Scenario: Configure a direct Internet connection from a
server that provides connectivity for other systems or partitions
Situation
Suppose you are responsible for maintaining an iSeries™ server for
MyCompany, a small manufacturing company in Boone, Iowa. As part of providing
this support, you need to establish a connection between electronic customer
support and MyCompany's iSeries server. Since MyCompany has an Internet
network connection and a fixed global routable IP address cable modem, you
can create a connection from your iSeries server through your cable modem. With
this system, your server provides connectivity (as a VPN multi-hop gateway
and a Service and Support proxy) for the three other MyCompany servers that
need to connect to electronic customer support services.
Solution
Create a Universal Connection to IBM® through a direct Internet connection.
The Universal Connection wizard creates all the required definitions for the
connection to electronic customer support. To provide connectivity for other
systems, the wizard will create an L2TP terminator profile, or you can select
an existing L2TP terminator profile. See L2TP (virtual
line) for additional information about L2TP terminator profiles. In addition,
the wizard will configure the Service and Support proxy.
Advantages
This scenario provides the following advantages:
- MyCompany can use its existing hardware and Internet provider
to receive benefit from electronic customer support. You can configure this
connection through the Universal Connection wizard or CL commands.
- The Internet connection provides a simple means of ensuring that MyCompany
has electronic customer support available for ease of troubleshooting server
problems, tracking current system hardware and software, or receiving software
updates and fixes.
- MyCompany's other three servers can remotely connect to electronic customer
support through a single server. MyCompany would only need connectivity from
one system.
- A direct Internet connection provides a high-speed connection to electronic
services.
- With this scenario the other MyCompany servers are protected from the
Internet.
Objectives
In this scenario, the customer wants to ensure that IBM can support
the MyCompany system over a direct connection to the Internet. The objectives
of this scenario are as follows:
- To create a direct connection between the MyCompany's four servers and
electronic customer support through the Internet.
- To automate customer support through electronic customer support and services
- To allow electronic customer support to create an electronic hardware
and software inventory of MyCompany's iSeries system
- To permit electronic customer support to send software fixes and updates
to MyCompany over the network
Details
The following diagram illustrates connecting the MyCompany iSeries server to
electronic customer support through a direct connection to the Internet.
Configuring Universal Connection
- iSeries Navigator launches the Universal Connection Wizard to configure
the connection. This only needs to be done once unless some configuration
information needs to be updated.
Using Universal Connection
When a Service Application wants to use the Universal Connection to communicate
with IBM the following will occur:
- If the service application is not providing
its own security and iSeries A is connecting: A Virtual Private Network
(VPN) is established through your existing Internet connection to a VPN Gateway
at IBM.
- If the service application is not providing
its own security and iSeries B, C, or D are connecting: An L2TP tunnel
is established to iSeries A which initiates a VPN through your existing Internet
connection to a VPN Gateway at IBM.
- If the service application is providing
its own security and iSeries A is connecting: An HTTP or HTTPS connection
is made with the appropriate IBM servers.
- If the service application is providing
its own security and iSeries B, C, or D are connecting and they support a proxy: An HTTP or HTTPS connection is made through the Service and Support
proxy server.
The service application communicates with the appropriate IBM servers to perform
the requested service.
Prerequisites
and assumptions
The prerequisites for enabling electronic customer support over a direct
Internet connection include:
- The iSeries server must have a globally routable IP address, or the server
must be behind a NAT firewall with a globally routable address.
- Ensure that the iSeries Access for Windows® and iSeries Navigator exist on your personal computer,
as described in the iSeries Access for Windows:
Installation and setup topic.
- Ensure that you install all of the latest service packs for iSeries Navigator.
The scenarios show using the V5R4 version of the software.
- Ensure that TCP/IP is active. You can start TCP/IP through the Start TCP/IP
(STRTCP) command.
- You must have security officer (*SECOFR) authority with *ALLOBJ,
*IOSYSCFG, and *SECADM special authorities in your i5/OS™ user profile and *USE authority to WRKCNTINF
in order to configure the connection using the Universal Connection wizard.
- You must install the TCP/IP Connectivity Utilities (5722–TC1).
- You must install the Digital Certificate Manager (DCM) (5722-SS1
option 34).
