Many customers today still use the Electronic Customer Support (ECS) command Send PTF Order (SNDPTFORD) to download PTFs over modem lines; it's reliable, and they know it works. What some customers don't know is that there is a solution to quicken PTF downloads. This solution is called the Universal Connection.
The Universal Connection is a virtual private network (VPN) solution that allows a customer to configure a VPN tunnel to different IBM service machines. Once the Universal Connection is configured, a customer can do the following:
Use the ECS commands Send PTF Order (SNDPTFORD), Send Service Request (SNDSRVRQS), Query Problem Status (QRYPRBSTS), and Order Supported PTFs (ORDSPTPTF). It is important to note that you can now download over 99 MB of PTFs through this connection.
Transfer Service Agent data to IBM service machines. IBM can then determine what system parameters, error conditions, and system and software configurations are on the customer's system. This helps IBM provide quality service to its customers, updating them on possible HIPER PTFs and upgrades.
Transfer PM/400 data to IBM service machines. IBM can then analyze this information and advise the customer as to when they might need an upgrade. IBM can also create graphical information about a customer's iSeries system performance and compare it to other customer systems.
Use remote support to allow a Customer Support Engineer in Rochester to connect to a customer's system for problem determination. This enhancement was released in V5R1. Simply load and apply PTFs SI02764, SI04969, and SI03364. This will allow the Rochester Support Center to gain access to Telnet sessions of the customer's system and also allow them to use GUI applications such as Operations Navigator, HTTP Administration Server, Lotus Notes Client, and WebSphere Console.
For customers, the advantage of having the Universal Connection configured for the iSeries is that it does things faster than a modem connection does. The key to all of this is the configuration of the Universal Connection. A customer's iSeries system must have a globally routed IP address to the Internet, meaning the system must look like it is located on the Internet either by giving it an Internet IP address or by configuring firewall filter rules--or even possibly by using different types of routing.
To configure the Universal Connection, a customer must know what is between the iSeries and the Internet because VPN packets need to be able to flow from the iSeries to the Internet. Many customers have firewalls between their iSeries systems and the Internet that block packets from being passed. When this occurs, filter rules need to be configured to allow the VPN tunnel to be established. Here are some examples:
For customers who use their iSeries as a Web server, the iSeries is most likely on the Internet. This means that there is no device between the iSeries and the Internet. The customer has to configure only the iSeries, not any other external devices such as a firewall.
Most customers have their iSeries system within a Demilitarized Zone (DMZ) with a firewall between the iSeries and the Internet. Later, I'll explain what filter rules need to be configured to allow a VPN connection to go through the customer's firewall.
An iSeries might sit within the local intranet, outside of the DMZ. Figure 1 below shows what this might look like. The local intranet is usually connected to the DMZ by a router, and the DMZ has a router of its own, which is connected to the Internet. Additional configuration must be done to the Cisco router to allow the VPN connection to be established from the iSeries to the Cisco router.
The types of configuration for the Universal Connection are explained in detail in Chapter 5 of the IBM Redbook iSeries Universal Connection for Electronic Support and Service (SG24-6224). This chapter explains the many different Universal Connection configuration scenarios, depending on where an iSeries sits within the network.
Figure 1: An iSeries within the local intranet, outside of the DMZ
Once the customer knows where the iSeries sits within the network and once the system has a globally routed IP address to the Internet, configuring the Universal Connection is a matter of a few clicks. Keep in mind that the VPN connection can be set up only if the customer has an OS/400 release of V5R1 or later as well as Client Access Express for Windows V5R1 with the latest service pack installed on their PC.
It is important to note that the Universal Connection doesn't currently support firewalls that perform Network Address Translation (NAT). If you have a NAT-performing firewall between your iSeries and the Internet, you will not be able to configure the Universal Connection. However, in V5R2, Universal Connection will support NAT firewalls and other NAT devices.
Configuring a System That Has a Globally Routed IP Address
Let me take you through an example of the steps to configure the Universal Connection for a system that has an interface with a globally routed IP address. This iSeries sits right in front of a firewall that does not perform NAT but does block all ports except for 80.
- Open up Operations Navigator. Remember that you must have IBM Client Access Express for Windows V5R1 with the latest service pack. If you do not, you will not see the options shown below.
- Within Operations Navigator, click on the system for which you want to configure the Universal Connection. Then, enter the correct user name and password for that system.
- Click on Network and then Remote Access Services.
- Right-click on Originator Connection Profiles, as shown in Figure 2. You should then see the Universal Connection Wizard. Choose this option.
Figure 2: The Universal Connection Wizard
- Once you click on the Universal Connection Wizard, you will see the Welcome screen shown in Figure 3. The Wizard will begin here and take you through the configuration. Click Next on this screen.
Figure 3: The Universal Connection Wizard Welcome screen
- The following screens will ask for service information and address information. The address information screen will extract information from the system's contact information, which many times is already filled out. After you verify that everything is filled out correctly for both screens, you will be shown the Location screen. In the Location screen, fill out the location information and hit Next, which will bring you to the Application screen.
- The options on the Application screen allow you to configure the connection for either Electronic Customer Support (ECS) or IBM Electronic Service Agent for AS/400. If you are looking to either use the ECS commands I discussed above or use remote support over VPN, choose the ECS option. If you are looking to transfer Service Agent information to IBM, choose the IBM Electronic Service Agent for AS/400 option.
Figure 4: Configure the connection for the application of your choice
- The next screen is the Connection Type screen (Figure 5). This is the most important screen in this configuration. The only two options you are concerned about here are the direct connection to the Internet option and the multi-hop connection to the Internet option. The other two options deal with dial-up VPN connections, which are not in the scope of this article. In order to choose one of these options, you need to know where your iSeries system sits within your network. In this example, the iSeries system has an interface that reflects a globally routed IP address, so choose direct connection to the Internet.
Figure 5: The Connection Type screen
- Since you know that the customer has an interface that is configured with a globally routed Internet IP address, you'll highlight that in the Interface screen, as shown in Figure 6.
Figure 6: The Interface screen
- The last screen is the Summary (Figure 7). Verify what you chose and click the Finish button. The Universal Connection Wizard will then ask you if you want to test your connection. Hit the Test connection button to verify that your connection is configured correctly.
Figure 7: The Summary screen
In this example, you configured the Universal Connection for ECS, so you will now be able to enter ECS commands such as SNDPTFORD, which allows you to download over 99 MB of PTFs over the Universal Connection. Since you now have Universal Connection configured, ECS commands will always go over the VPN connection instead of over modem lines. If the connection is not configured successfully, the ECS commands will still run over the modem lines.
Firewall Filter Rules
If you have a firewall between your iSeries and the Internet, you are not done yet. Certain filter rules must be configured on the firewall to allow the iSeries system to be configured.
After running the Universal Connection Wizard, you need to get the IP address that you are going to connect to within IBM. The reason you need this IP address is so that you can configure certain filter rules on your firewall. If you don't configure these filter rules, your iSeries will not be able to create the VPN connection through the firewall out to the Internet. Once you have the IP address, you can configure filter rules that are restricted to that one IBM address rather than opening IKE and ESP to the whole Internet. To find this IP address, do the following:
- Within Operations Navigator, expand Network.
- Expand IP Policies.
- Expand Virtual Private Networking. (Note: If you don't see Virtual Private Networking when you expand IP Policies, it most likely means that you don't have 5722AC2 or 5722AC3 [Crypto Access Provider] installed on your iSeries system.)
- Expand IP Security Policies.
- Click on Internet Key Exchange Policies.
- Look for the IKE definition name that consists of four dot-separated numbers. The numbers refer to an IP address that we will designate as A.
| IP Filter Rule That Needs to Be on Your Router Firewall | Filter Values |
|---|---|
| UDP Inbound traffic filter rule | Allow port 500 for source IP address A |
| UDP Outbound traffic filter rule | Allow port 500 for destination IP address A |
| ESP Inbound traffic filter rule | Allow ESP protocol (X'32') for source IP address A |
| ESP Outbound traffic filter rule | Allow ESP protocol (X'32') for destination IP address A |
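To check that the four rules above are scoped the way the table intends, here is an added example (not code from the article or from IBM) that models them as a default-deny packet filter and evaluates constructed packets. The IBM address A and the iSeries address are placeholder values, and ESP is written as IP protocol 50, which is what the table's X'32' hex notation denotes.

```python
# Added example: a model of the four Universal Connection filter rules.
# IBM_A stands in for the IKE-policy address "A" found in Operations Navigator;
# both addresses below are constructed placeholders from documentation ranges.
from dataclasses import dataclass
from typing import Optional

IBM_A = "192.0.2.10"        # placeholder for IBM service machine address A
UDP, ESP = 17, 50           # ESP is X'32' in the table, i.e. protocol 50 decimal
assert int("32", 16) == ESP  # the table's hex value really is protocol 50


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    proto: int              # IP protocol number
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


# One entry per table row: (direction, protocol, port, which address must be A).
RULES = [
    ("in", UDP, 500, "src"),    # UDP inbound, port 500, source = A
    ("out", UDP, 500, "dst"),   # UDP outbound, port 500, destination = A
    ("in", ESP, None, "src"),   # ESP inbound, source = A
    ("out", ESP, None, "dst"),  # ESP outbound, destination = A
]


def matches(rule, pkt: Packet) -> bool:
    """True if this one rule permits the packet."""
    direction, proto, port, addr_field = rule
    if pkt.direction != direction or pkt.proto != proto:
        return False
    if getattr(pkt, addr_field) != IBM_A:   # rule is pinned to address A
        return False
    if port is None:                         # ESP carries no ports
        return True
    return pkt.sport == port and pkt.dport == port   # IKE uses UDP 500/500


def allowed(pkt: Packet) -> bool:
    """Default deny: the packet passes only if some table rule matches it."""
    return any(matches(rule, pkt) for rule in RULES)
```

Anything the model denies that your real firewall allows (or vice versa) is a rule that needs a second look; in particular, ESP from any source other than A and IKE on a port other than 500 stay blocked.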
Going back to the Connection Type screen (Figure 5), let's look at the options for configuring a multi-hop connection. If your iSeries system is located on the local LAN and the correct configuration has been made on the Cisco routers, you will choose the option to configure a multi-hop connection to the Internet. In the following screen, you will enter the IP address of the router that will forward the packets from the local LAN either to the Internet or to an existing router. Once this IP address is entered, view the summary and test the connection to make sure it is running correctly. Again, the Redbook I mentioned above offers detailed descriptions.
Better, Faster
The Universal Connection has a lot to offer. It enhances customers' productivity by allowing them to quickly do such tasks as downloading PTFs, reporting problems, and sending Service Agent data and PM/400 data to IBM service machines. It also improves remote support by allowing Customer Support Engineers in Rochester to connect to customers' systems.
IBM is currently working on more productivity-enhancing changes to the Universal Connection and is also creating new software solutions that will also use the Universal Connection. Hopefully, many of you will configure the Universal Connection and take advantage of this VPN solution IBM has to offer.
Benjamin Garbers is a Software Engineer within the Rochester Support Center. He is currently spending time developing Internet applications for IBM's iSeries Technical Web site located at http://www.ibm.com/eserver/iseries/support.