Nortel 400 Using Manual Download Page 188 | Manualshive

Page: 188 / 344

background image

188

Chapter 6 IP security and VPN

300868-G

It is important to understand that there is a separate SA for each possible
combination of subnets. For example, if the Instant Internet unit’s IPsec
configuration has two local subnets and four remote subnets, then a total of eight
separate SAs exists if all subnets are communicating with each other. In this case,
the CES has four subnets listed in the Local Accessible Networks and two subnets
listed in the Remote Accessible Networks for the branch office connection.

Either gateway can establish communications as needed. For example, an SA can
be initiated by either the Instant Internet unit or by the CES. The initiator of an SA
determines the timeout for that SA. Typically, the timeouts are set the same on
each end, so this is not an issue.

When the Instant Internet unit initiates a phase 1 connection, it sets the timeout to
be the same as that used for the phase 2 SAs. This approximates the effect of
perfect forward secrecy (PFS) because the phase 1 SA expires after the specified
timeout and must be renegotiated before any phase 2 SAs can be re-keyed. Note
that when the CES initiates a phase 1 SA, it does not specify a timeout.

Tunneling to CES when Instant Internet has a static IP address

When a tunnel is established between CES and Instant Internet and the Instant
Internet unit has a static IP address, the tunnel is called a branch-to-branch tunnel.

If you have a static IP address, you can configure a branch-to-branch VPN tunnel
between Instant Internet and a CES, Network address translation (NAT) is not
normally performed through the tunnel.

Note:

When troubleshooting a VPN tunnel, remember that each of these

SAs is established as needed and each is subject to its own possible
success or failure during negotiation.

Note:

If this behavior is undesirable, use the Forced Logoff parameter in

the CES to apply the specified timeout to the phase 1 SA. For details,
refer to your CES documentation.

«
...
186
187
188
189
190
...
»

Summary of Contents for 400

Page 1: ...Part No 300868 G November 2000 4401 Great America Parkway Santa Clara CA 95054 Using the BayStack Instant Internet Management Software Version 7 11 ...

Page 2: ...marks are the property of their respective owners Restricted rights legend Use duplication or disclosure by the United States Government is subject to restrictions as set forth in subparagraph c 1 ii of the Rights in Technical Data and Computer Software clause at DFARS 252 227 7013 Notwithstanding any other license agreement that may pertain to or accompany the delivery of this computer software t...

Page 3: ...ation about the operation design performance or implementation of the Software and user manuals that is confidential to Nortel Networks and its licensors however Licensee may grant permission to its consultants subcontractors and agents to use the Software at Licensee s facility provided they have agreed to use the Software only in accordance with the terms of this license 3 Limited warranty Norte...

Page 4: ...se and disclosure of Nortel Networks confidential information shall continue in effect Licensee may terminate this license at any time The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license Upon termination for any reason Licensee will immediately destroy or return to Nortel Networks the Software user manuals and all copies Nortel N...

Page 5: ...net can function in your network 31 IP networks 32 IPX networks 32 Services Instant Internet provides 33 Deciding what to do next 34 Chapter 2 User access administration 35 Administration program overview 35 Starting Admin 36 Administration program icons 36 Default user and everyone group 37 Restoring the default user 37 Restoring the everyone group 38 Managing directory service users and groups 3...

Page 6: ...ting a user 46 Creating a group 47 Adding a user to a group 48 Deleting users and groups 49 Deleting a user 49 Deleting a group 50 Managing users and groups 50 Copying user and group Internet access settings 51 Viewing effective user access 53 Defining user and group access 54 Disabling user or group access 56 Ignoring group settings option 57 Enabling logging for a user 57 Configuring Internet ac...

Page 7: ...s to a few sites for everyone 88 Allowing access to a few sites 90 Managing a remote Instant Internet unit 91 Chapter 3 Internet activity logging 93 Activity logging overview 93 Monitoring an Instant Internet unit 95 Viewing statistics 95 Viewing users 99 Viewing Web site access 101 Viewing diagnostic information 104 Performing a Trace 106 Monitoring multiple Instant Internet units 107 Activating ...

Page 8: ...on program 122 Administration options that do not apply to SOCKS workstations 123 Host name access controls and SOCKS 123 Configuring socksified applications 124 Configuring common SOCKS enabled software 125 Third party socksifying software 126 Additional information 126 Chapter 5 Advanced IP configuration 127 Using Setup 127 Configuring a static route 128 Configuring IP forwarding 130 Enabling IP...

Page 9: ...otP relay agent feature 150 Configuring Instant Internet as a DHCP server 152 Using Instant Internet as a DHCP workstation 157 Configuring the routing information protocol 157 Configuring an alias for an interface 159 Example 159 Using a DMZ 160 Configuring Instant Internet to support a DMZ 161 Configuring the interface to support the DMZ 161 Publishing the server s 162 Deciding whether to enable ...

Page 10: ...de VPN tunnel 190 Tunneling to the CES when Instant Internet has a dynamic IP address 192 Example for configuring the non Contivity client connection on the CES 193 Configuring Instant Internet as an aggressive mode VPN tunnel 194 Troubleshooting a VPN tunnel connection 196 Viewing a unit s IPsec log 197 IPsec connection state information 197 Chapter 7 Web cache configuration 201 Introduction to W...

Page 11: ...e levels default values 213 Creating a custom cache level 214 Interpreting statistics 215 Using statistics to fine tune cache settings 215 Viewing why requests are not sent from the cache 216 Limiting the size of a cached entry 217 Setting options for special Web requests 219 CGI requests 219 Query requests 219 No cache requests 220 Setting the action the cache performs when a Web server error occ...

Page 12: ...236 I blocked a site but it still opens in a user s Web browser 236 I requested a Web page but the content looks outdated 236 I requested a Web page and the originating Web server takes a long time to respond 237 I am not able to configure a personalized Web page 238 I logged on to a Web site but I am prompted to log on again 238 I added an item to my online shopping cart but it s still empty 238 ...

Page 13: ...nection 254 Chapter 9 IPX configuration and support 257 Using Instant Internet as an IPX to IP gateway 257 Security considerations 257 Performance considerations 258 Normal delays 258 Number of simultaneous connections 258 When to consider a higher speed connection 259 Configuring IPX workstations to use a new unit name 259 Configuring IPX frame types 261 Resolving Winsock conflicts 262 16 bit Win...

Page 14: ...nstalling multiple units 272 Chapter 10 Instant Internet unit configuration support and diagnostics 273 Restarting the Instant Internet unit 273 Identifying the login workstation 274 Adding a unit to the selection list 275 Understanding the name server list order 276 Saving and restoring unit configurations 277 Backing up a unit configuration to disk 277 Restoring a unit configuration from disk 27...

Page 15: ...iles in setup 304 Viewing unit log information 304 Viewing a unit s users 304 Viewing a unit s update history 305 Viewing a unit s advanced TCP IP settings 305 Viewing a unit s port mappings 305 Viewing a unit s support hosts 306 Viewing system files through a Web browser 306 Viewing log files 307 Viewing the update history 307 Viewing the system settings file 308 Viewing a unit s port mappings 30...

Page 16: ...16 Contents 300868 G ...

Page 17: ...alog box 53 Figure 13 Change Settings of User dialog box 56 Figure 14 Change User Access dialog box 58 Figure 15 Change Settings of User dialog box 64 Figure 16 Change Internet Access dialog box 64 Figure 17 Add Internet Access dialog box 65 Figure 18 Change Settings of User dialog box 67 Figure 19 Change Internet Access dialog box 67 Figure 20 Delete access confirmation message box 68 Figure 21 C...

Page 18: ...log box 87 Figure 45 Change Internet access to deny access to a site example 88 Figure 46 Restrict Internet access example 89 Figure 47 Allow Internet access example 90 Figure 48 Monitor main window 94 Figure 49 Sample Stats window 96 Figure 50 Sample Users window 99 Figure 51 Sample Log window 102 Figure 52 Sample Diag window 104 Figure 53 Sample Trace results file 107 Figure 54 Multiple Instant ...

Page 19: ... Figure 80 Enter Server Address dialog box 156 Figure 81 RIP s dialog box 158 Figure 82 Enter IP Information for Interface dialog box 162 Figure 83 Enter IP Information for Interface dialog box 163 Figure 84 Server Publication dialog box 164 Figure 85 IPsec Configuration dialog box 170 Figure 86 IPsec Configuration dialog box 171 Figure 87 Enter IP Address dialog box 172 Figure 88 Pings dialog box...

Page 20: ... Configuration advanced dialog box 255 Figure 113 Windows 95 Run dialog box 260 Figure 114 Instant Internet Units dialog box 260 Figure 115 Select IPX Frame Types dialog box 261 Figure 116 Restarting Instant Internet dialog box 273 Figure 117 iiLogin icon 274 Figure 118 iiLogin Connected as username dialog box 274 Figure 119 Instant Internet Units dialog box 275 Figure 120 Enter Unit s IP Address ...

Page 21: ...ndow 291 Figure 134 Ping test started 293 Figure 135 Ping test finished 294 Figure 136 Trace test started 296 Figure 137 Trace test finished 297 Figure 138 Stress test started 298 Figure 139 Stress test finished 299 Figure 140 Options dialog box in Tools 300 Figure 141 About Instant Internet Setup dialog box Serial Number box 303 Figure 142 Instant Internet Web home page 307 ...

Page 22: ...22 Figures 300868 G ...

Page 23: ...n window toolbar buttons 94 Table 11 Stats window statistics 96 Table 12 Stats window statistics for a dial up or ISDN interface or a VPN tunnel 97 Table 13 Users window statistics 100 Table 14 Monitor main window toolbar buttons 100 Table 15 Sort options in the Users window 101 Table 16 Log statistics 102 Table 17 Log window toolbar buttons 103 Table 18 Sort options in the log window 103 Table 19...

Page 24: ...24 Tables 300868 G ...

Page 25: ...search for information participate in news groups and send and receive e mail Before you begin This manual is intended for network administrators and contains the following information Administering the Instant Internet unit Administering user and group Internet access Monitoring the Instant Internet unit Configuring the Instant Internet unit as a DNS Web or SOCKS proxy Configuring the IP services...

Page 26: ...it You can also view the serial number using the Setup utility For more information see Viewing the Instant Internet serial number on page 303 Model _____________________________________________ Example CQ1001104 or CQ2001E80 Serial _____________________________________________ Example I0300004F or I4000181CC404F Second review the basic installation process in Installing the BayStack Instant Inter...

Page 27: ...and command names and options Example Enter ipconfig release Example Use the winipcfg command italic text Indicates file and directory names new terms book titles and variables in command syntax descriptions Where a variable is two or more words the words are connected by an underscore Example If the command syntax is dns name_server name_server is one variable and you substitute one value for it ...

Page 28: ...p the BayStack Instant Internet 100 Unit Part number 300866 G Provides instructions on installing and administering the Instant Internet 100 hardware Setting Up the BayStack Instant Internet 100 S Unit Part number 209374 A Provides instructions on installing and administering the Instant Internet 100 S hardware Setting Up the BayStack Instant Internet 400 Unit Part number 300867 G Provides instruc...

Page 29: ...tant Internet 400 Unit Setting Up the BayStack Instant Internet 400 S Unit Using the BayStack Instant Internet Management Software Version 7 11 Reference for the BayStack Instant Internet Remote Access Commands Version 7 11 You can print selected technical manuals and release notes free directly from the Internet Go to the www25 nortelnetworks com library tpubs URL Find the product for which you n...

Page 30: ...Networks Technical Solutions Centers An Express Routing Code ERC is available for many Nortel Networks products and services When you use an ERC your call is routed to a technical support person who specializes in supporting that product or service To locate an ERC for your product or service go to the www12 nortelnetworks com URL and click ERC at the bottom of the page Technical Solutions Center ...

Page 31: ...Before you install the Instant Internet unit you should understand your network environment and how the unit functions in the network Instant Internet can function in your network in three ways It can Provide security You can isolate your network from the Internet to help ensure network security You do this for three reasons To prevent Internet users from outside your organization from seeing inte...

Page 32: ...esses You can also configure IP security IPsec to use a virtual private network VPN A VPN is a special type of connection that permits remote users or LANs to communicate with another LAN over a public network such as the Internet When you set up a VPN you are essentially using a public network as your own private secure network On IP networks with IP workstations there is no limit to the number o...

Page 33: ...st enable it DNS Proxy Server Instant Internet acts as a Domain Name Service DNS proxy server by translating host names into numerical IP addresses IP Routing Instant Internet provides access to the Internet through IP routing It maintains routing tables that help it determine the destination of data packets This enables non Windows workstations for example Macintosh UNIX and OS 2 to access the In...

Page 34: ...re the IP services on Instant Internet refer to Chapter 5 Advanced IP configuration on page 127 To use the Instant Internet unit in a virtual private network VPN refer to Chapter 6 IP security and VPN on page 167 To speed up the Internet response time even more by caching sites that are accessed on a regular basis refer to Chapter 7 Web cache configuration on page 201 Web Configuration This featur...

Page 35: ...oming ports and RAW sockets When you install Instant Internet all network users are automatically set up to use the default Instant Internet user profile giving them full Internet access If this suits your environment you do not need to further configure Instant Internet However if you want some users to have restricted access to the Internet or if you want to log the activity of a particular user...

Page 36: ...ight blue identifies an Instant Internet user Gold identifies Instant Internet groups Red identifies Novell Bindery or NetWare NDS users and groups Dark blue identifies NT users and groups The actual icon itself denotes the type of access granted to the user Table 2 describes the user icons in Admin From the Instant Internet program group or menu depending on your operating system select Admin Tab...

Page 37: ...as all the settings and attributes of the Default User You can then change the settings for the new user to be whatever you would like them to be You can also change the settings of the Default User to the settings that you want all new users to have To restore the Default User 1 On the toolbar click Users 2 Choose Users Create the Default User A new user icon labeled default is added to the List ...

