VPN installation - Jim Marchant Home Page

Remote
ACCESS
2001
Virtual Private Network
Last Modified: June 28, 2002
(Includes Support for Windows XP Home and Pro)
Remote Access 2001: Virtual Private Network
Los Angeles Times
First Edition, August 2001
Second Edition, June 2002
Copyright © 2001 by the Los Angeles Times, Los Angeles, CA 90053
Contivity and Extranet are tradenames of Nortel Networks
Decade is a tradename of CE Engineering Publishing Systems
AT&T Net Client is a tradename of American Telephone & Telegraph
RSA SecurID Token is copyrighted by RSA Security Inc.
Netscape is a tradename of AOL Time Warner
Outlook 2000 and Internet Explorer are tradenames of Microsoft Corp.
MTUSpeed Pro 4.10 is copyrighted by Mike Sutherland
Contivity
VPN Client
Compiled by Los Angeles Times Editorial Systems, Information Technology
Tom Kuby, Manager
Remote Access Team:
Jackson Sellers, Editorial Systems (Team Leader)
Gary Ambrose, Editorial Systems, L.A.
Jim Carr, Editorial, O.C.
Tony Cruse, Editorial Systems, O.C.
Brett Levy, Editorial Systems, L.A.
Jim Marchant, Editorial Help Desk, L.A.
Hao Nguyen, Editorial Help Desk, L.A.
Jim Robinson, Editorial Systems, D.C.
Phillip Ruiz, Editorial Systems, D.C.
Morrine Sosnow, Editorial Systems, S.F.V.
RSA SecurID Token
Technical Guidance by the Times VPN Project Team , Information Technology
Michael Batton, VPN Project Lead
Eddie Velez, Manager of Network Services
Bill Urban, Manager, Customer Services
Jim Robertson, Network Architect
Chris Horeczko, Desktop Engineer
Jackson Sellers, Senior Analyst
Cynthia Cowan, Data Security
Mark Seybold, Systems Analyst
Gary Ambrose, Systems Analyst
Cover design by Chuck Nigash, Art Director, Daily Calendar
AT&T
Net Client
Please call the appropriate help desk if you have questions or problems
Los Angeles (Editorial)
Los Angeles (Business)
Orange County (Editorial)
Washington, D.C. (Editorial)
999-999-9999
999-999-9999
999-999-9999
299-999-9999
AT&T ISP Data
Contivity Client
Corporate Account: XXXX
User Name:
User ID: XXX
_______________
Initial Password: (Same as User ID)
1
Remote Access 2001
Virtual Private Network
CONTENTS
What Is VPN?
3
Read This First: Install CD
6
Windows 95 Updates
8
Your Internet Connection
12
Personal Tunnel: Contivity
25
Token Security
27
VPN Notes and Hints
30
Netscape
Outlook Web Access
Network Settings
H: Drive Mapping
30
32
34
36
DSL & Cable
America Online
Passwords
Internet Explorer
MTU & RWIN
37
37
38
39
44
This manual targets the Editorial Department, which has the largest number of remote network users, but it can be helpful to all Times employees
who have a need for remote communications and/or remote access to business databases, regardless of the department for which they work.
2
What Is VPN?
Just what you needed, right? Another TLA (or Three-Letter
Acronym) to deal with. Currently, at the very beginning of the 21st century,
all remote Editorial users of the Times network possess PPP accounts
(Point-to-Point Protocol), and Times business employees and foreign correspondents utilize PAL (Phone Access Lookup) for CompuServe connections. Many writers, editors and others have their own ISPs (Internet
Service Provider), although most are content with the Times-provided
PPP/PAL for remote access to Decade, Netscape, Internet Explorer, e-mail,
etc., and they see no reason at all for personal ISPs.
Well, say hello to VPN (Virtual Private Network), which replaces
PPP/PAL and requires not only an ISP but a PIN (Personal Identification
Number). VPN provides a means of connecting to the Times network over
the Internet. Why is the Times making this switch when you are happy
enough with what you’ve got? Economics, stupid. Recently a senior
Editorial manager was asked if Times writers and editors would appreciate
the fact that VPN is much cheaper than PPP. She laughed out loud. But
more than half a million dollars in annual savings is no laughing matter.
It’s not all economics, of course. VPN offers immediate benefits to
those who connect to Times systems from home, on the road or in national
and foreign bureaus. Let’s list a few:
1) You will no longer be cautioned to limit your connect time on the
Times network. Ten minutes or 10 hours is okay with the Times.
2) Cable modems as well as DSLs (Digital Subscriber Line) will
work nicely with VPN and provide exceptionally high speeds. This is a big
plus for Times employees who need/want high-speed communications.
Cable modems and DSLs are rapidly growing in popularity and everybody
will have them someday. But until now, neither of these always-connected,
high-speed services could be used to access the Times network. VPN
removes that limitation. Your cable modems and DSLs, however, must be
protected against hackers. Times-approved devices are listed in this manual.
[Not yet, actually, but they will be.]
3
3) Your home drive, or H: Drive, will be available. This personal
storage folder is where you can stash all kinds of data, including old e-mail
with sizable attachments, plus the novel that will make you famous. Just
kidding about the novel. The H: Drive and all other Times storage devices
are for business only.
4) VPN, especially when connected via DSL or cable modem, will
facilitate remote communications with the new CCI pagination system.
This “Remote Access 2001” manual will help you make the switch
from PPP/PAL to VPN — very much as the “Remote Decade 2000” manual guided you in installing both your Dial-Up Networking PPP and the
Decade application that interfaces with the Times News Editing System.
The good news is that all applications already installed on your remote PC
or laptop (Decade, Netscape, etc.) will be left undisturbed. We are dealing
here, in this manual, only with the manner in which you connect to the
Times network. From your point of view, PPP/PAL will transmogrify into
ISP/VPN.
