Scenario: Enabling remote connections
Your company has a branch sales office that has several remote sales personnel who need to connect to your system. You also connect to your corporate office located in another state. Because the information that is transmitted between these areas of your company is sensitive, you are concerned about protecting it as it is sent across the Internet. Use this scenario to configure connections to remote clients and servers.
Situation
You are the network administrator for a branch sales office that manages several mobile sales employees. You also work with the corporate office located in another state. Both the remote sales personnel and the corporate office need access to your internal network; however, you are concerned about protecting information as it is transmitted over the Internet.
The corporate office often needs access to sensitive information such as customer accounts and billing statements. Your mobile sales employees reach your branch sales office by dialing an Internet service provider (ISP) over the Point-to-Point Protocol (PPP). Because they also transmit sensitive information, you need to ensure the integrity and privacy of these communications. You do not want credit card numbers or customer contact information exposed on the Internet.
After researching your options for both groups of users, you have decided to use a virtual private network (VPN) to protect your connection to the corporate office, and to use Layer Two Tunneling Protocol (L2TP) protected by an IPSec VPN for your remote employees.
Objectives
The administrators for MyCo, Inc. have the following objectives:
- To give remote sales people and the corporate office access to the branch office network
- To use existing systems to support these goals
- To protect the information exchanged over these connections as it crosses the Internet
Details
The following network topology shows the connections between a branch sales office, a corporate headquarters, and remote sales personnel. Connections to the branch sales office are protected through a VPN. The descriptions of each part of this network that follow provide details on their configuration.
Branch sales office
- System A runs on i5/OS® Version 5 Release 4 (V5R4).
- System A acts as the VPN gateway for the branch sales office.
- System A has the IP address 192.168.1.2, which the scenario treats as globally routable.
IP addresses used in this scenario are for example purposes only. They do not reflect a real IP addressing scheme and should not be used in any actual configuration. Note in particular that 192.168.1.2 is an RFC 1918 private address and would not actually be routable on the Internet; it stands in for the public address of your gateway. Use your own IP addresses when completing these tasks.
- Subnet mask is 255.255.255.0.
- System A connects to its subnet with the IP address 10.1.1.1.
- Within the internal network of the branch sales office, all PCs have been configured with a default route that points to System A.
- The fully qualified host name of System A is systema.myco.min.com.
- Both System A and System B can initiate the connection.
- Remote employees use a pool of IP addresses that range from 10.1.1.100 to 10.1.1.150.
Corporate office
- System B runs on i5/OS Version 5 Release 3 (V5R3) and contains all pertinent business applications.
- System B acts as the VPN gateway for the corporate office.
- System B has the IP address 172.16.1.3, which the scenario treats as globally routable.
IP addresses used in this scenario are for example purposes only. They do not reflect a real IP addressing scheme and should not be used in any actual configuration. As with System A, 172.16.1.3 is an RFC 1918 private address used here in place of a public one. Use your own IP addresses when completing these tasks.
- Subnet mask is 255.255.255.0.
- System B connects to its subnet with the IP address 10.2.1.1.
- Within the internal network of the corporate office, all PCs have been configured with a default route that points to System B.
- The fully qualified host name of System B is systemb.myco.wis.com.
Remote sales personnel
- A notebook computer running the Microsoft® Windows® XP operating system.
- Remote employees are assigned addresses from the branch office pool of 10.1.1.100 to 10.1.1.150.
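The address plan above is the part of the scenario that most often goes wrong when it is adapted to a real deployment, so here is a small audit of it. This is an added example, not part of the IBM scenario or i5/OS; it uses only the Python standard library's `ipaddress` module, and the `SCENARIO` dictionary is constructed from the values in the text. It checks that the gateway addresses presented as globally routable really are public, that the two sites' internal subnets do not overlap (overlapping subnets make the tunnel's routing ambiguous and can send traffic to the wrong side), and that the remote-user pool lies inside the branch subnet without including the gateway's own internal address. Run against the scenario's values it reports the two private "public" addresses noted above.

```python
"""Audit of a gateway-to-gateway plus remote-access VPN address plan.

Added example (not from the scenario). Uses only the standard library.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed to match the scenario text; replace with your own values.
SCENARIO: Dict = {
    "branch": {
        "gateway_public": "192.168.1.2",   # scenario calls this globally routable
        "gateway_internal": "10.1.1.1",
        "subnet": "10.1.1.0/24",
    },
    "corporate": {
        "gateway_public": "172.16.1.3",   # scenario calls this globally routable
        "gateway_internal": "10.2.1.1",
        "subnet": "10.2.1.0/24",
    },
    "remote_pool": ("10.1.1.100", "10.1.1.150"),
}


def is_public(addr: str) -> bool:
    """True when the address can serve as an Internet-facing VPN endpoint.

    is_global is False for RFC 1918 space, loopback, link-local and the
    other IANA special-purpose ranges, which is exactly what we want to flag.
    """
    return ipaddress.ip_address(addr).is_global


def subnets_overlap(a: str, b: str) -> bool:
    """True when two internal subnets share any address (bad for site-to-site VPN)."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def pool_is_valid(first: str, last: str, subnet: str, gateway_internal: str) -> bool:
    """A remote-user pool must be ordered, inside the subnet, and must not
    contain the gateway's own internal address."""
    net = ipaddress.ip_network(subnet)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    gw = ipaddress.ip_address(gateway_internal)
    if lo > hi:
        return False
    if lo not in net or hi not in net:
        return False
    return not (lo <= gw <= hi)


def audit(plan: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the plan passed."""
    findings: List[str] = []
    for site in ("branch", "corporate"):
        pub = plan[site]["gateway_public"]
        if not is_public(pub):
            findings.append(f"{site}: gateway address {pub} is not globally routable")
    if subnets_overlap(plan["branch"]["subnet"], plan["corporate"]["subnet"]):
        findings.append("branch and corporate internal subnets overlap")
    first, last = plan["remote_pool"]
    if not pool_is_valid(first, last, plan["branch"]["subnet"],
                         plan["branch"]["gateway_internal"]):
        findings.append(f"remote pool {first}-{last} is not valid for the branch subnet")
    return findings


if __name__ == "__main__":
    for line in audit(SCENARIO) or ["address plan OK"]:
        print(line)
```

The same three checks apply to any two-site design: run `audit()` on your own plan before you build the VPN, since a subnet overlap or a non-routable endpoint surfaces later as a tunnel that negotiates but carries no traffic.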
Prerequisites and assumptions
This scenario provides an example VPN configuration between a branch sales office and a corporate office. It also provides instructions on how to configure remote access for traveling sales people connecting to the branch office. This scenario assumes that several prerequisite steps have been completed, tested, and are operational before you begin these configuration steps. These prerequisites are assumed to have been completed for this scenario:
- Ensure that the following licensed programs have been installed:
  - i5/OS Version 5 Release 2 (5722-SS1), or later
  - Digital Certificate Manager (5722-SS1 Option 34)
    This scenario assumes that DCM has been installed on both systems, but that it has not been configured on either system.
  - TCP/IP Connectivity Utilities for i5/OS (5722-TC1)
  - IBM® HTTP Server for i5/OS (5722-DG1)
  - IBM iSeries™ Access for Windows (5722-XE1) and iSeries Navigator
  - IBM Developer Kit for Java™ (5722-JV1)
- Ensure that you have the latest PTFs installed on your system.
- Ensure that the following system setup has been completed:
  - TCP/IP has been configured, including IP interfaces, routes, local host name, and local domain name.
  - Basic system security has been configured and tested.
  - The Network component of iSeries Navigator has been installed.
  - The retain server security data (QRETSVRSEC *SEC) system value has been set to 1.
  - The shared memory (QSHRMEMCTL) system value has been set to 1.
  - Normal TCP/IP communication has been established between the required endpoints.
- Ensure that the PC used by remote employees meets the following requirements:
  - A 32-bit Windows XP client that is properly connected to your system and configured for TCP/IP.
  - A 233 MHz processor.
  - At least 64 MB of RAM.
  - iSeries Access for Windows and iSeries Navigator have been installed on the client PC.
  - The client software must support the IP Security (IPSec) protocol.
  - The client software must support L2TP.
  - A connection to an ISP has been established.
In addition to these prerequisites, it is assumed that both networks have set up and activated filter rules on their networks, configured routing, and established an IP addressing scheme.
Tip: This scenario shows the system security gateways attached directly to the Internet. The absence of a firewall is intended to simplify the scenario; it does not imply that a firewall is unnecessary. Consider the security risks involved any time you connect a system to the Internet.
- Setting up a certificate authority with Digital Certificate Manager
  Before setting up a certificate authority (CA), the administrator for the branch office needs to ensure that several planning tasks are completed. Ensure that all the prerequisites for this scenario have been completed before performing these tasks.
- Configuring a VPN connection between the branch sales office and the corporate office
  The administrator of the branch sales office needs to configure a virtual private network (VPN) connection between the branch sales office and the corporate office to enable the remote connections.
- Configuring a VPN connection to remote users
  The administrator needs to configure a virtual private network (VPN) connection to remote users to enable the remote connections.