Page 38: ... the folder 3 If you want all your users to be able to use Internet Explorer set the Internet Access to allow 127 Refer to Defining controlled Internet access on page 59 Managing directory service users and groups Instant Internet allows you to use the user groups that you already have set up in your network directory services This eases the administration setup process The directory services that...

Page 39: ... Internet access settings Setting the domain You can choose the domain of the users and groups you want to view To set the domain 1 Choose View Set Domain The Set Domain dialog box opens Figure 2 Figure 2 Set Domain dialog box 2 Select the domain you want to view and then click OK Note You cannot administer network directory users from Instant Internet If you want to make changes to users or group...

Page 40: ...e as JDOE This does not affect how the Novell Server identifies her IP workstations on Windows 95 Windows 98 Windows NT or Windows 2000 can check how they are identified from their workstation by clicking the Instant Internet icon in the status area of the taskbar Refer to Identifying the login workstation on page 274 To set user name order 1 Choose View Set User Name Order The Set User Name Order...

Page 41: ...ed Managing Windows 95 Windows 98 Windows NT and Windows 2000 domain users and groups In the Instant Internet Admin window Windows 95 Windows 98 Windows NT and Windows 2000 domain users are displayed as dark blue figure icons and groups are displayed as dark blue folders In the Windows 95 Windows 98 Windows NT and Windows 2000 domain environments Instant Internet uses the Windows 95 Windows 98 Win...

Page 42: ... must use NDS administration utilities refer to the Instant Internet Admin online Help for more information For more information on managing users and groups refer to Managing users and groups on page 50 To view or not view NDS users and groups Choose View View NT Users and Groups Note In a Novell environment if a user is logged in to the NetWare Directory Services NDS by default Instant Internet ...

Page 43: ...t displays Bindery users as red figure icons and groups as red folders in the Instant Internet Admin window For more information on managing users and groups refer to Managing users and groups on page 50 To view or not view Bindery users and groups Note You must use the Novell NetWare workstation to set context Choose View View Bindery Users and Groups Note In a Novell environment when a user is l...

Page 44: ...ur system tray You can double click the icon to find out how that workstation is logged on For more information refer to Identifying IP Workstations in Installing the BayStack Instant Internet Management Software Version 7 11 UNIX and Macintosh workstations cannot use the iiLogin workstation identification Others such as guests or temporary employees who use your network occasionally also may not ...

Page 45: ...roups within Instant Internet that are distinct and separate from your network This option is helpful if you want to add users or remove users on the basis of Internet access but do not want to make changes to the existing network directory service When you use Instant Internet to set up and maintain the Internet access settings for these users they do not appear in your network directory services...

Page 46: ...t want to use a template you do not need to select a user 3 On the toolbar click Create If you selected a user in step 2 you are prompted to verify that the user s profile is to serve as a template Figure 4 Figure 4 Prompt to use selected user as a template The Create a User dialog box opens Figure 5 Figure 5 Create a User dialog box 4 Enter the new user name User names can be up to 255 characters...

Page 47: ...se as a template If you do not want to use a template you do not have to select a group 3 On the toolbar click Create If you selected a group in step 2 you are prompted to verify that the group s profile is to serve as a template Figure 6 Figure 6 Prompt to use selected group as a template The Create a Group dialog box opens Figure 7 Figure 7 Create a Group dialog box 4 Enter the new group name Gr...

Page 48: ... add a user to a group using the Move toolbar button 1 On the toolbar click Users 2 Select the group folder to which you want to move the user 3 Select the user you want to move 4 On the toolbar click Move To remove a user from a group by dragging 1 On the toolbar click Users 2 In the List of Users area select the icon of the user 3 In the Groups the User Is In area select the group folder from wh...

Page 49: ...ve Deleting users and groups Only those users and groups that were created within the Instant Internet utility may be deleted by the Instant Internet utility When a user name is deleted Instant Internet uses the Default User access setting to control that user s Internet access Deleting a user To delete a user 1 From the List of Users select the user you want to delete 2 On the toolbar click Delet...

Page 50: ... all users and groups in the Instant Internet Admin window Icons displaying a figure represent a user those displaying a folder represent a group of users To display all users either click the Users toolbar button or choose Users View User List from the menu bar The Instant Internet Admin main window displays the following information List of Users Groups the User Is In Groups the User Is Not In N...

Page 51: ...up area All users who do not belong are displayed as figures in the Users Not In the Group area Copying user and group Internet access settings To simplify the process of adding users or modifying existing users you can copy the Internet access settings from one user or group and paste it to another user or group To copy the Internet access settings of one user to another user 1 On the toolbar cli...

Page 52: ... Internet access settings of one group to another group 1 On the toolbar click Groups 2 Select the group that has the access settings you want to copy 3 Do one of the following On the toolbar click Copy Choose Groups Copy a Group 4 Select the destination group 5 On the toolbar click Paste A confirmation message box opens Figure 11 Figure 11 Copy group confirmation message box 6 Click Yes to copy t...

Page 53: ... have Internet access designated through several groups and access might vary from group to group Instant Internet provides the View Effective User Access option so that you can view the user s effective actual Internet access To view a user s effective user access On the toolbar click Effect Choose Users View Effective User Access The Effective Settings of User dialog box opens Figure 12 Figure 1...

Page 54: ... administration set the Internet access control for groups rather than for individual users whenever possible After you set group access to a set of Internet resources access for every user in the group changes simultaneously when Internet access changes for the group A user can belong to several groups each with different Internet access settings When this happens Instant Internet assigns the use...

Page 55: ...the default Instant Internet user profile settings as the user s Internet access settings Use the Change option to limit or expand user and group Internet access It is most common to change Internet access for a group rather than for an individual user unless a particular user has unique Internet access requirements Changing access for a group simultaneously changes the access of each user in the ...

Page 56: ...it does for groups If you disable access for a user that user is denied access to the Internet If you disable access for a group access settings that have been defined for that group are ignored and individual settings are used to determine access for each member of the group Disabling access is most useful when dealing with groups you adopted from a directory service To disable user or group acce...

Page 57: ...es Refer to Viewing a unit s users on page 304 This log is separate from the User Log which is a continuous running total and summary kept for each user until the log is cleared The Automatic Logging utility refer to Activating automatic logging on page 109 collects this data and writes it to a file The log is maintained regardless of this setting The Enable Logging option controls only the detail...

Page 58: ...of week and time of day 1 In the Change Settings of User dialog box Figure 13 click User Access The Change User Access dialog box opens Figure 14 showing the days of week and hours in a day Figure 14 Change User Access dialog box 2 To select user access click the appropriate button Full Total uncontrolled Internet access Controlled Internet access is limited to specified IP addresses and ports Ref...

Page 59: ... have two colors in it 6 Select the days of the week and hours of each day for which Internet access is to be allowed and then click OK Internet access is available for the specified days and times only 7 Click OK After you make changes to User Access an asterisk appears to the left of the option indicating that specific Internet User Access settings have been defined For those times that you mark...

Page 60: ...ple if you open a browser and type in www xyz com the browser first asks the DNS proxy to look up the address of that name Instant Internet then checks the access controls having to do with host names and decides whether or not the site is allowable The access controls therefore determine whether or not a name can be resolved into an address Port numbers can be any number from 0 to 65535 where the...

Page 61: ...e Internet addresses as IP addresses or host names and you can select port numbers from the access list provided or enter them numerically Within this option Internet access is designated as follows An asterisk the wildcard symbol is all encompassing whether designating full access no access or specific addresses or ports Table 3 A check mark 3 designates user access to the specified address or po...

Page 62: ...tion 198 Allow both TCP UDP Specifies access to all ports at all IP addresses beginning with 198 80 Allow TCP only Specifies IP access only to port 80 at all connection oriented IP addresses Table 5 Designating Internet access X Address Type Explanation X 21 Disallow TCP Specifies no ftp access from any address Table 6 Sample Internet access control list Address Type Explanation Allow both TCP UDP...

Page 63: ...must first allow access to everything You can allow access to all IP addresses ports and host names and then disallow access one by one as desired Or you can disallow access to all IP addresses ports host names and then allow access one by one as desired The reverse is true if you have the user or group access set to Controlled In this case the user has no Internet access and you must specifically...

Page 64: ...300868 G Figure 15 Change Settings of User dialog box 3 Click Internet Access The Change Internet Access dialog box opens Figure 16 and displays the current access control list for the group or user Figure 16 Change Internet Access dialog box ...

Page 65: ...ies access Host Name Enter a host name for which you are defining access Lookup IP Address If you do not know the IP address of a host name you can enter the host name and then click Lookup IP Address Instant Internet looks up the IP address of the specified host name Type TCP connection oriented UDP connectionless Both TCP and UDP IP Address Enter the IP address of the host name If you do not kno...

Page 66: ...access from a group or user 1 In the Admin window select a group folder or user icon 2 On the toolbar click Change The Change Settings of User dialog box opens Figure 18 Note You can define access to a host name without specifying its corresponding IP address or addresses Some sites change their IP addresses regularly so to avoid editing the access list often you can specify the host name without ...

Page 67: ...gure 18 Change Settings of User dialog box 3 Click Internet Access The Change Internet Access dialog box opens Figure 19 and displays the current access control list for the group or user Figure 19 Change Internet Access dialog box 4 Select the Internet address for which the group or user is to be denied access ...

Page 68: ...o confirm the deletion The IP address is deleted from the group s or user s access control list and the user no longer has access to that Internet address Changing Internet access To change the Internet access of a user or group 1 In the Admin window select a group folder or user icon 2 On the toolbar click Change The Change Settings of User dialog box opens Figure 21 ...

Page 69: ...gure 21 Change Settings of User dialog box 3 Click Internet Access The Change Internet Access dialog box opens Figure 22 and displays the current access control list for the group or user Figure 22 Change Internet Access dialog box 4 Select the Internet address for which the group or user access is to be changed ...

Page 70: ...news group access The News Group button on the Change Settings of User dialog box Figure 24 enables you to designate specific news groups to which each user or group may gain or be denied access News group access is designated when a check mark is displayed next to the name of the news group If access is denied an X is displayed You can add delete or change news groups to which the selected user h...

Page 71: ...news group access To add a news group to group or user access 1 In the Admin window select a group folder or user icon 2 On the toolbar click Change The Change Settings of User dialog box opens Figure 24 Figure 24 Change Settings of User dialog box 3 Click News Groups The Change News Groups dialog box opens Figure 25 ...

Page 72: ...s Figure 26 Figure 26 Add News Group dialog box The following information is displayed Allow Allows access Do not allow Denies access News Groups Enter the name of the news group for which you are defining access 5 Do one of the following To allow access to the news group click Allow To deny access to the news group click Do not allow ...

Page 73: ... window select a group folder or user icon 2 On the toolbar click Change The Change Settings of User dialog box opens Figure 27 Figure 27 Change Settings of User dialog box 3 Click News Groups The Change News Groups dialog box opens Figure 28 Note You can also add or remove an entire section of news groups by placing an asterisk after the news group address For example alt binaries pictures select...

Page 74: ...nfirmation message box opens Figure 29 Figure 29 Delete news group confirmation message box 6 Click Yes to confirm the deletion The news group is deleted from the group s or user s access list and the user no longer has access to that news group Changing news group access To change group or user access to current news groups 1 In the Admin window select a group folder or user icon ...

Page 75: ...et Management Software Version 7 11 2 On the toolbar click Change The Change Settings of User dialog box opens Figure 30 Figure 30 Change Settings of User dialog box 3 Click News Groups The Change News Groups dialog box opens Figure 31 Figure 31 Change News Groups dialog box ...

Page 76: ...tton on the Change Settings for User dialog box Figure 33 enables you to designate incoming ports to which each user or group is allowed access An incoming port is the port number that outside workstations can access Incoming ports allow a user to run server applications on a local computer For example if a user has incoming port access to port 80 the user can start a Web server on a local compute...

Page 77: ... default You can have total control of port access by configuring incoming ports individually for any particular group or user Adding incoming port access To add an incoming port to group or user access 1 In the Admin window select a group folder or user icon 2 On the toolbar click Change The Change Settings of User dialog box opens Figure 33 Figure 33 Change Settings of User dialog box 3 Click In...

Page 78: ...ministration 300868 G Figure 34 Change Incoming Ports dialog box 4 Click Add The Add Incoming Port dialog box opens Figure 35 Figure 35 Add Incoming Port dialog box Table 8 describes the items in the Add Incoming Port dialog box ...

Page 79: ...er or user icon 2 On the toolbar click Change The Change Settings of User dialog box opens Figure 36 Table 8 Add Incoming Port dialog box items Item Description Allow Allows access Do not allow Denies access Type TCP connection oriented UDP connectionless Both TCP and UDP IP Address Enter the IP address of the host name If you do not know the IP address you can enter the host name and select the L...

Page 80: ...68 G Figure 36 Change Settings of User dialog box 3 Click Incoming Ports The Change Incoming Ports dialog box opens Figure 37 Figure 37 Change Incoming Ports dialog box 4 Select the incoming port to which the group or user is to be denied access ...

Page 81: ...ation message box 6 Confirm the deletion when prompted The incoming port is deleted from the group s or user s access list and the user no longer has access to that incoming port Changing incoming port access To change group or user access of current incoming ports 1 In the Admin window select a group folder or user icon 2 On the toolbar click Change The Change Settings of User dialog box opens Fi...

Page 82: ...8 G Figure 39 Change Settings of User dialog box 3 Click Incoming Ports The Change Incoming Ports dialog box opens Figure 40 Figure 40 Change Incoming Ports dialog box 4 Select the incoming port for which the group or user access is to be changed ...

