Frequently Asked Questions

Any Connect is the new Honeywell Remote Access [HRA] solutions VPN client that offers optimal gateway selection, integrated network access management including Wired Ethernet, Home/Public Wi-Fi, and Campus Wireless on the Enterprise2 WLAN.
It will be automatically pushed out to all existing remote access users via Landesk in Q3/Q4 2011. All contractors, customers and vendors with remote access will be able to download the software.
Any Connect has significant functional and security enhancements from Checkpoint.
  1. No User Certificate configuration or Visitor mode required
  2. Utilizes the same ports as HTTPS for VPN which are open on most home and corporate networks
  3. Integrates a Network Access Manager instead of adding complexity with 3rd party software
  4. Enhanced Security and Diagnostic functions for more end point protection and troubleshooting functionality 
Any Connect will support the following versions of Windows Operating systems:
  1. Windows 7 x86 (32-bit) and x64 (64-bit)
  2. Windows Vista SP2 x86 (32-bit) and x64 (64-bit)
  3. Windows XP SP3 x86 (32-bit) 
There is no monthly subscription cost to use the Any Connect Network Access Manager to connect to Free Public Wi-Fi hotspots at coffee houses, restaurants, hotels and other locations. You will be able to use it to manage connections at fee based Wi-fi hotspots, but there will access charges per the terms of use for the location. [i.e. hotels without fee base Wi-Fi added to the room charge or which require a credit card]
Please contact your nearest Honeywell Service desk. The service desk contact information can be found at Contact Us
You can do so by sending an email to hrasupport@honeywell.com requesting service is stopped.
No. The client will check for those softwares acceptable by HON standards before you are allowed to access the network.
With the new HRA, you will be automatically re-routed to the next nearest remote access gateway
The software requires Administrator rights to perform the install. If you have those permissions or have desktop support assistance, you can install the software from this. Honeywell employees with out Administrator rights on their Honeywell Laptop can manually install the software package from the ESD [electronic software distribution site].
The AnyConnect software will be push via Landesk. As part of the process, the Checkpoint software[ gold key] will be deactivated and a new graphical user interface and icon will appear in your system tray. Below are illustrations of the system tray icons and several examples of what they mean:
  1. System tray icon indicating client components are operating correctly.
        icon indicating client components operating correctly
  2. System tray icon indicating the VPN is connected.
        icon indicating the VPN connected
  3. System tray icon alerting the user to a condition requiring attention or interaction. For example, a dialog about the user credentials.
        icon alerting user to a condition requiring attention
  4. System tray icons that indicate one or more client components are transitioning between states (for example, when the VPN is connecting or when NAM is connecting). The three icon files display in succession, appearing to be a single icon bouncing from left to right.
        icons indicate one or more client components transitioning
  5. System tray icon will launch the user interface used to manage network connections and connect to the VPN gateway.
        system tray icon Double click on the the system tray icon and the Any Connect Client will launch

        Any Connect Client
    Note: AnyConnect does not display more than one icon at a time. The icon with the highest priority takes precedence.
802.1X over Ethernet (802.3) and Wi-Fi (802.11) is available as a separate module in AnyConnect: the Network Access Manager. This separately loadable module will be installed as part of the install package for AnyConnect to perform 802.1X authentication.
Yes. The Network Access Manager associated with AnyConnect Version 3.0 and later supports wireless connectivity using a wireless network interface card.
No. The Cisco software does not support dialup connectivity. If you need dialup connectivity, please contact the remote access team at hrasupport@honeywell.com with this requirement and we will review the connectivity options for dialup with you.
Yes. The Network Access Manager in AnyConnect Version 3.0 and later supports WPA2; provided WPA2 is supported by the wireless network interface card.
Yes. The AnyConnect Network Access Manager supports 802.1AE, also known as MACsec, which encrypts traffic over the wired LAN. 
There are no hardware requirements for MACsec on the local machine. If the network interface card does not support MACsec, the encryption is done on the main processor on the local computer. A MACsec-capable switch is required on the network side.
Yes. All of the components in the AnyConnect Secure Mobility Client can be used independently. If you are not using the AnyConnect VPN functionality, you can install the AnyConnect Secure Mobility Client so that functionality is not enabled.
  • Intranet / Internet access.
  • Business partners must allow network traffic over ports 9100, 9101, and 9102.
  • The Symantec PKI client must be installed on the PC (laptop / desktop).
  • If you do not have a Honeywell-managed device, you will need Admin privileges for that device for installing the PKI Client software from the Symantec website.
Most Honeywell standard browsers are supported. Please refer to the following list for specific details.
  • Google Chrome is qualified by Symantec for certificate enrollment.
  • Mozilla Firefox is qualified by Symantec for certificate enrollment.
  • Internet Explorer:
     IE8:  Not supported. Please use Google Chrome or Mozilla Firefox.
     IE9:  Not Supported. Please use Google Chrome or Mozilla Firefox.
     IE10: Supported. End of support is October 2016
     IE11: Supported (new in PKI Service v2.1).
     Microsoft Edge has limited support in Win10 as of Jan 2016.

