VPNAccessoverMobileWeb1.2b.doc Page 1 of 29

VPN Access over Mobile Web Support Overview

Version 1.2 - November 2002

In Confidence

Contents

1 INTRODUCTION
2 VIRTUAL PRIVATE NETWORK (VPN)
  2.1 VPNS
  2.2 VPN ACCESS OVER MOBILE WEB
  2.3 THE BENEFITS OF A MOBILE VPN INCLUDE
3 BEFORE YOU START – WHAT DO YOU NEED TO KNOW?
  3.1 BASIC VPN SOLUTION REQUIREMENTS
    3.1.1 Nortel
    3.1.2 Cisco
    3.1.3 Checkpoint
    3.1.4 Sonic
    3.1.5 Other IPSec based VPN solutions
    3.1.6 Microsoft PPTP based VPN
    3.1.7 L2TP based VPN
  3.2 IPSEC AND NAT TRAVERSAL
    3.2.1 Overview
    3.2.2 Detailed Technical Explanation
  3.3 COMPATIBLE DEVICES MATRIX
  3.4 DETAILED VPN SPECIFIC REQUIREMENTS
4 GETTING SET UP
  4.1 CHECKLIST AND FLOW DIAGRAM
    4.1.1 Define - Hardware and Connection Method
    4.1.2 VPN - Product selection
    4.1.3 VPN – LAN set-up and configuration
    4.1.4 VPN - Client install and configuration
    4.1.5 Mobile Web – Tariff selection and Provisioning
    4.1.6 Mobile Web - Connection set-up
    4.1.7 Connect and use VPN over Mobile Web
    4.1.8 Xda and Pocket PC devices
5 USING YOUR VPN OVER MOBILE WEB
  5.1 LAPTOP USER GUIDE
  5.2 TIPS FOR USING LESS DATA
    5.2.1 Use Web based Outlook
    5.2.2 Keep alive functionality
    5.2.3 Logging into your domain at start-up
    5.2.4 Mapped network drives
    5.2.5 Outlook configuration
  5.3 TIPS FOR USING A MOBILE VPN
    5.3.1 Use in good coverage
  5.4 HOW MUCH DATA ARE YOU USING?
    5.4.1 Mobile Web Application
    5.4.2 Windows Dial Up Networking
6 TROUBLESHOOTING AND SUPPORT

  6.1 CARE MODEL AND HANDOFF POINTS
    6.1.1 O2 Support
    6.1.2 VPN Support
    6.1.3 LAN Support
  6.2 O2 PROFESSIONAL SERVICES
  6.3 TROUBLESHOOTING
7 CHANGE REQUESTS
8 REFERENCES
9 APPENDICES
  9.1 APPENDIX A – MOBILE WEB SERVICE SUMMARY
    9.1.1 Key Benefits of Mobile Web
    9.1.2 Mobile Web Core Features
    9.1.3 Devices
    9.1.4 Getting Started Application
    9.1.5 Service Settings
    9.1.6 Resilience
    9.1.7 Supported Protocols & Ports
  9.2 APPENDIX B – MOBILE WEB DEVICES MATRIX
  9.3 APPENDIX C – GLOSSARY OF TERMS
  9.4 APPENDIX D – FURTHER XDA INFORMATION
    9.4.1 How to set up the Microsoft PPTP VPN client on xda
    9.4.2 Manual Connect Method 1
    9.4.3 Manual Connect Method 2
    9.4.4 How to upgrade your xda to the latest software version

1 Introduction

Mobile Web is a GPRS service from O2 UK that provides consumer and business customers with ‘full Internet access and email on the move’ up to 5 times faster than standard GSM access. A VPN (Virtual Private Network) is a technology used by companies to allow computers connected to the Internet to securely access the corporate LAN and therefore gain access to critical company information and applications. The Mobile Web service can be used to gain mobile access to a wide number of VPN solutions, allowing a business customer to access their LAN-based email, calendar and intranet securely when out of the office – anywhere with O2 network coverage.

The set-up of Mobile Web for use with a VPN solution is very quick, simple, and inexpensive. It is therefore an attractive method of gaining access to office email and applications for UK businesses and IT departments alike.

This document outlines the technical requirements for VPN access over Mobile Web so that a VPN solution provider, or an IT manager can ascertain whether or not their VPN solution may be used with the Mobile Web service. The goal is to clearly describe the capabilities of the Mobile Web service and its uses with VPNs, rather than the full details of how the service operates.

This Support Overview gives guidance on how to set up and use Mobile Web for VPN access, to assist IT managers to set up and use their VPN with Mobile Web. During pre-launch market research and trial, we identified some of the information needs of the IT manager, and we hope that this document proves useful in helping businesses take their VPN on the move over Mobile Web.

This is the second release of this document, which has been expanded to include a number of additional VPN solutions that have been tested internally and with customers using Mobile Web.

It should be noted that each VPN is different and O2 does not take responsibility to support the VPN your company runs nor guarantee its compatibility with the Mobile Web service from O2. O2 is only responsible for delivering the Mobile Web service under the terms of the Mobile Web Service agreement.

O2 Mobile Web will continue to evolve, and will over time have additional features and technical capabilities added.

2 Virtual Private Network (VPN)

2.1 VPNs

VPN technology has emerged as one of the most effective and popular ways of allowing remote users to securely access corporate email and intranets. Conventionally the access to the corporate network has been provided through a fixed line, be that leased line, PSTN, ISDN, or Broadband connection.

A VPN solution allows computers connected to the Internet to securely access the corporate LAN and therefore gain access to critical company information and applications.

2.2 VPN Access over Mobile Web

It is now possible to extend the reach of a VPN solution to anywhere with O2 coverage, by connecting through the Mobile Web service from O2.

O2 has developed the Mobile Web service to support a wide number of VPN solutions, outlined in section 3.1 below. The benefits of using a VPN are clearly understood by the organisations that use them. Gaining mobile access to a VPN allows the employees of the organisation to work with greater freedom, flexibility, and speed. Deployment of your VPN over the Mobile Web service is also a low cost and quick way to get your workforce mobile, using your existing investment in a VPN infrastructure.

Note that O2 strongly recommends that Pocket PC based devices such as the xda should be used only with the pre-installed Microsoft PPTP client to enable VPN access over Mobile Web. During trial and test activities where we did not use the Microsoft PPTP client, unsatisfactory customer experiences were encountered due to VPN client set up and use characteristics.

2.3 The benefits of a Mobile VPN include

• Manage your corporate email on the move - now not later
  • Make productive use of ‘in-transit’ time - no need to wait until you’re in the office to clear your company emails - link through your corporate VPN from wherever you are
  • Improve your level of customer service by accessing the price list requested during your meeting from your Intranet - then email it to your customer from their offices!

• Business information you need, wherever and whenever you need it
  • Read up on your client en route to their office and impress with up to the minute knowledge of their latest public announcement
  • Access company databases over your VPN - look up stock availability and take the order while you are at your customer’s offices

• Get mobile using your existing kit
  • You’ve already invested in a VPN infrastructure – get more from your investment by giving your team mobile access from anywhere
  • Only small changes are made to your VPN client to take your remote access mobile
  • Use your existing laptops to link to your VPN over Mobile Web with a GPRS handset or GPRS card
  • Use Pocket PC devices including the award winning xda from O2, with PPTP based VPNs

• Simple and flexible set up and pricing
  • IT Departments quote set up of the VPN to use Mobile Web can take as little as 30 minutes!
  • Provision mobile workers as and when you like – there are no minimum numbers of users of Mobile Web, and there is a range of competitive tariffs to suit your needs
  • A cost effective method of providing remote access.

3 Before you Start – What do you need to know?

Getting Started Checklist:

• Suitable VPN infrastructure – Section 3.1
• NAT Traversal set-up (if using an IPSec based VPN product) – Section 3.2
• Devices with client software are compatible with the Mobile Web service – Appendix B

3.1 Basic VPN Solution Requirements

Most VPN solutions can be run over Mobile Web to provide secure connectivity to gain mobile access to a business LAN. This will complement existing fixed line access methods such as leased lines, PSTN, ISDN, or ADSL.

The following IPSec based VPN products have been tested successfully in conjunction with O2’s Mobile Web service:

3.1.1 Nortel

• Server side: Contivity 2600 platform running version 04_00.781 software.
• Client side: Contivity VPN client version V04_12.03.
• NAT Traversal required.

3.1.2 Cisco

• Server side: Cisco VPN 3005 concentrator running version 3.5.2 release k9 software.
• Client side: Cisco Systems VPN client version 3.5.1.
• NAT Traversal required.

3.1.3 Checkpoint

• Checkpoint Firewall 1
• Server side: version 4.1 SP2.
• Client side: version 4.1 SP2.
• UDP encapsulation required.

The steps detailed below are known to allow Checkpoint 1 VPN clients to successfully work with O2’s Mobile Web service:

• Ensure that the VPN client is using UDP encapsulation - there is an option in the userc.c file on the client - :force_udp_encapsulation (true).
• Add the O2 private address range to the allowed addresses on the firewall’s Internet interface (e.g. 10.246.0.0 to 10.249.255.255). This is only necessary if anti-spoofing is enabled on that interface, which is not the default configuration (though many customers believe the use of anti-spoofing is advisable).
• Add a manual address translation rule, so that any user coming from the O2 private address range has their source IP address converted to use one of the firewall’s external addresses. These addresses are routable from internal services.

Practical experience indicates that the Checkpoint firewall solution will decrypt the packet from the client and then apply the policy properties (including anti spoofing), address translation rules, and rule base to the encapsulated packet.

3.1.4 Sonic

• Server side: firmware version 6.3.0.0.
• Client side: version 8.
• UDP encapsulation required.

The steps detailed below are known to allow Sonic VPN clients to successfully work with O2’s Mobile Web service:

• Add a manual address translation rule, so that any user coming from the O2 private address range has their source IP address converted to use one of the firewall’s external addresses. These addresses are routable from internal services.

Practical experience indicates that the Sonic solution will decrypt the packet from the client and then apply the policy properties, address translation rules, and rule base to the encapsulated packet.

3.1.5 Other IPSec based VPN solutions

• In principle other IPSec based solutions used in conjunction with NAT Traversal will function over Mobile Web.
• An IPSec based VPN solution cannot be used with Mobile Web without NAT Traversal. NAT Traversal is required to ‘wrap’ the IPSec traffic in UDP, as native IPSec is not supported.
• NOTE: ‘NAT Traversal’ is also known as ‘UDP Encapsulation’

3.1.6 Microsoft PPTP based VPN

• Microsoft PPTP based VPN solutions can be used with the Mobile Web service.
• The VPN client of the xda from O2 is a Microsoft PPTP client, which can be used for this purpose (see Appendix D for further information).
• NAT traversal will not be required when using a PPTP based solution.

3.1.7 L2TP based VPN

• L2TP based VPN solutions can be used with the Mobile Web service.
• NAT traversal is not required when using a PPTP based solution.

3.2 IPSec and NAT Traversal

3.2.1 Overview

NAT Traversal is required in order to run an IPSec based VPN over Mobile Web. NAT Traversal effectively ‘wraps’ the native IPSec protocol in UDP, which allows it to pass through the Mobile Web service. Without NAT Traversal a secure VPN tunnel cannot be established, and the VPN session cannot therefore be initiated. IPSec is not natively supported by the Mobile Web service.

Please note that NAT Traversal will not be required for PPTP based VPN solutions. A detailed technical explanation follows below.

3.2.2 Detailed Technical Explanation

IPSec is a framework of open standards that provide data confidentiality, data integrity and data authentication between participating peers at the IP layer. IPSec can be used to protect one or more data flows between IPSec peers.

Ensuring packet integrity is one of the major problems associated with IPSec based VPN solutions. Packets that are ‘Network Address Translated’ have their original packet modified. Modification of an IPSec packet will result in a failed integrity check and the VPN tunnel will not be created.

NAT can cause a number of problems when IPSec solutions are employed (refer to [1], [2]):

• Either in transport or in tunnel mode, the IPSec Authentication Header (AH) authenticates the whole IP datagram. When NAT modifies the IP header IPSec evaluates this as a violation of integrity and discards the packet. Consequently, AH and NAT cannot work together.

• The IPSec Encapsulating Security Payload (ESP) in transport mode protects the TCP/UDP header, but does not care about the source and destination IP addresses. Thus, modification of the IP address does not violate the integrity check. However, when TCP or UDP are involved – as they are in transport mode ESP – there is a problem. Because NAT modifies the TCP packet, NAT must also recalculate the checksum used to verify integrity. If NAT updates the TCP checksum, TCP verification will fail.

• Even if ESP is used in tunnel mode, problems may still arise with Internet Key Exchange (IKE). IPSec based VPN solutions use IKE to automate security association set-up and to authenticate end-points. The most basic and common method of authentication in use today is ‘pre-shared key’. Unfortunately, this method depends upon the source IP address of the packet. If NAT is inserted between endpoints, the outer source IP address will be translated into the address of the NAT router, and will no longer identify the originating security gateway.

In recognition of the issues associated with using IPSec VPN solutions in a NAT scenario the IETF has developed a technique called ‘NAT traversal’ (sometimes known as ‘UDP Encapsulation’).

NAT traversal causes the remote user’s PC to apply a UDP header between the IP encapsulation header and the Encryption Security Protocol (ESP) 50 header – ESP is a set of IETF standard encryption and packet authentication services per RFC 2406. When packets leave the user’s laptop and pass through the organisation’s firewall, NAT or NAPT translates based on the new UDP header. The new UDP header is removed at the VPN concentrator along with the IP encapsulation header and the ESP 50 header [3].
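The effect of address translation on AH, on transport-mode ESP and on UDP-encapsulated ESP can be reproduced with a small packet model. The Python below is an added example, not part of the original O2 document. The key, SPI, addresses and ports are constructed, UDP port 4500 is an assumption taken from RFC 3948 because the document names no port, and encryption is left out because only the integrity checks are at issue.

```python
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, replace

KEY = b"constructed-sa-key"   # constructed; stands in for the negotiated integrity key
ENCAP_PORT = 4500             # assumption: RFC 3948 port, the document names no port

@dataclass(frozen=True)
class Packet:
    src: str      # outer IP source address
    dst: str      # outer IP destination address
    proto: int    # 51 = AH, 50 = ESP, 17 = UDP
    body: bytes

def addr(a):
    return socket.inet_aton(a)

def icv(data):  # HMAC-SHA1-96 integrity check value
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def checksum(data):  # 16-bit one's complement Internet checksum
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo(src, dst, length):  # TCP pseudo-header: addresses, protocol 6, length
    return addr(src) + addr(dst) + struct.pack("!BBH", 0, 6, length)

def tcp_segment(src, dst, payload):
    # 20-byte TCP header plus payload; the checksum covers the IP pseudo-header.
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    csum = checksum(pseudo(src, dst, len(hdr) + len(payload)) + hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def tcp_ok(src, dst, segment):
    return checksum(pseudo(src, dst, len(segment)) + segment) == 0

def ah_wrap(src, dst, segment):
    # AH authenticates the IP addresses as well as the payload.
    return Packet(src, dst, 51, icv(addr(src) + addr(dst) + segment) + segment)

def ah_ok(p):
    tag, segment = p.body[:12], p.body[12:]
    return hmac.compare_digest(tag, icv(addr(p.src) + addr(p.dst) + segment))

def esp_wrap(inner, spi=0x1001, seq=1):
    # ESP authenticates SPI, sequence number and payload, not the outer IP header.
    esp = struct.pack("!II", spi, seq) + inner
    return esp + icv(esp)

def esp_unwrap(esp):
    body, tag = esp[:-12], esp[-12:]
    return body[8:] if hmac.compare_digest(tag, icv(body)) else None

def udp_encap(src, dst, esp):
    # UDP header inserted between the outer IP header and ESP; checksum 0 = unused.
    udp = struct.pack("!HHHH", ENCAP_PORT, ENCAP_PORT, 8 + len(esp), 0)
    return Packet(src, dst, 17, udp + esp)

def nat(p, public_ip, public_port):
    # NAPT: rewrite the outer source address, and the source port if UDP.
    body = p.body
    if p.proto == 17:
        body = struct.pack("!H", public_port) + body[2:]
    return replace(p, src=public_ip, body=body)

def run_scenarios():
    client, gateway = "10.246.1.20", "192.0.2.10"      # constructed addresses
    nat_ip, nat_port, server = "198.51.100.7", 61001, "172.16.5.9"
    data = b"GET / HTTP/1.0\r\n\r\n"
    r = {}
    # 1. AH: the translated source address no longer matches the ICV.
    ah = ah_wrap(client, gateway, tcp_segment(client, gateway, data))
    r["ah_before_nat"] = ah_ok(ah)
    r["ah_after_nat"] = ah_ok(nat(ah, nat_ip, nat_port))
    # 2. ESP transport mode: the ICV survives, but the TCP checksum inside ESP
    #    was computed over the original addresses and the NAT cannot touch it.
    esp = nat(Packet(client, gateway, 50,
                     esp_wrap(tcp_segment(client, gateway, data))), nat_ip, nat_port)
    seg = esp_unwrap(esp.body)
    r["esp_icv_after_nat"] = seg is not None
    r["esp_tcp_after_nat"] = tcp_ok(esp.src, esp.dst, seg)
    # 3. UDP-encapsulated ESP, tunnel mode: only outer IP and UDP headers change.
    inner = addr(client) + addr(server) + tcp_segment(client, server, data)
    out = nat(udp_encap(client, gateway, esp_wrap(inner)), nat_ip, nat_port)
    got = esp_unwrap(out.body[8:])               # concentrator strips the UDP header
    r["natt_icv"] = got is not None
    r["natt_sport"] = struct.unpack("!H", out.body[:2])[0]
    r["natt_tcp"] = tcp_ok(socket.inet_ntoa(got[:4]), socket.inet_ntoa(got[4:8]), got[8:])
    return r

if __name__ == "__main__":
    print(run_scenarios())
```

Only the third case passes every check after translation, which is why the Mobile Web service requires NAT Traversal for IPSec based clients.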

NAT translation needs to be intact for the period of the VPN tunnel. Consequently, 'keep alive' packets must be sent between the VPN client and server. A keep alive is a small UDP packet sent on a regular basis to prevent the session from being lost. It should also be noted that the Mobile Web service will terminate UDP sessions if periods of inactivity exceed 30 minutes.

3.3 Compatible Devices Matrix

O2 has tested a number of GPRS devices such as phones, Novatel Data Cards, and the ‘all in one’ xda to ensure they function correctly with the Mobile Web service. Appendix B details the results of our testing activity in the form of a ‘recommended combinations matrix’.

The matrix clearly shows which GPRS devices can be used with which Laptop or PDA operating system, and is prescriptive to the following level:

• GPRS device software version – some earlier versions of software will not function.
• Connection method – specific attention should be drawn to whether you would like to connect using infrared, cable or Bluetooth.
• Laptop or PDA Operating System – in certain cases a later OS release will be required. Certain devices such as the Novatel Data card place high IT demands during the set-up phase on NT4, and are therefore not recommended.

Please note that separate requirements may exist for any particular VPN client, and you should check with your VPN solution supplier regarding which operating systems their clients are compatible with.

O2 recommends the use of a Novatel GPRS Data Card with a Laptop PC, and an xda using Microsoft PPTP for the best Mobile VPN experience.

3.4 Detailed VPN Specific Requirements

You should consult your VPN vendor, or Systems Integrator to establish if there are any specific requirements that your existing VPN solution may have for using Mobile Web.

During trial and testing activity at O2, we have found instances where a certain Laptop software version is required in order to run a VPN client.

We have also received feedback about the set-up complexities of Pocket PC VPN clients. We have highlighted these concerns in this document. You should carefully discuss the suitability of Pocket PC VPN client software, and performance of the software when mobile, with your VPN software provider.

Furthermore it is important to be clear about the requirement for an IPSec based VPN solution to have a NAT Traversal function. An IPSec based VPN solution cannot be used with Mobile Web without NAT Traversal.

Microsoft PPTP does not require NAT traversal as it is not IPSec based.

4 Getting Set up

4.1 Checklist and flow diagram

The flow diagram below indicates a likely flow of activities for a business customer to select and deploy a Mobile VPN solution.

Where a customer already has an existing VPN solution, the process simply involves a reconfiguration of the existing VPN solution to work over the Mobile Web service from O2 rather than a full installation.

The IT Manager should determine whether the existing VPN solution can be used with Mobile Web by reviewing section 3.1.

4.1.1 Define - Hardware and Connection Method

• The business IT manager must determine, based on the organisation’s needs and the available options, which devices and connection method the VPN service will be used with.
• Consideration should be made of the devices supported by Mobile Web by referring to Appendix B.
• Consideration should be made of the VPN vendor’s supported hardware matrix by consulting with the VPN supplier or your systems integrator.
• Please note that O2 recommends the use of a Novatel GPRS Data Card with a laptop for IPSec or Microsoft PPTP based VPNs, or an xda using Microsoft PPTP for the best Mobile VPN experience.
• O2 only recommends the use of Pocket PC based handheld devices for use with a Microsoft PPTP based VPN service, as we have seen difficulties in both set up and use of IPSec based solutions on Pocket PC devices during our test and trial activities.

4.1.2 VPN - Product selection

• Based on the chosen hardware, and required connection methods, the IT manager would then evaluate the available VPN product candidates, and select a suitable candidate.
• Consideration should be made of the requirement for IPSec based VPN solutions to support NAT traversal for use of the VPN with Mobile Web.

[Flow diagram: Define Hardware and Connection Method → VPN Product Selection → VPN LAN Set-up and Configuration → VPN Client Set-up and Configuration → Mobile Web Tariff Selection and Provisioning → Mobile Web Connection Set-up → Connect and Use Mobile VPN]

4.1.3 VPN – LAN set-up and configuration

• The IT manager would contract the VPN supplier or Systems Integrator to undertake any LAN set-up work required for the VPN to be used.
• Consideration should be made for configuring the VPN solution to accept a mobile connection from O2’s Mobile Web service – please discuss this with your VPN supplier or Systems Integrator if you have any questions.

4.1.4 VPN - Client install and configuration

• The IT manager would liaise with the VPN supplier or systems integrator to understand the process for client install and configuration required for the VPN to be used.
• Detailed instructions on how to configure the Microsoft PPTP VPN client on the xda are contained in Appendix D.
• Consideration should be made for the various methods of connection required, including Mobile Web from O2.

4.1.5 Mobile Web – Tariff selection and Provisioning

• Based on discussion with the O2 account manager, the IT manager should choose the most appropriate tariff option for the intended number of VPN over Mobile Web users.
• The normal process will apply for signing up to a Mobile Web subscription. The O2 account manager or O2 service provider will explain this process.
• An existing O2 SIM card can have Mobile Web provisioned on it, or a new data only SIM card can be used. All new voice connections with O2 are automatically provisioned with Mobile Web Pay-as-you-use Data.
• Customers who would like to keep their mobile phones separate from their mobile data or VPN use are recommended to use a Novatel GPRS Data Card, or xda from O2 with a stand alone data SIM for their Mobile Web connection.

4.1.6 Mobile Web - Connection set-up

• Where required the O2 Mobile Web application can be installed following the instructions set out in the O2 Mobile Web getting started guide.
• The ‘Getting Started’ document details the set-up process and user guide for Mobile Web on a Windows Powered Laptop PC.
• The latest version of the Mobile Web Getting Started Application and User Guide can be found by visiting www.o2.co.uk/mobileweb.
• In the case of setting up Mobile Web for use with the Novatel Merlin GPRS card, the card manufacturer’s CD software should be used.
• Please note that if using a Pocket PC device such as the xda from O2, we strongly recommend the use of the Microsoft PPTP client pre-installed on the device (see Appendix D for details).
• Alternatively DUN (Dial up Networking) profiles could be configured so that a seamless integrated one click VPN connection experience could be achieved.
• Manual DUN set-up instructions can be found by visiting www.o2.co.uk/mobileweb.

4.1.7 Connect and use VPN over Mobile Web

• The VPN can be used when mobile in one of two ways, depending on whether the Mobile Web application has been installed, or DUN settings have been manually used. Please note that installation of the Novatel Merlin GPRS card software will automatically create a DUN profile.
• If the O2 Mobile Web application has been installed, the customer should first create a connection by double clicking on the O2 icon on the PC screen, then clicking ‘Connect’. Once connected to the internet over Mobile Web, the normal VPN connection process should then be followed to open up the VPN access into the LAN.

• If a DUN profile has been set up, the customer would follow the normal VPN connection process. The VPN client should be able to initiate the dial up session to Mobile Web in a single integrated process. The actual customer experience in this scenario will depend on the VPN client used.

4.1.8 Xda and Pocket PC devices

If you wish to use the xda from O2, or any other Pocket PC device, we recommend that the Microsoft PPTP client pre-installed on the xda should be used.

During test and trial activities we found that a satisfactory customer experience is not assured at all times if an IPSec based client is used on a Pocket PC device.

Due to the extremely mobile nature of Pocket PC devices, the device can often move in and out of coverage. In an IPSec based solution, the VPN sees the loss of the connection as a threat to the secure session, and it reacts by closing down the VPN session completely. A PPTP based connection will not ‘close down’ the whole VPN session; it will resume it when the Pocket PC device moves back into coverage.

We do not expressly support or recommend any IPSec based Pocket PC VPN client. We strongly recommend that you discuss Pocket PC VPN client suitability with your VPN supplier or systems integrator before proceeding.

Please refer to Appendix D for more detailed xda information.

5 Using your VPN over Mobile Web

5.1 Laptop User Guide

The latest version of the Mobile Web Getting Started Application and User Guide can be found by visiting www.o2.co.uk/mobileweb. This explains how to set up and use the Mobile Web service using the Mobile Web application.

Manual instructions for setting up DUN (Dial up Networking) connections can also be found at the URL above.

The use of the VPN client on a laptop would be explained and supported by the VPN vendor or your systems integrator, as it is not a component that O2 supplies. O2 supplies the Mobile Web service and can only provide advice and support on this service.

In general terms, the user of the Mobile VPN will have the same experience as if they are using the VPN on a fixed line connection, other than the following points:

• The GPRS phone should be connected to the Laptop by Infrared, Cable (recommended) or Bluetooth, before the VPN session is initiated.
• If using a Novatel Merlin GPRS Data Card the card must be inserted before starting.
• If using the Mobile Web application as the ‘dial up’ method, a Mobile Web connection should be made before the VPN connection is attempted.
• If using DUN as the dial up method, the GPRS connection process is likely to be integrated with the VPN Client.

5.2 Tips for using less data

Mobile Web is a GPRS based service, and charges are based on the amount of data sent and received, not the time spent connected. Because of this, there are a number of steps that an IT manager may choose to take to reduce the overall amount of data transferred, and therefore the cost of the service to the business.

We provide these tips for your information only. O2 does not guarantee or support the effectiveness or accuracy of these data reduction methods. However we do raise them as a guideline to improve the value you get from O2.

These methods may already be used in your LAN or VPN and may affect network traffic and overall performance. In the GPRS world however the effects are more pronounced in terms of relative service speed, and billing impact since you are only charged for the data downloaded rather than how long you spend online.

5.2.1 Use Web based Outlook

A standard feature of Microsoft Exchange is the ability to log in to Outlook through a web interface. To use this, an employee would open the VPN session using Mobile Web first. This can offer a very good level of speed, as this form of access minimises the amount of data that is transmitted over the GPRS connection. Using this form of access (i.e. opening your web browser, then logging in to your Web based Outlook) will only be possible if a suitable version of Microsoft Exchange has been deployed by the company, and if the IT Manager has chosen to allow access of this type.

Access may only be available to ‘online’ folders using the Web based Outlook connection. However a person using Outlook in this way could also open offline folders by opening Outlook on the Laptop – allowing access to offline folders for reference.


5.2.2 Keep alive functionality

VPN solutions, and many LAN configurations, may incorporate features that transmit data across the network periodically for a number of reasons. Such features will obviously produce traffic that will increase the total mobile data bill each month. In the majority of cases this functionality is vital to the operation of the LAN or VPN. There are however cases where the IT manager may be able to make savings by modifying and reducing the frequency of data transmission.

5.2.3 Logging into your domain at start-up

The start-up sequence used on many LANs involves downloading a large profile, or a login process to the user's domain. This process creates a flow of data that will be billed.

The IT manager may wish to consider the options available for reducing the amount of data used during initial connection for VPN over Mobile Web users.

5.2.4 Mapped network drives

The use of mapped or shared network drives on LANs produces data traffic that will impact service speed and data consumption.

The IT manager may wish to consider the options available for reducing the amount of data used, by altering the user's network drive characteristics. Closing the mapped paths can have a positive effect on service speed and usability.

5.2.5 Outlook configuration

The IT manager may consider reconfiguring Outlook, or any other email client, in order to reduce the flow of data over the network.

Settings affecting the amount of the message or attachment that is downloaded can be used to improve remote access service speed. For example, viewing headers only, rather than automatically downloading attachments, can reduce data usage dramatically.

5.3 Tips for using a Mobile VPN


5.3.1 Use in good coverage

By its nature, a VPN solution will prevent any form of interference to the flow of data in the interests of maintaining a high level of security. This is one of the positive aspects of using a VPN.

In the mobile world this can manifest itself as service disruption. If for instance the GPRS connection is temporarily unavailable (e.g. train goes through a tunnel), the VPN session may be dropped, as the VPN software perceives this to be a form of interference.

We therefore recommend that users keep this in mind when using the VPN whilst mobile.

5.4 How much data are you using?

Mobile Web is a GPRS based service, and charges are based on the amount of data sent and received, not the time spent connected.

There are a number of ways for a user to determine how much data is being used, and therefore to get an estimated view on the cost of using the service each month.

Please note these methods are not precise and should be regarded as indicative only.

5.4.1 Mobile Web Application

• The Mobile Web application includes a data counter tool that estimates the amount of data used, and the monthly bill. This will be displayed each time the application is deployed.
• A user can input their monthly bill characteristics if required by selecting ‘Options’, the ‘Advanced Mode’, ‘AOU’, and then populating the appropriate fields.
• Note that this tool will only function on PCs, with the exception of those running Microsoft Windows Workstation NT4.

5.4.2 Windows Dial Up Networking

• Windows dial up networking incorporates a feature that allows a user to view the amount of data used in the current session.
• During a dial up networking session, a user may click on the DUN connection icon (two PCs connected and flashing) in the lower right hand corner of the screen to see this information.


6 Troubleshooting and support

6.1 Care model and handoff points

O2 recognises that a Mobile VPN solution once implemented forms an extremely important part of your organisation’s LAN infrastructure. It is important for us to be clear about how O2 can help you to get started, and use the Mobile Web service to access your VPN.

The overall solution can be divided into three main parts – O2’s Mobile Web service, a VPN Client - Server architecture, and the LAN infrastructure of the organisation.

NOTE: An enhanced care package is available from O2 Professional Services. See section 6.2 below for more information. Charges may apply for these services.

The expected care model would be one where first line support for the overall solution is provided in-house within the customer’s IT department:

1. A VPN over Mobile Web user experiences a service-affecting problem, and calls their internal IT support number.
2. The IT support expert diagnoses the problem, and ascertains likely cause.
3. If a LAN fault is suspected, the IT department undertakes remedial action as normal.
4. If a VPN client or server fault is suspected, the IT department should liaise with the VPN system supplier to ascertain cause and undertake remedial action.
5. If the cause is suspected to be related to Mobile Web connectivity, the IT support team should contact their O2 service provider.
   o The service provider will check that the SIM is correctly provisioned, and will then pass to the O2 Mobile Web support team.
   o The Mobile Web support team will then ascertain whether Mobile Web can be used successfully independently of the VPN solution.
   o If no fault is found with Mobile Web connectivity, the O2 support team will recommend that the IT desk investigate a LAN or VPN related source to resolve the problem.

VPN Infrastructure (supported by VPN Supplier / Systems Integrator)

• VPN Installation and support
• VPN Operational support
• VPN Client installation
• VPN Client configuration
• VPN Server installation
• VPN Server configuration
• All other VPN support

Mobile Web from O2 (supported by O2 Customer Care)

• Mobile Web Operational support
• Mobile Web Client installation
• Mobile Web Client configuration
• All other Mobile Web support

LAN Infrastructure (supported by IT Department)

• LAN Installation and support
• LAN Operational support
• Laptop general support
• Client software installation
• Client software configuration
• All other LAN support


6.1.1 O2 Support

Mobile Web is a service that users themselves or an IT department can set up and use without any special training or support.

Where problems are encountered by a user in setting up the service, O2 will provide support to get our customers set up and connected.

Where a problem arises which affects the customer’s ability to connect to and use the Mobile Web service, O2 will actively work with the customer to resolve the problem. This will include the following:

• Advice on recommended device and operating system requirements for Mobile Web
• Set-up and device configuration for Mobile Web
• Problems encountered connecting to Mobile Web
• Any issue relating to Mobile Web Quality of Service.

6.1.2 VPN Support

VPN solution specific support cannot be provided by O2, as we are neither the vendor nor the support organisation for the VPN that you are using.

Support for the following must be sourced from your VPN solution vendor or systems integrator:

• Advice on operating system requirements for the VPN solution
• Installation, set-up, and configuration of the server elements of the VPN solution
• Installation, set-up, and configuration of the client elements of the VPN solution
• VPN problems unrelated to Mobile Web connectivity.

[Figure: support flow. Customer experiences Mobile VPN problem and calls IT Desk. IT Desk diagnoses cause: LAN, VPN, or Mobile Web. LAN problem: IT Department remedy as usual. VPN problem: VPN support supplier remedies. O2 Mobile Web connectivity: supported by O2. Outcome: customer problem resolved.]


6.1.3 LAN Support

LAN specific support cannot be provided by O2, as we are neither the vendor nor the support organisation for the LAN solution that you are using.

Whilst we offer certain recommendations based on our pre-launch market research, we cannot provide further support in the following areas:

• Configuration and support of LAN settings and user profiles
• Set-up and tuning of client software such as Microsoft Outlook or Internet Explorer
• LAN problems unrelated to Mobile Web connectivity.

6.2 O2 Professional Services

In addition to the standard care model outlined above, O2 offers an enhanced care package to assist in the integration of a mobile solution into your workplace. Charges may apply for these services.

• You define the need, we’ll develop the solution

We offer an industry-leading portfolio of innovative professional services and support solutions built upon years of proven expertise in the wireless marketplace. So whether you need expert advice or a uniquely tailored solution, we can help you develop, integrate, manage and optimise your communications network.

• Technology. People. Vision

By understanding, anticipating and responding to your needs at every stage, we can ensure end-to-end integration including network, applications and resources. In short, the Professional Services team from O2 can give you a competitive edge by providing a solution that reflects your business and ensures that you stay ahead of your competition.

• Insight and Innovation

Over the service life of your network, we can work with you to optimise the performance of both your technology and your business. Drawing upon our knowledge base, we can ensure that your business benefits from the latest technology and thinking to make the most of every possibility.

• Delivering promise

Through a blend of technical, commercial and project management experience, we can provide that vital link to ensure that all parts of your organisation, however disparate, remain seamlessly connected. No hype, just tangible, measurable results that meet the challenge of modern business communications.

Everyone’s needs are different. If you would like to talk to the Professional Services team, please contact:

Phone 0800 587 5580
Email [email protected]


6.3 Troubleshooting

Before you can access the Mobile Web service from your laptop, you will need a subscription.

Have you got the right devices?
• Mobile Web is not accessible from all phones and laptop PCs. Note: Macintosh laptops are not supported. To check whether you have a suitable phone and laptop PC, visit www.o2.co.uk/mobileweb.

How do you want to connect?
• Each Microsoft Windows operating system provides different levels of connectivity support. Check Appendix B to make sure that your operating system will allow connection in the way you require.
• Check you have chosen the correct default modem from the ‘Options’ menu in the O2 Mobile Web application.

Do you use a PDA or Blackberry with your laptop?
• Your PDA ‘sync’ application can conflict with Mobile Web. You can read more about this in the section ‘PDA, Blackberry and other devices using COM1’ on page 35 of the Mobile Web getting started guide.

Can’t find the O2 Mobile Web application on your laptop?
• The application can be opened by double clicking on the O2 Mobile Web icon. Alternatively, go to start, programs, O2 Mobile Web.

Trouble using Mobile Web with infrared?
• Not all operating systems support infrared connection. To check whether yours does, see Appendix B.
• Make sure that your mobile phone’s infrared port is activated (see pages 37 – 40 of the getting started guide), and that it is aligned with the infrared port on your laptop.


7 References

[1] PHIFER, L., “The Trouble with NAT”, The Internet Protocol Journal, Volume 3, Number 4, December 2000, Cisco Systems.

[2] AYDIN, H., “NAT Traversal: Peace Agreement between NAT and IPSec”, August 12, 2001, SANS Institute, http://rr.sans.org/encryption/NAT2.php.

[3] MEREDITH, G, “Tunnel Vision”, Packet Magazine, 4th Quarter, 2000, Cisco Systems.


8 Appendices

8.1 Appendix A – Mobile Web Service Summary

This section outlines the core features of the Mobile Web service, in order to provide an understanding of how the service works.

Please note that some of the features of Mobile Web, such as web optimisation, will be bypassed by using a VPN solution. This is an unavoidable scenario, as the VPN solution by definition creates a secure tunnel that cannot be manipulated in any way, and therefore cannot be optimised using the Mobile Web application.

It is important to be aware that in many cases the features outlined below will only be utilised when Mobile Web is used for direct connection to the Internet, without the VPN solution being used.

8.1.1 Key Benefits of Mobile Web

• Manage your email on the move - now not later
  − Make productive use of ‘in-transit’ time - no need to wait until you’re in the office to clear your web-based emails
  − Improve your level of customer service by emailing the document requested during your meeting, over the web

• Business information I need, wherever and whenever I need it
  − Read up on your client en route to their office and impress with up to the minute knowledge on their latest public announcement.
  − Check stock status and place orders with your suppliers whilst on the move

• Get mobile using your existing kit
  − Use your PDAs or laptops to link to the Mobile Web with a GPRS handset, and many other device options

8.1.2 Mobile Web Core Features

The key features of Mobile Web:

• Access to HTTP and HTTPS web pages over the O2 UK GPRS or GSM network
• Access over a GPRS or GSM roaming partner of O2 UK
• Optimisation of HTTP web traffic to increase speed and reduce data transferred over GPRS or GSM
• Support of internet email protocols POP3, IMAP4, SMTP, MAPI
• Support for TCP based streaming
• Support for Instant messaging protocols
• Support for Cisco and Nortel IPSec based VPN solutions outlined in 4.1 below

Note for VPN over Mobile Web users


A VPN solution will form a secure ‘tunnel’ between the VPN client and the VPN server in the corporate premises; therefore the Mobile Web optimisation functionality described above is bypassed. The access feature set then becomes defined by the corporate firewall configuration. The tunnel is effectively a data pipe, and cannot be interfered with. If interfered with, the VPN solution will terminate the connection.

8.1.3 Devices

Mobile Web can be used with a variety of devices. The key combinations are as follows:

• ‘All in one’ PDA such as the xda exclusively from O2
• Handheld PC/PDA with a GPRS handset
• Laptop PC with a GPRS handset
• Laptop PC with a GPRS Data card

A current matrix of the fully tested and recommended combinations of the above devices may be found in Appendix B, or at www.o2.co.uk/mobileweb. Devices other than those recommended may compromise the performance of the Mobile Web service, or not function at all. In addition, we note in the device matrix which devices we recommend for use with VPNs. Currently for example the xda and other Pocket PC devices are not recommended for use with IPSec based VPN access.

VPN clients may require a specific Laptop or PDA operating system. O2 does not make any claim concerning which VPN clients will correctly function on each Laptop or PDA operating system. We advise our customers to seek this information directly from their VPN supplier or support company.

8.1.4 Getting Started Application

Mobile Web customers may use the O2 Getting Started application to prepare any of the following devices for use with the service. Manual configuration of the service settings is not recommended unless required for Dial up Networking.

• Pocket PC2000
• Pocket PC2002
• Palm O/S 4.0
• Microsoft Windows 95 (OSR2), 98, 98SE, Millennium, NT4 (SP 4 and higher), 2000 and XP.

The CD will install an application ‘O2 Mobile Web’ on the Laptop or PDA. The application once installed provides the user with a simple interface to make a connection to Mobile Web. A desktop icon is automatically installed on a Laptop, and in all cases the ‘O2 Mobile Web’ application will be installed in the ‘programs’ folder. After the connection is made the default web browser will be opened, and the www.o2.co.uk homepage will be opened.

The Mobile Web Getting Started application also includes an email wizard, which facilitates the process of setting up a POP3 email service in the default email client. A selection of UK email service providers has been included in the Wizard. The Wizard operates with the following operating systems or applications:

• Pocket PC2000
• Outlook or Outlook Express

For the GPRS card from Novatel, available from O2, the Novatel supplied Merlin card set up software should be used instead of the Mobile Web Getting Started application. Separate instructions for set up of the card to use Mobile Web are then available in the laptop Getting Started user guide.


The Mobile Web Getting Started application and getting started user guides are available either by visiting www.o2.co.uk/mobileweb or as a pack at no charge from your O2 Service Provider.

8.1.5 Service Settings

The service settings are installed as part of the Mobile Web application install.

GPRS access settings

APN: mobile.o2.co.uk
DNS: 193.113.200.200, 193.113.200.201
Username: username
Password: password
Homepage: www.o2.co.uk for PCs, pda.o2.co.uk for handheld PC/PDAs

GSM access settings

Dial number: +447712932932
DNS: 193.113.200.200, 193.113.200.201
Username: username
Password: password
Homepage: www.o2.co.uk for PCs, pda.o2.co.uk for handheld PC/PDAs

8.1.6 Resilience

The Mobile Web service is fully resilient. No single component failure should cause service disruption.

8.1.7 Supported Protocols & Ports

Mobile Web handles different traffic in different ways, as outlined in the tables below. Whilst this form of routing is applied based on the ports defined, it is important to note that this only applies where Mobile Web is used as a form of direct Internet connectivity – not when used as a method of accessing a VPN.

Using a VPN solution over Mobile Web will establish a secure tunnel through which all traffic may flow, subject to the configuration of the customer’s firewall.

All TCP and UDP ports are open on the Mobile Web firewall. The Mobile Web service does not restrict the flow of traffic on any port.

8.1.7.1 Traffic which goes through Netcache and BlueKite optimisation

| Application | Protocol | Port | Notes |
|---|---|---|---|
| Web browsing | HTTP | 80 | |
| | HTTP | 8080 | |

8.1.7.2 Traffic which is proxied through Netcache

| Application | Protocol | Port | Notes |
|---|---|---|---|
| Secure web browsing | HTTPS / SSL | 443 | This traffic is not cached. |
| File Transfer | FTP | 21 | |

8.1.7.3 Traffic which goes through Port Address Translation only

| Application | Protocol | Port | Notes |
|---|---|---|---|
| E-mail | SMTP | 25 | |
| | POP3 | 110 | |
| | Secure POP3 | 995 | |
| | IMAP4 | 143 | |
| | Secure IMAP4 | 993 | |
| Instant Messaging | MSN Messenger | 1863 | NB. Voice connections and file transfer will not function. |
| | Yahoo Messenger | 1863 | NB. Voice connections and file transfer will not function. |
| | ICQ | 5050 | |
| | AOL Instant Messenger | 5190 | |
| Streaming | Windows Media Streaming (TCP) | 1755 | |
| | RealPlayer Streaming; RTSP: RFC2326 (TCP); RTP: RFC1889 (TCP) | 7070, 554 | |
| | QuickTime Streaming (uses RTSP/RTP protocol) (TCP) | 554 | |
| Other Ports | LDAP Directory Servers | 389 | |
| | NNTP News Servers | 119 | |
| All Other Ports | All TCP and UDP ports have been opened. | ALL | All TCP and UDP ports were opened on the Mobile Web service on July 29th 2002. |


8.2 Appendix B – Mobile Web devices Matrix

Operating system columns, in order: Microsoft Windows 95 OSR2 | Microsoft Windows 98 | Microsoft Windows 98 SE | Microsoft Windows Millennium | Microsoft Windows 2000 | Microsoft Windows Workstation NT4 | Microsoft Windows XP | Pocket PC2000 | Pocket PC2002

* Ericsson T39 software versions - R3B006

Infra Red - Yes Yes Yes Yes - - Yes Yes

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

Bluetooth OS support depending on the Bluetooth device/equipment used. No known issues - Yes

* Ericsson T65 software versions - R2B

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

* Ericsson T68 software versions - R2B013

Infra Red - Yes Yes Yes Yes - - Yes Yes

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

Bluetooth OS support depending on the Bluetooth device/equipment used. No known issues -

* Ericsson R520 software version - R2K

Infra Red - Yes Yes Yes - - Yes Yes

Serial Cable Yes Yes - Yes Yes Yes Yes - -

Bluetooth OS support depending on the Bluetooth device/equipment used. May not work with early versions of R520m -

*SonyEricsson T68i software version - R2B025

Infra Red - Yes Yes Yes Yes - Yes Yes Yes

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

Bluetooth OS support depending on the Bluetooth device/equipment used. Phone is slow in operation. - Yes

Motorola v60

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

USB3 - - Yes Yes - Yes - -

Motorola v66

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

USB3 - - Yes Yes - Yes - -

Motorola T260

Infra Red - Yes Yes Yes - - - -

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

Motorola T280

Infra Red - Yes Yes Yes - - - -

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

USB3 - - Yes Yes - Yes - -

* Nokia 8310 software version - 4.53

Infra Red - Yes Yes Yes - - Yes Yes

* Nokia 6310 software version - 4.20

Infra Red - Yes Yes Yes - - Yes Yes

Serial Cable Yes Yes Yes Yes Yes Yes - -

Bluetooth OS support depending on the Bluetooth device used. Bluetooth bonding on 6310 is a poor experience and not recommended. - Yes

* Nokia 6310i software version – 4.80

Infra Red - Yes Yes Yes Yes - Yes Yes Yes

Serial Cable Yes Yes Yes Yes Yes Yes - -

Bluetooth OS support depending on the Bluetooth device used. Experience better than 6310 for bonding. Yes

* Nokia 6510 software version - 4.00

Infra Red - Yes Yes Yes - - Yes Yes

Siemens S45

Infra Red - Yes Yes Yes Yes - Yes Yes

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

Siemens ME45

Infra Red - Yes Yes Yes Yes - Yes Yes

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

Siemens M50 software version - 09

Serial Cable Yes Yes Yes Yes Yes Yes Yes - -

O2 xda

Internal modem - - - - - - - - Yes

Trium Mondo

Internal modem - - - - - - - Yes -

Novatel Merlin

PC Card modem - Yes Yes Yes Yes - Yes - -

N.B. Nokia and Ericsson handset users should check they have the correct software version on their handset first.

ERICSSON. Press the right arrow key once, star key once, left arrow key twice, star key once, left arrow key once, star key once. Press yes 3 times. For software upgrades ring the Sony Ericsson hot line for the nearest Service Centre on: 08705 237237

NOKIA. To check which version you have you need to press *#0000#. For upgrades ring the Nokia hot line for nearest Nokia Service Center on: 0845 0545454


Key:

You can use the O2 software available on CD-ROM (version 2.1), or download from www.o2.co.uk/mobileweb

You must use the latest version of software - download from www.o2.co.uk/mobileweb. Alternatively for Laptop PCs click 'check for updates' under the 'options' menu of the CD software once you have installed it.

O2 only recommends the use of Pocket PC based handheld devices for use with a Microsoft PPTP based VPN service, as we have seen difficulties in both set up and use of IPSec based solutions on Pocket PC devices during our test and trial activities.


8.3 Appendix C – Glossary of terms

ADSL: Asynchronous Digital Subscriber Line
ESP: Encryption Security Protocol
GPRS: General Packet Radio Service
IETF: Internet Engineering Task Force
IKE: Internet Key Exchange
IPSec: IP Security protocols
IP: Internet Protocol
ISP: Internet Service Provider
ISDN: Integrated Service Digital Network
IT: Information Technology
NAT: Network Address Translation
NAPT: Network Address Port Translation
PPTP: Point to Point Transfer Protocol
PSTN: Public Switched Telephone Network
TCP: Transfer Control Protocol
UDP: User Datagram Protocol
VPN: Virtual Private Network


8.4 Appendix D – Further xda Information

8.4.1 How to set up the Microsoft PPTP VPN client on xda

• You must have a Mobile Web subscription
• Ensure a PPTP account is set up on your VPN Gateway
• Go to the Connection Settings screen (e.g. Start - Settings - Connections Tab - Connections icon)
• In the "middle pull down box" (e.g. as default will say Work Settings) select ‘New’ and enter an appropriate name (e.g. ‘VPN’ as the name in this example)
• Ensure the new profile just created (e.g. ‘VPN’) is in the "middle pull down box" and select ‘Modify’
• Select the ‘VPN’ Tab and select ‘New’.
• Enter a name for the connection (e.g. ‘PPTP’ in this example) and the IP address of the PPTP server – you may be using a Win 2K server as the PPTP server element.
• Tap ‘Advanced’
• On the TCP/IP tab ensure "Use server assigned IP address" is selected.
• Untick "Use software compression" and "Use IP header compression"
• On the Name Servers Tab ensure "Use server assigned addresses" is selected.
• Select OK. OK.
• Ensure the "top pull down box" says Internet Settings and select Modify.
• Ensure the GPRS profile you want to be dialled is set to be dialled (hold the pen down on the profile you want as the default and select "Always Dial"). Select OK.

8.4.2 Manual Connect Method 1

• Go to the Connection Settings screen (e.g. Start - Settings - Connections Tab - Connections icon)
• Ensure the "middle pull down box" has the VPN profile name in it (e.g. ‘VPN’ in this instance) and select ‘Connect’.
• The GPRS profile that is set to "Always Dial" in the "top pull down box" (e.g. Internet Settings) will be dialled and you will be prompted for a user name and password. At this point you need to enter your VPN user name and password e.g. as per your profile on the Windows 2K server.

8.4.3 Manual Connect Method 2

• Go to the Connection Settings screen (e.g. Start - Settings - Connections Tab - Connections icon)
• Connect to the Mobile Web service by tapping ‘Connect’ below the "top pull down box" (or use the web browser, or tap ‘Start’, ‘Programs’, ‘GPRS Connection’, ‘O2 Mobile Web’).
• Ensure the "middle pull down box" has the VPN profile name in it (e.g. VPN in this instance) and select Connect.
• You should now get connected into the network via Microsoft's PPTP protocol.

8.4.4 How to upgrade your xda to the latest software version

The latest information on accessories and device software can be found at www.o2.co.uk/xda