How does VPN work? First, think about what you are doing now. If
you are a typical Editorial staffer, you use Windows Dial-Up Networking to
connect to the Times PPP server via an 800 number. Then you launch
Decade or Netscape or whatever, running the applications one at a time or
all at once. If you are a Times business staffer, you use PAL/CompuServe to
access various databases. The VPN procedure is not much different,
although there is an extra step or two. Let’s look closely at the new VPN
process.
Connecting Remotely: A connection to your local ISP is established. The word “local” suggests where most of the corporate savings
come from, since the PPP/PAL service is very expensive. Your ISP can be
AT&T, PacBell, EarthLink, various DSL/cable modem services, almost
anything except America Online. AOL sometimes works, but not for long,
and it is not supported by the Times.
Establishing a Private Network: Once your PC is connected to an
ISP, the VPN client will bore a “tunnel” through the Internet to the Times
network. Now you can run Decade, etc., or anything else the future brings.
4
And you are saving the Times a bundle of money.
In general, you are responsible for installing this software on your
personal machine and making everything work. You can do it. You are professionals, working for a world-class newspaper. Follow the steps in this little manual. If you get into trouble, the Times Help Desk or one of the
regional Editorial Systems help desks will assist you. (Help desk phone
numbers are listed on Page 1 of this manual.) And any VPN-authorized
employee can bring his/her PC to the Electronics Department in Los
Angeles or Orange County for customizing. Appointments are required for
this personal service. For appointments, call 213-999-9999 in L.A. or 714999-9999 in O.C. But try to do it yourself.
JACKSON SELLERS
Senior Analyst, Calif. Bureaus & Special Projects
Editorial Systems, Information Technology
August 2001 (First Edition)
Note: This second edition, published in June 2002, expands the range of
Microsoft operating systems supported by the Times VPN client. Now
WinXP, the latest and greatest, is supported. Also, the VPN client itself has
undergone a name change. It is called Contivity. If you are running the old
client, Extranet, don’t worry. Extranet will continue to run nicely on operating systems ranging from Win95 to Win2000.
Minimum Requirements for Contivity VPN
• Operating system: Windows 95, 98, 98SE, ME, NT, 2000 or XP
• Storage: At least 5 MB of free disc space
• High-speed modem (or DSL/cable modem with Times-approved firewall)
• CD-ROM drive for installation
• PC must NOT be using America Online as its VPN ISP
5
Read This First: Install CD
Everything you need for VPN operations can be loaded from the
installation CD provided to you. If you are a Windows 95 user, your operating system can be updated. If you are running either Win95 or Win98, an
optional enhancement is available. If you have been authorized for an ISP
dialer, the AT&T Net Client can be installed. And of course almost everybody needs to install the Contivity VPN program.
Slip the CD into your CD-ROM drive. It will “auto-run,” meaning
the menu below will automatically appear. If nothing happens, go to My
Computer, open the CD and double-click Cdmenu.
Things You Must Know
These menu items can be
launched in two ways. 1) Doubleclick on them. 2) Click once to
select the program to be installed,
then click on the Install
Application icon at bottom left.
Anytime you want to display the
menu, simply eject the CD and
re-insert it, or manually open it as
described above.
If you already have a dialup ISP (other than AOL) or a DSL/cable
modem, and if you are running Windows 98SE, NT, ME, 2000 or XP, you
are in fat city. Launch “Install Contivity VPN Client v4.15.” The installation will begin. Now turn to this manual’s “Personal Tunnel: Contivity”
chapter, Page 25, and follow instructions. By Page 29, you’ll be connected
to the Times network. But don’t fail to look at the “VPN Notes and Hints”
chapter starting on Page 30. Good advice can be found there.
6
The rest of you — those running Windows 95 or 98 — have a bit
more work to do before installing the AT&T dialer and/or the Contivity
client. If your machine is using the old Win95 operating system, it must be
updated for VPN operations, a lengthy procedure if done manually but
automated as much as possible on the Times CD. Both Win95 and Win98
users should run the “Optional VPN Enhancement” program. Refer to the
“Installation Steps & Manual References” chart below. It lists the recommended order of installation and refers you to pages that can be helpful.
Installation Steps & Manual References
Step 1
Update Win95 Operating System
“Windows 95 Updates,” Page 8
Step 2
Optional Win95/Win98 Update
“Windows 95 Updates,” Page 10
Step 3
Install AT&T Dialer (if Authorized)
“Your Internet Connection,” Page 12
Step 4
Install Contivity VPN Client
“Personal Tunnel: Contivity,” Page 25
This is the normal order of installation, but the number of actual steps required depends on
your operating system version and whether or not you have been assigned an AT&T
account. Also, Step 2 is optional for Win95 and Win98 users, although it improves VPN
operations slightly and is considered worthwhile. The VPN enhancement is built into
Win98SE, NT, ME, 2000 and XP, so PCs running these operating systems don’t need it..
Network Settings for Win95, 98, 98SE & ME
Certain Times services require specific settings. Also, the on/off switch for the network
logon script lies within your network settings. You may prefer to turn off that switch, if it is
on, so you can achieve the fastest possible VPN logon from a remote location. Anytime
you want to turn a switch on or off, it is nice to know where it is.
See Page 34 in the “VPN Notes and Hints” chapter for further information.
MTU/RWIN Settings for Win95, 98, 98SE & ME
If you are dialing an ISP with any of these operating systems (as opposed to using a DSL or
cable modem), see Page 44 in the “VPN Notes and Hinits” chapter for important instructions.