Page 83: ... have been defined Managing RAW sockets The No RAW Sockets option on the Change Settings for User dialog box Figure 42 applies to IPX workstations IP workstations when Instant Internet address translation is enabled for the client side interface Some Internet applications typically diagnostics such as ping use a protocol of RAW sockets for communication Because these sockets require special low le...

Page 84: ... of User dialog box 3 Select the No RAW Sockets check box This prohibits the use of RAW sockets An error message that the Internet user will see when the No RAW Sockets option is selected is Error 10044 WSAESOCKTNOSUPPORT If messages are allowed IPX workstations will receive a RAW sockets restricted message panel and IP workstations will receive an ICMP restricted message panel Note In Tools ping ...

Page 85: ...xrated com which has been disallowed the message Host name restricted is displayed However if you select No Messages the user sees only the application s error message such as Host name does not appear in the DNS table or a similar message that does not reveal why the access failed Creating reports The Instant Internet Reports option lets you select user and group Internet access reports and save ...

Page 86: ...ccess to a few sites page 88 Allowing unlimited access for everyone To allow unlimited access for everyone in a group 1 Set the Everyone Group s access to Full access Refer to Configuring Internet access on page 58 for more information The Change User Access dialog box opens Figure 44 Table 9 Report options Item Description Selected If you choose this option you can choose the reports you want All...

Page 87: ...group access on page 70 for more information 3 Configure Incoming Ports to allow access to all ports and Both TCP and UDP Refer to Managing incoming port access on page 76 for more information After you complete the previous steps all users follow the Everyone Group access settings Note If a user s individual access settings are more restrictive than the Everyone Group settings Instant Internet us...

Page 88: ...formation 2 Configure Internet Access for the Everyone Group by restricting access to a site Figure 45 shows an example Refer to Defining controlled Internet access on page 59 and for more information Figure 45 Change Internet access to deny access to a site example 3 Repeat Step 2 for each site for which you want to restrict access You should now see a list of sites restricted to all users within...

Page 89: ...orts to allow access to all ports and Both TCP and UDP Refer to Managing incoming port access on page 76 for more information After you have completed these steps all users follow the Everyone Group access settings Note If a user s individual access settings are more restrictive than the Everyone Group settings then Instant Internet uses the more restrictive access settings ...

Page 90: ...t the Everyone Group s access to Controlled access Refer to Configuring Internet access on page 58 for more information 2 Configure Internet Access for the Everyone Group by allowing access to www nortelnetworks com Refer to Defining controlled Internet access on page 59 for more information 3 Repeat step 2 to allow access to the site www cnn com You should now see a list of sites allowed to all u...

Page 91: ...client rather than the Instant Internet unit obtains user or group information from the NT domain controller or NetWare server To use the remote site s groups and users rather than the local groups and users create an additional icon in the Instant Internet section of the Start menu called Admin Remote which runs Admin with the remote command Note If a user s individual access settings are more re...

Page 92: ...92 Chapter 2 User access administration 300868 G ...

Page 93: ...stant Internet unit or multiple units on bar graphs and histograms With Monitor you can monitor statistics logs and diagnostics of one or more Instant Internet units Because it provides multi document interface MDI you can use Monitor to view an individual Instant Internet unit or several units simultaneously To start the Monitor program 1 Locate the Instant Internet menu or program group dependin...

Page 94: ...dow toolbar buttons Button Description Opens a window that shows you statistics about the Instant Internet unit Opens a window that shows which users are currently using the Instant Internet unit Opens a window that shows the logging activity of the Instant Internet unit Opens a window that shows diagnostic information about the connections to the Instant Internet unit ...

Page 95: ...stant Internet unit 1 In the Monitor main window click the button for the information you want to view 2 When prompted select the Instant Internet unit you want to monitor The information for the selected unit is displayed If you do not see the Instant Internet unit you want to monitor refer to Adding a unit to the selection list on page 275 Viewing statistics The Stats windows displays the statis...

Page 96: ... running on the Instant Internet unit Up The number of days hours minutes and seconds the Instant Internet unit has been up since last reset Apps The number of applications currently accessing the unit Instant Internet can support an unlimited number of IP workstation application instances and up to 250 IPX workstation application instances Show Sends When you select this option only the data sent...

Page 97: ...s and minutes up or down For a VPN tunnel it shows authentication and encryption types for a connection For ISDN the status field always has the form up down n m active dialing x no MP y disabled up down The status of the interface This status depends on whether the interface is fully activated and IPCP negotiation is complete n m active Where n is the number of individual B channels active and m ...

Page 98: ... tunnel only if you are monitoring an IPsec interface You use it to test situations where you want to force the tunnel to be inactive To make a VPN tunnel connection inactive click the down arrow button The Stats menu contains options for the above buttons and it also contains the following options Connects The number of successful connections number of connection attempts and percentage of succes...

Page 99: ...s option cancels that selection for all Instant Internet units Viewing users You can view a list of all users connected to the Instant Internet unit The user name that appears in the log is controlled by the Set User Name Order you configure in Admin Refer to Setting user name order on page 40 IP workstations not logged in with the Instant Internet workstation login workstation are identified in t...

Page 100: ...cation instances and up to 250 IPX workstation application instances Table 14 Monitor main window toolbar buttons Button Description Refreshes the display to view up to the minute user information including users added Clears all columns for all users The displayed information is cumulative since the log was last reset When you select Clear the user s Sent Received Time and Last columns are reset ...

Page 101: ...record of each Internet Web site that a user accesses Note The Log Off toolbar buttons log off IPX users only Table 15 Sort options in the Users window Item Description Users Sorts the list by user name Bytes sent Sorts the list numerically by bytes sent Bytes received Sorts the list numerically by bytes received Time on Sorts the list numerically by the amount of time the user has been logged on ...

Page 102: ...dow Table 16 describes the information available in the Log window for each selected Instant Internet unit Click the Log toolbar button Table 16 Log statistics Item Information Time Shows the time and date of the activity Name Shows the name of the user When a user starts a task before you enable the monitoring feature the IP address is displayed here Event The type of event ...

Page 103: ...option cancels that selection for all Instant Internet units Table 18 describes the sort options when the Log window is open Table 17 Log window toolbar buttons Button Description Refreshes the display to view up to the minute information for the selected Instant Internet unit Clears all data from the log After you select Clear there is no user activity shown in this log until the next access Expo...

Page 104: ...n view diagnostic information for a particular Instant Internet unit To view diagnostic information The Diag window opens Figure 52 shows a sample Diag window Figure 52 Sample Diag window Click the Diag toolbar button Note The information in the Diag window is not automatically refreshed ...

Page 105: ...ss of the Instant Internet interface being monitored Last time The last day date time and year that data was sent and received Bytes The data sent and received since the last reset is displayed in kilobytes To calculate this speed in kilobits multiply the kilobytes by 8 Discards The number of packets discarded Errors The number of errors sent and received on the server selected for monitoring Last...

Page 106: ... file to the Nortel Networks Technical Support representative for analysis To perform a trace 1 In the Diag window select an interface For an ISDN interface select one of the channels such as ISDN B1 2 Click Trace 3 Select the appropriate options for running the trace based on what the Nortel Networks Technical Support representative tells you 4 Click Start to begin the trace 5 Click Stop to end t...

Page 107: ...ng the units to view and then specifying Tile or Cascade Cascading the view places one Instant Internet unit in front of the other stacks them on the screen Tiling the view shows multiple units side by side and above and below one another on the screen To monitor multiple Instant Internet units simultaneously 1 In Monitor click the appropriate toolbar button 2 From the list select the Instant Inte...

Page 108: ...it you want to monitor 4 To arrange the windows do one of the following Choose Window Tile Choose Window Cascade 5 Manually size each window to suit your needs Figure 54 shows a sample Monitor window with multiple Instant Internet units Figure 54 Multiple Instant Internet units window ...

Page 109: ...o effect on the user s activities To activate automatic logging In Windows 3 x select the AutoLog icon in the Instant Internet program group In Windows 95 Windows 98 Windows NT or Windows 2000 choose Start Instant Internet AutoLog The AutoLog window opens The AutoLog toolbar buttons Table 20 provide shortcut keys to the menu bar options Do one of the following Table 20 AutoLog toolbar buttons Butt...

Page 110: ...he type of log is a User log or a Connection log Server Name Shows the name of the selected Instant Internet unit Frequency Shows how often the logs are automatically saved When AutoLog activates for the first time the AutoLog window columns are blank You must configure the log types server names and frequency of auto saves To configure log types server names and the frequency of auto saves 1 In t...

Page 111: ... Addresses check box If you enable this option Instant Internet automatically turns numeric addresses into readable names 5 In the Log File directory box specify the name of the directory where you want Instant Internet to store the AutoLog files Instant Internet assigns log file names in the following manner U Specifies the file is a User log file C Specifies the file is a Connection log file y S...

Page 112: ...tes a new log file once a week Monthly Creates a new log file once a month Never Never creates a new log file Instant Internet repeatedly adds the selected log information to the same file name 8 Click OK Editing an automatic logging configuration To edit the automatic logging configuration 1 In the AutoLog window select the log configuration you want to edited 2 Click Edit The Event Information w...

Page 113: ...ed format so that any spreadsheet can easily read the file Access time information in both the User Log and Connection Log files is exported in seconds so that any spreadsheet can easily convert the seconds into an hours minutes seconds format Exported user log files include the following information User Name MAC or IP address First access time Last access time Time on in seconds Bytes sent Bytes...

Page 114: ...114 Chapter 3 Internet activity logging 300868 G ...

Page 115: ...e client When a client wants to make a connection to an application server the client connects to the proxy server The application server s address and port number are passed to the proxy server via a proxy protocol The proxy server then connects to the application server After the connection to the application server is established the proxy server relays data between the client and the applicati...

Page 116: ...window opens Configuring Instant Internet as a Web proxy server You can configure the Instant Internet unit to function as a Web HTTP proxy server which enables you to direct all workstations to a remote proxy You can also configure the Instant Internet unit as a Web cache in addition to or instead of the cache on an individual workstations Web caching is available only for Instant Internet 400 un...

Page 117: ...ant Internet unit as a Web HTTP proxy server 1 Start Setup and if prompted select a unit to configure 2 Choose Support Services The Services dialog box opens Figure 56 Figure 56 Services dialog box Web Proxy option 3 Select the Web Proxy check box 4 Click Configure The WEB Proxy Configuration dialog box opens Figure 57 Note To handle FTP requests using the HTTP proxy enable SOCKS on Instant Intern...

Page 118: ...ly if you want to effectively control user access Enter the Port usually 8080 where you want the Web proxy to run If you choose this option you must configure the Web browsers on all workstations to use Instant Internet as the Web proxy server 6 Click OK 7 Use your Web browser to configure Web caching and set other parameters Using a commercial proxy server You can use a commercial proxy server fo...

Page 119: ...alog box opens Figure 58 Figure 58 WEB Server Configuration dialog box 3 Enter the Port number for the Web proxy server The default is 80 4 Click OK Configuring workstations to use the Instant Internet unit as a Web proxy server If you chose to run the Web proxy transparently you do not need to change the browser configuration for each workstation If you chose not to have the Instant Internet unit...

Page 120: ...Instant Internet as a DNS proxy server A Domain Name Service DNS server translates host names into IP addresses Your ISP usually provides this server Instant Internet provides a DNS proxy service through which your IP workstations can access your ISP s server There are several advantages to using this service Access control By setting up Instant Internet as a DNS proxy server you can apply host na...

Page 121: ...k OK Configuring Instant Internet as a SOCKS proxy server A SOCKS proxy server provides a firewall for a network allowing a secure connection to the internet When you configure the Instant Internet unit as an Web proxy server it provides only HTTP proxy support therefore configuring the unit as a SOCKS proxy server also provides a means for handling FTP requests If you have IP workstations already...

Page 122: ...ons with the Administration program If you have IP workstations already configured as SOCKS workstations you can use the Instant Internet unit as a SOCKS proxy server to connect them to the Internet For details refer to Configuring Instant Internet as a SOCKS proxy server on page 121 If you are using SOCKS workstations there are some things you need to be aware of when using the Administration pro...

Page 123: ...ges from the SOCKS server Host name access controls and SOCKS SOCKS requires that the workstation software specify a destination when making a request to the SOCKS server It does allow the workstation to specify the destination either by IP address or by host name To enable access control by host name the Instant Internet unit must be allowed to resolve host names to IP addresses There are two way...

Page 124: ...ctions on configuring workstation software You typically need to provide the following information IP address of the SOCKS server The IP address is shown in the Interfaces list box and is associated with the LAN router interface Domain name Instant Internet needs to be set up as a DNS proxy in order to keep access control for host names SOCKS proxy port This is currently required to be 1080 which ...

Page 125: ...ns If you choose to use SOCKS you must configure the browser applications as follows To configure Netscape Navigator for the PC 1 Start Netscape Navigator 2 Choose Edit Preferences 3 Select Advanced 4 Select Proxies 5 Select the Manual Proxy Configuration option 6 Click View 7 Complete the Socks host and Port boxes 8 Click OK through all dialog boxes to save the settings Netscape Navigator now use...

Page 126: ...on and the platform s native TCP IP software For the PC platform several third party socksifying layers are available both commercially and publicly See your software product documentation for setup information Additional information More information on socksifying software packages can be found on the following Web sites www aventail com Aventail produces AutoSocks a completely transparent layer ...

Page 127: ... is the utility you use to create and configure servers and services for the Instant Internet unit When you install Instant Internet you create and configure general servers and services You can change these settings using Setup To start Setup 1 From the Instant Internet program group or menu depending on your operating system select Setup 2 The next step varies depending on your individual config...

