Trusted Partner Access v5.01 build 100 for Windows XP

Includes Nortel Contivity VPN client and CyberGatekeeper client

Copyright 2004 FMR Corp. November 2004

Trusted Partner Access Pre-Installation Worksheet

This worksheet guides you through steps to collect required information that you’ll need to complete the installation.

If you have trouble with the pre-installation tasks, contact Techline at 800-525-3274.

✓ You must be using Windows XP

If you are not on Windows XP please contact your Fidelity Business unit sponsor to research options for getting the Windows XP Operating System. If ha

✓ Locate your Local Administrator Password

You need your local workstation’s (Laptop, Desktop or Remote Access Desktop) administrator password to begin the install. If you do not know this password, or you do not have local Administrator rights to your PC, contact your Desktop Coordinator or your local LAN Administrator.

✓ Order a Hard Token (RSA SecurID)

If you do not have a Hard Token, or no one has requested a Hard Token for you, please have your Business Unit Sponsor go to the site below and follow the necessary procedures: http://trustedpartner.fmr.com

If you have trouble with the installation tasks, contact the Help Desk at 800-525-3274.

Table of Contents

About Trusted Partner Access
    Terms Used in this Guide
    What software is included in Trusted Partner Access?
    Can I use other Internet Service Providers (ISP’s) with Trusted Partner Access?
    Do I have to uninstall any existing software on my Computer?
    Do I need a Firewall if I am using a Cable or DSL connection?
Install Trusted Partner Access Software
    Run the Trusted Partner Access Auto-Installation Program
Log In to Fidelity and Test the Installation
    Overview of the Log-In Process
    Connect to Your Company’s Fidelity Access Portal
    Identify Yourself as a Valid Fidelity User
    Access applications on Fidelity’s Network


About Trusted Partner Access

Terms Used in this Guide

• Trusted Partner Access is a Fidelity (Internet Based) remote access product, which gives Trusted Partners (non-full-time employees) access to applications and devices on Fidelity’s Network. These applications must be specifically requested through the Trusted Partner website – http://trustedpartner.fmr.com. This product must be installed on a Windows XP build.

• VPN, or “Virtual Private Networking,” is the common term for software used to ensure secure communications over the Internet. VPN is sometimes referred to as a “tunnel.” Contivity VPN Client is the Fidelity-chosen VPN software used for this purpose.

• SSL VPN – This is the new software package that will allow Trusted Partners to access Fidelity from behind a Corporate Firewall.

• IPSec VPN – This is also part of the software package, but does NOT always work while sitting on a remote Corporate Network. This method is best used when working from home or at a hotel on a DSL, Cable or dial-up connection directly to the Internet.

• ISP is a common abbreviation for “Internet Service Provider,” which provides connectivity to the Internet. AT&T Global Dialer may be the ISP provided by Fidelity; however, you may choose to use another ISP, like a broadband provider who provides Cable Internet Access or DSL.

• A Hard Token is a small, separate device which generates a unique code which is combined with the user’s secret PIN to allow secure access onto the Fidelity network.

• CGK, or CyberGateKeeper, increases our security by requiring all Trusted Partner Access users to follow a new procedure to access the network. This process will install the InfoExpress CyberGatekeeper product, providing a method to enforce policy management for our remote access users who access Fidelity's enterprise network using Virtual Private Networking (VPN). CyberGatekeeper will provide a mechanism to determine whether remote access system configurations are in compliance with Corporate Security standards, and if not will stop potentially harmful systems from accessing Fidelity’s network.

What software is included in Trusted Partner Access?

Based on your selections during the install, you will have two software applications (or “clients”) loaded onto your system. These clients include the Contivity VPN client (VPN) and the CyberGateKeeper client for Windows XP users only.

Can I use other Internet Service Providers (ISP’s) with Trusted Partner Access?

Yes, you can also use other dial-up, Cable or DSL Internet connections with Trusted Partner Access. AOL will not work with Trusted Partner Access. For more information on Internet Connection go to: http://trustedpartner.fmr.com

Do I have to uninstall any existing software on my Computer?

The Trusted Partner Access Installation automatically uninstalls older software if it is detected on your Computer. If you have installed the Aventail Connect client, you can uninstall that software once you are successfully running on the new Trusted Partner Access Nortel solution.

Do I need a Firewall if I am using a Cable or DSL connection?

No, no firewall is required at this time. You will be notified in the future when a Software Firewall will be required. For details go to http://trustedpartner.fmr.com

Trusted Partner Access Installation Guide

Install Trusted Partner Access Software

✓ Before You Begin

Before you get started installing Trusted Partner Access, make sure that you have the following:

• Your Desktop or Laptop MUST be running a build of Windows XP.

• If you are on a corporate network, please contact your company’s Network Administrator to identify the name of your Network Proxy (ex. something.proxy.company.com). The Fidelity Remote Access team will need this proxy information before you can connect to Fidelity Trusted Partner from a Corporate Network.

You’ll need approximately 20 minutes to completely install & set up Trusted Partner Access.

✓ Run the Trusted Partner Access Auto-Installation Program

Your installation CD or download will lead you through the steps of installing the Trusted Partner Access product: the Contivity (VPN) client and the CyberGateKeeper client.

To install Trusted Partner Access

1. Close any open applications and log off your computer.

2. Login to your workstation as Administrator. (You must have administrative rights to load Trusted Partner Access on your system.)

Note: You can also use a local personal account if you have Administrator rights.

On the Windows login screen:
a. Type Administrator into the Username field (if it is not already listed).
b. Enter your Administrator password in the Password field (you gathered this information when completing your Pre-Installation Worksheet).
c. Click OK to log into your local workstation. Your local Administrator workstation desktop will appear.

3. Locate the downloaded file and double-click on – TrustedPartnerAccess501_r0101.EXE.

The installation program begins automatically. A number of automated checks are conducted on your system to verify that it is prepared for the software.


4. The first screen that will appear is the screen below.

NOTE: If you want to Map Network drives or log on to a Domain (ex. DMN1, DSDOM1, etc.) after you connect to Fidelity, please select “Install as a Service.” Otherwise, select “Install as an Application”, click the check-box “I’ve closed all applications…” and click Next.

5. The rest of the installation is automated.

Please wait until you see the following screen; you will then be asked to reboot. Make sure you close all your applications and save all your files, because the reboot will be automatic in 30 seconds after you click Finish.


Log In to Fidelity and Test the Installation

Now that the installation is complete, you will test that the software and your configurations are working correctly. This is also the process you will follow each time you connect remotely to the Fidelity network.

Overview of the Log-In Process

Here are the steps you will follow to test the software that you have just installed and configured.

Connect to Your Company’s Fidelity Access Portal
• Go to the correct URL to launch your connection

Identify Yourself as a Valid Fidelity User
• Login with your Hard Token

Access the Applications on Fidelity’s Network
• Login to applications on Fidelity’s Network


✓ Connect to Your Company’s Fidelity Access Portal

NOTE: If you are directly connected to the Internet, most likely you will want to open Fidelity Remote Access and connect to Trusted Partner Marlboro or Merrimack by going to Start > Programs > Fidelity Remote Access and select:
1. Trusted Partner IPSec – Marlboro
2. Trusted Partner IPSec – Merrimack
3. Go to page 8, step 4

To connect to the Company Portal from your Corporate Network

1. Make sure you are connected to the Internet via your Corporate Network. Try http://www.google.com
2. Open a Browser (ex. Internet Explorer)
3. Enter https://ivpn01.fidelity.com or https://ivpn06.fidelity.com into the destination URL
4. Enter your username and password into the site below:

Username = This should be your company name, lowercase, withOUT spaces
Password = This should be your company name, lowercase, withOUT spaces

NOTE: If you do not know your OU Field, please contact your BU Sponsor. They can look up your OU Field on Fidelity’s Network by going to:
a. Using a browser on Fidelity’s Network go to http://funk.fmr.com
b. Click on Query UserID
c. Enter in the ID that is associated with the Trusted Partner Hard Token. The result will give the “OU=”. This is your login to the site above.


Identify Yourself as a Valid Fidelity User
• Go to your Company’s portal

Now that you are connected to the Company Portal, you must identify yourself as a valid Fidelity user. This will use the VPN software that you installed and configured ensuring secure communications to Fidelity over the Internet.

To identify yourself as a valid user

1. Select the Type of Connection you will be making to Fidelity. There are two types:
• Connect to Fidelity from Corporate Network: This is what you would select if you were connecting to Fidelity from behind a Corporate Network that uses a firewall or a proxy to access the Internet. If you are unsure, please contact your Company’s network administrator.
• Connect to Fidelity from the Internet (dial, DSL or Cable): This is essentially all other connections. If you are unsure, please contact your Company’s network administrator.

2. Based on your browser settings you might be prompted with some “Yes/No” Security questions to agree to connect to Fidelity. Always choose “Yes”.

3. You will see a Port Forwarder window like the one below in the background. DO NOT CLOSE THIS WINDOW while you are connected to Fidelity’s Network.

4. For New/First-Time Trusted Partner Access Users prompted with this:

a) You might be prompted to update your Group ID and Group Password. To enter this information, go to the Options menu, select Authentication Options from the Contivity VPN client window.
   a. Enter ivpn in the ‘Group Password’ field.

a) Click OK
b) You should then be prompted with the window below. Click OK.

c) If you already have established a PIN, skip to step 5. Otherwise:
   I. Enter your User ID in the User Name field and your Hard Token Code in the appropriate fields. (This is the 6-digit code displayed on the screen of your hard token).
   II. Click the Connect button to launch your connection.
   III. You will be prompted to setup your personal identification number (PIN) for your hard token. Enter a PIN between 4 and 8 characters and click OK.

   IV. You will be prompted to confirm your new PIN again. Enter it again and click OK.
   V. Once you have successfully set up your PIN, you will be prompted to enter your Passcode (this is your PIN followed by the six digit number on your hard token). Click OK.
   Note: The authentication process requires that you wait for a new six-digit number to appear on your hard token before entering the passcode. Enter your pin and hard token number without spaces.

   VI. Read the Security Banner message and then click OK.

5. For Active Hard Token Users:
a. Simply enter your PIN and Token. (This is the personal PIN you created when you first got your hard token and the 6-digit code displayed on the screen of your hard token).
b. Click the Connect button to launch your Extranet Connection.

c. You know you are connected to the Fidelity network when you see the login banner.

You can now access the applications and ONLY the applications that have been provided by your Business Unit sponsor. If you cannot access applications that you think you should have access to, please contact your Fidelity Business Unit contact and have them open a request at http://trustedpartner.fmr.com/ordering

Access applications on Fidelity’s Network
• You will have access to only the applications provided to you by your Fidelity Business Unit Sponsor

Accessing applications

Application access to servers or logins to servers MUST be obtained by the Fidelity Business Unit sponsor. The Fidelity Remote Access Team is NOT responsible for getting usernames and passwords for devices on the network. You can test that the firewall access to a device has been granted by telnetting to that IP address or server on the application port. For example:

1. Open a Command Prompt
   a. Start > Run > Type ‘cmd’
2. At the prompt type:
   a. telnet
   b. For example, if you want to test Remote Desktop access type in the IP address of the PC and substitute 3389 for the in 2a.
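The same reachability test can be scripted so that the result says why a connection failed, which the telnet window does not make obvious. This is an added example, not part of the original guide; the function name `check_tcp_access` and the script name in the usage comment are assumptions.

```python
import errno
import socket
import sys


def check_tcp_access(host, port, timeout=5.0):
    """Make one TCP connection attempt and classify the result.

    "open"      handshake completed: the firewall path and the service are up
    "refused"   a reset came back: the path reaches the host (or a rejecting
                firewall), but nothing accepted the connection on that port
    "filtered"  no reply before the timeout: typical of a firewall silently
                dropping the traffic, i.e. access has not been granted
    "error: X"  name resolution or routing failure before any answer
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "filtered"
    except OSError as exc:
        return "error: " + errno.errorcode.get(exc.errno, str(exc))


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_access.py <host> <port>
    # e.g. port 3389 for the Remote Desktop test the guide mentions.
    target_host, target_port = sys.argv[1], int(sys.argv[2])
    print(target_host, target_port, check_tcp_access(target_host, target_port))
```

A "filtered" result is the one to report to the Business Unit sponsor as a missing firewall rule; "refused" points at the server or application rather than the access request.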

For all questions, comments or concerns please contact your Fidelity Business Unit sponsor