7
Windows 95 Updates
The Contivity VPN Client requires a Win95, Win98, Win98SE,
WinNT, WinME, Win2000 or WinXP operating system. System updates are
required for all Windows 95 versions, and the oldest and most common
Win95 version requires four of them, five counting an optional one. If you
are a Win95 user, don’t despair. On second thought, go ahead and despair if
it helps. As a professional Los Angeles Times writer or editor or business
employee, you should be up to Win98 by now, at least, but you aren’t, so
read on. We’ve got an automated deal you can’t refuse.
Want to Do It Yourself?
Okay, turn to Page 11 for
detailed instructions. After
seeing how much trouble it
is, you’ll quickly come back
here, where fewer dragons
await.
Insert or re-insert the installation CD into your drive. The main menu
will appear, as above. Select “Windows 95 Operating System Updates,” as
shown, then click the “Install Application” icon. The updating will start.
Skip to Page 10 unless the following note applies to you.
Important: If you get a message saying “Out of Environment
Space” or “Command.Com Cannot Be Found,” you must add a command
line to your Win95 CONFIG.SYS file. Sorry about that, but it can’t be
helped. It’s the price you must pay for being so far behind on your operating system. Exit from the Times installation CD. Go to Start, Run and
enter Sysedit in the prompt. Execute the prompt. The Configuration
System Editor window will appear (next page).
8
Click once on the CONFIG.SYS window (the one behind AUTOEXEC.BAT) to give yourself full editing access. Now go down to the bottom
of the CONFIG.SYS file and enter the following statement as the last line:
shell=c:\command.com/e:4096/p
Exit from the System Configuration Editor. You will see this
query:
Answer Yes. Even if you are not prompted to do so, reboot your system now. The new CONFIG.SYS statement becomes active on reboot, and
you will need this re-configuration when you run the “Windows 95
Operating System Updates” program again.
9
In general, the Windows 95 OS update program does the following:
1) Identifies the operating system version of your PC.
2) Installs the necessary updates.
3) Provides essential Microsoft files.
You will see lots of action on your screen, copying of files, etc. If all
goes well, you will see the notice below.
Do not remove the CD! Click OK
to start the reboot. As before, you
will see much file copying on your
screen, concluding with another
restart prompt, shown at below
left.
You may get several Version Conflict warnings
similar to that shown at right. Obey the recommendation. If the file being copied is older, keep
the existing file. If that confuses you, we’ll make
it simple: Answer Yes to all such warnings.
After answering Yes to the restart
query at left, you are almost finished with Win95 operating system
updates. Almost but not quite. See
below. Shucks. There is something
else to do.
VPN Enhancement Update for Win95 amd Win98
Although optional, the update is recommended, and it is very fast and
simple. Close any applications running. Only your desktop should be
active. Insert or re-insert the Times installation CD, thus displaying the
VPN Client Install menu. Select “Optional VPN Enhancement for Win95
and Win98,” and click “Install Application.” The program knows whether
you are running Win95 or Win98, and will install the appropriate file.
Screens will flash and file copying will be done. Rebooting, to seal the
VPN update into the operating system, is automatic. You are finished, and
your PC is set for optimum VPN operations. Now you can proceed to the
AT&T dialer installation, if needed, and/or the Contivity VPN installation.
10
Want to Do It Yourself? Really?
If you prefer to do the updating manually, or if you just want to know
what is being done to your personal machine, this page will help. First, you
must know what operating system you are using. Go to Start, Settings,
Control Panel and System. The System Properties box will appear. The
Windows version is identified under “System” (see below). Now find your
version in the table at bottom. The update files can be executed from the
distributed CD. They can be found in the Winupdate folder. The network
update will require your original Windows CD-ROM installer on reboot.
Look, it all gets a bit complicated. Best advice: Forget about doing it yourself and turn back to Page 8, where a much easier procedure is documented.
If you are determined to go ahead,
you can insert or re-insert the VPN
CD and click on “Browse CD.” Find
the Winupdate folder and doubleclick on it. There you will find all the
executable update files listed in the
chart below. Good luck, brave souls.
Windows Version
Updates Required
CD Filename
Windows 95 (4.00.950)
Win95 Service Pack 1
Win95 Socket Update - Kernel 2
Win95 Socket 2 Update
Win95 Dial-up Network 1.3 Update
Win95 VPN Update (Optional)
W95pack.exe
W95kernel.exe
W95socket2.exe
W95network.exe
W95vpn.exe
Windows 95A (4.00.950A)
Win95 Socket Update - Kernel 2
Win95 Socket 2 Update
Win95 Dial-up Network 1.3 Update
Win95 VPN Update (Optional)
W95kernel.exe
W95socket2.exe
W95network.exe
W95vpn.exe
Windows 95B (4.00.950B)
Windows 95C (4.00.950C)
Win95 Socket 2 Update
Win95 Dial-up Network 1.3 Update
Win95 VPN Update (Optional)
W95socket2.exe
W95network.exe
W95vpn.exe
Windows 98 (4.10.1998)
Win98 VPN Update (Optional)
W98vpn.exe
Windows 98 SE (4.10.2222A)
No Updates Required
None
Windows NT 4.0
No Updates Required
None
Windows ME or 2000
No Updates Required
None
11
Your Internet Connection
AT&T
Net Client
You must have a connection to the Internet to use Contivity VPN software.
Cable modems, DSLs and dialup ISDNs are ideal for the purpose. The first two
— DSLs and cable modems — are always “on line,” or can be, and they are very
fast. Dialup ISPs, while lower in cost and limited to the speed of the PC’s modem,
will serve the majority of us. Most ISPs will work — AT&T, PacBell, EarthLink,
etc. — but AOL will not. The Times VPN request form states flatly: “VPN access
service will not be supported if AOL (America Online) is your ISP.” (See “VPN
Notes and Hints,” Page 37, for further discussion of the AOL matter.)
If you have a personal DSL or cable modem, congratulations. It will provide high-speed access to the Times network. You don’t need an ISP dialer. Skip
this chapter. Go to the next one, “Personal Tunnel: Contivity,” Page 25, and begin
installing your VPN client.
