Configuring a group access policy

 

The Group Access Policies folder under Receiver Connection Profiles provides options for configuring point-to-point connection parameters that apply to a group of remote users. It applies only to those point-to-point connections that originate from a remote system and are received by the local system.

To configure a new group access policy, follow these steps:

  1. In iSeries™ Navigator, select your system and expand Network > Remote Access Services > Receiver Connection Profiles.

  2. Right-click Group Access Policies, and select New Group Access Policy.

  3. On the General tab, enter a name and description for the new group access policy.

  4. Click the Multilink tab, and set up the multilink configuration.

    The multilink configuration specifies that you want to have multiple physical lines join together in a bundle. The maximum number of lines per bundle can be between 1 and 6. Because you do not know the type of line setting until a connection is made, the default value is always 1. The group policy can be used to extend or limit the Multilink protocol's capabilities for a specific user.

    Maximum links per bundle specifies the maximum number of links (or lines) that you want to become the one logical line. The maximum number of lines cannot be greater than the number of free lines when this group policy is applied to a session for a PPP profile.

    Check Require bandwidth allocation protocol if you want to specify that a connection is established only if the remote system supports the Bandwidth Allocation Protocol (BACP). If BACP cannot be negotiated, only a single link is allowed.

  5. Click the TCP/IP Settings tab to enable any of the following settings:

    Allow remote system to access other networks (IP forwarding). This option specifies whether you want IP forwarding. If you select this option, you are essentially enabling the system to act as a router for this connection. This allows IP datagrams not destined for this system to pass through this system onto a connected network. If you leave this option blank, the IP discards those datagrams from the remote system that are not destined for any addresses local to this system.

    There might be security reasons why you do not want to allow IP forwarding. In contrast, an ISP generally provides IP forwarding. Note that this takes effect only if system-wide IP datagram forwarding is enabled; otherwise, it is ignored even if marked. System-wide IP datagram forwarding can be displayed from the General tab on the IPv4 Properties page.

    Request TCP/IP header compression (VJ). This option specifies whether you want IP to compress header information after it establishes a connection. Compressing typically increases performance, particularly for interactive traffic or slow serial lines. Header compression follows the Van Jacobson (VJ) method defined in RFC 1332. For PPP, compression is negotiated when the connection is established. If the other end of the connection does not support VJ compression, the system establishes a connection that does not use compression.

    Use IP packet rules for this connection. This option specifies whether you want to apply a filter rule for this group policy. Filter rules control the IP traffic in your network. You can use this IP packet filtering component to protect your system by filtering packets according to the rules that you specify. The rules are based on packet header information.

 

Applying a group policy to a remote access user

You can apply a group policy to a remote access user when you complete the point-to-point properties for a new receiver connection profile.

To apply a group policy to a remote access user...

  1. Click Authentication to open the Authentication page.

  2. Click Require this iSeries server to verify the identity of the remote system.

  3. Select Authenticate locally using a validation list.

  4. If there is an existing validation list, select it from the list, and click Open. If you are creating it for the first time, enter a name for the new validation list, and click New.

  5. Click Add to add a new user to the validation list.

  6. On the Add User window, specify the following information:

    1. Select the authentication protocol for which the user name is defined.

    2. Enter the user name and password.

      For security purposes, it is suggested that you do not use the same password for a user defined for Challenge Handshake Authentication Protocol 22314 (CHAP), Extensible Authentication Protocol (EAP), and Password Authentication Protocol (PAP).

    3. Check Apply a group policy to the user, select a group policy from the list, and click Open.
    You can change the group policy properties or work with the existing setup.

  7. Click OK to complete the configuration and return to the Point-to-Point Properties page.

 

Parent topic:

Configuring PPP
Related reference
Scenario: Managing remote user access to resources using group policies and IP filtering