Page 1: VPN

Gecis IT Services Training Team

Aug 2005

Virtual Private Network Training Team, GECIS IT Services

Page 2: VPN


Contents

- VPN

- GE VPN Requirements

- RSA

- Remote Office

- FAQ's

Page 3: VPN


Purpose of the Module

- What is a Virtual Private Network?

- Why do we require VPN?

- Understanding the advantages of VPN.

- Understanding how VPN technology works.

- Uses of VPN.

- What is tunneling?

- Understanding VPN connectivity.

Page 4: VPN


What is a Virtual Private Network (VPN)?

A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this by allowing the user to tunnel through the Internet or another public network in a manner that provides the same security and features formerly available only in private networks.

The secure connection across the public network appears to the user as a private communication, despite the fact that this communication occurs over a public network, hence the name Virtual Private Network.

[Figure: a VPN tunnel across the transit internetwork is the logical equivalent of a private point-to-point link]

Page 5: VPN


Why Virtual Private Network ?

VPN technology is designed to address the issues surrounding the current business trend toward increased telecommuting and widely distributed global operations, where workers must be able to connect to central resources and to communicate with each other.

Advantages of VPN :

1. Cost Effective

2. Secure

3. Increased Productivity

4. Flexible Working Hours

5. Scalable Infrastructure

6. Centralization of Shared Data

7. Network Policy Enforcement

Page 6: VPN


How does VPN Technology work?

VPNs accomplish this by allowing the user to tunnel through the public network in a manner that provides the same security and features as were previously available only in private networks.

The VPN connection across the Internet logically operates as a Wide Area Network (WAN) link between the sites.

The secure connection across the public network appears to the user as a private communication, even though it occurs over a public network, hence the name Virtual Private Network.

[Figure: a laptop dials its ISP, crosses the Internet, and terminates a tunnel on the VPN server in front of the intranet servers]

Page 7: VPN


Common Uses of VPN:

1. Remote User over the Internet:

The user dials the local ISP; using that connection to the ISP, the VPN software creates a virtual private network between the dial-up user and the corporate VPN server across the Internet.

2. Connecting Networks over the Internet:

The branch office hub router and the corporate hub router each connect to their local ISP. The VPN software uses the connection to the local ISP to create a VPN between the branch office router and the corporate hub router across the Internet.

Page 8: VPN


Tunneling

VPN works on the concept of tunneling.

Tunneling is a method of using a public network infrastructure to transfer data for one network over another network: the original packet is encapsulated (wrapped) in a new header addressed across the transit network and unwrapped at the far end.

The logical path through which the encapsulated packets travel through the internetwork is called a tunnel.

Tunneling Technologies:

1. Point-to-Point Tunneling Protocol (PPTP):

PPTP allows IP, IPX or NetBEUI traffic to be encrypted and then encapsulated in an IP header to be sent across a public IP internetwork such as the Internet. (Note: PPTP's MPPE encryption is keyed from the MS-CHAP v2 exchange, which has since been shown to be breakable, so PPTP is no longer considered secure for new deployments.)

Page 9: VPN


2. Layer 2 Tunneling Protocol (L2TP):

L2TP allows IP, IPX or NetBEUI traffic to be tunnelled over any medium that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay or ATM. L2TP itself does not encrypt; the traffic is encrypted by running L2TP over IPSec (L2TP/IPSec, as deployed on Windows).

3. IP Security (IPSec) Tunnel Mode:

IPSec Tunnel Mode allows whole IP packets to be encrypted (and integrity-protected) and then encapsulated in a new IP header to be sent across a public IP internetwork such as the Internet. Because the original header travels inside the protected payload, the internal addresses are hidden from the transit network.
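The three protocols above all rest on the same operation: wrap the original packet, with its private addresses, inside a new outer packet that the public network can route, and protect the wrapped contents. The following Python program is an added illustration of IPSec-style tunnel-mode encapsulation; it is not code from this deck or from any VPN product. The IPv4 header layout and checksum are real, but the cipher is a stand-in HMAC-SHA256 keystream (the standard library has no AES), protocol number 50 is used only as a label, and the addresses, keys and payload are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

PROTO_TUNNEL = 50   # IANA protocol number for ESP; used here only to mark the outer packet
NONCE_LEN = 8
TAG_LEN = 16

# Constructed keys: a real gateway pair would negotiate these with IKE.
ENC_KEY = bytes.fromhex("00" * 16 + "11" * 16)
MAC_KEY = bytes.fromhex("22" * 32)


def checksum(data):
    """RFC 1071 one's-complement checksum used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    raw = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(raw)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def parse_ipv4(pkt):
    """Split an IPv4 packet into addresses, protocol and payload; rejects a bad checksum."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(pkt[:ihl]) != 0:
        raise ValueError("malformed IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total]}


def keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for AES-CTR, not for production."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack("!I", counter), hashlib.sha256).digest()
    return out[:length]


def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))


def encapsulate(inner_pkt, gw_src, gw_dst, nonce=None):
    """Tunnel mode: encrypt the whole inner packet, authenticate it, prepend an outer header."""
    nonce = nonce or os.urandom(NONCE_LEN)
    body = nonce + xor(inner_pkt, keystream(ENC_KEY, nonce, len(inner_pkt)))
    tag = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]   # encrypt-then-MAC
    payload = body + tag
    return ipv4_header(gw_src, gw_dst, PROTO_TUNNEL, len(payload)) + payload


def decapsulate(outer_pkt):
    """Reverse of encapsulate; the integrity check runs before any decryption."""
    outer = parse_ipv4(outer_pkt)
    if outer["proto"] != PROTO_TUNNEL:
        raise ValueError("not a tunnel packet")
    body, tag = outer["payload"][:-TAG_LEN], outer["payload"][-TAG_LEN:]
    expected = hmac.new(MAC_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed, packet dropped")
    nonce, ct = body[:NONCE_LEN], body[NONCE_LEN:]
    return xor(ct, keystream(ENC_KEY, nonce, len(ct)))


if __name__ == "__main__":
    # Constructed traffic: a branch host talks to a head-office host through two gateways.
    inner = ipv4_header("10.1.1.5", "10.2.2.9", 6, 17) + b"hello from branch"
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20")
    o = parse_ipv4(outer)
    i = parse_ipv4(decapsulate(outer))
    print("on the wire:", o["src"], "->", o["dst"], "protocol", o["proto"])
    print("inside:     ", i["src"], "->", i["dst"], i["payload"])
```

Only the gateway addresses and the tunnel protocol number are visible on the public network; the branch and head-office addresses and the data are inside the authenticated ciphertext, and a packet whose tag does not verify is dropped before anything is decrypted.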

Page 10: VPN


VPN Connectivity

There are two ways of connecting to the VPN:

- By connecting to an ISP (dial-up)

- By connecting directly to the Internet (cable modem, DSL or LAN)

By connecting to an ISP:

The VPN connection first makes a call to an ISP. After that connection is established, the connection then "calls" the remote access server, which establishes the PPTP or L2TP tunnel. After authentication, you can access the corporate network.

Page 11: VPN


By directly connecting to the Internet:

A user who is already connected to the Internet uses a VPN connection to "dial" the address of the remote access server over that existing connection; no telephone call is made. Examples of this type of user include a person whose computer is connected to a local area network, a cable modem user, or a subscriber to a service such as ADSL, where IP connectivity is established as soon as the user's computer is turned on.

Page 12: VPN


Purpose of the Module

• Understand the requirements for a GE employee to connect to the GE network from a remote location.

• What is Fiberlink?

• How to connect to the Internet using Fiberlink?

• What is a Token?

• Different types of tokens.

• What is the Nortel Networks Extranet Access Client?

• How to set up a new PIN?

Page 13: VPN


GE VPN Requirements

What do GE employees need to connect remotely?

- Fiberlink

- Token

- Nortel Network Extranet Access Client

Page 14: VPN


Fiberlink

Fiberlink is a dialer used to connect to the Internet.

[Figure: Fiberlink desktop icon and the Fiberlink dialer screen]

Page 15: VPN


Steps to connect to the Internet using Fiberlink

Step 1: Click on the Fiberlink icon on the desktop.

Step 2: User name: enter your username in the Fiberlink dialer Username field.

Step 3: Password: the first 8 letters of your last name (if your last name is shorter than 8 letters, the whole last name). If you are a VPN Admin, you use your VPN Admin password instead.

Save User name and Password: check this box.

Step 4: Service: select Dialup if you are using your phone and modem to dial into the service; select LAN/DSL/Cable Modem if you are using a broadband connection.

Step 5: Dial: click on the View/Change button to select the number.

Page 16: VPN


Step 6: Select the phone number by

a) Country, State, City, or

b) Area Code, Exchange Code.

Step 7: Select the phone number.

Step 8: Click on the OK button.

Step 9: Click on the Connect button on the Fiberlink screen.

Page 17: VPN


Token Code

• A six-digit number generated by an RSA ACE authenticator (SecurID token) from its secret seed and the current time. This number changes every 60 seconds.

• Two types of authenticators:
  – Hard ID (hardware token)
  – Soft ID (software token)

[Figure: key fob and PIN pad hardware tokens]

http://www.rsasecurity.com/products/securid/demos/SecurIDTour/RSASecurIDTour.html

Page 18: VPN


What is the Nortel Networks Extranet Access Client? Let's put things in perspective.

So far we understand this:

Fiberlink helps access the Internet, with the help of an ISP.

Once connected to the Internet, we need something more to connect to the corporate Intranet:

Nortel Contivity Client, software installed on the user's machine, helps access the Intranet by "tunneling" through the existing Internet connection provided by the ISP.

Page 19: VPN


Contivity VPN Client

(The business-specific description shown in the client is given during the software installation.)

Username: SSO ID

PIN: as set by the customer (the user)

Token: the 6-digit number displayed on the token

Destination: name of the server against which the authentication happens.

Page 20: VPN


Setting up a New PIN

Step 1:

- Enter the username

- Leave the PIN blank

- Enter the 6-digit number displayed on the token.

Step 2:

Click on the button Connect.

Step 3:

Enter the PIN of choice

Step 4:

Click on the button OK

Page 21: VPN


Step 5:

Enter the Passcode

(Passcode = PIN + tokencode, typed together as one string)

Step 6:

Click on the button OK .

Step 7:

Click on the button OK.

Page 22: VPN


Fiberlink Installation Guide: embedded Microsoft Word document (not reproduced in this transcript)

Page 23: VPN


Purpose of the Module

• What is ACE Admin?

• How to log in to the ACE Server?

• How to reset a PIN?

• How to synchronize a token?

• The different statuses of a token.

Page 24: VPN


ACE Admin

The administrative tool used to troubleshoot Intranet connectivity issues with the Nortel Contivity Client software.

The L1 agent has limited access to administer tokens:

1. Reset PIN

2. Resynchronize Token

3. Edit Lost Status

Page 25: VPN


Ace Admin.exe

After double-clicking the icon the application is launched. Next, a prompt appears for Login: and PASSCODE:. The NT login username is placed in the Login: box automatically; if this value is not the same as your SecurID login, change it. Enter your PIN and current tokencode and click the OK button. After a moment, a message box appears informing you that you were successfully authenticated. Click the OK button.

ACE Admin Server Interface

Page 26: VPN


ACE Admin Server Interface

Page 27: VPN


ACE Admin Server Interface

Page 28: VPN


ACE Admin Server Interface

By default, a person's login ID is the first 7 characters of their last name followed by their first initial. Example: George Washington's login ID would be washingg. To verify the caller, follow these steps: in the ACE/Server vx.x.x Administration application, choose User, then choose Edit User...

Page 29: VPN


ACE Admin Server Interface

Enter the user's last name. Note: you may enter part of a person's name followed by an asterisk (*); the system displays any matches beginning with that string of characters. You may also precede a name with an asterisk as well as end it with one, to display names which contain those characters. Double-click on the user's last name. The Select User window appears.

Page 30: VPN


ACE Admin Server Interface

Page 31: VPN


ACE Admin Server Interface

Verify the token serial number by asking the user to read the number imprinted on the back of their token (not the current tokencode). Check the Enabled check box. Click on the Set PIN to Next Tokencode... button.

Page 32: VPN


ACE Admin Server Interface

In Set PIN to Next Tokencode, ask the user for their current tokencode (the value in the LCD window on their SecurID token). Enter the tokencode in the box provided and click on the OK button. Tell the user that when the current tokencode (the one they just gave you) changes, they should write down the first 4 digits of the next tokencode; those 4 digits are the user's new PIN. The user should not read the PIN to you: the PIN is secret. Click the OK button. Click the OK button.

Page 33: VPN


ACE Admin Server Interface

Setting PINs: a user has the option of changing their PIN from the one assigned by the system in the Set PIN to Next Tokencode procedure above to a PIN of their choice. The user PIN must be 4-8 characters in length and may contain numbers or letters. The following steps describe how to let a user choose their own PIN. Place the user's token in New PIN mode: in the ACE/Server vx.x.x Administration application, choose User, then Edit User... Enter the user's last name and double-click on it. The Select User window appears. In the Tokens: window, double-click on the serial number text to bring up the Edit Token window. Click on the Clear PIN button.

Page 34: VPN


ACE Admin Server Interface

Lost tokens: a user may call stating that they have lost or misplaced their SecurID token. The following procedure lets you assign a set of ten one-time passwords to get them connected to the network. These one-time passwords must be used in succession and each can be used only once. All of them expire in seven days. If the user has misplaced their token, they have ten logons or seven days to find it, whichever comes first. If the user has lost their token, they must arrange for a new one to be sent as soon as possible so that it arrives within seven days.

Page 35: VPN


Issue one-time passwords: uncheck the Enable box. Click on the Edit Lost Status button. Click on the Lost radio button. Make sure One-Time Password Set is selected, then click on the Set Up Password(s)... button. Select Use Numbers and Use Letters, then click on the Generate New Passwords button. A list of passwords appears on the right. Read the first two passwords to the user and explain that each may be used only once and must be used in the sequence given. E-mail the remaining passwords to the user.

ACE Admin Server Interface

Page 36: VPN


Tip: the one-time password list can be saved as a text file by clicking on the Save New Set As... button, opened, and then pasted into an e-mail message. If you save a password list to your hard drive, save it in a temporary directory and make sure you delete the file when finished. Explain to the user that if they have misplaced their token, they have ten logons or seven days to find it, whichever comes first; if they have lost their token, they must request a new one as soon as possible so it can be sent to them within seven days. Click on the Exit button. Click on the OK button until you are out of all Edit screens. You should end up back at the main ACE/Server Administration screen.

ACE Admin Server Interface

Page 37: VPN


The user is receiving ACCESS DENIED, PASSCODE Incorrect: a record with this description but listing the user's login correctly can be logged for a number of reasons. The most common is that the user entered their PASSCODE incorrectly. If the user tried to authenticate only once or twice before calling you, tell them to try again. If the user is still denied access, it may be that the token's clock and the system's clock are out of sync. If the system time is correct and the user is still being denied access, perform the Resynchronize Token operation.

ACE Admin Server Interface

Page 38: VPN


ACE Admin Server Interface

To resynchronize a token: select Edit Token on the Token menu. The Select Token dialog box opens. Specify the user's token serial number and click the OK button. When the Edit Token dialog box opens, click Resynchronize Token. The Resynchronize Token dialog box opens. Ask the user for the code currently displayed by their token. Enter this code (without any PIN) in the blank field of the Resynchronize Token dialog box. Click the OK button.

Page 39: VPN


If you entered the first code correctly, the system recognizes it as valid for the token and prompts for the next code. Tell the user to wait for the tokencode to change and then read the new code to you. Enter this code and click OK. If the second code is valid, the operation is complete and you are returned to the Edit Token dialog box. Click OK in the Edit Token dialog box to save the resynchronization information.

ACE Admin Server Interface

If the operation was not successful, the system displays an error message. If this occurs, re-initiate the operation and carefully enter the SecurID codes. Synchronization will fail:

· if either code is entered incorrectly

· if the two codes are not successive

· or if the codes are not current
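The server-side checks behind the procedures on pages 21, 32, 34-36 and 37-39 (PASSCODE = PIN + tokencode, Set PIN to Next Tokencode, the lost-token one-time password set, and resynchronization with two successive codes) can be exercised offline with the following Python model. It is an added example, not RSA's ACE/Server code: the SecurID algorithm is proprietary, so the tokencode here is an HMAC-SHA1 time code in the style of RFC 4226/6238 with a 60-second step, and the seed, serial number, PIN, drift window and resynchronization search range are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string
import struct

STEP = 60                      # the tokencode changes every 60 seconds
DIGITS = 6                     # six-digit tokencode, as displayed on the token
RESYNC_SEARCH = 30             # steps of drift a resynchronization will search (assumption)
ONE_TIME_COUNT = 10            # size of the lost-token password set
ONE_TIME_TTL = 7 * 24 * 3600   # the whole set expires after seven days


def tokencode(seed, counter):
    """Code for one 60-second interval: HMAC-SHA1 with dynamic truncation (RFC 4226 style)."""
    mac = hmac.new(seed, struct.pack("!Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack("!I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (DIGITS, value % 10 ** DIGITS)


class TokenRecord:
    """ACE/Server-side state for one token (serial, seed and PIN are constructed)."""

    def __init__(self, serial, seed, pin):
        self.serial, self.seed, self.pin = serial, seed, pin
        self.enabled, self.lost = True, False
        self.drift = 0            # server's estimate of the token clock offset, in steps
        self.last_counter = -1    # a tokencode is accepted once: replay protection
        self.one_time = []        # [(password, expiry)] issued while the token is lost
        self.next_one_time = 0

    def _matching_counter(self, code, now, window):
        base = now // STEP + self.drift
        for c in range(base - window, base + window + 1):
            if hmac.compare_digest(code.encode(), tokencode(self.seed, c).encode()):
                return c
        return None

    def verify_passcode(self, passcode, now, window=1):
        """PASSCODE = PIN followed by the tokencode; +-window steps of drift are tolerated."""
        if self.lost:
            return self._verify_one_time(passcode, now)
        if not self.enabled or len(passcode) <= DIGITS:
            return False
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            return False
        c = self._matching_counter(code, now, window)
        if c is None or c <= self.last_counter:
            return False
        self.last_counter = c
        return True

    def resynchronize(self, code1, code2, now):
        """Two successive, current tokencodes (no PIN) re-establish the clock offset."""
        c = self._matching_counter(code1, now, RESYNC_SEARCH)
        if c is None or not hmac.compare_digest(code2.encode(), tokencode(self.seed, c + 1).encode()):
            return False              # wrong, not successive, or not current
        self.drift = c - now // STEP
        self.last_counter = max(self.last_counter, c + 1)   # both codes were read aloud
        return True

    def set_pin_to_next_tokencode(self, current_code, now, window=1):
        """New PIN = first four digits of the tokencode after the one the user read out."""
        c = self._matching_counter(current_code, now, window)
        if c is None:
            return False
        self.pin = tokencode(self.seed, c + 1)[:4]          # never shown to the administrator
        self.last_counter = max(self.last_counter, c)
        return True

    def mark_lost(self, now):
        """Edit Lost Status: disable tokencodes and issue ten sequential one-time passwords."""
        alphabet = string.ascii_letters + string.digits     # "Use Numbers" and "Use Letters"
        self.enabled, self.lost = False, True
        self.one_time = [("".join(secrets.choice(alphabet) for _ in range(8)), now + ONE_TIME_TTL)
                         for _ in range(ONE_TIME_COUNT)]
        self.next_one_time = 0
        return [pw for pw, _ in self.one_time]

    def _verify_one_time(self, password, now):
        if self.next_one_time >= len(self.one_time):
            return False
        expected, expiry = self.one_time[self.next_one_time]
        if now > expiry or not hmac.compare_digest(password.encode(), expected.encode()):
            return False              # expired, out of sequence, or already used
        self.next_one_time += 1
        return True

    def token_found(self):
        """The token turned up: re-enable it and discard unused one-time passwords."""
        self.enabled, self.lost, self.one_time = True, False, []
```

Two details worth noticing: a code that matches is remembered so that the same PASSCODE cannot be replayed within its window, and the two codes read out during a resynchronization are burned for the same reason. The one-time passwords are accepted only in the order issued, which is why the deck tells the agent to read the first two aloud and e-mail the rest in sequence.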

Page 40: VPN


How do I know it's a problem with SecurID? If the user is receiving a prompt for PASSCODE, they are reaching the ACE/Server and the problem is either user error, a token problem, or a problem with the ACE/Server. If the user is receiving a prompt for Password instead of PASSCODE, they are not reaching the ACE/Server and the problem is most likely elsewhere in the network.

What is the user accessing? Never assume that a user is attempting to use their SecurID for Dial/PPP. Find out exactly what message the user is receiving before proceeding with a resolution. Failed login attempts on the firewalls result in a "Login incorrect" message. In addition, another sign of a user accessing a firewall is that they will most likely be using a Telnet application rather than Dial-Up Networking (DUN).

ACE Admin Server Interface

Page 41: VPN


Purpose of the Module

• What is Remote Office ?

• Requirements for accessing Remote Office.

• Accessing Remote Office.

• Limitations of Remote Office.

Page 42: VPN


RemoteOffice

What is it?

• Clientless VPN
• Less administration (no definition of aliases)
• More reliable serving of web pages
• Additional functionality:
  • Group-defined bookmarks
  • User-defined bookmarks
  • Saved cookies/passwords
  • Access to network shares (Gen 2)
  • Support for non-web applications including MAPI (Gen 2+)

Page 43: VPN


RemoteOffice

What does a user need to access it?

• Internet access
• Workstation with browser
• ACE token
• VPN account

• Users time out if inactive for 10 minutes or when the session length exceeds 60 minutes

• Only one logon per user is permitted; a second logon knocks off the first
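The two session rules above (a 10-minute inactivity timeout, a 60-minute maximum session, and one logon per user with the newer logon winning) are a small piece of gateway logic. The following Python class is an added example of how a clientless gateway can enforce them; it is not Remote Office's code, and the session identifiers, user names and timings are constructed.

```python
import secrets

IDLE_TIMEOUT = 10 * 60   # seconds of inactivity before the session is dropped
MAX_SESSION = 60 * 60    # absolute session length, regardless of activity


class SessionTable:
    """In-memory session store enforcing the Remote Office timeout and single-logon rules."""

    def __init__(self):
        self._sessions = {}   # session id -> {"user", "started", "last_seen"}
        self._by_user = {}    # user -> current session id

    def login(self, user, now):
        """Create a session for user; any existing session of the same user is revoked."""
        old = self._by_user.pop(user, None)
        if old is not None:
            self._sessions.pop(old, None)    # second logon knocks off the first
        sid = secrets.token_urlsafe(32)      # unguessable session identifier
        self._sessions[sid] = {"user": user, "started": now, "last_seen": now}
        self._by_user[user] = sid
        return sid

    def request(self, sid, now):
        """Validate a request: returns the user name, or None if the session is gone or expired."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["started"] > MAX_SESSION:
            self.logout(sid)                 # activity refreshes the idle limit only
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, sid):
        s = self._sessions.pop(sid, None)
        if s is not None and self._by_user.get(s["user"]) == sid:
            del self._by_user[s["user"]]
```

The absolute limit is checked from the session start, not from the last request, so a user who keeps clicking is still cut off at 60 minutes; the identifier is generated with `secrets` so that a knocked-off session cannot be guessed back into.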

Page 44: VPN


RemoteOffice

• Users access it as remoteoffice.ge.com
• Two servers: remoteoffice1.ge.com (Cincinnati) and remoteoffice2.ge.com (Alpharetta)
• Will probably use Enhanced DNS in Gen 2 for failover and load balancing

Page 45: VPN


RemoteOffice

• User logs on with VPN ID and SecurID passcode (PIN + tokencode)
• User is assigned to a business group based on the VPN group parameter in the VPN directory

Page 46: VPN


RemoteOffice

• User receives a customized list of bookmarks and can add to them
• User can also type in any Intranet/Internet URL
• The major administrative task expected is bookmark definition

Page 47: VPN


RemoteOffice

[Figure: Remote Office browsing toolbar with Move, Return and Exit buttons]

Move: move the browsing toolbar to the top left (or top right)

Return: return to the bookmark page

Exit: exit Remote Office

Page 48: VPN


RemoteOffice

Limitations

• HTTPS to external sites is not permitted
• Users cannot access https://benefits.ge.com or other secured external sites
• Users should go to these sites directly, not through Remote Office

Page 49: VPN


We have discussed …..

• What is VPN ?

• How does VPN Work ?

• Advantages of VPN

• How does a GE employee connect to GE Network remotely ?

• What is Fiberlink ?

• How do we connect to Internet using Fiberlink ?

• What is a Token ?

• Different types of tokens

• What is Nortel Contivity VPN Client ?

• How do we connect to GE Intranet using Contivity VPN Client ?

• Setting up a new PIN

• What is ACE Admin ?

• Administering the Token.

• Remote Office.

Page 50: VPN


FAQ's: embedded Microsoft Word document (not reproduced in this transcript)