Installation and TroubleshootingGuide for SSL-VPNCONNECTIONS AccessVersion 1Revised 11/29/2007

Table of ContentsJava Installation: .4Browser Configuration: .4Citrix Client Installation: .8Attempting to Access Connections: .10Troubleshooting/Additional Configuration: .15Temporary Internet Files and Cookies Issue: .15SSL-VPN Access for HSEN ID:.17Pop-up Blocking: .17Windows Issues: .19Proxy Server Issues: .19Address Resolution Issues: .21Software Firewall Issues .23Adding Shortcuts to Connections: .23Further Assistance: .24SSL VPN Troubleshooting GuidePage 2

Preface:SSL-VPN is used for computers that have high-speed Internet access and that are not connectedto the New York State network through other means. SSL-VPN allows limited access to the NewYork State computer network to enable use of the CONNECTIONS application. SSL-VPN standsfor “Secure Sockets Layer-Virtual Private Network.” The intention of the guide is to be useable byany person attempting to install SSL-VPN to access CONNECTIONS. The guide is intended forusers who have a medium level of technical expertise, but should be useable as a “paint bynumbers” walkthrough even for those readers who are not as familiar with computers.*These instructions assume that a PC with Windows 2000 or XP is being used with the InternetExplorer web browser.If at any point a message is displayed indicating “You do not have permission to log in.Please contact your administrator,” please refer to the Temporary Internet Files/Cookies andSSL-VPN Access for HSEN ID sections in the Troubleshooting/Configuration section appearinglater in this document.SSL VPN Troubleshooting GuidePage 3

Java InstallationThe first step in setting up your SSL-VPN connection is to ensure that the latest Java software is installedon your PC. Java is a software platform that allows certain types of programs to run. Java may beobtained by accessing the following website: Follow the links to obtain the latestJava client. If presented with several options, the latest JRE (Java runtime environment) for theappropriate system platform should be downloaded and installed. In order to properly install Java anadministrator account for the PC is usually required.Browser ConfigurationAfter installing Java, open a web browser and input the following address: following screen should display:Figure 1: The SSL-VPN Login ScreenIf this screen does not appear, the following screen, or one similar to it may display:SSL VPN Troubleshooting GuidePage 4

Figure 2: ActiveX Control PromptThe message at the top of the browser pane is indicating that the ActiveX control, an internet browserbased piece of code, that launches the Cache Cleaner, a component of SSL-VPN that clears temporaryfiles in your browser to maintain security, was prevented from automatically running. This is due torestrictions established by the security settings in the browsing software.The following permission dialog may also appearSSL VPN Troubleshooting GuidePage 5

Figure 3: Cache Cleaner Permission PromptClick on the Always button to allow your browser to install the Juniper Networks Cache Cleaner, arequired component for SSL-VPN access.The gray circle in front of the words Cache Cleaner shown above may also display as a red circle.Additionally, an error message may display stating “You do not have permission to login. Please contactyour administrator” without displaying the Username and Password boxes (if these boxes are presentand you see this error message, the problem is possibly related to the HSEN UserID and will bediscussed later). This may happen due to an outdated version of Java being installed (althoughcompleting the step regarding Java installation would rule this out) or because Java is not being allowedto run properly as a result of restrictive browser security settings.In Internet Explorer, the easiest way to set up the browser to allow Java and ActiveX for SSL-VPN accessis by taking the following steps:From within Internet Explorer, go to Tools - Internet Options - Security. The following screen shoulddisplay:Figure 4: The Security TabFirst, click on the green circle with the white checkmark in it above the words Trusted sites. Then click onthe Sites button, and type https://* into the box where it says Add this Web site to the zone.Click the Add button after this is accomplished, and the screen should now look like the following:SSL VPN Troubleshooting GuidePage 6

Figure 5: The Trusted Sites WindowClick the OK button (which will close the above window), and then click on the Custom Level button onthe next screen. The following screen will display:Figure 6: The Security Settings WindowEnsure that the Low option is selected in the Reset to drop down list, and then press the Reset button. Aconfirmation dialog will now appear. Press Yes on this confirmation screen (which will close theconfirmation dialog) and then the OK button again on the Security Settings screen pictured above.The browser should now permit Java and ActiveX for all websites belonging to the secure state.ny.usdomain, including the Connections SSL-VPN access site.Close out all open browser windows, then re-open the browser, and input address and the Username and Password entry boxes should display.SSL VPN Troubleshooting GuidePage 7the

