Remote Access (FortiClient Virtual Private Network (VPN), AppGate, Entrust)

Topics

FortiClient Virtual Private Network (VPN)

AppGate

Employment and Social Development Canada (ESDC) is currently migrating from AppGate version 11, also known as Classic, to a new, more efficient and secure version called AppGate SDP. If you are not already using the SDP version, you should upgrade by November 30, 2020, as version 11 is no longer supported by the vendor and is being retired.

AppGate SDP

Remote VPN access

Secure Access Virtual Environment – Desktop (SAVE-D)

Entrust

GCProfile

  • How do I connect remotely to the ESDC network using FortiClient?  Updated! 2021-06-04

    There are two ways to log into the VPN service (FortiClient). Method one is to log into both Windows and the VPN service at the same time. Method two is to log into Windows and then into the VPN service.

    Note: If your network password expires you will be unable to log into the VPN service. You will need to visit https://srv745.services.gc.ca/ from an active Internet connection to update your password.

    Method one (preferred method)

    1. After pressing Ctrl+Alt+Del, select the Sign-in options
    2. In the lower middle of the main Windows login screen, there will be an orange VPN icon.
    3. Select the icon and select the tunnel to connect to: KEC (1- srv542.services.gc.ca - King Edward), MTL (2-srv543.services.gc.ca - Montreal) or MCT (3-srv541.services.gc.ca- Moncton).
    4. Enter your network (Windows) username and password. Check the "Use my Windows credentials for VPN" box. Select the right-pointing arrow to proceed.
    5. Use your Entrust eGrid to enter the corresponding number/letter combinations from the challenge grid, then select OK.

    Method two

    1. Log into Windows with your username and password.
    2. Look for the FortiClient VPN icon (shown as disconnected) in your taskbar. If the icon is not immediately visible, use the up arrow to display all the icons.
    3. Right-click on the VPN icon and select the tunnel to connect to: KEC (1- srv542.services.gc.ca - King Edward), MTL (2-srv543.services.gc.ca - Montreal) or MCT (3-srv541.services.gc.ca- Moncton).
    4. Enter your network (Windows) username and password. Select Connect.
    5. Use your Entrust eGrid to enter the corresponding number/letter combinations from the challenge grid, then select OK.
  • How do I use the Internet without using FortiClient?  Updated! 2021-06-04

    You do not need a network connection to be able to access SABA, WebEx and other Internet sites. Follow the instructions below to do this and other work offline (i.e. without being connected to the ESDC network). You must choose the correct set of steps, depending on your situation:

    1. If you are NOT already connected to the ESDC network:
      1. Log in to your ESDC laptop or tablet as per usual, but without VPN.
      2. Make sure you are connected to your local Internet connection (follow the instructions in the connection assistant if required).
      3. If you are asked to connect to the ESDC network or VPN, select "No" (or "Cancel") and close any related windows that may have remained open (i.e. GCProfile or FortiClient).
    2. If you ARE already connected to the ESDC network:
      1. Save any documents that you have opened from a network location (e.g. your F Drive, SharePoint, etc.).
      2. Find the small green FortiClient VPN icon in your system tray (bottom-right corner of your screen, by the clock; you may need to select the small up arrow to see this icon).
      3. Right-click on the FortiClient icon (labelled "FortiClient - Connected to...") and select "Disconnect" to disconnect from VPN. You will know you are disconnected as the system tray image will change.

    Reminders:

  • How do I request remote access (VPN connection)?

    FortiClient is the VPN solution for ESDC.

    All new VPN requests need to be submitted by your authorized requestor (Manager (not acting), Director or Director General) via the web form located at http://narf-fwdar.prv.

  • What are the end-of-day procedures while working outside of the office (with VPN connection)?

    Make sure you log off your laptop computer at the end of your work day, every day. Important software updates, security updates/patches and security scans are applied overnight, and only laptops connected to the network (powered on and connected via VPN) receive these updates.

    To sign off when working outside of the office using VPN, at the end of your workday:

    1. Open the Windows Start menu. On the left-hand margin, select the Accounts icon.
    2. Select the option Sign out to close your account but stay connected to the network via VPN.
    3. On the next day, please restart your computer prior to logging in to VPN. (Getting Started with VPN)
  • How do I repair the FortiClient installation?  New! 2021-06-04
    1. Go to the Windows start menu.
    2. In the search window type "software center".
    3. Select the Software Centre app.
    4. Find the FortiClient software listed.
    5. Select "FortiClient".
    6. Select "Repair".
  • Why do I have multiple user name fields available after the new version of FortiClient was installed?  New! 2021-06-04

    If the "Use my Windows credentials for VPN" option is checked and the VPN Username and VPN Password fields are still showing, please reboot your computer again. The settings will properly reset after the reboot. Log in following the normal procedures.