Page 128: ...ers to the Internet but in certain situations it may refer to another router which in turn can reach both other internal networks as well as the Internet When direct Internet connectivity is available the default route always specifies the route to the Internet If you have more than one network using the Instant Internet unit you can specify static routes so that the networks can communicate with ...

Page 129: ...ic Route Configuration dialog box opens Figure 62 Figure 62 Static Route Configuration dialog box 4 In the Destination Address field enter the IP address of the network to which you are routing 5 In the Bits field enter the number of bits for the network portion of the address for example 24 If you do not specify the number of bits 32 an individual host is assumed ...

Page 130: ... routable IP traffic through with no filtering unless filters are defined By default IP forwarding is disabled If you want to configure IP security IPsec for a virtual private network VPN IP forwarding must be enabled Enabling IP forwarding If you have a network interface you can enable IP forwarding By default if two TCP IP interfaces are configured on the Instant Internet unit IP traffic cannot ...

Page 131: ...N account that provides you with a range of IP addresses Enabling IP forwarding for a unit To enable IP forwarding 1 Start Setup and if prompted select a unit to configure 2 Choose Support Other Settings The Other Settings dialog box opens Figure 63 Figure 63 Other Settings dialog box 3 Select the Enable IP Forwarding check box Instant Internet now allows IP forwarding for the Instant Internet uni...

Page 132: ...IP forwarding with two Ethernet interfaces Before enabling IP forwarding check with your ISP to ensure that you have a LAN account that provides you with a range of IP addresses Enabling IP forwarding for two Ethernet interfaces To enable IP Forwarding with two Ethernet interfaces 1 Configure your router to route the additional networks through the Instant Internet unit s router interface connecte...

Page 133: ...l communication and a completely different set of IP addresses for external communications thereby keeping the public from learning the private IP addresses Instant Internet supports both input and output NAT When input NAT is specified Instant Internet translates packets as soon as they are received When output NAT is specified Instant Internet translates a packet when it is sent The Setup utilit...

Page 134: ...lowing Internet access Acting as a firewall If the Instant Internet unit is currently running address translation and is logically installed between the servers you want to be public for example Web servers or mail servers and the Internet then you must add provide some additional configuration See Publishing a private server on page 135 Disabling address translation When Instant Internet hardware...

Page 135: ...rovides you with the ability to publish a server as a fully qualified domain name FQDN When you define the address translation for the server you specify the WAN interface name rather than its current IP address Using Dynamic DNS The Dynamic DNS functionality provided by Instant Internet performs a DNS update whenever the address of an interface changes Carefully consider the implications of using...

Page 136: ...name to be updated The IP address or fully qualified domain name for the DNS server that will accept the update This is normally the primary authority for the zone Configuring Instant Internet to publish a private server To configure Instant Internet to publish a private server regardless of whether you have a static or a dynamic IP address from your ISP you need the following information Public A...

Page 137: ...configure Instant Internet to publish a private server 1 Start Setup and if prompted select a unit to configure 2 Choose Support Server Publication The Server Publication dialog box opens Figure 65 Figure 65 Server Publication dialog box 3 Click Add The Server Publication Configuration dialog box opens Figure 66 ...

Page 138: ... address In this example you are setting up a server that has a static IP address Figure 67 to be reachable from the Internet Instant Internet has set up the IP network and the LAN addresses have IP addresses such as 192 168 1 nnn where nnn is a number between 0 and 255 The Instant Internet unit s client side IP address is 192 168 1 1 The SMTP server is on the LAN and has the address 192 168 1 10 ...

Page 139: ...d IP addresses The Instant Internet unit has a dialup connection to the Internet and an Ethernet connection to the LAN The Web server is to be called iibox dynamic myzone com The Web server has the IP address 192 168 1 10 The Dynamic DNS name server for dynamic myzone com has the IP address 192 122 98 75 To publish a Web server when you have a dynamic IP address from your ISP 1 Enter the public ad...

Page 140: ...Settings Figure 68 The Other Settings dialog box opens Figure 68 Other Settings dialog box 6 Enter the name under Notify DNS Server of dial up interface address change This is the FQDN of the Web server In this example use the name iibox dynamic myzone com 7 Enter the DNS address of the Dynamic DNS server In this example use the DNS address 192 122 98 75 8 Click OK 9 In the main Setup window click...

Page 141: ... unit make the call Instant Internet automatically configures itself for holding a NetMeeting with external computers However you must configure Instant Internet to route incoming NetMeeting data to a particular workstation In this example the Instant Internet unit s public address is 134 177 3 28 provided by your ISP The IP address of the PC that is set to accept an incoming NetMeeting call is 19...

Page 142: ...orks to which it is passing traffic Typically a filter permits the passage of a few well understood packets and denies the passage of everything else Each filter has a logical name and contains a list of rules You can apply filters to any interface on either input or output processing or both Filter rules are processed in the order specified and there is an implicit deny all filter at the end of t...

Page 143: ...ops through all the filters and a match never occurs Instant Internet has to know what to do with a packet There must be a default action The default action could be either to permit all packets that do not match or to deny them The default action in Instant Internet is to deny these types of packets Any packet that is referred to a filter list but does not find a match is automatically dropped Th...

Page 144: ...ure an IP filter 1 Start Setup and if prompted select a unit to configure 2 In the Interfaces area select an interface and then click Filters The interface name Filter Configuration dialog box opens Figure 70 Figure 70 Interface Filter Configuration dialog box ...

Page 145: ...nt Internet Management Software Version 7 11 3 Click Add The Filter Configuration dialog box opens Figure 71 Figure 71 Filter Configuration dialog box 4 In the Filter Name box enter a name for the filter 5 Click Add The Rule Configuration dialog box opens Figure 72 ...

Page 146: ...e default If you select TCP the Established check box becomes available You can select this option to match TCP packets belonging to established connections This is typically used to allow packets for established workstation sessions while preventing access to servers 8 In the Source area enter the following information Address The IP address of the source You can use any valid IP address or host ...

Page 147: ...inning port number This is meaningful only for TCP or UDP filter rules and specifies the port of the data packet Ending Port If you are specifying a range of ports this is the ending port number in the range This is meaningful only for TCP or UDP filter rules The ending port must be greater than the beginning port 10 Click OK You return to the Filter Configuration dialog box and the filter you jus...

Page 148: ... is a benefit of one over the other For example if you have a network with a host to which no one should be allowed to telnet you can apply an output filter to that interface to which the host is connected that blocks Telnet packets from being transmitted to that host Then there is no need to apply this filter to the input of all other interfaces To apply a filter to an interface 1 In the Interfac...

Page 149: ...g the BayStack Instant Internet Management Software Version 7 11 Scopes and leases A DHCP scope is a pool of IP addresses together with a subnet mask and default gateway Each subnet can have only one scope with a single contiguous range of IP addresses You can create the effect of several ranges if necessary by creating a scope that encompasses all the desired ranges and then excluding the address...

Page 150: ...gligible and need not be a concern when selecting a lease period Leases as short as 20 minutes are perfectly practical Using the DHCP BootP relay agent feature A DHCP server can provide IP addresses to workstations on remote subnets if a DHCP BootP Relay Agent exists on each workstation network A Relay Agent routes the workstation requests to the actual DHCP server The DHCP BootP Relay Agent funct...

Page 151: ...151 Using the BayStack Instant Internet Management Software Version 7 11 Figure 74 Services dialog box 3 Select the DHCP check box 4 Click Configure The DHCP Configuration dialog box opens Figure 75 Figure 75 DHCP Configuration dialog box ...

Page 152: ...If you already had a DHCP server running when you first set up the Instant Internet unit the Instant Internet unit did not set itself up to run as a DHCP server You may however later choose to have the Instant Internet unit become the DHCP server To configure Instant Internet as a DHCP server 1 Start Setup and if prompted select a unit to configure 2 Choose Support Services The Services dialog box...

Page 153: ...Click Configure The DHCP Configuration dialog box opens Figure 77 Figure 77 DHCP Configuration dialog box 5 In the Scopes area click Add The Scope Configuration dialog box opens Figure 78 where can you add a range of addresses for the Instant Internet unit to use You can also specify any addresses within that range that you want to exclude ...

Page 154: ... addresses you want the Instant Internet unit to use Subnet Mask This is automatically entered after you enter the Start Address and you move the cursor out of the Start Address field Router Address Enter the IP address of the router you want the workstations to use This should be the IP address of the Instant Internet unit To exclude any addresses in the range you specified above a In the Exclude...

Page 155: ...y the following Start Address The first address of the range of addresses you want to exclude End Address The last address of the range of addresses you want to exclude c Click OK You return to the Scope Configuration dialog box Figure 78 on page 154 7 Click OK 8 In the DHCP Configuration dialog box Figure 77 in the DNS Servers area click Add The Enter Server Address dialog box opens Figure 80 Not...

Page 156: ... 80 on page 156 12 Specify WINS Servers for the workstations to use 13 Click OK You return to the DHCP Configuration dialog box Figure 77 on page 153 14 In the WINS Servers area specify the Node Type for the WINS servers to use B Uses IP broadcast messages P Uses point to point communications M Tries a broadcast B first and if that fails it tries point to point P H Tries point to point P first and...

Page 157: ...t Internet unit as a gateway and DNS server Configuring the routing information protocol Routing information protocol RIP allows a router to select the best path for sending packets to help speed up data transfer Every 30 seconds all routers configured to use the RIP technology broadcast a message that contains their own destination network addresses and the number of hops it takes to get to them ...

Page 158: ...cept Announcements from other Router check box do one of the following Place a check mark in the check box to accept announcements from another router Clear the check box to ignore announcements from other routers 4 In the Announce Routes section select the interface s for which you would like to announce information All selected interfaces are highlighted To select or de select an interface place...

Page 159: ... are limited to computers with V2 Multicast enabled 6 Click OK 7 Continue with any other procedures or click Save and Exit Configuring an alias for an interface An Instant Internet unit can support multiple IP addresses and subnets on one physical interface Each IP address has a name that helps distinguish what each IP address is being used for The name that is given to each additional IP address ...

Page 160: ...that is separate from your internal network and usually contains publicly accessible servers The devices on a DMZ often have publicly announced IP addresses and require less security than your internal network Segmenting your Web FTP e mail or DNS servers in a DMZ allows you to host your own Internet services but keep your internal network secure You may use Instant Internet for a DMZ in one of tw...

Page 161: ... connector on the rear of the Instant Internet to a hub or switch to connect multiple machines to the DMZ When connecting to the seven port switch Eth1 on the Instant Internet 100 S or 400 S unit use either a straight through or a cross over cable Configuring Instant Internet to support a DMZ Once a DMZ has been connected to the Instant Internet unit you configure Instant Internet to support the D...

Page 162: ...unit to configure 2 From the menu bar choose Support Server publication For instructions see Configuring Instant Internet to publish a private server on page 136 Publishing the server s protects the DMZ by limiting traffic to only the published services Deciding whether to enable IP forwarding for your DMZ When IP forwarding is not enabled clients on the private LAN are restricted to public access...

Page 163: ...AN uses private addresses and you are using the seven port switch for your LAN and Eth2 for your DMZ To configure the interface for the DMZ 1 Start Setup and if prompted select a unit to configure 2 Click Add 3 Click Network The Enter IP Information for Eth2 dialog box opens Figure 83 Figure 83 Enter IP Information for Interface dialog box 4 Enter 134 177 3 1 as the IP address for the Instant Inte...

Page 164: ... unit to configure 2 Choose Support Server Publication 3 Click Add 4 In the following fields enter this information Protocol TCP Public IP address 134 177 3 28 Port www Private IP address 134 177 3 28 Port www 5 Click OK The Server Publication dialog box opens Figure 84 Figure 84 Server Publication dialog box ...

Page 165: ...can be accessed from the Internet but you also have a secure LAN Your own LAN clients can also access the Web server through this server publication but if IP forwarding is disabled only in the same way that external clients can access it from the Internet If IP forwarding enabled then unrestricted access is allowed between the private LAN and the DMZ ...

Page 166: ...166 Chapter 5 Advanced IP configuration 300868 G ...

Page 167: ... location or other IPsec compliant devices A VPN is a special type of connection that permits remote users or LANs to communicate with another LAN over a public network such as the Internet When you set up a VPN you are essentially using a public network as your own private secure network When users connect through the VPN you incur only the local toll charges to your ISP To create a VPN a special...

Page 168: ...hase 1 two ISAKMP peers establish a secure authenticated channel with which to communicate The ISAKMP is used to protect further negotiation traffic During phase 2 other Security Associations SA are negotiated on behalf of IPsec Internet Key Exchange IKE defines two basic methods used to accomplish a phase 1 authenticated key exchange Main mode Main mode provides identity protection because the id...

Page 169: ...e Instant Internet unit and the Contivity CES must match The Instant Internet unit responds to a phase 2 key exchange performed by the destination regardless of this setting Note that PFS also incurs significant additional computational overhead that you may want to avoid unless you understand the security implications and PFS is required The default setting for PFS depends on whether you add an I...

Page 170: ...default network This default network is used to select Instant Internet s source address for a packet whose destination is at the other end of an IPsec tunnel This feature allows Instant Internet to participate in its own IPsec tunnels for its own services such as DNS and proxies You can also combine the default network command with NAT so that all addresses can be translated to a single source ad...

Page 171: ...twork setting 1 Start Setup and if prompted select a unit to configure 2 Select the IPsec interface for which you want to modify the default network setting 3 Click Configure The IPsec Configuration dialog box opens Figure 86 Figure 86 IPsec Configuration dialog box 4 In the Default Network area select an interface from the list ...

Page 172: ...t outside of the IPsec tunnel and directly to the Internet and sends only the packets destined for the VPN over the IPsec tunnel The benefit of a split tunnel configuration is that each site s Internet traffic does not traverse the IPsec tunnel and the home office does not have to provide Internet connectivity for all of the branch offices Adding a local or remote IP address To add a local or remo...

