IBM Support

Direct Connect Universal Connection Configuration

Troubleshooting


Problem

This document describes how to set up a Direct Connect Universal Connection configuration.

Resolving The Problem

The Direct Connect option of Universal Connection allows your IBM® iSeries™ family system to connect to IBM over the Internet through a VPN, using your existing LAN connection. At V4R5 and V5R1, your iSeries family system must reside outside of your firewall or Network Address Translation (NAT) device to use this option; that is, it must be configured with an IP address that can be publicly routed. This network scenario is uncommon, so in the past most users did not use this option for their Universal Connection to IBM. However, with some hardware changes made at the IBM services location and some PTFs on the iSeries family systems, you can now use this option when your iSeries family system is behind your firewall or NAT device.

This new function became available on V5R2 of the IBM® OS/400® in October of 2003. Many users have already taken advantage of it. Before October, users whose iSeries family system did not have direct access to the Internet (that is, access with no firewall or Network Address Translation device in the path) could not use this service.

The following PTFs are required to use this new function. (If your system is at the latest CUME level at V5R2, you already have these PTFs installed. This function is in the base code at V5R3 and later.)

- SI09611
- MF30153
- SI09845 (required only if you have more than one iSeries family system behind your Firewall/Network Address Translation device that may be connecting simultaneously)
- SI09894 (eliminates a 1-minute delay when using this function)

In addition to applying the PTFs to your system, the following types of traffic must be allowed through your Firewall/NAT device. (This traffic must be allowed to IP addresses 207.25.252.196 and 129.42.160.16 only.)

- Encapsulating Security Payload (ESP) protocol
- UDP port 500
- UDP port 4500 (if you use a NAT device)
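
One way to check an existing firewall policy against the requirement above, as an added example that is not part of the original IBM document. The rule tuple format `(protocol, destination port, destination CIDR)` and the sample rules are constructed for illustration; export your own device's allow rules into that shape.

```python
import ipaddress

# From the page: the two IBM VPN gateway addresses the traffic must be limited to.
IBM_GATEWAYS = ("207.25.252.196", "129.42.160.16")

def required_flows(behind_nat):
    """Flows the page lists: ESP, UDP 500, and UDP 4500 when a NAT device is used."""
    flows = {("esp", None), ("udp", 500)}
    if behind_nat:
        flows.add(("udp", 4500))
    return flows

def audit(rules, behind_nat=True):
    """Return (missing, too_broad) for a list of allow rules.

    missing:   (proto, port, gateway) flows that no rule permits.
    too_broad: rules that permit a required flow to more than a single host,
               which violates the "these two addresses only" condition.
    """
    gateways = [ipaddress.ip_address(g) for g in IBM_GATEWAYS]
    needed = required_flows(behind_nat)
    covered, too_broad = set(), []
    for proto, dport, dest in rules:
        if (proto, dport) not in needed:
            continue  # unrelated to Universal Connection
        net = ipaddress.ip_network(dest, strict=False)
        hits = [g for g in gateways if g in net]
        covered.update((proto, dport, str(g)) for g in hits)
        if hits and net.num_addresses > 1:
            too_broad.append((proto, dport, dest))
    missing = sorted(
        ((p, d, g) for (p, d) in needed for g in IBM_GATEWAYS
         if (p, d, g) not in covered),
        key=lambda t: (t[0], t[1] or 0, t[2]),
    )
    return missing, too_broad

# Constructed sample policy (not from the page).
SAMPLE_RULES = [
    ("esp", None, "207.25.252.196/32"),
    ("esp", None, "129.42.160.16/32"),
    ("udp", 500, "0.0.0.0/0"),           # works, but wider than required
    ("udp", 4500, "207.25.252.196/32"),  # second gateway not covered
    ("tcp", 443, "0.0.0.0/0"),           # unrelated rule, ignored
]

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES, behind_nat=True)
    print("missing:", missing)
    print("too broad:", too_broad)
```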

The following products must be installed on your iSeries family system:

- 5722AC3 - Crypto Access Provider 128-bit
- 5722SS1 Option 34 - Digital Certificate Manager

Note: As of October 2003, PTF SI10586 must be applied to your system to use native Direct Connect at V5R1 of IBM® OS/400® (an IP address that can be globally routed must still be used).

In addition, refer to IBM eServer iSeries Universal Connection, SG24-6224-00, available on the Web at:

http://www.redbooks.ibm.com/abstracts/sg246224.html?Open

Going through the iSeries Navigator Universal Connection Wizard setup screens:

Note: If your system is at V5R3, use the CRTSRVCFG CNNTYPE(*VPN) command rather than going through the Universal Connection Wizard process that is shown below. If you plan on using the wizard, you should ensure that the version of iSeries Navigator matches the version of OS/400 on your iSeries system. Otherwise, you may receive unexpected results.

Configuring a Direct Connect configuration

In this procedure, you will do the following:
- Create a secure broadband connection to IBM using the Universal Connection Wizard.
- Test the connection.


Figure 119
Perform the following steps to configure Universal Connection with a broadband connection on AS026:

Step 1: Start iSeries Navigator from the desktop.

Step 2: Expand the iSeries server (in this case, AS026). Sign on when prompted.

Step 3: Expand Network.

Step 4: Click Remote Access Services.

Step 5: Right-click Originator Connection Profiles. On the pull-down menu, choose Universal Connection Wizard as shown in Figure 119.

Step 6: Click Next in the Welcome dialog as shown:


Figure 120.

Step 7: Type the service contact information as shown:



Step 8: Type the service contact mailing address, national language version, and media for PTFs as shown:



Step 9: Choose the country, state, or province as shown:



Step 10: Select Electronic Customer Support (ECS) as shown:



Step 11: Select A direct connection to the Internet as shown:



Step 12: Select the LAN interface for the direct cable modem as shown:

Note: In V5R3 and later, this step is omitted because it is determined by the system.



Step 13: On the Summary display (Figure 127), click Finish.



Step 14: After you click Finish, the pop-up window shown in Figure 128 appears. It asks if you want to test the Universal Connection now. Selecting Yes causes the Universal Connection to initiate a connection for testing purposes. No information is exchanged. A connection status window appears that shows whether the test was successful. Note that the LAN interface must be active before the connection test. The Universal Connection Wizard does not activate it.



Note: If your system has more than one TCP/IP interface, add two additional routes as follows (one for each possible IBM VPN Gateway IP address):

ADDTCPRTE RTEDEST('207.25.252.196') SUBNETMASK(*HOST) NEXTHOP('<your gateway address>') +
BINDIFC('<the address you selected in the wizard>')

ADDTCPRTE RTEDEST('129.42.160.16') SUBNETMASK(*HOST) NEXTHOP('<your gateway address>') +
BINDIFC('<the address you selected in the wizard>')


If these routes are not added, there could be routing issues, and the VPN cannot be established. This step is required only on V5R2. On V5R3, the wizard does not ask you to select the TCP/IP interface; the system selects it for you, so there will be no routing issues.


Historical Number

355066125

Document Information

Modified date:
18 December 2019

UID

nas8N1015864