Page

Eurex Repo / SecLend

CVI to SCAP Migration Guide
SWX-XRS-MAN-20100216/E, 16.02.2010 This manual provides a technical overview on how to migrate the VPN infrastructure from the CVI to the SCAP environment.

Unrestricted Documentation marked 'Confidential' is intended only for the parties on the distribution list and may not be supplied or made available to third parties without the express consent of SIX Group Ltd or the companies associated with SIX Group Ltd (referred to below as SIX Group Ltd). The information contained in this document is given without warranty, implies no obligation of any kind on the part of SIX Group Ltd and may be altered by SIX Group Ltd at any time without further notice. To the extent permitted by law, SIX Group Ltd accepts no liability whatsoever for any errors contained in this document. SIX Group Ltd is under no obligation whatsoever to draw attention to such errors. Technical documentation must be used only in conjunction with the correct software version and may be used and copied only in accordance with the terms of the licence. All software described in the technical documentation is supplied on the basis of a licence agreement and may be used or copied only in accordance with the terms of the said licence agreement. © Copyright SIX Group Ltd, 06.2009. All rights reserved. All trademarks observed.

Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction

Page iii SWX-XRS-MAN-20100216/E 16.02.2010

Table of Contents
1 Introduction......................................................................................................................................................... 1 1.1 1.2 1.3 1.4 1.5 1.6 2 Purpose & Scope ................................................................................................................................. 1 Definitions & Abbreviations .................................................................................................................. 1 References........................................................................................................................................... 1 Outstanding Issues .............................................................................................................................. 2 Timescales........................................................................................................................................... 2 Contact................................................................................................................................................. 2

Technical Requirements ..................................................................................................................................... 3 2.1 Cisco VPN Clients................................................................................................................................ 3 2.1.1 Supported Cisco VPN Software Clients ..............................................................................3 2.1.2 Supported Cisco VPN Hardware Clients .............................................................................3

3 4

Connectivity Options........................................................................................................................................... 3 Network & Firewall Considerations ..................................................................................................................... 4 4.1 4.2 4.3 4.4 4.5 4.6 4.7 SIX IPSec Endpoints for IPSec Hardware and Software Clients.......................................................... 4 DNS Servers without IPSec Tunnel Connection .................................................................................. 4 DNS Servers with IPSec Tunnel Connection ....................................................................................... 5 NTP Server for Hardware and Software Clients................................................................................... 5 Web Servers ........................................................................................................................................ 5 Eurex Repo / SecLend Application Servers ......................................................................................... 6 HTTP Proxy Server Exceptions ........................................................................................................... 6

5

Migration in 3 Steps ............................................................................................................................................ 6 5.1 5.2 5.3 Step 1 – Get Old VPN Certificate Information ...................................................................................... 7 Step 2 – Contact Technical Helpdesk .................................................................................................. 7 Step 3 – Set up New VPN Connection to the SCAP Environment ....................................................... 8 5.3.1 Cisco VPN Software Client.................................................................................................. 8 5.3.2 Cisco VPN 3002 Hardware Client ....................................................................................... 8 5.3.3 Cisco ASA 5505 Hardware Client ....................................................................................... 8

6

Connecting Eurex Repo / SecLend Application via New VPN Infrastructure ...................................................... 9 6.1 6.2 Adapt TradingClientGUI.config ............................................................................................................ 9 Update USP Proxy Configuration......................................................................................................... 9

Appendix A – Connectivity Options.............................................................................................................................. 11 A.1 Connectivity Options ............................................................................................................................... 11 A.1.1 Internet Connectivity ................................................................................................................. 11 A.1.2 Managed IP Services................................................................................................................ 12 Appendix B – How to Access the CVI Web.................................................................................................................. 12 B.1 Eurex Repo Sealed Envelope ................................................................................................................. 12 B.2 Accessing the CVI Public Web................................................................................................................ 13 B.3 Accessing the CVI Private Web .............................................................................................................. 13
Unrestricted

Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction

Page iv SWX-XRS-MAN-20100216/E 16.02.2010

Appendix C – Network Setup ....................................................................................................................................... 15 C.1 Network Setup with a Hardware or Software Client ................................................................................ 15 C.1.1 Ports Used for IP Traffic to Hardware or Software Clients........................................................ 16 C.1.2 SIX Swiss Exchange IPSec endpoints for IPSec Hardware and Software Clients ................... 16 C.2 NTP Server for Hardware and Software Clients ..................................................................................... 17 Appendix D – Installation: Cisco VPN Software Client................................................................................................. 17 D.1 Installation Checklist ............................................................................................................................... 17 D.2 Basic Setup............................................................................................................................................. 18 D.2.1 Cisco VPN Software Client Installation..................................................................................... 18 D.2.1.1 Download Cisco VPN Software and Connection Entries ...................................... 18 D.2.1.2 Install Cisco VPN Client Software.........................................................................18 D.2.1.3 Import CA Root Certificate.................................................................................... 18 D.2.1.4 Reinstall the Cisco VPN Software Client .............................................................. 19 D.3 IPSec Tunnel Setup................................................................................................................................ 19 D.3.1 Obtain Personal Certificate....................................................................................................... 19 D.3.2 Import Connection Entry........................................................................................................... 20 D.3.3 Import Personal Certificate ....................................................................................................... 21 D.3.4 Assign Certificate to Connection Entry ..................................................................................... 21 D.3.5 Check IPSec Tunnel................................................................................................................. 21 Appendix E – Installation: Cisco VPN 3002 Hardware Client....................................................................................... 22 E.1 Installation Checklist ............................................................................................................................... 22 E.2 Basic Setup............................................................................................................................................. 23 E.2.1 IPSec Tunnel Setup.................................................................................................................. 23 E.2.2 Check Software Version ........................................................................................................... 23 E.2.3 Configure Group Authentication ............................................................................................... 23 E.2.4 Establish VPN Connection........................................................................................................ 24 E.2.5 Download and Install CA Root Certificate................................................................................. 24 E.2.6 Generate and Send Certificate Enrolment Request.................................................................. 24 E.2.7 Install Certificate and Check IPSec Tunnel............................................................................... 25 E.2.8 Continuing Application Installation ............................................................................................ 26 E.2.8.1 DNS Configuration on Application PC................................................................... 26 Appendix F – Installation: Cisco ASA 5505 Hardware Client ....................................................................................... 27 F.1 Installation Checklist ............................................................................................................................... 27 F.2 Basic Setup ............................................................................................................................................. 27 F.2.1 Cisco ASDM Setup ................................................................................................................... 28 F.2.2 Check Software Version of ASDM ............................................................................................ 28 F.2.3 Cisco ASDM Installation on the ASA 5505 ............................................................................... 28 F.2.4 Cisco ASDM Installation on the PC........................................................................................... 29 F.2.5 IPSec Tunnel Setup .................................................................................................................. 30 F.2.6 Check Software Version of ASA 5505 ...................................................................................... 30 F.2.7 Configure Group Authentication................................................................................................ 30 F.2.8 Configure DNS.......................................................................................................................... 31 F.2.9 Download and Install CA Root Certificate ................................................................................. 32 F.2.10 Generate and Send Certificate Enrolment Request ................................................................ 33 F.2.11 Install Certificate and Check IPSec Tunnel............................................................................. 35 F.2.12 Continuing Application Installation .......................................................................................... 37 F.2.12.1 DNS Configuration on Application PC................................................................. 37
Unrestricted

Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction

Page v SWX-XRS-MAN-20100216/E 16.02.2010

Appendix G – Infrastructure Service Provider (ISP) Contacts...................................................................................... 38 G.1 Internet Connectivity............................................................................................................................... 38 G.2 Managed IP Services ............................................................................................................................. 38

Unrestricted

This manual describes the steps needed to migrate from the Common VPN Infrastructure (CVI) to the SIX Common Access Portal (SCAP) infrastructure. Please note that the SIX Common Access Portal (SCAP) is based on CVI v4 and v5. a migration is required anyway. Support of new VPN hardware client: ASA 5505 Client. Therefore the name CVI is sometimes used in relation with both.02. Higher flexibility to increase/decrease bandwidth in a shorter time period. Since CVI v4 has different root certificates. Benefits of this standardisation for Participants are:    Higher number of carriers who offer lines to our systems.1 Purpose & Scope SIX Swiss Exchange aims for a standardisation of VPN access to its different services. 1.Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction Page 1 SWX-XRS-MAN-20100216/E 16.  1.3 References This document relates to the following documents: Unrestricted . Former name of SIX Swiss Exchange Virtual Private Network 1. the old and the new environment. A high number of CVI certificates expire in February 2010 and have to be renewed.2 Definitions & Abbreviations Term/Abbreviation CVI SCAP SIX SSL SWXess SWX VPN Explanation Common VPN Infrastructure SWX Common Access Portal SIX Swiss Exchange Secure Socket Layer SIX Swiss Exchange Trading Platform SWX Swiss Exchange.2010 1 Introduction SIX Swiss Exchange will replace the current VPN infrastructure called Common VPN Infrastructure (CVI).

  1. Lines connected to SWXess can not be used for connecting to Eurex Repo / SecLend.com/publications/ 1.eurexrepo. MSC Messages are published here: http://www.com/support/news.html http://www.02.5 Timescales The migration period will run for 3 months. SWXess connectivity options like Ethernet Service. please contact your Eurex Repo Technical Helpdesk: Geneva: London: Zurich: +41 58 854 2028 +44 20 7864 4334 +41 58 854 2488 Unrestricted . Optical Link and Proximity Service can not be used for connections to Eurex Repo / SecLend.eurexrepo.SIX Connectivity Guide 2 Hardware and Software Requirements Applicable Reference and Version SWX-SCAP-CNTY-GUID700/E SWX-XRS-HWSW-REQ107/E Location & Link https://www.swx.Eurex Repo / SecLend CVI to SCAP Migration Guide Introduction Page 2 SWX-XRS-MAN-20100216/E 16.2010 Reference & Document Title 1 SCAP .4 Outstanding Issues   Routers can not be used for connections to Eurex Repo / SecLend. Tunnels established for SWXess can not be used for Eurex Repo / SecLend.com/members/cvi/scap. 1. only connections to the SCAP environment will be accepted.6 Contact For further information about specific issues. Please refer to the corresponding MSC Messages for specific dates. SIX Swiss Exchange highly recommends to migrate before the expiry of the old certificate. After that.html A high number of CVI certificates expire in February 2010 and have to be renewed.

1 Supported Cisco VPN Software Clients Cisco VPN Software Client Type Cisco VPN Software Client V5.x Cisco VPN 3002 Hardware Client V4. please contact your Infrastructure Service Provider (ISP) to determine the measures needed.02.7.8.2.1 Cisco VPN Clients The following tables give an overview of the supported Cisco VPN Clients for the old CVI infrastructure and the new SCAP infrastructure.02.J Old (CVI)     New (SCAP)     3 Connectivity Options For an overview and details of the different connectivity options.Eurex Repo / SecLend CVI to SCAP Migration Guide Technical Requirements Page 3 SWX-XRS-MAN-20100216/E 16.2 Supported Cisco VPN Hardware Clients Cisco VPN Hardware Client Type Cisco ASA 5505 Hardware Client V8.1.0(4)28. Please note that SIX Swiss Exchange does not provide any hardware equipment.2010 2 Technical Requirements This chapter will give an overview of the requirements for the old CVI Infrastructure and the new SCAP infrastructure.2. only a software client kit and accompanying software for participants using the Cisco VPN 3002 or Cisco ASA 5505 Hardware Client.0560 Cisco VPN Software Client V4.0. You can find a list of contacts in Appendix G – Infrastructure Service Provider (ISP) Contacts.7.1.3 Cisco VPN 3002 Hardware Client V4.1.03. 2. Unrestricted .0010 Cisco VPN Software Client V4.1 Connectivity Options If you have a Managed IP Service connection to Eurex Repo / SecLend.6.2.0011 Old (CVI)    New (SCAP)    2.P Cisco VPN 3002 Hardware Client V4. see A.02. ASDM 6. 2.7.

109.com 146.10 (virtual IP addresses) vpnzs.66.com 146.244 146.swx.12 New (SCAP) Membertest and Production Data Center A Data Center B vpn.129.com 146.com 146.swx.109.1 SIX IPSec Endpoints for IPSec Hardware and Software Clients The table below gives the FQDN and IP addresses of the SIX Swiss Exchange IPSec endpoints for hardware and software clients for the old CVI infrastructure and the new SCAP infrastructure.129.10 (virtual IP address) vpnprodsn1.109.com 146.109.109.40 (virtual IP address) vpntest1.109.41 vpntest2.2 DNS Servers without IPSec Tunnel Connection The following table gives an overview of the DNS servers without IPSec connection of the old CVI infrastructure and the new SCAP infrastructure.0.com 146.com 146.64.109.10 146.swx.swx.109.11 vpnzs02.109.129.109. Old (CVI) Membertest Data Center A Production Data Center A Data Center B vpnprod. These DNS servers resolve VPN Endpoints.129.109.com 146.0.109.109.42 vpnprodsn.com 146.swx.0.109.250 Unrestricted .swx.64.64.109.109.swx.249 146.10 146.swx.109.250 146.12 4.com 146.109.129.swx.2010 4 Network & Firewall Considerations 4.12 vpnprodht.swx.com 146.11 vpnzh02.com 146.2.128.com 146.109. Data Center Data Center A Data Center A Data Center B Data Center B Old (CVI) 146.11 vpnprodsn2.swx.109.02.com 146.10 (virtual IP address) vpnzs01.109.109.10 (virtual IP addresses) vpntest.129.241 146.swx.com 146.0.128.com 146.128.10 (virtual IP address) vpnprodht1.109.com 146.242 New (SCAP) 146.Eurex Repo / SecLend CVI to SCAP Migration Guide Network & Firewall Considerations Page 4 SWX-XRS-MAN-20100216/E 16.129.swx.109.109.128.12 vpnzh.128.swx.swx.66.249 146.129.129.2.swx.129.109.109.64.244 146.11 vpnprodht2.swx.10 (virtual IP address) vpnzh01.

