standard and Administrative user account privileges. The authentication parameters have not been validated for Windows Vista Home editions.

While connecting to a PEAP-GTC enabled hotspot, the server challenges the user with a response

window. The user interface of iPassConnect client has been enhanced with this Provide Response

dialog.

Here, the challenge message is sent by the server and the user is required to enter the response. Based on the response, the user is re-authenticated for valid credentials.

Please raise a Support Ticket for any clarifications with respect to the server message settings.

TTLS-PAP Protocol

iPassConnect supports the Tunneled Transport Layer Security-Password Authentication Protocol (TTLS-PAP), which ensures secured private enterprise network connectivity and provides two factor authentication. The Tunneled Transport Layer Security (TTLS) protocol helps to secure the outer tunnel and PAP secures the inner tunnel. The authentication process is simple, since only the server is authenticated by the client. It supports the use of static and dynamic passwords.

The logon procedure for using the hot spot with TTLS-PAP is similar to the normal iPassConnect

logon process.

TTLS-GTC Protocol

The TTLS-GTC protocol provides secure two factor authentication for connectivity to private networks. The TTLS protocol provides the security for the inner tunnel and the Generic Token Card provides the security for the outer tunnel.

The logon process for the TTLS-GTC protocol is similar to the logon process of PEAP-GTC.

Token Integration is not a GA feature. Please contact iPass Professional Services to enable this feature.

Please note that TTLS-PAP and TTLS-GTC are not supported when used with Live Logon mode on Windows Vista.

Live Logon

iPassConnect offers the Windows Live Logon option. This option inserts a new GINA (Graphical

Identification and Authentication) module at the start of the Windows logon sequence, which includes

an option to logon with iPassConnect (in place of the Log on using Dial-up Networking option in the

regular Windows GINA).

When selected, iPassConnect will be launched before the

Win Logon sequence, to allow a live Windows domain

logon without further user input.

This fully-featured GINA offers fully configurable credential

handling, including Single Sign On (SSO).

Live Logon feature for Windows Vista

Windows Vista does not support the GINA module.

Hence, the Windows Live Logon option is achieved by creating a DLL which is a Credential Provider

(CP) or a Pre-Logon Access Provider (PLAP). The Live Logon DLL will behave as a CP or a PLAP

based on how it is registered with the OS.

When the Vista Live Logon implementation collects the OS credentials, the DLL is implemented as a Credential Provider (CP). The CP DLL will work in the same way as the iPass GINA on Windows XP.

When the Vista Live Logon implementation does not collect the OS credentials, the DLL is implemented as a PLAP. The PLAP DLL will invoke iPassConnect to make a connection and the logon process is done by the Credential Provider.

The Live Logon feature is not supported for 802.1X CBook access points on Windows Vista.

Timeout

Windows Live Logon includes a configurable timeout option. If the user presses Ctrl+Alt+Del and

does not login within the specified timeout interval (default 5 minutes), the iPassConnect session is

terminated and Windows reverts to the welcome screen.

Single Sign On

With Single Sign On, iPassConnect can be configured to reuse the Windows username or network

username and password for authentication of network connectivity. It can also be configured to use

the Windows username and password to authenticate a VPN connection.

To ensure security, by default, the Windows password is not retained by iPassConnect and is not

propagated to a VPN client. If iPassConnect is configured to reuse the password then it will store it in

encrypted form and will decrypt for the shortest possible interval when needed.

Mobile Data Features

PIN Management

When a user inserts a SIM-based 3GSM device, iPassConnect automatically displays the PIN menu

to allow the user to perform all PIN management functions from within the iPass interface. The

options include:

Enable PIN

Unlock the SIM

Unblock (sometimes called "un-PUK") the SIM

Disable PIN (subject to administrator approval)

Change PIN (subject to administrator approval)

Save PIN (subject to administrator approval)

The current SIM lock status is shown on the Info dialog, under connection settings, and by implication

from the available menu options.

Administrator-Provisioned Networks

iPass supplies an extensive directory of global 3GSM Mobile Data services (CDMA service

information is contained within the device and is not exposed to the client) and iPassConnect will

generally select the appropriate configuration for the detected network in the supplied APN file.

The APN settings may include any of the following configuration elements:

Network number

Network name

APN server access point

Bearer network credentials

Bearer network domain

DNS information

QOS levels

The dial string for access

In some situations, the administrator may wish to customize these settings to suit specific requirements, e.g. a private network contract between the customer and the carrier.

This can be achieved by supplying iPass Customer Care with an "adminapn.ini" file describing the

custom configuration elements. In instances where the same network is defined twice, the

administrator-supplied file takes precedence over the iPass default file.

User-Configured Networks

The user may also create a custom network

definition by filling-out the "Network

Information" settings under the Mobile Data

Connection Settings dialog. The information

shown here is essentially the same as

described for administrator-provisioned

networks above.

Users are initially presented with the iPass

"public APN" configuration settings for

modification although a "Default" button is

available in case the user needs to revert to

the original iPass settings.

This option is useful in situations where a user

has a subscription to a Mobile Data service not

yet covered by the iPass APN file.

Please raise a Support Ticket for any further assistance

Admin Network Control

Administrators have the option to control whether:

Users can use a given iPassConnect profile to attach to the networks described in the iPass public APN file.

Users are constrained to use only the admin-supplied network configurations.

By default, users are permitted to connect to all networks subject to a suitable subscription.

Administrators can also control whether users can use a given iPassConnect profile to connect to

networks flagged as "roaming networks". This feature is intended to provide the option to limit access

to high-cost international roaming services when travelling abroad but an important footnote is

needed here:

iPass has observed that the Mobile Data roaming flag is often enabled for the home service on US-based 3GSM networks. Disabling roaming would prevent access to the home service in such a situation.

Roaming control is therefore recommended only for administrators with explicit knowledge of the

roaming settings that apply to their user community's home networks.
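The sketch below models how the network rules in this chapter combine: admin-supplied definitions override the iPass defaults, a profile can be limited to admin-supplied networks, and a roaming block can lock users out of a home network that reports the roaming flag. It is an added example, not iPassConnect code: the file formats are not shown in this guide, so the dictionaries, field names, network identifiers and APN names are constructed, and user-configured networks are not modelled.

```python
# Added example: a model of admin network control, not iPassConnect source code.
from dataclasses import dataclass


@dataclass(frozen=True)
class NetworkPolicy:
    admin_networks_only: bool = False   # guide default: all networks permitted
    allow_roaming: bool = True          # guide default: roaming not restricted


def effective_apn(network_number, public_apns, admin_apns):
    """Pick the definition for a network; the admin-supplied one takes precedence."""
    if network_number in admin_apns:
        return {**admin_apns[network_number], "source": "admin"}
    if network_number in public_apns:
        return {**public_apns[network_number], "source": "public"}
    return None


def decide(network_number, roaming_flag, policy, public_apns, admin_apns):
    """Return (verdict, reason, entry) for one detected network."""
    entry = effective_apn(network_number, public_apns, admin_apns)
    if entry is None:
        # Assumption: a network with no definition is not connectable here.
        return ("deny", "no APN configuration", None)
    if policy.admin_networks_only and entry["source"] != "admin":
        return ("deny", "not an admin-supplied network", entry)
    if roaming_flag and not policy.allow_roaming:
        return ("deny", "network flagged as roaming", entry)
    return ("allow", "permitted by profile", entry)


def home_networks_locked_out(home_flags, policy, public_apns, admin_apns):
    """Pre-deployment check: which home networks would this policy block?

    home_flags maps each home network to the roaming flag observed on it,
    the knowledge the guide asks administrators to have before disabling
    roaming.
    """
    locked = []
    for number, roaming_flag in sorted(home_flags.items()):
        verdict, reason, _ = decide(number, roaming_flag, policy,
                                    public_apns, admin_apns)
        if verdict == "deny":
            locked.append((number, reason))
    return locked


# Constructed sample data; identifiers and APN names are placeholders.
PUBLIC_APNS = {
    "net-A": {"name": "Carrier A", "apn": "public.a.example"},
    "net-B": {"name": "Carrier B", "apn": "public.b.example"},
}
ADMIN_APNS = {
    "net-A": {"name": "Carrier A (private contract)", "apn": "corp.a.example"},
}
# A home network that reports the roaming flag, the case the guide warns about.
HOME_FLAGS = {"net-A": True}
```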

Phonebook and Software Updates

A key feature in iPassConnect is its capability to automatically receive Phonebook and configuration

updates. iPass typically publishes a new version of the Phonebook each week.

Background Updates

iPassConnect has an update mechanism called background update. This runs as a separate service

distinct from the iPassConnect client. It periodically checks for Phonebook updates or SQM data to

upload using any connection available at that time (even those that are not made using

iPassConnect). In particular, the feature enables automatic updates over the LAN. Updates are

downloaded and installed in the background, using trickle download technology with bandwidth

throttling and support for interrupted downloads.

The background update module automatically discovers proxy settings as needed. iPassConnect

works with the full range of proxy configurations that can be specified through the Internet Explorer

interface, and will display a dialog to request user proxy credentials or allow the user to defer the

update attempt.

For updates, iPassConnect tries to establish outbound network sessions to iPass servers using HTTP on port 80 and HTTPS on port 443.

For broadband connections (other than 802.1X), HTTP and HTTPS are also used but some providers

use redirectors to non-standard ports. iPass therefore recommends outbound access is permitted on

all TCP ports for the following iPassConnect service components: iPassConnectEngine.exe,

BrowserLogin.exe, iPassPeriodicUpdateApp.exe and iPCCheck.exe. iPass may add other

network-aware components in the future.

Software Updates

Users of earlier releases of iPassConnect can upgrade to version 3.66 using the integral software update capabilities. The software upgrade process automatically uninstalls the old version and installs the new one, while preserving user configuration settings such as saved passwords, Bookmarks, Personal Wi-Fi networks and user preferences.

Please raise a Support Ticket for any further assistance on Software updates.

Speed Prioritized Update

This feature allows iPassConnect to take advantage of the times when the user is connected over a broadband connection, to optimize the update experience. If enabled, iPassConnect will only perform a software update when the user is connected to a high-speed connection (the threshold is configurable). Typically this is a LAN or broadband connection connected at 128kbps or greater.

Integration

Connect Actions

Connect actions are program activities that execute at predetermined points in the iPassConnect connection sequence. A typical connect action would involve the launch of a VPN application following a successful connection to the Internet. Administrators may specify as many connect actions as needed for a given client profile.

Connect Action Types

You can specify any of the following types of connect actions.

Action Type | Runs when... | Comments
OnStartup | During the iPassConnect startup sequence. |
PreDial | Immediately before connection dial attempt. |
PreTunnel | Immediately after IP connectivity is established. | If configured, BrowserLogin and Policy Enforcement integrations run as PreTunnel actions.
Tunnel | After PreTunnel actions. | Recommended for VPN integrations where configured.
PostConnect | After a connection is established and following updates and VPN launch. | Steady state. Recommended for most network-aware customer applications.
Disconnect | Before a controlled disconnect occurs (for example, when the user clicks Disconnect or after a VPN teardown event). Also, on a Windows suspend event. | Disconnect events can be triggered if the user clicks Disconnect, through teardown events, or due to unexpected errors (such as an unplugged cable).
OnCancel | User clicks Cancel. |
OnError | A connection attempt fails. |
Miscellaneous | N/A | Usually used to include files needed by other actions to run properly. For example, if a certain connect action requires a DLL, then a Miscellaneous action would be used.
OnExit | During the iPassConnect shutdown sequence. |

Connect Action Parameters

This table lists several parameters that can be defined for each connect action. Connect actions are implemented by iPass Customer Care.

Parameter | Definition
Description | Short description of the Connect Action you are adding.
Sequence # | Indicates the relative order in which synchronous Connect Actions will execute. Sequence numbers are needed for version management, so never leave this field blank. Sequence numbers must be unique within each Connect Action type.
Program | Path name of the program that will be launched with this Connect Action (if any). You may use the Browse button to locate this program and specify a path.
Include Program with Dialer | This option allows users to include a specific file with the iPassConnect client.
Run Mode | Run Mode defines how the action will execute. A synchronous action will execute and wait for the return value before proceeding to the next action. If one action has trouble running or completing, the actions after it cannot run. A synchronous action is also called a Launch and Wait action. An asynchronous action will execute in sequence but not wait for a return value. However, OS multitasking and the complexity of the binary will determine which action completes first. An asynchronous action is also called a Launch and Proceed action.
Target | Target indicates the access point type associated with a given connect action. You may choose iPass POPs, Customer POPs, or Both. In iPassConnect 3.66, the scope can be further modified by the FlexVPN Network Types options.
Monitor | iPassConnect can be configured to respond to the return code of the called application by either skipping the VPN launch (in response to a return code of 1) or initiating a complete disconnect (in the event of a return code of -1). You should contact your iPass technical representative for further details.
Type | This is a label used to indicate types such as "VPN", "PFW" and "AV" and is used to ensure accurate user messaging.
Run Context | iPassConnect can run applications in the context of the logged-in user or in the SYSTEM context. For security reasons, the former should be used whenever possible.
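
The rules stated in the Connect Action Parameters table (sequence numbers never blank and unique within each action type, user context preferred over SYSTEM) can be checked mechanically when reviewing a client profile. The Python check below is an added example, not part of the original guide or of iPassConnect: the dictionary layout and field names are hypothetical, and treating Monitor as requiring a synchronous action is an assumption drawn from the Run Mode description.

```python
from collections import defaultdict

# Action types listed in the Connect Action Types table.
ACTION_TYPES = {"OnStartup", "PreDial", "PreTunnel", "Tunnel", "PostConnect",
                "Disconnect", "OnCancel", "OnError", "Miscellaneous", "OnExit"}

def audit_connect_actions(actions):
    """Return (description, finding) pairs. The dict keys used here are a
    hypothetical representation for this example, not an iPass format."""
    findings = []
    seen = defaultdict(dict)          # action type -> {sequence: description}
    for a in actions:
        name = a.get("description") or "<no description>"
        atype, seq = a.get("type"), a.get("sequence")
        if atype not in ACTION_TYPES:
            findings.append((name, f"unknown action type {atype!r}"))
        if seq is None or str(seq).strip() == "":
            findings.append((name, "sequence number is blank"))
        elif seq in seen[atype]:
            findings.append((name, f"sequence {seq} already used by "
                                   f"{seen[atype][seq]!r} in {atype}"))
        else:
            seen[atype][seq] = name
        # The guide prefers the logged-in user's context over SYSTEM.
        if str(a.get("run_context", "")).upper() == "SYSTEM":
            findings.append((name, "runs as SYSTEM; use the user context if possible"))
        # Assumption: Monitor needs the return code, which only a
        # synchronous (Launch and Wait) action waits for.
        if a.get("monitor") and a.get("run_mode") != "synchronous":
            findings.append((name, "Monitor set on an asynchronous action"))
    return findings

# Constructed sample profile, for illustration only.
SAMPLE = [
    {"description": "Posture check", "type": "PreTunnel", "sequence": 10,
     "run_mode": "synchronous", "run_context": "user", "monitor": True},
    {"description": "Launch VPN", "type": "Tunnel", "sequence": 10,
     "run_mode": "synchronous", "run_context": "SYSTEM"},
    {"description": "Log upload", "type": "PreTunnel", "sequence": 10,
     "run_mode": "asynchronous", "run_context": "user", "monitor": True},
    {"description": "Helper DLL", "type": "Miscellaneous", "sequence": "",
     "run_context": "user"},
]

if __name__ == "__main__":
    for name, finding in audit_connect_actions(SAMPLE):
        print(f"{name}: {finding}")
```

The same sequence number in two different action types ("Posture check" and "Launch VPN" in the sample) is not reported, because uniqueness is only required within each type.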

FlexVPN

FlexVPN provides the fine-grained control necessary for determining when a VPN (or any other connect action integration) should be invoked, according to the network type used for the connection. One example of this feature’s use would be to launch a VPN in all instances except on a private secure Wi-Fi connection (such as an 802.1X authenticated WPA2 service).

There are eight distinct network types that can be independently configured as required.

iPass Broadband

iPass Dial

Customer Dial

Customer Encrypted 802.1X Wi-Fi

Customer Wi-Fi other

Customer Ethernet

Mobile Data: The FlexVPN has been enhanced to provide distinct options for different treatment of Private and Public Mobile Data networks.

All Other Networks

User-Defined Post Connect Actions

iPassConnect can be configured to allow users to enter their own post-connect actions. These are usually used to launch useful Internet applications. User-defined post-connect actions can include launching the default Web browser, or launching any application on a user’s computer, such as an email client.

User-defined connect actions are applied following all successful connections, regardless of whether a user accesses a customer-owned access point or an iPass access point, and regardless of connection type.

To configure post-connect actions, the user clicks Connection Settings > General, and then selects the appropriate actions as needed.

Supported Third Party Applications

iPassConnect supports a wide and ever-increasing variety of VPN, Anti-Virus and Personal Firewall products. See the iPass Portal for the latest information on compatible integrations.

VPN Integration

VPN integration allows different procedures for entering user credentials into iPassConnect and the VPN client. This table describes the various kinds of VPN Integration possible in iPassConnect.

Type | Description
VPN Auto-connect | User enters only one set of credentials into iPassConnect, to establish both the Internet and the VPN connection. The iPass RoamServer authentication and the VPN switch authentication must either point to the same common user database, or else must have the identical active username and password resident in each respective user database.
VPN Auto-Launch | User enters credentials into iPassConnect, and then can choose which server to connect to using the VPN client, but must enter VPN credentials separately. This allows the customer to use separate credentials for iPassConnect and VPN authentication.
VPN Monitor | Following an initial grace period, iPassConnect can monitor for the continued presence of a VPN tunnel and can be configured to gracefully disconnect the network connection if the VPN tunnel should drop.
VPN Graceful Disconnect | iPassConnect can be configured to gracefully terminate the VPN connection before the network is disconnected in response to a user disconnect request.

VPN Gateway Selection

iPassConnect currently supports VPN gateway selection from the iPassConnect Login Information dialog for Cisco and Nortel VPN services.

Personal Firewall (PFW) Integration

iPassConnect can be integrated with a number of personal firewall (PFW) solutions to allow for increased security while using remote access. If this feature is enabled, the client will monitor the user's firewall solution to guarantee protection while connected. The protection is guaranteed in the two following ways:

iPassConnect will require the user to have the selected firewall software loaded and running before initiating a connection. (Subject to user permissions, iPassConnect can also launch the PFW software at connect time.)

iPassConnect will terminate the session if the firewall goes down while the user is connected.

Antivirus (AV) Integration

iPassConnect can be integrated with a number of AV products to allow for increased security while using remote access.

If this feature is enabled, the client will launch and monitor a user's antivirus solution to guarantee protection while connected and to disconnect the connection if the AV client should cease to respond.

END OF DOCUMENT