DB Secure-Access-Portal: User Guide for RAS VPN

DB Systel GmbH

Version 1.5

As at: 17th of June 2019

User Guide RAS-VPN · 2020-03-30 · RAS VPN (Remote Access Service – Virtual Private Network) The RAS VPN variant offers secure access to the corporate network via the Internet


DB Secure-Access-Portal / Version 1.5 / As at: 17th of June 2019 Page 2 / 12

Contents:

1. Introduction

2. Preparing Your Non-BKU Device

2.1 Internet Access

2.2 Virus Protection

2.3 Firewall

2.4 Installation Pulse Secure Client

3. Using the RAS VPN Solution

3.1 Connect with Pulse Secure on BKU Device

3.2 Logging in to the DB Secure-Access-Portal for RAC-VPN

3.3 Accessing Corporate Resources

3.4 Closing the RAS VPN Session

3.5 Closing the RAC VPN Session

4. Further Information on the RAS VPN Solution

4.1 Changing the BKU Password

4.2 IT Support

4.3 Helpdesk DB Systel

5. System Requirements

5.1 Operating Systems and Web Browsers Supported

5.2 Operating Systems for Host Checker, Cache Cleaner and Network Connect Supported

5.3 Operating Systems for Pulse Secure Client

5.4 Virus Protection Software Supported

5.4.1 Products Supported

5.4.2 Enabled Products without Support

6. Questions and Answers


1. Introduction

Deutsche Bahn offers an RAS VPN solution based on SSL technology that enables users to dial into the corporate network from any terminal.

The new RAS VPN solution is available in two variants:

1. RAS VPN (Remote Access Service – Virtual Private Network)

The RAS VPN variant offers secure access to the corporate network via the Internet. For this purpose, a special VPN client (Pulse Secure) is available, which connects the terminal to the corporate network as if it were connected to the local network.

2. RAC VPN (Remote Application Connect – Virtual Private Network)

The RAC VPN variant offers secure partial access to the corporate network via the Internet. Here, you can use the Web browser to access applications.

The functional differences between RAS and RAC VPN are listed in the following table:

| Function | RAS VPN | RAC VPN |
|---|---|---|
| Access to Local Network Drives | No | Yes |
| Usage with BKU-Client possible | Yes | Yes |
| Usage with Non-BKU Client possible | Yes *) | Yes |
| Unrestricted Internet Access | Non-BKU: No; BKU: Yes | Yes |
| Lotus Notes | Yes | Via DB Mail |
| Local Connected Network Printer | No | Yes |
| Central Printing (Network Printer DB) | Non-BKU: No; BKU: Yes | No |
| "Clientless" Access | No | Yes |
| Admin privileges required | Yes | No |

*) A non-BKU client can establish a remote access VPN connection if the endpoint security check is passed. This requires that a supported operating system (see section 5.2 on page 10) and a supported virus scanner (see section 5.4 on page 10) are installed on the client, that the virus scanner is running with real-time scanning, and that the virus and spyware definitions are not older than 5 days.

This document is intended, in particular, for users who work with clients not managed by DB Systel. In order to use remote access effectively, you are strongly advised to carry out the preparatory steps for your terminal as described in chapter 2. Administrator rights are required for this purpose. If you do not already have these rights, contact the administrator responsible.

To use the RAS VPN solution, you require:

➢ Your activated ActivIdentity token (ActivIdentity Mini Token or SMS Token) and the associated PIN [1] you assigned yourself when you activated the token

➢ A computer with an Internet connection and Web browser

For comprehensive instructions to activate your token, see

https://db.de/token

in the "Token User Guides" section at the bottom of the page.

[1] You will not be sent a PIN/password letter for the PIN you assigned yourself.


2. Preparing Your Non-BKU Device

To be able to use RAS-VPN or RAC-VPN with your Non-BKU terminal, please read the following notes.

2.1 Internet Access

Make sure that the terminal you are using is connected to the Internet or is suitably equipped to be able to connect to the Internet as and when required.

2.2 Virus Protection

Remote access to the IP network of Deutsche Bahn is only possible if virus protection software (see section 5.4 on page 10) has been installed on the terminal.

In addition, all of the following conditions must be fulfilled:

1. Virus scanner is active

2. Realtime scanning is activated

3. Virus and spyware definitions are up to date

Make sure that virus protection that fulfils the specified requirements is installed on the terminal.

Important: Before you upgrade your virus scanner to a new version (e.g. from 9.x to 10.x), please refer to the latest version of the User Guide to determine whether this version is supported by the DB Secure-Access-Portal.
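The conditions from the footnote in chapter 1 and from this section can be checked before dialling in. The following Python sketch is an added example, not code from DB Systel or Pulse Secure, and it does not reproduce the Host Checker's internal logic; the posture record fields, the version string 12.0.27 and the excerpted product lists are assumptions made for illustration.

```python
from datetime import date

# Major versions copied from sections 5.4.1 / 5.4.2 of this guide (Windows, excerpt).
SUPPORTED = {"Kaspersky Endpoint Security": {8, 10, 11}}
ENABLED_ONLY = {"ESET NOD32 Antivirus": {8, 9, 10, 11}, "Windows Defender": {4}}
# Section 5.2: Host Checker platforms as (Windows release, bitness).
HOST_CHECKER_OS = {("10", 64), ("8.x", 32), ("8.x", 64), ("7", 32), ("7", 64)}
MAX_DEFINITION_AGE_DAYS = 5  # "not older than 5 days"


def check_endpoint(posture, today):
    """Return (allowed, support_tier, findings) for one posture record (a dict)."""
    findings = []
    if (posture["os"], posture["bits"]) not in HOST_CHECKER_OS:
        findings.append("operating system not listed in section 5.2")
    product = posture["av_product"]
    major = int(posture["av_version"].split(".")[0])
    if major in SUPPORTED.get(product, ()):
        tier = "supported"
    elif major in ENABLED_ONLY.get(product, ()):
        tier = "enabled-without-support"
    else:
        tier = None
        findings.append(f"{product} {major}.x not listed in section 5.4")
    if not posture["av_running"]:
        findings.append("virus scanner is not active")
    if not posture["realtime_scanning"]:
        findings.append("real-time scanning is not activated")
    age = (today - posture["definitions_date"]).days
    if age > MAX_DEFINITION_AGE_DAYS:
        findings.append(f"definitions are {age} days old, limit is {MAX_DEFINITION_AGE_DAYS}")
    return not findings, tier, findings


# Constructed sample records (field names are assumptions of this example).
TODAY = date(2019, 6, 17)
BASE = {"os": "10", "bits": 64, "av_product": "Kaspersky Endpoint Security",
        "av_version": "11.0.1", "av_running": True, "realtime_scanning": True,
        "definitions_date": date(2019, 6, 15)}
STALE = {**BASE, "definitions_date": date(2019, 6, 11)}  # 6 days old
UPGRADED = {**BASE, "av_product": "ESET NOD32 Antivirus", "av_version": "12.0.27"}

if __name__ == "__main__":
    for name, rec in (("base", BASE), ("stale", STALE), ("upgraded", UPGRADED)):
        print(name, check_endpoint(rec, TODAY))
```

The UPGRADED record shows the case the "Important" note warns about: a major-version upgrade moves an otherwise healthy scanner off the list, so the check fails even though all other conditions are met.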

2.3 Firewall

Terminals deployed in corporate networks are usually protected by a central firewall. Access to the DB Secure-Access-Portal (https://vpn.extranet.deutschebahn.com) via port 443 TCP is a minimum requirement. Experience has shown that access to Internet Web sites protected via SSL is generally permitted, which means that no further action is required here.

If a personal firewall is installed on the terminal, please check whether this type of communication is permitted. If necessary, the firewall rule set must be modified accordingly.

2.4 Installation Pulse Secure Client

To use RAS-VPN on Non-BKU devices, we recommend installing the Pulse Secure Client. This variant is intended for users who use network access via RAS-VPN (Layer 3 VPN tunnel) in the network of DB AG. The Pulse Secure Client is not suitable for users who only want to access web bookmarks via RAC-VPN.

After logging in to the DB Secure Access Portal, users without a BKU device can download a current version of the VPN Client by clicking on "Pulse Secure Client" in the "Files" section.

On the download page, choose the version that is necessary for your environment:

• ps-pulse-mac-.... for MacOS devices

• ps-pulse-win-....-32bit for 32 bit Windows devices

• ps-pulse-win-....-64bit for 64 bit Windows devices

For details on installation and configuration, please refer to the installation instructions in the download folder.


3. Using the RAS VPN Solution

3.1 Connect with Pulse Secure on BKU Device

On devices with BKU X and BKU 7, the Pulse Secure Client is preinstalled for convenient access to RAS VPN. To do this, please start the Pulse Secure Client in the program menu:

You can now connect with the Pulse Secure Client. Please select "Anmeldung mit Zertifikat" (Authentication with Certificate) only if you are using a BKU X terminal with an initialized "Virtual Smart Card". Alternatively, select the "Anmeldung mit Token" (Authentication with Token) option:

If the Pulse Secure Client displays an empty window (no connection profiles), please start the function "Repair Pulse" or "Repair Pulse Secure" in the program menu. Further information on using the Pulse Secure Client can be found here: https://db.de/psop_en


3.2 Logging in to the DB Secure-Access-Portal for RAC-VPN

Note: Login via browser is only supported for RAC-VPN users. These users are provided access to company resources via web bookmarks.

Start the browser (preferably Internet Explorer) and enter the following link:

https://vpn.extranet.deutschebahn.com

This calls the login page for the DB Secure-Access-Portal. Log in with your DB User Accountname, PIN and token code:

Note: The label of the second input field is focused on the use of a hardware token. Users with SMS token should follow the instructions in the specific token user manuals.

Enter your DB User Accountname in the first field. Generate a one-time password (token code) by pressing the button on your ActivIdentity token and enter your token PIN, followed by the token code in the relevant field. Then click the "Log in" button.

If you are logging in with a token for the first time, the required software component Host Checker is downloaded automatically and installed on your terminal. This takes place once and is only repeated if necessary, for example, if the software components are updated.


If you have a slow Internet connection, it may take more than ten minutes to download the software components. For this reason, it is strongly recommended that you use a LAN, DSL or WLAN connection.

Important: Depending on your system configuration, you may be prompted to enter an administrator password. You do not need to do this to gain access to individual applications (RAC VPN). Leave the administrator password field empty and close the window by clicking the relevant button ("No" or "Cancel"). Further messages/warnings/requests may then be displayed that must be confirmed (Digital signature - Run?, Juniper script requests authorization - Allow?, Trust content of initiator vpn.extranet.deutschebahn.com - Yes/No?, Install Cache Cleaner and Host Checker software - Yes/No?).

The load operation for the Host Checker is displayed in the browser window:

A green dot appears in front of the component name to indicate that the component has been successfully loaded.

Important: If you have not connected your terminal to the corporate network for some time, the virus scanner may not fulfil the prerequisites due to an obsolete virus signature. In this case, an appropriate error message is displayed in the browser.

Update the virus scanner and make sure that realtime protection is activated. Then click "Try again".


The corporate resources activated for a particular context are shown as links in the browser window as in the following example:

3.3 Accessing Corporate Resources

Without Pulse Secure (RAC VPN), you can only access resources displayed in the browser window. When you click the relevant application, this is started in a new browser window. Note that the browser window does not contain toolbars.

With Pulse Secure (RAS VPN), your terminal is connected to the corporate network as though connected on the local network. You can access network resources in the usual way.

3.4 Closing the RAS VPN Session

To terminate the RAS VPN session, please disconnect the session in the Pulse Secure Client.

3.5 Closing the RAC VPN Session

To close the RAC VPN session, click "Log out" in the top right of the browser window:

You will then be logged out of the DB Secure-Access-Portal.


4. Further Information on the RAS VPN Solution

4.1 Changing the DB User Password

You must change your DB User password at regular intervals. Unexpected problems when logging in to certain applications may be caused by an expired password.

The DB User password can be changed via the "Password Self-Service" portal:

https://db.de/password

4.2 IT Support

If you have problems using RAS VPN, we recommend using the IT Support Community:

https://db.de/it-support

4.3 Helpdesk DB Systel

If you have any further questions or problems, please contact the Helpdesk DB Systel on +49 (0)361-4308200.

You can also contact the Helpdesk DB Systel by e-mail at [email protected].


5. System Requirements

5.1 Operating Systems and Web Browsers Supported

• Windows 10* Enterprise/Professional/Home, 64 Bit: Internet Explorer 11

• Windows 8.1* Enterprise 64 Bit: Internet Explorer 11

• Windows 7 SP1 Enterprise 32/64 Bit: Internet Explorer 8, 9, 10, 11

• Mac OS X 64 Bit: Safari 9.x, 8.x, 7.x; Oracle JRE 8

5.2 Operating Systems for Host Checker, Cache Cleaner and Network Connect Supported

• Windows 10 all editions on 64 bit

• Windows 8.x all editions on 32 bit or 64 bit

• Windows 7 all editions on 32 bit or 64 bit

5.3 Operating Systems for Pulse Secure Client

• Windows 10 all editions on 64 bit

• Windows 8.x all editions on 32 bit or 64 bit

• Windows 7 all editions on 32 bit or 64 bit

• Mac OS X on 64 Bit

*) On Windows 8, 8.1 and 10 platforms the endpoint must use desktop mode and enable plug-ins in the Internet Explorer configuration.

5.4 Virus Protection Software Supported

Notes:

• The Helpdesk DB Systel can only provide support for anti-virus products listed in section 5.4.1.

• DB Systel provides a cost-effective anti-virus service for the client operating systems Windows 7 and Windows Vista that is guaranteed to be compatible with the Secure Access platform and is supported by the Helpdesk DB Systel. The anti-virus service can be ordered via the Serviceportal (https://db.de/sp). To find the product, use the ID PROD0000802 "Anti-virus software for devices outside the DB Network".

• Antivirus products listed in section 5.4.2 are enabled for use with the DB Secure Access Portal, but compatibility cannot be guaranteed, and the Helpdesk DB Systel does not support VPN dial-in issues with these products. In case of VPN dial-in issues, it may be an option to try another virus scanner from the list, or you may order the DB Systel anti-virus service.

5.4.1 Products Supported

Windows OS:

• Kaspersky Endpoint Security (8.x)

• Kaspersky Endpoint Security (10.x)

• Kaspersky Endpoint Security (11.x)

Mac OS:

• Kaspersky Anti-Virus (8.x)

• Kaspersky Endpoint Security (10.x)


5.4.2 Enabled Products without Support

Windows OS:

• AVG AntiVirus (2016.x)

• Avira Antivirus Pro (15.x)

• Avira Antivirus Suite (14.x)

• Avira Free Antivirus (15.x)

• Avira Internet Security & Avira Internet Security Suite (14.x)

• Avira Professional Security (13.x), (14.x)

• CylancePROTECT (2.x)

• ESET Endpoint Antivirus (5.x), (6.x)

• ESET NOD32 Antivirus (8.x), (9.x), (10.x), (11.x)

• ESET Smart Security (7.x), (8.x), (9.x), (10.x)

• F-Secure Client Security (10.x), (11.x), (12.x), (13.x)

• G Data AntiVirus (24.x), (25.x)

• G Data InternetSecurity (24.x), (25.x)

• G Data Security Client (14.x)

• G Data TotalProtection (25.x)

• G Data TotalSecurity (25.x)

• Kaspersky Anti-Virus (15.x), (16.x), (17.x), (18.x)

• Kaspersky Endpoint Security (8.x), (10.x)

• Kaspersky Internet Security (15.x), (16.x), (17.x), (18.x)

• McAfee Endpoint Security (10.x)

• McAfee VirusScan Enterprise (8.x), (8.8.x)

• Microsoft Security Essentials (4.x)

• Norton 360 (21.x), (22.x)

• Norton AntiVirus (21.x), (22.x)

• Norton Internet Security (21.x), (22.x)

• Norton Security (22.x)

• Norton Security with Backup (22.x)

• Sophos Endpoint Security and Control (10.x), (11.x)

• Symantec Endpoint Protection (11.0.x), (12.1.x), (14.0.x), (14.2.x)

• Symantec Endpoint Protection Cloud (22.1.x), (22.8.x), (22.9.x)

• System Center Endpoint Protection (4.x)

• Trend Micro OfficeScan Client (11.x), (12.x)

• Trend Micro Worry Free Business Security Agent (20.x)

• Windows Defender (4.x)

Mac OS:

• Avira Mac Security (2.x), (3.x)

• Kaspersky Internet Security (15.x), (16.x)

• Sophos Anti-Virus (8.x), (9.x)

• Sophos Home (2.x)

• Symantec Endpoint Protection (12.0.x), (12.1.x), (14.0.x)


6. Questions and Answers

How much bandwidth is available in the RAS VPN?

For every user, a bandwidth ranging from 5 up to 10 Mbit/s is available. The usable bandwidth is not guaranteed and may be reduced significantly by software distribution to BKU clients. Full utilization of the bandwidth of the domestic DSL / cable connection (e.g. 50 Mbit/s) is not possible for technical reasons. The transmission speed varies depending on the type and stability of the network connection, for example when using UMTS/LTE or Wi-Fi.