4 NTP Server for Hardware and Software Clients Please refer to C.com/members/cvi/software_en. These DNS servers resolve Eurex Repo / SecLend application servers.swx.39.3 DNS Servers with IPSec Tunnel Connection The following table gives an overview of the DNS servers in IPSec connection tunnels in the old CVI infrastructure and the new SCAP infrastructure.109.com Unrestricted .5 Web Servers To access the SCAP public and private websites you need to have access to the following URLs: Old (CVI) CVI Public Web login page: https://www.2010 4.ch/prvweb/login (Production) New (SCAP) SCAP Public Web login page (SSL): https://www.29.prd.0.157 172.109.cvi.55.29.5.com/members/cvi/scap.140 172.html CVI Private Web via enrolment tunnel: http://www.251 146.4.251 146.252 146.109.157 172.55.mbt.39.139 New (SCAP) 146.0.31.252 4.02.swx.cvi.31.swx.html SCAP Private Web (SSL): https://vpn.109.Eurex Repo / SecLend CVI to SCAP Migration Guide Network & Firewall Considerations Page 5 SWX-XRS-MAN-20100216/E 16. Data Center Data Center A Data Center A Data Center B Data Center B Old (CVI) 172.six-swiss-exchange.six-swiss-exchange.2 NTP Server for Hardware and Software Clients 4.ch/prvweb/login (Membertest) http://www.

swx (for application servers) (for SCAP Private Web) 5 Migration in 3 Steps For the migration period you can run VPN connections to the old CVI environment and to the new SCAP environment in parallel.prd.mbt.erm.pn.62 172.02.61 172.1.erm.33.48.4.109.erm.31.erm.29.erm.swx rmtws1.pn.ps. Online Help and Statistics.1.180 New (SCAP) rmtws.swx.109.swx rmtws2. for these specific websites.pn.swx *. Environment Membertest Old (CVI) www.254 146.ch Production www.mbt.254 146.32.ch rprws2.109.pn.2010 4. Unrestricted .swx rprws2.254 146.29.61 172.pn.ch New (SCAP) *.ch IP Address 172.swx.180 172.ch rmtws.swx. The following HTTP proxy server exceptions have to be set in your webbrowser: Old (CVI) *.31.109.prd.254 146.swx.mbt. you need to ensure that you have disabled any potential HTTP proxy server on the client PC. Therefore.erm.31. This allows you to set up the new VPN connections while the traders still connect via the old CVI environment.mbt.ch www1.6 Eurex Repo / SecLend Application Servers The table below gives the FQDN and IP addresses of the Eurex Repo / SecLend application servers for the old CVI infrastructure and the new SCAP infrastructure.29.180 172.swx.ch rprws. (Membertest / Production) is not possible via a web-proxy server.swx.swx IP Address 146.erm. You do not have to inform us about your migration.prd.49.ch www1.254 4.254 146.prd.erm.prd.32.swx.7 HTTP Proxy Server Exceptions Access to the various online features provided by Eurex Repo / SecLend like: Member Page with Newsboard.4.swx rprws.swx.109.180 172.109.1.ch rmtws1.1.swx.109.pn.swx.swx.erm.29.mbt.ch rprws1.Eurex Repo / SecLend CVI to SCAP Migration Guide Migration in 3 Steps Page 6 SWX-XRS-MAN-20100216/E 16.swx rprws1. due to the use of Cisco VPN Client.pn.ch rmtws2.254 146.erm.prd.109.33.31.254 146.49.5.mbt.5.ch www2.swx.ch www2.62 172.erm.48.swx.erm.

Only the VPN Entrypoint ID and the Username will change.Eurex Repo / SecLend CVI to SCAP Migration Guide Migration in 3 Steps Page 7 SWX-XRS-MAN-20100216/E 16.x.2 Step 2 – Contact Technical Helpdesk CVI Group Authentication Name: cvienvusr CVI Group Authentication Password:enrlpasswd VPN Entrypoint ID: Certificate Type: Username: Password: 123 0 ERMM01123 cvipassword VPN Entrypoint ID: Certificate Type: Username: Password: 789 0 ERMM016789 cvipassword Environment Membertest Production Old CVI Certificate Name ERMM01abcd ERMP01abcd IP Address 172.x.2010 5.x New SCAP Certificate Name ERMM01efgh ERMP01efgh IP Address 10.x. SIX Swiss Exchange will not send out the sealed envelopes again.x.x.x) assigned. The certificate with the lowest number in the old CVI name will correspond to the one with the lowest number in the new SCAP name.2 Step 2 – Contact Technical Helpdesk As soon as you have assembled all the VPN Entrypoint information. The credentials for your current CVI certificates will automatically be renamed and migrated to SCAP. Passwords will remain the same for the new certificates as for the corresponding old ones (see sealed envelope). as illustrated below: Old CVI Credentials in Sealed Envelope CVI Personal Certificate Download Information Environment: Participant Name: Membertest / Production Participant Full Name New SCAP Credentials The information from your sealed envelope is still valid.x.x. “VPN Entrypoint ID” and “Username” will change to a higher number. 5.x. Unrestricted . If you do not remember your passwords you can request new sealed envelopes with the technical helpdesk.1 Step 1 – Get Old VPN Certificate Information The sealed envelope containing the “CVI Personal Certificate Download Information” is still valid for your SCAP credentials.x.x 172. See: 5.02.x. please contact the Eurex Repo Technical Helpdesk to get an e-mail with a list of your current and your new certificates (without passwords).x Your current certificates will be “renamed” to a higher number and will get a different IP address (10. You will get an e-mail from the technical helpdesk with these updates.x 10.