Page 173: ...eep the connection active but you still want to check the status of a tunnel The following capabilities are available for the Ping command All Modes For all modes of ping the destination address interval and timeout can be specified The destination should be chosen as some device that is reachable and for which a response is representative of the desired connectivity For example if the purpose of ...

Page 174: ...a primary interface becomes unavailable and the primary interface does not have a reliable indication of its availability or both For example in xDSL and cable modem environments the Instant Internet interface that connects to the Internet is usually an Ethernet interface and that interface is always active as long as the link exists between Instant Internet and the xDSL or cable modem A ping in c...

Page 175: ...nds a ping to the specified destination which initiates a connection if required and counts as activity The receipt of a response or the lack of one has no effect on system operation To configure a ping 1 Start Setup and if prompted select a unit to configure 2 Choose Support Ping s The Pings dialog box opens Figure 88 Figure 88 Pings dialog box 3 Click Add The Ping Configuration dialog box opens ...

Page 176: ...ts 7 Enter the period of time to wait for a ping to come back 8 Select the type of ping to run Monitor Used for IPsec this option checks the validity of a tunnel After a series of failed pings this option destroys the tunnel This type of ping does not initiate a dial up connection or cause a dial up connection to be kept active The ping monitors the validity of the tunnel Control Manages the opera...

Page 177: ...can decide what types of connection you want to allow to your unit This option provides you with another means for selecting the level of security necessary You may specify whether or not you want to allow strictly incoming or outgoing connections to establish a tunnel You may also specify to allow both incoming and outgoing connections to establish a tunnel Allowing only incoming connections You ...

Page 178: ... 0 0 0 0 0 allows all IP addresses on your LAN to be reached through the tunnel This provides no security however To remove this address click the address and then click Remove You can also specify the addresses allowed in the tunnel For more information refer to Adding a local or remote IP address on page 172 9 In the main Setup window click Save and Exit 10 Click Yes to have the changes take eff...

Page 179: ...ox 6 In the Name box enter a name for the tunnel This name must match the one used on the other end of the tunnel 7 In the Key box enter a key for the tunnel The key is the password for the tunnel and must be mutually agreed upon by both Instant Internet units 8 In the Destination box enter the remote Instant Internet unit s public address or Fully Qualified Domain Name FQDN If an FQDN is specifie...

Page 180: ...tep 16 Yes You are given the opportunity to configure the monitor and control settings The Enter Monitor Control Connection Information dialog box opens Figure 92 Figure 92 Enter Monitor Control Connection Information dialog box 12 Choose whether you want to monitor or control the connection by clicking the option For more information refer to Using Pings on page 173 13 Enter the IP address of a d...

Page 181: ...tablish a tunnel Select this option only if security is not as much of an issue To allow both incoming and outgoing connections for a tunnel 1 Start Setup and if prompted select a unit to configure 2 Click Add 3 In the Select Connection Type dialog box click IPsec 4 In the Select Connection Device dialog box click BayStack II 5 In the Select Type of Connections dialog box click Both The IPsec Conf...

Page 182: ...You can specify an address here to force a packet to go through the tunnel The default local address is that of your Local Area Network 10 In the Remote Addresses area click Add to enter the IP addresses of the remote site that allowed to participate in the tunnel For more information refer to Adding a local or remote IP address on page 172 11 Click OK to close the IP Configuration dialog box 12 D...

Page 183: ...abilities are also designed to establish a tunnel with a Contivity Extranet Switch CES at another location You can configure an Instant Internet to CES VPN regardless of whether you get a static IP address or a dynamic IP address from your ISP When you get a dynamic IP address from your ISP the tunnel uses aggressive mode When you get a static IP address from your ISP the tunnel uses main mode If ...

Page 184: ...ss If the address is not the same create an alias interface on Instant Internet and assign the static address to that alias Set the default network to the interface that has the static address and enable output NAT on the IPsec interface This translates all packets leaving the IPsec interface before they are encrypted and encapsulated to have that interface s address as a source Alternatively inpu...

Page 185: ... data if it is configured as higher priority than DES Instant Internet does not support compression The fact that Instant Internet does not support compression does not affect compression on the CES Compression may be enabled on the CES even though it is not supported on Instant Internet Other issues If you enable the Instant Internet unit as a DNS proxy server the DNS addresses configured in Inst...

Page 186: ... and operates properly Instant Internet provides a Ping utility as a keep alive mechanism in order to circumvent the problems associated with losing one end of a tunnel For more information refer to Using Pings on page 173 Dial up environments and tunnel validity In a dial up or equivalent analog ISDN PPPoE environment the Internet connection may not exist at all times which can cause a problem wh...

Page 187: ...t amount of time on the model 400 unit this process requires approximately one second Use a ping to monitor or control the tunnel refer to Using Pings on page 173 Tunnel timeouts The Instant Internet unit s IPsec feature performs all communications across a Security Association SA also referred to as a tunnel An SA is negotiated using Internet Key Exchange IKE standards using two main types of neg...

Page 188: ... be the same as that used for the phase 2 SAs This approximates the effect of perfect forward secrecy PFS because the phase 1 SA expires after the specified timeout and must be renegotiated before any phase 2 SAs can be re keyed Note that when the CES initiates a phase 1 SA it does not specify a timeout Tunneling to CES when Instant Internet has a static IP address When a tunnel is established bet...

Page 189: ...bnet information if not using split tunneling specify an IP address of 0 0 0 0 and a mask of 0 0 0 0 or if you use split tunneling specify the IP addresses of all local subnets that will participate in the VPN To determine whether you are using split or non split tunnelling refer to Managing local and remote IP addresses on page 172 3 Click Add to create the new network 4 Click Close 5 Choose Prof...

Page 190: ...he Contivity Extranet Switch dialog box click Yes The IPsec Configuration dialog box opens Figure 95 Figure 95 IPsec Configuration dialog box 6 Enter the following information Name Select the default name suggested or enter a unique name for the tunnel This name should be one that you can associate easily with this particular tunnel This name does not have to match the one used at the other end of...

Page 191: ...owed to participate in the tunnel For more information refer to Adding a local or remote IP address on page 172 9 Click OK to close the IP Configuration dialog box The Enter Monitor Control Connection Information dialog box opens Figure 96 Figure 96 Enter Monitor Control Connection Information dialog box 10 Choose whether you want to monitor or control the connection by clicking the option For mor...

Page 192: ...tablished between the CES and an Instant Internet unit that gets a dynamic IP address from the ISP the tunnel is called an aggressive mode tunnel CES 2 6 includes additional support for aggressive mode clients Instant Internet can send identification information when a connection is made using aggressive mode therefore CES 2 6 allows Instant Internet to have a dynamic IP address However the CES ne...

Page 193: ...w non Contivity clients for the appropriate group and then click OK 3 From Profiles Users add a user or select an existing user from the group that was edited in step 2 to use the VPN You must create the user as a local user in the LDAP database internal or external you cannot use RADIUS authentication for this type of connection 4 Edit the new or selected user with the following information Assig...

Page 194: ...sec 4 In the Select Connection Device dialog box click Contivity 5 In the Contivity Extranet Switch dialog box click No The IPsec Configuration dialog box opens Figure 97 Figure 97 IPsec Configuration dialog box 6 Enter a name for the tunnel This name is the local user you configured in the CES 7 Enter a key for the tunnel The key is the password for local user configured in CES 8 Enter a destinat...

Page 195: ...s networks For more information on adding IP addresses refer to Adding a local or remote IP address on page 172 11 Click OK to close the IPsec Configuration dialog box The Enter Monitor Control Connection Information dialog box opens Figure 98 Figure 98 Enter Monitor Control Connection Information dialog box 12 Choose whether you want to monitor or control the connection by clicking the option For...

Page 196: ...Internet provides several methods for testing and troubleshooting IPsec Use the ipsec command to view a list of active tunnels For details refer to Reference for the BayStack Instant Internet Remote Access Commands Version 7 11 View the Instant Internet unit s IPsec log to refer to information on IPsec negotiations For details refer to Viewing a unit s IPsec log on page 197 You can also use the ip...

Page 197: ...g The IPsec log details low level protocol information regarding IPsec negotiations for a virtual private network VPN tunnel To view a unit s IPsec log 1 Start Setup and if prompted select a unit to configure 2 Choose View Ipsec Log 3 Review the file as needed To print the file choose File Print 4 To close the file choose File Close IPsec connection state information Table 21 Table 22 Table 23 and...

Page 198: ...curity Association waiting for Key Exchange 14 Sent Key Exchange waiting for Identification The pre shared keys did not agree 15 Sent Key Exchange waiting for Identification The pre shared keys did not agree 16 Phase 1 complete 17 Phase 1 complete Table 22 Phase 1 aggressive mode states No Meaning Reason 21 Sent Security Association waiting for Security Association Remote unit did not accept aggre...

Page 199: ...agree without local and remote configuration 33 Sent Security Association waiting for Security Association The other end did not choose any of the Instant Internet proposals The Instant internet subnets did not agree with the other end s local and remote configuration Perfect Forward Secrecy not configured other end requires it Perfect Forward Secrecy sent not received 34 Sent Security Association...

Page 200: ...200 Chapter 6 IP security and VPN 300868 G ...

Page 201: ...mance when you block cookies For details refer to Managing cookies on page 223 Reduce employee recreation on company time when you block access to certain sites For details refer to Managing Web site access on page 228 How the Instant Internet unit functions as a proxy server When configured as a Web proxy server the Instant Internet unit is a demand side downstream caching proxy server that helps...

Page 202: ... Internet unit functions as a server and returns requested Web content from the Internet to the user as if it was the originating Web server How Web caching works Each time a user requests Web content and the originating Web server returns a response to that request the response is stored in the cache as an entry An entry is generated for every element of a requested Web page including graphics te...

Page 203: ...s the new entry to the user How Web caching works with a user s local cache As a downstream caching proxy server the Instant Internet unit is located between a user s workstation on the network and the Internet If you disable the local cache on a user s Web browser the Instant Internet unit is the user s primary cache and all requests for Web content go directly to the cache server If you enable t...

Page 204: ...figure and manage all Web proxy and caching functions for the Instant Internet unit Before you can use a Web browser to manage Web cache options or configure system files you must enable the Instant Internet unit as a Web proxy and enable Web configuration You must also configure each workstation to use the Instant Internet unit as the Web proxy server For details refer to Configuring Instant Inte...

Page 205: ...es and information Web Cache Statistics click Statistics For more information on interpreting statistics refer to Increasing efficiency on page 207 Web Sites click Web Sites For more information on managing Web sites refer to Managing cookies on page 223 and Managing Web site access on page 228 Web Cache Configuration click Configure For more information on configuring the cache server refer to In...

Page 206: ...net unit as a Web proxy server it immediately begins caching Web entries Cache statistics are available but you do not have to monitor the cache server or change settings unless you want to The Web cache is configured with some default settings that help you start caching Web content and saving bandwidth immediately However if you want to fine tune the Instant Internet unit settings to take advant...

Page 207: ...ty of a network connection or device to carry data in this case your Internet connection The amount of data that is transmitted in a fixed amount of time depends on the bandwidth capacity of your connection The more efficiently you cache Web entries the less bandwidth is required and the lighter the network load The Instant Internet unit helps save bandwidth by caching frequently requested Web ent...

Page 208: ...an Change the cache level The Instant Internet unit is shipped with three predefined cache levels and an additional custom level that sets expiration and certain special Web request options for the Instant Internet unit The first thing you can do to increase efficiency is change from the default Moderate cache level to the Aggressive level For details refer to Selecting a cache level on page 209 R...

Page 209: ...ul data For example if the cache fills up in 2 days run your experiment for twice the amount of time 4 days to see the effects of your changes on the cache statistics Running the experiment for the same amount of time as it takes the cache to fill up may not provide accurate statistics Selecting a cache level The Instant Internet unit is shipped with three predefined cache levels Conservative Mode...

Page 210: ...d time stamp the Instant Internet unit calculates the expiration time based on the following formula of current date and time entry s last modified date and time Setting the percentage high allows for more cache usage at the risk that the cache may return a stale or outdated entry Setting the percentage low ensures that the entry is more current at the risk of less cache usage The degree of stalen...

Page 211: ...a last modified date and time of 365 days ago at noon on 7 4 1999 With the Aggressive non text expiration set to 200 the bard gif file will expire 730 days into the future at noon on 7 4 2002 In this case the cached entry is sent to the user Minimum expiration time The minimum expiration time entered in minutes specifies how the Instant Internet unit extends the freshness time of a text or non tex...

Page 212: ...page calls a list of the previous day s top eight most requested stocks called 8stocks html that has a last modified date and time of seven hours ago at 5 00 AM on 7 4 2000 With the Aggressive text minimum expiration time set to 30 minutes the 8stocks html page should expire at 5 30 AM Because the Aggressive text minimum expiration time is set to 200 the calculated time 14 hours is more than the m...

Page 213: ...ther extends expiration times and allows cached responses to CGI and query requests This level provides the most bandwidth savings Table 25 shows the default expiration settings for text and non text entries and request and response settings for each predefined cache level No cache requests are not enabled for any predefined cache level If you want to enable no cache requests you must create a Cus...

Page 214: ...fine tune the individual settings you want Table 25 For example if the Aggressive level expiration settings work for you but you want to disable CGI and query requests select the Aggressive level and then disable those two options To create a Custom cache level 1 On the Home page click Web Cache The Web Cache page opens 2 On the Web Cache page click Configure The unit Configuration page opens 3 In...

Page 215: ...stics page opens Click Help for more information about each field on any page Using statistics to fine tune cache settings On the Web Cache Statistics page you can view information on the response rate maximum and average entry size entry expiration settings entry request counts cache utilization request and response settings and why requests are not sent from the cache Experiment with the various...