  • What's the difference between the shield icons I see on my computer for the old FortiClient software and the new version?
    Difference Between the Shield Icons (icon comparison table; images not available)
    Versions compared: FortiClient 5.6.6 (old version, retired June 2021) and FortiClient 6.4.2 (new version, starting June 2021)
    Icons compared: Login Screen, Desktop icon, System Tray icon (disconnected from VPN), System Tray icon (connected to VPN)
  • Am I allowed to access the employer’s network while on vacation within or outside of Canada (e.g. check emails, etc.)?

    No, you are not allowed to use the employer’s network while on vacation due to security risks. You are not allowed to bring any government-issued equipment or assets (laptop, tablet, cellphone, etc.) while on personal travel and/or on vacation.

  • Am I allowed to work remotely using VPN (AppGate or FortiClient) if I am travelling outside Canada for work?

    Yes, you are allowed to use VPN outside Canada if you are travelling for work. You must review the instructions on the Security Briefings for International Travel page and schedule a briefing with your Regional Security Officer (RSO). Depending on the country you are visiting, you may be provided with temporary devices to use while travelling.

    If you are going to be overseas for an extended period of time for work, a telework agreement is required and must be signed by the Chief Security Officer.

  • How do I enable sound on my personal computer while connected to AppGate?

    After connecting to AppGate and before selecting the remote device, do the following on the AppGate Client window:

    1. From the menu, select Connection then choose Preferences…
    2. Select the RDP Client tab.
    3. From the “Remote computer sound” section, choose Bring to this computer.
    4. Click Close.

    Proceed to connect the device remotely as normal.

  • How do I create an encrypted e-mail and/or a digital signature?

    Entrust is to be used to send encrypted files/emails internally and between other Government of Canada (GoC) departments. The recipient of the encrypted material must be listed in your GoC Outlook address book.

    Create an encrypted email:

    1. Ensure you are logged into Entrust.
    2. Open a new email and complete it as necessary (content and attachments).
    3. Under the Security section, click to highlight Encrypt and/or Digital Signature.
    4. Click Send.
  • How do I create an encrypted file and/or a digital signature?
    1. Right-click on the file you want to encrypt/sign. Select the option you require:
      • Encrypt File
      • Digitally Sign File
      • Encrypt and Digitally Sign File.
    2. The Entrust Entelligence Security Provider Wizard will launch and will guide you to the completion of the encryption process.
    3. During the encryption wizard you have an option to add recipients.
      • Select the checkbox Encrypt the files for other people in addition to myself then click Next. You will then be presented with a screen to Add users. The recipient(s) must have their own valid Entrust Certificate to be able to open and decrypt the file, and be a valid Entrust PKI user.
  • How do I log into Entrust (Entelligence Security Provider)?
    1. In the system tray (in the taskbar), right click on the Entrust icon and choose Log In.
    2. Click Browse.
    3. Navigate to your F: drive location and open the maCLÉ-myKEY folder.
    4. Click to highlight the only file in the folder (username.epf).
    5. Click Open. This will fill in the name field in the Entrust Entelligence Security Provider box.
    6. Enter your MyKEY password (the same as you use to access Compensation Web Applications) and click OK. This will complete the authentication process.
  • How do I open/edit an encrypted file?

    In order to decrypt a file, you must have been included as a recipient during the encryption process. You will be prompted to login to Entrust when you attempt to open an encrypted file.

    1. Right-click on the file and select: Decrypt, Verify and Open.
    2. In the Entrust login screen, Browse to your F: drive location and select the "maCLÉ-myKEY" folder.
    3. Click to highlight the EPF file in the folder (username.epf).
    4. Click "Open". This will fill the name field in the Entrust Entelligence Security Provider box.
    5. Enter your myKEY password (the same as you use to access Compensation Web Applications i.e. your paystub), then click OK to complete the authentication process.
    6. The file will open. Perform required edits.
    7. When saving your file, use Save As to save a new version of the file. This will ensure that the original document will remain intact.
    8. An Entrust pop-up window will appear asking if you want to delete the original, encrypted file. Select Yes. This will delete the decrypted version of the file.
    9. Re-encrypt your file following the Encrypt your file instructions.
  • How do I read an encrypted e-mail?

    You have received an encrypted email (there's a small lock on the unopened email icon).

    1. Double-click on the encrypted email and the Entrust login window will appear.
    2. Your username will be prefilled if you have previously logged onto Entrust.
    3. Enter your MyKey password.
    4. Click on OK. This will decrypt the email and open it.
    5. If you receive the error message "This message cannot be decoded. It could not be decrypted because you do not have a certificate for which it was encrypted. If your digital ID is on a removable media, ensure it is available before trying the operation again.", follow the steps for the Entrust Login.

  • How do I view and/or amend my safe senders list?