3 Cisco ASA 5505 Hardware Client To establish a Cisco ASA 5505 Hardware Client connection please refer to Appendix F – Installation: Cisco ASA 5505 Hardware Client Unrestricted .1 Cisco VPN Software Client To establish a Cisco VPN Software Client connection please refer to Appendix D – Installation: Cisco VPN Software Client 5.2 Cisco VPN 3002 Hardware Client To establish a Cisco VPN 3002 Hardware Client connection please refer to Appendix E – Installation: Cisco VPN 3002 Hardware Client 5.3 Step 3 – Set up New VPN Connection to the SCAP Environment You have to do a full enrolment process for each certificate to establish a connection to the new SCAP environment.Eurex Repo / SecLend CVI to SCAP Migration Guide Migration in 3 Steps Page 8 SWX-XRS-MAN-20100216/E 16.2010 5.3.02.3. 5.3.

config To connect a Eurex Repo / SecLend Trading Client GUI directly via the new SCAP infrastructure.reg (Configuration for Membertest M01 environment) SCAP_M02_USP_Proxy_config.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 9 SWX-XRS-MAN-20100216/E 16. proceed as follows: Unrestricted .1 Adapt TradingClientGUI. In the TradingClientGUI.2 Update USP Proxy Configuration If you connect your Trading Client GUI through a USP Proxy (Concentrator).reg (Configuration for Membertest M02 environment) SCAP_P01_USP_Proxy_config.IPaddress = rmtws. you have to adapt the TradingClientGUI.TradingClientGUI.ric. Please note that you have to logon as a member of the administrator group to adapt the settings in the .ric.02.config file (by default located “C:\Program Files\SWX Swiss Exchange\Eurex Repo Trading GUI [environment]”) change the following parameter:   For the Membertest environment: swx. You only have to adapt either the TradingClientGUI. Please note that you have to logon as a member of the administrator group to update the registry files.config file or the USP Proxy (Concentrator) registry files. In our download section we will provide new registry files to configure your USP Proxy.swx 6.    SCAP_M01_USP_Proxy_config. 6. Download the new registry files and execute the appropriate one (Membertest or Production).pn.swx = rprws. depending on how you connect. you do not have to change the GUI settings but update the registry entries of the USP Proxy with the new Eurex Repo / SecLend application servers.reg (Configuration for Production P01 environment) To connect the USP Proxy to the appropriate environment.IPaddress For the Production environment: swx.config file.pn.2010 6 Connecting Eurex Repo / SecLend Application via New VPN Infrastructure As soon as you have set up the new VPN connections you can connect your Eurex Repo / SecLend trading applications via the new infrastructure.config file with the new Eurex Repo / SecLend application servers.

proceed as above in steps 1 . Unrestricted . This will update the system registry.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 10 SWX-XRS-MAN-20100216/E 16.2010 1. 3. Stop both USP processes (USP-RPC and USP-BCT). Execute the appropriate registry file for the Membertest or the Production environment.02. Restart both USP processes using the desktop icons or restart the PC to automatically start the processes. 2. by closing the DOS windows. 4.3. To reconnect the USP Proxy to the other environment.

2010 Appendix A – Connectivity Options A.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 11 SWX-XRS-MAN-20100216/E 16. Unrestricted . Participants order the service with an Internet Service Provider and handle all maintenance issues themselves.1 Internet Connectivity This connectivity option offers a simple and cost-effective solution designed to meet the needs of participants with low bandwidth requirements.1. Please note that bandwidth availability can never be guaranteed for Internet connections Establishing multiple IPSec tunnels by deploying multiple hardware or software clients is possible.02.1 Connectivity Options There are two connectivity options: Internet or Managed IP Service. A. such as participants with a low daily trading volume.

You should have received a separate communication entitled "CVI . However the procurement of the required hardware. Providers with a POP at SIX that offer Managed IP service are:    BT Radianz Deutsche Börse Systemes Swisscom-Verizon Appendix B – How to Access the CVI Web B.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 12 SWX-XRS-MAN-20100216/E 16.g. setup and maintenance of the IPSec tunnel is the participant’s responsibility. For further information. which explains how to establish a VPN connection using the VPN details below.Common VPN Infrastructure Setup".02. Eurex Repo Technical Helpdesk Zürich +41 (0)58 854 24 88 Geneva +41 (0)58 854 20 28 London +44 (0)20 7864 4334 E-Mail: techhelp@eurexrepo. see the Eurex Repo Installation Guide or contact the Eurex Repo Technical Helpdesk.2 Managed IP Services This connectivity option is designed for participants who want to outsource their network activities e. Below is an example using fictional values: This envelope contains important information for downloading your CVI Personal Certificate.1. The monitoring is hosted by a Managed IP Service provider.2010 A.com CVI Personal Certificate Download Information Environment: Participant Name: CVI Group Authentication Name: CVI Group Authentication Password: VPN Entrypoint ID: Certificate Type: Username: Password: Production Participant Full Name cvienvusr enrlpasswd 123 0 cviuser cvipassword Unrestricted .1 Eurex Repo Sealed Envelope You should have received a sealed envelope containing the “CVI Personal Certificate Download Information”. monitoring.

com. In the Security Alert dialog boxes.02. proceed as follows (an Internet connection is required): 1. 1.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 13 SWX-XRS-MAN-20100216/E 16.six-swiss-exchange.2 Accessing the CVI Public Web To access the CVI Public Web. B.swx. Log in to the CVI Public Web with your Group Authentication Username [ ] and Password [ ] provided in the sealed envelope. Start the browser and enter the following address to open the SCAP login page: https://vpn.2010 B. 2.html 2.com/members/cvi/scap. The “SCAP – SWX Common Access Portal” login page is displayed.3 Accessing the CVI Private Web To be able to access the CVI Private Web via SSL. Unrestricted . click Yes. You are now logged in to the CVI Public Web (see figure below). you must be able to access the Internet. Start the browser and enter the following address to open the CVI Public Web login page: https://www.

Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 14 SWX-XRS-MAN-20100216/E 16. Log in to the CVI Private Web with your VPN entrypoint account Username [ ] and Password [ ] provided in the sealed envelope.2010 3. Log in to SCAP using the Username [ A ] and Password [ B ] from the Sealed Envelope. You are now logged in to the CVI Private Web. Unrestricted .02. The CVI Private Web login page is displayed. 4.

Unrestricted . They do not offer OSI layer 3 network redundancies.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 15 SWX-XRS-MAN-20100216/E 16.02.2010 Appendix C – Network Setup C.1 Network Setup with a Hardware or Software Client Hardware and software clients are connected through a point-to-point connection. However. it is possible to setup manual network failover on the client upstream.

swx.com 146. IP Protocol No.12 Data Center B vpnzs.0.swx.com 146.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 16 SWX-XRS-MAN-20100216/E 16.swx.com 146.1. Connecting with url request https://vpn.1.109.2010 C.11 vpnzh02.109.swx.1 Ports Used for IP Traffic to Hardware or Software Clients The table below indicates what IP traffic must be permitted through which ports between the hardware or software client and the SIX IPSec endpoint.10 (virtual IP address) vpnzh01.swx.64.swx.com will load balance to one or the other datacenter.64.109.swx.109.64.109.11 vpnzs02.2 SIX Swiss Exchange IPSec endpoints for IPSec Hardware and Software Clients The table below gives the FQDN and IP addresses of the SIX IPSec endpoints for hardware and software clients.02.com 146. Name Port Purpose Required for IPSec IPSec Over UDP IPSec Over TCP 17 50 17 17 6 UDP IPSec UDP UDP TCP 500 None 4500 4501 4501 IKE ESP IPSec via NAT-T IPSec via UDP IPSec via TCP                C. Data Center A vpnzh.0.12 Unrestricted .109.com 146.com 146.10 (virtual IP address) vpnzs01.0.