Citrix Client InstallationThe Citrix Presentation Agent (PN Agent) must be downloaded and installed in order to reach theConnections application. This can be downloaded from within the SSL-VPN interface, after successfullylogging in to After a valid HSEN login and password which has beengranted permission to access SSL-VPN has been entered, the following screen appears:Figure 7: The Web Bookmarks Screen - Citrix Client DownloadScrolling to the bottom of that page displays a section entitled “Files”. In the files section, click on the“Citrix Client” link. A page will now display with two files available for download, Citrix.exe and VPN Troubleshooting GuidePage 8

Figure 8: The Citrix.exe download linkClick on the Citrix.exe link. A prompt should now appear with the choices of Run, Save, or Cancel.Select Save and download the file to a convenient location, such as the Windows Desktop or MyDocuments folder.The Citrix.exe file will now be downloaded and stored to that location. The download may take severalminutes to complete. Once the download has finished, navigate to the Citrix.exe file that was justdownloaded.SSL VPN Troubleshooting GuidePage 9

Figure 9: The downloaded Citrix.exe fileDouble click on the Citrix.exe file, which should appear as above. Several windows will pop up anddisappear on their own, and after they complete, the PN Agent should be installed successfully,completing this step. Note that it may be necessary to be logged in with administrative credentials tosuccessfully install the PN Agent.Attempting to Access ConnectionsOnce the above setup steps have been taken, the computer should now be properly configured foraccessing Connections.Open Internet Explorer, and again go to, where the login screen willappear.[Note: If a message is displayed indicating, “You do not have permission to log in. Please contact youradministrator”, refer to the Temporary Internet Files/Cookies and SSL-VPN Access for HSEN ID sectionsin the Troubleshooting/Configuration section appearing later in this document.]The SSL-VPN login screen should now appear, and the next step will be to enter a valid HSEN UserIDand password and press the Enter key, or click the Sign In button. The following page will then load:SSL VPN Troubleshooting GuidePage 10

Figure 10: Launching the Secure Session ManagerThis page will load the Secure Session Manager, which is necessary for maintaining a secure connectionto the state network. The Secure Session Manager will appear in the lower right corner of the screen, asshown in the above picture.Do not click on the “click here to continue” link unless there has been an extremely long delay (overtwo minutes) without the Secure Session Manager window appearing or signs of activity. Also do notclose the Secure Session Manager window when it appears.[Note: If the Secure Session Manager window fails to appear, or a message is received indicating that aPop-up was blocked, refer to the Pop-up Blocking section in the Troubleshooting/Configuration sectionappearing later in this document.]After the Secure Session Manager loads, the Web Bookmarks page should be displayed. To get toConnections, click on the Connections Application link, as shown below:SSL VPN Troubleshooting GuidePage 11

Figure 11 - Selecting the Connections Application Link from the Web Bookmarks PageA new window should be open, displaying another login screen and entitled Web Interface for MetaFramePresentation Server, as shown below:SSL VPN Troubleshooting GuidePage 12

Figure 12: The Web Interface for MetaFrame Presentation Server login screen[Note: If the Web Interface for MetaFrame Presentation Server window does not appear, and insteadthere is a window with an error message stating “The page cannot be displayed” or “Action cancelled”please refer to the Proxy Server Issues, Windows Issues, and Address Resolution Issues sections of theTroubleshooting/Configuration section appearing later in this document.]Enter the HSEN UserID and password of the person whose Connections session is to be accessed, andthen press the Enter key or click the Log In button.A screen displaying several icons will appear, as shown below. The message stating “Your applicationshave not been reconnected. Your farms do not support workspace control or do not trust the server”appears, but may be ignored since it does not impact the ability to access Connections. [As a side note,the term “farm” refers to a collection of servers.]Figure 13: The Connections Application Icons screenSelect either the Connections Desktop 95 Percent or the Connections Desktop Full Screen icon. Bothicons will launch the Connections application, but in different resolution modes. The 95 Percent icon willcause the Connections session to occupy 95% of the desktop, leaving the Windows toolbar and StartMenu visible. In full screen mode, Connections will occupy the entire screen. Which display mode to useis a matter of personal preference, however, if the desktop resolution is set a size less than 1024 by 768,it may be necessary to use the full screen mode in order to view all buttons within Connections.Upon clicking either of the icons, a progress indicator window will appear, as shown below.SSL VPN Troubleshooting GuidePage 13

Figure 14: Indicator of Connections application launch progressAfter the progress bar is filled, the Citrix session containing the Connections application will appear. Afterclicking the OK button on the confidentiality notice that appears, the Connections desktop will appear, asshown below.SSL VPN Troubleshooting GuidePage 14