If you are authorized to use AT&T Net Client as your ISP dialer, your next
step is to install the program from the CD distributed with this manual. Pertinent
AT&T information (account, user ID and initial password) can be found on the
manual’s copyright page. Insert the CD into your drive. Click “Install AT&T
Internet Dialer” to select it. Then click the “Install Application” icon. The box
below will appear. Click Next. No entry is required for “FastPath.”
12
Click I Agree to the License Agreement (above). Then accept the default
“Destination Folder” in the Folder box below. Click Next.
13
Check the boxes for “AT&T Net Client” and “AT&T Net Location
Database.” Click Next. The information box below will pop up. Read it if you
care to, or just click OK to get rid of it. To continue, you’ll have to click Next
again on the Components screen.
14
Check the “Create an icon on the desktop.” Click Next. In the Start box
below, click Install to begin installation of AT&T Net Client.
15
Let’s finish this now rather than later. Choose “Yes, continue setup.” The
next box lists three items needed for connection. You’ve got all of them, we can
hope. Do not open a new Internet account. Click Next.
16
Enter the AT&T “Account” and “User ID” provided to you. Do not click
Next yet. Click on the “Advanced Login Properties” button to set up important
dialer defaults. The Network box below will pop up. Choose “The Internet.”
Click Next.
17
Check the “TCP/IP” box and then click Next. Below, click the “No” button
and then click Next.
18
Select the “Use default network settings” button on the DNS screen and
then click Next. Make the same selection on the WINS screen below and click
Finish.
19
Your “Advanced Login Properties” chores are finished, and the User
ID window that you filled out earlier (above) waits for you to take further
action. (Your “User ID” will be different from that shown.) Click Next.
In the Network Connection window
at left, select the “Dial using my
computer’s modem” button and click
Next.
The Modem window at right will be
correct if your PC already has a
working modem installed. Click Next.
20
Do you have “Call
Waiting” service? If
so, you should choose
the appropriate “Dial
prefix” to disable it
during those times
when you are connected to your ISP. Your
telephone company
can tell you which prefix will do the job.
Enter the information appropriate to your dial-up location. Click Next to
continue. In the Network Access Number screen below, select the appropriate
“Country,” “Region” and “Number to dial.” You will have to double-click the
phone number to make it show up in the “Number to dial” field. Click Next.
21
Review the information on the Connect Summary screen. Click Next. On
the Setup Complete window below, click Finish to begin the fun part of all this.
22
Pretty dialer, isn’t it? You are being asked for your password. Your
initial password is exactly the same as your AT&T user ID, or “Login
Profile” as it is called here. If your initial password is XXX9999, it doesn’t
matter whether you enter it as XXX9999 or xxx9999. Enter the password
either way, but don’t “Save password” just yet. It would be ridiculous to
save an initial password that won’t work the next time you use it. Click
Connect after entering the password.
The dialer will dial the AT&T number you selected during setup. In the
process of getting connected to the ISP, you’ll be required to change the
password. A New Password prompt will appear.
Your “Current password” (XXX9999, for
example) is already entered. You must enter
a new one twice (to verify that you didn’t
mistype the first time). Choose a password
you can’t forget! Click OK. Just to be clear,
this is your AT&T Net Client password. It
has nothing to do with your Times NT
password.
Note: Back on Page 14, you checked a box requesting an AT&T Net
Location Database download. This will happen now. It will take about two
minutes. Then you will have an up-to-date AT&T phone directory.
23
Congratulations! You are now
connected to your ISP. In this
case the line speed is 52,000 bits
per second. For a variety of
reasons, yours may differ, either
higher or lower.
What next? Well, you could do something. You could run an Internet
browser such as Netscape, but if this is the browser you have been using on
the Times PPP, the Proxies configuration must be changed to “Direct
connection to the Internet.” (See “VPN Notes and Hints” in this manual,
Page 30, or Page 39 for Internet Explorer.) But let’s not go off on a tangent
right now. You’ve got more important things to do, such as installing the
VPN software.
So log off. Click the dialer
button showing an empty box
(above). You will be asked to
confirm the disconnection. See box
at right. Click Yes. The next time
you connect to the Internet you can
save your new password.
An important note about the
AT&T dialer . . . of interest to
those who travel from city to
city or from nation to nation:
If the “Traveling user” box is
checked on the dialer, as shown
at left, a handy setup panel is
added at the bottom. You can
quickly change the dialing
instructions wherever you go.
Bon Voyage!
24
Personal Tunnel: Contivity
Your Virtual Private Network client is called Contivity. You are ready to
install it. If you have not rebooted since installing AT&T Net Client, reboot now!
Then insert the VPN installation CD into your CD-ROM drive. If the CD menu
does not auto-display, go to My Computer, open the CD and double-click on
Cdmenu.exe.
Select “Install Contivity VPN Client v4.15” and click the “Install
Application” icon. Contivity installation will begin. You may get several Version
Conflict warnings, as shown below. Obey the recommendation. If the file being
copied is older, keep the existIf Things Do Not Go Well...
ing file. In other words,
answer Yes to all such warnPerhaps you see an error message such as “Out
ings. Continue to the next page
of Environment Space” or “Command.Com
of this manual unless the box at
Cannot Be Found.” The messages most often
right applies.
show up on Windows 95 PCs, but they also can
pop up on Win98 machines and maybe even
later operating systems. The assumption here
must be that you are at least a Win98 user, since
a Win95 user would have taken care of the problem back on Pages 8 and 9. Anyway, if you face
this problem, turn to those pages and make the
required entry in your CONFIG.SYS file as
instructed. Reboot, return here and try installing
Contivity again.
Attention, XP Users!
You will get the message at left.