Google Chrome is qualified by Symantec for certificate enrollment. However, Chrome requires an extension before you can enroll for a PKI certificate. If the PKI client is installed but the Chrome extension is missing when you enroll for a PKI certificate, Chrome will prompt you for the missing component. If you are prompted because the Chrome extension is missing, the steps below describe how to enable the missing extension: 
  1. Open Chrome and navigate to the tools pull-down menu to open the settings option.
  2. Click Tools > Extensions.
  3. Ensure the Symantec PKI Client Plugin Extension option is enabled.
  4. Close and re-open Chrome, then proceed to the certificate enrollment link to continue. 
Please use the Google Chrome browser instead of Internet Explorer. If Chrome is not already installed on your machine, you can download and install it from the Software Center (Start > All Programs > Microsoft System Center 2012 R2 > Software Center). After launching Chrome, you may be prompted to enable the PKI Client extension. If so, please accept. 
Please use Google Chrome or Mozilla Firefox to enroll for PKI certificates. Both of these alternative standard browsers are available for download from the System Software Center store (Start > All Programs > Microsoft System Center 2012 R2 > Software Center).

  • For VPN (HRA AnyConnect remote) and Internal Honeywell Wi-Fi authentication certificates, enroll for the HON Private Identity certificate.
  • For Secure Email, enroll for the HON Public Identity certificate. This certificate is used for sending and receiving encrypted and or digitally-signed email messages between internal employees, as well as external or third parties with compatible encryption capabilities.
  • For electronic document signing (such as Adobe Acrobat files and others that are capable of allowing digital signing), enroll for the HON Adobe CDS Signing certificate. This certificate differs from the Email encryption certificate whereas it is provisioned to and stored on a smart card. You MUST have a FIPS 140-2 compatible card reader, smartcard token, and compatible software to successfully enroll and use this type of certificate.

All certificates are renewed every 3 years.
Certificates are setup when the new computer is delivered. Certificates are configured to be active for 3 years. Because computers are typically replaced every 3 years, certificate renewal is generally not needed.
However, in the case of some contractors, certificate renewal may be required. When that happens, a message will display on the computer, starting 30 days before the certificate expires. Click the link in the message to start the renewal. After completing the renewal, your certificate will automatically be issued to your PC and the renewal prompts will cease at that time.
Yes. The Honeywell standards require password protection for both compliance and security guidance. The password is actually what Symantec calls a PIN or the Symantec PKI Client PIN. This PIN must be at least 8 alpha-numeric characters and may include non-ASCII characters.
While each certificate is “unlocked” separately, the PKI PIN is generated upon your initial certificate enrollment and will be the same for all certificates that are issued on the same device.
You do not have to change your PKI PIN, but you can. Use the Symantec PKI client < change="" pin=""> option. This will change the pin for all PKI certificates on the device.
No, you do not have to change your PKI PIN. 
The PKI PIN reset function is used if you have forgotten your PKI PIN. Only use this option if you cannot recall what your PKI PIN is as the reset function will actually remove your PKI certificate(s) from your PC and you will then browse to the PKI 2 websiteto re-enroll for all PKI 2 certificates and complete HRA or Outlook configuration steps.
Yes. While English is the standard global language at Honeywell, the Symantec PKI client offers limited language choices. The menu to change the language format to your choice is available in the initial certificate enrollment window of the PKI Certificate Service.Click on the dropdown button in the upper right-hand corner to change the default to your choice.
  1. No. Exporting the certificate is no longer an option in PKI service, for security and compliance purposes, as recommended by Honeywell Global Security and industry standards. Certificates are now effective for 36 months, rather than 12 months, making such exports largely unnecessary.
  2. While authentication certificates are not exportable, duplicate enrollment is allowed. Individuals whose role requires multiple devices can enroll for PKI certificates on each device.
  3. The Secure Email (encryption) certificates are NOT exportable, but duplicate enrollment is allowed by using the certificate enrollment process for use on multiple PC’s if needed. This option allows for one certificate managing all sent and received encrypted / signed messages from multiple devices using the same certificate.
  4. The Mobile Device Management team provisions certificates to your mobile device for you, eliminating the need for you to export certificates.
Yes, please visit the links below for the specific device listed and the individual FAQs for each.
This error message can occur while attempting to send or receive an encrypted email message. The message occurs because the PKI 2 HON Public Identity certificate on the device has not been provisioned and configured to your Microsoft Outlook email client on the device that received the error message. To resolve this issue:
  1. Navigate to the PKI 2 website using the device where the error occurred.
  2. Click Step 2 to open the PKI 2 Secure Email (encryption) Standard End-User Guide.
  3. Follow all the steps in that document to provision the HON Public Identity certificate to your device and guide you through the Outlook Configuration steps.
The steps above will enable your new certificate for use with encryption. If you have previously enrolled for the certificate from a different device, this process will simply download a copy of the current valid certificate, not provision a new certificate.
If problems do continue, please contact the Honeywell Service Desk.
Click Here to obtain instructions to reset your PKI client software on your computer. This will re-publish your certificate to your PKI client. If problems do continue, please contact the Honeywell Service Desk.
Please call your local service desk to have a ticket opened with the appropriate PKI support group.
Please Click Here and go to page 3 for instructions to manually change the 
Outlook Security Settings.