VPN installation - Jim Marchant Home Page
Remote Access 2001: Virtual Private Network
Last Modified: June 28, 2002 (Includes Support for Windows XP Home and Pro)

Los Angeles Times
First Edition, August 2001
Second Edition, June 2002
Copyright © 2001 by the Los Angeles Times, Los Angeles, CA 90053

Contivity and Extranet are tradenames of Nortel Networks. Decade is a tradename of CE Engineering Publishing Systems. AT&T Net Client is a tradename of American Telephone & Telegraph. RSA SecurID Token is copyrighted by RSA Security Inc. Netscape is a tradename of AOL Time Warner. Outlook 2000 and Internet Explorer are tradenames of Microsoft Corp. MTUSpeed Pro 4.10 is copyrighted by Mike Sutherland.

Compiled by Los Angeles Times Editorial Systems, Information Technology
Tom Kuby, Manager

Remote Access Team:
Jackson Sellers, Editorial Systems (Team Leader)
Gary Ambrose, Editorial Systems, L.A.
Jim Carr, Editorial, O.C.
Tony Cruse, Editorial Systems, O.C.
Brett Levy, Editorial Systems, L.A.
Jim Marchant, Editorial Help Desk, L.A.
Hao Nguyen, Editorial Help Desk, L.A.
Jim Robinson, Editorial Systems, D.C.
Phillip Ruiz, Editorial Systems, D.C.
Morrine Sosnow, Editorial Systems, S.F.V.

Technical Guidance by the Times VPN Project Team, Information Technology:
Michael Batton, VPN Project Lead
Eddie Velez, Manager of Network Services
Bill Urban, Manager, Customer Services
Jim Robertson, Network Architect
Chris Horeczko, Desktop Engineer
Jackson Sellers, Senior Analyst
Cynthia Cowan, Data Security
Mark Seybold, Systems Analyst
Gary Ambrose, Systems Analyst

Cover design by Chuck Nigash, Art Director, Daily Calendar
(Cover illustrations: Contivity VPN Client, RSA SecurID Token, AT&T Net Client)

Please call the appropriate help desk if you have questions or problems:
Los Angeles (Editorial): 999-999-9999
Los Angeles (Business): 999-999-9999
Orange County (Editorial): 999-999-9999
Washington, D.C. (Editorial): 299-999-9999

AT&T ISP Data
Corporate Account: XXXX
User ID: XXX
Initial Password: (Same as User ID)

Contivity Client
User Name: _______________

CONTENTS
What Is VPN? 3
Read This First: Install CD 6
Windows 95 Updates 8
Your Internet Connection 12
Personal Tunnel: Contivity 25
Token Security 27
VPN Notes and Hints 30
    Netscape 30
    Outlook Web Access 32
    Network Settings 34
    H: Drive Mapping 36
    DSL & Cable 37
    America Online 37
    Passwords 38
    Internet Explorer 39
    MTU & RWIN 44

This manual targets the Editorial Department, which has the largest number of remote network users, but it can be helpful to all Times employees who have a need for remote communications and/or remote access to business databases, regardless of the department for which they work.

What Is VPN?

Just what you needed, right? Another TLA (or Three-Letter Acronym) to deal with. Currently, at the very beginning of the 21st century, all remote Editorial users of the Times network possess PPP accounts (Point-to-Point Protocol), and Times business employees and foreign correspondents utilize PAL (Phone Access Lookup) for CompuServe connections. Many writers, editors and others have their own ISPs (Internet Service Providers), although most are content with the Times-provided PPP/PAL for remote access to Decade, Netscape, Internet Explorer, e-mail, etc., and they see no reason at all for personal ISPs.

Well, say hello to VPN (Virtual Private Network), which replaces PPP/PAL and requires not only an ISP but a PIN (Personal Identification Number). VPN provides a means of connecting to the Times network over the Internet. Why is the Times making this switch when you are happy enough with what you've got? Economics, stupid. Recently a senior Editorial manager was asked if Times writers and editors would appreciate the fact that VPN is much cheaper than PPP. She laughed out loud.
But more than half a million dollars in annual savings is no laughing matter. It's not all economics, of course. VPN offers immediate benefits to those who connect to Times systems from home, on the road or in national and foreign bureaus. Let's list a few:

1) You will no longer be cautioned to limit your connect time on the Times network. Ten minutes or 10 hours is okay with the Times.

2) Cable modems as well as DSLs (Digital Subscriber Line) will work nicely with VPN and provide exceptionally high speeds. This is a big plus for Times employees who need/want high-speed communications. Cable modems and DSLs are rapidly growing in popularity and everybody will have them someday. But until now, neither of these always-connected, high-speed services could be used to access the Times network. VPN removes that limitation. Your cable modems and DSLs, however, must be protected against hackers: an always-on connection exposes your PC to the Internet around the clock, and while the tunnel is up that same PC is attached to the Times network. Times-approved devices are listed in this manual. [Not yet, actually, but they will be.]

3) Your home drive, or H: Drive, will be available. This personal storage folder is where you can stash all kinds of data, including old e-mail with sizable attachments, plus the novel that will make you famous. Just kidding about the novel. The H: Drive and all other Times storage devices are for business only.

4) VPN, especially when connected via DSL or cable modem, will facilitate remote communications with the new CCI pagination system.

This "Remote Access 2001" manual will help you make the switch from PPP/PAL to VPN, very much as the "Remote Decade 2000" manual guided you in installing both your Dial-Up Networking PPP and the Decade application that interfaces with the Times News Editing System. The good news is that all applications already installed on your remote PC or laptop (Decade, Netscape, etc.) will be left undisturbed. We are dealing here, in this manual, only with the manner in which you connect to the Times network.
From your point of view, PPP/PAL will transmogrify into ISP/VPN.

How does VPN work? First, think about what you are doing now. If you are a typical Editorial staffer, you use Windows Dial-Up Networking to connect to the Times PPP server via an 800 number. Then you launch Decade or Netscape or whatever, running the applications one at a time or all at once. If you are a Times business staffer, you use PAL/CompuServe to access various databases. The VPN procedure is not much different, although there is an extra step or two. Let's look closely at the new VPN process.

Connecting Remotely: A connection to your local ISP is established. The word "local" suggests where most of the corporate savings come from, since the PPP/PAL service is very expensive. Your ISP can be AT&T, PacBell, EarthLink, various DSL/cable modem services, almost anything except America Online. AOL sometimes works, but not for long, and it is not supported by the Times.

Establishing a Private Network: Once your PC is connected to an ISP, the VPN client will bore a "tunnel" through the Internet to the Times network. The tunnel is an encrypted connection between your PC and the Times gateway, so what passes through it cannot be read by the ISP or by anyone else along the way. Now you can run Decade, etc., or anything else the future brings. And you are saving the Times a bundle of money.

In general, you are responsible for installing this software on your personal machine and making everything work. You can do it. You are professionals, working for a world-class newspaper. Follow the steps in this little manual. If you get into trouble, the Times Help Desk or one of the regional Editorial Systems help desks will assist you. (Help desk phone numbers are listed on Page 1 of this manual.) And any VPN-authorized employee can bring his/her PC to the Electronics Department in Los Angeles or Orange County for customizing. Appointments are required for this personal service. For appointments, call 213-999-9999 in L.A. or 714-999-9999 in O.C. But try to do it yourself.

JACKSON SELLERS
Senior Analyst, Calif. Bureaus & Special Projects
Editorial Systems, Information Technology
August 2001 (First Edition)

Note: This second edition, published in June 2002, expands the range of Microsoft operating systems supported by the Times VPN client. Now WinXP, the latest and greatest, is supported. Also, the VPN client itself has undergone a name change. It is called Contivity. If you are running the old client, Extranet, don't worry. Extranet will continue to run nicely on operating systems ranging from Win95 to Win2000.

Minimum Requirements for Contivity VPN
• Operating system: Windows 95, 98, 98SE, ME, NT, 2000 or XP
• Storage: At least 5 MB of free disc space
• High-speed modem (or DSL/cable modem with Times-approved firewall)
• CD-ROM drive for installation
• PC must NOT be using America Online as its VPN ISP

Read This First: Install CD

Everything you need for VPN operations can be loaded from the installation CD provided to you. If you are a Windows 95 user, your operating system can be updated. If you are running either Win95 or Win98, an optional enhancement is available. If you have been authorized for an ISP dialer, the AT&T Net Client can be installed. And of course almost everybody needs to install the Contivity VPN program.

Slip the CD into your CD-ROM drive. It will "auto-run," meaning the menu below will automatically appear. If nothing happens, go to My Computer, open the CD and double-click Cdmenu.

Things You Must Know: These menu items can be launched in two ways. 1) Double-click on them. 2) Click once to select the program to be installed, then click on the Install Application icon at bottom left. Anytime you want to display the menu, simply eject the CD and re-insert it, or manually open it as described above.

If you already have a dialup ISP (other than AOL) or a DSL/cable modem, and if you are running Windows 98SE, NT, ME, 2000 or XP, you are in fat city. Launch "Install Contivity VPN Client v4.15." The installation will begin.
Now turn to this manual's "Personal Tunnel: Contivity" chapter, Page 25, and follow instructions. By Page 29, you'll be connected to the Times network. But don't fail to look at the "VPN Notes and Hints" chapter starting on Page 30. Good advice can be found there.

The rest of you, those running Windows 95 or 98, have a bit more work to do before installing the AT&T dialer and/or the Contivity client. If your machine is using the old Win95 operating system, it must be updated for VPN operations, a lengthy procedure if done manually but automated as much as possible on the Times CD. Both Win95 and Win98 users should run the "Optional VPN Enhancement" program. Refer to the "Installation Steps & Manual References" chart below. It lists the recommended order of installation and refers you to pages that can be helpful.

Installation Steps & Manual References
Step 1: Update Win95 operating system. See "Windows 95 Updates," Page 8.
Step 2: Optional Win95/Win98 update. See "Windows 95 Updates," Page 10.
Step 3: Install AT&T dialer (if authorized). See "Your Internet Connection," Page 12.
Step 4: Install Contivity VPN client. See "Personal Tunnel: Contivity," Page 25.

This is the normal order of installation, but the number of actual steps required depends on your operating system version and whether or not you have been assigned an AT&T account. Also, Step 2 is optional for Win95 and Win98 users, although it improves VPN operations slightly and is considered worthwhile. The VPN enhancement is built into Win98SE, NT, ME, 2000 and XP, so PCs running these operating systems don't need it.

Network Settings for Win95, 98, 98SE & ME
Certain Times services require specific settings. Also, the on/off switch for the network logon script lies within your network settings. You may prefer to turn off that switch, if it is on, so you can achieve the fastest possible VPN logon from a remote location. Anytime you want to turn a switch on or off, it is nice to know where it is.
See Page 34 in the "VPN Notes and Hints" chapter for further information.

MTU/RWIN Settings for Win95, 98, 98SE & ME
If you are dialing an ISP with any of these operating systems (as opposed to using a DSL or cable modem), see Page 44 in the "VPN Notes and Hints" chapter for important instructions.

Windows 95 Updates

The Contivity VPN Client requires a Win95, Win98, Win98SE, WinNT, WinME, Win2000 or WinXP operating system. System updates are required for all Windows 95 versions, and the oldest and most common Win95 version requires four of them, five counting an optional one. If you are a Win95 user, don't despair. On second thought, go ahead and despair if it helps. As a professional Los Angeles Times writer or editor or business employee, you should be up to Win98 by now, at least, but you aren't, so read on. We've got an automated deal you can't refuse.

Want to Do It Yourself? Okay, turn to Page 11 for detailed instructions. After seeing how much trouble it is, you'll quickly come back here, where fewer dragons await.

Insert or re-insert the installation CD into your drive. The main menu will appear, as above. Select "Windows 95 Operating System Updates," as shown, then click the "Install Application" icon. The updating will start. Skip to Page 10 unless the following note applies to you.

Important: If you get a message saying "Out of Environment Space" or "Command.Com Cannot Be Found," you must add a command line to your Win95 CONFIG.SYS file. Sorry about that, but it can't be helped. It's the price you must pay for being so far behind on your operating system. Exit from the Times installation CD. Go to Start, Run and enter Sysedit in the prompt. Execute the prompt. The Configuration System Editor window will appear (next page). Click once on the CONFIG.SYS window (the one behind AUTOEXEC.BAT) to give yourself full editing access.
Now go down to the bottom of the CONFIG.SYS file and enter the following statement as the last line (note the space before each switch):

shell=c:\command.com /e:4096 /p

The /e:4096 switch enlarges the DOS environment that the installer ran out of, and /p keeps this copy of the command interpreter loaded permanently. Exit from the System Configuration Editor. You will see this query: Answer Yes. Even if you are not prompted to do so, reboot your system now. The new CONFIG.SYS statement becomes active on reboot, and you will need this re-configuration when you run the "Windows 95 Operating System Updates" program again.

In general, the Windows 95 OS update program does the following:
1) Identifies the operating system version of your PC.
2) Installs the necessary updates.
3) Provides essential Microsoft files.

You will see lots of action on your screen, copying of files, etc. If all goes well, you will see the notice below. Do not remove the CD! Click OK to start the reboot. As before, you will see much file copying on your screen, concluding with another restart prompt, shown at below left. You may get several Version Conflict warnings similar to that shown at right. Obey the recommendation. If the file being copied is older, keep the existing file. If that confuses you, we'll make it simple: Answer Yes to all such warnings. After answering Yes to the restart query at left, you are almost finished with Win95 operating system updates. Almost but not quite. See below. Shucks. There is something else to do.

VPN Enhancement Update for Win95 and Win98
Although optional, the update is recommended, and it is very fast and simple. Close any applications running. Only your desktop should be active. Insert or re-insert the Times installation CD, thus displaying the VPN Client Install menu. Select "Optional VPN Enhancement for Win95 and Win98," and click "Install Application." The program knows whether you are running Win95 or Win98, and will install the appropriate file. Screens will flash and file copying will be done. Rebooting, to seal the VPN update into the operating system, is automatic. You are finished, and your PC is set for optimum VPN operations.
Now you can proceed to the AT&T dialer installation, if needed, and/or the Contivity VPN installation.

Want to Do It Yourself? Really?
If you prefer to do the updating manually, or if you just want to know what is being done to your personal machine, this page will help. First, you must know what operating system you are using. Go to Start, Settings, Control Panel and System. The System Properties box will appear. The Windows version is identified under "System" (see below). Now find your version in the table at bottom.

The update files can be executed from the distributed CD. They can be found in the Winupdate folder. The network update will require your original Windows CD-ROM installer on reboot. Look, it all gets a bit complicated. Best advice: Forget about doing it yourself and turn back to Page 8, where a much easier procedure is documented. If you are determined to go ahead, you can insert or re-insert the VPN CD and click on "Browse CD." Find the Winupdate folder and double-click on it. There you will find all the executable update files listed in the chart below. Good luck, brave souls.
Windows Version / Updates Required / CD Filename

Windows 95 (4.00.950):
    Win95 Service Pack 1 - W95pack.exe
    Win95 Socket Update - Kernel 2 - W95kernel.exe
    Win95 Socket 2 Update - W95socket2.exe
    Win95 Dial-up Network 1.3 Update - W95network.exe
    Win95 VPN Update (Optional) - W95vpn.exe

Windows 95A (4.00.950A):
    Win95 Socket Update - Kernel 2 - W95kernel.exe
    Win95 Socket 2 Update - W95socket2.exe
    Win95 Dial-up Network 1.3 Update - W95network.exe
    Win95 VPN Update (Optional) - W95vpn.exe

Windows 95B (4.00.950B) and Windows 95C (4.00.950C):
    Win95 Socket 2 Update - W95socket2.exe
    Win95 Dial-up Network 1.3 Update - W95network.exe
    Win95 VPN Update (Optional) - W95vpn.exe

Windows 98 (4.10.1998):
    Win98 VPN Update (Optional) - W98vpn.exe

Windows 98 SE (4.10.2222A): No updates required.
Windows NT 4.0: No updates required.
Windows ME or 2000: No updates required.

Your Internet Connection

AT&T Net Client

You must have a connection to the Internet to use Contivity VPN software. Cable modems, DSLs and dialup ISDNs are ideal for the purpose. The first two, DSLs and cable modems, are always "on line," or can be, and they are very fast. Dialup ISPs, while lower in cost and limited to the speed of the PC's modem, will serve the majority of us. Most ISPs will work (AT&T, PacBell, EarthLink, etc.) but AOL will not. The Times VPN request form states flatly: "VPN access service will not be supported if AOL (America Online) is your ISP." (See "VPN Notes and Hints," Page 37, for further discussion of the AOL matter.)

If you have a personal DSL or cable modem, congratulations. It will provide high-speed access to the Times network. You don't need an ISP dialer. Skip this chapter. Go to the next one, "Personal Tunnel: Contivity," Page 25, and begin installing your VPN client.

If you are authorized to use AT&T Net Client as your ISP dialer, your next step is to install the program from the CD distributed with this manual.
Pertinent AT&T information (account, user ID and initial password) can be found on the manual's copyright page.

Insert the CD into your drive. Click "Install AT&T Internet Dialer" to select it. Then click the "Install Application" icon. The box below will appear. Click Next. No entry is required for "FastPath."

Click I Agree to the License Agreement (above). Then accept the default "Destination Folder" in the Folder box below. Click Next.

Check the boxes for "AT&T Net Client" and "AT&T Net Location Database." Click Next. The information box below will pop up. Read it if you care to, or just click OK to get rid of it. To continue, you'll have to click Next again on the Components screen.

Check the "Create an icon on the desktop." Click Next. In the Start box below, click Install to begin installation of AT&T Net Client.

Let's finish this now rather than later. Choose "Yes, continue setup." The next box lists three items needed for connection. You've got all of them, we can hope. Do not open a new Internet account. Click Next.

Enter the AT&T "Account" and "User ID" provided to you. Do not click Next yet. Click on the "Advanced Login Properties" button to set up important dialer defaults. The Network box below will pop up. Choose "The Internet." Click Next.

Check the "TCP/IP" box and then click Next. Below, click the "No" button and then click Next.

Select the "Use default network settings" button on the DNS screen and then click Next. Make the same selection on the WINS screen below and click Finish.

Your "Advanced Login Properties" chores are finished, and the User ID window that you filled out earlier (above) waits for you to take further action. (Your "User ID" will be different from that shown.) Click Next. In the Network Connection window at left, select the "Dial using my computer's modem" button and click Next. The Modem window at right will be correct if your PC already has a working modem installed. Click Next.
Do you have "Call Waiting" service? If so, you should choose the appropriate "Dial prefix" to disable it during those times when you are connected to your ISP. Your telephone company can tell you which prefix will do the job. Enter the information appropriate to your dial-up location. Click Next to continue. In the Network Access Number screen below, select the appropriate "Country," "Region" and "Number to dial." You will have to double-click the phone number to make it show up in the "Number to dial" field. Click Next.

Review the information on the Connect Summary screen. Click Next. On the Setup Complete window below, click Finish to begin the fun part of all this.

Pretty dialer, isn't it? You are being asked for your password. Your initial password is exactly the same as your AT&T user ID, or "Login Profile" as it is called here. If your initial password is XXX9999, it doesn't matter whether you enter it as XXX9999 or xxx9999. Enter the password either way, but don't "Save password" just yet. It would be ridiculous to save an initial password that won't work the next time you use it (and an initial password that is identical to your user ID is only a placeholder; it must not stay in use). Click Connect after entering the password.

The dialer will dial the AT&T number you selected during setup. In the process of getting connected to the ISP, you'll be required to change the password. A New Password prompt will appear. Your "Current password" (XXX9999, for example) is already entered. You must enter a new one twice (to verify that you didn't mistype the first time). Choose a password you can't forget! Click OK. Just to be clear, this is your AT&T Net Client password. It has nothing to do with your Times NT password; do not make it the same one.

Note: Back on Page 14, you checked a box requesting an AT&T Net Location Database download. This will happen now. It will take about two minutes. Then you will have an up-to-date AT&T phone directory.

Congratulations! You are now connected to your ISP. In this case the line speed is 52,000 bits per second.
For a variety of reasons, yours may differ, either higher or lower. What next? Well, you could do something. You could run an Internet browser such as Netscape, but if this is the browser you have been using on the Times PPP, the Proxies configuration must be changed to "Direct connection to the Internet." (See "VPN Notes and Hints" in this manual, Page 30, or Page 39 for Internet Explorer.) But let's not go off on a tangent right now. You've got more important things to do, such as installing the VPN software. So log off. Click the dialer button showing an empty box (above). You will be asked to confirm the disconnection. See box at right. Click Yes. The next time you connect to the Internet you can save your new password.

An important note about the AT&T dialer, of interest to those who travel from city to city or from nation to nation: If the "Traveling user" box is checked on the dialer, as shown at left, a handy setup panel is added at the bottom. You can quickly change the dialing instructions wherever you go. Bon Voyage!

Personal Tunnel: Contivity

Your Virtual Private Network client is called Contivity. You are ready to install it. If you have not rebooted since installing AT&T Net Client, reboot now! Then insert the VPN installation CD into your CD-ROM drive. If the CD menu does not auto-display, go to My Computer, open the CD and double-click on Cdmenu.exe. Select "Install Contivity VPN Client v4.15" and click the "Install Application" icon. Contivity installation will begin.

You may get several Version Conflict warnings, as shown below. Obey the recommendation. If the file being copied is older, keep the existing file. In other words, answer Yes to all such warnings. Continue to the next page of this manual unless the box at right applies.

If Things Do Not Go Well... Perhaps you see an error message such as "Out of Environment Space" or "Command.Com Cannot Be Found." The messages most often show up on Windows 95 PCs, but they also can pop up on Win98 machines and maybe even later operating systems. The assumption here must be that you are at least a Win98 user, since a Win95 user would have taken care of the problem back on Pages 8 and 9. Anyway, if you face this problem, turn to those pages and make the required entry in your CONFIG.SYS file as instructed. Reboot, return here and try installing Contivity again.

Attention, XP Users! You will get the message at left. It is Windows XP's driver-signing warning: the Contivity client installs a network driver that has not passed Windows Logo testing, and XP flags it. Scary, isn't it? The correct response is Continue Anyway, but any sane person would click STOP Installation immediately. So step back a moment from sanity. Pretend you are insane. Click Continue Anyway. Take my word for it.

That was easy, wasn't it? Several flashing screens, a couple of mildly entertaining horizontal copying bars and you are done. You will be advised to reboot your PC. Do it. Click Yes in the box that looks like the one at below left. When you get back up, you'll see the Contivity VPN Client icon on your desktop, as shown at right below. But don't relax. There is more to do.

First, establish a connection with your ISP, whether it is dialup or DSL/cable. Contivity will need the Internet connection shortly. Then double-click your Contivity desktop icon. The following dialog box will appear. Notice that the default connection target is Xxxxxx-XXX-XX. Click on the down arrow next to it. You'll see another choice, Xxxxxxx-XXX-Xxx. Why is that important to know? Well, suppose the Los Angeles VPN gateway is unavailable for some reason. You can shift to Chicago to do your work on the Times network. Your user name and PIN are as valid in Chicago as they are in Los Angeles. Oh, you don't know much about the VPN PIN, do you? Read on. It's time to pull out the keychain fob you received with this manual. Turn to the next page and study a short chapter entitled "Token Security."

Token Security

You are ready to log onto the Times network for the first time.
Your token device looks like the graphic shown here, and it is about the same size. Every minute of every hour, it generates a six-digit number that may be entered into the "Token" field of Contivity's opening window. This is your token, assigned to you alone. The numbers will match nobody else's at any one time. Notice the stack of bars to the immediate left of the token readout. Each bar represents 10 seconds. In this particular case, 40 seconds will elapse before the number changes again, before the stack is rebuilt to six bars for another 60-second countdown.

Since this is the first time you have used the token, ignore the "PIN" field in the Contivity window below, because you don't have a PIN yet. But you must enter your Contivity "User Name." Your user name is the same as your Times network name, generally an initial plus surname, rendered solid, as in jsmith. (If you have forgotten it, see Page 1 of this manual, where your user name is recorded.) And of course you must enter the six-digit number displayed on the SecurID token. Follow the directions below. If the token is very near the end of its 60-second cycle, wait for a new number, then type it into the "Token" field. Now click the Save button at the bottom of the box. Nothing dramatic will happen, but Contivity now knows this is the configuration you will always be using. Click Connect or strike the Enter key.

If you did not click Save as instructed, shame on you. You'll get the question at left. Answer Yes. You won't have to Save again.

Your AT&T dialer (if that's what you are using) has already connected you to the Internet. Now the Contivity VPN software will "bore" a tunnel into the Times network from the Internet. You will be required to create a PIN. The rules are simple. It must be all numbers and no shorter than four digits. Create a PIN and don't forget it! And don't write it on the fob or keep it with the fob: the PIN is what makes a lost or stolen token useless to whoever finds it. The advisory at right will pop up. The instructions would be worth reading if they were correct.
Rather than a mere click, a right-click on the Taskbar icon is required to disconnect. But regardless, you don't want to be bothered with this notice again, so check the box saying "Do not show this message in the future." Then click OK.

When you see the Security Banner at left, you are in! Click OK. But you are not "in" all the way. Sorry. You still have to sign onto the Times network (see below). Note: The brief message in the Security Banner will probably be expanded in the future to issue various warnings.

Enter your Times network password and click OK. If your Windows Password prompt shows up next, you can just Cancel it. If you change the Windows password to match your network password, you won't be annoyed by this again. Be aware, though, that on Windows 95, 98 and ME the Windows password is stored locally in a .PWL file whose protection is weak; a password reused there is only as safe as the PC it sits on.

Notice the Windows Toolbar icons, normally at lower right on your desktop. One of them is the ISP icon, meaning you are connected to your Internet service provider. Another is the Contivity icon, meaning you are connected to the Times network. Now you can run your Times applications.

When you are ready to sign off, close all applications, then right-click on the Contivity icon and left-click Disconnect Contivity VPN. You'll see the box below. Click Yes. And you must also disconnect from your AT&T dialup ISP, if that is what you are using. If you can't figure it out yourself, this manual's "Your Internet Connection" chapter tells you how to do it.

Don't worry, folks. All of this, as complicated as it may seem right now, will become routine in short order. The benefits for both you and the Times may not be fully apparent, but they are abundant as large newspapers around the world move into 21st Century technology. And you did it all by yourself! With maybe a little help from your Information Technology friends. Congratulations, but don't completely relax now that you've got VPN running. There are important peripheral issues to deal with or just be aware of.
The next chapter, "VPN Notes and Hints," explores such subjects as Netscape, Outlook Web Access (OWA), Network Settings, H Drive Mapping, DSLs & Cable Modems, America Online, Passwords, Internet Explorer and MTU & RWIN. Some if not all these articles will be of interest to you, and some are even vital to smooth VPN operations.

JACKSON SELLERS
Editorial Systems, Information Technology

VPN Notes and Hints

Subject Index:
Netscape: The Friendliest Browser, 30
Outlook Web Access: E-Mail via the Internet, 32
Network Settings: Win95, 98, 98SE & ME, 34
H: Drive Mapping: Personal Network Folder, 36
DSLs & Cable Modems: Firewalls and Routers, 37
America Online: Popular but Troublesome, 37
Passwords: The Good, the Bad, the Ugly, 38
Internet Explorer: Configuration for VPN, 39
MTU & RWIN: Dialup VPN Settings, 44

Netscape: Many of you are running Netscape as your Internet browser on PPP/CompuServe. It is configured with an automatic proxy statement:

http://config.latimes.trb/proxy.pac
or //news.latimes.com/proxy.pac

This configuration, with either proxy, will work nicely on VPN for access to both the Internet and the Times Intranet (Editorial Library, etc.), but the setting must be changed to "Direct connection to the Internet" if Netscape is run on your ISP alone. Here's how to change the Netscape setting from one to the other:

Suggestion: Don't actually do anything here. Simply digest the information, then turn to Netscape Profile Manager instructions on the next page. The manager will make things easy for you.

Netscape's Edit menu offers Preferences, as shown at left. If you click on the boxed "+" next to Advanced, then click on Proxies, configuration choices will be displayed. Click the radio button next to "Direct connection to the Internet." Now click OK. This makes everything right for running Netscape on your ISP alone. If Netscape is being run on VPN, it needs the "Automatic proxy configuration" setting with its Times proxy statement. Just click its radio button, then OK.
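As an added illustration, not the Times' proxy.pac (whose contents are not reproduced on this page), here is a hypothetical automatic proxy configuration file of the kind a URL such as http://config.latimes.trb/proxy.pac would serve. It shows what the "Automatic proxy configuration" setting actually does: for every request the browser calls FindProxyForURL and the script decides whether the request goes through the corporate proxy or straight out. It also shows how one script could cover both situations the manual describes, so that a user would not need to flip Netscape between "Direct" and "Automatic" by hand. The proxy name proxy.latimes.trb, port 8080, and the assumption that names under .latimes.trb resolve only while the tunnel is up are illustrative. The two helper functions at the bottom stand in for the dnsDomainIs and isResolvable functions a browser supplies to PAC scripts, so the file can be exercised under Node outside a browser.

```javascript
// Hypothetical proxy.pac (added example; not the Times' actual file).
// Assumptions: the corporate proxy is proxy.latimes.trb:8080, and names
// under .latimes.trb resolve only while the Contivity tunnel is up.
var CORP_PROXY = "PROXY proxy.latimes.trb:8080";

function FindProxyForURL(url, host) {
  // Intranet hosts (Editorial Library etc.) exist only behind the tunnel.
  // Never fall back to DIRECT for them: a DIRECT attempt would push the
  // request, cookies included, at whatever the public Internet happens to
  // resolve that name to. Failing closed is the right behaviour here.
  if (dnsDomainIs(host, ".latimes.trb")) {
    return CORP_PROXY;
  }
  // Everything else: use the corporate proxy while the tunnel is up (so
  // Internet access is logged and filtered as in the office), otherwise
  // use the ISP connection directly. "; DIRECT" is the fallback the
  // browser takes when the proxy cannot be reached.
  if (isResolvable("proxy.latimes.trb")) {
    return CORP_PROXY + "; DIRECT";
  }
  return "DIRECT";
}

// ---- Stand-ins for the browser's PAC helper functions -------------------
// A real browser provides dnsDomainIs() and isResolvable(); these
// replacements let the script run under Node. TUNNEL_UP simulates
// whether the VPN tunnel is connected.
var TUNNEL_UP = false;

// Suffix match that requires the leading dot, so "evil-latimes.trb"
// is not mistaken for an intranet host.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function isResolvable(host) {
  // In this model only intranet names depend on the tunnel.
  if (dnsDomainIs(host, ".latimes.trb")) return TUNNEL_UP;
  return true;
}

function setTunnel(up) { TUNNEL_UP = up; }
```

Two practical notes. First, isResolvable costs a DNS lookup each time the script runs, and a slow or unreachable resolver stalls the browser, so a production PAC keeps such checks to a minimum. Second, a PAC file steers every request the browser makes, and this one is fetched over plain HTTP from inside the Times network; it should only ever be loaded from the address the Times publishes, never from one supplied by a third party.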
In Netscape, but not in Internet Explorer, you can create profiles that will be conveniently ready for VPN on the one hand or ISP-only on the other. This manual cannot devote much space to Netscape Profile Manager, but the program is fairly straightforward. First, of course, you must have Netscape installed.

Go to Start, then Run. The Run line requires an entry of Netscape -profile_manager. Yes, the line is nerdy, but you’ll only have to do this once. Don’t yield to your literate impulse to eliminate the space in the Run line. Netscape-profile_manager (without the space) will NOT work, while execution of the precisely correct command will display the following box.

Read the directions in the box itself. Your goal is to produce the profiles listed at left. The New button will allow you to create them. In the end, when all is done, the ISP Netscape Browser, with its “Direct to Internet” setting, will work nicely on an ISP-only connection, and the VPN Netscape Browser, with its Times proxy setting, will give desired results on a VPN connection. But all is not done yet. Click Back.

Henceforth, whenever you run Netscape, the box below is what you will see first. The default “Profile name” will be whatever you ran last. If you need the other one for your current session, drill down and select it. At this point, however, simply Exit.

Okay, let’s test/refine the two profiles. Connect to your ISP. Run Netscape, choosing the ISP Netscape Browser. Follow the directions on the previous page, clicking the “Direct connection to the Internet” button. When finished, exit from Netscape and establish a VPN connection. Run Netscape, choosing the VPN Netscape Browser. This time, of course, you will click the “Automatic proxy configuration” button. If the proxy is not there, enter it. Now the Netscape profiles are configured to go both ways.

Outlook Web Access (OWA):
This is the way you will access your e-mail remotely.
It saves you and your friendly support people a lot of trouble, because you do not need the Outlook client installed on your home PC or laptop. Once connected to your ISP or VPN, you will simply run your Internet browser — usually Netscape or Internet Explorer — and then execute a URL, specifically xxxxxxx.xxxxxxx.xxx.

The beauty of this is that your Times e-mail becomes available wherever in the world you have access to an ISP. It doesn’t have to be your ISP. It can be somebody else’s. You can get your e-mail at home or on the road, but you can also get it on an ISP-connected PC at a friend’s home, at almost any business facility, and at cybershops in Switzerland and Japan, just to name two of the world’s many Internet nations. This constitutes a dramatic improvement in Times remote e-mail service.

Execute the URL — xxxxxxx.xxxxxxx.xxx — and you will see the window below. Hint: Save a bookmark at this point for your future convenience.

Enter your network user name in the “Log On” box and click where it says “click here.” The prompt at left will appear. There is a delimiter between the xxxxxxx and your user name. It’s shown here as a xxxxxxxx, but a xxxxxxxxxxxx will work just as well. The “Password” is your normal, unforgettable network password. Click OK.

Okay, there you have it! Things look a little different from the office version, but everything is essentially the same. Notice that only Page 1 of the “Inbox” is displayed, but that you can click forward to Pages 2, 3, 4, etc. Also be aware that OWA does not automatically notify you of a newly received e-mail, as the full Outlook client does. To display any new messages, or refresh the “Inbox,” you must click the Check for New Mail icon on the toolbar, which looks like this:

Recommended logoff procedure: Click on the Log Off icon at the bottom left of the OWA screen. The message below will appear. Follow directions and close your Internet browser. Hint: You can just close your browser and forget it.
Logoff: To complete the log off process and prevent other users from opening your mailbox, you must close your browser.

Network Settings for Win95, 98, 98SE & ME:
Eventually you will have to deal with settings for Client for Microsoft Networks, so you might as well do it now. This is your operating system’s program for interacting with networks, most pertinently, in your case, the Times network. In general, PAL/CompuServe users are already set up, and Editorial PPP users are not set up at all; nor, of course, are those who buy new computers. These instructions show “screen grabs” from Windows 98, but they are applicable to Win95, 98SE and ME.

Go to your Control Panel and double-click on the Network icon. The box below will appear. There’s always something to confuse us, isn’t there? Contivity has replaced Extranet as the name of the Times VPN client, but the VPN network adapter is still called Extranet Access Client Adapter, as shown at left. Never mind. We are not interested in that right now.

Click once on Client for Microsoft Networks to highlight it as shown above, then click on Properties to display the box on the next page.

Important Note: The Microsoft client may not be there, or it may be there but not be visible. Scroll the directory to be sure. If it is not there, you must install it. Click Add, then Client, then Add again, then Microsoft. Now pick Client for Microsoft Networks and click OK. You may be requested to insert your original Windows CD-ROM disc. You certainly will have to reboot.

First, enter XXXXXXX as your “Windows NT domain.” (Case is not important. The entry could be xxxxxxx.) Other settings:

Logon validation: Do not check the “Log on to Windows NT domain” box. Yes, if the box is checked, the Times logon script will run, and your H: Drive will be automatically configured. Sounds good, doesn’t it? But it will take much longer for you to log on, and you will drum your fingers.
Best advice: Leave the box unchecked, and map the H: Drive yourself, as detailed on Page 36.

Network logon options: The “Logon and restore network connections” radio button should be activated, as shown.

Clicking OK on the Networks Properties window above will return you to the Network window displayed on the previous page. Click on the Identification tab, and you will see the dialog box below. Unfortunately, there is more to do.

“Computer name” can be anything you want, provided it is not the same as a valid Times server or your network name. Just to be safe, let’s follow this convention: xxxxxxxxxxxx; for example, xxxxxxxxxxx. There is a 14-character limitation here, so truncate your user name if necessary.

“Workgroup” must be XXXXX or xxxxxxx.

“Computer description” is completely optional. It can be nothing at all or whatever is desired.

Click OK and you will return to the beginning of these network setups. Click OK again to seal the new settings into your operating system. You will be required to reboot.

H: Drive Mapping:
Some of you are not acquainted with the H: Drive, although everybody has one when he/she logs onto a terminal in a Times networked newsroom or office. You can store text or graphs there, and it is much more secure than your PC’s hard drive, which eventually will crash and lose its data. This H: Drive, or Home Drive as it is called, can also be accessed remotely by VPN users. If the Times logon script is run in conjunction with VPN logons, you will get access automatically. If not, you won’t, but you can manually map the H: Drive while you are logged onto the network via VPN.

You may not be particularly interested in your H: Drive. If so, forget about it. But if you want remote access to this storage place, follow these directions: Go to your desktop while logged onto the Times network. Right-click on My Computer. Now click on Map Network Drive. The dialog box above will appear, although the entries won’t be the same.
For “Drive,” drill down to the H: Drive and select it.

For “Path,” . . . Ah, this presents a problem for many of you. Most likely, you don’t know the name of your H: Drive server. Xxxxxxx’s server is xxxxxxxx, but that’s probably not yours. There are a number of such Times servers. If you don’t know the name of yours, call the L.A. Help Desk — or, if you have access to a newsroom networked terminal, as nearly all of you do, you can log onto that terminal, go to My Computer and simply look. When Xxxxxxx does that, he sees Xxxxxxxxxxxxxxxxxxxxxxx. Either way, you need the name of the server to map your H: Drive for remote access.

The “Reconnect at logon” box should be checked. As usual, after all is done, click OK to seal the bargain.

DSLs & Cable Modems:
[Firewall recommendations still pending]

America Online:
The Times does not support America Online on either office or private PCs. If you insist on using AOL, you are on your own. But let’s be practical here. Many of you already possess AOL and are happy with it. Your kids use it. You and/or your spouse or significant other have joint or separate AOL e-mail accounts. Now the Times is telling you that AOL won’t work as your VPN ISP. Yes, that’s true — AOL won’t work reliably in that role — but what about just keeping AOL around for the kids and spouse?

No doubt the AOL program is aggressive, always trying to take over, but there is plenty of anecdotal evidence suggesting that AOL won’t be troublesome if the ISP/VPN programs are installed on top — that is, to be perfectly clear, if ISP/VPN is installed after the AOL program was installed. But if you do this, and if it works (as it probably will), you must never, never, never update your AOL version, because then AOL will think it is the top dog again. And if it doesn’t work, or if your spouse or kids subsequently update AOL, innocently answering Yes to an AOL online suggestion that the program be updated, don’t call the Times Help Desk.
You will only be told: “The Times doesn’t support AOL.” What do you do then? Hire an expert. A cottage industry has arisen to deal with the complexities of uninstalling AOL. Sorry, but that’s the way it is, as some Times people have already discovered.

Passwords:
Don’t forget your AT&T password or your Contivity PIN! Write them down in a secret place. Such advice is heresy to security people. Don’t tell anybody I told you to do that. But if you do forget your password, notify the Help Desk and your account will be reset, meaning your AT&T password will revert to XXX9999 or whatever. The reset won’t come immediately. The task must be done in Chicago at present. If you forget your Extranet PIN, also notify the Help Desk.

If you lose your SecurID token, you are in more serious trouble. You must notify the Help Desk and request a brand-new account, and you’ll have to fill out another VPN request form and get your supervisor to sign it. Your department will be billed $50.

Another password matter: If the Times VPN gateway — the device that handles authentications — gets the notion that your SecurID fob is out of sync, it will issue a challenge that looks like the prompt below. There is no online help here at all. What the hell is a passcode? An unknown programmer, at some point in the development of Contivity, assumed you would know. He knew, so why not you? Well, a passcode is your PIN plus the six-digit readout on your VPN fob, rendered solid. To be clear: If your PIN is 999, you will respond with “999999999,” assuming your fob readout is “9999.”

Warning: You must not make too many mistakes in this passcode response. After three attempts, you may find yourself locked out of VPN, facing what could be a lengthy delay in getting your authorities restored.

Internet Explorer:
The Times proxy requirement for Netscape applies equally to Microsoft’s Internet Explorer.
The proxy — http://xxxxxx.xxxxxxx.xxx/xxxxx.xxx — should be activated for Internet/Intranet access on VPN. It should be disabled for Internet access on ISP alone. Unlike Netscape, IE offers no profile manager to simplify the matter of switching from VPN connections to, say, the AT&T Net Client running alone. The best plan may be to set up dialup settings for VPN and then, when necessary, modify the settings for ISP alone — or vice versa, depending on which connection is used the most. DSL/cable users face a similar dilemma when switching between the two services.

All Internet Explorer settings are made in Internet Options. There are two ways to get there:
1) Go to your Control Panel and double-click on Internet Options.
2) With IE running, go to Tools, then Internet Options.

The window below will appear. This is where the home page is named. Since we are configuring a VPN setup here, you may want to enter a Times Intranet site such as http://xxxx.xxxx.xxxxxxx.xxx, the Editorial Library’s page. Many writers and editors prefer it because, among other things, it offers a link to TimesOnline, the Editorial archives. But any address will do. VPN provides access to both internal and external sites.

Click the Connections tab, which displays the window on the next page. Select AT&T Net Client or whatever dialup ISP you are using for VPN operations. Click Settings and the dialog box below will be displayed.

Important Note to DSL and Cable Modem Users: You should choose LAN Settings instead. Although just as remote as dialup users, you connect directly to the Times LAN. You lucky guys and gals are not dialup users. Click LAN Settings and follow the proxy instructions below, which are actually aimed at your less speedy comrades.

Make the settings exactly as shown at right. Well, not exactly. The “User name” account information at the bottom will be yours, not the account shown here.
The Proxy Server entries are not essential for dialup ISP users, but they are essential for DSL/cable VPN sessions. The Proxy Server address is xxxxx.xxxxxxx.xxx, not xxxxx.xxxxx.xx as shown. The damned field is not quite large enough to display the entire proxy name. Click OK here and you will return to the previous window, above. Now click on the Advanced tab. The window on the next page will appear.

Scroll down to Internet Explorer’s HTTP 1.1 Settings. Both boxes should be checked as shown. Click OK until you are out of all this, and you are done. Now, when you’ve got a VPN connection to the Times, Internet Explorer will work as desired, accessing both internal and external sites.

Great, but what about switching to an ISP-only connection? Sure, you can do it, but changes in the settings will be required. IE is a bit troublesome in this respect. See below.

When you run Internet Explorer on your ISP connection alone, the settings should be what you see at left. But they may not be that way. Happily, you can make modifications on the fly, within Internet Explorer itself. Go to Tools, then Internet Options and click on the Connections tab. Make sure your ISP is highlighted and then click on Settings. Disable the proxy data and enable “Automatically detect settings.” Click OK out of this, and away you will surf on the World Wide Web.

But wait! There are more IE settings! See the next page.

Your Internet Explorer operations will be more efficient and secure if you pay further attention to Internet Properties settings. Go to Internet Options, as instructed on Page 39, then click on the Advanced tab. The window at right will open. If you know what you are doing, make your own selections. If you don’t, join the club and slavishly follow Times recommendations as shown here. Scroll until you reach the bottom, checking and unchecking the boxes. This list of settings may not correspond exactly with yours. It depends on your Internet Explorer version.
Just do the best you can, referring always to the Times recommendations. One more page to go. See the next page.

Keep on scrolling, checking and unchecking, folks! You’ll only have to do this once for ultimate Internet Explorer performance. The “Security” settings at left may be the most important of all. They will give a measure of protection to both you and the Times. Click OK out of Internet Properties and again out of Internet Options. Finished at last!

MTU & RWIN Settings:
If you are a dialup VPN user, and if you are running Win95, 98, 98SE or ME, you can improve performance significantly by following these instructions. Don’t bother (don’t even try) if you are running Win2000, WinNT or WinXP. They are smart enough to handle things themselves. Also, don’t bother if you are equipped with a DSL or cable modem, which is as good as it gets. What we are talking about here is strictly for VPNers who dial out to ISPs from machines running the earlier Microsoft operating systems.

What is MTU? It means Maximum Transmission Unit and is recorded in your PC’s registry, where only the brave dare go. The Windows default MTU setting is 1500. This is the optimum setting for LAN connections, which, in a remote sense, mean DSL and cable modems. It is too large, however, for dial-up connections. Since you are a dial-up VPN user, you’ll need to lower this setting to 576.

What is RWIN? It means Receive Window and is defined as “the amount of unacknowledged data that can be outstanding on a TCP connection.” Don’t ask what that means. Just accept the recommendation that RWIN should be set at 4.

Slip the Times VPN installation CD into your CD drive. The menu will appear. Select “Update System Registry with MTUSpeed Pro v4.10” and click Install Application, or just double-click the menu item.

Don’t worry about this being “for Windows 95.” It will work on Win98, Win98SE and WinME as well. Select Dial-Up Adapter, as shown above. You may have to drill down to select it.
“Drill down” means clicking on the down arrow to reveal a list of your adapters. Make sure the “Apply same values” box at lower left is not checked and the “RWIN enabled” box at lower right is checked. Slide the RWIN trackbar to 4. (If the bar won’t slide, click the Optimum Settings button and try again.) Now click the Change MaxMTU button. The New MTU Setting dialog box will appear. Enter 576 as a new MTU value. Click OK.

Now you must also set the MTU for the VPN Extranet adapter. Yes, Contivity’s adapter is still called “Extranet.” Follow directions on the next page.

Drill down and select Extranet Access Client Adapter, as shown below. Slide the RWIN trackbar to 4, click Change MaxMTU, enter 576 and click OK. To seal the bargain, click the Update Registry button. Click a final OK and reboot. Your dialup VPN sessions should go much better now, with fewer problems when transmitting or receiving long stories and other data.