Cisco VPN Client Readme file
============================

This file describes the contents of the Cisco VPN Client files for the
Windows platform.

Refer to the Bug Navigator on Cisco Connection Online for open issues:
http://www.cisco.com/support/bugtools/bugtool.shtml

Revisions:
  Release 4.8.00.0440 InstallShield
  Release 4.8.00.0440 MSI

Files:
  vpnclient-win-is-4.8.00.0440-k9.zip
  vpnclient-win-msi-4.8.00.0440-k9.zip
  update-4.8.00.0440-major-k9.zip (to be posted on 16 December 2005)

Advisory:
  The Windows VPN Client version 4.6.04.0043 was the final version that
  officially supports the Windows NT operating systems.

New Features:
  Two new Certificate features have been added to further support
  dynamically mapped Certificates to profiles without manual selection by
  the user. See the Certificate notes at the end of this document for
  details.

  A new GUI customization feature allows masking of VPN Client features
  from the user. See the notes at the end of this document for details.

Resolved Issues:
  CSCsb35946 Rebootless client upgrade for MSI installer only (see below)
  CSCsb35979 Feature: Dual processor support
  CSCsb35996 Feature: Multi-threaded CPU Windows support
  CSCsb73916 Feature: Tear down tunnel when smartcard is removed
  CSCsb73927 Feature: Notify user when smartcard blocked for too many incorrect PINs
  CSCsb73937 Feature: Smartcard password reprompt for new connections
  CSCeh20734 vpngui error occurs when toggling from simple to advanced mode
  CSCsa82051 Feature Req: Allow users not using Stateful Firewall to NOT install firewall files (see below)
  CSCdz63183 Stateful FW traffic blocked w/new adaptor
  CSCef18509 unity autoupdate should update with concentrator manual push
  CSCeg81066 feature unity windows should launch installer directly from zip
  CSCeh67124 unity clients should not filter local multi/broadcast beside firewall
  CSCeh72721 gui crash when verifying newly enrolled certificate.
  CSCei23559 unity windows install fails to modify client language (see below)
  CSCei56209 unity windows unable to retrieve certificates from pending scep
  CSCei68854 feature unity GUI cert tab gray out delete from vpnclient.ini (see below)
  CSCsb11355 VPN Client Silent Install fails to install Root Cert on Low CPU
  CSCsb71922 Interface metric changes to 1 on both NICs after disconnect
  CSCsb79246 unity windows certmatcheku with gui fails (see below)
  CSCsb80280 unity windows rootcert does not import on install with msi
  CSCsc32638 VPN Client auto select certificate needs key usage selection option (see below)

Open Issues:
  CSCeh78592 VPN Client memory leak with Exclude Local LAN
  CSCeh12314 unity windows 98 log window blank when log is running
  CSCsc31174 excludelocallan does not work under windows 98

Revision:
  Release 4.7.00.0533.Rel

Files:
  vpnclient-win-msi-4.76.00.0533-k9.zip
  vpnclient-win-is-4.7.00.0533-k9.zip

Contents:
  - See Release Notes for Release 4.6 at:
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/index.htm

1. Certificate Extended Key Usage Matching

Profile Keyword: CertMatchEKU

Description: This parameter specifies the list of Extended Key Usage fields
that the client should honor. When this profile keyword is specified, the
client looks, during a connection attempt, only at those certs (irrespective
of certificate store) whose Extended Key Usage fields match those specified
by the profile keyword. That is, for any given cert, at least one of the
Extended Key Usage OIDs listed in the profile keyword must be present in the
certificate's Extended Key Usage extension.

This keyword applies to connection attempts only and not to any other
certificate-related operation (viz. listing certs, viewing certs, etc.).

This keyword applies to all forms of certificate selection (viz.
CertSerialHash, CertMatchDN, CertSubjectName, CertName).

The value of this keyword is a comma-separated list of Extended Key Usage
OID strings.
Example:
  CertMatchEKU=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1

  1.3.6.1.5.5.7.3.2 => Client Authentication
  1.3.6.1.5.5.7.3.1 => Server Authentication

Custom Extended Key Usage strings must be of the form 1.3.6.1.5.5.7.3.X,
where X can be any number.

2. Certificate Key Usage Matching

Profile Keyword: CertMatchKU

Description: This feature allows the profile selection of Certificates based
on the Key Usage as well as the DN and Extended Key Usage fields. This
keyword overrides the vpnclient.ini keyword "CertificateKeyUsage".

Example:
  CertMatchKU=0,3,4,5

Key Usage bit numbers:
  DIGITAL_SIGNATURE   8
  NON_REPUDIATION     7
  KEY_ENCIPHERMENT    6
  DATA_ENCIPHERMENT   5
  KEY_AGREEMENT       4
  KEY_CERT_SIGN       3
  CRL_SIGN            2
  ENCIPHER_ONLY       1
  DECIPHER_ONLY       0

If the Certificate matches any of the usages in the CertMatchKU field, it
passes on to the next criterion. Otherwise the Certificate is not selected.

  [Main]
  Host=1.2.3.4
  AuthType=3
  CertStore=2
  CertName=myMultipleCerts
  CertMatchKU=7
  !CertSubjectName=
  !CertSerialHash=

If two Certificates identical except for Key Usage were available to the
profile above, only the one with Non-Repudiation would be chosen.

3. Certificate Fall Through

This behavior is implicit and does not have any profile keyword associated
with it. For a given connection attempt, a certificate can be selected using
one or more of the keywords given below (in order of precedence):

  a) CertMatchEKU and CertMatchKU
  b) CertSerialHash
  c) CertMatchDN
  d) CertSubjectName
  e) CertName

If the client cannot find a cert in the given cert store that satisfies all
of the Certificate keywords set in the profile, the connection attempt
fails.

Sample profile:
  [Main]
  Host=10.10.10.10
  AuthType=3
  CertStore=2
  !UserName=
  !UserPassword=
  CertMatchKU=7
  CertMatchEKU=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1
  CertMatchDN=issuer-ou*"vpn group",ea*"Cisco.com"
  !CertSerialHash=

The profile above will only match certificates that have a Key Usage of
"Non-Repudiation" AND have EITHER Client or Server Authentication in the
Extended Key Usage.
The Issuer-ou field MUST contain "vpn group" and the email address in the
user Certificate MUST contain "cisco.com" (both case insensitive).

The scenario above allows a shared workstation to connect users based on
their smart card certificates. A user can walk up, insert their card, and
click Connect. The generic profile above finds the proper certificate on
their card (without restarting the client or modifying the profile) and
prompts them for their Certificate password, username, and password. The
concentrator could also be configured to connect without a username and
rely entirely upon the Certificates for authentication.

Note the use of the "!" character in the profile. This prevents the
previous user's information from being retained between connections.

4. Bypassing the installation of firewall files when the Stateful Firewall
   is not required

In some cases, the Stateful Firewall files of the VPN Client conflict with
other third-party applications. To minimize this conflict, the VPN Client
may be installed without its Stateful Firewall files using the following
procedure:

NOTE: DO NOT USE THIS PROCEDURE IF YOU ARE USING A ZONE ALARM PRODUCT,
BECAUSE THEY SHARE SIMILAR FILES.

If the workstation already has a vsdata.dll file left behind by a former
Cisco VPN Client installation (and no Zone Alarm product is installed),
delete or rename that file before proceeding. A workstation with no former
Cisco VPN Client installation and no Zone Alarm product will not have the
file.

IS installer:  A new oem.ini keyword "DisableFirewallInstall=1" should be
               placed under the [main] section heading.

MSI installer: MSI must use the novsdata.zip transform posted on CCO.

After a proper installation using the above procedure the VPN Client will
NOT show the stateful firewall under the Options pulldown.

5. MSI Installation with the Japanese language Help Files

The Japanese help files for the MSI transform have been removed from the
VPN Client installation package. They are now posted separately on CCO as
"vpnclient_help_jp_4.8.00.0440.zip".

6.
GUI customization feature to mask VPN Client tabs and features

vpnclient.ini [GUI] section keywords: ShowConnectionTab, ShowCertificatesTab,
ShowLogTab, ShowCertTabDelete, ShowCertTabChangePasswd

These new keywords may be used in the vpnclient.ini under the [GUI] section
to mask tabs and features from the VPN Client.

  ShowConnectionTab       Set equal to 0 to remove the "Connection Entries"
                          tab. Defaults to 1.
  ShowCertificatesTab     Set equal to 0 to remove the "Certificates" tab.
                          Defaults to 1.
  ShowLogTab              Set equal to 0 to remove the "Log" tab.
                          Defaults to 1.
  ShowCertTabDelete       Set equal to 0 to remove the "Delete" option for
                          deleting Certificates. Defaults to 1.
  ShowCertTabChangePasswd Set equal to 0 to remove the "Change Certificate
                          Password..." option for changing Certificate
                          passwords. Defaults to 1.

7. Rebootless client upgrade for MSI installer only

The MSI installer for the VPN Client installation now allows the VPN Client
to be upgraded without rebooting under the following circumstances:

  a) If a previous MSI version of the VPN Client has been installed,
     overwriting it with the 4.8.00.0440 MSI VPN Client installation will
     only require a reboot to uninstall the previous VPN Client
     installation. (Prior installations had required an additional reboot
     that is no longer required.)
  b) A new installation of the 4.8.00.0440 MSI VPN Client will require a
     reboot.
  c) Future upgrades from the 4.8.00.0440 MSI VPN Client to later MSI
     installations will NOT require any reboots.
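The certificate-selection rules in sections 1 through 3 (CertMatchKU, CertMatchEKU, CertMatchDN, and the fall-through to CertSerialHash, CertSubjectName and CertName, with "!Key=" clearing a value) are shown below as a small Python model. This is an added example, not Cisco's code: the certificate records are constructed in-memory stand-ins for what the client would read from CertStore=2, the Key Usage bit numbers are taken from the section 2 table, and the reading of "*" in CertMatchDN as a case-insensitive substring match is an assumption based on the readme's "MUST contain ... (case insensitive)" wording.

```python
import re

# Key Usage bit numbers exactly as the readme's section 2 table lists them.
KU_BIT = {"DIGITAL_SIGNATURE": 8, "NON_REPUDIATION": 7, "KEY_ENCIPHERMENT": 6,
          "DATA_ENCIPHERMENT": 5, "KEY_AGREEMENT": 4, "KEY_CERT_SIGN": 3,
          "CRL_SIGN": 2, "ENCIPHER_ONLY": 1, "DECIPHER_ONLY": 0}
DS, NR = KU_BIT["DIGITAL_SIGNATURE"], KU_BIT["NON_REPUDIATION"]
EKU_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
EKU_EMAIL_PROT = "1.3.6.1.5.5.7.3.4"   # emailProtection; only a non-matching value here

# The readme's section 3 smart-card profile and section 2 CertMatchKU profile.
SMARTCARD_PROFILE = """[Main]
Host=10.10.10.10
AuthType=3
CertStore=2
!UserName=
!UserPassword=
CertMatchKU=7
CertMatchEKU=1.3.6.1.5.5.7.3.2,1.3.6.1.5.5.7.3.1
CertMatchDN=issuer-ou*"vpn group",ea*"Cisco.com"
!CertSerialHash=
"""
KU_PROFILE = """[Main]
Host=1.2.3.4
AuthType=3
CertStore=2
CertName=myMultipleCerts
CertMatchKU=7
!CertSubjectName=
!CertSerialHash=
"""


def parse_profile(text):
    """Parse the [Main] section of a .pcf profile. A key written as !Key= is
    cleared (the readme's idiom for not keeping the previous user's value)
    and stored as "", which imposes no constraint in cert_matches()."""
    main, in_main = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_main = line.lower() == "[main]"
        elif in_main and "=" in line:
            key, value = line.split("=", 1)
            key = key.strip()
            main[key.lstrip("!")] = "" if key.startswith("!") else value.strip()
    return main


def parse_match_dn(expr):
    """CertMatchDN terms as written in the readme sample: field*"value",
    comma-separated. '*' is read as case-insensitive substring (assumption)."""
    return [(f.lower(), v.lower())
            for f, v in re.findall(r'([A-Za-z-]+)\*"([^"]*)"', expr)]


def cert_matches(profile, cert):
    """Apply the readme's criteria in its order of precedence; every keyword
    that is set must pass. cert: ku (set of bit numbers), eku (set of OIDs),
    dn (field -> value), name, serial_hash."""
    ku = profile.get("CertMatchKU")
    if ku and not {int(b) for b in ku.split(",")} & cert["ku"]:
        return False                       # none of the listed usages present
    eku = profile.get("CertMatchEKU")
    if eku and not {o.strip() for o in eku.split(",")} & cert["eku"]:
        return False                       # no listed EKU OID present
    for field, needle in parse_match_dn(profile.get("CertMatchDN", "")):
        if needle not in cert["dn"].get(field, "").lower():
            return False
    for key, attr in (("CertSerialHash", "serial_hash"), ("CertName", "name")):
        if profile.get(key) and profile[key] != cert.get(attr):
            return False
    subj = profile.get("CertSubjectName")
    if subj and subj.lower() != cert["dn"].get("cn", "").lower():
        return False
    return True


def select_certificate(profile, store):
    """First cert that satisfies the profile, else None (connection fails)."""
    return next((c for c in store if cert_matches(profile, c)), None)


# Constructed stand-ins for the certificates the client would find in the store.
STORE = [
    {"serial_hash": "01", "name": "myMultipleCerts", "ku": {DS},
     "eku": {EKU_CLIENT_AUTH},
     "dn": {"cn": "alice", "issuer-ou": "VPN Group", "ea": "alice@cisco.com"}},
    {"serial_hash": "02", "name": "mail-only", "ku": {NR, DS},
     "eku": {EKU_EMAIL_PROT},
     "dn": {"cn": "alice", "issuer-ou": "VPN Group", "ea": "alice@cisco.com"}},
    {"serial_hash": "03", "name": "contractor", "ku": {NR, DS},
     "eku": {EKU_CLIENT_AUTH},
     "dn": {"cn": "bob", "issuer-ou": "VPN Group", "ea": "bob@example.com"}},
    {"serial_hash": "04", "name": "myMultipleCerts", "ku": {NR, DS},
     "eku": {EKU_CLIENT_AUTH, EKU_SERVER_AUTH},
     "dn": {"cn": "alice", "issuer-ou": "VPN Group", "ea": "alice@cisco.com"}},
]

if __name__ == "__main__":
    for label, text in (("smartcard", SMARTCARD_PROFILE), ("ku-only", KU_PROFILE)):
        chosen = select_certificate(parse_profile(text), STORE)
        print(label, "->", chosen["serial_hash"] if chosen else "no match, connection fails")
```

With the section 3 profile, certificates 01 (no Non-Repudiation), 02 (emailProtection only) and 03 (email address outside cisco.com) are each rejected at a different step and 04 is chosen; with the section 2 profile, the two "myMultipleCerts" entries differ only in Key Usage and again only 04 is chosen. A profile whose KU list names bits no certificate carries selects nothing, which is the "connection attempt fails" case.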