Page 216: ...Web content Typically when the statistics for entries with a single hit are 70 or less the cache statistics are higher 40 to 50 hit ratio If the statistics for single hit entries are above 80 the cache statistics are lower 20 to 30 hit ratio These statistics can vary depending on cache usage Viewing why requests are not sent from the cache When a user requests Web content the request passes throug...

Page 217: ...el to Moderate or Aggressive refer to Selecting a cache level on page 209 or you can create a Custom cache level and enable the option individually refer to Setting options for special Web requests on page 219 If the statistics show that requests are not returned from the cache because a no cache header was embedded in the request or the response enable no cache responses to be cached For details ...

Page 218: ...c displays the average size of each entry stored in the cache If the average entry size is small you can set the maximum size entry lower If it is large set it higher To review the statistics 1 On the Home page click Web Cache The Web Cache page opens 2 On the Web Cache page click Statistics The Web Cache Statistics page opens Click Help for more information about each field on any page To adjust ...

Page 219: ...r information in return You can select whether to retrieve the same CGI requests from the cache or from the originating Web server If you select to retrieve the same CGI requests from the cache and two users use a CGI program to request the same information from the same Web server and the results are the same the results are sent from the cache rather than the originating Web server To determine ...

Page 220: ...stant Internet unit searches the URL for an indication that the request may contain a CGI request or a query request For example a dictionary Web site may receive a query request that contains the word to be defined in the URL In most cases the results of these types of requests are cached However if an originating Web server uses CGI or query requests to generate a response that contains a user s...

Page 221: ... you do not enable this option To set options for special Web requests 1 On the Home page click Web Cache The Web Cache page opens 2 On the Web Cache page click Configure The unit Configuration page opens 3 In the Web Cache Level area click Customize The Custom Cache Level page opens 4 In the Request Response Options area configure the special Web request settings Click Help for more information a...

Page 222: ...nating Web server error 1 On the Home page click Web Cache The Web Cache page opens 2 On the Web Cache page click Configure The unit Configuration page opens 3 In the Web Cache Level area click Customize The Custom Cache Level page opens 4 In the Request Response Options area select or clear the Return expired cache entry on server error check box Click Help for more information about each field o...

Page 223: ...site to personalize your browsing session according to your past preferences and generally make navigating the Web site or purchasing items easier A Web site is said to be serving cookies if it places a cookie file on your computer s hard drive When you browse through the site the cookie is returned with the information about your movements to the Web server In this case the workstation is said to...

Page 224: ...of the Instant Internet unit Nortel Networks recommends that you block all cookies for all unconfigured Web sites and permit cookies only for individual Web sites that require them Note In this manual the term unconfigured Web site is used to refer to any Web site that is accessed for the first time through the Instant Internet unit as well as any Web site that does not have site specific settings...

Page 225: ...es for all unconfigured Web sites provides two benefits Allows more entries to be cached By default the Instant Internet unit does not cache text requests that contain cookies Protects your organization s online privacy by preventing cookies from being set and returned to anonymous Web servers Managing cookies for all unconfigured Web sites You can restrict unconfigured Web sites from setting cook...

Page 226: ...e problem site Sorting by most recent access is helpful because the actual Web site serving cookies is often not the Web site name For example a user trying to access the Web site www abcnews com may receive a message that cookies are required but the actual site that requires the cookie may be www my myabc com When you identify the site click the site name in the list to configure site specific o...

Page 227: ... list of all recently requested Web sites Each record displays the IP address or host name of the requested site the date and time of its most recent access and the number of times an entry has been requested from the Web site You can sort the list by name access time and number of requests The Instant Internet unit records the IP address or host name of each requested Web site Each time a user re...

Page 228: ...y page Managing Web site access Establishing a Web site access policy helps you determine how to configure Web sites Your Web site access policy will be the result of experimentation When you establish your policy consider the following If you block access to all unconfigured Web sites users will not have access to any Web site on the Internet and you must permit access to each site individually F...

Page 229: ...s to all unconfigured Web sites you restrict access to all new and previously unconfigured Web sites accessed through the Instant Internet unit To block access to all unconfigured Web sites 1 On the Home page click Web Cache The Web Cache page opens 2 On the Web Cache page click Web Sites The Web Sites page opens 3 Click Default Options The Default Web Site Options page opens Note After you block ...

Page 230: ...On the Web Cache page click Web Sites The Web Sites page opens 3 Click the IP address or host name for the individual Web site The cache settings page for the individual Web site opens 4 In the Site Specific Options area select the Block access to this server check box Click Help for more information about each field on any page Setting Web site activity display options On the Web Sites page you c...

Page 231: ...ge click Web Cache The Web Cache page opens 2 On the Web Cache page click Web Sites The Web Sites page opens 3 Click Default Options The Default Web Sites Option page opens 4 In the Display Options area do any of the following Select or clear the Display most recent access and activity notices for each site check box Enter the Number of entries to display per page Click Help for more information a...

Page 232: ...b site list by most recent access refer to Sorting the Web sites list on page 227 and look for Web servers that have site names related to the problem site To bypass the cache for a particular Web site 1 On the Home page click Web Cache The Web Cache page opens 2 On the Web Cache page click Web Sites The Web Sites page opens 3 Click the IP address or host name for the individual Web site The cache...

Page 233: ...he Web Cache page click Web Sites 3 Click Backup 4 In the Filename box enter a name for the file that you can easily remember or associate with this file 5 Click Save The Save As dialog box opens 6 Navigate to the place on your local machine where you would like to save the Web site configuration file 7 Click Save To restore a Web site configuration 1 On the Home page click Web Cache The Web Cache...

Page 234: ...s Nortel Networks recommends that you set active refresh to operate during your company s normal business hours For example if your company s business hours are Monday through Friday from 8 AM to 5 PM select each week day and set the start time to 8 00 AM and the duration to 9 hours and 00 minutes The same time is used for each selected day To enable active refresh and set refresh options 1 On the...

Page 235: ...ect a hit rate of between 40 to 60 but the percentage will vary based on usage A high percentage indicates that users are requesting actively refreshed entries A lower percentage 10 to 15 indicates that active refresh is not providing much of a benefit and you may want to disable this option to save bandwidth To view active refresh statistics 1 On the Home page click Web Cache The Web Cache page o...

Page 236: ...m Web site For details refer to Bypassing the cache for a Web site on page 231 If bypassing the cache does not solve the problem the originating Web server may be down or is not responding Be sure to reenable the cache for the problem Web site I blocked a site but it still opens in a user s Web browser Problem The user may have the local cache enabled on the user s workstation and the content requ...

Page 237: ...ernet unit is configured to return expired Web entries when a Web server error occurs Solution Create a custom cache level and disable the option to return expired Web entries when a Web server error occurs For details refer to Creating a custom cache level on page 214 and Setting the action the cache performs when a Web server error occurs on page 222 I requested a Web page and the originating We...

Page 238: ... cookies are blocked Solution Enable cookies for the problem Web site For details refer to Managing cookies for a particular Web site on page 226 Problem The cache server is incompatible with the originating Web server Solution Bypass the cache for the problem Web site For details refer to Bypassing the cache for a Web site on page 231 I added an item to my online shopping cart but it s still empt...

Page 239: ...g advanced communication settings for an ISDN connection If you have an ISDN interface on the Instant Internet unit you can configure a backup connection phone number bandwidth on demand settings inbound voice and outbound priority 100 S and 400 S units only and the inactivity timeout You configure these settings through the ISDN Configuration dialog box To open the ISDN Configuration dialog box 1...

Page 240: ...vices select the Do not disable second channel on PPP negotiation failure check box Adding a backup phone number Instant Internet dials the primary phone number first after each successful connection However for those times when the primary ISDN phone number is busy or fails you can designate a backup phone number When Instant Internet detects a busy signal or problem in dialing the main phone num...

Page 241: ...ty timeout The inactivity timeout saves connect time charges during times when no one is requesting Internet access It specifies the number of minutes or seconds of inactivity over the ISDN connection after which Instant Internet terminates the connection When you need access again Instant Internet automatically reestablishes a connection within a few seconds To configure the inactivity timeout fo...

Page 242: ...on advanced dialog box opens This dialog box differs depending on the type of hardware that you have Figure 102 is for the Instant Internet 100 S and Instant Internet 400 S units and Figure 103 is for the Instant Internet 100 and Instant Internet 400 units Figure 102 ISDN Configuration advanced dialog box for the 100 S and 400 S units ...

Page 243: ...lick Advanced The ISDN Configuration advanced dialog box opens Refer to Figure 102 or Figure 103 depending on your hardware 2 Select the Dial on demand check box 3 Change any of the following information Dial threshold Enter the percentage of bandwidth that must be in use before an additional interface can dial Hangup threshold Enter the percentage of bandwidth below which an interface hangs up Ti...

Page 244: ...first priority for control of the line when you are making a voice call If you make a voice call and all channels are busy one of the data channels is dropped to allow the voice call to continue 3 In the Inbound Voice area select one of the following POTS Specifies that an inbound call marked as voice is sent to the telephone line DOVBS Specifies that an inbound call marked as voice is sent to the...

Page 245: ...lect this option enter the local phone numbers for the two B channels Call ISP disconnect wait for call back Instant Internet initiates a call to your ISP When the ISP answers the call it validates your account disconnects and then calls the Instant Internet unit Select this option if you are charged by the minute for placing calls but your ISP is not This option may not be available in all areas ...

Page 246: ...alog box Adding a backup phone number Instant Internet dials the primary phone number first after each successful connection However for those times when the primary dial up phone number is busy or fails you can designate a backup phone number When Instant Internet detects a busy signal or problem in dialing the main phone number it automatically dials the backup phone number to make a connection ...

Page 247: ...n you need access again Instant Internet automatically reestablishes a connection within a few seconds To configure the inactivity timeout for a dial up connection Enabling bandwidth on demand If you have a dual analog modem configuration you can set the dial and hang up thresholds and the demand timeout for the dial up connection To configure bandwidth on demand 1 Click Advanced The Dialup Config...

Page 248: ...mber of minutes with no traffic before the interface hangs up A value of zero prevents the interface from timing out 4 Click OK Configuring the modem speaker To configure the modem speaker 1 Click Advanced The Dialup Configuration advanced dialog box opens Figure 106 Figure 106 Dialup Configuration advanced dialog box 2 Set the Modem Speaker to On or Off 3 Set the Speaker Volume 4 Click OK Note If...

Page 249: ...dvanced communication settings for a T1 connection If you have T1 interface on the Instant Internet unit you can configure the starting channel line style clock auto loopback settings and a backup interface To configure advanced communication settings for a T1 interface 1 Start Setup and if prompted select a unit to configure 2 In the Interfaces area select the T1 interface and then click Configur...

Page 250: ...r 8 Advanced communications configuration 300868 G Figure 107 T1 Configuration dialog box 3 Click Advanced The T1 Advanced Configuration dialog box opens Figure 108 Figure 108 T1 Advanced Configuration dialog box ...

Page 251: ...16 This value should be supplied by your T1 service provider If this value is set incorrectly the performance data may not be available and a loopback request may not be recognized Clock If the network provides the clock for the T1 line select External If the Instant Internet unit provides the clock select Internal In almost all cases the network provides the clock Auto loopback Auto loopback is u...

Page 252: ...terfaces area select the E1 interface and then click Configure The E1 Configuration dialog box opens Figure 109 Figure 109 E1 Configuration dialog box 3 Click Advanced The E1 Advanced Configuration dialog box opens Figure 110 Figure 110 E1 Advanced Configuration dialog box ...

Page 253: ...mands such as loopback This data may follow one of two standards ANSI T1 403 or AT T 54016 This value should be supplied by your E1 service provider If this value is set incorrectly the performance data may not be available and a loopback request may not be recognized Clock If the network provides the clock for the E1 line select External If the Instant Internet unit provides the clock select Inte...

Page 254: ...onnection you can configure dial on demand settings to establish a connection to the Internet as needed To configure dial on demand settings 1 Start Setup and if prompted select a unit to configure 2 In the Interfaces area select the PPPoE interface and then click Configure The PPPoE Configuration dialog box opens Figure 111 Figure 111 PPPoE Configuration dialog box ...

Page 255: ...Configuration advanced dialog box opens Figure 112 Figure 112 PPPoE Configuration advanced dialog box 4 Select the Demand mode check box When you clear this check box the Instant Internet unit establishes and maintains a connection indefinitely 5 In the Timeout boxes enter the number of minutes of no traffic before the interface hangs up 6 Click OK ...

Page 256: ...256 Chapter 8 Advanced communications configuration 300868 G ...

Page 257: ... the Internet stops With the IPX configuration of the Instant Internet you do not need to load TCP IP anywhere on the LAN not on any workstation nor on any server All Internet packets stop at the unit Internet users cannot see LAN resources and hackers cannot get in To achieve the same level of security using Instant Internet with a router as with a dial up connection you should use the dual Ether...

Page 258: ...simply busy if the path is congested or if there is a temporary Internet circuit failure anywhere along the line These types of delays are beyond the control of the Instant Internet unit By the very nature of the Internet s structure any operation is prone to delays Number of simultaneous connections Instant Internet is limited to 250 simultaneous IPX applications which can be 250 users each runni...

Page 259: ...stations to use the new name For details on changing a unit s name refer to Changing a unit s name on page 285 You can configure IPX workstations using the workstation software you copied to a network drive or the BayStack Instant Internet Software and Documentation Version 7 11 CD To configure and IPX workstation to use a new unit name 1 Do one of the following If you are using Windows 95 Windows...

Page 260: ... of the network drive or the CD ROM drive 3 Click OK The update process begins If you have only one unit the update process completes and the name is updated If you have more than one unit the Instant Internet Units dialog box opens Figure 114 Figure 114 Instant Internet Units dialog box 4 Select the new Instant Internet unit name and then click OK ...

