Part VI: Appendices


22.5. Virtual Private Networking

After reading the previous pages, you might assume that it's a piece of cake for business people to connect to their corporate networks across the Internet from wherever they happen to be: their homes, hotel rooms, or local Starbucks. But even though the steps on the preceding pages work fine if you're dialing into your home machine, they'll probably fail miserably when you want to connect to a corporate network. There's one enormous obstacle in your way: Internet security.

The typical corporate network is guarded by a team of steely-eyed administrators for whom Job Number One is preventing access by unauthorized visitors. They perform this job primarily with the aid of a super-secure firewall that seals off the company's network from the Internet.

So how can you tap into the network from the road? One solution is to create a hole in the firewall for each authorized user: software that permits incoming Internet traffic only from specified IP addresses like your Mac's. Unfortunately, this setup isn't bulletproof, security-wise. It's also a pain for administrators to manage.

Another solution: You could dial directly into the corporate network, modem-to-modem. That's plenty secure, but it bypasses the Internet, and therefore winds up being expensive. (Want proof? Try this simple test: Make a call from the Tokyo Hilton to the Poughkeepsie Sheet Metal home office. Have a look at your hotel bill when you check out.)

Fortunately, there's a third solution that's both secure and cheap: the Virtual Private Network, or VPN. Running a VPN allows you to create a super-secure "tunnel" from your Mac, across the Internet, and straight into your corporate network. All data passing through this tunnel is heavily encrypted; to the Internet eavesdropper, it looks like so much undecipherable gobbledygook.

And it's cheap, whether you're accessing the Internet via your home DSL, a local ISP number from a hotel, or wirelessly from your stool at Starbucks.

Remember, though, that VPN is a corporate tool, run by corporate nerds. You can't use this feature without these pieces in place:

  • A VPN server. This is a big deal. If your tech department tells you they don't have one, then that's that: no tunneling for you.

    If they do have one, then you'll need to know the type of server it is. Mac OS X's VPN software can connect to VPN servers that speak PPTP (Point-to-Point Tunneling Protocol) and L2TP/IPsec (Layer 2 Tunneling Protocol over the IP Security Protocol), both relatives of the PPP language spoken by modems. Most corporate VPN servers work with at least one of these protocols.

    You'll also need to know the Internet address of your VPN server (for example, vpn.ferrets-r-us.com).

  • An account on the remote network that allows VPN access. Your remote network can be set up in many different ways, but in every case, you'll still need to confirm with your network administrator that your account on it allows VPN access.

  • All necessary account information. Make sure you have all the scraps of connection information you'll need to dial in. That would include your user (account) name, at the very least. You may also need an NT Domain name; VPN servers are often part of Microsoft Windows NT networks, which won't let you in until you know this domain name.

    Some networks also may require that you type in the currently displayed password on an RSA SecurID card, which your administrator will provide. This James Bond-ish, credit-card-like thing displays a password that changes every few seconds, making it rather difficult for hackers to learn "the" password. (If your network doesn't require a SecurID card, you'll need a standard password instead.)

    Finally, if your office offers L2TP connections, you'll need yet another password called a Shared Secret to ensure that the server you're connecting to is really the server that you intend to connect to.

22.5.1. Making the VPN Connection

Once you know everything's in place, you connect to the corporate network as follows:

  1. Connect to the Internet.

    Connect the way you normally do: via cable modem, DSL, office network, modem, AirPort, or whatever.

  2. Open Internet Connect.

    It's in your Applications folder.

  3. Click the VPN toolbar button (Figure 22-5).

    The Mac asks you to choose either L2TP or PPTP. Find out which system your company's network uses, and then proceed.

  4. Click L2TP or PPTP, and then click Continue.

    The toolbar icon's name then changes to reflect your choice. (If you ever need to use the other protocol, choose File → New VPN Connection; you'll be prompted to choose again.)

  5. Enter the VPN server address, your VPN account name, and your password. Click Connect.

    Figure 22-5. You're on your way to joining the corporate network, from thousands of miles away. Virtual private networking is ideal for the paranoid (because it's very secure) and the cheap (because you're using the Internet as a giant wire connecting you to your home).


    If you need to enter a SecurID password or shared secret, click the Configuration pop-up menu, choose Edit configurations, and type them into the configuration sheet.

    If all goes well, several status messages go by. The last one says, "Connected To" and gives the IP address of the network equipment you've reached out and touched.

    At this point, you're connected to the corporate network. You can perform the same network-related tasks you could if you were actually in that office: check your email, view internal corporate Web pages, access internal FTP servers, make printouts on laser printers thousands of miles away, and so on.

    You generally can't browse things, though. That is, depending on your network, you might not be able to click the Network icon in your Sidebar to view a list of the other computers on the office network, or open Printer Setup Utility to see a list of networked printers.

    In this case, to access these services, you must know their IP addresses. For example, to connect to a shared folder on another computer, choose Go → Connect to Server, type its network address, and press Enter.


    Tip: To connect to a shared folder on a Windows machine, the address looks like this: smb://111.222.33.4/sales-docs. Of course, you'd substitute the correct IP address for the dummy one shown here, and insert the actual name of the shared folder. (You can also use its DNS name instead of the IP address, if you know it, like this: smb://big-blue-server.ferret-lan.com/sales-docs.)

    Classic programs can use your VPN connection, too.

  6. When you're finished accessing the remote network, return to Internet Connect. In the VPN Connection window, click Disconnect.

    Once you're finished with the tunnel, it's a good idea to close it, if only because accessing other Web sites can be very slow while you're connected to the VPN.


Tip: Turning on "Show VPN status in menu bar" adds a VPN menulet to your menu bar, giving you a quick way to start and stop subsequent connections.

22.5.2. The Fine Points of VPN

For all the wonders of VPN, here are some possible complications:

  • If you're using a router at home (a little box that shares one cable modem or DSL box with several computers), it might not be able to handle the tunneling protocols, or it might not have that feature turned on. Check the router's manual, or ask its manufacturer for more information.

    For example, the first-generation (silver) AirPort base stations can't handle VPNs at all. Neither can the second-generation (white) models, unless you've upgraded to version 2.0.4 or later of the AirPort software. (The current base stations, called AirPort Extreme and AirPort Express, work with VPNs just fine.)

  • If the corporate network doesn't seem to like your name and password, you might need to add your NT domain name and a backslash to the beginning of your account name (like this: dom01\msmith) before trying again.

    If you're able to make the connection, but experiencing trouble reaching services by their DNS names (for example, big-blue-server.com), your Mac could be having difficulty finding the right DNS server. Working with your network administrator, open the Network pane of System Preferences. From the Show pop-up menu, choose the correct VPN interface (PPTP or L2TP); enter the desired DNS server addresses in the DNS Servers box. Click Apply Now, and then try the VPN connection again.

  • If you're still having problems using the VPN, look at the logs (automatically kept technical records) for clues to share with your network administrator. To view these records, open Internet Connect and choose Window → Connection Log.



Mac OS X. The Missing Manual
Mac OS X Snow Leopard: The Missing Manual (Missing Manuals)
ISBN: 0596153287
Year: 2005
Pages: 506
Authors: David Pogue
