Using Point to Point Tunneling Protocol (PPTP), VPN allows Windows users to setup a virtual private network using the Internet as their cabling medium. One of the key benefits of this is that Network and AS/400 administrators who already have an Internet connection through their Intranet, can have their users, clients, or sales reps connected, toll free, through the Internet to their AS/400 safely and securely. This article will outline those steps to do so.
What you’ll need:A dialup line with a dedicated IP address.AS/400: TCP/IP OS/400 V3R1 and laterWinNT: v4.0 with SP3, TCP/IP, RAS, PPTPWin98: OSR2 or DNUP (Dial-Up Network Upgrade w/PPTP)
TCP/IP internal Network addresses.
Let's take a moment to address the differences and importance of private versus public IP addresses. Every computer directly connected to the Internet has assigned to it a Public IP address. And as you know, IP addresses are essential for communicating via TCP/IP from one machine to another. Since Internal, Corporate TCP/IP networks must also have IP addresses assigned to each of those computers, blocks of IP addresses have been set aside for private, corporate use. In this way, should a company wish to connect its private TCP/IP network to the Internet, there will not be any conflicting IP addresses between the two networks. So when setting up your Intranet, be sure to use those blocks of IP addresses set side for private use. This will prevent a lot of headaches in the future. For more information on these private IP addresses, see the Bibliography at the end of this article.
Private IP address blocks:
10.x.x.x 192.168.x.x 172.16.x.x 172.31.x.x
AS/400 setup is the easiest of the machines to configure. If you have not already done so, you’ll need to decide which block of private IP addresses you are going to use for the Intranet. Using the AS/400 command go cfgtcp and take option 1, Work with TCP/IP Interfaces, and fill in the appropriate fields with the appropriate data: Internet Address, Subnet Mask, etc.
We will focus our example here on using a dedicated TCP/IP address on a dialup line to your Internet Service Provider (ISP). This is also possible with ISDN (Industry Standard Digital Network), Frame Relay, and T1/Fractional T1, but is beyond the scope of this article. A dedicated IP address for your ISP Internet connection is essential. Because your users will be "dialing" (discussed later) into your NT PC, they will need to know your Internet IP address. If you do not have a dedicated IP address assigned to your dialup account, your IP address will change every time you connect the NT System to the Internet and your users will be unable to find it!
First we need to install TCP/IP. Go to the Control panel and double-click on the Network icon. Select the Protocols tab and click on Add. Now select TCP/IP and click OK. Follow the instructions on the screen assigning your NT system an IP address in the same subnet as the AS/400. For instance, if your AS/400 has the IP address of 192.168.50.10, then a good choice for the NT system would be 192.168.50.20. This also requires that your NT server is on the same internal network cabling as your AS/400.
Second, we need to install a modem in the Windows NT server. I won’t get into the actual hardware installation and that is fairly straightforward. To install the drivers for the modem, go to the Control Panel and double-click on the Modems icon. Follow the instructions on the screen to auto-detect the modem and install the drivers.
Now, to install PPTP, open the Control Panel and double-click the Network Icon. Next select the Protocol Tab and click on Add. In the new dialog, select Point To Point Tunneling Protocol and click on OK.
Once PPTP has been installed, you will be prompted to configure the number of Virtual Private Networks. This must be at least 2.
Now we need to install and configure Remote Access Services (RAS) for dialup and dial-in connections. Again, go to the Control Panel and bring up the Networks Icon. Now click on the Services tab and click Add. Then select Remote Access Services and click OK. Once installed, the Remote Access Setup dialog will be displayed. You will have two entries in this window: one is your modem and the other is your Virtual Private Network (VPN), called RASPPTPM.
Select your modem and click on Configure, then set it for Dial-Out and Receive Calls and click OK. Now select RASPPTPM and click on Configure as well. Set it for Dial-Out and Receive Calls and click OK. Now click the Network Button. Select TCP/IP for the Dial-Out Protocol in Server Settings. Now click on the Configure button for TCP/IP. Select Entire Network for TCP/IP access and assign a static address pool in the same group as your AS/400 IP address. Click OK and Continue to close out all these dialogs. You will then be prompted to restart NT.