251 146. D.1 Installation Checklist A summary of the required steps is given in the table below.109.2010 C.02. The NTP server addresses are given below: NTP Server Addresses 146.55.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 17 SWX-XRS-MAN-20100216/E 16.251 146. which can be used as a checklist: Task Basic Setup Enrolment Description How to Set up a New Software Client Download Software Download Connection Entry and Root Certificate Install Software Import Root Certificate IPSec Tunnel Setup Generate and Send Certificate Enrolment Request Download Personal Certificate Import Connection Entry Import Root & Personal Certificate Assign Certificate to Environment Connection Entry Check IPSec Tunnel Done            Unrestricted .109. Both hardware and software clients will be able to access the SIX Swiss Exchange Public NTP time server via the IPSec tunnel.39.109.2 NTP Server for Hardware and Software Clients We recommend synchronizing your application system times with SIX Swiss Exchange time.252 146.252 Appendix D – Installation: Cisco VPN Software Client This section explains how to install the Cisco VPN Software Client as well as the associated configuration files and certificates.55.39.109.

Cisco Systems VPN Client and click VPN Client).swx. proceed with section D.2. Start the Cisco VPN Client (click the Start button.1.66.2010 D.249 146.02. as described above. Download and save the following items: Cisco VPN Tunnel Software Connection entry file (SWX_CVI.109.3 Import CA Root Certificate Double click the Cisco VPN Software Client file you downloaded in the previous step and follow the prompts.3 Import CA Root Certificate 1. they will resolve the hostname (vpn.2 Basic Setup Please follow the official documentation from Cisco to complete the basic setup of the software client.249 146.com) used by SCAP.1.2.109.1.250 These DNS can be entered when configuring the software client.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 18 SWX-XRS-MAN-20100216/E 16.109.2. D.pcf) CVI Root Certificate (SWXVPNROOTCA. then point to All Programs. After the installation is finished.2. 2. If the Cisco VPN software is already installed. you may be prompted to reboot the PC. SIX provides four public DNS servers (without an IPSec tunnel) for participants who are using Managed IP Services and do not have DNS support: Data Center A 146.1 Cisco VPN Software Client Installation D.2.1 Download Cisco VPN Software and Connection Entries 1.2.2 Install Cisco VPN Client Software On your PC.cer) D.1. Please do so before proceeding.2.66. D.109. you only need to install the Cisco VPN Software Client once.250 Data Center B 146. Unrestricted . Access the CVI Public Website.

Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 19 SWX-XRS-MAN-20100216/E 16. Click the Import button to finish importing the certificate.3. connection entries as well as certificates are backed up and automatically re-imported upon installation of either the same. click the Import icon and click the Browse button to select the CA Root Certificate (SWXVPNROOTCA. it is advisable to reinstall the software. c:\ERMP01xxxx. 4.2. D. D.3 IPSec Tunnel Setup This section describes the steps required to establish a connection. prior to installation. It is strongly recommended to uninstall the software and reboot the system.1 Obtain Personal Certificate 1. resulting in an old and not functional setting of the Cisco Virtual Adapter. The Cisco VPN Software Client will not automatically detect a new interface. Reinstallation is also necessary when a new NIC (network interface card) has been installed. To display the CA Root Certificate in the VPN Client. This makes it mandatory to reinstall the software.2010 2. Click the OK button. A dialog box confirms the success of this operation.1. Select the Certificates tab in the VPN client.cer) you downloaded before. click the Enroll icon. 3. When reinstalling. Do not specify any password in the various Password fields. select the Certificates menu and click on Show CA/RA Certificates to enable this option.4 Reinstall the Cisco VPN Software Client In case of any failures of the Cisco VPN Subsystem. Select the Certificates tab in the VPN client.g.02. D.csr) A freely chosen password (minimum length 6 characters) Unrestricted . please note that all settings. In the Certificate Enrolment window select File and enter the following parameters: Parameter File encoding Filename New Password Value Base-64 A freely chosen filename having the . or a newer version of the Cisco VPN Software Client.csr extension (e.

copy the generated certificate including the delimiters into a text file and save this file on the PC with a . Go to the Public CVI web as described and click the link Private CVI VPN Homepage (via SSL connection). On the next page.2010 2. 4. 5. Enter the following parameters to generate the certificate request: Parameter Name (CN)* Value Username (provided in the sealed envelope [ ]) ermp01csw ermm01csw Name of your company (neither umlauts nor special characters) The state where your company is located (without umlaut) Country two letter abbreviation as used in the internet (neither umlauts nor special characters) Leave blank Leave blank Leave blank Department (OU) (Repo Production) Department (OU) (Repo Membertest) Company (O) State (ST) Country (C) E-Mail (E) IP Address Domain Fields marked with * should contain meaningful values. 7. click the Import icon and select the connection entry file that you downloaded. A dialog box confirms the success of this operation. Click the Enroll button to generate a certificate enrolment request. However.g. they are not validated.02.cer). Open the Certificate enrolment request file created in the previous step with a text editor. click download certificate in the menu Certificate. and copy the entire content with the delimiters to the clipboard. Click the Next button. This will open a new Certificate Enrolment window. 6. Unrestricted . D. Click send request in the menu Certificate and paste the certificate into the provided form. Click Send to confirm. ERMP012345.2 Import Connection Entry Select the Connection Entries tab in the VPN client. Click the OK button. 3.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 20 SWX-XRS-MAN-20100216/E 16.3.cer extension (e.

