<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Basic branch office connection" />
<meta name="abstract" content="In this scenario, your company wants to establish a VPN between the subnets of two remote departments through a pair of iSeries computers acting as VPN gateways." />
<meta name="description" content="In this scenario, your company wants to establish a VPN between the subnets of two remote departments through a pair of iSeries computers acting as VPN gateways." />
<meta name="DC.Relation" scheme="URI" content="rzajascenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajacompletetheplanningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaconfigurevpnoniseriesa.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaconfigurevpnoniseriesc.htm" />
<meta name="DC.Relation" scheme="URI" content="rajasartthevpnservers.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajatestconnection.htm" />
<meta name="DC.Relation" scheme="URI" content="http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245954.html" />
<meta name="DC.Relation" scheme="URI" content="../rzajw/rzajwkickoff.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaboscenario" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Basic branch office connection</title>
</head>
<body id="rzajaboscenario"><a name="rzajaboscenario"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Basic branch office connection</h1>
<div><p>In this scenario, your company wants to establish a VPN between
the subnets of two remote departments through a pair of iSeries™ computers
acting as VPN gateways.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>Suppose
your company wants to minimize the costs incurred from communicating to and
among its own branches. Today, your company uses frame relay or leased lines,
but you want to explore other options for transmitting internal confidential
data that are less expensive, more secure, and globally accessible. By exploiting
the Internet, you can easily establish a virtual private network (VPN) to
meet the needs of your company.</p>
<div class="p">Your company and its branch office both
require VPN protection across the Internet, but not within their respective
intranets. Because you consider the intranets trusted, the best solution is
to create a gateway-to-gateway VPN. In this case, both gateways are connected
directly to the intervening network. In other words, they are <em>border</em> or <em>edge</em> systems,
which are not protected by firewalls. This example serves as a useful introduction
to the steps involved in setting up a basic VPN configuration. When this scenario
refers to the term, <em>Internet</em>, it refers to the intervening network
between the two VPN gateways, which might be the company's own private network
or the public Internet.<div class="important"><span class="importanttitle">Important:</span> This scenario shows the <span class="keyword">iSeries</span> security gateways attached directly
to the Internet. The absence of a firewall is intended to simplify the scenario.
It does not imply that the use of a firewall is not necessary. In fact, consider
the security risks involved any time you connect to the Internet.</div>
</div>
</div>
<div class="section"><h4 class="sectionscenariobar">Advantages</h4><p>This
scenario has the following advantages:</p>
<ul><li>Using the Internet or an existing intranet reduces the cost of private
lines between remote subnets.</li>
<li>Using the Internet or an existing intranet reduces the complexity of installing
and maintaining private lines and associated equipment.</li>
<li>Using the Internet allows remote locations to connect to almost anywhere
in the world.</li>
<li>Using VPN provides users access to all servers and resources on either
side of the connection just as though they were connected using a leased line
or wide area network (WAN) connection.</li>
<li>Using industry standard encryption and authentication methods ensures
the security of sensitive information passed from one location to another.</li>
<li>Exchanging your encryption keys dynamically and regularly simplifies setup
and minimizes the risk of your keys being decoded and security being breached.</li>
<li>Using private IP addresses in each remote subnet makes it unnecessary
to allocate valuable public IP addresses to each client.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
scenario, MyCo, Inc. wants to establish a VPN between the subnets of its Human
Resources and Finance departments through a pair of <span class="keyword">iSeries</span> servers.
Both servers will act as VPN gateways. In terms of VPN configurations, a gateway
performs key management and applies IPSec to the data that flows through the
tunnel. The gateways are not the data endpoints of the connection.</p>
<p>The
objectives of this scenario are as follows:</p>
<ul><li>The VPN must protect all data traffic between the Human Resources department's
subnet and the Finance department's subnet.</li>
<li>Data traffic does not require VPN protection once it reaches either
department's subnet.</li>
<li>All clients and hosts on each network have full access to the other's
network, including all applications.</li>
<li>The gateway servers can communicate with each other and access each other's
applications.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
figure illustrates the network characteristics of MyCo.</p>
<br /><img src="rzaja510.gif" alt="Branch office network diagram" /><br /><p><strong>Human Resources Department</strong></p>
<ul><li>iSeries-A runs on <span class="keyword">OS/400<sup>®</sup></span> Version
5 Release 2 (V5R2) or later and acts as the Human Resources Department's VPN
gateway.</li>
<li>Subnet is 10.6.0.0 with mask 255.255.0.0. This subnet represents the data
endpoint of the VPN tunnel at the MyCo Rochester site.</li>
<li>iSeries-A connects to the Internet with IP address 204.146.18.227. This
is the connection endpoint. That is, iSeries-A performs key management and
applies IPSec to incoming and outgoing IP datagrams.</li>
<li>iSeries-A connects to its subnet with IP address 10.6.11.1.</li>
<li>iSeries-B is a production server in the Human Resources subnet that runs
standard TCP/IP applications.</li>
</ul>
<p><strong>Finance Department</strong></p>
<ul><li>iSeries-C runs on <span class="keyword">OS/400</span> Version
5 Release 2 (V5R2) or later and acts as the Finance Department's
VPN gateway.</li>
<li>Subnet is 10.196.8.0 with mask 255.255.255.0. This subnet represents the
data endpoint of the VPN tunnel at the MyCo Endicott site.</li>
<li>iSeries-C connects to the Internet with IP address 208.222.150.250. This
is the connection endpoint. That is, iSeries-C performs key management and
applies IPSec to incoming and outgoing IP datagrams.</li>
<li>iSeries-C connects to its subnet with IP address 10.196.8.5.</li>
</ul>
</div>
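<p>The addressing above implies a traffic-selector policy on both gateways: datagrams between the two department subnets are encapsulated in a tunnel between the two connection endpoints, traffic that stays inside one subnet is passed in the clear, and anything the policy does not cover is dropped. The following Python model is an added example, not IBM code or the configuration syntax of the VPN function; the addresses are the scenario's, while the protect/bypass/discard rules, the <code>inbound_check</code> function and the assumption that the gateways' own traffic to each other is protected are the example's.</p>

```python
"""Traffic-selector model of the MyCo scenario (constructed example, not
IBM code). Addresses come from the scenario; the protect/bypass/discard
rules follow the standard IPsec security-policy model."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

@dataclass(frozen=True)
class Gateway:
    name: str
    subnet: IPv4Network      # data endpoint: the trusted intranet behind it
    public_ip: IPv4Address   # connection endpoint: key management + IPSec

ISERIES_A = Gateway("iSeries-A", IPv4Network("10.6.0.0/16"),
                    IPv4Address("204.146.18.227"))
ISERIES_C = Gateway("iSeries-C", IPv4Network("10.196.8.0/24"),
                    IPv4Address("208.222.150.250"))
GATEWAYS = (ISERIES_A, ISERIES_C)
PUBLIC_IPS = {gw.public_ip for gw in GATEWAYS}

def owner(ip):
    """Return the gateway whose subnet contains ip, or None."""
    return next((gw for gw in GATEWAYS if ip in gw.subnet), None)

def policy(src, dst):
    """Return (action, tunnel): action is "protect" (encapsulate between
    the connection endpoints), "bypass" (intra-subnet traffic is trusted
    and sent in the clear) or "discard" (no policy covers the pair);
    tunnel is the outer (src, dst) pair for "protect", else None."""
    s, d = IPv4Address(src), IPv4Address(dst)
    gs, gd = owner(s), owner(d)
    if gs is not None and gd is not None:
        if gs is gd:
            return "bypass", None
        return "protect", (str(gs.public_ip), str(gd.public_ip))
    # Assumption: the gateways' own traffic to each other (objective 4)
    # is protected too, tunnelled directly between the public addresses.
    if s in PUBLIC_IPS and d in PUBLIC_IPS and s != d:
        return "protect", (str(s), str(d))
    return "discard", None

def inbound_check(src, dst, encapsulated):
    """Inbound enforcement on a gateway: a datagram whose selectors require
    protection but arrived in the clear is dropped (returns False), so
    plaintext arriving from the Internet cannot pass as intranet traffic."""
    action, _ = policy(src, dst)
    return encapsulated if action == "protect" else action == "bypass"
```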
<div class="section"><h4 class="sectionscenariobar">Configuration tasks</h4><p>You
must complete each of these tasks to configure the branch office connection
described in this scenario:</p>
<div class="note"><span class="notetitle">Note:</span> Before you start these tasks, verify the
TCP/IP routing to ensure that the two gateway servers can communicate with
each other across the Internet. This also ensures that hosts on each subnet route
properly to their respective gateway for access to the remote subnet.</div>
</div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzajacompletetheplanningworksheets.htm">Complete the planning worksheets</a><br />
</li>
<li class="olchildlink"><a href="rzajaconfigurevpnoniseriesa.htm">Configure VPN on iSeries-A</a><br />
</li>
<li class="olchildlink"><a href="rzajaconfigurevpnoniseriesc.htm">Configure VPN on iSeries-C</a><br />
</li>
<li class="olchildlink"><a href="rajasartthevpnservers.htm">Start the VPN servers</a><br />
</li>
<li class="olchildlink"><a href="rzajatestconnection.htm">Test connection</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajascenarios.htm" title="Review these scenarios to become familiar with the technical and configuration details involved with each of these basic connection types.">VPN scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="../rzajw/rzajwkickoff.htm">TCP/IP routing and workload balancing</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="http://publib-b.boulder.ibm.com/Redbooks.nsf/RedbookAbstracts/sg245954.html" target="_blank">AS/400 Internet Security Scenarios: A Practical Approach, SG24-5954-00</a></div>
</div>
</div>
</body>
</html>