02
Sat, Nov
2 New Articles

Universal Connection: The Faster ECS

Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Many customers today still use the Electronic Customer Support (ECS) command Send PTF Order (SNDPTFORD) to download PTFs over modem lines; it's reliable, and they know it works. What some customers don't know is that there is a solution to quicken PTF downloads. This solution is called the Universal Connection.

The Universal Connection is a virtual private network (VPN) solution that allows a customer to configure a VPN tunnel to different IBM service machines. Once the Universal Connection is configured, a customer can do the following:

Use the ECS commands Send PTF Order (SNDPTFORD), Send Service Request (SNDSRVRQS), Query Problem Status (QRYPRBSTS), and Order Supported PTFs (ORDSPTPTF). It is important to note that you can now download over 99 MB of PTFs through this connection.

Transfer Service Agent data to IBM service machines. IBM can then determine what system parameters, error conditions, and system and software configurations are on the customer's system. This helps IBM provide quality service to its customers, updating them on possible HIPER PTFs and upgrades.

Transfer PM/400 data to IBM service machines. IBM can then analyze this information and advise the customer as to when they might need an upgrade. IBM can also create graphical information about a customer's iSeries system performance and compare it to other customer systems.

Use remote support to allow a Customer Support Engineer in Rochester to connect to a customer's system for problem determination. This enhancement was released in V5R1. Simply load and apply PTFs SI02764, SI04969, and SI03364. This will allow the Rochester Support Center to gain access to Telnet sessions of the customer's system and also allow them to use GUI applications such as Operations Navigator, HTTP Administration Server, Lotus Notes Client, and WebSphere Console.

For customers, the advantage of having the Universal Connection configured for the iSeries is that it does things faster than a modem connection does. The key to all of this is the configuration of the Universal Connection. A customer's iSeries system must have a globally routed IP address to the Internet, meaning the system must look like it is located on the Internet either by giving it an Internet IP address or by configuring firewall filter rules--or even possibly by using different types of routing.

To configure the Universal Connection, a customer must know what is between the iSeries and the Internet because VPN packets need to be able to flow from the iSeries to the Internet. Many customers have firewalls between their iSeries systems and the Internet that block packets from being passed. When this occurs, filter rules need to be configured to allow the VPN tunnel to be established. Here are some examples:

For customers who use their iSeries as a Web server, the iSeries is most likely on the Internet. This means that there is no device between the iSeries and the Internet. The customer has to configure only the iSeries, not any other external devices such as a firewall.

Most customers have their iSeries system within a Demilitarized Zone (DMZ) with a firewall between the iSeries and the Internet. Later, I'll explain what filter rules need to be configured to allow a VPN connection to go through the customer's firewall.

An iSeries might sit within the local intranet, outside of the DMZ. Figure 1 below shows what this might look like. The local intranet is usually connected to the DMZ by a router, and the DMZ has a router of its own, which is connected to the Internet. Additional configuration must be done to the Cisco router to allow the VPN connection to be established from the iSeries to the Cisco router.

The types of configuration for the Universal Connection are explained in detail in Chapter 5 of the IBM Redbook iSeries Universal Connection for Electronic Support and Service (SG24-6224). This chapter explains the many different Universal Connection configuration scenarios, depending on where an iSeries sits within the network.

http://www.mcpressonline.com/articles/images/2002/VPNArticle600.jpg

Figure 1: An iSeries within the local intranet, outside of the DMZ

Once the customer knows where the iSeries sits within the network and once the system has a globally routed IP address to the Internet, configuring the Universal Connection is a matter of a few clicks. Keep in mind that the VPN connection can be set up only if the customer has an 0S/400 release of V5R1 or later as well as Client Access Express for Windows V5R1 with the latest service pack installed on their PC.

It is important to note that the Universal Connection doesn't currently support firewalls that perform Network Address Translation (NAT). If you have a NAT-performing firewall between your iSeries and the Internet, you will not be able to configure the Universal Connection. However, in V5R2, Universal Connection will support NAT firewalls and other NAT devices.