    In Outlook:

    1. Home tab > Delete group: Junk > Junk E-mail Options…
    2. Under the Safe Senders tab, you can Add or Remove senders.
    3. Click Apply and/or OK to save the changes.
  • Simple and automatic connection method with GCProfile’s connection assistant
    1. To use GCProfile’s connection assistant, first normally log in to your computer with your standard username and password.
    2. Once you are logged in, wait for GCProfile to appear.
    3. Now follow the steps suggested by the connection assistant. (The assistant should automatically take care of proxy settings, start external Internet connection pages, launch FortiClient and give you information about possible connection problems).
  • What should I do if I open an application and the window does not appear on my screen while I’m using AppGate?

    If you try to open an application and the window does not appear on your screen, but it appears in your task bar as being open, this may be because the application is opening by default on your second screen at the office while you are using AppGate at home on your personal computer.

    To move the application window to your active screen:

    1. While holding down the SHIFT key, right click on the application in the task bar
    2. In the shortcut menu, select Move while holding down the SHIFT key
      • If the option to Move is not available, click on Restore and try again
    3. To make it visible on your screen, keep pressing down the SHIFT key and use your cursor to move your application window.
    4. Click on your application window.
  • How do I change my password while I am using AppGate?

    Important: Review the Passwords DOs and DON'Ts to become acquainted with the security rules that you need to follow when creating a new network password.

    Information on how to create a strong password (PDF Version, 1.4 MB) is also found there.

    To change your password:

    1. Press CTRL+ALT+END [note: the END key is used rather than the DELETE key when connected via AppGate].
    2. Select Change a Password…
    3. Enter your Old Password. Then enter and confirm your new password.
    4. Click on the arrow button to submit the change.
    5. You will receive a message indicating that your password has been changed.

    Note: If you have a departmental BlackBerry, you also need to update the password on your device.

  • How do I change the password of my Admin account while I am using AppGate?

    Important: Review the Passwords DOs and DON'Ts to become acquainted with the security rules that you need to follow when creating a new network password.

    Information on how to create a strong password (PDF Version, 1.4 MB) is also found there.

    To change your password:

    1. Press CTRL+ALT+END [note: the END key is used rather than the DELETE key when connected via AppGate].
    2. Select Change a Password…
    3. By default, your username will appear. Please change this default username with the username of the account you wish to change the password for (i.e. admin.jane.doe).
    4. Enter your Old Password. Then enter and confirm your new password.
    5. Click on the arrow button to submit the change.
    6. You will receive a message indicating that your password has been changed.

    Note: If you have a departmental BlackBerry, you also need to update the password on your device.

  • What should I do if the blue "R" icon appears grey during the login process?

    The blue "R" icon may not appear during the login process. It may appear grey instead.

    If you encounter this problem, do not wait for the blue "R" icon to appear. Instead, follow these instructions:

    1. Proceed to Step 5 of Log In to AppGate SDP (every time) in the AppGate SDP Quick Reference to open the "Remote Desktop Connection".
    2. After selecting "Connect" (Step 7):
      1. Close the error message that will be opened
      2. Open AppGate SDP again and the blue "R" icon will appear, or a small red circle at the bottom of the AppGate screen.
    3. Select the red circle. You should see the "One-Time Password" box. Enter your two-factor authentication, using the corresponding characters from your eGrid/token, as it says in Step 4.

    After successfully entering the eGrid/Token, try to connect again with the Remote Desktop Connection. You may need to enter your Windows password a second time. This should allow you to connect to your ESDC computer remotely.

  • How do I troubleshoot Entrust?

    If you are having issues with Entrust, follow the instructions below to update Entrust prior to contacting the National Service Desk.

    1. Select the magnifying glass in the lower left-hand corner of your screen or press the Windows key + S to search.
    2. Type Software Center.
    3. Select the Software Center app.
    4. Select the icon for SRU R73679.
    5. You may see a message that the software is downloading. If so, please wait until you see the Logoff Screen within the Software Center. During the day, download speeds are restricted, so this could take a substantial amount of time.
    6. When you are ready to start the install, select Logoff.
    7. You will be logged off and your device will reboot after the software installation has completed.
    8. After your device reboots, log back in and verify that Entrust now works.
    9. If it still does not work, please repeat the steps above.
    10. If after the second attempt, the problem has still not been resolved, please open a ticket with the National Service Desk.

    Still need assistance? Submit an online service request to the National Service Desk.

  • AppGate SDP Requirements
    • You must have a designated computer in an ESDC office, and know its computer name.
    • You must have a personal computer (Windows 10 or Mac 10.12) and high-speed Internet access at home. If you are using a Mac computer at home, you will also need to know the IP address of your designated work computer.
    • Your supervisor must submit a request on your behalf, using the Access Management Portal.
    • You must acquire (generate) an Entrust eGrid file with its own unique ID. See the AppGate SDP Quick Reference for instructions.

    Please note that AppGate SDP is intended as an interim measure for employees who require remote connectivity to the ESDC network, until they can receive an ESDC portable device that will provide FortiClient VPN access.