VPN 3000 Series Concentrator Reference Volume I: Configuration, Release 3.6
Client Update
Download this chapter
Client Update Client Update
give_us_feedback

Table of Contents

Client Update
 Configuration | System | Client Update
 Configuration | System | Client Update | Enable
 Configuration | System | Client Update | Entries
 Configuration | System | Client Update | Entries | Add or Modify

Client Update

Updating VPN Client software in an environment with a large number of devices in different locations can be a formidable task. For this reason, the VPN 3000 Concentrator includes a client update feature that simplifies the software update process. This feature works differently for VPN software clients and VPN 3002 Hardware Clients.

VPN Software Clients

The client update feature lets administrators at a central location automatically notify VPN Client users when it is time to update the VPN Client software.

When you enable client update, upon connection the central-site VPN Concentrator sends an IKE packet that contains an encrypted message that notifies VPN Client users about acceptable versions of executable system software. The message includes a location that contains the new version of software for the VPN Client to download. The administrator for that VPN Client can then retrieve the new software version, and update the VPN Client software.

You configure parameters that specify the acceptable versions of software and their locations. Updates are supported per group. This means that all members of a group can obtain the same updates from the same server at approximately the same time.

VPN 3002 Hardware Clients

The client update feature lets administrators at a central location automatically update software/firmware for VPN 3002 Hardware Clients deployed in diverse locations.

When you enable client update, upon connection the central-site VPN Concentrator sends an IKE packet that contains an encrypted message that notifies VPN 3002 hardware clients about acceptable versions of executable system software and their locations. If the VPN 3002 is not running an acceptable version, its software is automatically updated via TFTP.

To use client update, you need to have a TFTP server that can handle the volume and frequency of updates that your network requires. We recommend that you locate this server inside your network. The client update facility sends notify messages to VPN 3002s in batches of 10 at 5-minutes intervals.

You configure parameters that specify the acceptable versions of software and their locations. Updates are supported per group. This means that all members of a group can obtain the same updates from the same server at approximately the same time.

The VPN 3002 logs event messages at the start of the update. When the update completes, the Hardware Client reboots automatically.

Note   The VPN 3002 stores image files in two locations: the active location, which stores the image currently running on the system; and the backup location. Updating the image overwrites the stored image file in the backup location and makes it the active location for the next reboot. The client update process includes a test to validate the updated image. In the unlikely event that a client update is unsuccessful, the client does not reboot, and the invalid image does not become active. The update facility retries up to twenty times at 3-minute intervals. If an update is unsuccessful, the log files contain information indicating TFTP failures.

Configuration | System | Client Update

This section of the VPN 3000 Concentrator Manager lets you configure the client update feature.

  • Enable: Enables or disables client update.
  • Entries: Configures updates by client type, acceptable firmware and software versions, and their locations.

Figure 12-1   Configuration | System | Client Update Screen


Configuration | System | Client Update | Enable

This screen lets you disable or enable client update.


Figure 12-2   Configuration | System | Client Update | Enable Screen


Enable

Uncheck or check the Enable check box to disable or enable client update (by default, client update is enabled).

Apply or Cancel

To apply your change to client update, click Apply. This action includes your entry in the active configuration. The Manager returns to the Configuration | System | Client Update screen.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System |Client Update screen, and the settings are unchanged.

Configuration | System | Client Update | Entries

This screen lets you add, modify, or delete client update entries.


Figure 12-3   Configuration | System | Client Update | Entries Screen


Update Entry

The update entry list shows the configured client update entries. Each entry shows the platform and acceptable software/firmware versions. If no updates have been configured, the list shows --Empty--.

Actions

To configure and add a new client update entry, click Add. The Manager opens the Configuration | System | Client Update | Entries | Add screen.

To modify parameters for a client update entry that has been configured, select the entry from the list and click Modify. The Manager opens the Configuration | System | Client Update | Modify screen.

To remove a client update entry that has been configured, select the entry from the list and click Delete.

Note   There is no confirmation or undo.

The Manager refreshes the screen and shows the remaining entries in the list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

Configuration | System | Client Update | Entries | Add or Modify

These screens let you configure and change client update parameters.


Figure 12-4   Configuration | System | Client Update | Entries | Add or Modify Screens


Client Type

Enter the client type you want to update.

  • For the VPN Client: Enter the windows operating systems to notify. The entry must be exact, including case and spacing:
    • Windows includes all Windows-based platforms.
    • Win9X includes Windows 95, Windows 98, and Windows ME platforms.
    • WinNT includes Windows NT 4.0, Windows 2000, and Windows XP platforms.

Note   The VPN Concentrator sends a separate notification message for each entry in a Client Update list. Therefore your client update entries must not overlap. For example, the value Windows includes all Windows platforms, and the value WinNT includes Windows NT 4.0, Windows 2000 and Windows XP platforms. So you would not include both the values Windows and WinNT.
  • For the VPN 3002 Hardware Client: Your entry must be vpn3002, including case and spacing.

URL

Enter the URL for the software/firmware image. This URL must point to a file appropriate for this client.

  • For the VPN Client: To activate the Launch button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS and the server address of the site that contains the update. The format of the URL is: http(s)://server_address:port/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

http://10.10.99.70/vpnclient-win-3.5.Rel-k9.exe

The directory is optional. You need the port number only if you use ports other than 80 for http or 443 for https.

  • For the VPN 3002 Hardware Client: The format of the URL is tftp://server_address/directory/filename. The server address can be either an IP address or a hostname if you have configured a DNS server. For example:

tftp://10.10.99.70/vpn3002-3.5.Rel-k9.bin

The directory is optional.

Revisions

Enter a comma-separated list of software or firmware images appropriate for this client. The following caveats apply:

  • The revision list must include the software version for this update.
  • Your entries must match exactly those on the URL for the VPN Client, or the TFTP server for the VPN 3002.
  • The URL above must point to one of the images you enter.

If the client is already running a software version on the list, it does not need a software update. If the client is not running a software version on the list, an update is in order.

  • A VPN Client user must download an appropriate software version from the listed URL.
  • The VPN 3002 Hardware Client software is automatically updated via TFTP.

Add or Apply / Cancel

To add this client update entry to the list of configured update entries, click Add. Or, to apply your changes, click Apply. Both actions include your entry in the active configuration. The Manager returns to the Configuration | System | Client Update screen. Any new entry appears at the bottom of the Update Entries list.

Reminder:

To save the active configuration and make it the boot configuration, click the Save Needed icon at the top of the Manager window.

To discard your entries, click Cancel. The Manager returns to the Configuration | System | Client Update screen, and the Update Entries list is unchanged.

Tip For more information about VPN Client updates, specifically the VPN Client Launch button, refer to the VPN Client Administrator Guide.