Scary, isn’t it? The correct
response is Continue Anyway,
but any sane person would
click STOP Installation immediately. So step back a moment
from sanity. Pretend you are
insane. Click Continue
Anyway. Take my word for it.
25
That was easy, wasn’t it? Several flashing screens, a couple of mildly
entertaining horizontal copying bars and you are done. You will be advised
to reboot your PC. Do it. Click Yes in the box that looks like the one at
below left. When you get back up, you’ll see the Contivity VPN Client icon
on your desktop, as shown at right below.
But don’t relax. There is more to do. First, establish a connection with
your ISP, whether it is dialup or DSL/cable. Contivity will need the Internet
connection shortly. Then double-click your Contivity desktop icon. The
following dialog box will appear.
Notice that the default
connection target is
Xxxxxx- XXX-XX.
Click on the down
arrow next to it. You’ll
see another choice —
Xxxxxxx-XXX-Xxx.
Why is that important
to know? Well,
suppose the Los
Angeles VPN gateway
is unavailable for some
reason. You can shift
to Chicago to do your
work on the Times
network. Your user
name and PIN are as
valid in Chicago as
they are in Los
Angeles. Oh, you don’t
know much about the
VPN PIN, do you?
Read on.
It’s time to pull out the keychain fob you received with this manual.
Turn to the next page and study a short chapter entitled “Token Security.”
26
Token Security
You are ready to log onto the Times network for the first time. Your
token device looks like the graphic shown here, and it is about the same size.
Every minute of every hour, it generates a
six-digit number that may be entered into
the “Token” field of Contivity’s opening
window. This is your token, assigned to
you alone. The numbers will match
nobody else’s at any one time. Notice the
stack of bars to the immediate left of the
token readout. Each bar represents 10
seconds. In this particular case, 40 seconds will elapse before the number
changes again, before the stack is rebuilt to six bars for another 60-second
countdown.
Since this is the first time you have used the token, ignore the “PIN”
field in the Contivity window below, because you don’t have a PIN yet. But
you must enter your Contivity “User Name.” Your user name is the same as
your Times network name, generally an initial plus surname, rendered solid,
as in jsmith. (If you have forgotten it, see Page 1 of this manual, where your
user name is recorded.) And of course you must enter the six-digit number
displayed on the SecurID token. Follow the directions below.
If the token is
very near the
end of its 60second cycle,
wait for a new
number, then
type it into the
“Token” field.
Now click the
Save button at
the bottom of
the box.
Nothing
dramatic will
happen, but
Contivity now
knows this is
the
configuration
you will always
be using. Click
Connect or
strike the Enter
key.
27
If you did not click Save as instructed,
shame on you. You’ll get the question at
left. Answer Yes. You won’t have to Save
again.
Your AT&T dialer (if that’s what you are using) has already connected you to
the Internet. Now the Contivity VPN software will “bore” a tunnel into the
Times network from the Internet. You will be required to create a PIN. The
rules are simple. It must be all numbers and no shorter than four digits. Create
a PIN and don’t forget it!
The advisory at right will pop up. The
instructions would be worth reading if they
were correct. Rather than a mere click, a
right-click on the Taskbar icon is required
to disconnect. But regardless, you don’t
want to be bothered with this notice again,
so check the box saying “Do not show this
message in the future.” Then click OK.
When you see the Security Banner
at left, you are in! Click OK. But
you are not “in” all the way. Sorry.
You still have to sign onto the Times
network (see below).
Note: The brief message in the
Security Banner will probably be
expanded in the future to issue
various warnings.
Enter your Times
network password
and click OK. If
your Windows
Password prompt
shows up next,
you can just
Cancel it. If you
change the
Windows
password to match
your network
password, you
won’t be annoyed
by this again.
28
Notice the Windows Toolbar icons,
normally at lower right on your desktop. One of
them is the ISP icon, meaning you are
connected to your Internet service provider.
Another is the Contivity icon, meaning you are
connected to the Times network. Now you can
run your Times applications. When you are
ready to sign off, close all applications, then
right-click on the Contivity icon and left-click
Disconnect Contivity VPN. You’ll see the box
below. Click Yes.
And you must also disconnect from your AT&T dialup ISP, if that is
what you are using. If you can’t figure it out yourself, this manual’s “Your
Internet Connection” chapter tells you how to do it.
Don’t worry, folks. All of this, as complicated as it may seem right
now, will become routine in short order. The benefits for both you and the
Times may not be fully apparent, but they are abundant as large newspapers
around the world move into 21st Century technology. And you did it all by
yourself! With maybe a little help from your Information Technology
friends.
Congratulations, but don’t completely relax now that you’ve got VPN
running. There are important peripheral issues to deal with or just be aware
of. The next chapter, “VPN Notes and Hints,” explores such subjects as
Netscape, Outlook Web Access (OWA), Network Settings, H Drive Mapping,
DSLs & Cable Modems, America Online, Passwords, Internet Explorer and
MTU & RWIN. Some if not all these articles will be of interest to you, and
some are even vital to smooth VPN operations.
JACKSON SELLERS
Editorial Systems, Information Technology
29
VPN Notes and Hints
Subject Index:
Netscape
Outlook Web Access
Network Settings
H: Drive Mapping
DSLs & Cable Modems
America Online
Passwords
Internet Explorer
MTU & RWIN
The Friendliest Browser
E-Mail via the Internet
Win95, 98, 98SE & ME
Personal Network Folder
Firewalls and Routers
Popular but Troublesome
The Good, the Bad, the Ugly
Configuration for VPN
Dialup VPN Settings
30
32
34
36
37
37
38
39
44
Netscape: Many of you are running Netscape as your Internet browser
on PPP/CompuServe. It is configured with an automatic proxy statement:
http://config.latimes.trb/proxy.pac or //news.latimes.com/proxy.pac
This configuration, with either proxy, will work nicely on VPN for access to
both the Internet and the Times Intranet (Editorial Library, etc.), but the
setting must be changed to “Direct connection to the Internet” if Netscape is
run on your ISP alone. Here’s how to change the Netscape setting from one
to the other:
Suggestion: Don’t actually
do anything here. Simply
digest the information, then
turn to Netscape Profile
Manager instructions on
the next page. The manager
will make things easy for
you. Netscape’s Edit menu
offers Preferences, as
shown at left. If you click
on the boxed “+” next to
Advanced, then click on
Proxies, configuration
choices will be displayed.