Configuring a System That Has a Globally Routed IP Address

Let me take you through an example of the steps to configure the Universal Connection for a system that has an interface with a globally routed IP address. This iSeries sits right in front of a firewall that does not perform NAT but does block all ports except for 80.

  1. Open up Operations Navigator. Remember that you must have IBM Client Access Express for Windows V5R1 with the latest service pack. If you do not, you will not see the options shown below.
  2. Within Operations Navigator, click on the system for which you want to configure the Universal Connection. Then, enter the correct user name and password for that system.
  3. Click on Network and then Remote Access Services.
  4. Right-click on Originator Connection Profiles, as shown in Figure 2. You should then see the Universal Connection Wizard. Choose this option.

http://www.mcpressonline.com/articles/images/2002/VPNArticle601.png

Figure 2: The Universal Connection Wizard

  1. Once you click on the Universal Connection Wizard, you will see the Welcome screen shown in Figure 3. The Wizard will begin here and take you through the configuration. Click Next on this screen.

Figure 3: The Universal Connection Wizard Welcome screen

  1. The following screens will ask for service information and address information. The address information screen will extract information from the system's contact information, which many times is already filled out. After you verify that everything is filled out correctly for both screens, you will be shown the Location screen. In the Location screen, fill out the location information and hit Next, which will bring you to the Application screen.
  2. The options on the Application screen allow you to configure the connection for either Electronic Customer Support (ECS) or IBM Electronic Service Agent for AS/400. If you are looking to either use the ECS commands I discussed above or use remote support over VPN, choose the ECS option. If you are looking to transfer Service Agent information to IBM, choose the IBM Electronic Service Agent for AS/400 option.

http://www.mcpressonline.com/articles/images/2002/VPNArticle603.png

Figure 4: Configure the connection for the application of your choice

  1. The next screen is the Connection Type screen (Figure 5). This is the most important screen in this configuration. The only two options you are concerned about here are the direct connection to the Internet option and the multi-hop connection to the Internet option. The other two options deal with dial-up VPN connections, which is not in the scope of this article. In order to choose one of these options, you need to know where your iSeries system sits within your network. In this example, the iSeries system has an interface that reflects a globally routed IP address, so choose direct connection to the Internet.



http://www.mcpressonline.com/articles/images/2002/VPNArticle604.png

Figure 5: The Connection Type screen

  1. Since you know that the customer has an interface that is configured with a globally routed Internet IP address, you'll highlight that in the Interface screen, as shown in Figure 6.

http://www.mcpressonline.com/articles/images/2002/VPNArticle605.png

Figure 6: The Interface screen

  1. The last screen is the Summary (Figure 7). Verify what you chose and click the Finish button. The Universal Connection Wizard will then ask you if you want to test your connection. Hit the Test connection button to verify that your connection is configured correctly.

http://www.mcpressonline.com/articles/images/2002/VPNArticle606.png

Figure 7: The Summary screen

In this example, you configured the Universal Connection for ECS, so you will now be able to enter ECS commands such as SNDPTFORD, which allows you to download over 99 MB of PTFs over the Universal Connection. Since you now have Universal Connection configured, ECS commands will always go over the VPN connection instead of over modem lines. If the connection is not configured successfully, the ECS commands will still run over the modem lines.

Firewall Filter Rules

If you have a firewall between your iSeries and the Internet, you are not done yet. Certain filter rules must be configured on the firewall to allow the iSeries system to be configured.

After running the Universal Connection Wizard, you need to get the IP address that you are going to connect to within IBM. The reason you need this IP address is so that you can configure certain filter rules on your firewall. If you don't configure these filter rules, your iSeries will not be able to create the VPN connection through the firewall out to the Internet. Once you get the IP address, you will be able to configure very particular filter rules to IBM. To find this IP address, do the following:

  1. Within Operations Navigator, expand Network.
  2. Expand IP Policies.
  3. Expand Virtual Private Networking. (Note: If you don't see Virtual Private Networking when you expand IP Policies, it most likely means that you don't have 5722AC2 or 5722AC3 [Crypto Access Provider] installed on your iSeries system.)
  4. Expand IP Security Policies.
  5. Click on Internet Key Exchange Policies.
  6. Look for the IKE definition name that consists of four dot-separated numbers. The numbers refer to an IP address that we will designate as A.