Page 261: ...ou know that they are not used To select the frame types you want the Instant Internet unit to support 1 Start Setup and if prompted select a unit to configure 2 Choose Support IPX Frame Type The Select IPX Frame Types dialog box opens Figure 115 Figure 115 Select IPX Frame Types dialog box 3 Do the following Select the check boxes of the frame types you want the Instant Internet unit to use Clear...

Page 262: ...insocks work and some limitations of using multiple Winsocks Install TCP IP on the workstations that are having Winsock conflicts refer to Installing TCP IP on a Workstation of Installing the BayStack Instant Internet Management Software Version 7 11 and configure them to use the Instant Internet unit as an IP to IP gateway As an IPX client the client applications share the Instant Internet TCP IP...

Page 263: ...d Winsock 2 0 The Install program always installs the Winsock 2 0 client software on Windows 98 Windows NT and Windows 2000 workstations On a Windows 95 workstation the Install program auto detects what Winsock standard is installed on the workstation If for some reason this does not happen during installation you can force the Install program to install the Winsock 2 0 compliant Winsocks with the...

Page 264: ...ation before you open another Using multiple 32 bit Winsocks Using multiple versions of Winsock in a 32 bit environment allows you to have more than one loaded into memory at a time If you want to use the Microsoft wsock32 dll file for some applications and the Instant Internet file for others then you need to make sure that the appropriate wsock32 dll file is in the appropriate application direct...

Page 265: ...s 3 x workstation 16 bit only c windows winsock ini c windows winsock dll renames existing file and replaces c windows ptnetwrk dll Windows 95 and Windows 98 The following files are copied on a Windows 95 or Windows 98 workstation for Winsock 1 1 16 bit and 32 bit c windows winsock ini c windows winsock dll renames existing file and replaces c windows ptnetwrk dll c windows ptnetwrk vxd c windows ...

Page 266: ... bit and 32 bit winnt winsock ini winnt system32 drivers pti sys winnt system32 oemnxpii inf winnt system32 ptnetwrk dll winnt system32 ptnet32 dll winnt system32 ws2pt dll winnt system32 winsock dll renames existing file and replaces Resolving Winsock conflicts during installation When you install a local or network copy of the Instant Internet software certain computer specific files such as dll...

Page 267: ...twork interface This address works because internally generated packets destined for hosts on the network connected to the network interface always have a source IP address of the network interface Refer to Configuring an IP filter on page 142 for more information on IP filtering Configuring the Instant Internet unit in a multiple unit environment When you use multiple Instant Internet units in an...

Page 268: ...s unit iibox1 backupii where you have two Instant Internet units one called iibox1 and the second called backupii To allow load balancing across multiple Instant Internet units see the following example The brackets define the set of units to which a user is randomly connected unit instant1 salesii iibox2 In the following example the user connects randomly to iia or iib If one fails the unit tries...

Page 269: ... the individual workstation installation from which the user selects a workgroup The Default section at the beginning of the install cgf file must contain DEFAULT select Sales Accounting Marketing IS Normal This entry creates the menu the user sees at the individual workstation installation The workgroups are Sales Accounting Marketing IS and Normal You can further configure the default installati...

Page 270: ...unit is iibox1 The second default unit is iibox2 The third default is backupii The administrative utilities are not installed and you are not prompted to install them Example Accounting In this example this set of defaults is called Accounting ACCOUNTING description Accounting type private directory c instinet unit iibox2 iibox1 backupii choice admin The software installs to a private directory an...

Page 271: ...Instant Internet Management Software Version 7 11 The user is connected randomly to either iibox1 iibox2 or backupii page 268 The administrative utilities are not installed and you are not prompted to install them Example IS In this example this set of defaults is called IS IS description IS type network directory f instinet unit iibox1 iibox2 backupii choice admin The software installs to a netwo...

Page 272: ...Instant Internet unit rather than by distributing all requests to one unit Installing more than one unit also provides fault tolerance allowing users to restart an Internet application quickly in the rare event that one unit fails Tips for installing multiple units If you are installing multiple units be sure to install each unit individually plug in one unit configure it and then complete the ins...

Page 273: ...This chapter describes how to view and change the Instant Internet unit configuration Restarting the Instant Internet unit To restart the Instant Internet 1 Start Setup and if prompted select a unit to restart 2 Choose File Restart Unit The Restarting Instant Internet dialog box opens Figure 116 Figure 116 Restarting Instant Internet dialog box ...

Page 274: ...7 appears in the system tray Figure 117 iiLogin icon You can view the user name user type unit IP address and the name order of directory services For more information refer to Identifying IP Workstations of Installing the BayStack Instant Internet Management Software Version 7 11 To identify the Login workstation The iiLogin Connected as username dialog box opens Figure 118 Figure 118 iiLogin Con...

Page 275: ...Instant Internet units may not appear in the selection list If you do not see the unit you want you can add the unit to the list of available units To add an Instant Internet unit to the list of available units 1 Start any administration utility The Instant Internet Units dialog box opens Figure 119 Figure 119 Instant Internet Units dialog box 2 Click Add The Enter Unit s IP Address dialog box ope...

Page 276: ...ist Understanding the name server list order Name servers translate readable host computer names into numeric IP addresses Your ISP supplies you with one or more name server addresses and also creates and maintains the name servers If you enter more than one name server Instant Internet tries to connect to the first name server and if it fails continues down the list until a successful connection ...

Page 277: ...et it is a good idea to make a backup of the Instant Internet unit s current configuration before making any changes You can then restore the original configuration if the changes you make cause problems Backing up a unit configuration to disk To back up the new configuration to disk 1 Start Setup and if prompted select a unit to configure 2 Choose File Backup to Disk The Backup Setup Configuratio...

Page 278: ...tart Setup and if prompted select a unit to configure 2 Choose File Restore from Disk The Restore Setup Configuration dialog box opens Figure 122 Figure 122 Restore Setup Configuration dialog box 3 Navigate to the drive and directory of the backup configuration file 4 Select the File Name of the backup configuration file 5 Click OK You are prompted to restore the users and groups Figure 123 Note C...

Page 279: ...his backup file Refer to Saving and restoring unit configurations on page 277 To change the Instant Internet unit s configuration The Setup program first ensures that the unit is functioning properly and then displays the main Setup window Refer to the appropriate sections that follow for instructions on changing the Instant Internet unit s configuration Change the information as your ISP or as a ...

Page 280: ...u respond No you may choose to test now or anytime later by selecting either option from the Setup menu Changing your ISP If you change ISPs or any information about your connection changes user name password connection phone number you must reconfigure the Instant Internet unit with the new information To ensure a smooth transition to a new ISP and minimal interruption of your Internet access che...

Page 281: ... Start Setup and if prompted select a unit to configure 2 In the Interfaces area select the dial up or ISDN interface 3 Click Configure One of two things happens If you selected a dial up interface the Dialup Configuration dialog box opens Figure 124 Figure 124 Dialup Configuration dialog box If you selected an ISDN interface the ISDN Configuration dialog box opens Figure 125 ...

Page 282: ... In the Provider box select the new ISP s name from the list If you do not see your ISP in the list select Default 5 In the Phone box enter the new phone number 6 In the Backup box enter the new backup phone number if available 7 In the User ID box enter your new user ID 8 In the Password box enter your new password 9 Click OK ...

Page 283: ...formation periodically so that you can receive the latest product news and information on upgrades through e mail from Nortel Networks To review or update your registration information 1 Start Setup and if prompted select a unit to configure 2 Choose Setup Registration The Registration Information dialog box opens Figure 126 Figure 126 Registration Information dialog box 3 Change or add the approp...

Page 284: ...assword dialog box 3 Enter the new password and then click OK The password is case sensitive therefore password is not the same as PASSWORD or Password The Re enter Password dialog box opens Figure 128 Note If you forget your password and need to configure the Instant Internet unit you can do so by resetting the DIP switches on the back of the unit For details refer to Setting Up the BayStack Inst...

Page 285: ...portant that you give each unit a unique name To change the name of the Instant Internet unit 1 Start Setup and if prompted select a unit to configure 2 Choose Setup Change Name The Unit Name dialog box opens Figure 129 Figure 129 Unit Name dialog box 3 Enter the new unit name You can enter up to 13 letters digits and symbols with no spaces Note When you change the name of the Instant Internet uni...

Page 286: ...p Time The Unit Time dialog box opens Figure 130 showing the current date and time Figure 130 Unit Time dialog box 3 Select one of the following options Enter the date and time manually Continue with step 4 Set the date and time to that of the workstation Continue with step 5 Use an NTP server for the date and time Continue with step 6 4 Enter the new date and time in the appropriate boxes and the...

Page 287: ... server and then click OK To remove an NTP server select the server to be removed Click Remove and then click Yes When you use an NTP server for the time and date the Instant Internet unit checks that server every 12 hours for the correct time If you have a dial up connection this check occurs only when a line is up You can view the NTP log provided in Setup to verify that the correct server suppl...

Page 288: ...nt Internet has several diagnostic tools available These tools are automatically set up during installation Typically you will use these diagnostic tools for troubleshooting at the direction of technical support personnel Chargen A service that generates a test pattern characters at the maximum possible rate The default is to leave this option turned off Discard A service that discards any message...

Page 289: ... use this service with the Instant Internet unit refer to Reference for the BayStack Instant Internet Remote Access Commands Version 7 11 To enable diagnostic IP tools 1 Start Setup and if prompted select a unit to configure 2 Choose Support Services The Services dialog box opens Figure 132 Figure 132 Services dialog box 3 Select the check box of each diagnostic IP tool you want to enable 4 Click ...

Page 290: ...a set of utilities to assist you with testing and troubleshooting host connection problems iiLogin allows you to determine how an IP workstation is identified and to which Instant Internet unit the workstation is connected Tools allows you to view host connections through various features such as ping trace and stress It also allows you to troubleshoot problems that might occur Tools provides a us...

Page 291: ... The Tools main window opens Figure 133 Figure 133 Tools main window The troubleshooting tools include Ping Finds a host and determines the response time for that host Trace Finds the route used to get to a specific host Stress Tests the echo port of a selected host In the Instant Internet program group or menu depending on your operating system select Tools ...

Page 292: ...st To perform a ping test 1 Select the Host you want to ping If the host you want to ping is not in the list type the host name or IP address in the Host box 2 Click Ping The ping test begins and you can watch its progress If you want to stop the ping test before it is complete click Stop This can be useful if you see the problem before the test completes You can set options for the ping test such...

Page 293: ...c representation of how long it took each ping trial to complete The bottom area shows the statistics of the ping test In the bottom area of the window the first column of data displays the sequence of trials the second column describes the number of milliseconds it took to complete each trial and the third column shows the address pinged After the ping test completes the percentage of lost packet...

Page 294: ... sites in the route for a specific trace to pinpoint any problems in data communication The trace tool shows the path taken to get to a specified host For instance if you perform a trace on the host name www baynetworks com you will see a list of the locations hops used to get to www baynetworks com Using the trace tool you can View the number of hops needed to reach a particular host Find the las...

Page 295: ...he trace test before it is complete click Stop This can be useful if you see the problem before the test completes You can set options for the trace test such as the number of hops per trace See Setting host connection test options on page 300 for more information A trace test returns the following information The selected host address with the maximum number of hops The host addresses traced The ...

Page 296: ...ch trace trial to complete The bottom area shows the statistics of the trace test In the bottom area of the window the first column displays the sequence of hops the second column describes the number of milliseconds per test that it took to get to the specified host and the third column shows the host address traced After the trace completes the percentage of lost packets and the average number o...

Page 297: ...st the echo port of a selected host An echo port is a well known port that returns any data sent to it The stress test generates a load on the system to see what the throughput is to a host Using the stress tool you can Load a host for testing Measure the throughput of a host To test the echo port of a host 1 Choose the Host you want to test If the host you want to stress is not in the list type t...

Page 298: ...ompletes You can set options for the stress test such as the number of times the test is performed See Setting host connection test options on page 300 for more information A stress test returns the following information The milliseconds per transmission block The size of the transmission block The number of bytes per second The total number of bytes and seconds The average number of bytes per sec...

Page 299: ...atistics of the stress test In the bottom area of the window the first column shows the number of transmits performed The second column displays the number of milliseconds per test that it took to get to the specified site or host The third column shows the number of bytes sent and received and the fourth column shows the number of bytes sent per second After the stress test completes the total nu...

Page 300: ... Trace and a Stress To set options for a test 1 Click Options The Options dialog box opens Figure 140 Figure 140 Options dialog box in Tools 2 Set any of the following options Ping Number of pings The number of pings you want the ping test to complete Length of ping data The size of the data sent Timeout in seconds The number of seconds allowed before the test fails ...

Page 301: ...nds allowed before a hop is considered unreachable Stress Repeat count The number of times the stress test is performed Block size The size of the data packet sent or received not including the headers Send Receive echo When selected this option allows data to be sent and received Send only discard When selected this option allows data to be sent only Receive only chargen When selected this option...

Page 302: ...302 Chapter 10 Instant Internet unit configuration support and diagnostics 300868 G ...

Page 303: ... messages Viewing the Instant Internet serial number To view the serial number through the Instant Internet Setup program 1 Start the Instant Internet Setup program For details see Using Setup on page 127 2 Choose Help About IISetup The About Instant Internet Setup dialog box opens and the serial number is displayed in the Serial Number box Figure 141 Figure 141 About Instant Internet Setup dialog...

Page 304: ...rnet unit s log users update history advanced TCP IP settings port mappings and hosts Viewing unit log information The unit log details a unit s activity since it was last restarted To view the unit log 1 Choose View Unit Log 2 Review the file as needed To print the file choose File Print 3 To close the file choose File Close Viewing a unit s users A list of users currently connected to a specific...