- Ensure that the QRETSVRSEC system value is set to 1. You can check this
value with the Display System Value (DSPSYSVAL) command. If this value is
not set to 1, enter a Change System Value (CHGSYSVAL) command.
- Ensure your default TCP/IP route, or a host route, directs
traffic out the appropriate TCP/IP interface to the Internet to allow the
VPN and other service connections to be established to IBM. For VPN details,
see Determine the IBM VPN Gateway addresses and Determine the IBM Service Destination addresses.
- Ensure your filter rules allow Universal Connection traffic to flow to
the Internet. For details, see IP Packet Filter Firewall.
Current® system configuration steps
Assuming that TCP/IP configuration already exists and works, complete the
following steps to set up the Universal Connection when your local server
acts as a connecting point for the other three servers in MyCompany:
- Complete the planning work sheet.
- Start the iSeries Navigator and select the Universal
Connection wizard.
- Enter the service, address, and country information
on the Universal Connection wizard dialogs.
- Under Connect from the current system, select
a direct connection to the Internet as a connection type.
- For proxy option, configure a proxy destination.
- Specify that you want this iSeries server to
function as a connecting point through which other servers or partitions connect
to electronic customer support.
- Select an interface the other servers use when
connecting to electronic customer support.
- Create or select L2TP terminator profiles.
- Configure a Service and Support proxy
server.
- Review the Summary window to ensure that the
configuration meets your requirements, and click Finish to
save your configuration.
- When prompted, test the connection from your
server to electronic customer support.
- Configure a backup configuration
(optional).
Scenario details: Configure a direct Internet connection
from a server that provides a connection point for other systems
After you complete the prerequisites, you
are ready to begin configuring the Universal Connection through the wizard.
Step 1: Complete
the planning work sheet.
The following planning work sheet illustrates the type of information you
need before configuring the direct Internet connection. You use this information
when running the Universal Connection wizard.
| Planning work sheet |
Answers |
Service information
- Company
- Contact name
- Telephone number
- Help desk or pager number
- Fax number
- Alternate fax number
|
- MyCompany
- Tom Smith
- 515–870–9990
- 515–870–9942
- 515–870–5586
- 515–870–5587
|
Company address
- Street address
- City or locality
- State or province
- Country (or region)
- Postal code
- National language version
- Electronic mail address
- Alternate electronic mail address
- Media for PTFs (fixes)
|
- 94 West Proctor St.
- Boone
- Iowa
- United States
- 55902
- English (2924)
- myname@company.com
- myname@othercompany.com
- Automatic selection
|
Location
- Country (or region)
- State
|
|
| Connection method |
Through current iSeries server |
| What is the interface description for other systems
to use as a connecting point? |
10.1.1.1 |
| L2TP terminator profile name |
QL2TP00 |
If you prefer using CL Commands to
create the configuration, use the Change Contact Information (CHGCNTINF) and
the Create Service Configuration (CRTSRVCFG) commands.
Step 2: Start
the iSeries Navigator and select the Universal Connection wizard.
To start the Universal Connection wizard and begin establishing your connection:
- Open iSeries Navigator software.
- Select the server under the My Connections folder that you want to configure
for electronic customer support.
- Expand Network.
- Expand Remote Access Services.
- Right-click Originator Connection
Profiles.
- Select Configure IBM Universal Connection to start the Universal Connection wizard. The Welcome dialog appears.
Note:
A progress bar indicates that iSeries Navigator
is loading the Universal Connection wizard. If you encounter problems while running the wizard, see
Troubleshoot the Universal Connection wizard for a solution. Run the wizard again after solving the
problem.
Step 3: Enter
the service, address, and country information on the Universal Connection
wizard dialogs.
To enter information about your company and connections:
- On the Select Configuration dialog, select either Primary connection configuration or Backup connection
configuration. The default is primary. Check the View
and modify contact information box and click Next
- On the Service Information dialog, enter the following information about
MyCompany and click Next:
- Company – MyCompany
- Contact name – Tom Smith
- Telephone number – 515–870–9990
- Help desk or pager number— 515–870–9999
- Fax number — 515–870–5586
- Alternate fax number — 515–870–9942
If this information exists on your server, the company data already
appears in the fields. For example, if MyCompany previously created a configuration,
the wizard retrieves the data from the existing configuration.
- On the Company Address dialog, enter MyCompany's address and click Next.
- Street address – 94 West Proctor St.