IP Filter Rule That Needs to Be on Your Router Firewall
Filter Values
UDP Inbound traffic filter rule
Allow port 500 for source IP address A
UDP Outbound traffic filter rule
Allow port 500 for destination IP address A
ESP Inbound traffic filter rule
Allow ESP protocol (X'32') for source IP address A
ESP Outbound traffic filter rule
Allow ESP protocol (X'32') for destination IP address A

Going back to the Connection Type screen (Figure 5), let's look at the options for configuring a multi-hop connection. If your iSeries system is located on the local LAN and the correct configuration has been made on the Cisco routers, you will choose the option to configure a multi-hop connection to the Internet. In the following screen, you will enter the IP address of the router that will forward the packets from the local LAN either to the Internet or to an existing router. Once this IP address is entered, view the summary and test the connection to make sure it is running correctly. Again, the Redbook I mentioned above offers detailed descriptions.

Better, Faster

The Universal Connection has a lot to offer. It enhances customers' productivity by allowing them to quickly do such tasks as downloading PTFs, reporting problems, and sending Service Agent data and PM/400 data to IBM service machines. It also improves remote support by allowing Customer Support Engineers in Rochester to connect to customers' systems.

IBM is currently working on more productivity-enhancing changes to the Universal Connection and is also creating new software solutions that will also use the Universal Connection. Hopefully, many of you will configure the Universal Connection and take advantage of this VPN solution IBM has to offer.

Benjamin Garbers is a Software Engineer within the Rochester Support Center. He is currently spending time developing Internet applications for IBM's iSeries Technical Web site located at http://www.ibm.com/eserver/iseries/support.

BLOG COMMENTS POWERED BY DISQUS

LATEST COMMENTS

Support MC Press Online

$

Book Reviews

Resource Center

  • SB Profound WC 5536 Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application. You can find Part 1 here. In Part 2 of our free Node.js Webinar Series, Brian May teaches you the different tooling options available for writing code, debugging, and using Git for version control. Brian will briefly discuss the different tools available, and demonstrate his preferred setup for Node development on IBM i or any platform. Attend this webinar to learn:

  • SB Profound WP 5539More than ever, there is a demand for IT to deliver innovation. Your IBM i has been an essential part of your business operations for years. However, your organization may struggle to maintain the current system and implement new projects. The thousands of customers we've worked with and surveyed state that expectations regarding the digital footprint and vision of the company are not aligned with the current IT environment.

  • SB HelpSystems ROBOT Generic IBM announced the E1080 servers using the latest Power10 processor in September 2021. The most powerful processor from IBM to date, Power10 is designed to handle the demands of doing business in today’s high-tech atmosphere, including running cloud applications, supporting big data, and managing AI workloads. But what does Power10 mean for your data center? In this recorded webinar, IBMers Dan Sundt and Dylan Boday join IBM Power Champion Tom Huntington for a discussion on why Power10 technology is the right strategic investment if you run IBM i, AIX, or Linux. In this action-packed hour, Tom will share trends from the IBM i and AIX user communities while Dan and Dylan dive into the tech specs for key hardware, including:

  • Magic MarkTRY the one package that solves all your document design and printing challenges on all your platforms. Produce bar code labels, electronic forms, ad hoc reports, and RFID tags – without programming! MarkMagic is the only document design and print solution that combines report writing, WYSIWYG label and forms design, and conditional printing in one integrated product. Make sure your data survives when catastrophe hits. Request your trial now!  Request Now.

  • SB HelpSystems ROBOT GenericForms of ransomware has been around for over 30 years, and with more and more organizations suffering attacks each year, it continues to endure. What has made ransomware such a durable threat and what is the best way to combat it? In order to prevent ransomware, organizations must first understand how it works.