Select the Certificates tab in the VPN client. Depending on your network. It is strongly recommended to enter a New Password in the fields at the bottom of the dialog .2010 By default. click the OK button without entering a password.4 Assign Certificate to Connection Entry 3. select Certificate Authentication and in the Name drop down list. Select the Connection Entry you have just imported & configured and click the Connect button. select the connection entry you imported and click the Modify icon. If you did not enter a new password when importing the certificate.02. click the Import icon and click the Browse button to select the personal certificate you downloaded. The Import Password in the upper section is the one you entered before. please enter a new name in the Connection Entry field on this screen.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 21 SWX-XRS-MAN-20100216/E 16. You may wish to give the connection entry a more meaningful name.if you do not enter a New Password. the connection entry is called SWX_CVI. If so.3 Import Personal Certificate 1. 3. If your VPN Client is still connected. then your password is blank i.e.3. Click the Continue button and the VPN Client minimises to the System Tray. 5. 2. click the Disconnect button. Select the Authentication tab. Click the Save button to store your changes. You can double click System Tray to restore the application. it will be blank and therefore your certificate will not be protected. Unrestricted . Enter the password to authenticate your certificate (this is the password that you entered in the New Password field).3. select the certificate you imported in the previous step. D. you may be required to change the Transport settings. By default. 2. If connection is successful.3. D. 4. the connection entry is configured to use Transparent Tunnelling (IPSec over UDP). a dialog box appears with two buttons. D.5 Check IPSec Tunnel 1. Select the Connection Entries tab in the VPN client. Continue and Disconnect. Click the Import button to finish importing the certificate. 4.

E.02. please see the Cisco documentation for the appropriate commands.2010 Appendix E – Installation: Cisco VPN 3002 Hardware Client This section explains how to configure the Cisco VPN 3002 Hardware Client.1 Installation Checklist A summary of the required steps is given in the table below. Unrestricted .Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 22 SWX-XRS-MAN-20100216/E 16. If you are using the Console Port. including enrolment and installation of the certificate. which can be used as a checklist: Task Basic Setup IPSec Tunnel Setup Description How to setup a new hardware client Configure Group Authentication Establish VPN Connection Download & Install SIX CA Root Certificate Generate & Send Certificate Request Retrieve and Install Personal Certificate Check IPSec Tunnel Done        The instructions in this section are based on using a browser to configure the hardware client.

109.249 146. connect and logon to the hardware client.109. From the menu.com Choose the appropriate value for your network.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 23 SWX-XRS-MAN-20100216/E 16.250 Data Center B 146.109.66. E.2 Basic Setup Please follow the official documentation from Cisco to complete the basic setup of the hardware client. they will resolve the hostname (vpn.2 Check Software Version Check that the software version of your Cisco 3002 meets our recommendations listed in section 2.3 Configure Group Authentication Using a browser.2.2.swx. If it does not you should download the correct version from the CVI Public Web and apply it on your device.109.1 IPSec Tunnel Setup The following section shows step-by-step instructions for the Cisco 3002 Hardware Client configuration.1.66.swx. E. E. 4501 (if IPSec over TCP is selected) Leave cleared Select “Identity certificate only” Username (see [ A ] .02.2010 E. SIX provides four public DNS for participants who are using Managed IP Services and do not have DNS support: Data Center A 146. select Configuration > System > Tunneling Protocols > IPSec and enter the following parameters to enable group authentication: Parameter Remote Server IPSec over TCP IPSec over TCP Port Use Certificate Certificate transmission Group Name Value vpn.2.com) used by SCAP.2. enrolment and certificate handling.250 These DNS can be entered when configuring the hardware client.2.2 Supported Cisco VPN Hardware Clients.neither umlauts nor special characters) Unrestricted .249 146.

02.2. Generate a certificate request by selecting Administration > Certificate Management > Enrolment.4 Establish VPN Connection Check the VPN Connection by selecting Monitoring > System Status from the menu. as described above. Switch back to the hardware client administration in the other browser window. Additionally.2. The displayed System Status should change and show that the tunnel has been established.6 Generate and Send Certificate Enrolment Request 1. Upload the root certificate by selecting Administration > Certificate Management > Installation. 5. click Connect Now. 3. Click the link CVI Root Certificate and save the file on the PC (SWXVPNROOTCA. clicking Enroll via PKCS10 Request (Manual). clicking Upload file from workstation and selecting the file you saved before). on the hardware client the LED labelled VPN should switch to green (via amber which shows that the connection is being initiated).2010 Parameter Group Password & Group Verify Username and Password Value Password (see [ B ]) Leave both blank E. E.cer).2. 2. Access the CVI Public Website.5 Download and Install CA Root Certificate 1. If the tunnel is not already connected (“No Tunnel Established” is displayed). clicking Install CA certificate. Enter the following parameters to generate the certificate request: Parameter Common Name (CN) Value Username (provided in the sealed envelope [ C ]) ermp01chv ermm01chv Name of your company (neither umlauts nor special characters) The place where your company is located (neither umlauts nor special characters) Organizational Unit (OU) (Repo Production) Organizational Unit (OU) (Repo Membertest) Organisation (O) * Locality (L) * Unrestricted . 4.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 24 SWX-XRS-MAN-20100216/E 16. Click Install to confirm. E.

3. 2. 5. you delete the old one before installing a new one. Unrestricted . choose Cut & Paste Text and paste the copied certificate with the delimiters into the provided form. Using the PC browser. 6. Click Install for the appropriate request. However. If the tunnel is not already connected (“No Tunnel Established” displayed). 4.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 25 SWX-XRS-MAN-20100216/E 16. Install the certificate by selecting Administration > Certificate Management > Installation and clicking Install certificate obtained via enrolment. Click send request in the menu Certificate and paste the certificate into the provided form. connect and logon to the hardware client. click Connect Now. The LED labelled VPN will turn off. 2. Confirm by clicking Install. selecting the checkbox Use Certificate and confirming by clicking Apply.7 Install Certificate and Check IPSec Tunnel 1. Switch from the pre-shared key (Group Authentication) to your installed certificate by selecting Configuration > System > Tunneling Protocols > IPSec. One private certificate can be installed at a time only. Make sure.2010 Parameter State/Province (SP) * Value The state or province where your company is located (neither umlauts nor special characters) Country two letter abbreviation as used in the internet (neither umlauts nor special characters) Leave blank Leave blank RSA 1024 bits Country (C)* Subject Alternative Name (FQDN) Subject Alternative Name (E-Mail Address) * Key Size Fields marked with * should contain meaningful values. E. they are not validated. The Certificate Management page should now display the certificate under Identity Certificates.02. Click Send to confirm. 3. Retrieve the certificate by clicking download certificate in the menu Certificate and copying the certificate with the delimiters belonging to your request. Check the IPSec tunnel by selecting Monitoring > System Status from the menu. Go to the Public CVI web as described before and click the link Private CVI VPN Homepage (via SSL connection). Switch back to the hardware client administration in the other browser window.2. Click Enroll to generate a certificate request and copy it to the clipboard. The System Status displayed should 4. Go to the Private CVI VPN Homepage (via SSL connection) as described above. 7.