Click the radio button next
to “Direct connection to the
Internet.” Now click OK.
This makes everything right
for running Netscape on
your ISP alone. If Netscape
is being run on VPN, it
needs the “Automatic proxy
configuration” setting with
its Times proxy statement.
Just click its radio button,
then OK.
30
In Netscape, but not in Internet Explorer, you can create profiles that will
be conveniently ready for VPN on the one hand or ISP-only on the other. This
manual cannot devote much space to Netscape Profile Manager, but the program
is fairly straightforward. First, of course, you must have Netscape installed. Go to
Start, then Run. The Run line requires an entry of Netscape -profile_manager.
Yes, the line is nerdy, but you’ll only have to do this once. Don’t yield to your literate impulse to eliminate the space in the Run line. Netscape-profile_manager
(without the space) will NOT work, while execution of the precisely correct command will display the following box.
Read the directions in the box itself.
Your goal is to produce the profiles listed at left. The New button will allow
you to create them. In the end, when all
is done, the ISP Netscape Browser,
with its “Direct to Internet” setting, will
work nicely on an ISP-only connection,
and the VPN Netscape Browser, with
its Times proxy setting, will give
desired results on a VPN connection.
But all is not done yet. Click Back.
Henceforth, whenever you run Netscape, the box below is what you will
see first. The default “Profile name” will be whatever you ran last. If you need the
other one for your current session, drill down and select it. At this point, however,
simply Exit.
Okay, let’s test/refine the two profiles.
Connect to your ISP. Run Netscape,
choosing the ISP Netscape Browser.
Follow the directions on the previous
page, clicking the “Direct connection to
the Internet” button. When finished, exit
from Netscape and establish a VPN connection. Run Netscape, choosing the VPN
Netscape Browser. This time, of course,
you will click the “Automatic proxy configuration” button. If the proxy is not
there, enter it. Now the Netscape profiles
are configured to go both ways.
31
Outlook Web Access (OWA): This is the way you will access your e-mail
remotely. It saves you and your friendly support people a lot of trouble,
because you do not need the Outlook client installed on your home PC or
laptop. Once connected to your ISP or VPN, you will simply run your Internet
browser — usually Netscape or Internet Explorer — and then execute a URL,
specifically xxxxxxx.xxxxxxx.xxx. The beauty of this is that your Times e-mail
becomes available wherever in the world you have access to an ISP. It doesn’t
have to be your ISP. It can be somebody else’s. You can get your e-mail at
home or on the road, but you can also get it on an ISP-connected PC at a
friend’s home, at almost any business facility, and at cybershops in Switzerland
and Japan, just to name two of the world’s many Internet nations. This
constitutes a dramatic improvement in Times remote e-mail service. Execute
the URL — xxxxxxx.xxxxxxx.xxx — and you will see the window below. Hint:
Save a bookmark at this point for your future convenience. Enter your network
user name in the “Log On” box and click where it says “click here.”
The prompt at left will appear. There
is a delimiter between the xxxxxxx
and your user name. It’s shown here
as a xxxxxxxx, but a xxxxxxxxxxxx
will work just as well. The
“Password” is your normal,
unforgettable network password.
Click OK.
32
Okay, there you have it! Things look a little different from the office
version, but everything is essentially the same. Notice that only Page 1 of the
“Inbox” is displayed, but that you can click forward to Pages 2, 3, 4, etc.
Also be aware that OWA does not automatically notify you of a newly
received e-mail, as the full Outlook client does. To display any new
messages, or refresh the “Inbox,”you must click the Check for New Mail
icon on the toolbar, which looks like this:
Recommended logoff procedure: Click on the Log Off icon at the bottom
left of the OWA screen. The message below will appear. Follow directions
and close your Internet browser. Hint:You can just close your browser and
forget it.
Logoff:
To complete the log off process and prevent other users from
opening your mailbox, you must close your browser.
33
Network Settings for Win95, 98, 98SE & ME: Eventually you will have to deal
with settings for Client for Microsoft Networks, so you might as well do it now.
This is your operating system’s program for interacting with networks, most pertinently, in your case, the Times network. In general, PAL/CompuServe users are
already set up, and Editorial PPP users are not set up at all; nor, of course, are
those who buy new computers. These instructions show “screen grabs” from
Windows 98, but they are applicable to Win95, 98SE and ME. Go to your
Control Panel and double-click on the Network icon. The box below will appear.
There’s always something
to confuse us, isn’t there?
Contivity has replaced
Extranet as the name of
the Times VPN client, but
the VPN network adapter
is still called Extranet
Access Client Adapter, as
shown at left. Never mind.
We are not interested in
that right now.
Click once on Client for Microsoft Networks to highlight it as shown above,
then click on Properties to display the box on the next page.
Important Note: The Microsoft client may not be there, or it may be there
but not be visible. Scroll the directory to be sure. If it is not there, you must install
it. Click Add, then Client, then Add again, then Microsoft. Now pick Client for
Microsoft Network and click OK. You may be requested to insert your original
Windows CD-ROM disc. You certainly will have to reboot.
34
First, enter XXXXXXX as your
“Windows NT domain.” (Case is
not important. The entry could be
xxxxxxx.)