  • SB HelpSystems ROBOT GenericIT security is a top priority for businesses around the world, but most IBM i pros don’t know where to begin—and most cybersecurity experts don’t know IBM i. In this session, Robin Tatam explores the business impact of lax IBM i security, the top vulnerabilities putting IBM i at risk, and the steps you can take to protect your organization. If you’re looking to avoid unexpected downtime or corrupted data, you don’t want to miss this session.

  • SB HelpSystems ROBOT GenericCan you trust all of your users all of the time? A typical end user receives 16 malicious emails each month, but only 17 percent of these phishing campaigns are reported to IT. Once an attack is underway, most organizations won’t discover the breach until six months later. A staggering amount of damage can occur in that time. Despite these risks, 93 percent of organizations are leaving their IBM i systems vulnerable to cybercrime. In this on-demand webinar, IBM i security experts Robin Tatam and Sandi Moore will reveal:

  • FORTRA Disaster protection is vital to every business. Yet, it often consists of patched together procedures that are prone to error. From automatic backups to data encryption to media management, Robot automates the routine (yet often complex) tasks of iSeries backup and recovery, saving you time and money and making the process safer and more reliable. Automate your backups with the Robot Backup and Recovery Solution. Key features include:

  • FORTRAManaging messages on your IBM i can be more than a full-time job if you have to do it manually. Messages need a response and resources must be monitored—often over multiple systems and across platforms. How can you be sure you won’t miss important system events? Automate your message center with the Robot Message Management Solution. Key features include:

  • FORTRAThe thought of printing, distributing, and storing iSeries reports manually may reduce you to tears. Paper and labor costs associated with report generation can spiral out of control. Mountains of paper threaten to swamp your files. Robot automates report bursting, distribution, bundling, and archiving, and offers secure, selective online report viewing. Manage your reports with the Robot Report Management Solution. Key features include:

  • FORTRAFor over 30 years, Robot has been a leader in systems management for IBM i. With batch job creation and scheduling at its core, the Robot Job Scheduling Solution reduces the opportunity for human error and helps you maintain service levels, automating even the biggest, most complex runbooks. Manage your job schedule with the Robot Job Scheduling Solution. Key features include:

  • LANSA Business users want new applications now. Market and regulatory pressures require faster application updates and delivery into production. Your IBM i developers may be approaching retirement, and you see no sure way to fill their positions with experienced developers. In addition, you may be caught between maintaining your existing applications and the uncertainty of moving to something new.

  • LANSAWhen it comes to creating your business applications, there are hundreds of coding platforms and programming languages to choose from. These options range from very complex traditional programming languages to Low-Code platforms where sometimes no traditional coding experience is needed. Download our whitepaper, The Power of Writing Code in a Low-Code Solution, and:

  • LANSASupply Chain is becoming increasingly complex and unpredictable. From raw materials for manufacturing to food supply chains, the journey from source to production to delivery to consumers is marred with inefficiencies, manual processes, shortages, recalls, counterfeits, and scandals. In this webinar, we discuss how:

  • The MC Resource Centers bring you the widest selection of white papers, trial software, and on-demand webcasts for you to choose from. >> Review the list of White Papers, Trial Software or On-Demand Webcast at the MC Press Resource Center. >> Add the items to yru Cart and complet he checkout process and submit

  • Profound Logic Have you been wondering about Node.js? Our free Node.js Webinar Series takes you from total beginner to creating a fully-functional IBM i Node.js business application.

  • SB Profound WC 5536Join us for this hour-long webcast that will explore:

  • Fortra IT managers hoping to find new IBM i talent are discovering that the pool of experienced RPG programmers and operators or administrators with intimate knowledge of the operating system and the applications that run on it is small. This begs the question: How will you manage the platform that supports such a big part of your business? This guide offers strategies and software suggestions to help you plan IT staffing and resources and smooth the transition after your AS/400 talent retires. Read on to learn: