Scenario: Enable remote connections

Your company has a branch sales office that has several remote sales personnel who need to connect to your iSeries™ server. You also connect to your corporate office located in another state. Because the information that is transmitted between these areas of your company is sensitive, you are concerned about protecting it as it is sent across the Internet. Use this scenario to configure connections to remote clients and servers.

Situation

You are the network administrator for a branch sales office that manages several mobile sales employees. You also work with the corporate office located in another state. Both the remote sales personnel and the corporate office need access to your internal network; however, you are concerned about protecting information as it is transmitted over the Internet.

The corporate office often needs access to sensitive information like customer accounts and billing statements. Your mobile sales employees transmit information to your branch sales office by dialing an Internet service provider (ISP) through the Point-to-Point Protocol (PPP). Because they also transmit sensitive information, you need to ensure data integrity and privacy in these communications. You do not want sensitive credit card numbers or customer contact information exposed to the Internet. After researching your options for both groups of users, you have decided to use a virtual private network (VPN) to protect your connections to the corporate office and to use Layer Two Tunnel Protocol (L2TP) protected with a VPN for your remote employees.

Objectives

The administrators for MyCo, Inc have the following objectives:

  • To provide access to remote sales people and the corporate office
  • To use existing iSeries servers to support these goals
  • To allow remote sales people and the corporate office to access the branch office network

Details

The following network topology shows the connections between a branch sales office and a corporate headquarters and remote sales personnel. Connections to the branch sales office are protected through a VPN. The following descriptions of each part of this network provide details on their configuration.


Enable remote connections

Branch sale office

  • iSeries A runs on OS/400® Version 5 Release 2 (V5R2) and contains all pertinent business applications.
  • iSeries A acts as the gateway for the VPN connection with the branch sales office.
  • iSeries A has IP address 192.168.1.2, which is globally routable.
    Important: IP addresses used in this scenario are meant for example purposes only. They do not reflect an IP address scheme and should not be used in any actual configuration. Use your own IP addresses when completing these tasks.
  • Subnet mask is 255.255.255.0.
  • iSeries A connects to its subnet with the IP address 10.1.1.1.
  • Within the internal network of the branch sales office, all PCs have been configured with a default route that points to iSeries A.
  • The fully qualified host name of iSeries A is iseriesa.myco.min.com.
  • Both iSeries A and B can initiate connections.
  • Remote employees use a pool of IP addresses that range from of 10.1.1.100 to 10.1.1.150.

Corporate office

  • iSeries B runs on OS/400 Version 5 Release 2 (V5R2) and contains all pertinent business applications.
  • iSeries B acts as the gateway for the VPN connection for corporate office.
  • iSeries B has the IP address of 172.16.1.3 that is globally routable.
    Important: IP addresses used in this scenario are meant for example purposes only. They do not reflect an IP addressing scheme and should not be used in any actual configuration. You should use your own IP addresses when completing these tasks.
  • Subnet mask is 255.255.255.0.
  • iSeries B connects to its subnet with the IP address 10.2.1.1.
  • Within the internal network of the corporate office, all PCs have been configured with a default route that points to iSeries B.
  • The fully qualified host name of iSeries B is iseriesb.myco.wis.com.

Remote sales personnel

  • Laptop with a Microsoft® Windows® XP operating system
  • Remote employees use a pool of IP addresses that range from 10.1.1.100 to 10.1.1.150.

Prerequisites and assumptions

This scenario provides an example VPN configuration between a branch sales office and a corporate office. It also provides instructions on how to configure remote access for travelling sales people connecting to the branch office. This scenario assumes that several prerequisite steps have been completed and tested, and are operational before beginning these configuration steps. These prerequisites are assumed to have been completed for this scenario:

  1. Ensure that the following licensed programs have been installed:
    • OS/400 Version 5 Release 2 (5722-SS1)
    • Digital Certificate Manager (5722-SS1 Option 34)
      Note: This scenario assumes that DCM has been installed on both systems, but it has not been configured on either system.
    • TCP/IP Connectivity Utilities for i5/OS™ (5722-TC1)
    • IBM® HTTP Server for iSeries (5722-DG1)
    • IBM eServer™ iSeries Access for Windows (5722-XE1) and iSeries Navigator
    • IBM Developer Kit for Java™ (5722-JV1)
    • Ensure that you have the latest PTFs have been installed on your system.
  2. Ensure that the following server setup has been completed:
    • TCP/IP must be configured, including IP interfaces, routes, local host name, and local domain name.
    • Basic system security has been configured and tested.
    • The Network component of iSeries Navigator has been installed.
    • The retain server security data (QRETSVRSEC *SEC) system value has been set to 1.
    • The shared memory (QSHRMEMCTL) system value has been set to 1.
    • Normal TCP/IP communications has been established between required endpoints.
  3. Ensure that the following requirements are on the PC that is used for remote employees:
    • Windows XP client with a Windows 32-bit operating system is properly connected to your iSeries server and configured for TCP/IP.
    • A 233 Mhz processing unit.
    • Windows XP clients must have 64 MB RAM.
    • iSeries Access for Windows and iSeries Navigator have been installed on the client PC.
    • Software must support IP Security (IPSec) protocol.
    • Software must support Layer 2 Tunneling Protocol (L2TP).
    • Connection to an ISP has been established.

In addition to these prerequisites, it is assumed that both networks have set up and activated filter rules on their networks, configured routing, and established an IP addressing scheme. If you have not completed these tasks, see the following topics: IP filtering and network address translation (NAT) and TCP/IP routing and workload balancing.

Tip: This scenario shows the iSeries security gateways attached directly to the Internet. The absence of a firewall is intended to simplify the scenario. It does not imply that the use of a firewall is not necessary. In fact, you should consider the security risks involved anytime you connect to the Internet. Review AS/400® Internet Security Scenarios: A Practical ApproachLink to PDF, for a detailed description of various methods for reducing security risks.
  1. Set up Certificate Authority with Digital Certificate Manager
  2. Configure VPN connection between the branch sales office and the corporate office
  3. Configure VPN connection to remote users
Parent topic: Network scenarios
Related reference
IP filtering and network address translation (NAT)
TCP/IP routing and workload balancing
AS/400 Internet Security Scenarios: A Practical Approach, SG24-5954-00
DCM scenarios
VPN scenarios
PPP scenarios