Gecis IT Services Training Team
Aug 2005
Virtual Private Network
Training Team, GECIS IT Services
Contents
- VPN
- GE VPN Requirements
- RSA
- Remote Office
- FAQ's
Purpose of the Module
• What is a Virtual Private Network?
• Why do we require VPN?
• Understanding the advantages of VPN.
• Understanding how VPN technology works.
• Uses of VPN.
• What is Tunneling?
• Understanding VPN Connectivity.
What is a Virtual Private Network (VPN)?
A Virtual Private Network (VPN) connects the components of one network over another network. VPNs accomplish this by allowing the user to tunnel through the Internet or another public network in a manner that provides the same security and features formerly available only in private networks.
The secure connection across the public network appears to the user as a private communication – despite the fact that this communication occurs over a public network – hence the name Virtual Private Network.
(Diagram: a VPN across a transit internetwork, shown as the logical equivalent of a private network)
Why Virtual Private Network?
VPN technology is designed to address issues surrounding the current business trend toward increased telecommuting and widely distributed global operations, where workers must be able to connect to central resources and must be able to communicate with each other.
Advantages of VPN:
1. Cost Effective
2. Secure
3. Increased Productivity
4. Flexible Working Hours
5. Scalable Infrastructure
6. Centralization of Shared Data
7. Network Policy Enforcement
How does VPN Technology work?
VPNs accomplish this by allowing the user to tunnel through the public network in a manner that provides the same security and features that were formerly available only in private networks.
The VPN connection across the Internet logically operates as a Wide Area Network (WAN) link between the sites.
(Diagram: a laptop connects through an ISP to the Internet, reaches the VPN Server, and from there the servers on the Intranet)
Common Uses of VPN:
1. Remote User over the Internet:
The user calls the local ISP and, using that connection to the ISP, the VPN software creates a virtual private network between the dial-up user and the corporate VPN server across the Internet.
2. Connecting Networks over the Internet:
The branch office hub router and the corporate hub router each make a connection to their local ISP. The VPN software uses the connection to the local ISP to create a VPN between the branch office router and the corporate hub router across the Internet.
Tunneling
VPN works on the concept of tunneling.
Tunneling is a method of using a public network infrastructure to transfer data for one network over another network.
The logical path through which the encapsulated packets travel through the internetwork is called a tunnel.
Tunneling Technologies:
1. Point-to-Point Tunneling Protocol (PPTP):
PPTP allows IP, IPX or NetBEUI traffic to be encrypted, and then encapsulated in an IP header to be sent across a public IP internetwork such as the Internet.
2. Layer 2 Tunneling Protocol (L2TP):
L2TP allows IP, IPX or NetBEUI traffic to be encrypted, and then sent over any medium that supports point-to-point datagram delivery, such as IP, X.25, Frame Relay or ATM.
3. IP Security (IPSec) Tunnel Mode:
IPSec Tunnel Mode allows IP payloads to be encrypted, and then encapsulated in an IP header to be sent across a public IP internetwork such as the Internet.
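As an added illustration (not part of the training deck), the encapsulation step shared by the tunneling protocols above, shown as plain IP-in-IP in Python: the inner private-network packet is wrapped in an outer IP header addressed to the tunnel endpoints, and the far end verifies and strips that header. Real IPSec tunnel mode encrypts the inner packet behind an ESP header first; the addresses and payload used here are constructed sample values.

```python
# Added example (not from the training deck): a minimal IP-in-IP
# encapsulation, which is the packaging step behind the tunnel-mode
# protocols described above. Real IPSec tunnel mode inserts an ESP header
# and encrypts the inner packet first; this toy only builds and verifies
# the outer IP header around an unchanged inner packet.
import ipaddress
import struct

IPPROTO_IPIP = 4   # IANA protocol number for IP-in-IP

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a header (or header + checksum)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header (no options) in front of payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    return header + payload

def parse_ipv4(packet: bytes):
    """Return (src, dst, proto, payload); reject a packet whose header checksum fails."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    if (packet[0] >> 4) != 4 or ip_checksum(header) != 0:
        raise ValueError("not a valid IPv4 header")
    total_len = struct.unpack("!H", header[2:4])[0]
    src = str(ipaddress.IPv4Address(header[12:16]))
    dst = str(ipaddress.IPv4Address(header[16:20]))
    return src, dst, header[9], packet[ihl:total_len]

def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry: wrap a private-network packet in an outer header addressed
    to the tunnel endpoints, so transit routers only see the outer addresses."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)

def decapsulate(outer_packet: bytes):
    """Tunnel exit: strip the outer header and return the inner packet's fields."""
    _, _, proto, inner = parse_ipv4(outer_packet)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    return parse_ipv4(inner)
```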
VPN Connectivity
There are two ways of connecting to the VPN:
- By connecting to an ISP (Dial-up)
- By connecting directly to the Internet (Cable Modem)
By connecting to an ISP:
The VPN connection first makes a call to an ISP. After that connection is established, the VPN connection then makes another call to the remote access server, which establishes the PPTP or L2TP tunnel. After authentication, you can access the corporate network, as shown in the following illustration.
By directly connecting to the Internet:
A user who is already connected to the Internet uses a VPN connection to dial the number for the remote access server. Examples of this type of user include a person whose computer is connected to a local area network, a cable modem user, or a subscriber of a service such as ADSL, where IP connectivity is established immediately after the user's computer is turned on.
Purpose of the Module
• Understand the requirements for a GE employee to get connected to the GE Network from a remote location.
• What is Fiberlink?
• How to get connected to the Internet using Fiberlink?
• What is a Token?
• Different types of Tokens.
• What is the Nortel Network Extranet Access Client?
• How to set up a new PIN?
GE VPN Requirements
What do GE employees need to connect remotely?
- Fiberlink
- Token
- Nortel Network Extranet Access Client
Fiberlink
Fiberlink is a dialer used to connect to the Internet.
(Screenshots: the Fiberlink icon and the Fiberlink screen)
Steps to connect to the Internet using Fiberlink
Step 1: Click on the Fiberlink icon on the desktop.
Step 2: User name: Enter your username in the Fiberlink dialer Username field.
Step 3: Password: The first 8 letters of your last name (your whole last name if it is shorter than 8 letters). If you are a VPN Admin, use your VPN Admin password.
Save User name and Password: Check this box.
Step 4: Service: Select Dialup if you are using your phone and modem to dial into the service. Select LAN/DSL/Cable Modem if you are using a broadband connection.
Step 5: Dial: Click on the View/Change button to select the number.
Step 6: Select the phone number by
a) Country, State, City
b) Area Code, Exchange Code
Step 7: Select the phone number.
Step 8: Click on the OK button.
Step 9: Click on the Connect button on the Fiberlink screen.
Token Code
• Randomly generated number on ACE Authenticators. This number changes every 60 seconds.
• Two types of Authenticators:
– Hard ID (Hardware Token)
– Soft ID (Software Token)
(Images: Key Fob; PIN Pad)
http://www.rsasecurity.com/products/securid/demos/SecurIDTour/RSASecurIDTour.html
What is the Nortel Network Extranet Access Client? Let's put things in perspective...
So far we understand this:
Fiberlink – helps access – Internet
With the help of an ISP.
Once connected to the Internet, we need something more to connect to the corporate Intranet:
Nortel Contivity Client – software installed on the user's machine – helps access – INTRANET
With the help of the existing connection to the Internet, provided by the ISP, by "tunneling" through it.
Contivity VPN Client
Business-specific description given during the software installation.
Username: SSO ID
PIN: As set by the customer
Token: 6-digit number displayed on the token
Destination: Name of the server to which the authentication happens.
Setting up a New PIN
Step 1:
- Enter the username
- Leave the PIN blank
- Enter the 6-digit number displayed on the token.
Step 2: Click on the Connect button.
Step 3: Enter the PIN of your choice.
Step 4: Click on the OK button.
Step 5: Enter the Passcode
(Passcode = PIN + Token)
Step 6: Click on the OK button.
Step 7: Click on the OK button.
Fiberlink Installation Guide:
(embedded Microsoft Word document)
Purpose of the Module
• What is ACE Admin?
• How to log into the ACE Server?
• How to Reset a PIN?
• How to Synchronize a Token?
• Different statuses of the Token.
ACE ADMIN
ACE Admin provides the administrative tools used to troubleshoot issues with Intranet connectivity through the Nortel Contivity Client software.
The L1 agent has limited access to administer the Token:
1. Reset PIN
2. Resynchronize Token
3. Edit Lost Status
Ace Admin.exe
After double-clicking on the icon, the application is launched. Next, a prompt will appear for Login: and PASSCODE:. The NT login username is placed in the Login: box automatically; if this value is not the same as your SecurID login, change it. Enter your PIN and current tokencode and click the OK button. After a moment, a message box will appear informing you that you were successfully authenticated. Click the OK button.
ACE Admin Server Interface
By default, a person's login ID will be the first (7) characters of their last name followed by their first initial. Example: George Washington's login ID would be washingg. To verify the caller, follow these steps: In the ACE/Server vx.x.x Administration application, choose User, then choose Edit User...
Enter the user's last name. Note: You may enter part of a person's name followed by an asterisk *. The system will display any matches beginning with that string of characters and ending with anything. In addition, you may precede a name with an asterisk * as well as end one, to display names which contain certain characters. Double-click on the user's last name. The Select User window will appear.
Verify the token serial number by asking the user to read the imprinted number (not the current tokencode) on the back of their token. Check the Enabled check box. Click on the Set PIN to Next Tokencode... button.
In the Set PIN to Next Tokencode dialog, ask the user for their current tokencode (the value in the LCD window on their SecurID token). Enter the tokencode in the box provided. Click on the OK button. Tell the user that when the current tokencode (the one they just gave you) changes, they should write down the first (4) digits of the next tokencode. These first (4) digits will be the user's PIN. The user should not read the PIN to you. The PIN is secret. Click the OK button. Click the OK button.
Setting PINs: A user has the option of changing their PIN from the one assigned by the system in step 1.4.8 to a PIN of their choice. The user PIN must be 4-8 characters in length, and may contain numbers or letters. The following steps describe how to let a user choose their own PIN. Place the user's token in new PIN mode: In the ACE/Server vx.x.x Administration application, choose User, then choose Edit User... Enter the user's last name. Double-click on the user's last name. The Select User window will appear. In the Tokens: window, double-click on the serial number text to bring up the Edit Token window. Click on the Clear PIN button.
Lost tokens: A user may call stating that they have lost or misplaced their SecurID token. The following procedure will allow you to assign a group of ten one-time passwords to get them connected to the network. These one time passwords must be used in succession and can only be used once each. All of these passwords will expire in seven days. If the user has misplaced their token, they have ten logons or seven days to find it, whichever comes first. If the user has lost their token, they must arrange for a new one to be sent as soon as possible so it will arrive within seven days.
Issue one-time passwords
Uncheck the Enable box. Click on the Edit Lost Status button. Click on the Lost radio button. Make sure One-Time Password Set is selected, then click on the Set Up Password(s)... button. Select Use Numbers and Use Letters, then click on the Generate New Passwords button. A list of passwords will appear on the right. Read the first two passwords to the user and explain to them that each may only be used once and must be used in the sequence given. E-mail the remaining passwords to the user.
Tip: The one-time password list can be saved as a text file by clicking on the Save New Set As... button, opened, and then easily pasted in an email message. If you save a password list to your hard drive, save it in a temporary directory and make sure you delete the file when finished. Explain to the user that if the user has misplaced their token, they have ten logons or seven days to find it, whichever comes first. If the user has lost their token, they must request a new one as soon as possible so it may be sent to them within seven days. Click on the Exit button. Click on the OK button until you are out of all Edit screens. You should end up back at the main ACE/Server Administration screen.
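An added example (not from the deck) that models the lost-token one-time-password set described above in Python: ten passwords of letters and digits are issued, each is accepted once and only in the order given, and the whole set expires seven days after it was generated. The record layout, the 8-character password length and the use of epoch seconds for time are assumptions of this example.

```python
# Added example (not from the training deck): a toy model of the lost-token
# one-time-password set described above. Ten passwords of letters and digits
# are issued; each is accepted once, only in the order given, and the whole
# set expires seven days after it was generated.
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
SET_SIZE = 10
VALIDITY_SECONDS = 7 * 24 * 3600   # "all of these passwords will expire in seven days"

def generate_password_set(issued_at: int, n: int = SET_SIZE, length: int = 8) -> dict:
    """Build the lost-token record: passwords, position of the next one, expiry."""
    passwords = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(n)]
    return {"passwords": passwords, "next_index": 0,
            "expires_at": issued_at + VALIDITY_SECONDS, "status": "lost"}

def check_otp(record: dict, candidate: str, now: int) -> str:
    """Validate one logon. Returns 'ok', 'expired', 'exhausted' or 'denied'."""
    if record["status"] != "lost":
        return "denied"           # set retired: the token was found or replaced
    if now >= record["expires_at"]:
        return "expired"
    i = record["next_index"]
    if i >= len(record["passwords"]):
        return "exhausted"        # all ten logons used
    # Only the next password in sequence is compared; an earlier (already
    # used) or later password is refused, matching the "in succession" rule.
    if secrets.compare_digest(candidate, record["passwords"][i]):
        record["next_index"] = i + 1
        return "ok"
    return "denied"

def token_found(record: dict) -> None:
    """Retire the remaining one-time passwords once the user has the token again."""
    record["status"] = "active"
```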
The user is receiving ACCESS DENIED, PASSCODE Incorrect
A record giving this description of the event but listing the user's login correctly can be logged for a number of reasons. The most common reason is that the user entered his PASSCODE inaccurately. If the user tried to authenticate only once or twice before calling you, tell him to try again. If the user is still denied access, it may be that the token's clock and the system's clock are out of sync. If the system time is correct and the user is being denied access, perform the Resynchronize Token operation.
To Resynchronize a token: Select Edit Token on the Token menu. The Select Token dialog box opens. Specify the user's token serial number, and click the OK button. When the Edit Token dialog box opens, click Resynchronize Token. The Resynchronize Token dialog box opens. Ask the user for the code currently displayed by his or her token. Enter this code (without including any PIN) in the blank field of the Resynchronize Token dialog box. Click the OK button.
If you entered the first code correctly, the system recognizes it as valid for the token and prompts for the next code. Tell the user to wait for the tokencode to change and then to read the new code to you. Enter this code, and click OK. If the second code is valid, the operation is completed and you are returned to the Edit Token dialog box. Click OK in the Edit Token dialog box to save the resynchronization information.
If the operation was not successful, the system displays an error message. If this occurs, re-initiate the operation and carefully enter the SecurID codes. Synchronization will fail:
- if either code is entered incorrectly
- if the two codes are not successive
- or if the codes are not current
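An added example (not from the deck, and not RSA's SecurID algorithm) modelling how an ACE-style server checks PASSCODE = PIN + tokencode (Step 5 of Setting up a New PIN) and relearns a drifted token clock from two successive tokencodes, failing under the three conditions listed above. The HMAC-based tokencode generator, the 60-second interval arithmetic, the seed and the PIN are constructed for this example.

```python
# Added example (not from the training deck): a toy ACE-style check that
# PASSCODE = PIN + tokencode, with a small clock-drift window and the
# two-successive-codes resynchronization described above. The tokencode
# generator below is an HMAC over the 60-second interval number, an
# assumption for this example and not RSA's proprietary SecurID algorithm.
import hashlib
import hmac

STEP = 60          # the tokencode changes every 60 seconds
DRIFT_WINDOW = 1   # a normal logon tolerates +/- one interval of clock skew

def tokencode(seed: bytes, interval: int) -> str:
    """Six-digit code for one 60-second interval (toy generator)."""
    mac = hmac.new(seed, interval.to_bytes(8, "big"), hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(mac[:4], "big") % 1000000)

class TokenRecord:
    """Server-side view of one token: its seed, the user's PIN and clock offset."""
    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin = pin
        self.offset = 0        # token clock minus server clock, in intervals
        self.enabled = True

    def _interval(self, server_now: int) -> int:
        return server_now // STEP + self.offset

    def check_passcode(self, passcode: str, server_now: int) -> bool:
        """The PASSCODE is the PIN immediately followed by the current tokencode."""
        pin_part, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not self.enabled or len(code) != 6:
            return False
        if not hmac.compare_digest(pin_part, self.pin):
            return False
        base = self._interval(server_now)
        return any(hmac.compare_digest(code, tokencode(self.seed, base + d))
                   for d in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1))

    def resynchronize(self, first: str, second: str, server_now: int, search: int = 60) -> bool:
        """Relearn the clock offset from two tokencodes read in succession (no PIN).
        Fails if either code is wrong, the codes are not consecutive, or they lie
        outside the search window and so are not current."""
        base = server_now // STEP
        for d in range(-search, search + 1):
            if (hmac.compare_digest(first, tokencode(self.seed, base + d)) and
                    hmac.compare_digest(second, tokencode(self.seed, base + d + 1))):
                self.offset = d + 1   # the second code is the token's current interval
                return True
        return False
```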
How do I know it's a problem with SecurID?
If the user is receiving a prompt for PASSCODE, then they are connecting to the ACE/Server and the problem is either user error, a token problem, or a problem with the ACE/Server. If the user is receiving a prompt for Password instead of PASSCODE, they are not connecting to the ACE/Server and the problem is most likely elsewhere in the network.
What is the user accessing?
Never assume that a user is attempting to use their SecurID for Dial/PPP. Find out exactly what message the user is receiving before proceeding with a resolution. Failed login attempts on the firewalls will result in a "Login incorrect" message. In addition, another sign of a user accessing a firewall is that they will most likely be using a Telnet application rather than Dial Up Networking (DUN).
Purpose of the Module
• What is Remote Office?
• Requirements for accessing Remote Office.
• Accessing Remote Office.
• Limitations of Remote Office.
RemoteOffice
What is it?
• Clientless VPN
• Less administration (no definition of aliases)
• More reliable serving of web pages
• Additional functionality
• Group-defined bookmarks
• User-defined bookmarks
• Saved cookies/passwords
• Access to network shares (Gen 2)
• Support for non-web applications including MAPI (Gen 2+)
RemoteOffice
What does a user need to access it?
• Internet access
• Workstation with browser
• ACE token
• VPN account
• Users time out if inactive for 10 minutes or if the session length exceeds 60 minutes
• Only one logon per user permitted – a second logon knocks off the first
RemoteOffice
• Users access it as remoteoffice.ge.com
• Two servers – remoteoffice1.ge.com (Cincinnati) and remoteoffice2.ge.com (Alpharetta)
• Will probably use Enhanced DNS in Gen 2 for failover and load balancing
RemoteOffice
• User logs on with VPN ID and SecurID tokencode (PIN + token)
• User is assigned to a business group based on the VPN group parameter in the VPN directory
RemoteOffice
• User receives a customized list of bookmarks – and can add to the bookmarks
• User can also type in any Intranet/Internet URL
• The major administrative task expected is bookmark definition
RemoteOffice
(Screenshot: the Remote Office browsing toolbar with its Move, Return and Exit buttons)
Move: Move the browsing toolbar to the top left (or top right)
Return: Return to the bookmark page
Exit: Exit Remote Office
RemoteOffice
Limitations
• HTTPS to external sites is not permitted
• Users cannot access https://benefits.ge.com or other secured external sites
• Users should go to these sites directly – not through Remote Office
We have discussed...
• What is VPN?
• How does VPN work?
• Advantages of VPN
• How does a GE employee connect to the GE Network remotely?
• What is Fiberlink?
• How do we connect to the Internet using Fiberlink?
• What is a Token?
• Different types of Token
• What is the Nortel Contivity VPN Client?
• How do we connect to the GE Intranet using the Contivity VPN Client?
• Setting up a New PIN
• What is ACE Admin?
• Administering the Token.
• Remote Office.
FAQ's
(embedded Microsoft Word document)