swx. the Cisco Hardware Client can push the needed DNS via the DHCP protocol to the client and no further configuration is needed.g. e.8 Continuing Application Installation Assuming you have successfully connected to the Cisco VPN Hardware Client as instructed in the preceding section. to the DNS in the tunnel.252 146. you have now completed the installation of the Cisco VPN Hardware Client.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 26 SWX-XRS-MAN-20100216/E 16. The tunnel DNS can be reached using the IP addresses shown below. before proceeding to install the application.55.02. either the client PC or the respective DNS have to be configured to forward domain name requests for the application server’s name spaces. e. the client PC (which will run the application) needs to know the virtual IP address of the application servers in the tunnel. E. one final step may be required: E.252 Data Center Data Center B Data Center B Data Center A Data Center A Unrestricted .251 146. *pn.1 DNS Configuration on Application PC To access the application servers through the Cisco VPN Hardware Client.109.251 146.39. In this case.109.39.109.g.2010 change to show that the tunnel is established (“Tunnel Established to: …”).2. In this case.55.2.  The client PC is directly attached to the Cisco VPN Hardware Client and the interface connecting the PC to the Cisco VPN Hardware Client is set to DHCP.  There is a device. Domain Name Servers in IPSec Connection Tunnel 146.109. located between the Cisco Hardware Client and the client PC or the interface connecting the PC to the Cisco VPN Hardware Client is not set to DHCP. However. firewall.8. There are two different scenarios that have different requirements.

250 Data Center B 146.com) used by SCAP. F.249 146.2.66.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 27 SWX-XRS-MAN-20100216/E 16.249 146.109.1 Installation Checklist A summary of the required steps is given in the table below. SIX Swiss Exchange provides four public DNS for participants who are using Managed IP Services and do not have DNS support: Data Center A 146.2 Basic Setup Please follow the official documentation from Cisco to complete the basic setup of the Hardware Client.109. F. they will resolve the hostname (vpn.2. which can be used as a checklist: Task Basic Setup ASDM Setup IPSec Tunnel Setup Description How to Setup a New Hardware Client Cisco ASDM Setup Configure Group Authentication Establish VPN Connection Download & Install SIX CA Root Certificate Generate & Send Certificate Request Retrieve and Install Personal Certificate Check IPSec Tunnel Done         The instructions in this section are based on using both the Cisco ASDM and the Console Port.swx.02.109.66.2010 Appendix F – Installation: Cisco ASA 5505 Hardware Client This section explains how to configure the Cisco ASA 5505 Hardware Client.109. including enrolment and installation of the certificate.250 These DNS can be entered when configuring the Hardware Client. Unrestricted .

F.bin) to the Cisco ASA 5505.3 Cisco ASDM Installation on the ASA 5505 1.2010 F.pkg 65 -rwx 398305 1.1. Reboot the ASA 5505: ciscoasa> enable Password: ****** ciscoasa# reload 4.bin asdm-611. If it does not you should download the correct version from the CVI Public Web and install it on the ASA 5505 as described below.02.2.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 28 SWX-XRS-MAN-20100216/E 16.g.154. The content of Disk0:/ should look like this: ciscoasa> enable Password: ****** ciscoasa# dir Directory of disk0:/ 2 drwx 4096 64 -rwx 1868412 3. Copy the recommended ASDM version file (e. This can be done either via ASDM or via ftp.1 Cisco ASDM Setup The following section gives step-by-step instructions about installing and starting the Cisco ASDM tool.bin Unrestricted .2.2.0.2 Supported Cisco VPN Hardware Clients.1.1.29-k9. Set the newly loaded ASDM file before you reboot with the following command: ciscoasa> enable ciscoasa# configure terminal ciscoasa(conf)# asdm image disk0:/asdm-611. 5. Validate that the new ASDM version is working. F.2 Check Software Version of ASDM Check that the software version of your Cisco ASDM meets our recommendations listed in section 2. tftp.… Consult the official documentation from Cisco for the procedure. 2.pkg 7 drwx 4096 67 -rwx 14635008 82 -rwx 7295568 07:56:58 May 08 2008 06:30:52 Sep 17 2007 06:31:04 Sep 17 2007 06:35:22 Sep 17 2007 07:40:38 May 08 2008 08:43:16 Jun 05 2008 log securedesktop-asasslclient-wincrypto_archive asa803-k8.1. On the ASA 5505.bin ciscoasa(conf)# exit ciscoasa# write memory 3. remove any versions of the ASDM except the recommended one. asdm-611.

2. 2.1.02. 12. Start ASDM by clicking the Cisco ASDM Launcher icon located on the desktop.g. Click Install to begin the installation. The Cisco ASDM Launcher installation starts. click Yes. Click Next. 8. Click Install ASDM Launcher and Run ASDM. 7. 11.4 Cisco ASDM Installation on the PC 1. 6. 3.168.1). 5. Click Finish to exit the installation wizard.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 29 SWX-XRS-MAN-20100216/E 16. https://192. browse to https://<ASA5505 IP Address>/ (e. Proceed with the Security Alert. Select the default Destination Folder or click Change. 10. (Hint: default is blank for both) Click Open. 4. 9. In the login window enter User Name and Password of the ASA 5505 and click OK. Unrestricted . Click Next. On the PC on which the configuration of the ASA 5505 will be performed. Accept the web site’s certificate by clicking Yes and by selecting Always trust content from this publisher.2010 F. Make sure that the Run in Demo Mode option is not selected. Username and Password of the ASA 5505 and click OK. In the Cisco ASDM Launcher login window enter the IP Address.

b. you must download the correct version from the CVI Public Web and apply it on your device via the ASDM tool. click Pre-shared Key and enter the following parameters: a. 5. Select Enable Easy VPN Remote. Using ASDM. F.2. Before rebooting the Cisco ASA 5505. enter vpn. In the Group Settings area. Unrestricted . Go to the Configuration > Remote Access VPN > Easy VPN Remote pane.1. enrolment and certificate handling.swx.02. click Client mode. connect and logon to the hardware client. enter the value of Password (see [ B ]) In the Easy VPN Server To Be Added area. 2. 4.6 Check Software Version of ASA 5505 Check that the software version of your Cisco ASA 5505 meets our recommendations listed in section 2.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 30 SWX-XRS-MAN-20100216/E 16. 3.2. enter the value of Username (see [ A ]). delete the file of the old version.2 Supported Cisco VPN Hardware Clients.2010 F. 6. If it does not.2. F.com in the field Name or IP Address and click Add. In the Mode area. In the Group Name field.5 IPSec Tunnel Setup The following section gives step-by-step instructions about Cisco ASA 5505 Hardware Client configuration.7 Configure Group Authentication 1. In the Group Password and Confirm Group Password fields.

