IBM Proventia Network Multi-Function Security (MFS ... Document Transcript

  • 1. IBM Proventia® Network Multi-Function Security (MFS)
    Configuring VPN from Proventia Network MFS to Windows XP Systems
    December 19, 2007

    Overview

    Introduction
    This document describes how to configure a VPN tunnel from a Proventia Network MFS running a Firmware 2.1 operating system or later to Windows 2000 and XP operating systems.

    Intended use
    This document provides an example for configuring VPN from a Proventia Network MFS to either of the following systems:
    ● Windows 2000
    ● Windows XP
    ● Windows XP with Service Pack 1 installed
    The example is not designed for operational use without modification. A knowledgeable IPsec network administrator or advanced user should design new, custom policies for operational use.

    Scope
    This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the “Related documentation” section of this topic.

    Related documentation
    Refer to the Proventia Manager online Help and the IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide for more information about the following:
    ● IKE settings
    ● IPsec and IPsec policies
    ● security gateways
    ● access policies
    ● NAT policies

    IBM Internet Security Systems
  • 2. For procedures for configuring the Windows XP system, refer to the documentation provided with your system.

    In this document
    This document contains the following topics:

    | Topic | Page |
    |---|---|
    | Before You Begin | 3 |
    | Task Overview | 5 |
    | Configuring the Proventia Network MFS Security Gateway | 6 |
    | Configuring the Proventia Network MFS IPsec Policy | 8 |
    | Creating an IPsec Policy for VPN Antivirus Protection | 9 |
    | Creating Related Access Policies for the Proventia Network MFS | 11 |
    | Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS | 12 |
    | Creating Access Policies to Enable Traffic from Subnet A to Subnet B | 13 |
    | Creating NAT Rules | 15 |
    | Creating the Windows XP IPsec Policy | 17 |
    | Configuring the Windows XP IKE Policy | 18 |
    | Creating a Windows XP IPsec Outbound Rule | 19 |
    | Creating a Windows XP IPsec Inbound Rule | 21 |

    Contents of document subject to change.
  • 3. Before You Begin

    Introduction
    This topic includes a topography graphic and a checklist to help you gather the information you need to configure VPN for your Proventia Network MFS and Windows XP system.

    Topography
    The following graphic illustrates the network topography of a Proventia Network MFS configured for VPN with a Windows XP system. The example used in this document is based on the topography depicted.

    Note: You must statically configure the external interface of the M appliance. DHCP configurations will not function correctly for this connection.

    [Figure 1 labels: Subnet A 192.168.1.0/24, 192.168.1.1, a.a.a.a, Proventia Network MFS, Internet, b.b.b.b, Windows XP Client]
    Figure 1: Topography for VPN tunnel from Proventia Network MFS to Windows XP system
  • 4. Checklist
    The following checklist indicates the information that you need before configuring your VPN tunnel.

    | Task | Description |
    |---|---|
    | Proventia Network MFS Unit A External IP address | __________ Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document. |
    | Proventia Network MFS Unit A Internal IP Address | __________ |
    | Subnet A IP address/mask | __________ |
    | Windows XP client IP address | __________ Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document. |
    | Preshared key (minimum of 16 characters) | __________ Note: Windows XP stores the preshared key in cleartext in the registry, accessible by administrators. Active Directory stores IPsec configuration policies and preshared keys in cleartext. ISS recommends that you use signed certificates identifying the Proventia Network MFS and Windows XP client for better security. |
    | IKE Phase 1 (Main Mode) Authentication | MD5 / SHA1 |
    | IKE Phase 1 Encryption | 3DES / DES / AES. Note: If you select AES, select an AES key length: 128 / 192 / 256 |
    | IKE Phase 1 Key Lifetime Seconds | __________ |
    | IKE Phase 1 Key Lifetime Kbytes | __________ |
    | IKE Phase 1 Diffie-Hellman Group | Group1 / Group2 / Group5 |
    | IKE Phase 2 (Quick Mode) Authentication | MD5 / SHA1 |
    | IKE Phase 2 Encryption | 3DES / DES / AES. If you select AES, select an AES key length: 128 / 192 / 256 |
    | IKE Phase 2 Key Lifetime Seconds | __________ |
    | IKE Phase 2 Key Lifetime Kbytes | __________ |
    | IKE Phase 2 Diffie-Hellman Group | None / Group1 / Group2 / Group5 |
    | Access Policies | |

    Table 1: Checklist before configuring VPN tunnel
  • 5. Task Overview

    Introduction
    This topic describes the tasks required to establish a VPN connection between the Proventia Network MFS and Windows clients.

    Required tasks for certificate authentication
    To establish the VPN connection, you must complete tasks shown in the following table:

    | Task | Description |
    |---|---|
    | 1 | Configure the Proventia Network MFS security gateway. Reference: See “Configuring the Proventia Network MFS Security Gateway” on page 6. |
    | 2 | Configure the Proventia Network MFS IPsec policy. Reference: See “Configuring the Proventia Network MFS IPsec Policy” on page 8. |
    | 3 | Enable the firewall access policy in Proventia Manager to enable ISAKMP traffic. Reference: See “Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS” on page 12. |
    | 4 | Create firewall access policies in Proventia Manager to enable traffic between subnets. Reference: See “Creating Access Policies to Enable Traffic from Subnet A to Subnet B” on page 13. |
    | 5 | Create NAT rules. Reference: See “Creating NAT Rules” on page 15. |
    | 6 | Create the Windows XP IPsec policy. Reference: See “Creating the Windows XP IPsec Policy” on page 17. |
    | 7 | Create the Windows XP IKE policy. Reference: See “Configuring the Windows XP IKE Policy” on page 18. |
    | 8 | Create the Windows XP IPsec outbound rule. Reference: See “Creating a Windows XP IPsec Outbound Rule” on page 19. |
    | 9 | Create the Windows XP IPsec inbound rule. Reference: See “Creating a Windows XP IPsec Inbound Rule” on page 21. |

    Table 2: Required tasks to establish the VPN connection
  • 6. Configuring the Proventia Network MFS Security Gateway

    Introduction
    You must configure the security gateway on the Proventia Network MFS that represents the Windows XP client. The security gateway contains the IKE and IPsec communication settings. To configure the security gateway, create an Auto Key IPsec Security Gateway with the settings shown below.

    Security gateway IKE Configuration settings
    Define the security gateway name, and configure IKE settings on the IKE Configuration tab, as shown in the following table:

    | Item | Setting |
    |---|---|
    | Name | To_Windows_XP |
    | Enabled | Selected |
    | Comment | IPsec tunnel to Windows_XP |
    | Direction | Both Directions |
    | Exchange Type | Main Mode |
    | Encryption Algorithm | 3DES |
    | AES Key Length | N/A. Note: This list is available if you select the AES encryption algorithm, to allow you to select the AES key length from the list. |
    | Authentication Algorithm | SHA1 |
    | Authentication Mode | Pre Shared Key |
    | Pre-Shared Key | A text string value of at least 16 alphanumeric characters (Example: 1234567890abcdef). Note: Use the same text string for the Windows XP client. |
    | Life Time Secs | 7200 |
    | Life Time KBytes | 1000000 |
    | DH Group | Group2 |
    | Local IP Address | Static Address. Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS. (Example: a.a.a.a) |
    | Remote IP Address | Static Address. Note: In the IP Address field, type the external interface IP address of the Windows XP client. (Example: b.b.b.b) |

    Table 3: IKE Configuration settings for the Proventia Network MFS
  • 7. | Item | Setting |
    |---|---|
    | Local ID | Static Address. Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS. (Example: a.a.a.a) |
    | Remote ID | Static Address. Note: In the IP Address field, type the external interface IP address of the Windows XP client. (Example: b.b.b.b) |

    Table 3: IKE Configuration settings for the Proventia Network MFS

    IKE XAuth settings
    In the XAuth area of the IKE Configuration tab, the Enabled check box is disabled by default. Make sure that this check box is cleared to disable the XAuth settings.

    IPsec Configuration general settings
    Define the IPsec Configuration general settings on the IPsec Configuration tab, as shown in the following table:

    | Item | Setting |
    |---|---|
    | Encapsulation Mode | Tunnel |
    | Perfect Forward Secrecy | Group2 |

    Table 4: IPsec Configuration general settings for the Proventia Network MFS

    Adding a security proposal
    In the Security Proposal area of the IPsec Configuration tab, add a security proposal with the settings shown in the following table:

    | Item | Setting |
    |---|---|
    | Security Protocol | ESP with Auth |
    | Auth Algorithm | SHA1 |
    | ESP Algorithm | 3DES |
    | Life Time Secs | 7200 |
    | Life Time KBytes | 1000000 |

    Table 5: Security Proposal settings for the Proventia Network MFS

    Advanced settings
    In the Advanced Settings area of the IPsec Configuration tab, clear the Enabled check box to disable the advanced settings.
  • 8. Configuring the Proventia Network MFS IPsec Policy

    Introduction
    You must configure the IPsec policy to define what is encrypted between the Proventia Network MFS and the Windows XP client. The IPsec policy is configured without network address translation (NAT).
    Reference: See “Creating NAT Rules” on page 15.

    IPsec policy general settings
    Define the IPsec policy general settings as shown in the following table:

    | Item | Setting |
    |---|---|
    | Name | To_Windows_XP |
    | Enabled | Selected |
    | Comment | IPsec tunnel to Windows XP |
    | Security Process | Encrypt |
    | Protocol | All |

    Table 6: IPsec general policy settings for the Proventia Network MFS

    IPsec policy remaining settings
    Define the remaining IPsec policy settings as shown in the following table:

    | On this subtab... | Select this item... | With this setting... |
    |---|---|---|
    | Security Gateway | Auto Key Security Gateway | To_Windows_XP |
    | Source Address | Network Address/#Network Bits (CIDR) | The subnet address and mask that is behind the Proventia Network MFS (Example: 192.168.1.0/24) |
    | Source Port | Any | N/A |
    | Destination Address | Single IP Address | The external interface IP address of the Windows XP system (Example: b.b.b.b) |
    | Destination Port | Any | N/A |

    Table 7: IPsec policy settings for the Proventia Network MFS
  • 9. Creating an IPsec Policy for VPN Antivirus Protection

    Introduction
    The antivirus software proxies traffic to the external interface of the Proventia Network MFS for the following protocols:
    ● HTTP
    ● FTP
    ● SMTP
    ● POP3
    To ensure that traffic analyzed by the antivirus software is sent and received from the remote VPN subnet B, you must create an additional IPsec policy.
    Note: The Proventia Network MFS automatically creates the mirror inbound policy for antivirus protection for VPN.

    IPsec policy general settings
    Define the IPsec policy general settings as shown in the following table:

    | Item | Setting |
    |---|---|
    | Name | AV_To_Windows_XP |
    | Enabled | Selected |
    | Comment | IPsec policy to protect AV traffic to Windows XP |
    | Security Process | Encrypt |
    | Protocol | All |

    Table 8: IPsec Configuration general settings for antivirus VPN protection

    IPsec policy remaining settings
    Define the remaining IPsec policy settings as shown in the following table:

    | On this subtab... | Select this item... | With this setting... |
    |---|---|---|
    | Security Gateway | Auto Key Security Gateway | To_Windows_XP |
    | Source Address | Single IP Address | The external interface IP address of the Proventia Network MFS (Example: a.a.a.a). Note: This setting encapsulates traffic from the Proventia Network MFS external interface. |
    | Source Port | Any | N/A |
    | Destination Address | Single IP Address | The external interface IP address of the Windows XP system (Example: b.b.b.b) |

    Table 9: IPsec Configuration remaining settings for VPN antivirus protection
  • 10. | On this subtab... | Select this item... | With this setting... |
    |---|---|---|
    | Destination Port | Any | N/A |

    Table 9: IPsec Configuration remaining settings for VPN antivirus protection (Continued)
  • 11. Creating Related Access Policies for the Proventia Network MFS

    Introduction
    You must create additional access policies to do the following:
    ● enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia Network MFS external interface
      Reference: See “Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS” on page 12.
    ● enable traffic from subnet A to subnet B without NAT (Network Address Translation)
      Reference: See “Creating Access Policies to Enable Traffic from Subnet A to Subnet B” on page 13.

    Guideline
    You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need NAT for the subnets.
    Reference: See “Creating NAT Rules” on page 15.

    Order of access policies
    The appliance processes access policies in the order that they appear in the Access Policy list.
  • 12. Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS

    Introduction
    Although you have created a VPN tunnel from the Windows XP client to the Proventia Network MFS VPN server, you must configure the firewall to accept or deny traffic from the VPN client. To do this, enable ISAKMP traffic to the Proventia Network MFS external interface.
    To enable ISAKMP traffic to the Proventia Network MFS, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text: Enable this rule for VPN Connectivity
    Note: This access policy is disabled by default. You must enable it to allow VPN traffic.

    ISAKMP access policy general settings
    Define the access policy general settings as shown in the following table:

    | Item | Setting |
    |---|---|
    | Enabled | Selected |
    | Action | Allow |
    | Log Enabled | Not selected (optional) |
    | Comment | Enable this rule for VPN Connectivity |

    Table 10: ISAKMP access policy general settings for the Proventia Network MFS

    ISAKMP access policy remaining settings
    Define the remaining access policy settings as shown in the following table:

    | On this subtab... | Select this item... | With this setting... |
    |---|---|---|
    | Protocol | Any | N/A |
    | Source Address | Single IP Address | The external interface IP address of the Windows XP system (Example: b.b.b.b) |
    | Source Port | Any | N/A |
    | Destination Address | Self | N/A |
    | Destination Port | Specify Network Objects | ISAKMP_UDP |

    Table 11: ISAKMP access policy remaining settings
  • 13. Creating Access Policies to Enable Traffic from Subnet A to Subnet B

    Introduction
    You must create two additional access policies on the Proventia Network MFS to allow all traffic from subnet A to subnet B:
    ● a policy to allow inbound traffic
    ● a policy to allow outbound traffic

    Inbound access policy general settings
    Define the inbound access policy general settings as defined in the following table:

    | Item | Setting |
    |---|---|
    | Enabled | Selected |
    | Action | Allow |
    | Log Enabled | Not selected (optional) |
    | Comment | Access policy to allow traffic from remote Windows XP system |

    Table 12: Inbound access policy general settings

    Inbound access policy remaining settings
    Define the remaining inbound access policy settings as shown in the following table:

    | On this subtab... | Select this item... | With this setting... |
    |---|---|---|
    | Protocol | Any | N/A |
    | Source Address | Single IP Address | The external interface IP address of the Windows XP system (Example: b.b.b.b) |
    | Source Port | Any | N/A |
    | Destination Address | Network Address/#Network Bits (CIDR) | The network IP address and mask for subnet A. (Example: 192.168.1.0/24) |
    | Destination Port | Any | N/A |

    Table 13: Inbound access policy remaining settings

    Outbound access policy general settings
    Define the outbound access policy general settings as defined in the following table:

    | Item | Setting |
    |---|---|
    | Enabled | Selected |
    | Action | Allow |
    | Log Enabled | Not selected (optional) |

    Table 14: Outbound access policy general settings
  • 14. | Item | Setting |
    |---|---|
    | Comment | Access policy to allow traffic out to remote Windows XP network |

    Table 14: Outbound access policy general settings (Continued)

    Outbound access policy remaining settings
    Define the remaining outbound access policy settings as shown in the following table:

    | On this subtab... | Select this item... | With this setting... |
    |---|---|---|
    | Protocol | Any | N/A |
    | Source Address | Network Address/#Network Bits (CIDR) | The network mask for subnet A. (Example: 192.168.1.0/24) |
    | Source Port | Any | N/A |
    | Destination Address | Single IP Address | The external interface IP address of the Windows XP system. (Example: b.b.b.b) |
    | Destination Port | Any | N/A |

    Table 15: Outbound access policy remaining settings
  • 15. Creating NAT Rules

    Introduction
    In firmware version 2.1 and later, you must add NAT (Network Address Translation) rules to bypass NAT and ensure that the appliance does not translate packets that travel between subnets. The additional NAT rules are as follows:
    ● a Source NAT Rule
    ● a Destination NAT Rule

    Source NAT Rule general settings
    Create a Source NAT Rule with general settings as defined in the following table:

    | Item | Setting |
    |---|---|
    | Name | Windows_XP_BypassNAT_Src |
    | Enabled | Selected |
    | Comment | Source NAT Rule to bypass NAT |

    Table 16: Source NAT Rule general settings

    Source NAT Rule remaining settings
    Define the remaining Source NAT Rule settings as shown in the following table:

    | On this subtab... | Select this item... | With this setting... |
    |---|---|---|
    | Protocol | Any | N/A |
    | Source Address | Network Address/#Network Bits (CIDR) | The network mask for subnet A. (Example: 192.168.1.0/24) |
    | Destination Address | Single IP Address | The external interface IP address of the Windows XP system (Example: b.b.b.b) |
    | Destination Port | Any | N/A |
    | Translated Address | Do Not Translate | N/A |

    Table 17: Source NAT Rule remaining settings

    Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table.

    Destination NAT Rule general settings
    Create a Destination NAT Rule with general settings as defined in the following table:

    | Item | Setting |
    |---|---|
    | Name | Windows_XP_BypassNAT_Dst |
    | Enabled | Selected |
    | Comment | Destination NAT Rule to bypass NAT |

    Table 18: Destination NAT Rule general settings
  • 16. Destination NAT Rule remaining settings
    Define the remaining Destination NAT Rule settings as shown in the following table:

    | On this subtab... | Select this item... | With this setting... |
    |---|---|---|
    | Protocol | Any | N/A |
    | Source Address | Single IP Address | The external interface IP address of the Windows XP system (Example: 10.1.0.0/16) |
    | Destination Address | Network Address/#Network Bits (CIDR) | The network mask for subnet A (Example: 192.168.1.0/24) |
    | Destination Port | Any | N/A |
    | Translated Address | Do Not Translate | N/A |
    | Translated Port | Do Not Translate | N/A |

    Table 19: Destination NAT Rule remaining settings

    Note: Make sure that the Destination NAT Rule is in the first position in the Destination NAT Rules table.
  • 17. Creating the Windows XP IPsec Policy

    Introduction
    In this example, you are creating a Local IPsec policy for a Windows XP workstation that is not a member of a domain, or the domain does not assign an IPsec policy to the computer. An administrator must use the Active Directory group policy editor to assign an IPsec policy to a Windows XP workstation in a domain.

    Accessing the Local IPsec Policy Snap-in
    To access the Local IPsec Policy Snap-in:
    1. Run MMC.EXE.
    2. Select File > Add/Remove Snap In.
    3. Click Add, and then add the IP Security Policy Management.
    4. Select Local computer for computer domain.
       Note: Selecting Active Directory domain only allows you to configure the IPsec policy, not assign it.
    5. Close the Add Standalone Snap-In window.
    6. Click OK to accept the snap-in on the Add/Remove Snap-In window.
    7. Select Action > Create IP Security Policy, and continue as follows:
       ■ Type a descriptive name. Example: Proventia Network MFS
       ■ Disable Activate the default response rule.
       ■ Enable Edit Properties.
  • 18. Configuring the Windows XP IKE Policy

    Introduction
    On the General tab for the policy, you can modify the settings for Phase 1 (Main Mode) negotiations. In this example, you change Windows XP IKE policy settings to correspond to the Proventia Network MFS settings.

    Procedure
    To configure IKE on Windows XP:
    1. Select the General tab, and then continue as follows:
    2. Type a descriptive Name for this policy. Example: Proventia Network MFS
    3. If you are using Windows XP, select Advanced.
    4. In the Key Exchange Settings window, continue as follows:
       ■ Disable Master key perfect forward secrecy (PFS).
       ■ Set Authenticate and generate key every to 480 minutes.
       ■ Set Authenticate and generate a new key after every to 0 session(s).
    5. Click Methods for Key Exchange Security Methods.
    6. Remove all security methods.
    7. Add the following method:
       ■ Set Integrity algorithm to SHA1.
       ■ Set Encryption algorithm to 3DES.
       ■ Set Diffie-Hellman group to Medium (2).
  • 19. Creating a Windows XP IPsec Outbound Rule

    Introduction
    This part of the policy configures the encrypted VPN tunnel to the Proventia Network MFS. Here you set Phase 2 (Quick Mode) negotiations to consist of Encapsulating Security Payload (ESP) with Authentication and without Authentication Headers (AH). Since each Security Association is unidirectional, you must create both inbound and outbound IPsec rules for the VPN tunnel to the Proventia Network MFS.

    Procedure
    To create an IPsec outbound rule:
    1. Select the Rules tab, and then continue as follows:
       ■ In the lower right area, disable Use Add Wizard.
       ■ Select Add to create a new IPsec rule.
    2. Select the IP Filter List tab, and then click Add to set Filter Properties.
    3. In the Name field, type a descriptive name for this policy. Example: Outbound Proventia VPN filter
    4. Disable Use Add Wizard, and then add a new filter.
    5. Select the Addressing tab, and then continue as follows:
       ■ Set Source address to My IP Address.
       ■ Set Destination address to A specific IP subnet, and then type the IP address and subnet for subnet A that is behind the Proventia Network MFS.
       ■ Disable Mirrored.
    6. Select the Protocol tab, and then select protocol type Any.
    7. Click OK, and then click OK again.
    8. To enable the IP Filter List, select the left circle of the new rule.
    9. On the Filter Action tab, disable Use Add Wizard, and then select Add.
    10. Select the General tab, and then type a descriptive name. Example: Proventia Network MFS
    11. On the Security Methods tab, select Negotiate Security.
    12. Disable the following:
       ■ Accept unsecured communication
       ■ Allow unsecured communication
       ■ Session key perfect forward secrecy
    13. Click Add.
    14. Select Custom, and then click Settings.
    15. Add a security method, as follows:
       ■ Enable Data integrity and Encryption (ESP).
       ■ Set Integrity Algorithm to SHA1.
       ■ Set Encryption Algorithm to 3DES.
       ■ Set Generate a new key every to 100,000 Kbytes.
  • 20.    ■ Set Generate a new key every to 7200 seconds.
    16. Click OK.
    17. Click OK, and then click OK again to return to the Filter Action tab.
    18. Select the Authentication Methods tab.
    19. Click Add.
    20. Select Use this string (preshared key).
    21. Type a string that is at least 16 characters long for the preshared key. Example: 1234567890abcdef
    22. Click OK.
    23. Move the pre-shared key to the top.
    24. Select the Tunnel Setting tab.
    25. Select The tunnel endpoint is specified by this IP address.
    26. Set the IP address to the Proventia Network MFS external IP address. Example: a.a.a.a
    27. Select the Connection Type tab, and then select All Network Connections.
    28. Click OK.
    29. Click Close.
  • 21. Creating a Windows XP IPsec Inbound Rule

    Introduction
    The configuration for this rule is the same as the outbound rule except for the IP Filter.

    Procedure
    To create an IPsec inbound rule:
    1. Select the Rules tab, and then continue as follows:
       ■ Disable Use Add Wizard.
       ■ Click Add to create a new IPsec rule.
    2. Select the IP Filter List tab, and then click Add to set Filter Properties.
    3. Disable Use Add Wizard, and then Add a new filter.
    4. Select the Addressing tab, and then continue as follows:
       ■ Set the Source address to A specific IP Subnet, and then type the IP address and subnet for Subnet A which is behind the Proventia Network MFS.
       ■ Set the Destination address to My IP Address.
       ■ Disable Mirrored.
    5. Select the Protocol tab, and then select protocol type Any.
    6. Click OK, and then click OK again.
    7. To enable the IP Filter List, select the left circle of the new rule.
    8. On the Filter Action tab, select the left circle of the new Proventia Network MFS filter action to enable it.
    9. Select the Authentication Methods tab.
    10. Click Add.
    11. Select Use this string (preshared key).
    12. Type a string that is at least 16 characters long for the preshared key. Example: 1234567890abcdef
    13. Click OK.
    14. Move the pre-shared key to the top.
    15. Select the Tunnel Setting tab.
    16. Select The tunnel endpoint is specified by this IP address.
    17. Set the IP address to the Windows XP client IP address. Example: b.b.b.b
    18. Select the Connection Type tab, and then select All Network Connections.
    19. Click OK.
    20. Click Close.
  • 22. © Copyright IBM Corporation 2003, 2007. All Rights Reserved.
    IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both. Other company, product and service names may be trademarks or service marks of others. References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
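
A pre-flight check for the tunnel settings walked through in the Proventia and Windows XP sections above, as an added example that is not part of the IBM document: it converts both peers' Phase 1 and Phase 2 values to common units, lists every parameter that differs, checks the preshared key against the 16-character minimum, and confirms that the Windows filters cover both directions of the To_Windows_XP selector. The dictionary layout, function names and the documentation-range address standing in for b.b.b.b are assumptions; the sample values are transcribed from the tables and procedures above.

```python
"""Pre-flight check for the pre-shared-key tunnel described above.

Added example: the data layout and function names are assumptions, not a
Proventia or Windows API. Values are transcribed from the document's tables.
"""
import ipaddress

MIN_PSK_LEN = 16  # checklist: "minimum of 16 characters"

XP_CLIENT = "198.51.100.20"   # constructed stand-in for b.b.b.b
SUBNET_A = "192.168.1.0/24"   # subnet behind the Proventia Network MFS

mfs = {  # Tables 3, 4, 5 and 7
    "psk": "1234567890abcdef",
    "phase1": {"encryption": "3DES", "integrity": "SHA1", "dh_group": 2,
               "lifetime_secs": 7200},
    "phase2": {"encryption": "3DES", "integrity": "SHA1", "pfs_group": 2,
               "lifetime_secs": 7200, "lifetime_kbytes": 1000000},
    "selectors": [(SUBNET_A, XP_CLIENT)],  # To_Windows_XP policy only
}
windows_xp = {  # IKE policy, outbound rule and inbound rule procedures
    "psk": "1234567890abcdef",
    "phase1": {"encryption": "3DES", "integrity": "SHA1", "dh_group": 2,
               "lifetime_minutes": 480},
    "phase2": {"encryption": "3DES", "integrity": "SHA1", "pfs_group": None,
               "lifetime_secs": 7200, "lifetime_kbytes": 100000},
    # Two unmirrored filters: outbound, then inbound.
    "selectors": [(XP_CLIENT, SUBNET_A), (SUBNET_A, XP_CLIENT)],
}


def normalise(peer):
    """Flatten a peer definition into comparable values in common units."""
    p1, p2 = dict(peer["phase1"]), dict(peer["phase2"])
    if "lifetime_minutes" in p1:  # Windows states Phase 1 lifetime in minutes
        p1["lifetime_secs"] = p1.pop("lifetime_minutes") * 60
    flat = {f"phase1.{k}": v for k, v in p1.items()}
    flat.update({f"phase2.{k}": v for k, v in p2.items()})
    return flat


def compare_proposals(a, b):
    """Return {parameter: (a_value, b_value)} for every differing parameter."""
    fa, fb = normalise(a), normalise(b)
    return {k: (fa.get(k), fb.get(k))
            for k in sorted(fa.keys() | fb.keys()) if fa.get(k) != fb.get(k)}


def psk_problems(a, b):
    """Check that both peers hold the same key and that it is long enough."""
    problems = []
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ")
    if min(len(a["psk"]), len(b["psk"])) < MIN_PSK_LEN:
        problems.append(f"preshared key shorter than {MIN_PSK_LEN} characters")
    return problems


def _net(addr):
    # A bare host becomes a /32; host bits set in a subnet raise ValueError.
    return ipaddress.ip_network(addr, strict=True)


def missing_filters(gateway_selectors, client_filters):
    """List the client filters still needed to cover both directions."""
    have = {(_net(s), _net(d)) for s, d in client_filters}
    missing = []
    for src, dst in gateway_selectors:
        for pair in ((_net(dst), _net(src)), (_net(src), _net(dst))):
            if pair not in have:
                missing.append((str(pair[0]), str(pair[1])))
    return missing


if __name__ == "__main__":
    for param, (a, b) in compare_proposals(mfs, windows_xp).items():
        print(f"REVIEW {param}: MFS={a} Windows XP={b}")
    for problem in psk_problems(mfs, windows_xp):
        print(f"FIX {problem}")
    for src, dst in missing_filters(mfs["selectors"], windows_xp["selectors"]):
        print(f"FIX missing Windows filter {src} -> {dst}")
```

Run against the values as printed in this document, the check reports three differences to review before deployment: the Phase 1 lifetime, the Phase 2 Kbytes lifetime, and perfect forward secrecy.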