Now, in order for your Remote Internet users to get into your local Network they will have to have a User Account on your NT system. Click on the Start button, Programs, Administrator Tools, and User Manager for Domains. Click on the User menu and New User. Fill in all the appropriate information for your user(s). Now click on the Dial-in button and select Grant Dial-in Permissions to User and click OK. At this point you can also restrict this user to particular hours of access using the Hours button.
Finally for NT, we need to setup Dialup Networking to dial your ISP and connect to the Internet. Click on the Setup button and select Program, Accessories and then Dialup Networking. Click on New to create a new connection. Follow the instruction given to create this connection. Once you’ve been returned to the Dialup Networking Window, click on the More button and select Edit Phone and Modem Properties. Click on the Server tab. Ensure that PPP is the Dialup Server type and select only TCP/IP in the Network Protocols. Now click on the TCP/IP settings button. In this new dialog, select Specify an IP Address and enter the dedicated IP address assigned to you by your ISP. Fill in all the other fields as instructed by your ISP as well. Click on Done and OK to finish all the open Windows back to the Dialup Networking Window.
You can now dial your ISP on your NT server and test the connection using IE, NetScape or any other Internet Client software.
We are assuming at this point that your remote Windows 98 users are already "on-line" on the Internet with their own ISP and dialup accounts.
For your Windows 98 dial-in Clients you will need to install OSR2 (a.k.a. Service Pack 2) for Windows 98 or download and install the Dialup Network Update and PPTP from the Microsoft Web Site: http://www.microsoft.com. Both of these files are Windows Self Extracting Zip files, so just execute them and follow the online installation instructions.
Once these updates have been installed, we will need to configure a new connection in the Windows 98 Dialup Networking program. Click on the Start button, Programs, Accessories, and then Dialup Networking. Double-click on "Create New Connection" and select the new device called "Microsoft VPN Adapter". Call this new connection "VPN to AS/400". Now click on the Next button and enter the host IP address of the WinNT Server that we set up in the previous section (remember, this is the Internet IP address the WinNT Server uses when it connects to the Internet with its dialup adapter). Now click on Done.
The last thing we need to do is Configure IP Client for TCP/IP. Click on the Start button, Programs, IP Client Emulation, and then Config. Click on Set Global Option and then select TCP/IP for the Router Interface. The dialog will extend to show additional TCP/IP options. Click on the Add button and enter the System Name of your company’s AS/400. Next, enter its Intranet IP address (remember this is the IP address we assigned to your AS/400 that is used internally by your company on its internal Local Network). Click on OK, and then Save, then End Configuration.
Now, and finally, to connect WinAPPC through the Internet and PPTP with VPN, dial your ISP and connect to the Internet as you normally do. Now run the new Dialup connection we created called "VPN to AS/400" - do not disconnect your current Internet Connection. When VPN to AS/400 is run, it will "dial" your company’s WinNT Server. Once it has connected to the WinNT server you will be prompted to enter your Username and Password to log in. This is the same Username and Password we set up in the WinNT Server that we created for dial-in access in the previous section.
Now that you are logged into the WinNT server through the Internet, start IP Clinet Display Emulation. Click on the Session menu and then "Connect" to connect to the AS/400. After a short delay, you will have a sign-on screen to your company’s AS/400! Depending on your dialup modem speed and the traffic on the Internet at that time, you can get fairly quick response from this connection method.
Because VPN uses 48bit encryption, the traffic to and from your Win98 PC and the AS/400 is fairly secure - more so than a straight dial-in line to the AS/400. And because users must be authenticated by the WinNT Server in order to log into the internal network, you have an extra level of security built in.
There are many more levels of security that can be set, as well as other options available with VPN and PPTP - all of which are beyond the scope of this article. Refer to the bibliography for additional resources.
I hope this has explained the general steps involved in getting IP Client Emulation access to your AS/400 over the Internet. And that based upon this article, you can research further the possibilities that this technology, along with IP Client, can bring to your company in an inexpensive and secure manner.
The Whole Internet, O’Reilly & Associates
Managing Internet Information Services, O’Reilly & Associates
TCP/IP Fastpath Setup, AS/400 manual SC41-3430
TCP/IP Tutorial and Technical Overview, AS/400 manual GG24-3376
TCP/IP Configuration and Reference, AS/400 manual SC41-3420