AT&T Global Network Client Administrator's Guide for AT&T Global Network Client V Draft
- Carmel Harrison
2003, AT&T Corporation, All rights reserved
Table of Contents

Welcome
  Guide Overview
  System Requirements
  Distribution
  Installation Checklist
AT&T Global Network Client and MSI
  Install
  Uninstall
AT&T Global Network Client
  Default Software Update Process
  First Connection after Initial Install Updates
  Automated Check for Updates
  Manual Check for Updates
  Servers and Directories
Customizing the AT&T Global Network Client
  Customization Option One
  Customization Option Two
AT&T Global Network Firewall
  Overview
  AT&T Global Network Firewall Function
  Operational Modes
  Detail Explanation of AT&T Global Network Firewall
  Stateful Inspection
  Benefits of Kernel Level Implementation
  Behavior When IPSec VPN is Not Active
  Trusted LAN Customization
  Sharing Local Resources
  Exceptions to the Static Deny All Unsolicited Policy
  Centralized Administration Functionality
  Application Compatibility
  Firewall Conflicts
  NAT/Firewall Traversal
  Configuring UDP Encapsulation
Extended Access
  AT&T Business Internet Service (BIS) Internet Extended Access
  Authentication Options
  AT&T VPN Tunneling Services (AVTS) Managed VPN Extended Access
  Authentication Process
Custom Settings
  Service Manager
  Configuration Server
Document Revision History
Glossary of Terms
Index
Preface

Welcome

This guide will help you understand some of the advanced features of the AT&T Global Network Client. The AT&T Global Network Client is a program that enables your Windows [1] computer to easily connect to your company's private network and/or the Internet over dial and broadband connections. The AT&T Global Network Client provides a consistent, easy-to-use interface to access the network from all over the world. The simple installation and setup procedures provide quick access to the network. Advanced features provide convenient, time-saving options for even the most demanding traveling users.

This document is intended for IT professionals who are deploying the AT&T Global Network Client to their employees, or who wish to gain a better understanding of the administration of AT&T's remote access service.

Guide Overview

The remainder of this chapter includes System Requirements, Distribution and Installation Checklist. Those sections cover prerequisites to review before installing the AT&T Global Network Client.

This guide explains:

- AT&T Global Network Client and MSI
- Customizing the AT&T Global Network Client
- AT&T Global Network Firewall
- Extended Access
- Custom Settings (Service Manager and Configuration Server)

This administrator's guide is provided to you on an "as is" basis and AT&T shall have no liability for any errors or inaccuracies herein. This administrator's guide is subject to change without notice and you should consult your customer help desk or AT&T representative with specific questions.

[1] Windows is a registered trademark of Microsoft Corporation.
System Requirements

The AT&T Global Network Client and its components are supported on the following operating systems and hardware:

Operating Systems

- Windows 95 (With DUN 1.3)
- Windows 98
- Windows 98 SE
- Windows Me
- Windows NT 4.0 (SP 3 or later)
- Windows 2000 Professional
- Windows XP

Minimum System Requirements

- Pentium (or compatible) 133 MHz
- 32 MB RAM
- 5 MB free disk space (AT&T Global Network Client)
- 12 MB free disk space (optional components)
- 9600 modem that is recognized and configured by Windows

Note: For NT environments like Windows NT, Windows 2000, and Windows XP, administrator rights are required to install software.

Distribution

The AT&T Global Network Client can be downloaded from:

- For AT&T VPN IPSEC services: ftp://ftp.attglobal.net/pub/client/win32/nvsetup.exe
- For all other services: ftp://ftp.attglobal.net/pub/client/win32/ncsetup.exe

If you were given a customized version of the AT&T Global Network Client you should use only that version. Do not manually download one of the versions listed above.

The AT&T Global Network Client can be distributed on CD-ROM through coordination with your account administrator.

Installation Checklist

Before starting the AT&T Global Network Client installation and setup, complete the following checklist. If you are missing any information, please contact your account administrator.

- Account
- User ID
- Password
- Admin rights to install or upgrade on Windows NT, 2000 and XP
- Verify Windows Dial-Up Networking is installed (Version 1.3 or later).
- Verify Windows TCP/IP is installed.
- Your Windows install media (CD or installed CAB files) may be required.
- A modem and phone line is required for dial users -or- an existing Internet connection is required for other users.
Chapter 1
AT&T Global Network Client and MSI

Install

Microsoft Installer (MSI) utility packages can be installed locally and remotely. When installing locally the user must have Administrator rights or the installation will fail. A remote installation will likely be done using Active Directory Group Policy or SMS. The AT&T Global Network Client software must be installed per computer. The software is not designed for per-user installation. Please consult the Windows Installer: Benefits and Implementation for System Administrator's guide at taller.asp for more information regarding Windows Installer.

After the System Administrator publishes the package on the server for download to users, the AT&T Global Network Client, Driver, and Gina will install silently when the user is booting up the computer. The AT&T Global Network Client will show up under programs. The Administrator will need to advise the users that the software has been installed on their computer. The user will then need to open the Client and continue with setup as described in the AT&T Global Network Client User's Guide found at

Uninstall

If the Administrator removes the software from the server, the software will be removed from all users' computers. The user must restart or shut down to ensure the software is uninstalled. The user must reboot or shut down one more time for the AT&T Gina to uninstall.
Chapter 2
AT&T Global Network Client

Detailed information regarding the installation and use of the AT&T Global Network Client can be found in the AT&T Global Network Client User's Guide at

Default Software Update Process

The AT&T Global Network Client checks for software updates in three different situations: first connection after initial install, automated check, and manual check. The following components are checked each time:

- Phone List
- AT&T Global Network Client
- AT&T Global Network Firewall, aka IPSec/Firewall Drivers (if Firewall is installed)
- AT&T Global Network Location Database
- AT&T Global Network Client Net Logon Extension (download checkbox only displayed if Net Logon Extension is installed)

First Connection after Initial Install Updates

The AT&T Global Network Client will automatically check for newer versions of the downloadable components during the first successful connection after the initial install.

The default process for initial install:

- If the phone list on the server is newer than the Client installed phone list, the newer phone list will automatically download without prompting the user.
- If the Client on the server is newer than the Client installed, the user will be prompted to install the newer Client, and if the currently installed Client includes the IPSec/Firewall drivers the Client and drivers will be installed.
- If the Net Location Database is installed and the one on the server is newer, the user will be prompted to install the newer Net Location Database.
- If the AT&T Global Network Client with Classic or Hook Mode Net Logon Extension is installed and the one on the server is newer, the user will be prompted to install the newer Net Logon Extension. (For more information on the AT&T Global Network Client Logon Extension, see the AT&T Global Network Domain Logon Guide at

Automated Check for Updates

The AT&T Global Network Client is programmed to automatically check for software updates every 30 days by default. The exception to this is the Net Location Database, which automatically checks for updates every 90 days. The Client performs the first check 30 days after the install date, which it determines by comparing the install date with the system date.

The default process for automated checks:

- If the phone list on the server is newer than the Client installed phone list, the newer phone list will automatically download without prompting the user.
- If the Client on the server is newer than the Client installed, the user will be prompted to install the newer Client, and if the currently installed Client includes the IPSec/Firewall drivers the Client and drivers will be installed.
- If the Net Location Database is installed and the one on the server is newer, the user will be prompted to install the newer Net Location Database.
- If the AT&T Global Network Client with Classic or Hook Mode Net Logon Extension is installed and the one on the server is newer, the user will be prompted to install the newer Net Logon Extension. (For more information on the AT&T Global Network Client Logon Extension, see the AT&T Global Network Domain Logon Guide at

Manual Check for Updates

New releases of each of the components of AT&T Global Network Client can be downloaded through the Check for Updates dialog box as shown in Figure 1. Users can access this window by clicking on the arrow in the upper left-hand corner of the logon window, and then clicking on Check for Updates. An AT&T network server is queried for the most recent version of each component, which is compared against the version of each component currently installed. By default, this function will run automatically every 30 days. The AT&T Global Network Logon Extension will only display in Check for Updates if the component is installed.

After the query to the network server is complete, the Check for Updates dialog box is updated so that any installed component that is out of date will be selected by default. You may decide not to download a component by clicking on the checkbox next to it to remove the check from the box. The approximate size of each of the components in kilobytes is listed in the right column. Click the "Download" button to start downloading the selected components.
Figure 1: Check for Updates Window

Servers and Directories

The FTP server used to download Client components is located on the Internet. The IP address is (ftp://ftp.attglobal.net). The directory paths and file names for each component follow:

Phone List Files
  pub/dialtone/phonexn1.ph1
  pub/dialtone/phonescp.ph7
  pub/dialtone/phonelst.ver

Net Location Database
  pub/dialtone/phonelcz.ph5

Client Files
  pub/client/win32/ (filename included in the ncversion.ini)

IPSec/Firewall Drivers
  pub/client/win32/ (filename included in the ncversion.ini)

AT&T Global Network Client with Classic or Hook Mode Net Logon Extension
  pub/client/win32/ (filename included in the ncversion.ini)

Software Download ver File
  Pub/client/win32/ncversion.ini

If the AT&T Global Network IPSec/Firewall drivers are being used there is no reason to update the Client files, as the IPSec/Firewall drivers contain the current Client within the executable.

Software updates are stored in the following directories on Windows 2000 and Windows XP:

Phone List Files
  phonexn1.ph1 is renamed to phonelst.ph1
  phonescp.ph7
  (both files are located in a hidden directory located in local settings of the logged on user context, e.g. C:\Documents and Settings\RREY\LocalSettings\Application Data\AGNS\C~,PROGRA~1,AT&TGL~1,\Data )

Net Location Database
  pub/dialtone/phonelcz.ph5
  (the file is located in the same place as the Phone List Files above)

Client Files
  The file specified by the ncversion.ini criteria is downloaded to the install directory and renamed to ncsetup.exe. It is then run from the Client install directory.

IPSec/Firewall Drivers
  The file specified by the ncversion.ini criteria is downloaded to the install directory and renamed to nvsetup.exe. It is then run from the Client install directory.

AT&T Global Network Client with Classic or Hook Mode Net Logon Extension
  The file specified by the ncversion.ini criteria is downloaded to the install directory and renamed to ngsetup.exe. It is then run from the Client install directory.
Chapter 3
Customizing the AT&T Global Network Client

There are two options to customize the AT&T Global Network Client: option one is to use FastPath codes, and option two is a Client customized by AT&T.

Customization Option One

FastPath codes are a feature of the Client that allows certain characteristics to be customized very easily. By customizing the Client, customers optimize and simplify their users' experience. The user simply runs the standard install program, enters the FastPath code on the first window, and the install and Client programs are automatically customized.

Figure 2: FastPath code

FastPath codes are generated by AT&T. System Administrators should contact their AT&T representative with the request. FastPath codes can control the following features:

- "Save password" can be checked and/or hidden.
- "Traveling user" can be checked and/or hidden.
- "Use existing connection" can be checked and/or hidden.
- "Logon to network" can be checked and/or hidden.
- The Protocol setup window can be hidden.
- An Internet registration offer code can be configured.
- The Location Database component can be automatically installed.
- The Firewall component can be automatically installed.
- The Component page of install can be hidden.
- The Program Group page of install can be hidden.
- The setup windows can be configured to connect with customer-direct authentication.
- Default updates to third-party programs can be disabled.
- Disable program update.
Customization Option Two

The second option is to have AT&T create a customized client that all your users would use. This option is a billable option and must be done by an experienced AT&T custom developer. Here are some reasons why using a customized client (option 2) can be better than a standard install.

Branding
- Change titles, icon, and graphics
- Customize text on panels

Additional security
- Remove saved password check box.
- Hide IP addresses such as your DNS and WINS.

Reduce help desk calls and increased ease of use
- Reduce the number of panels your users will see during install and setup.
- Pre-select settings so users will not select incorrect information.
- Locking down settings reduces the chance of users making changes causing the client not to connect.
- Silent uninstalls of older versions of AT&T Dialer.

Administrative Control
- Control what versions your users upgrade to by using a custom FTP site.
- Pre-install some of the client's optional components.
- Customized helpdesk numbers.
- Display custom messages to your users during install.

It is important to know that the AT&T Global Network Client was engineered so that software updates will not affect your customized version of the client but will still allow you to benefit from getting updates. If you think this might be something your company could use, contact your AT&T sales representative for more details.
Chapter 4
AT&T Global Network Firewall

Overview

The AT&T Global Network Firewall is an optional component and is not intended for all services. This component is intended for all AT&T Managed Tunneling Services using the Integrated AT&T Global Network Firewall of the AT&T Global Network Client.

The Firewall:

- Blocks unsolicited non-tunnel IP traffic (does not block other protocols)
- Provides stateful inspection of all non-tunnel IP traffic
- Both solicited and unsolicited VPN traffic are allowed. VPN traffic can be limited through an Access Control List of pre-defined network addresses.
- Silently discards all unsolicited IP traffic

The AT&T Global Network Firewall component serves two purposes: it protects a computer as a network firewall and provides secure VPN connectivity. Therefore, the AT&T Global Network Firewall component is a requirement for all AT&T Managed Tunneling Services using the integrated AT&T Global Network Firewall of the AT&T Global Network Client.

The AT&T Global Network Firewall is implemented through a Microsoft Windows Network Device Interface Specification (NDIS) Intermediate Device Driver on your computer. Using NDIS, the AT&T Global Network Firewall becomes a part of your operating system and has the ability to monitor any potentially malicious TCP/IP network traffic that is flowing into your computer. The firewall functions are performed as part of that monitoring process. The Intermediate Device Driver is installed to act as a filter for all TCP/IP traffic flowing to and from the client machine.

On Windows 2000 and Windows XP using V5.08 or above, the virtual VPN interface is exposed to the IP stack and the traffic is controlled through the routing table. Network Address Translation (NAT) is no longer performed by AT&T software and WINS, DNS, and Domain Suffix are only modified on the Virtual VPN interface. The existing intermediate driver continues to function as a firewall, and to control VPN traffic using Access Control Lists.

The new VNIC architecture is shown in Figure 3: IPSec Intermediate Device Driver VNIC Architecture. The architecture for V5.07 and under is shown in Figure 4: IPSec Intermediate Device Driver Architecture (valid through V5.07).
Figure 3: IPSec Intermediate Device Driver VNIC Architecture

  Virtual Adapter (own IP stack), Network Configuration:
    IP Address:   Secure VPN Address
    DNS Address:  VPN DNS Address
    WINS Address: VPN WINS Address

  Existing NIC (own IP stack), Network Configuration:
    IP Address:   Internet Address
    DNS Address:  Internet Address
    WINS Address: Internet Address

Figure 4: IPSec Intermediate Device Driver Architecture (valid through V5.07)

  Existing NIC, Network Configuration:
    IP Address:   Internet Address (forcing AT&T Intermediate Device Driver to perform NAT using Secure VPN address)
    DNS Address:  VPN DNS Address
    WINS Address: VPN WINS Address
AT&T Global Network Firewall Function

Having the AT&T Global Network Firewall component installed and active helps protect your computer from potentially malicious attacks attempted by other users of a shared public infrastructure. If enabled, the Firewall is active whenever your computer is powered on. This is a meaningful security feature to help reduce exposure for always-active broadband connections, and it is recommended that broadband users keep the AT&T Global Network Firewall active at all times.

Every IP packet received by the remote client machine is monitored and verified by the AT&T Global Network Firewall to determine if it is a potential threat. If the packet received is determined to be unsolicited by the client machine, it is silently discarded. The AT&T Global Network Firewall does not perform any user notification of unsolicited traffic. If your computer did not request, negotiate, or grant permission for a connection with another machine, the traffic is silently rejected.

By protecting your remote workstation from potentially malicious attacks, the AT&T Global Network Firewall also bolsters the security of your company's secure network by insulating against potential attacks attempted through your computer. It will also inspect the traffic to ensure that port and SYNC status are correct, thereby thwarting attempts to use existing or recently expired session information for an attack. This blocks attacks from the Internet very effectively.

The only traffic that does not get checked by the firewall is the traffic that passes through an established VPN tunnel to resources defined by the Service Manager Access Control List. If all traffic is configured to pass through the tunnel, then any data not destined to a host contained in the Access Control List is discarded. If Dual Access is enabled, then all traffic that falls within the Access Control List is sent down the tunnel. Any traffic destined to a host not included in the Access Control List is sent out to the Internet. The firewall keeps track of these packets not destined down the tunnel and ensures that only proper responses to these requests are allowed.

Operational Modes

The firewall can operate in one of four modes:

1. Default

The default firewall configuration sets the firewall enabled at all times, on all adapters. System Administrators have the ability to make basic changes to the default configuration via Service Manager:

- Set firewall always enabled (Y) and set user control to N. The firewall is always enabled. The radio buttons on the AT&T Global Network Firewall Configuration Window (see figure 3) are grayed out so the user cannot access them.
- Set firewall always enabled (Y) and set user control to Y. The firewall is always enabled. The user can access the radio buttons on the AT&T Global Network Firewall configuration window (see figure 3) to turn the firewall off, but the setting in SM (enabled) takes precedence over the user's selection.

2. VPN Only

This mode disables the firewall when a VPN tunnel is not established. This mode is useful in environments that use enterprise management software to manage PCs on customer LANs (Tivoli, SMS, etc.) since the firewall would incapacitate such software.

When installed, the Firewall shows up both as a program and as a network adapter. The state of the Firewall should only be selected using the AT&T Global Network Firewall application, not via the Windows Network Control Panel.* To disable the Firewall, click the box next to each LAN adapter so that a check no longer appears in the box. The Firewall will automatically become active on all interfaces when the user initiates an IPSec tunnel, regardless of the settings manually selected. The Firewall will return to the manual settings after the user disconnects from their IPSec tunnel.

The user needs to be aware that disabling the AT&T Global Network Firewall through the Firewall application will disable the firewall protection whenever the user has not established an IPSec tunnel, including those times when the user initiates an Internet-only connection using the Client. A device that is used for Internet browsing (no tunnel established) is not protected by the Firewall if the adapter in use is not checked. This is particularly important for broadband users.

* Altering the configuration of the Firewall via the Network Control Panel will cause unpredictable results.

3. Trusted LAN

This option allows the customer to provide a list of IP subnets that the customer dispenses IP addresses from via their DHCP servers. The firewall checks every time a new DHCP address is assigned to the PC. If the IP address falls within the configured trusted subnet then the firewall is disabled. If the IP address does not fall within the trusted subnet the firewall is enabled. Regardless of the assigned IP address, if a VPN session is established the firewall is enabled on all interfaces. Currently this feature is only available via a custom kit. Once the trusted subnets have been established in the kit and the kit is deployed, there is no method available to dynamically update them.

Customers who are concerned about the effectiveness of the Firewall can install a secondary firewall that will function in addition to the AT&T Global Network Firewall. They may or may not see non-tunnel activity in their secondary firewall depending on the design of the third party firewall. In some instances the AT&T Firewall will have already discarded malicious traffic, and in other instances the third party will discard it first. The secondary firewall can, however, be used to inspect traffic received through the tunnel.

If you add a new network interface (i.e. a new Ethernet Network Interface Card) after the AT&T Global Network Firewall is installed, the AT&T Global Network Firewall will recognize the additional interface and automatically bind to it. This allows the AT&T Global Network Firewall to begin monitoring traffic sent across the new interface in addition to the existing interfaces.

4. Firewall Off Through Service Manager

In Service Manager the System Administrator has the option of setting the firewall so that it is always turned off. Set the firewall always disabled (N) and set user control to N. The firewall is always disabled. If the user selects the AT&T Firewall configuration window (see figure 3), the user will receive a message stating "Your network administrator has chosen not to use the AT&T Global Network Firewall."

Caution: The firewall will be turned off for all VPN services.
Detail Explanation of AT&T Global Network Firewall

Every IP packet that is received by the client machine is verified by the AT&T Global Network Firewall to determine if it is a potential threat. If the AT&T Global Network Firewall recognizes a packet as unsolicited by the client machine, it is silently discarded. An algorithm using a rolling list of recently contacted remote hosts determines a packet's solicitation status. Therefore, if the client did not request or negotiate communication with another machine, the communication is rejected. By protecting the client from malicious attacks the AT&T Global Network Firewall feature also bolsters the security of the customer's secure network by insulating against attacks attempted through the client machine.

Example: The client has IP address of and telnets to an Internet IP address of The AT&T Global Network Firewall would save the following information to the rolling list:

  Source IP | Destination IP | Source Port | Destination Port | Protocol
            |                |             | (telnet)         | TCP

Note that the destination port is specific to the Telnet protocol, and the source port was determined as an available port by the Telnet protocol during session initialization.

When the Telnet session is acknowledged by the remote host, an inbound packet would be presented to the client machine and evaluated by the AT&T Global Network Firewall:

  Source IP | Destination IP | Source Port | Destination Port | Protocol | Data
            |                |             |                  | TCP      | XXXX

The AT&T Global Network Firewall will receive the inbound packet, swap the source and destination ports, and verify the packet against the existing communications in the security list. In this instance, because the inbound packet matches an entry in the rolling security list, the inbound packet is allowed transport into the client machine.

If a user on the machine hosting the Telnet session attempted to attack the remote client by initiating a secondary Telnet session back to the client, an inbound packet from the attacker would be presented to the client machine and evaluated as:

  Source IP | Destination IP | Source Port | Destination Port | Protocol | Data
            |                |             |                  | TCP      | XXXX

This packet will be silently discarded because the destination port on the client is not currently logged as open in the security list. Therefore, the protected client machine will not respond to the communication.
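The following is an added example, not AT&T's driver code and not part of the original guide: a small user-space model of the rolling-list check walked through above, extended to the session-state handling that the Stateful Inspection section describes. The class and function names, the bounded oldest-first eviction policy, and the addresses (documentation ranges) are assumptions; ports 23 and 1005 are the ones the guide uses.

```python
# Added example: user-space model of the rolling-list check (not AT&T driver code).
from collections import OrderedDict
from dataclasses import dataclass

ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN", "ACK"}
    proto: str = "TCP"


class RollingList:
    """Sessions the client itself opened, oldest first."""

    def __init__(self, max_entries=1024):
        # Assumption: the list is bounded and evicts its oldest entry when full.
        self.max_entries = max_entries
        self.sessions = OrderedDict()   # 5-tuple -> "SYN_SENT" | "ESTABLISHED"

    def outbound(self, pkt):
        """Record traffic the client sends; outbound packets are never blocked."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)
        if pkt.flags & {"FIN", "RST"}:
            self.sessions.pop(key, None)          # client closed the session
        elif key not in self.sessions:
            self.sessions[key] = "SYN_SENT" if "SYN" in pkt.flags else "ESTABLISHED"
            while len(self.sessions) > self.max_entries:
                self.sessions.popitem(last=False)  # roll the oldest entry off
        return ACCEPT

    def inbound(self, pkt):
        """Decide whether an inbound packet answers something the client asked for."""
        # Swap source and destination so the key is expressed from the client's side.
        key = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)
        state = self.sessions.get(key)
        if state is None:
            return DROP                            # unsolicited: silently discard
        if pkt.flags & {"FIN", "RST"}:
            del self.sessions[key]                 # session over: remove the entry
            return ACCEPT                          # (sequence checks are out of scope)
        if state == "SYN_SENT":
            if pkt.flags >= {"SYN", "ACK"}:
                self.sessions[key] = "ESTABLISHED"
                return ACCEPT
            return DROP
        if "SYN" in pkt.flags:
            return DROP                            # session is past its initial state
        return ACCEPT


def telnet_walkthrough():
    """Replay the guide's Telnet scenario with constructed addresses."""
    client, server = "192.0.2.10", "198.51.100.7"  # constructed (RFC 5737 ranges)
    fw = RollingList()
    f = frozenset
    fw.outbound(Packet(client, server, 1005, 23, f({"SYN"})))
    return {
        "reply_to_telnet": fw.inbound(Packet(server, client, 23, 1005, f({"SYN", "ACK"}))),
        "second_session_back": fw.inbound(Packet(server, client, 4000, 23, f({"SYN"}))),
        "new_syn_on_open_port": fw.inbound(Packet(server, client, 23, 1005, f({"SYN"}))),
        "session_data": fw.inbound(Packet(server, client, 23, 1005, f({"ACK"}))),
        "session_close": fw.inbound(Packet(server, client, 23, 1005, f({"FIN", "ACK"}))),
        "after_close": fw.inbound(Packet(server, client, 23, 1005, f({"ACK"}))),
    }


if __name__ == "__main__":
    for step, verdict in telnet_walkthrough().items():
        print(f"{step:22} {verdict}")
```
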
Stateful Inspection

When negotiating communication across the Internet, the IP traffic negotiates several port states to identify the current state of communication. For example, when the above telnet session had completed, a packet would be sent identifying the ports (23 & 1005) between those two hosts as closed. These port state messages are recognized and monitored by the AT&T Global Network Firewall, so that when an active session has expired, the session is automatically removed from the rolling list to limit exposure to malicious attacks.

Example: If a user on the machine hosting the Telnet session above attempted to attack the remote client by initiating a new Telnet session on the open Telnet port (1005), an inbound packet from the attacker would be presented to the client machine and evaluated as:

  Source IP | Destination IP | Source Port | Destination Port | Protocol | Data
            |                |             |                  | TCP      | XXXX

The packet would be checked against the security list. The new session would attempt to SYNC the session. Because the session was already in progress, the port would no longer be in the initial SYNC state, so the packet is silently discarded. Again, the protected client machine will not respond to the communication.

Benefits of Kernel Level Implementation

Because of the use of the NDIS Intermediate Device Driver, the AT&T Global Network Firewall differs from most competing products in that it is implemented at the operating system kernel level rather than the user application level. This makes the AT&T Global Network Firewall more difficult to manipulate, circumvent, or remove from the client system than a firewall implemented at the application level.

Implementation at the operating system level also provides additional protection from "Denial of Service" attacks. "Denial of Service" attacks attempt to render a user machine unusable by flooding it with useless network traffic. The AT&T Global Network Firewall recognizes the traffic as unsolicited and does not allow the traffic to route into the IP stack of the client machine.

Finally, because of the kernel level implementation, the AT&T Global Network Firewall performs more efficiently than competing implementations, freeing more computing resources for the user application, rather than firewall security.

Behavior When IPSec VPN is Not Active

Account administrators control the optional feature allowing users to turn off the AT&T Global Network Firewall at times when there is no active AT&T IPSec VPN session using the AT&T Global Network Firewall Configuration Window. The AT&T Global Network Firewall Configuration Window lists the available network interfaces and allows the user to select which interfaces the AT&T Global Network Firewall should monitor. An example is shown in Figure 5.

Any selections made in the AT&T Global Network Firewall Configuration Window only apply when there is no active AT&T IPSec Virtual Private Network connection. Whenever there is an active IPSec Virtual Private Network connection, the AT&T Global Network Firewall is automatically enabled on all network interfaces to protect both the remote user and the Intranet.

Figure 5: AT&T Global Network Firewall Configuration Window

If a customer does not wish to allow access to the AT&T Global Network Firewall Configuration Window, a custom version of the AT&T Global Network Client can be deployed that does not include the AT&T Global Network Firewall Configuration Window. Beginning with version 5.05 of the AT&T Global Network Firewall, account administrators can control if users have access to the AT&T Global Network Firewall Configuration Window through the AT&T centralized administration engine, AT&T Service Manager (See Custom Settings in Appendix A). If a user does not have access to the AT&T Global Network Firewall Configuration Window, the AT&T Global Network Firewall is always active on all network interfaces by default.

Trusted LAN Customization

Many laptop users utilize shared broadband access outside the office, but a trusted LAN environment in the office. To protect these users when using shared access it is important that the firewall remain active at all times. However, the firewall may impact their productivity in a trusted office environment.
Account administrators can request a special customization that allows the AT&T Global Network Firewall to recognize the office LAN and allow traffic from trusted hosts on the office LAN to route to the client machine regardless of solicitation status. Account administrators must provide AT&T a list of subnets defining their trusted LAN and, using that list, the AT&T Global Network Firewall will verify if the client resides on a trusted LAN when the machine is powered on. If the user initiates an IPSec VPN while in the office, the AT&T Global Network Firewall automatically ignores the 'Trusted LAN' customization and follows the rules of the service.

The 'Trusted LAN' customization requires users be configured to use DHCP when running Windows 95, Windows 98, Windows 98 SE, or Windows ME. Windows NT 4.0, Windows 2000, and Windows XP users are supported for both static (v5.05+) and DHCP IP addressing. The subnets defining the trusted LAN are static and must be supplied at customization time, before client deployment. A maximum of 125 subnets can be used to define the trusted LAN. This feature is available through a custom kit only.

Sharing Local Resources

Customers may still wish to access local resources (such as printers and other servers) outside the tunnel while an IPSec tunnel is established. This requires an IPSec dual access capable service on the AT&T Global Network Client. IPSec dual access allows users to access destinations outside the tunnel either locally or through the Internet in addition to resources down the tunnel.

Users that host shared resources to the local LAN (such as printers) will not be able to do so while an IPSec tunnel is established. This traffic will be viewed as unsolicited IP traffic, and will be silently discarded by AT&T Global Network Firewall. Customers who need to provide this hosting capability will not be able to do so while the IPSec tunnel is established unless the AT&T Global Network Firewall is disabled administratively from Service Manager (see Operational Modes above). This does, however, leave users unprotected unless alternate firewall protection is employed.

Users on Windows 2000 or Windows XP connecting via the AT&T Global Network Client V5.08 or above will not have a DNS or WINS name resolution problem accessing local and non-local resources in a multi-homed environment.
Otherwise, in some Dual Access configurations, users may require special accommodations for DNS or WINS name resolution for local and non-local resources simultaneously. Customers have the option of specifying different DNS/WINS server addresses via Service Manager for use while the IPSec tunnel is established, or they may continue to use local or existing DNS/WINS settings.

In pre-5.08 Clients or earlier OS's, any negative reply from a DNS/WINS server is authoritative and final. In such a case, the DNS server to which the machine resolves must be configured to resolve for both environments. If this is not possible, some less optimal alternatives do exist. They include:

- Referring to resources from one of the two environments using IP addresses only,
- Defining name to address translations in local hosts or lmhosts files on each Client user's PC.
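The Trusted LAN customization described earlier depends on a static subnet list that cannot be changed after deployment, so the list is worth checking before it is handed to AT&T. The following is an added example, not AT&T code: it validates a constructed list against the 125-subnet limit and models the decision the guide describes (trusted hosts are admitted only when the client itself is on the trusted LAN and no IPSec VPN is active). The function names, the sample addresses and the "too broad" threshold are assumptions.

```python
import ipaddress

MAX_TRUSTED_SUBNETS = 125  # limit stated in the guide
MIN_PREFIX_LEN = 8         # assumption: broader entries are flagged for review

# Constructed sample list, as an administrator might draft it before submission.
SAMPLE_SUBNETS = [
    "10.20.0.0/16",
    "192.168.5.0/24",
    "10.20.30.0/24",   # already covered by 10.20.0.0/16
    "10.1.2.3/24",     # host bits set: not a subnet definition
    "0.0.0.0/0",       # would treat every address as trusted
]


def validate_trusted_subnets(entries):
    """Return (networks, problems) for a list of IPv4 CIDR strings."""
    networks, problems = [], []
    for entry in entries:
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry}: {exc}")
            continue
        if net.prefixlen < MIN_PREFIX_LEN:
            problems.append(f"{entry}: too broad to describe an office LAN")
            continue
        if any(net.overlaps(known) for known in networks):
            problems.append(f"{entry}: overlaps an earlier entry")
            continue
        networks.append(net)
    if len(networks) > MAX_TRUSTED_SUBNETS:
        problems.append(
            f"{len(networks)} subnets exceed the limit of {MAX_TRUSTED_SUBNETS}"
        )
    return networks, problems


def unsolicited_allowed(networks, client_ip, source_ip, vpn_active):
    """Decide whether the Trusted LAN relaxation admits unsolicited traffic.

    Assumption: recognition is by subnet membership only, which is all the
    guide describes.
    """
    if vpn_active:
        return False  # customization is ignored; the service's rules apply
    client = ipaddress.IPv4Address(client_ip)
    source = ipaddress.IPv4Address(source_ip)
    on_trusted_lan = any(client in net for net in networks)
    from_trusted_host = any(source in net for net in networks)
    return on_trusted_lan and from_trusted_host


if __name__ == "__main__":
    nets, issues = validate_trusted_subnets(SAMPLE_SUBNETS)
    print("accepted:", [str(n) for n in nets])
    for issue in issues:
        print("review:", issue)
    # Office desk, no VPN: a trusted host may reach the client unsolicited.
    print(unsolicited_allowed(nets, "10.20.4.7", "10.20.9.1", vpn_active=False))
    # Same desk with an IPSec VPN up: the relaxation no longer applies.
    print(unsolicited_allowed(nets, "10.20.4.7", "10.20.9.1", vpn_active=True))
```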
Exceptions to the Static Deny All Unsolicited Policy

The only exceptions to the static deny all unsolicited firewall policy exist when there is an active VPN connection. When VPN connected, the firewall does not interfere with VPN traffic. With an active VPN connection users receive all VPN traffic, solicited or unsolicited. Administrators have the ability to define an Access Control List identifying the hosts with which a user can communicate through the VPN. Then the user can only initiate communication to those hosts defined in the Access Control List. If an Access Control List is not defined, all traffic is considered VPN traffic.

Administrators can also define an Access Control List for their non-VPN interfaces (aka Internet interface). This is known as the fenced Internet Access Control List. If a fenced Internet Access Control List is defined, when VPN connected, those hosts in the fenced Internet list can initiate unsolicited traffic to the user.

Centralized Administration

The current version of the AT&T Global Network Firewall does not allow for centralized administration. Future plans include the ability to configure and administer the AT&T Global Network Firewall via the AT&T Service Manager.

Functionality

By default, the AT&T Global Network Firewall feature is active on all network card interfaces and all Microsoft Remote Access Services WAN/Dial-Up Networking interfaces whenever the client machine is powered on, regardless of whether there is a current connection to an AT&T network. This is a meaningful security feature to reduce exposure for always-active broadband connections. The user can be confident that the AT&T Global Network Firewall is constantly monitoring the IP traffic attempting to enter and exit the machine.

The AT&T Global Network Firewall automatically supports all standard business applications and protocols. In some cases, users may be using their personal PC to support business connectivity.
For them, the firewall may affect the functionality of their non-business applications, such as Internet gaming. Users may be able to disable the AT&T Global Network Firewall when not accessing their corporate network through the AT&T Global Network Firewall Configuration Window.

The customer's secure network can be a shared secure network such as the AT&T Managed Data Network or a secure network private to an individual customer.

Negotiation includes a list of pre-determined network addresses as well as communication initiated by the client machine to communicate with another machine via a specific protocol. The account administrator sets the pre-determined Access Control List when the account is created. The Access Control List is used during secure IPSec tunnel sessions. During a secure session, data flowing to or from a machine on the Access Control List can flow freely without blocking. This allows users on the secure network to initiate communication with a remote peer. The protocol used to negotiate the communication is important because several ports may be opened on the client machine based on a single negotiation. For example, if a client initiates an FTP transfer with a remote host, the initiating port is opened, as well as the data return port, which is different than the initiating port.

A WAN connection is equivalent to a connection made through a PC com port.

The Access Control List is determined at the account administrator level and is communicated to the AT&T IPSec Intermediate Driver during authentication to a secure session.

Application Compatibility

It is important to note that because of protocol negotiation, some applications do not work through a standard firewall without special processing. An example of this is Net2Phone, which communicates on several ports and embeds port and address information within the data stream. Without additional logic supporting the Net2Phone negotiation in the firewall, a user would not be able to successfully implement the application through a firewall. The AT&T Global Network Firewall has a commitment to perform the necessary logic to support the unique requirements of all business applications.

Firewall Conflicts

The Client program uses IP to communicate with other computers on the network just like other network programs (such as web browsers and programs). Third-party personal firewalls (like ZoneAlarm and BlackICE) can prohibit certain types of network communication. The following list describes some of the network communication that the Client performs during a connection. Some firewalls must be configured to allow the Client to communicate with the network in order for these features to function properly.

1. Dial Authentication
The Client uses a proprietary enhanced authentication process. After dialing and completing PPP negotiation with a bogus password, the dialer attempts to ping the dialed gateway (using ICMP). Then the dialer opens a TCP socket on port 5053 to the gateway to perform enhanced authentication.
During enhanced authentication, a session key is exchanged and authentication credentials are verified across an Advanced Encryption Standard (AES)-encrypted data stream. A customization could be made to the Client to disable enhanced authentication and use PAP instead, but the following consequences would occur:

- Meaningful error messages are lost. Instead of "invalid user ID", "expired password", "revoked password", etc. the user only sees "authentication failed".
- Login retries are lost. The user must redial to change user ID or password.
- The ability to warn a user if a closer access number is available is lost.
- Ability to change passwords is lost.
- The AT&T helpdesk will not provide first-level support without special arrangements.
AT&T recommends adding policy rules to the firewall to allow enhanced authentication to be used.

2. Disconnect warning
The Client communicates with the dialed gateway after connecting to be notified of pending disconnects. For example, a user can configure an inactivity timeout in the Client of 20 minutes with a warning 1 minute before disconnecting. The Client sends a UDP datagram on port 7000 to the dialed gateway informing it of the settings. The dialer then listens on UDP port If the connection is idle for 19 minutes a datagram is sent from the gateway to the Client and the Client displays a warning that the connection will be disconnected in 1 minute unless the user takes the appropriate action. Maximum inactivity timeouts are set in the AT&T network at the account level. The AT&T gateways will timeout inactive connections regardless of the client used. However, the warning will only be displayed if the Client is allowed to communicate on UDP port This is not a critical feature, but AT&T recommends adding policy rules to the firewall to allow disconnect warnings to be used.

3. Software updates
The Client periodically checks for updates to its phone list and the program itself. The Client uses standard, anonymous FTP (TCP port 20 and 21) to check and download updates. Normally updates are downloaded from , but this can be customized to download from any address. AT&T recommends adding policy rules to the firewall to allow software updates from that server. Alternately, the customer can have the Client customized to download updates from a server on the customer's internal network. The customer is responsible for maintaining the FTP server and keeping its software and phone list current. This customization is not recommended because experience has shown that most customers have regretted maintaining their own server.

4. SLA data collection
The Client uploads data about all connection attempts to a server after connecting.
All connection attempts including busy signals, failed authentication, retries, modem failures, etc. are included in the data sent to the server. This data is used for measuring SLAs (Service Level Agreements). In Client versions prior to 5.05 the data was sent using HTTP (TCP port 80) to one of the following addresses: , , , or Beginning with version 5.05, the data is sent using HTTP (TCP port 80) to one of the following addresses: and If this SLA data is not collected, AT&T will not provide service-level guarantees. AT&T recommends adding policy rules to the firewall to allow SLA data to be sent to those servers.

5. Config server updates
The Client requests configuration settings (like start page, server, proxy server, etc) from the "config server." The Client updates third-party and browser programs with these settings. The request is sent from the client on TCP port 1800 to one of the following addresses , , , AT&T recommends adding policy rules to the firewall to allow config server data to be requested from those servers.

6. VPN Tunneling
When connecting with a service that requires VPN tunneling, the Client uses IPSec to communicate with the tunnel server. The IPSec protocol uses the following ports for key exchange, encrypted data flow, and digital certificate checking.

Port | Protocol | Direction | Application
     | ESP (50) | in/out    | IPSec tunnel
21   | TCP      | out       | Passive FTP for Client Updates
80   | HTTP     | out       | Remote Access Repository
500  | UDP      | in/out    | IPSec ISAKMP negotiation
     | UDP      | in        | UDP Wrapper Users
1800 | TCP      | out       | Configuration Server Query
4500 | UDP      | in        | IPSec with NAT-Traversal
5080 | TCP      | out       | Service Manager authentication

AT&T recommends adding policy rules to the firewall to allow IPSec tunneling if needed.

Note: The addresses and protocols specified in this note are subject to change in future versions of the Client.

NAT/Firewall Traversal

The AT&T Global Network Client/Network Firewall IPSec implementation supports NAT/Firewall traversal by UDP encapsulation of IPSec traffic. UDP encapsulation offers many advantages for remote access users:

1. Traverse NAT/Firewall devices that perform port address translation.
IPSec is an IP protocol, not a TCP or UDP protocol. The AT&T Client drivers operate in tunnel mode (not transport mode) where the entire original IP packet is encrypted and encapsulated with the outer IPSec IP packet. In this case the UDP/TCP port values are not available for a NAT device to evaluate, therefore a NAT mechanism based on the TCP or UDP port values will not work with IPSec in tunnel mode. Therefore, all tunneled IPSec traffic is UDP encapsulated such that the traffic appears to be UDP traffic to firewalls/routers.
2. Traverse NAT/Firewall devices that do not allow IPSec ESP packets to pass through.
Some firewall/routers are configured to prevent IPSec ESP or IP Protocol 50 from passing through. By encapsulating this traffic as UDP, the IPSec ESP traffic will appear to be UDP and pass through the firewall.

3. Multiple users can establish VPN connections through a NAT/firewall device to the same VPN Endpoint.
When multiple users connect to the same VPN endpoint from behind a NAT/firewall device, the VPN endpoint only communicates with a single IP address, the NAT/firewall device's IP address. When multiple tunnels are established to the VPN endpoint with normal IPSec ESP traffic it is not possible for the VPN endpoint to uniquely identify multiple tunnels. By UDP encapsulating the ESP traffic, the NAT/firewall device will perform port address translation, thus presenting a unique UDP source port to the VPN endpoint for each tunnel. This allows the VPN endpoint to manage multiple IPSec tunnels individually even when established using the same source IP address.

Configuring UDP Encapsulation

A preference labeled "Negotiate UDP Encapsulation with VPN server for NAT Traversal." is available in the Login Properties/Preferences panel as shown in Figure 6 to allow an end user to specify the use of UDP encapsulation. Starting with version 5.08+, the default value for this preference can be centrally configured in Service Manager. To utilize UDP encapsulation, this preference must be selected along with configuring the UDP Encapsulation/NAT Traversal settings on the VPN endpoint.

Figure 6: Login Properties/Preferences
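The third advantage above, several tunnels from behind one NAT device to the same VPN endpoint, can be seen in a small model of port address translation. This is an added example, not code from the Client: the PatDevice class, the documentation-range addresses and the choice of UDP port 4500 on both sides are assumptions, and real NAT devices differ in how they treat raw ESP (here the most recent sender keeps the binding).

```python
from collections import namedtuple

# sport/dport are None for ESP, which carries no port fields.
Packet = namedtuple("Packet", "proto src sport dst dport")

ESP, UDP = 50, 17  # IP protocol numbers

# Constructed topology: two users behind one NAT, one VPN endpoint.
CLIENTS = ["192.168.1.10", "192.168.1.11"]
ENDPOINT = "198.51.100.1"
NAT_PUBLIC_IP = "203.0.113.5"


class PatDevice:
    """Minimal port-address-translating NAT (illustrative model only)."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.udp_out = {}  # (inside ip, inside port, dst, dport) -> public port
        self.udp_in = {}   # public port -> (inside ip, inside port)
        self.esp_in = {}   # remote ip -> inside ip; no port to key on

    def outbound(self, pkt):
        """Translate a packet leaving the private network."""
        if pkt.proto == UDP:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.udp_out:
                self.udp_out[key] = self.next_port
                self.udp_in[self.next_port] = (pkt.src, pkt.sport)
                self.next_port += 1
            return pkt._replace(src=self.public_ip, sport=self.udp_out[key])
        # ESP: only the address can be rewritten, so one binding per remote
        # peer exists and the latest sender overwrites the previous one.
        self.esp_in[pkt.dst] = pkt.src
        return pkt._replace(src=self.public_ip)

    def inbound(self, pkt):
        """Return the inside host that receives a reply, or None if dropped."""
        if pkt.proto == UDP:
            binding = self.udp_in.get(pkt.dport)
            return binding[0] if binding else None
        return self.esp_in.get(pkt.src)


def simulate(clients, endpoint, encapsulate):
    """Return (distinct sources the endpoint sees, replies delivered correctly)."""
    nat = PatDevice(NAT_PUBLIC_IP)
    seen = {}
    for client in clients:
        if encapsulate:
            pkt = Packet(UDP, client, 4500, endpoint, 4500)
        else:
            pkt = Packet(ESP, client, None, endpoint, None)
        seen[client] = nat.outbound(pkt)
    correct = 0
    for client, out in seen.items():
        # The endpoint answers to whatever source address/port it observed.
        reply = Packet(out.proto, out.dst, out.dport, out.src, out.sport)
        if nat.inbound(reply) == client:
            correct += 1
    distinct = len({(out.src, out.sport) for out in seen.values()})
    return distinct, correct


if __name__ == "__main__":
    print("raw ESP         :", simulate(CLIENTS, ENDPOINT, encapsulate=False))
    print("UDP encapsulated:", simulate(CLIENTS, ENDPOINT, encapsulate=True))
```

With raw ESP the endpoint sees one source for both tunnels and only one user receives return traffic; with UDP encapsulation each tunnel has its own translated source port and both replies reach the right host.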
IPSec and NAT/Firewall traversal is currently a high priority for the IPSec Working Group, but the proposed solutions are still in draft format and have not been accepted as RFCs. Since the industry has not adopted a standard approach, our implementation varies based on tunnel endpoint as listed below:

SIG - NAT devices are auto-detected through a series of hashes during IKE negotiations. The AT&T Global Network Firewall uses UDP port 4500 as the source port and UDP port 500 as the destination port in IKE negotiations and ESP IPSec data flows. This implementation is based off the following Internet drafts:

Nortel - NAT devices are auto-detected through a series of hashes during IKE negotiations. IKE and IPSec ESP traffic are UDP encapsulated using available UDP ports above 1024 combined with the UDP port specified in Nortel switch configuration (typically UDP port 4500).

CISCO - NAT devices are auto-detected through a series of hashes during IKE negotiations. The AT&T Global Network Firewall uses UDP port 4500 as the source port and UDP port 4500 as the destination port in IKE negotiations and ESP IPSec data flows. This implementation is based off the following Internet drafts:

The AT&T Global Network Client/Network Firewall supports most NAT/firewall devices. There are known difficulties when tunneling IPSec traffic through NAT/Firewalls which are documented in the IPSec Working Group draft as AT&T is committed to supporting all NAT device vendors that are aware of the known IPSec compatibility issues and comply with the industry standards.
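The Firewall Conflicts list earlier in this chapter names the flows a third-party personal firewall has to permit. The following added example, which is not AT&T code, checks a rule set against those flows and reports which Client features would stop working. The first-match rule format and the sample policy are constructed for illustration; flows whose port or address is not given in this copy of the guide (the disconnect-warning listen port, the UDP wrapper port, TCP 20 whose direction depends on FTP mode) are left out.

```python
# Flows the guide lists for the Client: (feature, protocol, port, direction).
# port is None for protocols that have no port numbers.
REQUIRED_FLOWS = [
    ("Dial authentication", "icmp", None, "out"),
    ("Dial authentication", "tcp", 5053, "out"),
    ("Disconnect warning", "udp", 7000, "out"),
    ("Software updates", "tcp", 21, "out"),
    ("SLA data collection", "tcp", 80, "out"),
    ("Config server updates", "tcp", 1800, "out"),
    ("VPN tunneling", "esp", None, "in"),
    ("VPN tunneling", "esp", None, "out"),
    ("VPN tunneling", "udp", 500, "in"),
    ("VPN tunneling", "udp", 500, "out"),
    ("VPN tunneling", "udp", 4500, "in"),
    ("VPN tunneling", "tcp", 5080, "out"),
]

# Constructed third-party firewall policy: (action, direction, protocol, port).
# direction/protocol may be "any"; port None matches every port.
SAMPLE_POLICY = [
    ("allow", "out", "tcp", 80),
    ("allow", "out", "tcp", 443),
    ("allow", "out", "tcp", 21),
    ("allow", "any", "udp", 500),
    ("allow", "any", "esp", None),
    ("deny", "any", "any", None),
]


def evaluate(policy, proto, port, direction):
    """First matching rule decides; traffic matching no rule is denied."""
    for action, rule_dir, rule_proto, rule_port in policy:
        if rule_dir not in (direction, "any"):
            continue
        if rule_proto not in (proto, "any"):
            continue
        if rule_port is not None and rule_port != port:
            continue
        return action == "allow"
    return False


def audit(policy, flows=REQUIRED_FLOWS):
    """Return {feature: [blocked flow, ...]} for features the policy breaks."""
    blocked = {}
    for feature, proto, port, direction in flows:
        if evaluate(policy, proto, port, direction):
            continue
        label = f"{proto}/{port} {direction}" if port is not None else f"{proto} {direction}"
        blocked.setdefault(feature, []).append(label)
    return blocked


if __name__ == "__main__":
    for feature, flows in audit(SAMPLE_POLICY).items():
        print(f"{feature}: blocked {', '.join(flows)}")
```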
Chapter 5 Extended Access

Extended Access is an AT&T offering that allows remote users to access the network through local points of presence (PoPs) that are owned and managed by another Internet Service Provider (ISP) that is an AT&T partner. Extended Access provides local access in over 90 countries where AT&T does not have PoPs. There is an hourly access charge for the use of Extended Access based on region.

The Extended Access ISP proxies users' authentication requests to AT&T to allow access to the Internet. The protocol and data flow for connecting to Extended Access PoPs vary depending on the service being accessed. For more information, go to the AT&T Extended Access web site at

AT&T Business Internet Service (BIS)

New AT&T customers registered in the United States and Canada that have signed an AT&T Master Agreement dated 10/21/02 or later, and existing customers that have previously signed an agreement that references the AT&T Business Internet Services Global Service Description are eligible to use the feature immediately. All other customers should contact their account representative.

Extended Access for BIS requires a custom Client--the generally available E-Access Client, or a customization added to the customer's already customized Client.

Internet Extended Access Authentication Options

When connecting to an Extended Access PoP for AT&T's Business Internet Service, clear-text user IDs and passwords are typically used for the connection process as shown in Figure 7. However, if the AT&T Global Network Client and Firewall are used to connect, the connection process is encrypted and enhanced (see Figure 8).
Figure 7: Internet Extended Access with Clear-Text Password - Overview Diagram

AT&T VPN Tunneling Services (AVTS)

Contact your AT&T Account Representative to order this feature. AVTS customers do not require a custom Client. The System Administrator gives the users access to the extended PoPs by enabling the Extended Access field in Service Manager (see Appendix A).

Managed VPN Extended Access Authentication Process

When connecting to AT&T's Managed VPN service through an Extended Access PoP, the connection flows are encrypted and enhanced. This connection requires the AT&T Global Network Client and Firewall on the remote user's computer. The connection process involves three phases as described and illustrated below.

Phase 0 - The dial link to the Extended Access PoP is established. In most cases, an authenticated status is granted to the user so that the Extended Access PoP grants the user limited Internet access. Internet access is limited by the AT&T firewall to only allow communication to the AT&T authentication servers so that phase 1 authentication can commence.

Phase 1 - Enhanced authentication is conducted between the AT&T client and an AT&T authentication server. Enhanced authentication flows are encrypted and provide a robust protocol that allows authentication challenges and meaningful error messages. (Authentication challenges include scenarios such as invalid password, next card code, new PIN, etc.)

Phase 2 - The VPN connection is established. This includes negotiating protocols, establishing privacy, and again authenticating the user.
Figure 8: Managed VPN Extended Access Overview Diagram
Appendix A Custom Settings

AT&T provides System Administrators the tools to define settings pushed down to the AT&T Global Network Client (AKA Client). These settings are sent to the Client by Service Manager or by the Configuration Server (AKA Config Server). System Administrators supply AT&T Enablement with their customer specific information for variables pushed down by Service Manager or the Config Server. System Administrators have access to a web based tool to enter the customer specific values pushed down from Service Manager.

Service Manager

Administrators can update the following fields on Service Manager for your corporate Internet users. Administrators can access the web page for updates at

1. Authentication method - Specifies the way the user is to be authenticated. Must be D, L, R, S, or W for a regular (non-model) ID. Must be D, L, R, S, W, or blank for a model ID. Valid values are:
   D - Radius
   L - LDAP
   R - RACF
   S - SecurID
   W - SafeWord

2. Help Desk number - The help desk number you want your users to call for help.

3. Default service type - Optional. A two character code to be used when authenticating for IP services. Valid Values:
   03 = LAN Dial
   05 = Secure IP Dial
   06 = Internet
   07 = Async Terminal Services (ATS)
   08 = Async Pass Through
   09 = Dual Access
   0A = VPEF (VCOM, XPC)
   0B = Multi-Protocol Tunneling (MPT, LAN Dial V2)
   0C = Fixed IP
   0D = Managed Tunneling Service using PPTP (MTS/PPTP)
   0E = Managed Tunneling Service using PPTP with Multi-Protocol
   0F = TCP Clear
   10 = Managed Tunneling Service using IPSec (MTS/IPSec)
   11 = 3D (Internet, Common Services, Tunneling)
   12 = Managed Tunneling Services using IPSec with Dual Access

4. Idle dial timeout - Specifies a service-level value. A blank, which is the default, implies the value is provided by the LIG. If specified, the value must be between 1 and 720 for all services except Internet, for which the value range is 1 to 35. For no timeout, set it to 999, but 999 is not allowed for Internet service.

5. Tunnel Dual access - Specifies whether the user is enabled for the dual access feature of IPSec Managed Tunneling. A Y in this field will also allow the user to access Internet locations. The default is blank. The values are as follows:
   Y = Dual Access enabled
   N = No Dual Access

6. Analog auto dial backup - Optional. The default is blank. Valid Values:
   0 = Automatic Backup is not allowed
   1 = Automatic Backup is allowed using 1 line
   2 = Automatic Backup is allowed using 2 bundled lines
   U = Automatic Backup is allowed using an unlimited number of bundled lines

7. ISDN auto backup - Optional. The default is blank. Valid Values:
   0 = ISDN Automatic Backup is not allowed
   1 = ISDN Automatic Backup is allowed using 1 B channel
   2 = ISDN Automatic Backup is allowed using 2 bonded B channels
   U = ISDN Automatic Backup is allowed using an unlimited number of bundled lines
8. Dial session timeout - Specifies the time, in minutes, that the Dial Session will maintain a connection before a timeout occurs and the session is dropped. Valid range is 1 through 7,

9. Enable AT&T firewall - Optional. The default is blank. It can be inherited from a model ID. Specifies that the firewall is always enabled. Valid values:
   Y = Firewall is enabled
   N = Firewall is completely disabled

10. User controlled firewall - Optional. The default is blank. It can be inherited from a model ID. This will allow the user to turn the firewall on or off. Valid Values:
   Y = user is allowed to turn firewall off
   N = user is not allowed to turn firewall off

11. Time for password to expire - Can only be updated by AT&T.

12. Activity threshold timeout - Optional. It can be inherited from a model. Specifies a 3 bytes numeric value in minutes for the AT&T Global Network Client to timeout the user. The valid range is from 1 to 60 minutes.

13. Activity threshold bytes - Optional. It can be inherited from a model. Specifies a 5 bytes numeric value in bytes for the AT&T Global Network Client to control the maximum bytes allowed in a packet for the user. The valid range is from 50 to 50,000 bytes.

14. Extended Access allowed - Specifies whether the user can access the network via extended reach Points of Presence (POPs) which are provided by partner ISPs. The default is blank. Valid Values:
   Y = user is allowed Extended Access
   N = user is not allowed Extended Access

15. DNS - Specifies the primary and secondary DNS values for your account.

16. WINS - Specifies the primary and secondary WINS values for your account.

17. Domain name - The name of the domain for the client session.

18. Domain Search Suffix 1-5 - Up to 5 domain suffixes may be entered to aid in web address searching (for example, att.com).

19. Negotiate UDP - Specifies the default setting for whether the Client is to negotiate UDP encapsulation with the tunnel end point. The default is blank.
   Y = Negotiate UDP Encapsulation
   N = Do not negotiate
Configuration Server

Administrators can update the following fields on the Configuration Server for your corporate and virtual private network users. The value of LEAVE ALONE (must be in upper case) can be specified in any of the available Config Server settings, which will result in nothing being sent to the user's PC for the specified values.

1. Browser home page - The default web page all employees should access upon connection to the Internet.
2. ID - The ID
3. Mail server (SMTP ASYMTP and POP3) - The IP address of the mail server your company uses.
4. Mail server User ID - The user ID on your mail server.
5. News Server - A News Server allows access to newsgroups. A newsgroup is a discussion about a particular subject consisting of notes written to a central Internet site and redistributed through Usenet, a worldwide network of news discussion groups.
6. Socks server - The IP address of your SOCKS server. [A SOCKS server handles requests from clients (PCs) inside a company's Firewall.]
7. Proxy server - A proxy server is a server that acts as an intermediary between a workstation/user and the Internet so that a company can ensure security, administrative control, and caching service.
8. Auto-proxy URL - Auto Proxy allows different proxies based on URL wild card pattern matching. It also allows multiple proxies to provide proxy failover support if the primary proxy becomes unavailable.
9. Pop-up messages - This is a feature where you can send your users a message. When the user signs on to your service, the message will pop up for the user to read.
10. Mail Domain - Your company's mail domain name such as attglobal.net.
11. Permanent settings - These are settings your users cannot change.
12. Authorized SMTP user name - The name of your authorized SMTP users.
13. Authorized SMTP server name - This is the IP address of your SMTP server.
Appendix B Document Revision History

Date           | Version | Description
April 18, 2003 | 5.07    | Original document
May 20, 2003   |         | Updates to Firewall, added information regarding Extended Access
June 9, 2003   |         | Updates to Customizing the AT&T Global Network Client
June 23, 2003  | 5.08    | Updates to Firewall, added sections NAT/Firewall Traversal and Configuring UDP Encapsulation, added chapter for AT&T Global Network Client

Written by: Mark Colley, Cyndy Lobb, Becky Claxon
Glossary of Terms

A

Access Control List - An Access Control List (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. Each object has a security attribute that identifies its Access Control List. The list has an entry for each system user with access privileges. The Access Control List referenced in this document is a list of network addresses in relation to the VPN tunnel that limits VPN traffic.

D

DualAccess - The DualAccess service is the same as the SecureIP service with the addition of being able to access the Internet at the same time as the company's private network, using the same network connection.

F

FixedIP - The FixedIP service provides remote access to a company's private network via a network-based VPN to a tunnel server on the company's private network. The client IP address can be static or assigned from a customer-specific address pool on the tunnel server. The service supports multiple protocols and provides centrally managed network-based subnet filtering and network-based firewall security.

Fixed IP DualAccess - The Fixed IP DualAccess service is the same as the Fixed IP service with the addition of being able to access the Internet using the same network connection.

I

Internet - An Internet dial service, which gives you multiple accounts and access to news groups. Users can connect to their Internet account in over 50 countries.

IPX/SPX Compatible - IPX/SPX compatible is a transport protocol used in Novell NetWare networks.

IPsec - IPsec (Internet Protocol Security) is a developing standard for security at the network or packet processing layer of network communication. IPsec is especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers.
M

Managed Tunneling Service - IPSec - The Managed Tunneling Service - IPSec service provides remote access to a company's private network via an end to end IPSec VPN from the client to a tunnel server on the company's private network. The service provides centrally managed subnet filtering on the client and client firewall security as well as centrally managed network-based subnet filtering and network-based firewall security. The authentication for the VPN is provided through the AT&T Global Network Service Manager, or through a customer managed authentication server via the AT&T Global Network Service Manager. The AT&T Global Network authentication infrastructure has direct communication with the customer managed authentication engine.

Managed Tunneling Service - IPSec DualAccess - The Managed Tunneling Service IPSec is the same as the Managed Tunneling Service - IPSec service with the addition of being able to access the Internet using the same network connection. The authentication for the service is provided through the AT&T Global Network Service Manager, or through a customer managed authentication server via the AT&T Global Network Service Manager. The AT&T Global Network authentication infrastructure has direct communication with the customer managed authentication engine.

Managed Tunneling Service - IPSec - The Managed Tunneling Service - IPSec service provides remote access to a company's private network via an end to end IPSec VPN from the client to a tunnel server on the company's private network. The service provides centrally managed subnet filtering on the client and client firewall security as well as centrally managed network-based subnet filtering and network-based firewall security. The authentication for the VPN is provided through a customer managed authentication server, residing on the customer premise. The AT&T Global Network authentication infrastructure does not communicate with the customer managed authentication engine.

Managed Tunneling Service - IPSec DualAccess - The Managed Tunneling Service IPSec is the same as the Managed Tunneling Service - IPSec service with the addition of being able to access the Internet using the same network connection. The authentication for the VPN is provided through a customer managed authentication server, residing on the customer premise. The AT&T Global Network authentication infrastructure does not communicate with the customer managed authentication engine.

N

NAT - NAT (Network Address Translation) is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses.
This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world. NetBEUI NetBEUI is used by IBM or Microsoft LAN servers for access to network drives or printers. An example of an application that uses NetBEUI is Windows Network Neighborhood. NIC - A network interface card (NIC) is a computer circuit board or card that is installed in a computer so that it can be connected to a network. Personal computers and workstations on a local area network (LAN) typically contain a network interface card specifically designed for the LAN transmission technology, such as Ethernet or token ring. Network interface cards provide a dedicated, full-time connection to a network. Most home and portable computers connect to the Internet through as-needed dial-up connection. The modem provides the connection interface to the Internet service provider. S SecureIP - The SecureIP service provides remote access to a company's private IP network (Intranet) via a shared private AT&T network. The service provides centrally managed network-based subnet filtering and network-based firewall security. Synchronous (SYNC) - In program-toprogram communication, synchronous communication requires that each end of an exchange of communication respond in turn without initiating a new communication. A typical activity that might use a synchronous protocol would be a transmission of files from one point to another. As each transmission is received, a response is Page , AT&T Corporation, All rights reserved
39 returned indicating success or the need to resend. Each successive transmission of data requires a response to the previous transmission before a new one can be initiated. Simple Mail Transfer Protocol (SMTP) - SMTP is a TCP/IP protocol used in sending and receiving . T TCP/IP - TCP/IP is most commonly used to view web pages, to send and receive , and to browse newsgroups. TCP/IP is required to connect to the network and always available. U UDP (User Datagram Protocol) is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike TCP, however, UDP does not provide the service of dividing a message into packets (datagrams) and reassembling it at the other end. Specifically, UDP doesn't provide sequencing of the packets that the data arrives in. 2003, AT&T Corporation, All rights reserved Page 33