Page 305: ...rint 3 To close the file choose File Close Viewing a unit s advanced TCP IP settings To view the advanced TCP IP settings for a unit 1 Choose Support Advanced TCP IP Settings 2 Review the file as needed To print the file choose File Print 3 To close the file choose File Close Viewing a unit s port mappings To view a list of the port mappings for a unit 1 Choose Support Port Mappings A window opens...

Page 306: ...date history system settings port mappings and hosts To connect to the Instant Internet unit using a Web browser 1 In the Address or Location box of your Web browser type the IP address of the Instant Internet unit If the unit is password protected the Username and Password Required dialog box opens A user name is not required 2 Enter the password for the unit The Home page opens Figure 142 Cautio...

Page 307: ...es are generated to help troubleshoot a connection The log files generated depend on your configuration To view the log files The page for the selected log opens Viewing the update history Each Instant Internet unit maintains a record of the software versions that have been installed and upgraded To view the unit s update history The Update History page opens On the System Administration page clic...

Page 308: ...tion assists you in interpreting and troubleshooting error messages workstations see when running third party applications that access the Internet IP workstations must be running iiLogin in order for these error messages to be shown In addition the administrator must decide whether or not the workstations should be shown these error messages Refer to Specifying the message a user sees upon an err...

Page 309: ...ion assists you in interpreting and troubleshooting error messages workstations see when running third party applications Access errors Access denied to server Error 2 indicates the user does not have access to the specified Instant Internet unit You can configure the user to access this unit in Admin For details refer to User access administration on page 35 Any other error number indicates a pro...

Page 310: ...er and contact Nortel Networks Technical Support Unable to locate server Error 1 indicates that the Instant Internet unit specified in the winsock ini file is down at this time Any other error number indicates a problem accessing the Instant Internet unit You should note the error number The problem might be that the server entry in the winsock ini file is not a valid Instant Internet unit name Yo...

Page 311: ...s on page 54 Server name errors The following error messages indicate that the Instant Internet unit s name is not properly configured in the winsock ini file or that there is no server entry in the winsock ini file No server names Server name not configured Server name syntax error Do one of the following Run the Instant Internet Installation program Start the Run program and enter install select...

Page 312: ... for the selected unit Errors connecting to the network The following errors might occur when Instant Internet tests the network connection These messages indicate that the network might not be properly installed to the local workstation Note the error number and contact Nortel Networks Technical Support Error determining name Network not available Unable to register name These error messages indi...

Page 313: ... old domain users How can I delete the old users Answer You must set the access for the old users to the default user Use the following procedure 1 Start the Admin utility 2 Select the users that you want to delete and then click Change 3 Select User Access 4 Click Clear and then click OK 5 Repeat steps 1 4 for Internet Access News Groups and Incoming Ports 6 Clear the Disable Ignore Group Setting...

Page 314: ...314 Appendix A Troubleshooting and error messages 300868 G ...

Page 315: ...identifier assigned to networks and stations that allows each device individually to receive and reply to messages AMI Alternate Mark Inversion A signal encoding scheme in which a 1 is represented alternately as positive and negative voltage It does not use translation coding but can detect noise induced errors at the hardware level ANSI American National Standards Institute asynchronous A method ...

Page 316: ...Internet adopts the information about the users BNC connector A small coaxial connector with a half twist locking shell BootP bootstrap protocol A protocol that allows a diskless workstation to boot and obtain necessary information such as an IP address CES Contivity Extranet Switch CGI Common Gateway Interface CHAP Challenge Handshake Authentication Protocol A method of establishing security on P...

Page 317: ...server about your identity and browsing habits CRC Cyclic Redundancy Check A method for detecting data transmission errors CSU Channel Service Unit A device that terminates a T1 digital circuit to perform certain line conditioning functions and ensure network compliance day time access control The Day Time Access Control restricts user access to the Internet on specified days of the week and or ho...

Page 318: ...ent to it DLL Dynamic Link Library DMZ Demilitarized Zone DMZ A less secure publicly accessible network segment that sits between the Internet and your internal network DNS Domain Name Server or Domain Name Service Addressing system that incorporates the domain name into the IP address domain name Used to organize Internet names into manageable groups such as nortelnetworks com or instant net DOVB...

Page 319: ...o a secret code To read an encrypted file you must have access to a secret key or password that enables you to decrypt it When configuring IPsec for a VPN you can choose from DES 3DES and null FAS Frame Alignment Signal A distinctive signal inserted within a frame that helps maintain synchronization filtering The process of examining a data packet on the network and determining the destination of ...

Page 320: ...ly assigned by the ISP the host name can also be dynamically assigned based on the actual port accessed each time you make a connection host name access control The host name access control is used to restrict users from contacting specified hosts by host name Wildcards may be used to restrict access to hosts matching general patterns HTTP HyperText Transfer Protocol A client server protocol for l...

Page 321: ...P IP suite of protocols Describes the software responsible for routing packets and addressing devices IP address Internet Protocol address A means of communication that allows communication over the Internet to be directed to the appropriate destination Every computer on the Internet must have a unique IP address IP addresses are allocated by an ISP in following format nnn nnn nnn nnn where nnn is...

Page 322: ...Internet terminates the connection and hangs up the phone When you need a new connection Instant Internet dials the ISP and re establishes a connection which takes about 30 seconds interface A set of instructions that allows one device or protocol to send and receive data In the case of Instant Internet an interface represents the protocol used to connect to the Internet and might be described as ...

Page 323: ...the data link layer in 802 x networks that controls addressing information of the packet and enables data to be sent and received across a local area network MAU Media or medium attachment unit In token ring networks a device defined by the IEEE 802 5 standard that supplies a physical connection to the network cabling medium and includes circuitry to convert signals between a form suitable for the...

Page 324: ...d DNS NAT Network Address Translation The modifying of IP addresses and or port numbers as they pass through a router or other such device There are various types and implementations of NAT but Instant Internet provides a many to one NAT whereby many internal IP addresses are represented as a single IP address to the outside world This method is also sometimes called PAT for Port Address Translati...

Page 325: ... Private Branch Exchange PING Packet Internet Groper A program in the Tools application that is useful for testing and debugging networks PING sends an echo packet to the specified host waits for a response and reports success failure and statistics about its operation PFS Perfect Forward Secrecy A method of encryption that uses a single key exchange POP Point of Presence The local or long distanc...

Page 326: ...r wireless environment proxy server A server that acts on behalf of another protocol A formal set of rules developed by international standards bodies LAN equipment vendors or groups governing the format control and timing of network communications provider An Internet Service Provider that offers Internet access and services to its customers Access can be provided through dial up ISDN or leased l...

Page 327: ...at enables routers in the same autonomous system to exchange routing information by means of periodic updates ROM Read Only Memory router A device that forwards traffic between networks based on network layer information and routing tables A router decides which path network traffic follows using routing protocols to gain information about the network and algorithms to choose the best route based ...

Page 328: ...ts of the 10 digit telephone number area code plus phone number followed by the digits 0101 Other variations of this number are possible and your telephone company can provide you with the correct information for your ISDN line STP Shielded Twisted Pair subnet mask A value used to route packets on TCP IP networks The subnet mask is automatically computed based on the IP address and might differ de...

Page 329: ...ring A network topology and data signaling scheme in which a special data packet called a token is passed from one station to another along an electrical ring A transmitting station takes possession of the token transmits the data then frees the token after the data has made a complete circuit of the electrical ring token ring source routing This option is available only on token ring units and en...

Page 330: ...AN on which the clients it will serve are also located or it can be embedded within the enterprise WAN or at the client s Internet service provider Web configuration Allows you to configure the Instant Internet unit using a Web browser Web proxy or HTTP proxy Acts as a go between between the requester of pages from an HTTP server and the Internet Winsock A software layer that isolates the network ...

Page 331: ...234 and bandwidth savings 234 and increased response times 208 recommended times 234 statistics 235 address translation basic information 33 configuring 134 server publications 135 addressing types of 60 Admin icons 36 overview 35 starting 36 116 127 administration program activating 36 116 127 icons 36 overview 35 adopting users and groups Bindery 43 NDS 42 NT domain 41 advanced TCP IP settings 3...

Page 332: ...times 208 234 performance increasing 207 reasons to bypass 232 cache level Aggressive 213 and bandwidth savings 208 Conservative 213 default values 213 defined 210 Moderate 213 predefined 209 selecting 209 settings 213 cache server network layer 201 transparent 201 cache settings and bandwidth savings 208 experimenting 209 fine tuning 208 caching proxy server 201 CGI request 219 chargen 288 301 cl...

Page 333: ... IP tools 288 dial threshold 243 244 247 249 dia lup connection backup phone number 246 dial up connection bandwidth on demand 247 modem speaker 248 statistics 97 tunnel validity 186 directory services adopt users and groups from 38 Bindery 43 NDS 42 NT domain 41 set user name order 40 discard 288 301 DMZ adding a Web server 161 configuring Instant Internet for 161 example publishing a Web server ...

Page 334: ... errors 309 IP client 308 IPX client 309 network related 312 server name 311 version 312 Web cache server 212 winsock dll 311 error setting the action the cache server performs 222 Ethernet 149 257 everyone group restoring 38 expiration percent about 210 automatically expiring 214 example 211 setting to zero 214 expiration time about 211 calculating 211 example 212 setting to zero 214 F fault tole...

Page 335: ...services address translation 134 alias 159 DHCP servers 149 IP filters 142 IP forwarding 128 130 RIP 157 static routes 128 using additional 127 IPX 261 multiple unit environments 267 name server list order 276 PFS 169 Proxy Servers DNS 120 SOCKS 121 Web 116 proxy servers DNS 115 SOCKS 115 Web 115 restarting your unit 273 Saving and restoring unit configurations 277 testing connections 289 Virtual ...

Page 336: ... IKE 187 IP addressing types of 60 IP clients accessing a DNS proxy 120 accessing the Internet 33 configuring for Internet access 125 error messages 308 identification 40 identifying 99 identifying the login workstation 274 system tray addition 44 using RAW sockets 83 IP filtering function 142 winsocks compatibility 267 IP forwarding basic information 130 dial up ISDN and Leased line 132 Ethernet ...

Page 337: ... specifying 217 message access denied 229 messages enabling disabling 85 minimum expiration time about 211 calculating 211 example 212 setting to zero 214 modem analog 245 dual analog 245 modem speaker configuring 248 modes aggressive 168 determining 168 main 168 Monitor utility activating 93 stats 98 trace function 106 user 101 monitoring multiple Instant Internet units 107 real time 93 starting ...

Page 338: ...asuring effect 188 understanding 169 phone number secondary 241 ping background controlling connection state 173 control 174 monitor 174 setting options 300 using 292 port control access to 61 62 in IP address 60 incoming control access to 76 77 79 81 numbers 60 Web proxy 118 well known numbers 60 PPPoE connection advanced communications 254 preferred server setting for Netware 44 private server p...

Page 339: ...8 Routing Information Protocol RIP 157 S scopes DHCP 149 153 secondary phone number 241 Security Association SA 187 security IPX 257 selection list Instant Internet unit not in 275 serial number recording 26 viewing 303 server publication Web server 139 server SMTP 138 139 services IP address translation configuring 134 function 33 client login 33 configuring 127 diagnostic tools 288 DNS proxy con...

Page 340: ...cal support 29 Telnet 33 telnet definition 289 templates for creating users and groups 45 terminal emulation 33 testing Internet connection 290 text conventions 26 text entry 210 time changing 286 expiration for an entry 202 211 no time stamp 210 time zone changing 286 timeout definition 243 248 300 301 demand 243 inactivity 97 setting in Stats 97 token ring 149 288 tools ping 292 setting options ...

Page 341: ...anging 167 273 restore 278 unit information advanced TCP IP settings 305 date 286 hosts 306 ISP 280 name 285 name server list 276 password 284 port mappings 305 registration 283 time 286 time zone 286 unit log 304 update history 305 307 users 304 UNIX 33 44 update history 305 user name not required 306 user name set order 40 users access changing 58 day and time 58 defining 55 disabling 56 effecti...

Page 342: ...2 reviewing 218 Web cache introduction 201 Web caching 202 Web configuration basic information 34 enabling 119 Web entry defined 202 Web page content troubleshooting 236 personalized troubleshooting 238 Web proxy basic information 34 configure clients to use 119 configuring 116 run transparently 118 Web server response time troubleshooting 237 Web site access information viewing 230 access blockin...

Page 343: ...ement Software Version 7 11 wildcard user 44 Winsock files 265 winsock dll error messages 311 winsocks 16 bit dll requirements 262 multiple 264 32 bit dll requirements 263 multiple 264 conflicts 262 installation error 266 IP filtering compatibility 267 ...

Page 344: ......

Reviews:

No comments

Related manuals for 400

Brand: Barracuda Networks Pages: 2

Brand: National Instruments Pages: 5

Brand: National Instruments Pages: 76

Brand: National Instruments Pages: 34

ROADRECORDER 8000

Brand: Safety Vision Pages: 40

Brand: Alesis Pages: 46

RUGGEDSWITCH RS900G

Brand: RuggedCom Pages: 23

Compact Emulator M30620T-CPE

Brand: Renesas Pages: 52

Brand: Campbell Pages: 38

Brand: Tandy Pages: 24

Brand: Dataprobe Pages: 5

SinoCon C2000-C2-SHK0401-BB1

Brand: KonNad Pages: 12

RocketCache 3240X8

Brand: HighPoint Pages: 17

EK-FC980 GTX Classy

Brand: ekwb Pages: 2

Brand: ADTRAN Pages: 4

Developer's Board

Brand: Sony Ericsson Pages: 28

Brand: ST Pages: 67

Brand: Freescale Semiconductor Pages: 42

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands