Chapter 8 Supporting End Users

The chapter describes the following:

• What you need to do to setup and prepare your end users

• What issues you can expect

• The resolution to the problems

Setting up End Users

Providing support for remote or travelling users will likely occasionally be required, although i-Planet's design and browser-based interface will keep your support requirements to a minimum. Setting up end users involves both the technical setup process and providing your users with the information they need to access the system remotely.

To Set Up an End User

1. Verify that the user is correctly set up and fully functional on your local network.

2. Verify that each end user has a UNIX password.

   End users must have a UNIX password so that they can use i-Planet.

3. Add S/Keys for the end user or activate any other authentication module you chose to use.

   At this point, the end user is technically set up and ready to go. Before the end user can access the system and use it effectively, you must provide several key pieces of information:

   1. Fully qualified URL for the i-Planet system. For example, this will look something like:

      https://i-Planet.acmecorp.com/

   2. If your end users are new to remote access to your corporate system, you will likely need to remind them that the protocol is https, not http.

   3. You will likely have to tell them that they must provide a fully qualified domain name--that is, xyz.acmecorp.com, not just xyz, as they can likely do from within the local network. You can use available redirection technology.

End users can generate their own set of passwords so that they can use the S/Key authentication module before they become remote. They can only use this procedure over the intranet.

For End Users to Generate Passwords

End users can use this procedure to generate their own S/Key passwords over the intranet before they become remote.

1. They start the web browser that they want to use.

2. They type the following as the URL in the browser:

   http://i-Planet_server:8080/cgi-bin/skey/skeylogin.cgi

   8080 is the (default) port for the i-Planet server.

If SSL is being used between the i-Planet server and the i-Planet gateway, they must type the following as the URL in the browser:

https://i-Planet_server/cgi-bin/skey/skeylogin.cgi

Once remotely logged into the i-Planet Desktop, end users can generate more one-time passwords by clicking the Generate SKEYs link on the i-Planet Desktop.

---

Note -

If an end user uses the last password and logs out before generating a new list of passwords. then a new list for that user can only be generated using one of the other two methods. Generating more S/Key passwords supersedes the previously generated list. Also, their UUID will change.

---

Reinstalling the i-Planet software will delete all S/Key user password information.

Access information. The remote end user access information could be:

• Secure Computing's SafeWord token

• Security Dynamics' SecurID token

• RADIUS login and password

• S/Key list of passwords, unique userid, and PIN

• Other authentication tools that you have configured for your users

Connectivity requirements--End users must have full TCP/IP connectivity, either through their own ISPs, through a corporate dialup modem pool, or through some other means (Kinko's, hotels, or any other TCP/IP hookup). Your remote end users will not be able to access your i-Planet installation through non-TCP/IP networks.

Browser requirements--End users must access i-Planet through Internet Explorer 4.0 or higher, Netscape Navigator 4.04 or higher with equivalent SSL, JavaScript, and Java support. Your end users can check their browser versions by choosing Help|About in any browser and reading the version number in the resulting dialog box. Netscape browsers must be set to accept all cookies on the Edit|Preference|Advanced window.

---

Note -

Netscape 4.04 and 4.05 require AWT 1.1 support provided by the JDK 1.1 patch available from Netscape. All versions of Netscape 4.06 and later include the patch.

---

---

Caution -

If end users look at sensitive or classified documents through Internet Explorer, they must be sure to exit the browser when they have finished. Copies of all files that they have looked at are stored on the computer that they are using until they close all Internet Explorer windows.

---

Information specific to your i-Planet installation--Provide any special information that the end user will require, if you have added new applications to your i-Planet installation, or if your end users must use specific software in a particular way to gain access to the information they need, or if there are other special settings.

This is the only information your remote end users should require to access and use your i-Planet installation and to be able to work productively.

Troubleshooting

The following selection of Frequently Asked Questions anticipates many of the most likely issues that your users would have.

• I am unable to start the Netlet. The Java console shows something like:

# Applet exception: class SServer not found java.lang.ClassNotFoundException: java/awt/event/ActionListener

at java.lang.ClassLoader.defineClass(ClassLoader.java) at netscape.applet.AppletClassLoader.findClass(AppletClassLoader.java) at netscape.applet.AppletClassLoader.loadClass1(AppletClassLoader.java) * at netscape.applet.AppletClassLoader.loadClass(AppletClassLoader.java) at netscape.applet.AppletClassLoader.loadClass(AppletClassLoader.java) at netscape.applet.DerivedAppletFrame.run(DerivedAppletFrame.java) at java.lang.Thread.run(Thread.java)

The cause is that the browser does not support Java AWT 1.1. Netscape did not support this until version 4.06. There is an AWT 1.1 patch for the earlier 4.xx version of Netscape.

The solution is to use Netscape, version 4.06 or later or to install the AWT 1.1 patch for the version of Netscape being used. Check the Netscape web site for more information.

• When I try to start NetFile, I get the message: "Incorrect URL to Apps server."

The end user is not connecting through the gateway. End users must connect through the gateway using https to the i-Planet Desktop.

• When I try to use an application on the i-Planet Desktop, I get the message: "You do not have a valid user name. You must EDIT preferences on the i-Planet Desktop."

The cause is that there is no valid UNIX user ID for the end user in the user name field on the Edit Preferences page of the i-Planet Desktop.

The solution is to have the end user add the valid UNIX user ID in the user name field on the Edit Preference page of the i-Planet Desktop.

• I cannot access the server. I get only a "No response" message, error messages, or nothing at all.

Assuming that you have verified that the server is up and that you can log into the server as an end user, the following process may be helpful.

1. Verify that your end user is using the correct URL. In particular, make sure that the URL uses https:// as the protocol, not http://, and that they are entering a fully-qualified domain name. If the problem persists, continue through this process.

2. Verify that the web browser is working correctly by surfing to a popular and consistently responsive site. If the alternative sites do not come up, they likely have a TCP/IP issue and should check with their local support staff for their ISP or other TCP/IP access provider. If the alternative sites do come up, continue through the process.

3. Verify that the user is using the correct version of the browser by looking at Help|About and checking the version number provided there. If the user is using the correct version (Internet Explorer 4.0 or Netscape Navigator 4.04 with AWT 1.1 support or better), continue through the process.

4. Verify security settings in the browser (Edit|Preferences|Advanced in Navigator, and View|Options|Security in Internet Explorer). Cookies must be accepted (with or without warnings) for i-Planet to work properly. Enabling Java and JavaScript is strongly recommended, but not essential.

• How do I use this application?

Online help is available for every application and every screen delivered with i-Planet. Clicking the help link on any page will access help about that particular application or page, and your users can then navigate back to the main help page and then to any other i-Planet help pages.

If you have added other applications to your i-Planet installation, add the online help links and files to the existing help pages.

• When systems are added in the HTML or Java user interfaces of NetFile, they do not appear in the following session, the cause is that the HTML UI or the Java GUI do not "end" correctly.

For the HTML UI, the end user must end the session by clicking the End Session button. This is the action that actually writes the preferences.

For the Java GUI, the end user must choose the End Session option in the menu. However, for the Java GUI only, if the end user shuts down the small window (Netlet page) in which the NetFile link resides too quickly, the NetFile applet cannot connect to the server anymore and the preferences may not be stored.

• Why do I keep timing out and having to log back in?

i-Planet default settings call for a very short time-out to ensure that open (authenticated) sessions are not left running and unattended because of the particular danger of intrusions into the network. If you are, for example, checking mail, then return to work on a document in a word processor, you will almost inevitably timeout. End users could use the offline NetMail (Java) client to avoid part of this issue, but in general the inconvenience is required to ensure proper corporate security.

---

Note -

As an administrator, you can increase the system-wide time-out interval.

---

• When using NetFile, what does the error message Error: Session request failed (131,130) with myname-=SKWASH destname=<machine> mean?

This error message means that you are trying to add a windows machine and the name for that machine does not match the DNS or Host file entry.

• What can I do if the browser Internet Explorer hangs when I choose X-Windows on NetFile?

If Internet Explorer hangs after you click Enter after typing the password when you are using X windows on NetFile, click the login button.

• How can I read and compose my email without being connected to the Internet all the time?

If the NetMail Local Installer is visible on the Advance Options page of the i-Planet Desktop, you can install the NetMail applet on your local disk. (Click the Advanced link on the navigation bar on the front page of the i-Planet Desktop to move to the Advanced Options page.)

When you click on the NetMail Local Installer link, a browser window appears that explains that this functionality allows you to install the NetMail applet on your local disk so that you can use NetMail to read and compose email without being connected to the Internet. This is known as disconnected mode.

Once you have installed the NetMail applet locally, you can connect and read your email without having to download the applet each time. You also can save your email to an encrypted file on disk, so that you can continue working while you are disconnected from the server. When you reconnect, all your changes to the local email cache will be made to the server and their states synchronized. Any email that you have composed and want sent will be sent when you reconnect.

• What do I do when I get an error message saying that a license is not available?

You should contact your i-Planet administrator who may have to restart the license server.

• When I log in using Netscape and click the NetMail or NetFile link, the correct page comes up but it contains the i-Planet Desktop, not the correct page, and it does not open the applet.

This typically happens when the user preferences for Netscape are set to "Only accept cookies originating from the same server as the page being viewed." The user preferences for Netscape must be set to "Accept all cookies."

• The dialog boxes often appear to be empty. I am using Netscape as my browser.

When using Netscape as your browser, if your dialog boxes appear to be empty, move your mouse slightly to cause Netscape to display properly.