Figure 15: The Connections desktopClicking on the Connections icon will open the Connections toolbar, and the application is available foruse.Troubleshooting/Additional ConfigurationTemporary Internet Files and Cookies IssueWhen attempting to login to the SSL-VPN login screen, an error message indicating, “You do not havepermission to login. Please contact your administrator” may appear before the login box is presented, asshown below:Figure 16: The Lack of Permission error messageThis is caused by “congestion” in the temporary files stored by Internet Explorer. In order to remedy this,go to Tools - Internet Options. This will display the General settings tab. Press the Delete Cookiesbutton. A box will appear asking permission to delete all cookies, as shown below.SSL VPN Troubleshooting GuidePage 15

Figure 17: The Delete Cookies button and permission dialogPress the OK button. This will close the dialog and return to the General settings tab.Next press the Delete Files button. A dialog will appear asking permission to delete to temporary files, asshown below.SSL VPN Troubleshooting GuidePage 16

Figure 18: The Delete Files Button and Delete Offline Content dialogCheck the check box for Delete all offline content, and then click the OK button. An hourglass mayappear and there may be a delay of several minutes while the temporary internet files are cleared. Waituntil the hourglass goes away.Click on the OK button, which will close the Internet Options screen and return to the browser window.Press the F5 key on the keyboard to refresh the screen, and the SSL-VPN login screen should appear. Ifit does not, close all open browser windows and re-open Internet Explorer and go to again. If this does not successfully display the login screen, repeat theabove steps and try once more.Using the Sign Out button on the Web Bookmarks screen (shown below) when finished with Connectionswill greatly reduce the occurrence of temporary internet file and cookie problems.Figure 19: The Sign Out button should be used when finished with Connections (see top right)SSL-VPN Access for HSEN IDIf a user attempts to login to the SSL-VPN login window and receives the “You do not have permission tologin. Contact your administrator” error message, it indicates that the HSEN UserID for that user has notbeen granted SSL-VPN access. Access can be granted by obtaining the application for SSL-VPN accessfrom The application form and instructions for completing it areavailable at that link. The Security Coordinator, Local Security Administrator, or other authorizedrequestor must submit the form.Pop-up BlockingMany pop-up blocking utilities will prevent the Secure Session Manager from opening. These pop-upblockers can include the native Pop-Up Blocker contained in Internet Explorer, the Yahoo Toolbar, theSSL VPN Troubleshooting GuidePage 17

Google Toolbar, or other third-party spam/pop-up/adware blocking software. These pop-up blockersmust either be disabled, or configured to allow the Secure Session Manager.Most third-party toolbars have a setting to permit pop-ups for certain sites, but if that cannot be located,the toolbar will need to be uninstalled or removed. This can usually be done by going to Start Menu - Settings - Control Panel - Add or Remove Programs and then selecting the offending toolbar andchoosing Remove. If the offending toolbar cannot be located in this listing, it may be necessary to contactcomputer support personnel or the toolbar’s vendor (e.g. Google, Yahoo, AOL).Internet Explorer’s built in Pop-Up Blocker can be configured to allow the Secure Session Manager toload from within Internet Explorer. Go to Tools - Internet Options - Privacy, which will display thefollowing screen if the version of Internet Explorer installed on this PC has built-in pop-up blocking.Figure 20: The Privacy Tab and Pop-Up Blocker Settings ButtonClick on the Settings button, which will display the screen below.SSL VPN Troubleshooting GuidePage 18

Figure 21: The Pop-Up Blocker Settings windowEnter * into the Address of Web site to allow box and then click on the Add button. Next, clickon the Close button, followed by the OK button on the next screen.Internet Explorer should no longer prevent the Secure Session Manager window from opening. Ifsomething is still preventing the window from opening, continue to look for third-party software that maybe blocking pop-ups.Windows IssuesIf after clicking the Connections Application link on the Web Bookmarks page, a window appears andstates “The page cannot be displayed” or “Action cancelled”, it could possibly be the result of Windowsneeding to be updated.Windows can be updated by going to Start - Windows Update and selecting Custom, followed by thedownloading and installation of all High Priority Updates and any Windows XP Updates listed underSoftware, Optional. In order to run Windows Update, an administrative account for the local PC is usuallyrequired. If the current account does not have administrative privileges, the LAN administrator orcomputer support staff at the site may be able to perform the necessary steps or grant administrativerights, if appropriate.Proxy Server IssuesIf the “Page cannot be displayed” or “Action cancelled” message is still appearing after clicking theConnections Application link on the Web Bookmarks page, there may be an issue with the proxy server, atool used to filter out certain types of undesired internet traffic, at the site blocking access to Connections.To set up Internet Explorer’s proxy setting to allow Connections access, go to Tools - Internet Options - Connections. The following window will appear:SSL VPN Troubleshooting GuidePage 19

Figure 22: The LAN Settings button on the Connections tab in Internet ExplorerClick on the LAN Settings button, and the following window will appear:SSL VPN Troubleshooting GuidePage 20