In the DNS Server Groups area. In the DNS Servers area. If not click Enable.8 Configure DNS Click Apply. b. c.02. Click Apply.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 31 SWX-XRS-MAN-20100216/E 16. 1. In the Name field enter a name. Save the configuration by clicking Save. Perform this step for all IP Addresses listed in section 4 Network & Firewall Considerations and/or for the ones you are using. In the DNS lookup area. 4. enter the IP address of the DNS Server in the field Server IP Address to Add and click Add. Click OK. make sure that both interfaces have the DNS Enabled parameter set to Yes.2010 7. Go to the Configuration > Remote Access VPN > DNS pane. 8. click Add and enter the following parameters: a.2. 2. Unrestricted . 3. F.

Click Add. Access the CVI Public Website. 2. Click the link CVI Root Certificate and save the file on the PC (SWXVPNROOTCA. You can either type the pathname of the file that you saved in step 2 in the box or you can click Browse and navigate to the file.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 32 SWX-XRS-MAN-20100216/E 16. 3. Click Install from a file.02.cer).2. Go to the Configuration > Remote Access VPN > Certificate Management > CA Certificates pane. 6.2010 F. 4. Using ASDM. Unrestricted . connect and logon to the hardware client.9 Download and Install CA Root Certificate 1. as described above. 5.

Click Add. F. 3. Click Install Certificate. Go to the Configuration > Remote Access VPN > Certificate Management > Identity Certificates pane. Click OK. Unrestricted . If the installation was successful. 8. Select the Add a new identity certificate option. 2. the following dialog box is displayed.2.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 33 SWX-XRS-MAN-20100216/E 16.02.2010 7.10 Generate and Send Certificate Enrolment Request 1.

In the Value box. b. 9. Click Generate Now.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 34 SWX-XRS-MAN-20100216/E 16. select 1024. 5. Click New. select an attribute from the Attribute pull-down menu. In the DN Attribute to be Added area. 10. In the Size box. 7. Unrestricted .02. type the correct value (see table above) and click Add. Select General purpose. In the Certificate Subject DN dialog box. Select Enter new key pair name and type SWX-SCAP-PRD-key in the box. proceed as follows for each attribute: a. 6. 8. Click Select.2010 4. enter the following X509 attributes: Attribute Common Name (CN) Value Username (provided in the sealed envelope [ ]) ermp01chv ermm01chv Name of your company (neither umlauts nor special characters)) The place where your company is located (neither umlauts nor special characters)) The state or province where your company is located (neither umlauts nor special characters)) Two-letter country abbreviation as used on the Internet (neither umlauts nor special characters)) Organizational Unit (OU) (Repo Production) Organizational Unit (OU) (Repo Membertest) Company Name (O) * Location (L) * State (St) * Country (C)* To enter these attributes.

Using ASDM. Click Add Certificate 13. The Identity Certificate Request dialog box opens.2. Unrestricted . 14.csr. Retrieve the certificate by clicking download certificate in the menu Certificate and copying the certificate with the delimiters belonging to your request. You can either type the pathname of the file in the box or you can click Browse. 12. 16. Go to the Public CVI web as described above. connect and logon to the hardware client. Click send request in the menu Certificate and paste the certificate into the form provided. Click Send to confirm. click OK. 17. 4. Select the Identity Certificate and click Install. Open the . 3.11 Install Certificate and Check IPSec Tunnel 1.02. Go to the Private CVI web as described above. Please note that the file extension has to be . Click OK. F.csr file with your editor and copy the content to the clipboard. When you have entered all attributes. 15. 5.2010 11. 2. Go to the Configuration > Remote Access VPN > Certificate Management > Identity Certificates pane.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 35 SWX-XRS-MAN-20100216/E 16.

the following dialog box is displayed. Click Apply. 12.509 Certificate and choose your certificate from the drop-down list.2010 6. The LED on the hardware client labelled VPN will turn off. click X. 10.02. Click OK. 13. If the import was successful. 8. Click Install Certificate. 11. Go to the Configuration > Remote Access VPN > Easy VPN Remote pane. Unrestricted . In the Group Settings area.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 36 SWX-XRS-MAN-20100216/E 16. Switch from the pre-shared key (Group Authentication) to your installed certificate. Save the configuration by clicking Save. 7. 9. Select Paste the certificate data in base-64 format and paste it with the delimiters in the box.

2.erm. The tunnel DNS can be reached under the IP addresses given below.39. one final step may be required: F.g.swx. Confirm Security Warning d. e.109. before proceeding to install the application. Go to Monitoring > VPN > Easy VPN Client > VPN Connection Status b. It has to be restarted manually as described above. However. Please note that if for any reason the tunnel stops. Click "Connect" c. *prd. F. it will not restart automatically.02. located between the Cisco Hardware Client and the client PC or the interface connecting the PC to the Cisco ASA 5505 Hardware Client is not set to DHCP.12.g. In this case. Start the tunnel as follows: a.  The client PC is directly attached to the Cisco ASA 5505 Hardware Client and the interface connecting the PC to the Cisco ASA 5505 Hardware Client is set to DHCP. In this case.12 Continuing Application Installation Assuming you have successfully connected to the Cisco ASA 5505 Hardware Client as instructed in the preceding chapter.2010 14. There are two different scenarios that have different requirements. Domain Name Servers in IPSec Connection Tunnel 146. the Cisco Hardware Client can push the needed DNS via the DHCP protocol to the client and no further configuration is needed. firewall.2.  There is a device.1 DNS Configuration on Application PC To access the application servers through the Cisco ASA 5505 Hardware Client. you have now completed the installation of the Cisco ASA 5505 Hardware Client. Click "Connect Now" e.ch. the client PC (which will run the application) needs to know the virtual IP address of the application servers in the tunnel. to the DNS in the tunnel. e. either the client PC or the respective DNS have to be configured to forward domain name requests for the application server’s name spaces.251 Data Center Data Center B Unrestricted . Close Browser Window (hint: click "Refresh" to update status) 15.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 37 SWX-XRS-MAN-20100216/E 16.

109.com accessproducts@deutsche-boerse.1 Internet Connectivity Contact your Internet Service Provider.251 146.2010 146.com All countries Officer Harry Weder Tim Brackrock Thomas Rathgeb Phone No. G.verizon-scap-swx@swisscom. +41 44 543 18 33 +49 69 2111 1690 +41 44 294 82 88 E-mail harry.Eurex Repo / SecLend CVI to SCAP Migration Guide Connecting Eurex Repo / SecLend Application via New VPN Infrastructure Page 38 SWX-XRS-MAN-20100216/E 16.2 Managed IP Services Provider BT Radianz Deutsche Börse Systems SwisscomVerizon Andreas Ferrario +41 79 818 14 93 group.com group.verizon-scap-swx@swisscom. please refer to the applicationspecific installation guide.55.02.109.weder@bt.39.55.252 Data Center B Data Center A Data Center A To continue with the installation process. Appendix G – Infrastructure Service Provider (ISP) Contacts G.252 146.com Scope All countries All countries All countries Unrestricted .109.