Windows NT/2000/XP/2003
User Manual
VPNNOW! Manual
NOTICE
INTERNETNOW SDN BHD reserves the right to make improvements in the product described in this manual at any time and without notice. LIMITED WARRANTY ON MEDIA. INTERNETNOW SDN BHD or its distributor, depending on which party produced the program diskette, warrants the diskettes on which the software is recorded to be free from defects in materials and faulty workmanship under normal use for a period of 90 days after the date of original purchase. If during this 90-day period a defect in this CD should occur, the CD may be returned for replacement without charge, provided that you have completed the enclosed registration form and returned it to INTERNETNOW SDN BHD. Your sole remedy in the event of a defect in a CD is limited to replacement of the CD as provided above. EXCEPT AS EXPRESSLY PROVIDED ABOVE FOR MEDIA, INTERNETNOW, DISTRIBUTOR AND DEALERS MAKE NO WARRANTIES, EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THE SOFTWARE, ITS MERCHANTABILITY OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. THE SOFTWARE IS LICENSED SOLELY ON AN AS IS BASIS. THE ENTIRE RISK AS TO ITS QUALITY AND PERFORMANCE IS WITH YOU. INTERNETNOW SDN BHD IS IN NO WAY AFFILIATED WITH MICROSOFT CORPORATION. The software product, including this manual and the diskette supplied, is copyrighted and contains proprietary information. All rights are reserved. This document may not, in whole or in part, be copied, photocopied, reproduced, translated or reduced to any electronic medium or machine-readable form without prior consent, in writing, from INTERNETNOW SDN BHD.
InternetNow Sdn. Bhd. 6F-22, Pusat Perdagangan IOI, Persiaran Puchong Jaya Selatan, Bandar Puchong Jaya, 47100 Puchong, Selangor, Malaysia VPN-20040805
TABLE OF CONTENTS
CHAPTER 1 WHAT IS VPN? (VIRTUAL PRIVATE NETWORK) .......... 6
CHAPTER 2 WHAT CAN YOU DO WITH VPNNOW! .......... 8
2.1 VPNNow! .......... 8
2.2 Integrations .......... 9
Readme First
Read this page to get the most out of VPNNow!

Choosing a server
VPNNow! is designed only to run on the Microsoft Windows NT/2K/XP environment.

VPNNOW! SERVER REQUIREMENTS
System: IBM PC/Compatible computer
Processor: Pentium III or compatible processor and above
Operating System (for both Server and Client): Microsoft Windows NT/2000/XP/2003
Disk Space: For VPNNow! Server/Gateway, at least 50MB for application files, 256MB RAM. For VPNNow! Roadwarriors, at least 8MB for application files, 128MB RAM.
Network Interface Card (only applicable to Server and Client Gateways; not applicable to Roadwarriors with a dial-up connection): A Windows compatible NIC
Technical support
If you have any technical problems that you couldn't solve even after going through this manual, please feel free to drop us a line at support@internetnow.com.my or visit our website at http://www.internetnow.com.my.
CHAPTER 1 WHAT IS VPN? (VIRTUAL PRIVATE NETWORK)
When we think about a Private Network, we usually think about the Local Area Network (LAN). Generally speaking, a LAN is a group of computers linked together physically within a single location via network cables. Having a LAN allows us to efficiently, privately and securely share information and resources between the computers that are linked together. We can share files, share printers, access the customer database, send email and much more. But the moment we leave the office with our notebook, or are at home, all the resources we usually share so easily either become unavailable or are too insecure to be accessed over the Internet. This is where VPN becomes very useful. It allows access to the LAN remotely (from home or from a hotspot location) privately, securely and affordably. A VPN is essentially a private network that uses existing telecommunications infrastructure (regular phone lines, T1 lines, DSL, cable lines, and so on). Privacy is achieved through the use of a tunnelling protocol and security procedures. VPN technology enables company offices or individuals in different locations to securely access a central network without having to dial directly into the company network.
VPN is ideal for:
- Companies who need secure inter-office networking.
- Home or mobile workers who require a secure environment to connect to the office from remote locations.
- Administrators who want to manage servers across different locations.
- Home users who wish to set up a secure peer-to-peer connection between remote PCs.

Benefits of VPN
1. Convenience of accessing the company network without physical connections.
2. Cost savings, especially for inter-office connections, because access via the Internet infrastructure is much more cost-effective compared to having a physical leased-line link to different sites.
3. VPN uses cryptographic technology to provide confidentiality and integrity for data in transit. This improves security, as at least 128-bit encryption is used for secure data transfer.
4. Capability to access Windows Terminal Services behind the firewall within the network.
CHAPTER 2 WHAT CAN YOU DO WITH VPNNOW!
1. Connect different offices or branches with the Headquarters via affordable Internet connections (dial-up, ISDN, broadband, leased-line etc.)
- Files, folders and printer sharing between computers on different sites.
- Access the customer database.
- Access Enterprise Resource Planning (ERP) applications.
- Access customized organizational programs.
2. Connect to Windows Terminal Services. A server for Windows Terminal Services can be securely accessed within the network with multiple connections.
3. Connect your notebook or PC with any dial-up to your office and increase productivity and efficiency.
- Access your corporate email even from home without having to expose the email server to the Internet public.
- Print quotations using your office printer while out of the office.
2.1 VPNNow!
- IPSEC architecture with support for the latest high-level data encryption, the Advanced Encryption Standard (AES). The current version supports AES 192 bit.
- Max 500 concurrent VPN connections.
- Supports Gateway to Gateway or Road Warrior to Gateway connections.
- Uses RSA 1024 PKI for setting up key exchanges.
- The resource list is definable, to restrict total access by VPN clients.
- Supports Windows NT4, 2000, XP & 2003.
VPNNow! uses the basic IPSEC for securing the VPN tunnels. IPSEC is the industry best practice for protecting your corporate VPN today. However, the disadvantage of IPSEC is that it offers too many options and too much flexibility. This results in code bloat that is detrimental to normal operation. For example, some VPN solutions support several different encryption standards when only one strong encryption is required, and support several layers of encryption over a single packet, where each layer adds significant payload overhead, resulting in slower traffic throughput.
Having a published, fixed port number for IKE in IPSEC also creates a security weakness, since it gives hackers foreknowledge of the port and the ability to launch a possible DoS attack against it. VPNNow! avoids all this complexity by concentrating on the core principles of IPSEC that make it a secure implementation. By using ESP with built-in authentication, 192-bit AES encryption as standard and a different port with a custom IKE, VPNNow! is not only secure but also faster in performance. VPNNow! is 100% software that runs on Windows NT, Windows 2000, Windows XP and Windows 2003 based platforms. With better hardware now available for personal computers, software based solutions work better and faster for your investment in time.
2.2 Integrations
VPNNow!, when integrated together with ProxyNow! and FirewallNow!, provides organizations with a convenient, productive, cost-effective and secure Internet infrastructure.
CHAPTER 3
3.1.1
Note: When the page is loaded for the first time, it will take some time.
6. Specify the server's name. For example, ABCVPNServer.
7. Then specify a name for the private key and the public key under the RSA Key section. For example, ServerHQ.
Note: Please be aware that the name specified here will determine the names of the server's public key and private key. For example, serverhq.pub for the public key and serverhq.pri for the private key. Also note that it will ask if you want to back up the previous keys. If this is a new configuration, you do not have to back up the previous settings.
8. Key in the contact IP address, which is the server's public IP address. If you are using a dynamic IP address, please be sure to key in your domain name instead.
Note: Make sure that the DNS server is pointed to your Dynamic DNS on both the server and the client. Otherwise the server and client will not be able to communicate with each other.
9. Then key in the internal IP address range of your network into IP Address. For example, if your organization is using the IP range 192.168.1.X (i.e. with subnet 255.255.255.0), then you should type in 192.168.1.0. And if you are using the IP range 192.168.X.X, you should type in 192.168.0.0.
10. Then select your subnet mask. For example, 255.255.255.0.
11. Make sure that the IKE checkbox is not ticked, since we are configuring the server.
12. Click Apply to finish your settings for the VPNNow! server.
13. Do not attempt to start the VPNNow! server just yet. You still need to create the client keys and configure your Participants.
3.1.2
3. The Client Configuration console will appear. Fill in the fields as follows:
a. Identification: A name to identify the client, e.g. RoadWarriorPaul or ParisBranchGateway (make sure there are no spaces in it).
b. LAN IP Range: The LAN IP range cannot be changed for Roadwarriors; by default it is 0.0.0.0. If the client is a gateway, it should be the IP range used by the remote LAN in which the gateway is located. For example, if the remote LAN is using the IP range 192.168.1.X (i.e. with subnet 255.255.255.0), then you should type in 192.168.1.0. And if it is using the IP range 192.168.X.X, you should type in 192.168.0.0. Make sure that the LAN IP range specified here is unique and different from the server LAN IP range and from the LAN IP ranges of other gateway clients.
c. Subnet Mask: This should be 0.0.0.0 if the client is a road warrior. If the client is a gateway, then the subnet mask of the gateway's internal LAN (see (b) above).
d. UDP Tunneling: Only needs to be enabled if the Roadwarrior/Gateway is behind a router.
e. Contact/IP: This should be 0.0.0.0 for both road warriors and gateways, since neither needs to receive incoming VPN connections.
f. RSA Key: Key in a unique key name for this client.
Click OK and VPNNow! will proceed by generating a private and public key for this client.
Add roadwarrior:
3.1.3
b. Specify where you would like the files to be exported to. Then click OK.
c. A directory, named after the client, will be created containing all the files that the client will need to connect back to this VPN server. The files in this directory should be securely transported to the client.
Tips:
- An example of how to configure a RoadWarrior: refer to 3.2 EXAMPLE 1: CONFIGURING ROADWARRIOR, page 19, for more information.
- An example of how to configure a Client Gateway: refer to 3.3 EXAMPLE 2: CONFIGURING CLIENT GATEWAY, page 21, for more information.
3.1.4
Configuring Participants
You will also need to specify which PCs (participants) in your network are accessible to remote VPN clients. In most cases you would not want to give these remote clients complete access to the network. Instead, for security reasons, their network access can be limited to those network resources that they really need (e.g. mail server, file server etc.).
1. On the VPNNow! console, click on the Participants button on the left hand side of the console.
2. Key in an IP address you wish to add to the participants list. Then click on the Add Single IP button to add the single IP address to the participants list.
3. If you have a range of participants, key it in under the Add Range section. Then click on the Add Range button to add the range.
4. The participants list will be shown at the bottom of the window. You may opt to view the participants list in large view or small view.
3.1.5
Inactive participant
2. If all the participants are in "MAC address unresolved" status, it means that the server is not running at all.
3.1.6
Legend: -> successful message
14:20:11.233000, ipsec_arp_TrapHardwareAddress: All Hardware address resolved completed
Legend: -> able to resolve all participants
3.2 Example 1: Configuring RoadWarrior
Tip: It is best to name the road warrior according to the name of the branch or the person who will be using it to connect to the VPNNow! server.
3. If your VPN roadwarrior is connecting to the Internet via a router, enable the UDP tunneling checkbox. Otherwise, please make sure you do not enable that checkbox.
4. Key in a name for the RSA key. For example, vpnclient-sabah.
5. Click OK to save the settings.
6. The settings will look similar to the picture above.
7. To export these settings, right click on vpnclient-sabah and select Export Settings.
8. It will ask you to browse for a folder to export the settings to. Select your destination folder and click OK.
9. A pop-up message will confirm that you have successfully exported the settings to the preferred destination.
Note: Please export the settings in order for the roadwarrior to be able to connect back into the server.
10. Click OK to close the window and finish the exporting process.
3.3 Example 2: Configuring Client Gateway
Tip: It is best to name the gateway according to the name of the branch or the person who will be using it to connect to the VPNNow! server.
3. If your VPN gateway is connecting to the Internet via a router, enable the UDP tunneling checkbox. Otherwise, please make sure you do not enable that checkbox.
4. Key in the IP range of the gateway connection. For example, 192.168.0.0.
5. As for the subnet mask, select the most appropriate one. For example, if the LAN IP addresses range from 192.168.0.1 to 192.168.0.254, then select 255.255.255.0 for the subnet mask.
Note: Please ensure that the gateway LAN IP range and your VPNNow! server IP range are different ranges, to avoid conflicts.
6. Key in a name for the RSA key. For example, vpngateway-sabah.
7. Click OK to save the settings.
9. To export these settings, right click on vpnclient-sabah and select Export Settings.
Note: Please export the settings in order for the client gateway to be able to connect back into the server.
10. It will ask you to browse for a folder to export the settings to. Select your destination folder and click OK.
11. A pop-up message will confirm that you have successfully exported the settings to the preferred destination.
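The address-range rules above (the IP Address field in 3.1.1 step 9, the LAN IP Range and Subnet Mask in 3.1.2, the "different ranges" note in this example) and the participants allow-list of 3.1.4 can be checked before anything is typed into the console. The following Python script is an added example and is not part of the manual or of the VPNNow! software: it derives the network address to type in from a host address and mask, reports overlapping or mistyped LAN ranges across the server and its gateway clients, and builds the participants list, refusing entries outside the server LAN. The (first, last) form for "Add Range" and the sample addresses are assumptions; the client names come from the manual.

```python
import ipaddress

# Values the manual prescribes for a road warrior's LAN IP Range and Subnet Mask.
ROADWARRIOR = ("0.0.0.0", "0.0.0.0")


def network_field(host_ip: str, subnet_mask: str) -> str:
    """Return what to type into the IP Address / LAN IP Range field: the network
    address of the LAN, e.g. 192.168.1.37 with 255.255.255.0 -> 192.168.1.0."""
    net = ipaddress.IPv4Network((host_ip, subnet_mask), strict=False)
    return str(net.network_address)


def lan_conflicts(server_lan: str, clients: dict) -> list:
    """Check the server LAN against every client's (LAN IP Range, Subnet Mask).
    Road warriors are skipped (they get a virtual IP from the server). Returns a
    list of problem descriptions; an empty list means the ranges are usable."""
    nets = {"server": ipaddress.IPv4Network(server_lan)}
    problems = []
    for name, (rng, mask) in clients.items():
        if (rng, mask) == ROADWARRIOR:
            continue
        try:
            nets[name] = ipaddress.IPv4Network((rng, mask))  # strict: must be a network address
        except ValueError:
            problems.append(f"{name}: {rng}/{mask} is a host address; type "
                            f"{network_field(rng, mask)} instead")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def participants(server_lan: str, single_ips=(), ranges=()) -> set:
    """Build the participants allow-list: the only internal hosts remote VPN
    clients may reach. 'ranges' are (first, last) pairs, an assumed form of the
    Add Range section. Every participant must lie inside the server LAN."""
    lan = ipaddress.IPv4Network(server_lan)
    allowed = {ipaddress.IPv4Address(ip) for ip in single_ips}
    for first, last in ranges:
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        allowed.update(ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1))
    outside = sorted(str(ip) for ip in allowed if ip not in lan)
    if outside:
        raise ValueError(f"participants outside server LAN {lan}: {outside}")
    return allowed


def is_reachable(allowed: set, dest: str) -> bool:
    """True if a remote VPN client is permitted to reach 'dest'."""
    return ipaddress.IPv4Address(dest) in allowed


if __name__ == "__main__":
    # Constructed sample deployment: HQ server LAN plus clients named in the manual.
    server = "192.168.1.0/255.255.255.0"
    clients = {"RoadWarriorPaul": ROADWARRIOR,
               "ParisBranchGateway": ("192.168.2.0", "255.255.255.0"),
               "vpngateway-sabah": ("192.168.0.0", "255.255.0.0")}  # swallows HQ and Paris
    for p in lan_conflicts(server, clients):
        print("conflict:", p)
    allowed = participants(server, ["192.168.1.10"], [("192.168.1.20", "192.168.1.29")])
    print("mail server reachable:", is_reachable(allowed, "192.168.1.10"))
```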
3.4 Monitoring VPN Client (Road Warrior and Client Gateway) Connection Status
1. After you have set up the VPN server, VPN road warrior and client gateway, you can view the status of the connectivity in the Observatory section.
2. To start, go to the tree on the left and select the Observatory icon.
3. Once you have selected the Observatory, you will see the screen below. Choose either Tree View or List View to view the connectivity and transmission rate.
Tree View
List View
2. On this page you will see a set of settings. Below is an explanation of each setting.
Virtual IP: The virtual IP range assigned to road warriors by the VPN server. It increments based on the number of clients connected to the VPN server.
Public IP/Name: The DNS name or IP of the router. (Disabled if the Host Behind A Router check box is off.)
No Fragmentation: No packet fragmentation.
Debug Mode: Enables extra debugging messages in the Real Time Log.
IPSec Consult Table: The list of IPs which the VPN server uses to connect to the Internet.
Private LAN IP: Internal IP address of the VPN server.
Key Exchange Port: VPN IKE port number.
3.5.1
CHAPTER 4
6. Follow the instructions in the installation wizard and finish the VPNNow! installation.
7. It will try to register a service. After success, a window will pop up stating that DLLRegisterServer has successfully registered. Click OK to finish the registration.
8. Click on Finish to finish the installation.
9. After installing the client, you will need to restart the workstation.
10. Congratulations, you have successfully installed the client. Proceed to the next stage of configuring the VPNNow! client.
Note: Make sure you have exported and saved the roadwarrior settings from the VPNNow! server. Please import the settings in order for the roadwarrior to be able to connect back into the server.
CHAPTER 5
5.2.1
CONFIGURING PARTICIPANTS
You will also need to specify which PCs (participants) in your network are accessible to remote VPN clients. In most cases you would not want to give these remote clients complete access to the network. Instead, for security reasons, their network access can be limited to those network resources that they really need (e.g. mail server, file server etc.).
1. On the VPNNow! console, click on the Participants button on the left hand side of the console.
2. Key in an IP address you wish to add to the participants list. Then click on the Add Single IP button to add the single IP address to the participants list.
3. If you have a range of participants, key it in under the Add Range section. Then click on the Add Range button to add the range.
4. The participants list will be shown at the bottom of the window. You may opt to view the participants list in large view or small view.