Other settings:
Logon validation: Do not check
the “Log on to Windows NT
domain” box. Yes, if the box is
checked, the Times logon script
will run, and your H: Drive will
be automatically configured.
Sounds good, doesn’t? But it will
take much longer for you to log
on, and you will drum your
fingers. Best advice: Leave the
box unchecked, and map the H:
Drive yourself, as detailed on
Page 36.
Network logon options: The
“Logon and restore network
connections” radio button should
be activated, as shown.
Clicking OK on the Networks Properties window above will return
you to the Network window displayed on the previous page. Click on the
Identification tab, and you will see the dialog box below. Unfortunately,
there is more to do.
“Computer name” can be anything you want,
provided it is not the same as a valid Times
server or your network name. Just to be safe,
let’s follow this convention: xxxxxxxxxxxx;
for example, xxxxxxxxxxx. There is a 14character limitation here, so truncate your
user name if necessary.
“Workgroup” must be XXXXX or xxxxxxx.
“Computer description” is completely
optional. It can be nothing at all or whatever
is desired.
Click OK and you will return to the
beginning of these network setups. Click OK
again to seal the new settings into your
operating system. You will be required to
reboot.
35
H: Drive Mapping: Some of you are not acquainted with the H: Drive,
although everybody has one when he/she logs onto a terminal in a Times
networked newsroom or office. You can store text or graphs there, and it is
much more secure than your PC’s hard drive, which eventually will crash
and lose its data. This H: Drive, or Home Drive as it is called, can also be
accessed remotely by VPN users. If the Times logon script is run in
conjunction with VPN logons, you will get access automatically. If not, you
won’t, but you can manually map the H: Drive while you are logged onto the
network via VPN. You may not be particularly interested in your H: Drive.
If so, forget about it. But if you want remote access to this storage place,
follow these directions:
Go to your desktop while logged onto the Times network. Right-click
on My Computer. Now click on Map Network Drive. The dialog box
above will appear, although the entries won’t be the same. For “Drive,” drill
down to the H: Drive and select it. For “Path,” . . . Ah, this presents a
problem for many of you. Most likely, you don’t know the name of your H:
Drive server. Xxxxxxx’s server is xxxxxxxx, but that’s probably not yours.
There are a number of such Times servers. If you don’t know the name of
yours, call the L.A. Help Desk — or, if you have access to a newsroom
networked terminal, as nearly all of you do, you can log onto that terminal,
go to My Computer and simply look. When Xxxxxxx does that, he sees
Xxxxxxxxxxxxxxxxxxxxxxx. Either way, you need the name of the server to
map your H: Drive for remote access. The “Reconnect at logon” box should
be checked. As usual, after all is done, click OK to seal the bargain.
36
DSLs & Cable Modems: [Firewall recommendations still pending]
America Online: The Times does not support America Online on either office or
private PCs. If you insist on using AOL, you are on your own. But let’s be practical here. Many of you already possess AOL and are happy with it. Your kids use
it. You and/or your spouse or significant other have joint or separate AOL e-mail
accounts. Now the Times is telling you that AOL won’t work as your VPN ISP.
Yes, that’s true — AOL won’t work reliably in that role — but what about just
keeping AOL around for the kids and spouse? No doubt the AOL program is
aggressive, always trying to take over, but there is plenty of anecdotal evidence
suggesting that AOL won’t be troublesome if the ISP/VPN programs are installed
on top — that is, to be perfectly clear, if ISP/VPN is installed after the AOL program was installed. But if you do this, and if it works (as it probably will), you
must never, never, never update your AOL version, because then AOL will think
it is the top dog again. And if it doesn’t work, or if your spouse or kids subsequently update AOL, innocently answering Yes to an AOL online suggestion that
the program be updated, don’t call the Times Help Desk. You will only be told:
“The Times doesn’t support AOL.” What do you do then? Hire an expert. A cottage industry has arisen to deal with the complexities of uninstalling AOL. Sorry,
but that’s the way it is, as some Times people have already discovered.
37
Passwords: Don’t forget your AT&T password or your Contivity PIN! Write
them down in a secret place. Such advice is heresy to security people. Don’t tell
anybody I told you to do that. But if you do forget your password, notify the Help
Desk and your account will be reset, meaning your AT&T password will revert to
XXX9999 or whatever. The reset won’t come immediately. The task must be done
in Chicago at present. If you forget your Extranet PIN, also notify the Help Desk.
If you lose your SecurID token, you are in more serious trouble. You must notify
the Help Desk and request a brand-new account, and you’ll have to fill out another VPN request form and get your supervisor to sign it. Your department will be
billed $50.
Another password matter: If the Times VPN gateway — the device that
handles authentications — gets the notion that your SecurID fob is out of sync, it
will issue a challenge that looks like the prompt below.
There is no online help here at all. What the hell is a passcode? An
unknown programmer, at some point in the development of Contivity, assumed
you would know. He knew, so why not you? Well, a passcode is your PIN plus
the six-digit readout on your VPN fob, rendered solid. To be clear: If your PIN is
999, you will respond with “999999999,” assuming your fob readout is
“9999.”
Warning: You must not make too many mistakes in this passcode
response. After three attempts, you may find yourself locked out of VPN, facing
what could be a lengthy delay in getting your authorities restored.
38
Internet Explorer: The Times proxy requirement for Netscape applies equally to
Microsoft’s Internet Explorer. The proxy — http://xxxxxx.xxxxxxx.xxx/xxxxx.xxx —
should be activated for Internet/Intranet access on VPN. It should be disabled for
Internet access on ISP alone. Unlike Netscape, IE offers no profile manager to
simplify the matter of switching from VPN connections to, say, the AT&T Net
Client running alone. The best plan may be to set up dialup settings for VPN and
then, when necessary, modify the settings for ISP alone — or vice versa, depending on which connection is used the most. DSL/cable users face a similar dilemma when switching between the two services. All Internet Explorer settings are
made in Internet Options. There are two ways to get there: 1) Go to your
Control Panel and double-click on Internet Options. 2) With IE running, go to
Tools, then Internet Options. The window below will appear.
This is where the home page is named. Since we are configuring a VPN
setup here, you may want to enter a Times Intranet site such as http://xxxx.xxxx.
xxxxxxx.xxx, the Editorial Library’s page. Many writers and editors prefer it
because, among other things, it offers a link to TimesOnline, the Editorial
archives. But any address will do. VPN provides access to both internal and external sites. Click the Connections tab, which displays the window on the next page.
39
Select AT&T Net Client or
whatever dialup ISP you
are using for VPN
operations. Click Settings
and the dialog box below
will be displayed.
Important Note to DSL
and Cable Modem Users:
You should choose LAN
Settings instead. Although
equally as remote as dialup
users, you connect directly
to the Times LAN. You
lucky guys and gals are not
dialup users. Click LAN
Settings and follow the
proxy instructions below,
which are actually aimed at
your less speedy comrades.
Make the settings exactly as
shown at right. Well, not
exactly. The “User name”
account information at the
bottom will be yours, not the
account shown here. The
Proxy Server entries are not
essential for dialup ISP users,
but they are essential for
DSL/cable VPN sessions. The
Proxy Server address is
xxxxx.xxxxxxx.xxx, not
xxxxx.xxxxx.xx as shown. The
damned field is not quite large
enough to display the entire
proxy name. Click OK here
and you will return to the
previous window, above.
Now click on the Advanced
tab. The window on the next
page will appear.
40
Scroll down to Internet
Explorer’s HTTP 1.1
Settings. Both boxes
should be checked as
shown. Click OK until
you are out of all this, and
you are done. Now, when
you’ve got a VPN
connection to the Times,
Internet Explorer will
work as desired, accessing
both internal and external
sites. Great, but what
about switching to an ISPonly connection? Sure,
you can do it, but changes
in the settings will be
required. IE is a bit
troublesome in this
respect. See below.
When you run Internet
Explorer on your ISP
connection alone, the settings
should be what you see at left.
But they may not be that way.
Happily, you can make
modifications on the fly,
within Internet Explorer itself.
Go to Tools, then Internet
Options and click on the
Connections tab. Make sure
your ISP is highlighted and
then click on Settings. Disable
the proxy data and enable
“Automatically detect
settings.” Click OK out of this,
and away you will surf on the
World Wide Web.
But wait! There are more IE
settings! See the next page.
41
Your Internet Explorer operations will be more efficient and
secure if you pay further attention to Internet Properties
settings. Go to Internet
Options, as instructed on Page
39, then click on the
Advanced tab. The window at
right will open. If you know
what you are doing, make your
own selections. If you don’t,
join the club and slavishly follow Times recommendations as
shown here. Scroll until you
reach the bottom, checking and
unchecking the boxes.
This list of settings may not
correspond exactly with
yours. It depends on your
Internet Explorer version. Just
do the best you can, referring
always to the Times recommendations.
One more page to go.
See the next page.
42
Keep on scrolling, checking
and unchecking, folks! You’ll
only have to do this once for
ultimate Internet Explorer performance.
The “Security” settings at left
may be the most important of
all. They will give a measure
of protection to both you and
the Times. Click OK out of
Internet Properties and
again out of Internet
Options. Finished at last!
43
MTU & RWIN Settings: If you are a dialup VPN user, and if you are running
Win95, 98, 98SE or ME, you can improve performance significantly by following
these instructions. Don’t bother (don’t even try) if you are running Win2000,
WinNT or WinXP. They are smart enough to handle things themselves. Also,
don’t bother if you are equipped with a DSL or cable modem, which is as good as
it gets. What we are talking about here is strictly for VPNers who dial out to ISPs
from machines running the earlier Microsoft operating systems.
What is MTU? It means Maximum Transmission Unit and is recorded in
your PC’s registry, where only the brave dare go. The Windows default MTU setting is 1500. This is the optimum setting for LAN connections, which, in a remote
sense, mean DSL and cable modems. It is too large, however, for dial-up connections. Since you are a dial-up VPN user, you’ll need to lower this setting to 576.
What is RWIN? It means Receive Window and is defined as “the amount of
unacknowledged data that can be outstanding on a TCP connection.” Don’t ask
what that means. Just accept the recommendation that RWIN should be set at 4.
Slip the Times VPN installation into your CD drive. The menu will appear.
Select “Update System Registry with MTUSpeed Pro v4.10” and click Install
Application, or just double-click the menu item.
44
Don’t worry about this being “for Windows 95.” It will work on Win98,
Win98SE and WinME as well. Select Dial-Up Adapter, as shown above. You may
have to drill down to select it. “Drill down” means clicking on the down arrow to
reveal a list of your adapters. Make sure the “Apply same values” box at lower
left is not checked and the “RWIN enabled” box at lower right is checked. Slide
the RWIN trackbar to 4. (If the bar won’t slide, click the Optimum Settings button and try again.) Now click the Change MaxMTU button. The New MTU
Setting dialog box will appear.
Enter 576 as a new MTU value. Click OK. Now you must also set the
MTU for the VPN Extranet adapter. Yes, Contivity’s adapter is still called
“Extranet.” Follow directions on the next page.
45
Drill down and select Extranet Access Client Adapter, as shown below.
Slide the RWIN trackbar to 4, click Change MaxMTU, enter 576 and click OK.
To seal the bargain, click the Update
Registry button. Click a final OK and
reboot. Your dialup VPN sessions should
go much better now, with fewer problems
when transmitting or receiving long stories
and other data.
46