Remote ACCESS 2001 Virtual Private Network Last Modified: June 28, 2002 (Includes Support for Windows XP Home and Pro)


Contivity Client
User Name: _______________

AT&T ISP Data
Corporate Account: XXXX
User ID: XXX
Initial Password: (Same as User ID)

Remote Access 2001: Virtual Private Network

Los Angeles Times

First Edition, August 2001
Second Edition, June 2002

Copyright © 2001 by the Los Angeles Times, Los Angeles, CA 90053

Contivity and Extranet are tradenames of Nortel Networks
Decade is a tradename of CE Engineering Publishing Systems
AT&T Net Client is a tradename of American Telephone & Telegraph
RSA SecurID Token is copyrighted by RSA Security Inc.
Netscape is a tradename of AOL Time Warner
Outlook 2000 and Internet Explorer are tradenames of Microsoft Corp.
MTUSpeed Pro 4.10 is copyrighted by Mike Sutherland

Compiled by Los Angeles Times Editorial Systems, Information Technology

Tom Kuby, Manager

Remote Access Team:

Jackson Sellers, Editorial Systems (Team Leader)
Gary Ambrose, Editorial Systems, L.A.
Jim Carr, Editorial, O.C.
Tony Cruse, Editorial Systems, O.C.
Brett Levy, Editorial Systems, L.A.
Jim Marchant, Editorial Help Desk, L.A.
Hao Nguyen, Editorial Help Desk, L.A.
Jim Robinson, Editorial Systems, D.C.
Phillip Ruiz, Editorial Systems, D.C.
Morrine Sosnow, Editorial Systems, S.F.V.

Technical Guidance by the Times VPN Project Team, Information Technology

Michael Batton, VPN Project Lead
Eddie Velez, Manager of Network Services
Bill Urban, Manager, Customer Services
Jim Robertson, Network Architect
Chris Horeczko, Desktop Engineer
Jackson Sellers, Senior Analyst
Cynthia Cowan, Data Security
Mark Seybold, Systems Analyst
Gary Ambrose, Systems Analyst

Cover design by Chuck Nigash, Art Director, Daily Calendar

Please call the appropriate help desk if you have questions or problems

Los Angeles (Editorial) 999-999-9999
Los Angeles (Business) 999-999-9999
Orange County (Editorial) 999-999-9999
Washington, D.C. (Editorial) 299-999-9999


C O N T E N T S

What Is VPN? 3
Read This First: Install CD 6
Windows 95 Updates 8
Your Internet Connection 12
Personal Tunnel: Contivity 25
Token Security 27
VPN Notes and Hints 30
    Netscape 30
    Outlook Web Access 32
    Network Settings 34
    H: Drive Mapping 36
    DSL & Cable 37
    America Online 37
    Passwords 38
    Internet Explorer 39
    MTU & RWIN 44

This manual targets the Editorial Department, which has the largest number of remote network users, but it can be helpful to all Times employees who have a need for remote communications and/or remote access to business databases, regardless of the department for which they work.

What Is VPN?

Just what you needed, right? Another TLA (or Three-Letter Acronym) to deal with. Currently, at the very beginning of the 21st century, all remote Editorial users of the Times network possess PPP accounts (Point-to-Point Protocol), and Times business employees and foreign correspondents utilize PAL (Phone Access Lookup) for CompuServe connections. Many writers, editors and others have their own ISPs (Internet Service Provider), although most are content with the Times-provided PPP/PAL for remote access to Decade, Netscape, Internet Explorer, e-mail, etc., and they see no reason at all for personal ISPs.

Well, say hello to VPN (Virtual Private Network), which replaces PPP/PAL and requires not only an ISP but a PIN (Personal Identification Number). VPN provides a means of connecting to the Times network over the Internet. Why is the Times making this switch when you are happy enough with what you’ve got? Economics, stupid. Recently a senior Editorial manager was asked if Times writers and editors would appreciate the fact that VPN is much cheaper than PPP. She laughed out loud. But more than half a million dollars in annual savings is no laughing matter.

It’s not all economics, of course. VPN offers immediate benefits to those who connect to Times systems from home, on the road or in national and foreign bureaus. Let’s list a few:

1) You will no longer be cautioned to limit your connect time on the Times network. Ten minutes or 10 hours is okay with the Times.

2) Cable modems as well as DSLs (Digital Subscriber Line) will work nicely with VPN and provide exceptionally high speeds. This is a big plus for Times employees who need/want high-speed communications. Cable modems and DSLs are rapidly growing in popularity and everybody will have them someday. But until now, neither of these always-connected, high-speed services could be used to access the Times network. VPN removes that limitation. Your cable modems and DSLs, however, must be protected against hackers. Times-approved devices are listed in this manual. [Not yet, actually, but they will be.]

3) Your home drive, or H: Drive, will be available. This personal storage folder is where you can stash all kinds of data, including old e-mail with sizable attachments, plus the novel that will make you famous. Just kidding about the novel. The H: Drive and all other Times storage devices are for business only.

4) VPN, especially when connected via DSL or cable modem, will facilitate remote communications with the new CCI pagination system.

This “Remote Access 2001” manual will help you make the switch from PPP/PAL to VPN — very much as the “Remote Decade 2000” manual guided you in installing both your Dial-Up Networking PPP and the Decade application that interfaces with the Times News Editing System. The good news is that all applications already installed on your remote PC or laptop (Decade, Netscape, etc.) will be left undisturbed. We are dealing here, in this manual, only with the manner in which you connect to the Times network. From your point of view, PPP/PAL will transmogrify into ISP/VPN.

How does VPN work? First, think about what you are doing now. If you are a typical Editorial staffer, you use Windows Dial-Up Networking to connect to the Times PPP server via an 800 number. Then you launch Decade or Netscape or whatever, running the applications one at a time or all at once. If you are a Times business staffer, you use PAL/CompuServe to access various databases. The VPN procedure is not much different, although there is an extra step or two. Let’s look closely at the new VPN process.

Connecting Remotely: A connection to your local ISP is established. The word “local” suggests where most of the corporate savings come from, since the PPP/PAL service is very expensive. Your ISP can be AT&T, PacBell, EarthLink, various DSL/cable modem services, almost anything except America Online. AOL sometimes works, but not for long, and it is not supported by the Times.

Establishing a Private Network: Once your PC is connected to an ISP, the VPN client will bore a “tunnel” through the Internet to the Times network. Now you can run Decade, etc., or anything else the future brings. And you are saving the Times a bundle of money.

In general, you are responsible for installing this software on your personal machine and making everything work. You can do it. You are professionals, working for a world-class newspaper. Follow the steps in this little manual. If you get into trouble, the Times Help Desk or one of the regional Editorial Systems help desks will assist you. (Help desk phone numbers are listed on Page 1 of this manual.) And any VPN-authorized employee can bring his/her PC to the Electronics Department in Los Angeles or Orange County for customizing. Appointments are required for this personal service. For appointments, call 213-999-9999 in L.A. or 714-999-9999 in O.C. But try to do it yourself.

JACKSON SELLERS
Senior Analyst, Calif. Bureaus & Special Projects
Editorial Systems, Information Technology
August 2001 (First Edition)

Note: This second edition, published in June 2002, expands the range of Microsoft operating systems supported by the Times VPN client. Now WinXP, the latest and greatest, is supported. Also, the VPN client itself has undergone a name change. It is called Contivity. If you are running the old client, Extranet, don’t worry. Extranet will continue to run nicely on operating systems ranging from Win95 to Win2000.

Minimum Requirements for Contivity VPN

• Operating system: Windows 95, 98, 98SE, ME, NT, 2000 or XP
• Storage: At least 5 MB of free disc space
• High-speed modem (or DSL/cable modem with Times-approved firewall)
• CD-ROM drive for installation
• PC must NOT be using America Online as its VPN ISP

Read This First: Install CD

Everything you need for VPN operations can be loaded from the installation CD provided to you. If you are a Windows 95 user, your operating system can be updated. If you are running either Win95 or Win98, an optional enhancement is available. If you have been authorized for an ISP dialer, the AT&T Net Client can be installed. And of course almost everybody needs to install the Contivity VPN program.

Slip the CD into your CD-ROM drive. It will “auto-run,” meaning the menu below will automatically appear. If nothing happens, go to My Computer, open the CD and double-click Cdmenu.

If you already have a dialup ISP (other than AOL) or a DSL/cable modem, and if you are running Windows 98SE, NT, ME, 2000 or XP, you are in fat city. Launch “Install Contivity VPN Client v4.15.” The installation will begin. Now turn to this manual’s “Personal Tunnel: Contivity” chapter, Page 25, and follow instructions. By Page 29, you’ll be connected to the Times network. But don’t fail to look at the “VPN Notes and Hints” chapter starting on Page 30. Good advice can be found there.

Things You Must Know

These menu items can be launched in two ways. 1) Double-click on them. 2) Click once to select the program to be installed, then click on the Install Application icon at bottom left. Anytime you want to display the menu, simply eject the CD and re-insert it, or manually open it as described above.

The rest of you — those running Windows 95 or 98 — have a bit more work to do before installing the AT&T dialer and/or the Contivity client. If your machine is using the old Win95 operating system, it must be updated for VPN operations, a lengthy procedure if done manually but automated as much as possible on the Times CD. Both Win95 and Win98 users should run the “Optional VPN Enhancement” program. Refer to the “Installation Steps & Manual References” chart below. It lists the recommended order of installation and refers you to pages that can be helpful.

Installation Steps & Manual References

Step 1   Update Win95 Operating System         “Windows 95 Updates,” Page 8
Step 2   Optional Win95/Win98 Update           “Windows 95 Updates,” Page 10
Step 3   Install AT&T Dialer (if Authorized)   “Your Internet Connection,” Page 12
Step 4   Install Contivity VPN Client          “Personal Tunnel: Contivity,” Page 25

This is the normal order of installation, but the number of actual steps required depends on your operating system version and whether or not you have been assigned an AT&T account. Also, Step 2 is optional for Win95 and Win98 users, although it improves VPN operations slightly and is considered worthwhile. The VPN enhancement is built into Win98SE, NT, ME, 2000 and XP, so PCs running these operating systems don’t need it.

Network Settings for Win95, 98, 98SE & ME

Certain Times services require specific settings. Also, the on/off switch for the network logon script lies within your network settings. You may prefer to turn off that switch, if it is on, so you can achieve the fastest possible VPN logon from a remote location. Anytime you want to turn a switch on or off, it is nice to know where it is.

See Page 34 in the “VPN Notes and Hints” chapter for further information.

MTU/RWIN Settings for Win95, 98, 98SE & ME

If you are dialing an ISP with any of these operating systems (as opposed to using a DSL or cable modem), see Page 44 in the “VPN Notes and Hints” chapter for important instructions.

Windows 95 Updates

The Contivity VPN Client requires a Win95, Win98, Win98SE, WinNT, WinME, Win2000 or WinXP operating system. System updates are required for all Windows 95 versions, and the oldest and most common Win95 version requires four of them, five counting an optional one. If you are a Win95 user, don’t despair. On second thought, go ahead and despair if it helps. As a professional Los Angeles Times writer or editor or business employee, you should be up to Win98 by now, at least, but you aren’t, so read on. We’ve got an automated deal you can’t refuse.

Insert or re-insert the installation CD into your drive. The main menu will appear, as above. Select “Windows 95 Operating System Updates,” as shown, then click the “Install Application” icon. The updating will start. Skip to Page 10 unless the following note applies to you.

Important: If you get a message saying “Out of Environment Space” or “Command.Com Cannot Be Found,” you must add a command line to your Win95 CONFIG.SYS file. Sorry about that, but it can’t be helped. It’s the price you must pay for being so far behind on your operating system. Exit from the Times installation CD. Go to Start, Run and enter Sysedit in the prompt. Execute the prompt. The Configuration System Editor window will appear (next page).

Want to Do It Yourself?

Okay, turn to Page 11 for detailed instructions. After seeing how much trouble it is, you’ll quickly come back here, where fewer dragons await.

Click once on the CONFIG.SYS window (the one behind AUTOEXEC.BAT) to give yourself full editing access. Now go down to the bottom of the CONFIG.SYS file and enter the following statement as the last line:

shell=c:\command.com/e:4096/p

Exit from the System Configuration Editor. You will see this query:

Answer Yes. Even if you are not prompted to do so, reboot your system now. The new CONFIG.SYS statement becomes active on reboot, and you will need this re-configuration when you run the “Windows 95 Operating System Updates” program again.

In general, the Windows 95 OS update program does the following:

1) Identifies the operating system version of your PC.
2) Installs the necessary updates.
3) Provides essential Microsoft files.

You will see lots of action on your screen, copying of files, etc. If all goes well, you will see the notice below.

You may get several Version Conflict warnings similar to that shown at right. Obey the recommendation. If the file being copied is older, keep the existing file. If that confuses you, we’ll make it simple: Answer Yes to all such warnings.

Do not remove the CD! Click OK to start the reboot. As before, you will see much file copying on your screen, concluding with another restart prompt, shown at below left.

After answering Yes to the restart query at left, you are almost finished with Win95 operating system updates. Almost but not quite. See below. Shucks. There is something else to do.

VPN Enhancement Update for Win95 and Win98

Although optional, the update is recommended, and it is very fast and simple. Close any applications running. Only your desktop should be active. Insert or re-insert the Times installation CD, thus displaying the VPN Client Install menu. Select “Optional VPN Enhancement for Win95 and Win98,” and click “Install Application.” The program knows whether you are running Win95 or Win98, and will install the appropriate file. Screens will flash and file copying will be done. Rebooting, to seal the VPN update into the operating system, is automatic. You are finished, and your PC is set for optimum VPN operations. Now you can proceed to the AT&T dialer installation, if needed, and/or the Contivity VPN installation.

Want to Do It Yourself? Really?

If you prefer to do the updating manually, or if you just want to know what is being done to your personal machine, this page will help. First, you must know what operating system you are using. Go to Start, Settings, Control Panel and System. The System Properties box will appear. The Windows version is identified under “System” (see below). Now find your version in the table at bottom. The update files can be executed from the distributed CD. They can be found in the Winupdate folder. The network update will require your original Windows CD-ROM installer on reboot. Look, it all gets a bit complicated. Best advice: Forget about doing it yourself and turn back to Page 8, where a much easier procedure is documented.

If you are determined to go ahead, you can insert or re-insert the VPN CD and click on “Browse CD.” Find the Winupdate folder and double-click on it. There you will find all the executable update files listed in the chart below. Good luck, brave souls.

Windows Version              Updates Required                    CD Filename

Windows 95 (4.00.950)        Win95 Service Pack 1                W95pack.exe
                             Win95 Socket Update - Kernel 2      W95kernel.exe
                             Win95 Socket 2 Update               W95socket2.exe
                             Win95 Dial-up Network 1.3 Update    W95network.exe
                             Win95 VPN Update (Optional)         W95vpn.exe

Windows 95A (4.00.950A)      Win95 Socket Update - Kernel 2      W95kernel.exe
                             Win95 Socket 2 Update               W95socket2.exe
                             Win95 Dial-up Network 1.3 Update    W95network.exe
                             Win95 VPN Update (Optional)         W95vpn.exe

Windows 95B (4.00.950B)      Win95 Socket 2 Update               W95socket2.exe
Windows 95C (4.00.950C)      Win95 Dial-up Network 1.3 Update    W95network.exe
                             Win95 VPN Update (Optional)         W95vpn.exe

Windows 98 (4.10.1998)       Win98 VPN Update (Optional)         W98vpn.exe

Windows 98 SE (4.10.2222A)   No Updates Required                 None

Windows NT 4.0               No Updates Required                 None

Windows ME or 2000           No Updates Required                 None

Your Internet Connection

You must have a connection to the Internet to use Contivity VPN software. Cable modems, DSLs and dialup ISDNs are ideal for the purpose. The first two — DSLs and cable modems — are always “on line,” or can be, and they are very fast. Dialup ISPs, while lower in cost and limited to the speed of the PC’s modem, will serve the majority of us. Most ISPs will work — AT&T, PacBell, EarthLink, etc. — but AOL will not. The Times VPN request form states flatly: “VPN access service will not be supported if AOL (America Online) is your ISP.” (See “VPN Notes and Hints,” Page 37, for further discussion of the AOL matter.)

If you have a personal DSL or cable modem, congratulations. It will provide high-speed access to the Times network. You don’t need an ISP dialer. Skip this chapter. Go to the next one, “Personal Tunnel: Contivity,” Page 25, and begin installing your VPN client.

If you are authorized to use AT&T Net Client as your ISP dialer, your next step is to install the program from the CD distributed with this manual. Pertinent AT&T information (account, user ID and initial password) can be found on the manual’s copyright page. Insert the CD into your drive. Click “Install AT&T Internet Dialer” to select it. Then click the “Install Application” icon. The box below will appear. Click Next. No entry is required for “FastPath.”

Click I Agree to the License Agreement (above). Then accept the default “Destination Folder” in the Folder box below. Click Next.

Check the boxes for “AT&T Net Client” and “AT&T Net Location Database.” Click Next. The information box below will pop up. Read it if you care to, or just click OK to get rid of it. To continue, you’ll have to click Next again on the Components screen.

Check the “Create an icon on the desktop.” Click Next. In the Start box below, click Install to begin installation of AT&T Net Client.

Let’s finish this now rather than later. Choose “Yes, continue setup.” The next box lists three items needed for connection. You’ve got all of them, we can hope. Do not open a new Internet account. Click Next.

Enter the AT&T “Account” and “User ID” provided to you. Do not click Next yet. Click on the “Advanced Login Properties” button to set up important dialer defaults. The Network box below will pop up. Choose “The Internet.” Click Next.

Check the “TCP/IP” box and then click Next. Below, click the “No” button and then click Next.

Select the “Use default network settings” button on the DNS screen and then click Next. Make the same selection on the WINS screen below and click Finish.

Your “Advanced Login Properties” chores are finished, and the User ID window that you filled out earlier (above) waits for you to take further action. (Your “User ID” will be different from that shown.) Click Next.

In the Network Connection window at left, select the “Dial using my computer’s modem” button and click Next.

The Modem window at right will be correct if your PC already has a working modem installed. Click Next.

Enter the information appropriate to your dial-up location. Click Next to continue. In the Network Access Number screen below, select the appropriate “Country,” “Region” and “Number to dial.” You will have to double-click the phone number to make it show up in the “Number to dial” field. Click Next.

Do you have “Call Waiting” service? If so, you should choose the appropriate “Dial prefix” to disable it during those times when you are connected to your ISP. Your telephone company can tell you which prefix will do the job.

Review the information on the Connect Summary screen. Click Next. On the Setup Complete window below, click Finish to begin the fun part of all this.

Pretty dialer, isn’t it? You are being asked for your password. Your initial password is exactly the same as your AT&T user ID, or “Login Profile” as it is called here. If your initial password is XXX9999, it doesn’t matter whether you enter it as XXX9999 or xxx9999. Enter the password either way, but don’t “Save password” just yet. It would be ridiculous to save an initial password that won’t work the next time you use it. Click Connect after entering the password.


The dialer will dial the AT&T number you selected during setup. In the process of getting connected to the ISP, you’ll be required to change the password. A New Password prompt will appear.

Your “Current password” (XXX9999, for example) is already entered. You must enter a new one twice (to verify that you didn’t mistype the first time). Choose a password you can’t forget! Click OK. Just to be clear, this is your AT&T Net Client password. It has nothing to do with your Times NT password.

Note: Back on Page 14, you checked a box requesting an AT&T Net Location Database download. This will happen now. It will take about two minutes. Then you will have an up-to-date AT&T phone directory.

Congratulations! You are now connected to your ISP. In this case the line speed is 52,000 bits per second. For a variety of reasons, yours may differ, either higher or lower.

What next? Well, you could do something. You could run an Internet browser such as Netscape, but if this is the browser you have been using on the Times PPP, the Proxies configuration must be changed to “Direct connection to the Internet.” (See “VPN Notes and Hints” in this manual, Page 30, or Page 39 for Internet Explorer.) But let’s not go off on a tangent right now. You’ve got more important things to do, such as installing the VPN software.

So log off. Click the dialer button showing an empty box (above). You will be asked to confirm the disconnection. See box at right. Click Yes. The next time you connect to the Internet you can save your new password.

An important note about the AT&T dialer . . . of interest to those who travel from city to city or from nation to nation: If the “Traveling user” box is checked on the dialer, as shown at left, a handy setup panel is added at the bottom. You can quickly change the dialing instructions wherever you go. Bon Voyage!

Personal Tunnel: Contivity

Your Virtual Private Network client is called Contivity. You are ready to install it. If you have not rebooted since installing AT&T Net Client, reboot now! Then insert the VPN installation CD into your CD-ROM drive. If the CD menu does not auto-display, go to My Computer, open the CD and double-click on Cdmenu.exe.

Select “Install Contivity VPN Client v4.15” and click the “Install Application” icon. Contivity installation will begin. You may get several Version Conflict warnings, as shown below. Obey the recommendation. If the file being copied is older, keep the existing file. In other words, answer Yes to all such warnings. Continue to the next page of this manual unless the box at right applies.

If Things Do Not Go Well...

Perhaps you see an error message such as “Out of Environment Space” or “Command.Com Cannot Be Found.” The messages most often show up on Windows 95 PCs, but they also can pop up on Win98 machines and maybe even later operating systems. The assumption here must be that you are at least a Win98 user, since a Win95 user would have taken care of the problem back on Pages 8 and 9. Anyway, if you face this problem, turn to those pages and make the required entry in your CONFIG.SYS file as instructed. Reboot, return here and try installing Contivity again.

Attention, XP Users!

You will get the message at left. Scary, isn’t it? The correct response is Continue Anyway, but any sane person would click STOP Installation immediately. So step back a moment from sanity. Pretend you are insane. Click Continue Anyway. Take my word for it.

That was easy, wasn’t it? Several flashing screens, a couple of mildly entertaining horizontal copying bars and you are done. You will be advised to reboot your PC. Do it. Click Yes in the box that looks like the one at below left. When you get back up, you’ll see the Contivity VPN Client icon on your desktop, as shown at right below.

But don’t relax. There is more to do. First, establish a connection with your ISP, whether it is dialup or DSL/cable. Contivity will need the Internet connection shortly. Then double-click your Contivity desktop icon. The following dialog box will appear.

Notice that the default connection target is Xxxxxx-XXX-XX. Click on the down arrow next to it. You’ll see another choice — Xxxxxxx-XXX-Xxx. Why is that important to know? Well, suppose the Los Angeles VPN gateway is unavailable for some reason. You can shift to Chicago to do your work on the Times network. Your user name and PIN are as valid in Chicago as they are in Los Angeles. Oh, you don’t know much about the VPN PIN, do you? Read on.

It’s time to pull out the keychain fob you received with this manual. Turn to the next page and study a short chapter entitled “Token Security.”

Token Security

You are ready to log onto the Times network for the first time. Your token device looks like the graphic shown here, and it is about the same size. Every minute of every hour, it generates a six-digit number that may be entered into the “Token” field of Contivity’s opening window. This is your token, assigned to you alone. The numbers will match nobody else’s at any one time. Notice the stack of bars to the immediate left of the token readout. Each bar represents 10 seconds. In this particular case, 40 seconds will elapse before the number changes again, before the stack is rebuilt to six bars for another 60-second countdown.

Since this is the first time you have used the token, ignore the “PIN” field in the Contivity window below, because you don’t have a PIN yet. But you must enter your Contivity “User Name.” Your user name is the same as your Times network name, generally an initial plus surname, rendered solid, as in jsmith. (If you have forgotten it, see Page 1 of this manual, where your user name is recorded.) And of course you must enter the six-digit number displayed on the SecurID token. Follow the directions below.

If the token is very near the end of its 60- second cycle, wait for a new number, then type it into the “Token” field. Now click the Save button at the bottom of the box. Nothing dramatic will happen, but Contivity now knows this is the configuration you will always be using. Click Connect or strike the Enter key.


If you did not click Save as instructed, shame on you. You’ll get the question at left. Answer Yes. You won’t have to Save again.

Your AT&T dialer (if that’s what you are using) has already connected you to the Internet. Now the Contivity VPN software will “bore” a tunnel into the Times network from the Internet. You will be required to create a PIN. The rules are simple. It must be all numbers and no shorter than four digits. Create a PIN and don’t forget it! The advisory at right will pop up. The instructions would be worth reading if they were correct. Rather than a mere click, a right-click on the Taskbar icon is required to disconnect. But regardless, you don’t want to be bothered with this notice again, so check the box saying “Do not show this message in the future.” Then click OK.

When you see the Security Banner at left, you are in! Click OK. But you are not “in” all the way. Sorry. You still have to sign onto the Times network (see below). Note: The brief message in the Security Banner will probably be expanded in the future to issue various warnings.

Enter your Times network password and click OK. If your Windows Password prompt shows up next, you can just Cancel it. If you change the Windows password to match your network password, you won’t be annoyed by this again.

Notice the Windows Toolbar icons, normally at lower right on your desktop. One of them is the ISP icon, meaning you are connected to your Internet service provider. Another is the Contivity icon, meaning you are connected to the Times network. Now you can run your Times applications. When you are ready to sign off, close all applications, then right-click on the Contivity icon and left-click Disconnect Contivity VPN. You’ll see the box below. Click Yes.

And you must also disconnect from your AT&T dialup ISP, if that is what you are using. If you can’t figure it out yourself, this manual’s “Your Internet Connection” chapter tells you how to do it.

Don’t worry, folks. All of this, as complicated as it may seem right now, will become routine in short order. The benefits for both you and the Times may not be fully apparent, but they are abundant as large newspapers around the world move into 21st Century technology. And you did it all by yourself! With maybe a little help from your Information Technology friends.

Congratulations, but don’t completely relax now that you’ve got VPN running. There are important peripheral issues to deal with or just be aware of. The next chapter, “VPN Notes and Hints,” explores such subjects as Netscape, Outlook Web Access (OWA), Network Settings, H Drive Mapping, DSLs & Cable Modems, America Online, Passwords, Internet Explorer and MTU & RWIN. Some if not all these articles will be of interest to you, and some are even vital to smooth VPN operations.

JACKSON SELLERS Editorial Systems, Information Technology

VPN Notes and Hints

Subject Index:

Netscape               The Friendliest Browser        30
Outlook Web Access     E-Mail via the Internet        32
Network Settings       Win95, 98, 98SE & ME           34
H: Drive Mapping       Personal Network Folder        36
DSLs & Cable Modems    Firewalls and Routers          37
America Online         Popular but Troublesome        37
Passwords              The Good, the Bad, the Ugly    38
Internet Explorer      Configuration for VPN          39
MTU & RWIN             Dialup VPN Settings            44

Netscape: Many of you are running Netscape as your Internet browser on PPP/CompuServe. It is configured with an automatic proxy statement:

http://config.latimes.trb/proxy.pac or //news.latimes.com/proxy.pac This configuration, with either proxy, will work nicely on VPN for access to both the Internet and the Times Intranet (Editorial Library, etc.), but the setting must be changed to “Direct connection to the Internet” if Netscape is run on your ISP alone. Here’s how to change the Netscape setting from one to the other:

30

ight

scape

c proxy ng with

Suggestion: Don’t actually do anything here. Simply digest the information, then turn to Netscape Profile Manager instructions on the next page. The manager will make things easy for you. Netscape’s Edit menu offers Preferences, as shown at left. If you click on the boxed “+” next to Advanced, then click on Proxies, configuration choices will be displayed. Click the radio button next to “Direct connection to the Internet.” Now click OK. This makes everything rfor running Netscape on your ISP alone. If Netis being run on VPN, it needs the “Automaticonfiguration” settiits Times proxy statement. Just click its radio button, then OK.


In Netscape, but not in Internet Explorer, you can create profiles that will be conveniently ready for VPN on the one hand or ISP-only on the other. This manual cannot devote much space to Netscape Profile Manager, but the program is fairly straightforward. First, of course, you must have Netscape installed. Go to Start, then Run. The Run line requires an entry of Netscape -profile_manager. Yes, the line is nerdy, but you’ll only have to do this once. Don’t yield to your literate impulse to eliminate the space in the Run line. Netscape-profile_manager (without the space) will NOT work, while execution of the precisely correct command will display the following box.

Read the directions in the box itself. Your goal is to produce the profiles listed at left. The New button will allow you to create them. In the end, when all is done, the ISP Netscape Browser, with its “Direct to Internet” setting, will work nicely on an ISP-only connection, and the VPN Netscape Browser, with its Times proxy setting, will give desired results on a VPN connection. But all is not done yet. Click Back.

Okay, let’s test/refine the two profiles. Connect to your ISP. Run Netscape, choosing the ISP Netscape Browser. Follow the directions on the previous page, clicking the “Direct connection to the Internet” button. When finished, exit from Netscape and establish a VPN connection. Run Netscape, choosing the VPN Netscape Browser. This time, of course, you will click the “Automatic proxy configuration” button. If the proxy is not there, enter it. Now the Netscape profiles are configured to go both ways.

Henceforth, whenever you run Netscape, the box below is what you will see first. The default “Profile name” will be whatever you ran last. If you need the other one for your current session, drill down and select it. At this point, however, simply Exit.
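For readers curious about what the “Automatic proxy configuration” setting actually loads: a proxy.pac file is a small JavaScript function the browser consults for every request. The sketch below is an added illustration, not the Times proxy.pac; the intranet suffix, proxy host and port are constructed placeholders, and sending intranet hosts direct is an assumed arrangement. Because the proxy it returns is assumed to be reachable only over VPN, the same setting is wrong on an ISP-only connection.

```javascript
// Added illustration of a proxy auto-config (PAC) file.
// All host names, the domain suffix and the port are constructed placeholders.
var INTERNAL_SUFFIX = ".corp.example";        // assumed intranet domain
var PROXY = "PROXY proxy.corp.example:8080";  // assumed proxy host and port

// True when host is the domain itself or ends with "." + domain.
// Matching on the dot boundary keeps "notcorp.example" from passing.
function inDomain(host, suffix) {
  var h = host.toLowerCase();
  if (h === suffix.substring(1)) return true;
  var at = h.length - suffix.length;
  return at >= 0 && h.indexOf(suffix, at) === at;
}

// The browser calls this for every request and obeys the returned string.
function FindProxyForURL(url, host) {
  // Single-label names (e.g. "library") only resolve on the internal network.
  if (host.indexOf(".") === -1) return "DIRECT";
  // Intranet sites are reached through the tunnel without the proxy.
  if (inDomain(host, INTERNAL_SUFFIX)) return "DIRECT";
  // Loopback never goes to a proxy.
  if (host === "127.0.0.1") return "DIRECT";
  // Everything else leaves through the proxy.
  return PROXY;
}

// Helper for trying the logic outside a browser: maps each URL to a decision.
function decisionsFor(urls) {
  var out = {};
  for (var i = 0; i < urls.length; i++) {
    var m = /^[a-z]+:\/\/([^\/:]+)/i.exec(urls[i]);
    out[urls[i]] = m ? FindProxyForURL(urls[i], m[1]) : "DIRECT";
  }
  return out;
}
```

Calling decisionsFor with a handful of internal and external URLs shows at a glance which requests would bypass the proxy.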

Outlook Web Access (OWA): This is the way you will access your e-mail remotely. It saves you and your friendly support people a lot of trouble, because you do not need the Outlook client installed on your home PC or laptop. Once connected to your ISP or VPN, you will simply run your Internet browser — usually Netscape or Internet Explorer — and then execute a URL, specifically xxxxxxx.xxxxxxx.xxx. The beauty of this is that your Times e-mail becomes available wherever in the world you have access to an ISP. It doesn’t have to be your ISP. It can be somebody else’s. You can get your e-mail at home or on the road, but you can also get it on an ISP-connected PC at a friend’s home, at almost any business facility, and at cybershops in Switzerland and Japan, just to name two of the world’s many Internet nations. This constitutes a dramatic improvement in Times remote e-mail service. Execute the URL — xxxxxxx.xxxxxxx.xxx — and you will see the window below. Hint: Save a bookmark at this point for your future convenience. Enter your network user name in the “Log On” box and click where it says “click here.”


The prompt at left will appear. There is a delimiter between the xxxxxxx and your user name. It’s shown here as a xxxxxxxx, but a xxxxxxxxxxxx will work just as well. The “Password” is your normal, unforgettable network password. Click OK.

Okay, there you have it! Things look a little different from the office version, but everything is essentially the same. Notice that only Page 1 of the “Inbox” is displayed, but that you can click forward to Pages 2, 3, 4, etc. Also be aware that OWA does not automatically notify you of a newly received e-mail, as the full Outlook client does. To display any new messages, or refresh the “Inbox,” you must click the Check for New Mail icon on the toolbar, which looks like this:

Recommended logoff procedure: Click on the Log Off icon at the bottom left of the OWA screen. The message below will appear. Follow directions and close your Internet browser. Hint: You can just close your browser and forget it.

Logoff: To complete the log off process and prevent other users from opening your mailbox, you must close your browser.


Network Settings for Win95, 98, 98SE & ME: Eventually you will have to deal with settings for Client for Microsoft Networks, so you might as well do it now. This is your operating system’s program for interacting with networks, most pertinently, in your case, the Times network. In general, PAL/CompuServe users are already set up, and Editorial PPP users are not set up at all; nor, of course, are those who buy new computers. These instructions show “screen grabs” from Windows 98, but they are applicable to Win95, 98SE and ME. Go to your Control Panel and double-click on the Network icon. The box below will appear.


Click once on Client for Microsoft Networks to highlight it as shown above, then click on Properties to display the box on the next page.

Important Note: The Microsoft client may not be there, or it may be there but not be visible. Scroll the directory to be sure. If it is not there, you must install it. Click Add, then Client, then Add again, then Microsoft. Now pick Client for Microsoft Network and click OK. You may be requested to insert your original Windows CD-ROM disc. You certainly will have to reboot.

There’s always something to confuse us, isn’t there? Contivity has replaced Extranet as the name of the Times VPN client, but the VPN network adapter is still called Extranet Access Client Adapter, as shown at left. Never mind. We are not interested in that right now.


First, enter XXXXXXX as your “Windows NT domain.” (Case is not important. The entry could be xxxxxxx.)

Other settings:

Logon validation: Do not check the “Log on to Windows NT domain” box. Yes, if the box is checked, the Times logon script will run, and your H: Drive will be automatically configured. Sounds good, doesn’t it? But it will take much longer for you to log on, and you will drum your fingers. Best advice: Leave the box unchecked, and map the H: Drive yourself, as detailed on Page 36.

Network logon options: The “Logon and restore network connections” radio button should be activated, as shown.

Clicking OK on the Networks Properties window above will return you to the Network window displayed on the previous page. Click on the Identification tab, and you will see the dialog box below. Unfortunately, there is more to do. “Computer name” can be anything you want, provided it is not the same as a valid Times server or your network name. Just to be safe, let’s follow this convention: xxxxxxxxxxxx; for example, xxxxxxxxxxx. There is a 14-character limitation here, so truncate your user name if necessary.

“Workgroup” must be XXXXX or xxxxxxx.

“Computer description” is completely optional. It can be nothing at all or whatever is desired.

Click OK and you will return to the beginning of these network setups. Click OK again to seal the new settings into your operating system. You will be required to reboot.

H: Drive Mapping: Some of you are not acquainted with the H: Drive, although everybody has one when he/she logs onto a terminal in a Times networked newsroom or office. You can store text or graphs there, and it is much more secure than your PC’s hard drive, which eventually will crash and lose its data. This H: Drive, or Home Drive as it is called, can also be accessed remotely by VPN users. If the Times logon script is run in conjunction with VPN logons, you will get access automatically. If not, you won’t, but you can manually map the H: Drive while you are logged onto the network via VPN. You may not be particularly interested in your H: Drive. If so, forget about it. But if you want remote access to this storage place, follow these directions:

Go to your desktop while logged onto the Times network. Right-click on My Computer. Now click on Map Network Drive. The dialog box above will appear, although the entries won’t be the same. For “Drive,” drill down to the H: Drive and select it. For “Path,” . . . Ah, this presents a problem for many of you. Most likely, you don’t know the name of your H: Drive server. Xxxxxxx’s server is xxxxxxxx, but that’s probably not yours. There are a number of such Times servers. If you don’t know the name of yours, call the L.A. Help Desk — or, if you have access to a newsroom networked terminal, as nearly all of you do, you can log onto that terminal, go to My Computer and simply look. When Xxxxxxx does that, he sees Xxxxxxxxxxxxxxxxxxxxxxx. Either way, you need the name of the server to map your H: Drive for remote access. The “Reconnect at logon” box should be checked. As usual, after all is done, click OK to seal the bargain.


DSLs & Cable Modems: [Firewall recommendations still pending]


America Online: The Times does not support America Online on either office or private PCs. If you insist on using AOL, you are on your own. But let’s be practical here. Many of you already possess AOL and are happy with it. Your kids use it. You and/or your spouse or significant other have joint or separate AOL e-mail accounts. Now the Times is telling you that AOL won’t work as your VPN ISP. Yes, that’s true — AOL won’t work reliably in that role — but what about just keeping AOL around for the kids and spouse? No doubt the AOL program is aggressive, always trying to take over, but there is plenty of anecdotal evidence suggesting that AOL won’t be troublesome if the ISP/VPN programs are installed on top — that is, to be perfectly clear, if ISP/VPN is installed after the AOL program was installed. But if you do this, and if it works (as it probably will), you must never, never, never update your AOL version, because then AOL will think it is the top dog again. And if it doesn’t work, or if your spouse or kids subsequently update AOL, innocently answering Yes to an AOL online suggestion that the program be updated, don’t call the Times Help Desk. You will only be told: “The Times doesn’t support AOL.” What do you do then? Hire an expert. A cottage industry has arisen to deal with the complexities of uninstalling AOL. Sorry, but that’s the way it is, as some Times people have already discovered.

Passwords: Don’t forget your AT&T password or your Contivity PIN! Write them down in a secret place. Such advice is heresy to security people. Don’t tell anybody I told you to do that. But if you do forget your password, notify the Help Desk and your account will be reset, meaning your AT&T password will revert to XXX9999 or whatever. The reset won’t come immediately. The task must be done in Chicago at present. If you forget your Extranet PIN, also notify the Help Desk. If you lose your SecurID token, you are in more serious trouble. You must notify the Help Desk and request a brand-new account, and you’ll have to fill out another VPN request form and get your supervisor to sign it. Your department will be billed $50.

Another password matter: If the Times VPN gateway — the device that handles authentications — gets the notion that your SecurID fob is out of sync, it will issue a challenge that looks like the prompt below.


There is no online help here at all. What the hell is a passcode? An unknown programmer, at some point in the development of Contivity, assumed you would know. He knew, so why not you? Well, a passcode is your PIN plus the six-digit readout on your VPN fob, rendered solid. To be clear: If your PIN is 999, you will respond with “999999999,” assuming your fob readout is “9999.”

Warning: You must not make too many mistakes in this passcode response. After three attempts, you may find yourself locked out of VPN, facing what could be a lengthy delay in getting your authorities restored.


Internet Explorer: The Times proxy requirement for Netscape applies equally to Microsoft’s Internet Explorer. The proxy — http://xxxxxx.xxxxxxx.xxx/xxxxx.xxx — should be activated for Internet/Intranet access on VPN. It should be disabled for Internet access on ISP alone. Unlike Netscape, IE offers no profile manager to simplify the matter of switching from VPN connections to, say, the AT&T Net Client running alone. The best plan may be to set up dialup settings for VPN and then, when necessary, modify the settings for ISP alone — or vice versa, depending on which connection is used the most. DSL/cable users face a similar dilemma when switching between the two services. All Internet Explorer settings are made in Internet Options. There are two ways to get there: 1) Go to your Control Panel and double-click on Internet Options. 2) With IE running, go to Tools, then Internet Options. The window below will appear.

This is where the home page is named. Since we are configuring a VPN setup here, you may want to enter a Times Intranet site such as http://xxxx.xxxx.xxxxxxx.xxx, the Editorial Library’s page. Many writers and editors prefer it because, among other things, it offers a link to TimesOnline, the Editorial archives. But any address will do. VPN provides access to both internal and external sites. Click the Connections tab, which displays the window on the next page.

Select AT&T Net Client or whatever dialup ISP you are using for VPN operations. Click Settings and the dialog box below will be displayed. Important Note to DSL and Cable Modem Users: You should choose LAN Settings instead. Although equally as remote as dialup users, you connect directly to the Times LAN. You lucky guys and gals are not dialup users. Click LAN Settings and follow the proxy instructions below, which are actually aimed at your less speedy comrades.

Make the settings exactly as shown at right. Well, not exactly. The “User name” account information at the bottom will be yours, not the account shown here. The Proxy Server entries are not essential for dialup ISP users, but they are essential for DSL/cable VPN sessions. The Proxy Server address is xxxxx.xxxxxxx.xxx, not xxxxx.xxxxx.xx as shown. The damned field is not quite large enough to display the entire proxy name. Click OK here and you will return to the previous window, above. Now click on the Advanced tab. The window on the next page will appear.


Scroll down to Internet Explorer’s HTTP 1.1 Settings. Both boxes should be checked as shown. Click OK until you are out of all this, and you are done. Now, when you’ve got a VPN connection to the Times, Internet Explorer will work as desired, accessing both internal and external sites. Great, but what about switching to an ISP-only connection? Sure, you can do it, but changes in the settings will be required. IE is a bit troublesome in this respect. See below.

When you run Internet Explorer on your ISP connection alone, the settings should be what you see at left. But they may not be that way. Happily, you can make modifications on the fly, within Internet Explorer itself. Go to Tools, then Internet Options and click on the Connections tab. Make sure your ISP is highlighted and then click on Settings. Disable the proxy data and enable “Automatically detect settings.” Click OK out of this, and away you will surf on the World Wide Web.

But wait! There are more IE settings! See the next page.


Your Internet Explorer operations will be more efficient and secure if you pay further attention to Internet Properties settings. Go to Internet Options, as instructed on Page 39, then click on the Advanced tab. The window at right will open. If you know what you are doing, make your own selections. If you don’t, join the club and slavishly follow Times recommendations as shown here. Scroll until you reach the bottom, checking and unchecking the boxes.

This list of settings may not correspond exactly with yours. It depends on your Internet Explorer version. Just do the best you can, referring always to the Times recommendations.

One more page to go. See the next page.


Keep on scrolling, checking and unchecking, folks! You’ll only have to do this once for ultimate Internet Explorer performance.

The “Security” settings at left may be the most important of all. They will give a measure of protection to both you and the Times. Click OK out of Internet Properties and again out of Internet Options. Finished at last!

MTU & RWIN Settings: If you are a dialup VPN user, and if you are running Win95, 98, 98SE or ME, you can improve performance significantly by following these instructions. Don’t bother (don’t even try) if you are running Win2000, WinNT or WinXP. They are smart enough to handle things themselves. Also, don’t bother if you are equipped with a DSL or cable modem, which is as good as it gets. What we are talking about here is strictly for VPNers who dial out to ISPs from machines running the earlier Microsoft operating systems.

What is MTU? It means Maximum Transmission Unit and is recorded in your PC’s registry, where only the brave dare go. The Windows default MTU setting is 1500. This is the optimum setting for LAN connections, which, in a remote sense, mean DSL and cable modems. It is too large, however, for dial-up connections. Since you are a dial-up VPN user, you’ll need to lower this setting to 576.

What is RWIN? It means Receive Window and is defined as “the amount of unacknowledged data that can be outstanding on a TCP connection.” Don’t ask what that means. Just accept the recommendation that RWIN should be set at 4.

Slip the Times VPN installation into your CD drive. The menu will appear. Select “Update System Registry with MTUSpeed Pro v4.10” and click Install Application, or just double-click the menu item.


Don’t worry about this being “for Windows 95.” It will work on Win98, Win98SE and WinME as well. Select Dial-Up Adapter, as shown above. You may have to drill down to select it. “Drill down” means clicking on the down arrow to reveal a list of your adapters. Make sure the “Apply same values” box at lower left is not checked and the “RWIN enabled” box at lower right is checked. Slide the RWIN trackbar to 4. (If the bar won’t slide, click the Optimum Settings button and try again.) Now click the Change MaxMTU button. The New MTU Setting dialog box will appear.

Enter 576 as a new MTU value. Click OK. Now you must also set the MTU for the VPN Extranet adapter. Yes, Contivity’s adapter is still called “Extranet.” Follow directions on the next page.

Drill down and select Extranet Access Client Adapter, as shown below. Slide the RWIN trackbar to 4, click Change MaxMTU, enter 576 and click OK.

To seal the bargain, click the Update Registry button. Click a final OK and reboot. Your dialup VPN sessions should go much better now, with fewer problems when transmitting or receiving long stories and other data.