- City or locality – Boone
- State or province – Iowa
- Country or region – United States
- Postal code – 55902
- National language version – English (2924)
- Electronic mail address – myname@company.com
- Alternate electronic mail address – myname@othercompany.com
- Media for PTFs – Automatic selection
- On the Location dialog, select the country (or region) and the state or
province where your iSeries server resides and Click Next.
- Country (or region) – United States
- State – Iowa
Step 4: Under
Connect from the current system, select a direct connection to the Internet
as a connection type.
Note:
There is a checkbox to Additionally configure
a proxy connection. If your enterprise has an HTTP proxy or you've configured
a service and support proxy on another system or partition, and you wish to
use that for Universal Connection applications which support going through
a proxy, check this box. If this box is checked, Step 5 will appear.
Step 5: For
proxy option, configure a proxy destination.
Note:
This screen only appears if the proxy option was selected
in Step 4.
To configure a proxy destination
- Attempt proxy connection first
- Choose this option if you want the proxy to take precedence
over the configuration for this scenario.
- If necessary, check the Proxy destination
requires HTTP basic authentication box and fill in the User name and Password fields.
- Click Next and proceed to the next Step.
- Attempt proxy connection if previously defined configuration
fails
- Choose this option if the proxy is to be used only in the
event that the configuration for this scenario fails.
- Fill in the Proxy IP address or host name field.
- Fill in the Proxy port field.
- If necessary, check the Proxy destination requires HTTP
basic authentication box and fill in the User name and Password fields.
- Click Next and proceed to the next Step.
Step 6. Specify
that you want this iSeries server to function as a connecting point through
which other servers or partitions connect to electronic customer support.
Select Yes to indicate that this server
provides connectivity for other servers or partitions and click Next.
Step 7: Select
an interface the other servers use when connecting to electronic customer
support.
Select the interfaces that the other MyCompany servers will use when connecting
to IBM. Select one of the following options:
Note:
In addition, the wizard configures the Service
and Support HTTP Proxy to start with TCP and to listen for connection requests
on the interfaces you select.
In this case, MyCompany selects 10.1.1.1 Ethernet Interface.
Step 8: Create
or select L2TP terminator profiles.
- Select an L2TP terminator profile for each of your selected interfaces.
Choose one of the following options:
- Click Create a new profile named QL2TPnn where nn represents a number from 00 to 99. With this selection, the wizard
creates, names, and consecutively numbers the new L2TP profile.
- Click Select an existing profile to choose a specific
L2TP profile for the associated interface.
In this case, MyCompany lets the Universal Connection wizard create
an L2TP profile.
- Ensure that the Start selected L2TP terminator profiles
when TCP/IP is started check box is checked. MyCompany wishes to start
this profile when starting TCP/IP.
Note:
By starting the selected
L2TP terminator profile when the system starts TCP/IP, all other L2TP terminator
profiles for this interface will be modified not to start with TCP/IP.
If you specify that you do not want to start the selected L2TP terminator
profiles when TCP/IP is started, you must manually start the L2TP terminator
before using the connection to the systems.
Step 9: Configure
a Service and Support proxy server.
To configure a service and support proxy server
- Fill in the Server port field.
- If desired, check the Require HTTP basic
authentication box and fill in the User name and Password fields. Authentication is optional. If specified,
all other partitions or systems using this proxy must provide these security
credentials.
- Click Next and proceed to the next Step.
Step 10: Review
the Summary window to ensure that the configuration meets your requirements,
and click Finish to save your configuration.
To complete and save your server configuration:
- Review the configuration summary. Click Back if you need to change a value on any of the wizard dialogs.
- When the configuration is correct, click Finish to save the configuration. A progress bar indicates that the wizard
is in the process of saving the configuration.
Step 11: Test
the connection from your server to electronic customer support.
To test the configuration:
- Click Yes when the wizard prompts you to test the
configuration. The Verify Universal Connection dialog appears.
- Make note of any problems as the wizard displays verification progress.
- Click OK when the wizard indicates that verification
is complete.
- If the wizard finds errors, restart the Universal Connection wizard, make
necessary corrections, save, and retest the corrected configuration.
Step 12: Configure a backup configuration (optional)
If an additional connection method is available to you, it is suggested
that you rerun the wizard to configure a backup. This backup will be used
automatically in the event that the primary connection fails.