Figure 23: The LAN Settings Window with Proxy Server enabledIf the “Use a proxy server for your LAN” box is not checked, there is no locally configurable proxy serveroption that will resolve this issue. Do not check this box if it was not already checked, as it may disruptthe network connectivity of the PC.If the “Use a proxy server for your LAN” is checked, click on the Advanced button, and the windowpictured below will appear.Figure 24: The Proxy Settings Window with *citrix* as an added exceptionIn the “Do not use proxy server for addresses beginning with:” box, type *citrix*.Connections to bypass the proxy server and be able to be opened.This will permit[Note: Do not make any other changes to the proxy server settings other than the one listed above. Thiscould affect internet connectivity on this PC.]Finish this step by clicking the OK button on this screen followed by clicking the OK button on the nextscreen. It may be necessary to close all open browser windows and re-open Internet Explorer after thisstep.Address Resolution IssuesIf the “Page cannot be displayed” or “Action cancelled” message is still appearing after clicking theConnections Application link on the Web Bookmarks page, there may be an issue with the networkconfiguration at the site blocking access to Connections.A modification to the hosts file in Windows can sometimes fix this. Administrative access to the PC isusually necessary to attempt this fix. Additionally, care must be taken when modifying the Hosts file, as itcan disable access to network resources if not configured properly.SSL VPN Troubleshooting GuidePage 21

Open My Computer and navigate to C:\Windows\System32\Drivers\Etc. This will display the folder shownbelow:Figure 25: The C:\Windows\System32\Drivers\Etc folder with Hosts fileDouble-click on the file named Hosts. If prompted to choose what application is to be used to open thisfile, select Notepad.This will open the Hosts file, which will most likely appear as shown below:Figure 26: The Unmodified Hosts filePlace the cursor below the last line in the Hosts file, which is the line in this case. Next, typethe following without quotation marks “ [Press the Tab key on the keyboard]”. The Hosts file should now appear as below:SSL VPN Troubleshooting GuidePage 22

Figure 27: The Modified Hosts file[Note: Do not modify or remove any lines already in the Hosts file. If there are more entries in theHosts file than the ones pictured above, that is fine. Incorrect changes to the Hosts file can causenetwork resources to become unavailable.]Go to File - Save. Close all open browser windows, re-open Internet Explorer, and attempt accessingConnections again. If this does not work, reboot the PC and try again.If the same “Page cannot be displayed” or “Action cancelled” screen continues to appear, then theproblem lies somewhere in the connection between this site and the state network. The networkadministrator for this site will need to be contacted, as it may be necessary to add permissions for accessto the link to the firewall, routing tables, or proxy server of the agencynetwork.Software Firewall IssuesFor PCs with software firewalls installed (such as Zonealarm or Norton Internet Security), it may benecessary to permit access to the internet for the Jupiter Networks Cache Cleaner component.Typically, if a software firewall is uncertain how to process a request by the Cache Cleaner component toaccess the internet, a prompt will be displayed asking whether to allow or deny access. There is usuallya check box to indicate that the software firewall should remember the decision. If this prompt appearsand there is an option to store the setting, select that option and choose to allow access.If that option is not presented, please refer to the documentation for the software firewall being used todetermine the steps necessary to permit access of a specified component to the internet.Adding Shortcuts to ConnectionsIf Connections will be used frequently on this computer, it may be useful to create a shortcut to thisaddress on the Windows desktop or to save this address to the list of Favorites. This is not a requiredstep, but it may make getting to Connections easier for the person using this computer.To save this address to the Favorites list, go to Favorites- Add to Favorites. A prompt will appearindicating that this address will be added to the list of Favorites under the name “New York State Officefor Technology”. This name can be renamed to anything that will make it easier to determine what thislink is to by replacing the “New York State Office for Technology” text with anything else, such as“Connections” or “SSL-VPN Login”.To place a shortcut to the SSL-VPN login screen on the Windows desktop, go to File - Send - Shortcutto Desktop. An icon entitled “New York State Office for Technology” will now appear on the desktop. Ifdesired, right clicking on the icon and choosing Rename will enable the icon name to be changed.SSL VPN Troubleshooting GuidePage 23

Further AssistanceIf you are still encountering problems using or configuring SSL-VPN, please contact the New York StateEnterprise Help Desk at (800) 697-1323. This resource is provided as a free service by New York Stateand will not incur any costs to the agency or site.SSL VPN Troubleshooting GuidePage 24

Figure 5: The Trusted Sites Window . Click the OK button (which will close the above window), and then click on the Custom Level button on the next screen. The following screen will display: Figure 6: The Security Settings Window . Ensure that the Low option is selected in the Reset to drop down list, and then press the Reset button. A