VPN Access over Mobile Web Support Overview

VPN Access over Mobile Web

Contents

1 INTRODUCTION

2 VIRTUAL PRIVATE NETWORK (VPN)
2.1 VPNS
2.2 VPN ACCESS OVER MOBILE WEB
2.3 THE BENEFITS OF A MOBILE VPN INCLUDE

3 BEFORE YOU START – WHAT DO YOU NEED TO KNOW?
3.1 BASIC VPN SOLUTION REQUIREMENTS
3.1.1 Nortel
3.1.2 Cisco
3.1.3 Checkpoint
3.1.4 Sonic
3.1.5 Other IPSec based VPN solutions
3.1.6 Microsoft PPTP based VPN
3.1.7 L2TP based VPN
3.2 IPSEC AND NAT TRAVERSAL
3.2.1 Overview
3.2.2 Detailed Technical Explanation
3.3 COMPATIBLE DEVICES MATRIX
3.4 DETAILED VPN SPECIFIC REQUIREMENTS

4 GETTING SET UP
4.1 CHECKLIST AND FLOW DIAGRAM
4.1.1 Define - Hardware and Connection Method
4.1.2 VPN - Product selection
4.1.3 VPN – LAN set-up and configuration
4.1.4 VPN - Client install and configuration
4.1.5 Mobile Web – Tariff selection and Provisioning
4.1.6 Mobile Web - Connection set-up
4.1.7 Connect and use VPN over Mobile Web
4.1.8 Xda and Pocket PC devices

5 USING YOUR VPN OVER MOBILE WEB
5.1 LAPTOP USER GUIDE
5.2 TIPS FOR USING LESS DATA
5.2.1 Use Web based Outlook
5.2.2 Keep alive functionality
5.2.3 Logging into your domain at start-up
5.2.4 Mapped network drives
5.2.5 Outlook configuration
5.3 TIPS FOR USING A MOBILE VPN
5.3.1 Use in good coverage
5.4 HOW MUCH DATA ARE YOU USING?
5.4.1 Mobile Web Application
5.4.2 Windows Dial Up Networking

6 TROUBLESHOOTING AND SUPPORT
6.1 CARE MODEL AND HANDOFF POINTS
6.1.1 O2 Support
6.1.2 VPN Support
6.1.3 LAN Support
6.2 O2 PROFESSIONAL SERVICES
6.3 TROUBLESHOOTING

7 CHANGE REQUESTS

8 REFERENCES

9 APPENDICES
9.1 APPENDIX A – MOBILE WEB SERVICE SUMMARY
9.1.1 Key Benefits of Mobile Web
9.1.2 Mobile Web Core Features
9.1.3 Devices
9.1.4 Getting Started Application
9.1.5 Service Settings
9.1.6 Resilience
9.1.7 Supported Protocols & Ports
9.2 APPENDIX B – MOBILE WEB DEVICES MATRIX
9.3 APPENDIX C – GLOSSARY OF TERMS
9.4 APPENDIX D – FURTHER XDA INFORMATION
9.4.1 How to set up the Microsoft PPTP VPN client on xda
9.4.2 Manual Connect Method 1
9.4.3 Manual Connect Method 2

1 Introduction

Mobile Web is a GPRS service from O2 UK that provides consumer and business customers with ‘full Internet access and email on the move’ up to 5 times faster than standard GSM access. A VPN (Virtual Private Network) is a technology used by companies to allow computers connected to the Internet to securely access the corporate LAN and therefore gain access to critical company information and applications. The Mobile Web service can be used to gain mobile access to a wide number of VPN solutions, allowing a business customer to access their LAN-based email, calendar and intranet securely when out of the office – anywhere with O2 network coverage.

The set-up of Mobile Web for use with a VPN solution is very quick, simple, and inexpensive. It is therefore an attractive method of gaining access to office email and applications for UK businesses and IT departments alike.

This document outlines the technical requirements for VPN access over Mobile Web so that a VPN solution provider, or an IT manager can ascertain whether or not their VPN solution may be used with the Mobile Web service. The goal is to clearly describe the capabilities of the Mobile Web service and its uses with VPNs, rather than the full details of how the service operates.

This Support Overview gives guidance on how to set up and use Mobile Web for VPN access, to assist IT managers to set up and use their VPN with Mobile Web. During pre-launch market research and trial, we identified some of the information needs of the IT manager, and we hope that this document proves useful in helping businesses take their VPN on the move over Mobile Web.

This is the second release of this document, which has been expanded to include a number of additional VPN solutions that have been tested internally and with customers using Mobile Web.

It should be noted that each VPN is different and O2 does not take responsibility to support the VPN your company runs nor guarantee its compatibility with the Mobile Web service from O2. O2 is only responsible for delivering the Mobile Web service under the terms of the Mobile Web Service agreement.

O2 Mobile Web will continue to evolve, and will over time have additional features and technical capabilities added.

2 Virtual Private Network (VPN)

2.1 VPNs

VPN technology has emerged as one of the most effective and popular ways of allowing remote users to securely access corporate email and intranets. Conventionally, access to the corporate network has been provided through a fixed line, be that a leased line, PSTN, ISDN, or Broadband connection.

A VPN solution allows computers connected to the Internet to securely access the corporate LAN and therefore gain access to critical company information and applications.

2.2 VPN Access over Mobile Web

It is now possible to extend the reach of a VPN solution to anywhere with O2 coverage, by connecting through the Mobile Web service from O2.

O2 has developed the Mobile Web service to support a wide number of VPN solutions, outlined in section 3.1 below. The benefits of using a VPN are clearly understood by the organisations that use them. Gaining mobile access to a VPN allows the employees of the organisation to work with greater freedom, flexibility, and speed. Deployment of your VPN over the Mobile Web service is also a low cost and quick way to get your workforce mobile, using your existing investment in a VPN infrastructure.

Note that O2 strongly recommends that Pocket PC based devices, such as the xda, should be used only with the pre-installed Microsoft PPTP client to enable VPN access over Mobile Web. During trial and test activities where we did not use the Microsoft PPTP client, unsatisfactory customer experiences were encountered due to VPN client set-up and use characteristics.

2.3 The benefits of a Mobile VPN include

• Manage your corporate email on the move - now not later

• Make productive use of ‘in-transit’ time - no need to wait until you’re in the office to clear your company emails - link through your corporate VPN from wherever you are

• Improve your level of customer service by accessing the price list requested during your meeting from your Intranet - then email it to your customer from their offices!

• Business information you need, wherever and whenever you need it

• Read up on your client en route to their office and impress with up to the minute knowledge of their latest public announcement

• Access company databases over your VPN - look up stock availability and take the order while you are at your customer’s offices

• Get mobile using your existing kit

• You’ve already invested in a VPN infrastructure – get more from your investment by giving your team mobile access from anywhere

• Only small changes are made to your VPN client to take your remote access mobile

• Use your existing laptops to link to your VPN over Mobile Web with a GPRS handset or GPRS card

• Use Pocket PC devices including the award winning xda from O2, with PPTP based VPNs

• Simple and flexible set up and pricing

• IT Departments quote set up of the VPN to use Mobile Web can take as little as 30 minutes!

• Provision mobile workers as and when you like – there are no minimum numbers of users of Mobile Web, and there is a range of competitive tariffs to suit your needs

3 Before you Start – What do you need to know?

Getting Started Checklist:

• Suitable VPN infrastructure – Section 3.1

• NAT Traversal set-up (if using an IPSec based VPN product) – Section 3.2

• Devices with client software are compatible with the Mobile Web service – Appendix B

3.1 Basic VPN Solution Requirements

Most VPN solutions can be run over Mobile Web to provide secure connectivity to gain mobile access to a business LAN. This will complement existing fixed line access methods such as leased lines, PSTN, ISDN, or ADSL.

The following IPSec based VPN products have been tested successfully in conjunction with O2’s Mobile Web service:

3.1.1 Nortel

• Server side: Contivity 2600 platform running version 04_00.781 software.

• Client side: Contivity VPN client version V04_12.03.

• NAT Traversal required.

3.1.2 Cisco

• Server side: Cisco VPN 3005 concentrator running version 3.5.2 release k9 software.

• Client side: Cisco Systems VPN client version 3.5.1.

• NAT Traversal required.

3.1.3 Checkpoint

• Checkpoint Firewall 1

• Server side: version 4.1 SP2.

• Client side: version 4.1 SP2.

• UDP encapsulation required.

The steps detailed below are known to allow Checkpoint 1 VPN clients to successfully work with O2’s Mobile Web service:

• Ensure that the VPN client is using UDP encapsulation - there is an option in the userc.c file on the client - :force_udp_encapsulation (true).

• Add the O2 private address range to the allowed addresses on the firewall’s Internet interface (e.g. 10.246.0.0 to 10.249.255.255). This is only necessary if anti-spoofing is enabled on that interface, which is not the default configuration (though many customers believe the use of anti-spoofing is advisable).

• Add a manual address translation rule, so that any user coming from the O2 private address range has their source IP address converted to use one of the firewall’s external addresses. These addresses are routable from internal services.

Practical experience indicates that the Checkpoint firewall solution will decrypt the packet from the client and then apply the policy properties (including anti spoofing), address translation rules, and rule base to the encapsulated packet.

3.1.4 Sonic

• Server side: firmware version 6.3.0.0.

• Client side: version 8.

• UDP encapsulation required.

The steps detailed below are known to allow Sonic VPN clients to successfully work with O2’s Mobile Web service:

• Add a manual address translation rule, so that any user coming from the O2 private address range has their source IP address converted to use one of the firewall’s external addresses. These addresses are routable from internal services.

Practical experience indicates that the Sonic solution will decrypt the packet from the client and then apply the policy properties, address translation rules, and rule base to the encapsulated packet.

3.1.5 Other IPSec based VPN solutions

• In principle other IPSec based solutions used in conjunction with NAT Traversal will function over Mobile Web.

An IPSec based VPN solution cannot be used with Mobile Web without NAT Traversal. NAT Traversal is required to ‘wrap’ the IPSec traffic in UDP, as native IPSec is not supported.

• NOTE: ‘NAT Traversal’ is also known as ‘UDP Encapsulation’

3.1.6 Microsoft PPTP based VPN

• Microsoft PPTP based VPN solutions can be used with the Mobile Web service.

• The VPN client of the xda from O2 is a Microsoft PPTP client, which can be used for this purpose (see Appendix D for further information).

• NAT traversal will not be required when using a PPTP based solution.

3.1.7 L2TP based VPN

• L2TP based VPN solutions can be used with the Mobile Web service.

3.2 IPSec and NAT Traversal

3.2.1 Overview

NAT Traversal is required in order to run an IPSec based VPN over Mobile Web. NAT Traversal effectively ‘wraps’ the native IPSec protocol in UDP, which allows it to pass through the Mobile Web service. Without NAT Traversal a secure VPN tunnel cannot be established, and the VPN session cannot therefore be initiated. IPSec is not natively supported by the Mobile Web service.

Please note that NAT Traversal will not be required for PPTP based VPN solutions. A detailed technical explanation follows below.

3.2.2 Detailed Technical Explanation

IPSec is a framework of open standards that provides data confidentiality, data integrity and data authentication between participating peers at the IP layer. IPSec can be used to protect one or more data flows between IPSec peers.

Ensuring packet integrity is one of the major problems associated with IPSec based VPN solutions. Packets that are ‘Network Address Translated’ have their original packet modified. Modification of an IPSec packet will result in a failed integrity check and the VPN tunnel will not be created.

NAT can cause a number of problems when IPSec solutions are employed (refer to [1], [2]):

• In both transport and tunnel mode, the IPSec Authentication Header (AH) authenticates the whole IP datagram. When NAT modifies the IP header, IPSec evaluates this as a violation of integrity and discards the packet. Consequently, AH and NAT cannot work together.

• The IPSec Encapsulating Security Payload (ESP) in transport mode protects the TCP/UDP header, but does not care about the source and destination IP addresses. Thus, modification of the IP address does not violate the integrity check. However, when TCP or UDP are involved – as they are in transport mode ESP – there is a problem. Because NAT changes the IP addresses that the TCP checksum covers, NAT must also recalculate the checksum used to verify integrity. If NAT updates the TCP checksum, ESP authentication will fail; if it does not, TCP verification will fail.

• Even if ESP is used in tunnel mode, problems may still arise with Internet Key Exchange (IKE). IPSec based VPN solutions use IKE to automate security association set-up and to authenticate end-points. The most basic and common method of authentication in use today is ‘pre-shared key’. Unfortunately, this method depends upon the source IP address of the packet. If NAT is inserted between endpoints, the outer source IP address will be translated into the address of the NAT router, and will no longer identify the originating security gateway.
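The AH and ESP failure modes listed above can be reproduced with a small model. This is an added example, not part of the original O2 document: it simplifies AH and ESP to the fields that matter, uses HMAC-SHA1-96 with NULL encryption and a constructed key, and uses documentation addresses for the NAT and gateway. It also goes one step further and includes ESP tunnel mode, where the inner packet keeps its own addresses.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed value for this example only


def ip(addr):
    """Dotted quad -> 4 network-order bytes."""
    return socket.inet_aton(addr)


def inet_checksum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src, dst, tcp_len):
    # The TCP checksum covers the IP addresses through this pseudo-header.
    return ip(src) + ip(dst) + struct.pack("!BBH", 0, 6, tcp_len)


def tcp_segment(src, dst, payload):
    """20-byte TCP header plus payload, checksum valid for (src, dst)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = inet_checksum(pseudo_header(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload


def tcp_checksum_ok(src, dst, segment):
    return inet_checksum(pseudo_header(src, dst, len(segment)) + segment) == 0


def icv(data):
    """HMAC-SHA1-96 integrity check value."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]


def ah_protect(src, dst, segment):
    # AH authenticates the IP addresses as well as the payload.
    return {"src": src, "dst": dst, "body": segment,
            "icv": icv(ip(src) + ip(dst) + segment)}


def ah_verify(pkt):
    expected = icv(ip(pkt["src"]) + ip(pkt["dst"]) + pkt["body"])
    return hmac.compare_digest(pkt["icv"], expected)


def esp_protect(src, dst, spi, inner):
    # ESP authenticates SPI, sequence number and payload, not the outer IP header.
    body = struct.pack("!II", spi, 1) + inner
    return {"src": src, "dst": dst, "body": body, "icv": icv(body)}


def esp_verify(pkt):
    return hmac.compare_digest(pkt["icv"], icv(pkt["body"]))


def nat(pkt, public_src):
    """Source NAT: rewrite the outer source address and nothing else."""
    return dict(pkt, src=public_src)


def demo():
    # Client address is inside the O2 private range quoted in section 3.1.3;
    # the other addresses are constructed.
    client, public, gateway = "10.246.1.20", "192.0.2.10", "198.51.100.1"
    lan_host, tunnel_ip = "172.16.5.9", "172.16.200.7"
    data = b"GET / HTTP/1.0\r\n\r\n"

    seg = tcp_segment(client, gateway, data)
    ah = nat(ah_protect(client, gateway, seg), public)
    esp_tr = nat(esp_protect(client, gateway, 0x1001, seg), public)

    # Tunnel mode: the inner packet carries its own addresses inside ESP.
    inner_pkt = ip(tunnel_ip) + ip(lan_host) + tcp_segment(tunnel_ip, lan_host, data)
    esp_tun = nat(esp_protect(client, gateway, 0x1002, inner_pkt), public)
    t_src = socket.inet_ntoa(esp_tun["body"][8:12])
    t_dst = socket.inet_ntoa(esp_tun["body"][12:16])

    return {
        "ah_icv_ok": ah_verify(ah),
        "esp_transport_icv_ok": esp_verify(esp_tr),
        "esp_transport_tcp_ok": tcp_checksum_ok(esp_tr["src"], esp_tr["dst"], esp_tr["body"][8:]),
        "esp_tunnel_icv_ok": esp_verify(esp_tun),
        "esp_tunnel_tcp_ok": tcp_checksum_ok(t_src, t_dst, esp_tun["body"][16:]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The tunnel-mode case passes both checks here because only one client sits behind the NAT; a port-based NAT still has no port numbers to work with in a bare ESP packet.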

In recognition of the issues associated with using IPSec VPN solutions in a NAT scenario the IETF has developed a technique called ‘NAT traversal’, (sometimes known as ‘UDP Encapsulation’).

NAT traversal causes the remote user’s PC to apply a UDP header between the IP encapsulation header and the Encapsulating Security Payload (ESP) 50 header – ESP is a set of IETF standard encryption and packet authentication services per RFC 2406. When packets leave the user’s laptop and pass through the organisation’s firewall, NAT or NAPT translates based on the new UDP header. The new UDP header is removed at the VPN concentrator along with the IP encapsulation header and the ESP 50 header [3].

NAT translation needs to be intact for the period of the VPN tunnel. Consequently, 'keep alive' packets must be sent between the VPN client and server. A keep alive is a small UDP packet sent on a regular basis to prevent the session from being lost. It should also be noted that the Mobile Web service will terminate UDP sessions if periods of inactivity exceed 30 minutes.
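An added example (not from the original document) of the UDP encapsulation and keep-alive behaviour described above. It assumes the wire format later standardised in RFC 3948 (UDP port 4500, four zero octets before IKE messages, a one-octet 0xFF keep-alive), which the page itself does not specify, and it runs over a constructed trace. Because Mobile Web is billed by volume, it totals on-wire bytes per packet type as well as flagging idle gaps longer than the 30-minute limit.

```python
import struct

NATT_PORT = 4500              # RFC 3948 port (assumption: the page names no port)
NON_ESP_MARKER = b"\x00" * 4  # RFC 3948: four zero octets precede IKE messages
KEEPALIVE = b"\xff"           # RFC 3948: one-octet NAT keep-alive
IDLE_LIMIT = 30 * 60          # page: UDP sessions end after 30 minutes of inactivity
IPV4_HDR = 20                 # bytes, header without options


def udp_datagram(sport, dport, payload):
    """UDP header + payload; checksum sent as 0, as RFC 3948 recommends for ESP-in-UDP."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp_in_udp(sport, spi, seq, ciphertext):
    """The UDP header sits between the outer IP header and the ESP header."""
    return udp_datagram(sport, NATT_PORT, struct.pack("!II", spi, seq) + ciphertext)


def classify(datagram):
    """Return (kind, detail) for one UDP datagram."""
    if len(datagram) < 8:
        return ("malformed", None)
    sport, dport, length, _ = struct.unpack("!HHHH", datagram[:8])
    body = datagram[8:]
    if length != len(datagram):
        return ("malformed", None)
    if NATT_PORT not in (sport, dport):
        return ("not-natt", None)
    if body == KEEPALIVE:
        return ("keepalive", None)
    if len(body) > 4 and body[:4] == NON_ESP_MARKER:
        return ("ike", None)
    if len(body) >= 8:
        # A non-zero first word is the ESP SPI, followed by the sequence number.
        return ("esp", struct.unpack("!II", body[:8]))
    return ("malformed", None)


def analyse(trace, limit=IDLE_LIMIT):
    """trace: time-ordered (seconds, datagram). Returns (bytes per kind, idle gaps)."""
    usage, gaps, last = {}, [], None
    for t, datagram in trace:
        kind, _ = classify(datagram)
        usage[kind] = usage.get(kind, 0) + IPV4_HDR + len(datagram)
        if last is not None and t - last > limit:
            gaps.append((last, t))  # the NAT mapping would have been dropped here
        last = t
    return usage, gaps


def keepalive_bytes(interval_s, session_s):
    """One-direction keep-alive volume for an otherwise idle session."""
    if interval_s >= IDLE_LIMIT:
        raise ValueError("interval would let the UDP session time out")
    return (session_s // interval_s) * (IPV4_HDR + 8 + len(KEEPALIVE))


def sample_trace():
    """Constructed four-packet session: (seconds, UDP datagram)."""
    return [
        (0, udp_datagram(40000, NATT_PORT, NON_ESP_MARKER + b"\x11" * 28)),
        (5, esp_in_udp(40000, 0x1001, 1, b"\xaa" * 64)),
        (1200, udp_datagram(40000, NATT_PORT, KEEPALIVE)),
        (3100, esp_in_udp(40000, 0x1001, 2, b"\xaa" * 64)),
    ]


if __name__ == "__main__":
    usage, gaps = analyse(sample_trace())
    print("bytes on the wire by type:", usage)
    print("idle gaps over 30 minutes:", gaps)
    print("8 h of 20 s keep-alives:", keepalive_bytes(20, 8 * 3600), "bytes")
```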

3.3 Compatible Devices Matrix

O2 has tested a number of GPRS devices such as phones, Novatel Data Cards, and the ‘all in one’ xda to ensure they function correctly with the Mobile Web service. Appendix B details the results of our testing activity in the form of a ‘recommended combinations matrix’.

The matrix clearly shows which GPRS devices can be used with which Laptop or PDA operating system, and is prescriptive to the following level:

• GPRS device software version – some earlier versions of software will not function.

• Connection method – specific attention should be drawn to whether you would like to connect using infrared, cable or Bluetooth.

• Laptop or PDA Operating System – in certain cases a later OS release will be required. Certain devices such as the Novatel Data card place high IT demands during the set-up phase on NT4, and are therefore not recommended.

Please note that separate requirements may exist for any particular VPN client, and you should check with your VPN solution supplier regarding which operating systems their clients are compatible with.

O2 recommends the use of a Novatel GPRS Data Card with a Laptop PC, and an xda using Microsoft PPTP for the best Mobile VPN experience.

3.4 Detailed VPN Specific Requirements

You should consult your VPN vendor, or Systems Integrator to establish if there are any specific requirements that your existing VPN solution may have for using Mobile Web.

During trial and testing activity at O2, we have found instances where a certain Laptop software version is required in order to run a VPN client.

We have also received feedback about the set-up complexities of Pocket PC VPN clients. We have highlighted these concerns in this document. You should carefully discuss the suitability of Pocket PC VPN client software, and performance of the software when mobile, with your VPN software provider.

Furthermore it is important to be clear about the requirement for an IPSec based VPN solution to have a NAT Traversal function. An IPSec based VPN solution cannot be used with Mobile Web without NAT Traversal.

4 Getting Set up

4.1 Checklist and flow diagram

The flow diagram below indicates a likely flow of activities for a business customer to select and deploy a Mobile VPN solution.

Where a customer already has an existing VPN solution, the process simply involves a reconfiguration of the existing VPN solution to work over the Mobile Web service from O2 rather than a full installation.

The IT Manager should determine whether the existing VPN solution can be used with Mobile Web by reviewing section 3.1.

4.1.1 Define - Hardware and Connection Method

• The business IT manager must determine, based on the organisation’s needs and the available options, which devices and connection method the VPN service will be used with.

• Consideration should be made of the devices supported by Mobile Web by referring to Appendix B.

• Consideration should be made of the VPN vendor’s supported hardware matrix by consulting with the VPN supplier or your systems integrator.

• Please note that O2 recommends the use of a Novatel GPRS Data Card with a laptop for IPSec or Microsoft PPTP based VPNs, or an xda using Microsoft PPTP for the best Mobile VPN experience.

• O2 only recommends the use of Pocket PC based handheld devices for use with a Microsoft PPTP based VPN service, as we have seen difficulties in both set up and use of IPSec based solutions on Pocket PC devices during our test and trial activities.

4.1.2 VPN - Product selection

• Based on the chosen hardware, and required connection methods, the IT manager would then evaluate the available VPN product candidates, and select a suitable candidate.

• Consideration should be made of the requirement for IPSec based VPN solutions to support NAT traversal for use of the VPN with Mobile Web.

[Flow diagram: Define Hardware and Connection Method → VPN Product Selection → VPN LAN Set-up and Configuration → VPN Client Set-up and Configuration → Mobile Web Tariff Selection and Provisioning → Mobile Web Connection Set-up → Connect and Use Mobile VPN]

4.1.3 VPN – LAN set-up and configuration

• The IT manager would contract the VPN supplier or Systems Integrator to undertake any LAN set-up work required for the VPN to be used.

• Consideration should be made for configuring the VPN solution to accept a mobile connection from O2’s Mobile Web service – please discuss this with your VPN supplier or Systems Integrator if you have any questions.

4.1.4 VPN - Client install and configuration

• The IT manager would liaise with the VPN supplier or systems integrator to understand the process for client install and configuration required for the VPN to be used.

• Detailed instructions on how to configure the Microsoft PPTP VPN client on the xda are contained in Appendix D.

• Consideration should be made for the various methods of connection required, including Mobile Web from O2.

4.1.5 Mobile Web – Tariff selection and Provisioning

• Based on discussion with the O2 account manager, the IT manager should choose the most appropriate tariff option for the intended number of VPN over Mobile Web users.

• The normal process will apply for signing up to a Mobile Web subscription. The O2 account manager or O2 service provider will explain this process.

• An existing O2 SIM card can have Mobile Web provisioned on it, or a new data only SIM card can be used. All new voice connections with O2 are automatically provisioned with Mobile Web Pay-as-you-use Data.

• Customers who would like to keep their mobile phones separate from their mobile data or VPN use are recommended to use a Novatel GPRS Data Card, or xda from O2 with a stand-alone data SIM for their Mobile Web connection.

4.1.6 Mobile Web - Connection set-up

• Where required the O2 Mobile Web application can be installed following the instructions set out in the O2 Mobile Web getting started guide.

• The ‘Getting Started’ document details the set-up process and user guide for Mobile Web on a Windows Powered Laptop PC.

• The latest version of the Mobile Web Getting Started Application and User Guide can be found by visiting www.o2.co.uk/mobileweb.

• In the case of setting up Mobile Web for use with the Novatel Merlin GPRS card, the card manufacturer’s CD software should be used.

• Please note that if using a Pocket PC device such as the xda from O2, we strongly recommend the use of the Microsoft PPTP client pre-installed on the device (see Appendix D for details).

• Alternatively DUN (Dial up Networking) profiles could be configured so that a seamless integrated one click VPN connection experience could be achieved.

• Manual DUN set-up instructions can be found by visiting www.o2.co.uk/mobileweb.

4.1.7 Connect and use VPN over Mobile Web

• The VPN can be used when mobile in one of two ways, depending on whether the Mobile Web application has been installed, or DUN settings have been manually used. Please note that installation of the Novatel Merlin GPRS card software will automatically create a DUN profile.

• If the O2 Mobile Web application has been installed, the customer should first create a connection by double clicking on the O2 icon on the PC screen, then clicking ‘Connect’. Once connected to the internet over Mobile Web, the normal VPN connection process should then be followed to open up the VPN access into the LAN.

• If a DUN profile has been set up, the customer would follow the normal VPN connection process. The VPN client should be able to initiate the dial up session to Mobile Web in a single integrated process. The actual customer experience in this scenario will depend on the VPN client used.

4.1.8 Xda and Pocket PC devices

If you wish to use the xda from O2, or any other Pocket PC device, we recommend that the Microsoft PPTP client pre-installed on the xda should be used.

During test and trial activities we found that a satisfactory customer experience is not assured at all times if an IPSec based client is used on a Pocket PC device.

Due to the extremely mobile nature of Pocket PC devices, the device can often move in and out of coverage. In an IPSec based solution, the VPN sees the loss of the connection as a threat to the secure session, and it reacts by closing down the VPN session completely. A PPTP based connection will not ‘close down’ the whole VPN session; it will resume it when the Pocket PC device moves back into coverage.

We do not expressly support or recommend any IPSec based Pocket PC VPN client. We strongly recommend that you discuss Pocket PC VPN client suitability with your VPN supplier or systems integrator before proceeding.

5 Using your VPN over Mobile Web

5.1 Laptop User Guide

The latest version of the Mobile Web Getting Started Application and User Guide can be found by visiting www.o2.co.uk/mobileweb. This explains how to set up and use the Mobile Web service using the Mobile Web application.

Manual instructions for setting up DUN (Dial up Networking) connections can also be found at the URL above. The use of the VPN client on a laptop would be explained and supported by the VPN vendor or your systems integrator, as it is not a component that O2 supplies. O2 supplies the Mobile Web service and can only provide advice and support on this service.

In general terms, the user of the Mobile VPN will have the same experience as if they are using the VPN on a fixed line connection, other than the following points:

• The GPRS phone should be connected to the Laptop by Infrared, Cable (recommended) or Bluetooth, before the VPN session is initiated.

• If using a Novatel Merlin GPRS Data Card the card must be inserted before starting.

• If using the Mobile Web application as the ‘dial up’ method, a Mobile Web connection should be made before the VPN connection is attempted.

• If using DUN as the dial up method, the GPRS connection process is likely to be integrated with the VPN Client.

5.2 Tips for using less data

Mobile Web is a GPRS based service, and charges are based on the amount of data sent and received, not the time spent connected. Because of this, there are a number of steps that an IT manager may choose to take to reduce the overall amount of data transferred, and therefore the cost of the service to the business. We provide these tips for your information only. O2 does not guarantee or support the effectiveness or accuracy of these data reduction methods. However we do raise them as a guideline to improve the value you get from O2.

These methods may already be used in your LAN or VPN and may affect network traffic and overall performance. In the GPRS world however the effects are more pronounced in terms of relative service speed, and billing impact since you are only charged for the data downloaded rather than how long you spend online.

5.2.1 Use Web based Outlook

A standard feature of Microsoft Exchange is the ability to login to Outlook through a web interface. To use this, an employee would open the VPN session using Mobile Web first. This can offer a very good level of speed, as this form of access minimises the amount of data that is transmitted over the GPRS connection. Using this form of access (i.e. opening your web browser, then logging in to your Web based Outlook) will only be possible if a suitable version of Microsoft Exchange has been deployed by the company, and if the IT Manager has chosen to allow access of this type.

Access may only be available to ‘online’ folders using the Web based Outlook connection. However a person using Outlook in this way could also open offline folders by opening Outlook on the Laptop – allowing access to offline folders for reference.

5.2.2 Keep alive functionality

VPN solutions, and many LAN configurations may incorporate features that transmit data across the network periodically for a number of reasons. Such features will obviously produce traffic that will increase the total mobile data bill each month. In the majority of cases this functionality is vital to the operation of the LAN or VPN. There are however cases where the IT manager may be able to make savings by modifying and reducing the frequency of data transmission.

5.2.3 Logging into your domain at start-up

The start-up sequence used on many LANs involves downloading a large profile, or a login process to the user’s domain. This process creates a flow of data that will be billed.

The IT manager may wish to consider the options available for reducing the amount of data used during initial connection for VPN over Mobile Web users.

5.2.4 Mapped network drives

The use of mapped or shared network drives on LANs produces data traffic that will impact service speed and data consumption.

The IT manager may wish to consider the options available for reducing the amount of data used, by altering the user’s network drive characteristics. Closing the mapped paths can have a positive effect on service speed and usability.

5.2.5 Outlook configuration

The IT manager may consider reconfiguring Outlook, or any other email client, in order to reduce the flow of data over the network.

Settings affecting the amount of the message or attachment that is downloaded can be used to improve remote access service speed. For example viewing headers only, rather than automatically downloading attachments can reduce data usage dramatically.

5.3 Tips for using a Mobile VPN

5.3.1 Use in good coverage

By its nature, a VPN solution will prevent any form of interference to the flow of data in the interests of maintaining a high level of security. This is one of the positive aspects of using a VPN.

In the mobile world this can manifest itself as service disruption. If for instance the GPRS connection is temporarily unavailable (e.g. train goes through a tunnel), the VPN session may be dropped, as the VPN software perceives this to be a form of interference.

We therefore recommend that users keep this in mind when using the VPN whilst mobile.

5.4 How much data are you using?

Mobile Web is a GPRS based service, and charges are based on the amount of data sent and received, not the time spent connected.

There are a number of ways for a user to determine how much data is being used, and therefore to get an estimated view on the cost of using the service each month.

Please note these methods are not precise and should be regarded as indicative only.

5.4.1 Mobile Web Application

• The Mobile Web application includes a data counter tool that estimates the amount of data used, and the monthly bill. This will be displayed each time the application is deployed.

• A user can input their monthly bill characteristics if required by selecting ‘Options’, then ‘Advanced Mode’, ‘AOU’, and then populating the appropriate fields.

• Note that this tool will only function on PCs, with the exception of those running Microsoft Windows Workstation NT4.

5.4.2 Windows Dial Up Networking

• Windows dial up networking incorporates a feature that allows a user to view the amount of data used in the current session.

• During a dial up networking session, a user may click on the DUN connection icon (two PCs connected and flashing) in the lower right hand corner of the screen to see this information.

6 Troubleshooting and support

6.1 Care model and handoff points

O2 recognises that a Mobile VPN solution once implemented forms an extremely important part of your organisation’s LAN infrastructure. It is important for us to be clear about how O2 can help you to get started, and use the Mobile Web service to access your VPN.

The overall solution can be divided into three main parts – O2’s Mobile Web service, a VPN Client - Server architecture, and the LAN infrastructure of the organisation.

NOTE An enhanced care package is available from O2 Professional Services. See section 6.2 below for more information. Charges may apply for these services.

The expected care model would be one where first line support for the overall solution is provided in-house within the customer’s IT department:

1. A VPN over Mobile Web user experiences a service-affecting problem, and calls their internal IT support number.

2. The IT support expert diagnoses the problem, and ascertains the likely cause.

3. If a LAN fault is suspected, the IT department undertakes remedial action as normal.

4. If a VPN client or server fault is suspected, the IT department should liaise with the VPN system supplier to ascertain cause and undertake remedial action.

5. If the cause is suspected to be related to Mobile Web connectivity, the IT support team should contact their O2 service provider.

   ◦ The service provider will check that the SIM is correctly provisioned, and will then pass to the O2 Mobile Web support team.

   ◦ The Mobile Web support team will then ascertain whether Mobile Web can be used successfully independently of the VPN solution.

   ◦ If no fault is found with Mobile Web connectivity, the O2 support team will recommend that the IT desk investigate a LAN or VPN related source to resolve the problem.

VPN Infrastructure: Supported by VPN Supplier / Systems Integrator

• VPN Installation and support

• VPN Operational support

• VPN Client installation

• VPN Client configuration

• VPN Server installation

• VPN Server configuration

• All other VPN support

Mobile Web from O2: Supported by O2 Customer Care

• Mobile Web Operational support

• Mobile Web Client installation

• Mobile Web Client configuration

• All other Mobile Web support

LAN Infrastructure: Supported by IT Department

• LAN Installation and support

• LAN Operational support

• Laptop general support

• Client software installation

• Client software configuration


6.1.1 O2 Support

Mobile Web is a service that users themselves or an IT department can set up and use without any special training or support.

Where problems are encountered by a user in setting up the service, O2 will provide support to get our customers set up and connected.

Where a problem arises which affects the customer’s ability to connect to and use the Mobile Web service, O2 will actively work with the customer to resolve the problem. This will include the following:

• Advice on recommended device and operating system requirements for Mobile Web

• Set-up and device configuration for Mobile Web

• Problems encountered connecting to Mobile Web

• Any issue relating to Mobile Web Quality of Service.

6.1.2 VPN Support

VPN solution specific support cannot be provided by O2, as we are neither the vendor nor the support organisation for the VPN that you are using.

Support for the following must be sourced from your VPN solution vendor or systems integrator:

• Advice on operating system requirements for the VPN solution

• Installation, set-up, and configuration of the server elements of the VPN solution

• Installation, set-up, and configuration of the client elements of the VPN solution

• VPN problems unrelated to Mobile Web connectivity.

[Figure: support flow. Customer experiences Mobile VPN problem and calls IT desk; IT desk diagnoses cause (LAN, VPN, or Mobile Web); LAN problem: IT department remedies as usual; VPN problem: VPN support supplier remedies; O2 Mobile Web connectivity: supported by O2; customer problem resolved.]

6.1.3 LAN Support

LAN specific support cannot be provided by O2, as we are neither the vendor nor the support organisation for the LAN solution that you are using.

Whilst we offer certain recommendations based on our pre-launch market research, we cannot provide further support in the following areas:

• Configuration and support of LAN settings and user profiles

• Set-up and tuning of client software such as Microsoft Outlook or Internet Explorer

• LAN problems unrelated to Mobile Web connectivity.

6.2 O2 Professional Services

In addition to the standard care model outlined above, O2 offers an enhanced care package to assist in the integration of a mobile solution into your workplace. Charges may apply for these services.

You define the need, we’ll develop the solution

We offer an industry-leading portfolio of innovative professional services and support solutions built upon years of proven expertise in the wireless marketplace. So whether you need expert advice or a uniquely tailored solution, we can help you develop, integrate, manage and optimise your communications network.

Technology. People. Vision

By understanding, anticipating and responding to your needs at every stage, we can ensure end-to-end integration including network, applications and resources. In short, the Professional Services team from O2 can give you a competitive edge by providing a solution that reflects your business and ensures that you stay ahead of your competition.

Insight and Innovation

Over the service life of your network, we can work with you to optimise the performance of both your technology and your business. Drawing upon our knowledge base, we can ensure that your business benefits from the latest technology and thinking to make the most of every possibility.

Delivering promise

Through a blend of technical, commercial and project management experience, we can provide that vital link to ensure that all parts of your organisation, however disparate, remain seamlessly connected. No hype, just tangible, measurable results that meet the challenge of modern business communications.

Everyone’s needs are different. If you would like to talk to the Professional Services team, please contact:

Phone 0800 587 5580


6.3 Troubleshooting

Before you can access the Mobile Web service from your laptop, you will need a subscription.

Have you got the right devices?

• Mobile Web is not accessible from all phones and laptop PCs. Note: Macintosh laptops are not supported. To check whether you have a suitable phone and laptop PC, visit www.o2.co.uk/mobileweb.

How do you want to connect?

• Each Microsoft Windows operating system provides different levels of connectivity support. Check Appendix B to make sure that your operating system will allow connection in the way you require.

• Check you have chosen the correct default modem from the ‘Options’ menu in the O2 Mobile Web application.

Do you use a PDA or Blackberry with your laptop?

• Your PDA ‘sync’ application can conflict with Mobile Web. You can read more about this in the section ‘PDA, Blackberry and other devices using COM1’ on page 35 of the Mobile Web getting started guide.

Can’t find the O2 Mobile Web application on your laptop?

• The application can be opened by double clicking on the O2 Mobile Web icon. Alternatively, go to start, programs, O2 Mobile Web.

Trouble using Mobile Web with infrared?

• Not all operating systems support infrared connection. To check whether yours does, see Appendix B.

• Make sure that your mobile phone’s infrared port is activated (see pages 37 – 40 of the getting started guide), and that it is aligned with the infrared port on your laptop.


7 References

[1] PHIFER, L. “The Trouble with NAT”, The Internet Protocol Journal, Volume 3, Number 4, December 2000, Cisco Systems.

[2] AYDIN, H., “NAT Traversal: Peace Agreement between NAT and IPSec”, August 12, 2001, SANS Institute, http://rr.sans.org/encryption/NAT2.php.


8 Appendices

8.1 Appendix A – Mobile Web Service Summary

This section outlines the core features of the Mobile Web service, in order to provide an understanding of how the service works.

Please note that some of the features of Mobile Web, such as web optimisation, will be bypassed by using a VPN solution. This is an unavoidable scenario, as the VPN solution by definition creates a secure tunnel that cannot be manipulated in any way, and therefore cannot be optimised using the Mobile Web application. It is important to be aware that in many cases the features outlined below will only be utilised when Mobile Web is used for direct connection to the Internet, without the VPN solution being used.

8.1.1 Key Benefits of Mobile Web

Manage your email on the move - now not later

• Make productive use of ‘in-transit’ time - no need to wait until you’re in the office to clear your web-based emails

• Improve your level of customer service by emailing the document requested during your meeting, over the web

Business information I need, wherever and whenever I need it

• Read up on your client en route to their office and impress with up to the minute knowledge on their latest public announcement.

• Check stock status and place orders with your suppliers whilst on the move

Get mobile using your existing kit

• Use your PDAs or laptops to link to the Mobile Web with a GPRS handset, and many other device options

8.1.2 Mobile Web Core Features

The key features of Mobile Web:

• Access to HTTP and HTTPS web pages over the O2 UK GPRS or GSM network

• Access over a GPRS or GSM roaming partner of O2 UK

• Optimisation of HTTP web traffic to increase speed and reduce data transferred over GPRS or GSM

• Support of internet email protocols POP3, IMAP4, SMTP, MAPI

• Support for TCP based streaming

• Support for Instant messaging protocols

• Support for Cisco and Nortel IPSec based VPN solutions outlined in 4.1 below


A VPN solution will form a secure ‘tunnel’ between the VPN client and the VPN server in the corporate premises; therefore the Mobile Web optimisation functionality described above is bypassed. The access feature set then becomes defined by the corporate firewall configuration. The tunnel is effectively a data pipe, and cannot be interfered with. If it is interfered with, the VPN solution will terminate the connection.

8.1.3 Devices

Mobile Web can be used with a variety of devices. The key combinations are as follows:

• ‘All in one’ PDA such as the xda exclusively from O2

• Handheld PC/PDA with a GPRS handset

• Laptop PC with a GPRS handset

• Laptop PC with a GPRS Data card

A current matrix of the fully tested and recommended combinations of the above devices may be found in Appendix B, or at www.o2.co.uk/mobileweb. Devices other than those recommended may compromise the performance of the Mobile Web service, or not function at all. In addition, we note in the device matrix which devices we recommend for use with VPNs. Currently, for example, the xda and other Pocket PC devices are not recommended for use with IPSec based VPN access.

VPN clients may require a specific Laptop or PDA operating system. O2 does not make any claim concerning which VPN clients will correctly function on each Laptop or PDA operating system. We advise our customers to seek this information directly from their VPN supplier or support company.

8.1.4 Getting Started Application

Mobile Web customers may use the O2 Getting Started application to prepare any of the following devices for use with the service. Manual configuration of the service settings is not recommended unless required for Dial up Networking.

• Pocket PC2000

• Pocket PC2002

• Palm O/S 4.0

• Microsoft Windows 95 (OSR2), 98, 98SE, Millennium, NT4 (SP 4 and higher), 2000 and XP.

The CD will install an application ‘O2 Mobile Web’ on the Laptop or PDA. The application once installed provides the user with a simple interface to make a connection to Mobile Web. A desktop icon is automatically installed on a Laptop, and in all cases the ‘O2 Mobile Web’ application will be installed in the ‘programs’ folder. After the connection is made the default web browser will be opened, and the www.o2.co.uk homepage will be opened.

The Mobile Web Getting Started application also includes an email wizard, which facilitates the process of setting up a POP3 email service in the default email client. A selection of UK email service providers has been included in the Wizard. The Wizard operates with the following operating systems or applications:

• Pocket PC2000

• Outlook or Outlook Express

For the GPRS card from Novatel, available from O2, the Novatel supplied Merlin card set up software should be used instead of the Mobile Web Getting Started application. Separate instructions for setting up the card to use Mobile Web are then available in the laptop Getting Started user guide.


The Mobile Web Getting Started application and getting started user guides are available either by visiting www.o2.co.uk/mobileweb or as a pack at no charge from your O2 Service Provider.

8.1.5 Service Settings

The service settings are installed as part of the Mobile Web application install.

GPRS access settings

APN: mobile.o2.co.uk
DNS: 193.113.200.200, 193.113.200.201
Username: username
Password: password
Homepage: www.o2.co.uk for PCs, pda.o2.co.uk for handheld PC/PDAs

GSM access settings

Dial number: +447712932932
DNS: 193.113.200.200, 193.113.200.201
Username: username
Password: password
Homepage: www.o2.co.uk for PCs, pda.o2.co.uk for handheld PC/PDAs

8.1.6 Resilience

The Mobile Web service is fully resilient. No single component failure should cause service disruption.

8.1.7 Supported Protocols & Ports

Mobile Web handles different traffic in different ways, as outlined in the tables below. Whilst this form of routing is applied based on the ports defined, it is important to note that this only applies where Mobile Web is used as a form of direct Internet connectivity – not when used as a method of accessing a VPN.

Using a VPN solution over Mobile Web will establish a secure tunnel through which all traffic may flow, subject to the configuration of the customer’s firewall.

All TCP and UDP ports are open on the Mobile Web firewall. The Mobile Web service does not restrict the flow of traffic on any port.

8.1.7.1 Traffic which goes through Netcache and BlueKite optimisation

| Application | Protocol | Port | Notes |
|---|---|---|---|
| | HTTP | 8080 | |

8.1.7.2 Traffic which is proxied through Netcache

| Application | Protocol | Port | Notes |
|---|---|---|---|
| Secure web browsing | HTTPS / SSL | 443 | This traffic is not cached. |
| File Transfer | FTP | 21 | |

8.1.7.3 Traffic which goes through Port Address Translation only

| Application | Protocol | Port | Notes |
|---|---|---|---|
| E-mail | SMTP | 25 | |
| | POP3 | 110 | |
| | Secure POP3 | 995 | |
| | IMAP4 | 143 | |
| | Secure IMAP4 | 993 | |
| Instant Messaging | MSN Messenger | 1863 | NB. Voice connections and file transfer will not function. |
| | Yahoo Messenger | 1863 | NB. Voice connections and file transfer will not function. |
| | ICQ | 5050 | |
| | AOL Instant Messenger | 5190 | |
| Streaming | Windows Media Streaming (TCP) | 1755 | |
| | RealPlayer Streaming, RTSP: RFC2326 (TCP), RTP: RFC1889 (TCP) | 7070, 554 | |
| | QuickTime Streaming (uses RTSP/RTP protocol) (TCP) | 554 | |
| Other Ports | LDAP Directory Servers | 389 | |
| | NNTP News Servers | 119 | |
| All Other Ports | All TCP and UDP ports have been opened. | ALL | All TCP and UDP ports were opened on the Mobile Web service on July 29th 2002. |


8.2 Appendix B – Mobile Web devices Matrix

Microsoft Windows 95 OSR2 | Microsoft Windows 98 | Microsoft Windows 98 SE | Microsoft Windows Millennium | Microsoft Windows 2000 | Microsoft Windows Workstation NT4 | Microsoft Windows XP | Pocket PC 2000 | Pocket PC 2002

* Ericsson T39 software versions - R3B006
Infra Red: - Yes Yes Yes Yes - - Yes Yes
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -
Bluetooth: OS support depending on the Bluetooth device/equipment used. No known issues - Yes

* Ericsson T65 software versions - R2B
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -

* Ericsson T68 software versions - R2B013
Infra Red: - Yes Yes Yes Yes - - Yes Yes
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -
Bluetooth: OS support depending on the Bluetooth device/equipment used. No known issues -

* Ericsson R520 software version - R2K
Infra Red: - Yes Yes Yes - - Yes Yes
Serial Cable: Yes Yes - Yes Yes Yes Yes - -
Bluetooth: OS support depending on the Bluetooth device/equipment used. May not work with early versions of R520m -

* SonyEricsson T68i software version - R2B025
Infra Red: - Yes Yes Yes Yes - Yes Yes Yes
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -
Bluetooth: OS support depending on the Bluetooth device/equipment used. Phone is slow in operation. - Yes

Motorola v60
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -
USB3: - - Yes Yes - Yes - -

Motorola v66
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -
USB3: - - Yes Yes - Yes - -

Motorola T260
Infra Red: - Yes Yes Yes - - - -
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -

Motorola T280
Infra Red: - Yes Yes Yes - - - -
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -
USB3: - - Yes Yes - Yes - -

* Nokia 8310 software version - 4.53
Infra Red: - Yes Yes Yes - - Yes Yes

* Nokia 6310 software version - 4.20
Infra Red: - Yes Yes Yes - - Yes Yes
Serial Cable: Yes Yes Yes Yes Yes Yes - -
Bluetooth: OS support depending on the Bluetooth device used. Bluetooth bonding on 6310 is a poor experience and not recommended. - Yes

* Nokia 6310i software version – 4.80
Infra Red: - Yes Yes Yes Yes - Yes Yes Yes
Serial Cable: Yes Yes Yes Yes Yes Yes - -
Bluetooth: OS support depending on the Bluetooth device used. Experience better than 6310 for bonding. Yes

* Nokia 6510 software version - 4.00
Infra Red: - Yes Yes Yes - - Yes Yes

Siemens S45
Infra Red: - Yes Yes Yes Yes - Yes Yes
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -

Siemens ME45
Infra Red: - Yes Yes Yes Yes - Yes Yes
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -

Siemens M50 software version - 09
Serial Cable: Yes Yes Yes Yes Yes Yes Yes - -

O2 xda
Internal modem: - - - Yes

Trium Mondo
Internal modem: - - - Yes -

Novatel Merlin
PC Card modem: - Yes Yes Yes Yes - Yes - -

N.B. Nokia and Ericsson handset users should check they have the correct software version on their handset first.

ERICSSON. Press the right arrow key once, star key once, left arrow key twice, star key once, left arrow key once, star key once. Press yes 3 times. For software upgrades ring the Sony Ericsson hotline for the nearest Service Centre on: 08705 237237


Key:

You can use the O2 software available on CD-ROM (version 2.1), or download from www.o2.co.uk/mobileweb

You must use the latest version of software - download from www.o2.co.uk/mobileweb.

Alternatively for Laptop PCs click 'check for updates' under the 'options' menu of the CD software once you have installed it.

O2 only recommends the use of Pocket PC based handheld devices for use with a Microsoft PPTP based VPN service, as we have seen difficulties in both set up and use of IPSec based solutions on Pocket PC devices during our test and trial activities.


8.3 Appendix C – Glossary of terms

ADSL Asynchronous Digital Subscriber Line

ESP Encryption Security Protocol

GPRS General Packet Radio Service

IETF Internet Engineering Task Force

IKE Internet Key Exchange

IPSec IP Security protocols

IP Internet Protocol

ISP Internet Service Provider

ISDN Integrated Service Digital Network

IT Information Technology

NAT Network Address Translation

NAPT Network Address Port Translation

PPTP Point to Point Transfer Protocol

PSTN Public Switched Telephone Network

TCP Transfer Control Protocol

UDP User Datagram Protocol


8.4 Appendix D – Further xda Information

8.4.1 How to set up the Microsoft PPTP VPN client on xda

• You must have a Mobile Web subscription

• Ensure PPTP account is set up on your VPN Gateway

• Go to the Connection Settings screen (e.g. Start - Settings - Connections Tab - Connections icon)

• In the "middle pull down box" (which by default says Work Settings) select ‘New’ and enter an appropriate name (‘VPN’ is the name used in this example)

• Ensure the new profile just created (e.g. ‘VPN’) is shown in the "middle pull down box" and select ‘Modify’

• Select ‘VPN’ Tab and select ‘New’.

• Enter a name for the connection (e.g. ‘PPTP’ in this example) and the IP address of the PPTP server – you may be using a Win 2K server as the PPTP server element.

• Tap ‘Advanced’

• On the TCP/IP tab ensure "Use server assigned IP address" is selected.

• Untick "Use software compression" and "Use IP header compression"

• On Name Servers Tab ensure "Use server assigned addresses" is selected.

• Select OK. OK.

• Ensure the "top pull down box" says Internet Settings and select Modify.

• Ensure the GPRS profile you want to be dialled is set so that it will be dialled (hold the pen down over the profile you want to be the default and select "Always Dial"). Select OK.

8.4.2 Manual Connect Method 1

• Go to the Connection Settings screen (e.g. Start - Settings - Connections Tab - Connections icon)

• Ensure "middle pull down box" has VPN profile name in it (e.g. ‘VPN’ in this instance) and select ‘Connect’.

• The GPRS profile that is set to "Always Dial" in the "top pull down box" (e.g. Internet Settings) will be dialled and you will be prompted for a user name and password. At this point you need to enter your VPN user name and password, e.g. as per your profile on the Windows 2K server.

8.4.3 Manual Connect Method 2

• Go to the Connection Settings screen (e.g. Start - Settings - Connections Tab - Connections icon)

• Connect to Mobile Web service by tapping ‘Connect’ below the “top pull down box” (or use web browser, or tap ‘Start’, ‘Programs’, ‘GPRS Connection’, ‘O2 Mobile Web’).

• Ensure "middle pull down box" has VPN profile name in it (e.g. VPN in this instance) and select Connect.

• You should now get connected into the network via Microsoft's PPTP protocol.

8.4.4 How to upgrade your xda to the latest software version
