I am unable to access certain sites intermittently (e.g https://webmail.nyc.gov).

You may be running the old version of the checkpoint VPN client. Please follow the steps below to upgrade to the latest version.

1. Uninstall the old checkpoint VPN client using the "CPclean" utility and procedure on the http://www.nyc.gov/download/vpn/downloads.html page
2. Download the latest Checkpoint client from http://www.nyc.gov/download/vpn/sc.html and save it to you PC.
3. Install the downloaded software and reboot your PC ( If your PC doesn't reboot automatically after the installation)

Can I use Desktop Firewall software like ICF, Zone Alarm with CityNET VPN client?

The CityNET VPN client includes a Desktop firewall client , the policy of which is administered by DoITT . Refer to the FAQ on Desktop Firewall software. There may be some reasons why might want to use your own personal firewall software.

Zone Alarm can be co-exist with the VPN Client. You need to configure Zone Alarm as follows. If you other firewall products please contact CityNET VPN support.

NOTE: The order in which VPN-1/FireWall-1 and Zone Labs products are downloaded and installed is not important.

1. Right-click the ZoneAlarm icon and select Security > Advanced.

2. Select Add and choose the appropriate field (Host/Site, IP address, IP range, Subnet).

3. Create a host for the destination VPN-1/FireWall-1 Module and its IP address.

4. Create an IP range for the destination's internal network.

5. Click OK.

To configure ZoneAlarm Pro to allow SecuRemote/SecureClient VPN and connections, proceed as follows:

NOTE: The order in which VPN-1/FireWall-1 and Zone Labs products are downloaded and installed is not important.

1. Right-click the ZoneAlarm icon and select Security > Advanced.

2. Select Add and choose the appropriate fie! ld (Host/Site, IP address, IP range, Subnet).

3. Create a host for the destination VPN-1/FireWall-1 Module and its IP address.

4. Create an IP range for the destination Module's internal network.

6. Click OK or Finish as prompted.

To allow VPN protocols to pass through ZoneAlarm, proceed as follows:

1. Select Advanced at the Security Panel and then click on the General Tab.

2. The "Allow VPN protocols at high security" permits GRE (Generic Route Encapsulation), ESP (Encapsulating Security Protocol), and AH (Authentication Header).

NOTE: When attempting to use SecuRemote/SecureClient, ZoneAlarm will prompt to allow SecuRemote/SecureClient as a server; select Yes. If prompted to allow a connection to the destination VPN-1/FireWall-1 Module, select Yes.

Why can’t I share my local resources on the PC where CityNET VPN client is loaded when I am connected or disconnected from CityNET VPN?

Symptom is you may not be able to share printers and access network drives from another computer on your LAN to the PC where CityNET VPN client is loaded.

The CityNET VPN client includes a Desktop firewall software whose policy is explained in Desktop Firewall Software . This policy does not allow any inbound access whether you are connected or disconnected to the VPN. This is to protect your computer from intruders. If you like, you may completely disable the VPN client by stopping the client by right clicking on the System Tray “Secure Client” icon.

Why is my Internet access is slow when I am access Internet while I am connected to CityNET VPN?

When you are connected to CityNET VPN, you will be assigned an DNS server by the VPN and DNS name resolutions for both CityNET and Internet names will be resolved by the CityNET DNS servers. This may sometimes be slower than resolving using your ISP. We recommend DISCONNECTING from CityNET VPN when you do not have a need to use it, during which time you will start using your ISPs DNS server.

Can I have multiple VPN clients loaded on my computer like Cisco VPN and Nortel VPN in addition to CityNET VPN client?

CityNET VPN client is based on Checkpoint NG AI Secure Client software. As per Checkpoint, the Secure Client can run with ANY existing VPN solution, since Secure Client binds to a port different from 500 (used for IKE). Some basic tests with Nortel and Cisco VPN did not show any problem with our Clients.

What ports do I have to open if there are firewalls in my path to Internet?

CityNET VPN needs UDP/500, UDP/2746 between the VPN client PC and the CityNET VPN servers.

CityNET VPN client takes care of most issues with NAT and firewall filtering for home users by tunneling IPSec over UDP packets on port UDP/2746. However, there may be situations where you have to enable IPSec passthru, port forwarding, creation of DMZ host on the home firewall devices. Refer to the documentation of your device to find out how to do this.

Are there any known issues for AOL users?

If AOLnet connections cannot be used, please use MtuAdjust.exe (located in the
SecuRemote/SecureClient installation directory, under \bin) and reduce the MTU to 800, prior to using SecuRemote/SecureClient. MtuAdjust.exe is available for Windows 2000/XP only.

I get a message “ Not all adapters are protected” and my VPN does not work.

CityNET VPN client enforces a policy on all network adapters that are attached to your computer and verifies this before connecting you to the VPN. This is to make sure you are protected on all interfaces.

If you had installed a new network adapter after VPN client was installed or a new driver, you need to re-install CityNET VPN software. If you need the latest version of CityNET VPN software go to the Download page.

Verify that all adapters are protected by checking in the Secure Client Diagnostics tool accessed by right clicking on the System tray Secure Client icon.

I get a message “ Non TCP/IP protocols used ” and my VPN does not work.

CityNET VPN client enforces a policy that only TCP/IP protocols should be used on the computers where the VPN software is installed. This is due to the fact that the VPN client cannot protect non TCP/IP protocols. Please uninstall any non TCP/IP protocols from your computer like NetBEUI, Novell IPX etc., before connecting to the VPN.

I get a message "Check if SecureClient is running".

Make sure system tray has the SC client activated. If not, go to Program > Secure Client > Secure Client to start the client.
If you are still getting errors, you may try reinstalling using CDROM or from the Download page.

After installing the software and rebooting the computer, user is asked to update site "DoITT". We recommend that the user connect to Internet and then select Update site the first time. This will download the "CityNET VPN connection" profile which has all required parameters to connect successfully. Please note "CityNET VPN connection" should be the only profile used to connect to the VPN.

If the above is not followed and user chooses to select "cancel" it may cause connection problems for the user. The user may get errors similar to this : "Unable to connection using connection profile"

The procedure to fix the problem is:

1. Right click on System Tray (envelope and key icon) Secure Client Icon --> select configure --> right click on "DoITT" icon --> select Update --> click on "Update" --> Enter the VPN user-id and password when prompted. Click "OK" and put the screen away.

2. Now the user can use the VPN by clicking the "CityNET_VPN" desktop icon.