Table of Contents
Welcome ... iii
Guide Overview ... iii
System Requirements ... iv
Distribution... iv
Installation Checklist ... iv
AT&T Global Network Client and MSI... 1
Install... 1
Uninstall ... 1
AT&T Global Network Client... 2
Default Software Update Process ... 2
First Connection after Initial Install Updates... 2
Automated Check for Updates ... 3
Manual Check for Updates... 3
Servers and Directories... 4
Customizing the AT&T Global Network Client ... 6
Customization Option One ... 6
Customization Option Two ... 8
AT&T Global Network Firewall ... 9
Overview ... 9
AT&T Global Network Firewall Function ... 11
Operational Modes ... 11
Detail Explanation of AT&T Global Network Firewall ... 13
Stateful Inspection ... 14
Benefits of Kernel Level Implementation ... 14
Behavior When IPSec VPN is Not Active... 14
Trusted LAN Customization ... 15
Sharing Local Resources ... 16
Exceptions to the Static Deny All Unsolicited Policy ... 17
Centralized Administration... 17
Functionality... 17
Application Compatibility ... 18
Firewall Conflicts ... 18
NAT/Firewall Traversal ... 20
Configuring UDP Encapsulation ... 21
Extended Access ... 23
AT&T Business Internet Service (BIS)... 23
Internet Extended Access Authentication Options ... 23
AT&T VPN Tunneling Services (AVTS) ... 24
Managed VPN Extended Access Authentication Process ... 24
Custom Settings ... 26
Service Manager... 26
Configuration Server ... 29
Document Revision History ... 30
Glossary of Terms ... 31
Preface
Welcome
This guide will help you understand some of the advanced features of the AT&T Global Network Client. The AT&T Global Network Client is a program that enables your Windows computer to easily connect to your company’s private network and/or the Internet over dial and broadband connections. The AT&T Global Network Client provides a consistent, easy-to-use interface to access the network from all over the world. The simple installation and setup procedures provide quick access to the network. Advanced features provide convenient, time-saving options for even the most demanding traveling users. This document is intended for IT professionals who are deploying the AT&T Global Network Client to their employees, or who wish to gain a better understanding of the administration of AT&T’s remote access service.
Guide Overview
The remainder of this chapter includes System Requirements, Distribution and Installation Checklist. Those sections cover prerequisites to review before installing the AT&T Global Network Client.
This guide explains:
AT&T Global Network Client and MSI
Customizing the AT&T Global Network Client
AT&T Global Network Firewall
Extended Access
Custom Settings (Service Manager and Configuration Server)
This administrator’s guide is provided to you on an "as is" basis and AT&T shall have no liability for any errors or inaccuracies herein. This administrator’s guide is subject to change without notice and you should consult your customer help desk or AT&T representative with specific questions.
System Requirements
The AT&T Global Network Client and its components are supported on the following operating systems and hardware:
Operating Systems
Windows 95 (With DUN 1.3)
Windows 98
Windows 98 SE
Windows Me
Windows NT 4.0 (SP 3 or later)
Windows 2000 Professional
Windows XP
Minimum System Requirements
Pentium (or compatible) 133 MHz
32 MB RAM
5 MB free disk space (AT&T Global Network Client)
12 MB free disk space (optional components)
9600 modem that is recognized and configured by Windows
Note: For NT environments like Windows NT, Windows 2000, and Windows XP, administrator rights are required to install software.
Distribution
The AT&T Global Network Client can be downloaded from:
For AT&T VPN IPSEC services:
ftp://ftp.attglobal.net/pub/client/win32/nvsetup.exe
For all other services:
ftp://ftp.attglobal.net/pub/client/win32/ncsetup.exe
If you were given a customized version of the AT&T Global Network Client you should use only that version. Do not manually download one of the versions listed above.
The AT&T Global Network Client can be distributed on CD-ROM through coordination with your account administrator.
Installation Checklist
Before starting the AT&T Global Network Client installation and setup, complete the following checklist. If you are missing any information, please contact your account administrator.
Password
Admin rights to install or upgrade on Windows NT, 2000 and XP
Verify Windows Dial-Up Networking is installed (Version 1.3 or later).
Verify Windows TCP/IP is installed.
Your Windows install media (CD or installed CAB files) may be required.
A modem and phone line is required for dial users
-or-
Chapter 1
AT&T Global Network Client and MSI
Microsoft Installer (MSI) utility packages can be installed locally and remotely. When installing locally the user must have Administrator rights or the installation will fail. A remote installation will likely be done using Active Directory Group Policy or SMS. The AT&T Global Network Client software must be installed per computer. The software is not designed for per user installation. Please consult the “Windows Installer: Benefits and Implementation for System Administrators” guide at http://www.microsoft.com/windows2000/techinfo/administration/management/wininstaller.asp for more information regarding Windows Installer.
Install
After the System Administrator publishes the package on the server for download to users, the AT&T Global Network Client, Driver, and Gina will install silently when the user is booting up the computer.
The AT&T Global Network Client will show up under Programs. The Administrator will need to advise the users that the software has been installed on their computer. The user will then need to open the Client and continue with setup as described in the AT&T Global Network Client User’s Guide found at
http://help.attbusiness.net/index.cfm?§ID=500.
Uninstall
Chapter 2
AT&T Global Network Client
Detailed information regarding the installation and use of the AT&T Global Network Client can be found in the AT&T Global Network Client User’s Guide at
http://help.attbusiness.net/index.cfm?§ID=500.
Default Software Update Process
The AT&T Global Network Client checks for software updates in three different situations: the first connection after the initial install, the automated check, and the manual check. The following components are checked each time:
Phone List
AT&T Global Network Client
AT&T Global Network Firewall aka IPSec/Firewall Drivers (if Firewall is installed)
AT&T Global Network Location Database
AT&T Global Network Client Net Logon Extension (download checkbox only displayed if Net Logon Extension is installed)
First Connection after Initial Install Updates
The AT&T Global Network Client will automatically check for newer versions of the downloadable components during the first successful connection after the initial install.
The default process for initial install:
If the phone list on the server is newer than the Client installed phone list, the newer phone list will automatically download without prompting the user.
If the Client on the server is newer than the Client installed, the user will be prompted to install the newer Client, and if the currently installed Client includes the IPSec/Firewall drivers the Client and drivers will be installed.
If the Net Location Database is installed and the one on the server is newer, the user will be prompted to install the newer Net Location Database.
Network Domain Logon Guide at
http://help.attbusiness.net/index.cfm?§ID=500.)
Automated Check for Updates
The AT&T Global Network Client is programmed to automatically check for software updates every 30 days by default. The exception to this is the Net Location Database, which automatically checks for updates every 90 days. The Client performs the first check 30 days after the install date; the interval is determined by comparing the install date with the system date.
The default process for automated checks:
If the phone list on the server is newer than the Client installed phone list, the newer phone list will automatically download without prompting the user.
If the Client on the server is newer than the Client installed, the user will be prompted to install the newer Client, and if the currently installed Client includes the IPSec/Firewall drivers the Client and drivers will be installed.
If the Net Location Database is installed and the one on the server is newer, the user will be prompted to install the newer Net Location Database.
If the AT&T Global Network Client with Classic or Hook Mode Net Logon Extension is installed and the one on the server is newer, the user will be prompted to install the newer Net Logon Extension. (For more information on the AT&T Global Network Client Logon Extension, see the AT&T Global Network Domain Logon Guide at
http://help.attbusiness.net/index.cfm?§ID=500.)
Manual Check for Updates
New releases of each of the components of AT&T Global Network Client can be downloaded through the Check for Updates dialog box as shown in Figure 1. Users can access this window by clicking on the arrow in the upper left-hand of the logon window, and then clicking on “Check for Updates.” An AT&T network server is queried for the most recent version of each component, which is compared against the version of each component currently installed. By default, this function will run automatically every 30 days. The AT&T Global Network Logon Extension will only display in ‘Check for Updates’ if the component is installed.
Figure 1: Check for Updates Window
Servers and Directories
The FTP server used to download Client components is located on the Internet. The IP address is 165.87.194.246 (ftp://ftp.attglobal.net).
The directory paths and file names for each component follows:
Phone List Files
pub/dialtone/phonexn1.ph1
pub/dialtone/phonescp.ph7
pub/dialtone/phonelst.ver
Net Location Database
pub/dialtone/phonelcz.ph5
Client Files
pub/client/win32/ (filename included in the ‘ncversion.ini’)
IPSec/Firewall Drivers
pub/client/win32/ (filename included in the ‘ncversion.ini’)
AT&T Global Network Client with Classic or Hook Mode Net Logon Extension
pub/client/win32/ (filename included in the ‘ncversion.ini’)
Software Download ver File
Pub/client/win32/ncversion.ini
If the AT&T Global Network IPSec/Firewall drivers are being used there is no reason to update the Client files as the IPSec/Firewall drivers contain the current Client within the executable.
Software updates are stored in the following directories on Windows® 2000 and Windows® XP:
Phone List Files
phonexn1.ph1 is renamed to phonelst.ph1
phonescp.ph7
(both files are located in a hidden directory under the Local Settings of the logged-on user context, e.g. “C:\Documents and Settings\RREY\Local Settings\Application Data\AGNS\C~,PROGRA~1,AT&TGL~1,\Data”)
Net Location Database
pub/dialtone/phonelcz.ph5 (the file is located in the same place as the Phone List Files above)
Client Files
The file specified by the ‘ncversion.ini’ criteria is downloaded to the install directory and renamed to ‘ncsetup.exe’. It is then run from the Client install directory.
IPSec/Firewall Drivers
The file specified by the ‘ncversion.ini’ criteria is downloaded to the install directory and renamed to ‘nvsetup.exe’. It is then run from the Client install directory.
AT&T Global Network Client with Classic or Hook Mode Net Logon Extension
Chapter 3
Customizing the AT&T Global Network Client
There are two options to customize the AT&T Global Network Client; option one is to use FastPath codes and option two is a customized Client by AT&T.
Customization Option One
This option of using FastPath code is a feature of the Client that allows certain characteristics to be customized very easily. By customizing the Client, customers optimize and simplify their user's experience.
The user simply runs the standard install program, enters the FastPath code on the first window, and the install and Client programs are automatically customized.
FastPath codes are generated by AT&T. System Administrators should contact their AT&T representative with the request.
FastPath codes can control the following features:
"Save password" can be checked and/or hidden.
"Traveling user" can be checked and/or hidden.
"Use existing connection" can be checked and/or hidden.
"Logon to network" can be checked and/or hidden.
The Protocol setup window can be hidden.
An Internet registration offer code can be configured.
The Location Database component can be automatically installed.
The Firewall component can be automatically installed.
The Component page of install can be hidden.
The Program Group page of install can be hidden.
The setup windows can be configured to connect with customer-direct authentication.
Customization Option Two
The second option is to have AT&T create a customized client that all your users would use. This option is a billable option and must be done by an experienced AT&T custom developer. Here are some reasons why using a customized client (option 2) can be better than a standard install.
Branding
Change titles, icon, and graphics.
Customize text on panels.
Additional security
Remove saved password check box.
Hide IP addresses such as your DNS and WINS.
Reduce help desk calls and increase ease of use
Reduce the number of panels your users will see during install and setup.
Pre-select settings so users will not select incorrect information.
Locking down settings reduces the chance of users making changes causing the client not to connect.
Silent uninstalls of older versions of AT&T Dialer.
Administrative Control
Control what versions your users upgrade to by using a custom FTP site.
Pre-install some of the client’s optional components.
Customized helpdesk numbers.
Display custom messages to your users during install.
It is important to know that the AT&T Global Network Client was engineered so that software updates will not affect your customized version of the client but will still allow you to benefit from getting updates.
Chapter 4
AT&T Global Network Firewall
The AT&T Global Network Firewall is an optional component and is not intended for all services. This component is intended for all AT&T Managed Tunneling Services using the Integrated AT&T Global Network Firewall of the AT&T Global Network Client. The Firewall:
Blocks unsolicited non-tunnel IP traffic (does not block other protocols)
Provides stateful inspection of all non-tunnel IP traffic
Allows both solicited and unsolicited VPN traffic. VPN traffic can be limited through an Access Control List of pre-defined network addresses.
Silently discards all unsolicited IP traffic
Overview
The AT&T Global Network Firewall component serves two purposes; it protects a computer as a network firewall and provides secure VPN connectivity. Therefore, the AT&T Global Network Firewall component is a requirement for all AT&T Managed Tunneling Services using the integrated AT&T Global Network Firewall of the AT&T Global Network Client. The AT&T Global Network Firewall is implemented through a Microsoft Windows Network Device Interface Specification (NDIS) Intermediate Device Driver on your computer. Using NDIS, the AT&T Global Network Firewall becomes a part of your operating system and has the ability to monitor any potentially malicious TCP/IP network traffic that is flowing into your computer. The firewall functions are performed as part of that monitoring process.
Figure 3: IPSec Intermediate Device Driver VNIC Architecture (diagram; the network configuration it shows is summarized below)
Virtual Adapter Network Configuration: IP Address: Secure VPN Address; DNS Address: VPN DNS Address; WINS Address: VPN WINS Address
Existing NIC Network Configuration: IP Address: Internet Address; DNS Address: Internet Address; WINS Address: Internet Address
Existing NIC Network Configuration: IP Address: Internet Address (forcing the AT&T Intermediate Device Driver to perform NAT using the Secure VPN address); DNS Address: VPN DNS Address; WINS Address: VPN WINS Address
AT&T Global Network Firewall Function
Having the AT&T Global Network Firewall component installed and active helps protect your computer from potentially malicious attacks attempted by other users of a shared public infrastructure. If enabled, the Firewall is active whenever your computer is powered on. This is a meaningful security feature to help reduce exposure for always-active broadband connections and it is recommended that broadband users keep the AT&T Global Network Firewall active at all times.
Every IP packet received by the remote client machine is monitored and verified by the AT&T Global Network Firewall to determine if it is a potential threat. If the packet received is determined to be unsolicited by the client machine, it is silently discarded. The AT&T Global Network Firewall does not perform any user notification of unsolicited traffic. If your computer did not request, negotiate, or grant permission for a connection with another machine, the traffic is silently rejected. By protecting your remote workstation from potentially malicious attacks, the AT&T Global Network Firewall also bolsters the security of your company’s secure network by insulating against potential attacks attempted through your computer. It will also inspect the traffic to ensure that port and SYNC status are correct, thereby thwarting attempts to use existing or recently expired session information for an attack. This blocks attacks from the Internet very effectively.
The only traffic that does not get checked by the firewall is the traffic that passes through an established VPN tunnel to resources defined by the Service Manager Access Control List. If all traffic is configured to pass through the tunnel, then any data not destined to a host contained in the Access Control List is discarded. If Dual Access is enabled, then all traffic that falls within the Access Control List is sent down the tunnel. Any traffic destined to a host not included in the Access Control List is sent out to the Internet. The firewall keeps track of these packets not destined down the tunnel and ensures that only proper responses to these requests are allowed.
Operational Modes
The firewall can operate in one of four modes:
1. Default – The default firewall configuration sets the firewall enabled at all times, on all adapters.
System Administrators have the ability to make basic changes to the default configuration via Service Manager:
Set firewall always enabled (Y) and set user control to N. The firewall is always enabled. The radio buttons on the AT&T Global Network Firewall Configuration Window (see figure 3) are grayed out so the user cannot access them.
Set firewall always enabled (Y) and set user control to Y. The firewall is always enabled. The user can access the radio buttons on the AT&T Global Network Firewall Configuration Window (see figure 3) to turn the firewall off, but the setting in SM (enabled) takes precedence over the user’s selection.
2. VPN Only – This mode disables the firewall when a VPN tunnel is not established.
manage PCs on customer LANs (Tivoli, SMS, etc.) since the firewall would incapacitate such software.
When installed, the Firewall shows up both as a program and as a network adaptor. The state of the Firewall should only be selected using the AT&T Global Network Firewall application, not via the Windows Network Control Panel.* To disable the Firewall, click the box next to each LAN adapter so that a check no longer appears in the box. The Firewall will automatically become active on all interfaces when the user initiates an IPSec tunnel, regardless of the settings manually selected. The Firewall will return to the manual settings after the user disconnects from their IPSec tunnel. The user needs to be aware that disabling the AT&T Global Network Firewall through the Firewall application will disable the firewall protection whenever the user has not established an IPSec tunnel, including those times when the user initiates an Internet-only connection using the Client. A device that is used for Internet browsing (no tunnel established) is not protected by the Firewall if the adaptor in use is not checked. This is particularly important for broadband users.
* Altering the configuration of the Firewall via the Network Control Panel will cause unpredictable results.
3. Trusted LAN – This option allows the customer to provide a list of IP subnets that the customer dispenses IP addresses from via their DHCP servers. The firewall checks every time a new DHCP address is assigned to the PC. If the IP address falls within the configured trusted subnet then the firewall is disabled. If the IP address does not fall within the trusted subnet the firewall is enabled. Regardless of the assigned IP address, if a VPN session is established the firewall is enabled on all interfaces. Currently this feature is only available via a custom kit. Once the trusted subnets have been established in the kit and the kit is deployed, there is no method available to dynamically update them.
Customers who are concerned about the effectiveness of the Firewall can install a secondary firewall that will function in addition to the AT&T Global Network Firewall. They may or may not see non-tunnel activity in their secondary firewall depending on the design of the third party firewall. In some instances the AT&T Firewall will have already discarded malicious traffic, and in other instances the third party will discard it first. The secondary firewall can, however, be used to inspect traffic received through the tunnel.
If you add a new network interface (i.e. a new Ethernet Network Interface Card) after the AT&T Global Network Firewall is installed, the AT&T Global Network Firewall will recognize the additional interface and automatically bind to it. This allows the AT&T Global Network Firewall to begin monitoring traffic sent across the new interface in addition to the existing interfaces.
4. Firewall Off Through Service Manager – In Service Manager the System Administrator has the option of setting the firewall where it is always turned off. Set the firewall always disabled (N) and set user control to N. The firewall is always disabled. If the user selects the AT&T Firewall configuration window (see figure 3), the user will receive a message stating “Your network
Detail Explanation of AT&T Global Network Firewall
Every IP packet that is received by the client machine is verified by the AT&T Global Network Firewall to determine if it is a potential threat. If the AT&T Global Network Firewall recognizes a packet as unsolicited by the client machine, it is silently discarded. An algorithm using a rolling list of recently contacted remote hosts determines a packet's solicitation status. Therefore, if the client did not request or negotiate communication with another machine, the communication is rejected. By protecting the client from malicious attacks the AT&T Global Network Firewall feature also bolsters the security of the customer's secure network by insulating against attacks attempted through the client machine.
Example:
The client has IP address of 10.1.2.2 and telnets to an Internet IP address of 5.6.7.8. The AT&T Global Network Firewall would save the following information to the rolling list:
Source IP    Destination IP    Source Port    Destination Port    Protocol
10.1.2.2     5.6.7.8           1005           23 (telnet)         TCP
Note that the destination port is specific to the Telnet protocol, and the source port was determined as an available port by the Telnet protocol during session initialization. When the Telnet session is acknowledged by the remote host, an inbound packet would be presented to the client machine and evaluated by the AT&T Global Network Firewall:
Source IP    Destination IP    Source Port    Destination Port    Protocol    Data
5.6.7.8      10.1.2.2          23             1005                TCP         XXXX
The AT&T Global Network Firewall will receive the inbound packet, swap the source and destination ports, and verify the packet against the existing communications in the security list. In this instance, because the inbound packet matches an entry in the rolling security list, the inbound packet is allowed transport into the client machine. If a user on the machine hosting the Telnet session attempted to attack the remote client by initiating a secondary Telnet session back to the client, an inbound packet from the attacker would be presented to the client machine and evaluated as:
Source IP    Destination IP    Source Port    Destination Port    Protocol    Data
5.6.7.8      10.1.2.2          1005           23                  TCP         XXXX
Stateful Inspection
When negotiating communication across the Internet, the IP traffic negotiates several port states to identify the current state of communication. For example, when the above telnet session had completed, a packet would be sent identifying the ports (23 & 1005) between those two hosts as closed. These port state messages are recognized and monitored by the AT&T Global Network Firewall, so that when an active session has expired, the session is automatically removed from the rolling list to limit exposure to malicious attacks.
Example:
If a user on the machine hosting the Telnet session above attempted to attack the remote client by initiating a new Telnet session on the open Telnet port (1005), an inbound packet from the attacker would be presented to the client machine and evaluated as:
Source IP    Destination IP    Source Port    Destination Port    Protocol    Data
5.6.7.8      10.1.2.2          23             1005                TCP         XXXX
The packet would be checked against the security list. The new session would attempt to SYNC the session. Because the session was already in progress, the port would no longer be in the initial SYNC state, so the packet is silently discarded. Again, the protected client machine will not respond to the communication.
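The rolling-list behaviour described in the Detail Explanation and Stateful Inspection sections above, as an added illustration (editor's model, not AT&T code): the session-state names, the list size bound and the SYN/FIN handling are assumptions about how such a filter behaves, and the packets replay the guide's own Telnet example.

```python
"""Toy model of a deny-all-unsolicited filter keyed on a rolling list of
recently contacted remote hosts. Illustration only; not the AT&T driver."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "TCP"
    syn: bool = False   # initial SYN (or the SYN/ACK answering it)
    fin: bool = False   # session close


class RollingListFirewall:
    """Inbound traffic is admitted only when it answers a session the client
    itself initiated; everything else is silently discarded."""

    def __init__(self, local_ip, max_entries=256):
        self.local_ip = local_ip
        self.max_entries = max_entries      # assumed bound of the rolling list
        # (remote_ip, remote_port, local_port, proto) -> "SYN_SENT" | "ESTABLISHED"
        self.sessions = OrderedDict()

    def outbound(self, pkt):
        """The client sent a packet: remember the remote host/port it contacted."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_port, pkt.proto)
        if pkt.fin:
            self.sessions.pop(key, None)    # client closed the session
            return True
        if key not in self.sessions:
            if len(self.sessions) >= self.max_entries:
                self.sessions.popitem(last=False)   # rolling list: evict the oldest entry
            self.sessions[key] = "SYN_SENT" if pkt.syn else "ESTABLISHED"
        return True

    def inbound(self, pkt):
        """Swap source/destination so the tuple is keyed from the client's point of
        view, then check it against the list. True = passed to the IP stack,
        False = silently discarded (no notification, no reply)."""
        if pkt.dst_ip != self.local_ip:
            return False
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port, pkt.proto)
        state = self.sessions.get(key)
        if state is None:
            return False                    # unsolicited: no matching entry
        if pkt.syn and state != "SYN_SENT":
            return False                    # session already in progress: a fresh SYN is not its reply
        if state == "SYN_SENT":
            self.sessions[key] = "ESTABLISHED"   # remote host acknowledged our SYN
        if pkt.fin:
            del self.sessions[key]          # ports reported closed: entry removed to limit exposure
        return True


def telnet_example():
    """Replays the guide's example: client 10.1.2.2 telnets to 5.6.7.8 (constructed packets)."""
    fw = RollingListFirewall("10.1.2.2")
    fw.outbound(Packet("10.1.2.2", "5.6.7.8", 1005, 23, syn=True))
    verdicts = {
        # the remote host acknowledges the session: matches the swapped entry, allowed
        "syn_ack": fw.inbound(Packet("5.6.7.8", "10.1.2.2", 23, 1005, syn=True)),
        "data": fw.inbound(Packet("5.6.7.8", "10.1.2.2", 23, 1005)),
        # a session opened back towards the client's port 23: no entry, discarded
        "reverse_session": fw.inbound(Packet("5.6.7.8", "10.1.2.2", 1005, 23, syn=True)),
        # a new SYN on the ports of the session in progress: not in the initial state, discarded
        "syn_on_open_session": fw.inbound(Packet("5.6.7.8", "10.1.2.2", 23, 1005, syn=True)),
        # the remote host closes the session: allowed, and the entry is dropped
        "close": fw.inbound(Packet("5.6.7.8", "10.1.2.2", 23, 1005, fin=True)),
        # anything further on those ports is now unsolicited
        "after_close": fw.inbound(Packet("5.6.7.8", "10.1.2.2", 23, 1005)),
    }
    verdicts["entries_left"] = len(fw.sessions)
    return verdicts
```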
Benefits of Kernel Level Implementation
Because of the use of the NDIS Intermediate Device Driver, the AT&T Global Network Firewall differs from most competing products in that it is implemented at the operating system kernel level rather than the user application level. This makes the AT&T Global Network Firewall more difficult to manipulate, circumvent, or remove from the client system than a firewall implemented at the application level. Implementation at the operating system level also provides additional protection from "Denial of Service" attacks. "Denial of Service" attacks attempt to render a user machine unusable by flooding it with useless network traffic. The AT&T Global Network Firewall recognizes the traffic as unsolicited and does not allow the traffic to route into the IP stack of the client machine. Finally, because of the kernel level implementation, the AT&T Global Network Firewall performs more efficiently than competing implementations, freeing more computing resources for the user application, rather than firewall security.
Behavior When IPSec VPN is Not Active
session using the AT&T Global Network Firewall Configuration Window. The AT&T Global Network Firewall Configuration Window lists the available network interfaces and allows the user to select which interfaces the AT&T Global Network Firewall should monitor. An example is shown in Figure 5. Any selections made in the AT&T Global Network Firewall Configuration Window only apply when there is no active AT&T IPSec Virtual Private Network connection. Whenever there is an active IPSec Virtual Private Network connection, the AT&T Global Network Firewall is automatically enabled on all network interfaces to protect both the remote user and the Intranet.
Figure 5: AT&T Global Network Firewall Configuration Window
If a customer does not wish to allow access to the AT&T Global Network Firewall Configuration Window, a custom version of the AT&T Global Network Client can be deployed that does not include the AT&T Global Network Firewall Configuration Window. Beginning with version 5.05 of the AT&T Global Network Firewall, account administrators can control if users have access to the AT&T Global Network Firewall Configuration Window through the AT&T centralized administration engine, AT&T Service Manager (See Custom Settings in Appendix A).
If a user does not have access to the AT&T Global Network Firewall Configuration Window, the AT&T Global Network Firewall is always active on all network interfaces by default.
Trusted LAN Customization
the AT&T Global Network Firewall will verify if the client resides on a trusted LAN when the machine is powered on.
If the user initiates an IPSec VPN while in the office, the AT&T Global Network Firewall automatically ignores the 'Trusted LAN' customization and follows the rules of the service.
The 'Trusted LAN' customization requires users be configured to use DHCP when running Windows 95, Windows 98, Windows 98 SE, or Windows ME. Windows NT 4.0, Windows 2000, and Windows XP users are supported for both static (v5.05+) and DHCP IP addressing. The subnets defining the trusted LAN are static and must be supplied at customization time, before client deployment. A maximum of 125 subnets can be used to define the trusted LAN. This feature is available through a custom kit only.
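The precedence rules from the Operational Modes section and this Trusted LAN section, resolved for one interface as an added illustration (editor's code, not AT&T's): the mode names, parameter names and the "no address yet" case are assumptions, while the 125-subnet limit and the VPN-overrides-everything rule come from the text.

```python
"""Effective firewall state for one network interface, following the four
operational modes and the Trusted LAN rules described in this chapter.
Illustration only; the Service Manager and kit formats are not modelled."""
import ipaddress

MAX_TRUSTED_SUBNETS = 125   # limit stated in the Trusted LAN section


def load_trusted_subnets(cidrs):
    """Parse the static subnet list a custom kit would carry; enforce the stated maximum."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    if len(nets) > MAX_TRUSTED_SUBNETS:
        raise ValueError(f"trusted LAN is limited to {MAX_TRUSTED_SUBNETS} subnets, got {len(nets)}")
    return nets


def on_trusted_lan(assigned_ip, trusted_nets):
    """Re-evaluated every time a new (DHCP or static) address is assigned to the PC."""
    addr = ipaddress.ip_address(assigned_ip)
    return any(addr in net for net in trusted_nets)


def firewall_enabled(mode, *, vpn_active, sm_always_enabled=None,
                     adapter_checked=True, assigned_ip=None, trusted_nets=()):
    """Return True if the firewall is enforced on the interface.

    mode:              "default", "vpn_only", "trusted_lan" or "off" (the four modes above)
    sm_always_enabled: the Service Manager Y/N setting, or None if not set
    adapter_checked:   the user's selection in the Firewall Configuration Window
    """
    if vpn_active:
        return True        # an IPSec tunnel forces the firewall on, on all interfaces, in every mode
    if mode == "off":
        return False       # "always disabled (N)" set in Service Manager
    if mode == "vpn_only":
        return False       # disabled whenever no tunnel is established
    if mode == "trusted_lan":
        if assigned_ip is None:
            return True    # no address assigned yet: stay protected (assumption)
        return not on_trusted_lan(assigned_ip, trusted_nets)
    if mode == "default":
        if sm_always_enabled is not None:
            return sm_always_enabled   # the SM setting takes precedence over the user's radio buttons
        return adapter_checked         # otherwise the Configuration Window selection applies outside the tunnel
    raise ValueError(f"unknown mode {mode!r}")
```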
Sharing Local Resources
Customers may still wish to access local resources (such as printers and other servers) outside the tunnel while an IPSec tunnel is established. This requires an IPSec dual access capable service on the AT&T Global Network Client. IPSec dual access allows users to access destinations outside the tunnel either locally or through the Internet in addition to resources down the tunnel.
Users that host shared resources to the local LAN (such as printers) will not be able to do so while an IPSec tunnel is established. This traffic will be viewed as unsolicited IP traffic, and will be silently discarded by AT&T Global Network Firewall.
Customers who need to provide this hosting capability will not be able to do so while the IPSec tunnel is established unless the AT&T Global Network Firewall is disabled administratively from Service Manager (see Operational Modes above). This does, however, leave users unprotected unless alternate firewall protection is employed.
Users on Windows 2000 or Windows XP connecting via the AT&T Global Network Client V5.08 or above will not have a DNS or WINS name resolution problem accessing local and non-local resources in a multi-homed environment. Otherwise, in some Dual Access configurations, users may require special accommodations for DNS or WINS name resolution for local and non-local resources simultaneously. Customers have the option of specifying different DNS/WINS server addresses via Service Manager for use while the IPSec tunnel is established, or they may continue to use local or existing DNS/WINS settings. In pre-5.08 Clients or earlier OSs, any negative reply from a DNS/WINS server is authoritative and final. In such a case, the DNS server to which the machine resolves must be configured to resolve for both environments. If this is not possible, some less optimal alternatives do exist. They include:
Referring to resources from one of the two environments using IP addresses only,
Defining name to address translations in local “hosts” or “lmhosts” files on each
Exceptions to the Static Deny All Unsolicited Policy
The only exceptions to the static deny all unsolicited firewall policy exist when there is an active VPN connection. When VPN connected, the firewall does not interfere with VPN traffic. With an active VPN connection users receive all VPN traffic, solicited or unsolicited. Administrators have the ability to define an Access Control List identifying the hosts with which a user can communicate through the VPN. Then the user can only initiate communication to those hosts defined in the Access Control List. If an Access Control List is not defined, all traffic is considered VPN traffic. Administrators can also define an Access Control List for their non-VPN interfaces (aka Internet interface). This is known as the fenced Internet Access Control List. If a fenced Internet Access Control List is defined, when VPN connected, those hosts in the fenced Internet list can initiate unsolicited traffic to the user.
Centralized Administration
The current version of the AT&T Global Network Firewall does not allow for centralized administration. Future plans include the ability to configure and administer the AT&T Global Network Firewall via the AT&T Service Manager.
Functionality
By default, the AT&T Global Network Firewall feature is active on all network card interfaces and all Microsoft Remote Access Services WAN/Dial-Up Networking interfaces whenever the client machine is powered on, regardless of whether there is a current connection to an AT&T network. This is a meaningful security feature to reduce exposure for always-active broadband connections. The user can be confident that the AT&T Global Network Firewall is constantly monitoring the IP traffic attempting to enter and exit the machine.
The AT&T Global Network Firewall automatically supports all standard business applications and protocols. In some cases, users may be using their personal PC to support business connectivity. For them, the firewall may affect the functionality of their non-business applications, such as Internet gaming. Users may be able to disable the AT&T Global Network Firewall through the AT&T Global Network Firewall Configuration Window when they are not accessing their corporate network.
The customer's secure network can be a shared secure network such as the AT&T Managed Data Network or a secure network private to an individual customer. Negotiation includes a list of pre-determined network addresses as well as communication initiated by the client machine to communicate with another machine via a specific protocol. The account administrator sets the pre-determined Access Control List when the account is created. The Access Control List is used during secure IPSec tunnel sessions. During a secure session, data flowing to or from a machine on the Access Control List can flow freely without blocking. This allows users on the secure network to initiate communication with a remote peer.
client initiates an FTP transfer with a remote host, the initiating port is opened, as well as the data return port, which is different than the initiating port.
A WAN connection is equivalent to a connection made through a PC com port. The Access Control List is determined at the account administrator level and is communicated to the AT&T IPSec Intermediate Driver during authentication to a secure session.
Application Compatibility
It is important to note that because of protocol negotiation, some applications do not work through a standard firewall without special processing. An example of this is Net2Phone, which communicates on several ports and embeds port and address information within the data stream. Without additional logic supporting the Net2Phone negotiation in the firewall, a user would not be able to successfully implement the application through a firewall. The AT&T Global Network Firewall has a commitment to perform the necessary logic to support the unique requirements of all business applications.
Firewall Conflicts
The Client program uses IP to communicate with other computers on the network just like other network programs (such as web browsers and e-mail programs). Third-party personal firewalls (like ZoneAlarm and BlackICE) can prohibit certain types of network communication.
The following list describes some of the network communication that the Client performs during a connection. Some firewalls must be configured to allow the Client to communicate with the network in order for these features to function properly.
1. Dial Authentication
The Client uses a proprietary enhanced authentication process. After dialing and completing PPP negotiation with a bogus password, the dialer attempts to ping the dialed gateway (using ICMP). Then the dialer opens a TCP socket on port 5053 to the gateway to perform enhanced authentication. During enhanced authentication, a session key is exchanged and authentication credentials are verified across an Advanced Encryption Standard (AES)-encrypted data stream.
A customization could be made to the Client to disable enhanced authentication and use PAP instead, but the following consequences would occur:
Meaningful error messages are lost. Instead of "invalid user ID", "expired password", "revoked password", etc., the user only sees "authentication failed".
Login retries are lost. The user must redial to change user ID or password.
The ability to warn a user if a closer access number is available is lost.
The ability to change passwords is lost.
AT&T recommends adding policy rules to the firewall to allow enhanced authentication to be used.
2. Disconnect warning
The Client communicates with the dialed gateway after connecting to be notified of pending disconnects. For example, a user can configure an inactivity timeout in the Client of 20 minutes with a warning 1 minute before disconnecting. The Client sends a UDP datagram on port 7000 to the dialed gateway informing it of the settings. The dialer then listens on UDP port 7000. If the connection is idle for 19 minutes a datagram is sent from the gateway to the Client and the Client displays a warning that the connection will be disconnected in 1 minute unless the user takes the appropriate action.
Maximum inactivity timeouts are set in the AT&T network at the account level. The AT&T gateways will timeout inactive connections regardless of the client used. However, the warning will only be displayed if the Client is allowed to communicate on UDP port 7000.
This is not a critical feature, but AT&T recommends adding policy rules to the firewall to allow disconnect warnings to be used.
3. Software updates
The Client periodically checks for updates to its phone list and the program itself. The Client uses standard, anonymous FTP (TCP ports 20 and 21) to check for and download updates. Normally updates are downloaded from 165.87.194.246, but this can be customized to download from any address.
AT&T recommends adding policy rules to the firewall to allow software updates from that server. Alternately, the customer can have the Client customized to download updates from a server on the customer's internal network. The customer is responsible for maintaining the FTP server and keeping its software and phone list current. This customization is not recommended because experience has shown that most customers have regretted maintaining their own server.
4. SLA data collection
The Client uploads data about all connection attempts to a server after connecting. All connection attempts, including busy signals, failed authentication, retries, modem failures, etc., are included in the data sent to the server. This data is used for measuring SLAs (Service Level Agreements). In Client versions prior to 5.05 the data was sent using HTTP (TCP port 80) to one of the following addresses: 32.77.2.202, 32.97.255.53, 32.77.2.203, or 32.97.255.54. Beginning with version 5.05, the data is sent using HTTP (TCP port 80) to one of the following addresses: 129.37.0.113 or 32.97.118.242. If this SLA data is not collected, AT&T will not provide service-level guarantees.
AT&T recommends adding policy rules to the firewall to allow SLA data to be sent to those servers.
5. Config server updates
programs with these settings. The request is sent from the client on TCP port 1800 to one of the following addresses: 165.87.194.250, 165.87.194.203, 32.96.130.100, 32.96.130.100.
AT&T recommends adding policy rules to the firewall to allow config server data to be requested from those servers.
6. VPN Tunneling
When connecting with a service that requires VPN tunneling, the Client uses IPSec to communicate with the tunnel server. The IPSec protocol uses the following ports for key exchange, encrypted data flow, and digital certificate checking.
Port    Protocol    Direction    Application
-       ESP (50)    in/out       IPSec tunnel
21      TCP         out          Passive FTP for Client Updates
80      HTTP        out          Remote Access Repository
500     UDP         in/out       IPSec ISAKMP negotiation
1024+   UDP         in           UDP Wrapper Users
1800    TCP         out          Configuration Server Query
4500    UDP         in           IPSec with NAT-Traversal
5080    TCP         out          Service Manager authentication
AT&T recommends adding policy rules to the firewall to allow IPSec tunneling if needed. Note: The addresses and protocols specified in this note are subject to change in future versions of the Client.
NAT/Firewall Traversal
The AT&T Global Network Client/Network Firewall IPSec implementation supports NAT/Firewall traversal by UDP encapsulating IPSec traffic. UDP encapsulation offers many advantages for remote access users:
1. Traverse NAT/Firewall devices that perform port address translation. IPSec is an IP protocol not a TCP or UDP protocol. The AT&T Client drivers operate in tunnel mode (not transport mode) where the entire original IP packet is encrypted and encapsulated with the outer IPSec IP packet. In this case the UDP/TCP port values are not available for a NAT device to evaluate, therefore a NAT mechanism based on the TCP or UDP port values will not work with IPSec in tunnel mode. Therefore, all tunneled IPSec traffic is UDP encapsulated such that the traffic appears to be UDP traffic to
2. Traverse NAT/Firewall devices that do not allow IPSec ESP packets to pass through. Some firewall/routers are configured to prevent IPSec ESP or IP Protocol 50 to pass through. By encapsulating this traffic as UDP, the IPSec ESP traffic will appear to be UDP and pass through the firewall.
3. Multiple users can establish VPN connections through a NAT/firewall device to the same VPN Endpoint. When multiple users connect to the same VPN endpoint from behind a NAT/firewall device, the VPN endpoint only communicates with a single IP address, the NAT/firewall device’s IP address. When multiple tunnels are established to the VPN endpoint with normal IPSec ESP traffic, it is not possible for the VPN endpoint to uniquely identify the multiple tunnels. By UDP encapsulating the ESP traffic, the NAT/firewall device will perform port address translation, thus presenting a unique UDP source port to the VPN endpoint for each tunnel. This allows the VPN endpoint to manage multiple IPSec tunnels individually even when they are established from the same source IP address.
Configuring UDP Encapsulation
A preference labeled “Negotiate UDP Encapsulation with VPN server for NAT Traversal.” is available in the Login Properties/Preferences panel as shown in Figure 6 to allow an end user to specify the use of UDP encapsulation. Starting with version 5.08, the default value for this preference can be centrally configured in Service Manager. To utilize UDP encapsulation, this preference must be selected along with configuring the UDP Encapsulation/NAT Traversal settings on the VPN endpoint.
IPSec and NAT/Firewall traversal is currently a high priority for the IPSec Working Group, but the proposed solutions are still in draft format and have not been accepted as RFCs. Since the industry has not adopted a standard approach, our implementation varies based on the tunnel endpoint, as listed below:
SIG
NAT devices are auto-detected through a series of hashes during IKE negotiations.
The AT&T Global Network Firewall uses UDP port 4500 as the source port and UDP port 500 as the destination port in IKE negotiations and ESP IPSec data flows.
This implementation is based off the following Internet drafts: http://www.ietf.org/internet-drafts/draft-ietf-ipsec-nat-t-ike-00.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-00.tx
Nortel
NAT devices are auto-detected through a series of hashes during IKE negotiations.
IKE and IPSec ESP traffic are UDP encapsulated using available UDP ports above 1024 combined with the UDP port specified in Nortel switch configuration (typically UDP port 4500).
CISCO
NAT devices are auto-detected through a series of hashes during IKE negotiations.
The AT&T Global Network Firewall uses UDP port 4500 as the source port and UDP port 4500 as the destination port in IKE negotiations and ESP IPSec data flows.
This implementation is based off the following Internet drafts:
http://www.ietf.org/internet-drafts/draft-ieft-ipsec-nat-t-ike-02.txt
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-02.tx
The AT&T Global Network Client/Network Firewall supports most NAT/firewall devices. There are known difficulties when tunneling IPSec traffic through NAT/Firewalls which are documented in the IPSec Working Group draft as
Chapter 5
Extended Access
Extended Access is an AT&T offering that allows remote users to access the network through local points of presence (PoPs) that are owned and managed by another Internet Service Provider (ISP) that is an AT&T partner. Extended Access provides local access in over 90 countries where AT&T does not have PoPs. There is an hourly access charge for the use of Extended Access based on region. The Extended Access ISP proxies users’ authentication requests to AT&T to allow access to the Internet. The protocol and data flow for connecting to Extended Access PoPs vary depending on the service being accessed. For more information, go to the AT&T Extended Access web site at http://info.attbusiness.net/e-access.
AT&T Business Internet Service (BIS)
New AT&T customers registered in the United States and Canada that have signed an AT&T Master Agreement dated 10/21/02 or later, and existing customers that have previously signed an agreement that references the AT&T Business Internet Services Global Service Description are eligible to use the feature immediately. All other customers should contact their account representative.
Extended Access for BIS requires a custom Client--the generally available E-Access Client, or a customization added to the customer's already customized Client.
Internet Extended Access Authentication Options
When connecting to an Extended Access PoP for AT&T’s Business Internet Service, clear-text user IDs and passwords are typically used for the connection process as shown in Figure 7. However, if the AT&T Global Network Client and Firewall are used to connect, the connection process is encrypted and enhanced (see Figure 8).
Figure 7: Internet Extended Access with Clear-Text Password - Overview Diagram
AT&T VPN Tunneling Services (AVTS)
Contact your AT&T Account Representative to order this feature.
AVTS customers do not require a custom Client. The System Administrator gives the users access to the extended PoPs by enabling the Extended Access field in Service Manager (see Appendix A.)
Managed VPN Extended Access Authentication Process
When connecting to AT&T’s Managed VPN service through an Extended Access PoP, the connection flows are encrypted and enhanced. This connection requires the AT&T Global Network Client and Firewall on the remote user’s computer. The connection process involves three phases as described and illustrated below.
Phase 0 The dial link to the Extended Access PoP is established. In most cases, an “authenticated” status is granted to the user so that the Extended Access PoP grants the user limited Internet access. Internet access is limited by the AT&T firewall to only allow communication to the AT&T authentication servers so that phase 1 authentication can commence.
Phase 1 Enhanced authentication is conducted between the AT&T client and an AT&T authentication server. Enhanced authentication flows are encrypted and provide a robust protocol that allows authentication challenges and meaningful error messages. (Authentication challenges include scenarios such as invalid password, next card code, new PIN, etc.)
Appendix A
Custom Settings
AT&T provides System Administrators the tools to define settings pushed down to the AT&T Global Network Client (AKA Client). These settings are sent to the Client by Service Manager or by the Configuration Server (AKA Config Server). System Administrators supply AT&T Enablement with their customer specific information for variables pushed down by Service Manager or the Config Server. System Administrators have access to a web based tool to enter the customer specific values pushed down from Service Manager.
Service Manager
Administrators can update the following fields on Service Manager for your corporate Internet users. Administrators can access the web page for updates at http://globalnetwork.support.att.com.
1. Authentication method – Specifies the way the user is to be authenticated. Must be D, L, R, S, or W for a regular (non-model) ID. Must be D, L, R, S, W, or blank for a model ID. Valid values are:
D = Radius
L = LDAP
R = RACF
S = SecurID
W = SafeWord
2. Help Desk number – The help desk number you want your users to call for help.
3. Default service type – Optional. A two character code to be used when authenticating. Valid values:
03 = LAN Dial
05 = Secure IP Dial
06 = Internet
07 = Async Terminal Services (ATS)
08 = Async Pass Through
09 = Dual Access
0A = VPEF (VCOM, XPC)
0B = Multi-Protocol Tunneling (MPT, LAN Dial V2)
0C = Fixed IP
0D = Managed Tunneling Service using PPTP (MTS/PPTP)
0E = Managed Tunneling Service using PPTP with Multi-Protocol
0F = TCP Clear
10 = Managed Tunneling Service using IPSec (MTS/IPSec)
11 = 3D (Internet, Common Services, Tunneling)
12 = Managed Tunneling Services using IPSec with Dual Access
4. Idle dial timeout – Specifies a service-level value. A blank, which is the default, implies the value is provided by the LIG. If specified, the value must be between 1 and 720 for all services except Internet, for which the value range is 1 to 35. For “no timeout”, set it to 999, but 999 is not allowed for Internet service.
5. Tunnel Dual access – Specifies whether the user is enabled for the dual access feature of IPSec Managed Tunneling. A ‘Y’ in this field will also allow the user to access Internet locations. The default is blank. The values are as follows:
Y = Dual Access enabled
N = No Dual Access
6. Analog auto dial backup – Optional. The default is blank. Valid values:
0 = Automatic Backup is not allowed
1 = Automatic Backup is allowed using 1 line
2 = Automatic Backup is allowed using 2 bundled lines
U = Automatic Backup is allowed using an unlimited number of bundled lines
7. ISDN auto backup – Optional. The default is blank. Valid values:
0 = ISDN Automatic Backup is not allowed
1 = ISDN Automatic Backup is allowed using 1 B channel
2 = ISDN Automatic Backup is allowed using 2 bonded B channels
8. Dial session timeout – Specifies the time, in minutes, that the Dial Session will maintain a connection before a timeout occurs and the session is dropped. Valid range is 1 through 7,200.
9. Enable AT&T firewall – Optional. The default is blank. It can be inherited from a model ID. Specifies that the firewall is always enabled. Valid values:
Y = Firewall is enabled
N = Firewall is completely disabled
10. User controlled firewall – Optional. The default is blank. It can be inherited from a model ID. This will allow the user to turn the firewall on or off. Valid values:
Y = user is allowed to turn firewall off
N = user is not allowed to turn firewall off
11. Time for password to expire – Can only be updated by AT&T.
12. Activity threshold timeout – Optional. It can be inherited from a model. Specifies a 3-byte numeric value in minutes for the AT&T Global Network Client to time out the user. The valid range is from 1 to 60 minutes.
13. Activity threshold bytes – Optional. It can be inherited from a model. Specifies a 5-byte numeric value in bytes for the AT&T Global Network Client to control the maximum bytes allowed in a packet for the user. The valid range is from 50 to 50,000 bytes.
14. Extended Access allowed – Specifies whether the user can access the network via extended reach Points of Presence (POPs) which are provided by partner ISPs. The default is blank. Valid values:
Y = user is allowed Extended Access
N = user is not allowed Extended Access
15. DNS – Specifies the primary and secondary DNS values for your account.
16. WINS – Specifies the primary and secondary WINS values for your account.
17. Domain name – The name of the domain for the client session.
18. Domain Search Suffix 1-5 – Up to 5 domain suffixes may be entered to aid in web address searching (for example, att.com).
19. Negotiate UDP – Specifies the default setting for whether the Client is to negotiate UDP encapsulation with the tunnel end point. The default is blank.
Y = Negotiate UDP Encapsulation
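Before submitting values through the Service Manager web tool, an administrator can check them against the ranges and codes listed above, including the cross-field rule that the idle dial timeout range (and the 999 "no timeout" value) depends on whether the default service type is Internet. This validator is an added example, not AT&T's tool; the snake_case dictionary keys are constructed forms of the field labels above.

```python
"""Checks Service Manager field values against the ranges and codes listed
in the field descriptions above. Constructed illustration, not AT&T's tool."""

AUTH_METHODS = {"D": "Radius", "L": "LDAP", "R": "RACF", "S": "SecurID", "W": "SafeWord"}
INTERNET_SERVICE_TYPE = "06"   # default service type code for Internet
NO_TIMEOUT = 999               # idle dial timeout value meaning "no timeout"
CODED_FIELDS = {               # field -> allowed codes (blank = default / inherited)
    "tunnel_dual_access": {"", "Y", "N"},
    "analog_auto_dial_backup": {"", "0", "1", "2", "U"},
    "isdn_auto_backup": {"", "0", "1", "2"},
    "enable_att_firewall": {"", "Y", "N"},
    "user_controlled_firewall": {"", "Y", "N"},
    "extended_access_allowed": {"", "Y", "N"},
    "negotiate_udp": {"", "Y"},
}
RANGED_FIELDS = {              # field -> (low, high), inclusive
    "dial_session_timeout": (1, 7200),          # minutes
    "activity_threshold_timeout": (1, 60),      # minutes
    "activity_threshold_bytes": (50, 50000),    # bytes per packet
}


def _as_int(value, label, problems):
    """Parse a numeric field; record a problem and return None if it is not numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        problems.append(f"{label} must be numeric, got {value!r}")
        return None


def validate_settings(settings, model_id=False):
    """Return a list of problems; an empty list means every field is acceptable.

    settings: dict of field -> string value as typed into the web tool.
    model_id: True when validating a model ID (blank authentication method allowed).
    """
    problems = []
    auth = settings.get("authentication_method", "")
    if auth not in AUTH_METHODS and not (model_id and auth == ""):
        problems.append(f"authentication_method {auth!r} not in {sorted(AUTH_METHODS)}"
                        + (" or blank" if model_id else ""))
    # Idle dial timeout: blank means the LIG supplies it. The allowed range
    # depends on the default service type, and 999 is not allowed for Internet.
    idle = settings.get("idle_dial_timeout", "")
    if idle != "":
        n = _as_int(idle, "idle_dial_timeout", problems)
        if n is not None:
            if settings.get("default_service_type", "") == INTERNET_SERVICE_TYPE:
                if not 1 <= n <= 35:
                    problems.append("idle_dial_timeout for Internet service must be 1-35 (999 not allowed)")
            elif not (1 <= n <= 720 or n == NO_TIMEOUT):
                problems.append("idle_dial_timeout must be 1-720, or 999 for no timeout")
    for key, (low, high) in RANGED_FIELDS.items():
        value = settings.get(key, "")
        if value == "":
            continue                      # blank = default / inherited from model
        n = _as_int(value, key, problems)
        if n is not None and not low <= n <= high:
            problems.append(f"{key} must be {low}-{high}, got {n}")
    for key, allowed in CODED_FIELDS.items():
        value = settings.get(key, "")
        if value not in allowed:
            problems.append(f"{key} {value!r} not in {sorted(allowed)}")
    return problems
```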
Configuration Server
Administrators can update the following fields on the Configuration Server for your corporate and virtual private network users. The value of “LEAVE ALONE” (must be in upper case) can be specified in any of the available Config Server settings, which will result in nothing being sent to the users’ PC for the specified values.
1. Browser home page – The default web page all employees should access upon connection to the Internet.
2. E-mail ID – The e-mail ID.
3. Mail server (SMTP ASYMTP and POP3) – The IP address of the mail server your company uses.
4. Mail server User ID – The user ID on your mail server.
5. News Server – A news server allows access to newsgroups. A newsgroup is a discussion about a particular subject consisting of notes written to a central Internet site and redistributed through Usenet, a worldwide network of news discussion groups.
6. Socks server – The IP address of your SOCKS server. (A SOCKS server handles requests from clients (PCs) inside a company’s firewall.)
7. Proxy server – A proxy server is a server that acts as an intermediary between a workstation/user and the Internet so that a company can ensure security, administrative control, and caching service.
8. Auto-proxy URL – Auto Proxy allows different proxies based on URL wild card pattern matching. It also allows multiple proxies to provide proxy failover support if the primary proxy becomes unavailable.
9. Pop-up messages – This is a feature where you can send your users a message. When the user signs on to your service, the message will pop up for the user to read.
10. Mail Domain – Your company’s mail domain name, such as “attglobal.net”.
11. Permanent settings – These are settings your users cannot change.
Appendix B
Document Revision History
Date             Version   Description
April 18, 2003   5.07      Original document.
May 20, 2003     5.08      Updates to Firewall, added information regarding Extended Access.
June 9, 2003     5.08      Updates to Customizing the AT&T Global Network Client.
June 23, 2003    5.08      Updates to Firewall, added sections “NAT/Firewall Traversal” and “Configuring UDP Encapsulation”, added chapter for AT&T Global Network Client.
Written by: Mark Colley, Cyndy Lobb, Becky Claxon
Glossary of Terms
A
Access Control List - An Access Control List (ACL) is a table that tells a computer operating system which access rights each user has to a particular system object, such as a file directory or individual file. Each object has a security attribute that identifies its Access Control List. The list has an entry for each system user with access privileges. The Access Control List referenced in this document is a list of network addresses in relation to the VPN tunnel that limits VPN traffic.
D
DualAccess – The DualAccess service is the same as the SecureIP service with the addition of being able to access the Internet at the same time as the company’s private network, using the same network connection.
F
FixedIP – The FixedIP service provides remote access to a company's private network via a network-based VPN to a tunnel server on the company’s private network. The client IP address can be static or assigned from a customer-specific address pool on the tunnel server. The service supports multiple protocols and provides centrally managed network-based subnet filtering and network-based firewall security.
Fixed IP DualAccess – The Fixed IP DualAccess service is the same as the Fixed IP service with the addition of being able to access the Internet using the same network connection.
I
Internet - An Internet dial service, which gives you multiple email accounts and access to news groups. Users can connect to their Internet account in over 50 countries.
IPX/SPX Compatible – IPX/SPX compatible is a transport protocol used in Novell NetWare networks.
IPsec - IPsec (Internet Protocol Security) is a developing standard for security at the network or packet processing layer of network communication. IPsec is especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers.
M
Managed Tunneling Service - IPSec – The Managed Tunneling Service - IPSec service provides remote access to a company's private network via an end to end IPSec VPN from the client to a tunnel server on the company’s private network. The service provides centrally managed subnet filtering on the client and client firewall security as well as centrally managed network-based subnet filtering and network-based firewall security. The authentication for the VPN is provided through the AT&T Global Network Service Manager, or through a customer managed authentication server via the AT&T Global Network Service Manager. The AT&T Global Network authentication infrastructure has direct communication with the customer managed authentication engine.
Managed Tunneling Service - IPSec DualAccess – The Managed Tunneling
managed authentication server via the AT&T Global Network Service Manager. The AT&T Global Network authentication infrastructure has direct communication with the customer managed authentication engine.
Managed Tunneling Service - IPSec – The Managed Tunneling Service - IPSec service provides remote access to a company's private network via an end to end IPSec VPN from the client to a tunnel server on the company’s private network. The service provides centrally managed subnet filtering on the client and client firewall security as well as centrally managed network-based subnet filtering and network-based firewall security. The authentication for the VPN is provided through a customer managed authentication server, residing on the customer premise. The AT&T Global Network authentication infrastructure does not communicate with the customer managed authentication engine.
Managed Tunneling Service - IPSec DualAccess – The Managed Tunneling Service – IPSec DualAccess is the same as the Managed Tunneling Service - IPSec service with the addition of being able to access the Internet using the same network connection. The authentication for the VPN is provided through a customer managed authentication server, residing on the customer premise. The AT&T Global Network authentication infrastructure does not communicate with the customer managed authentication engine.
N
NAT (Network Address Translation) - NAT is the translation of an Internet Protocol address (IP address) used within one network to a different IP address known within another network. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world.
NetBEUI – NetBEUI is used by IBM or Microsoft LAN servers for access to network drives or printers. An example of an application that uses NetBEUI is Windows Network Neighborhood.
NIC - A network interface card (NIC) is a computer circuit board or card that is installed in a computer so that it can be connected to a network. Personal computers and workstations on a local area network (LAN) typically contain a network interface card specifically designed for the LAN transmission technology, such as Ethernet or token ring. Network interface cards provide a dedicated, full-time connection to a network. Most home and portable computers connect to the Internet through an as-needed dial-up connection. The modem provides the connection interface to the Internet service provider.
S
SecureIP - The SecureIP service provides remote access to a company's private IP network (Intranet) via a shared private AT&T network. The service provides centrally managed network-based subnet filtering and network-based firewall security.
Synchronous (SYNC) - In program-to-program communication, synchronous communication requires that each end of an exchange of communication respond in turn without initiating a new communication. A typical activity that might use a synchronous protocol would be a transmission of files from one point to another. As each
returned indicating success or the need to resend. Each successive transmission of data requires a response to the previous transmission before a new one can be initiated.
Simple Mail Transfer Protocol (SMTP) - SMTP is a TCP/IP protocol used in sending and receiving e-mail.
T
TCP/IP - TCP/IP is most commonly used to view web pages, to send and receive e-mail, and to browse newsgroups. TCP/IP is required to connect to the network and is always available.
U
UDP (User Datagram Protocol) - UDP is a communications protocol that offers a limited amount of service when messages are exchanged between computers in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP) and, together with IP, is sometimes referred to as UDP/IP. Like the Transmission Control Protocol, UDP uses the Internet Protocol to actually get a data unit (called a datagram) from one computer to another. Unlike TCP,