
XO™ VPN Technical Requirements Guide



XO™ VPN Tech Requirements Guide v1.1 (August-2003)
©2003 XO. All rights reserved. XO and XO design logo are trademarks of XO Communications, Inc.
Table of Contents

I. Purpose and Overview
   Summarizes the purpose of the Customer Support Guide and provides an overview of available information
II. Features
   Lists the features available with purchase of the XO VPN product
III. Standard VPN Configurations
   • Hub and Spoke
   • Full Mesh
IV. IOS and PIX Firewall
   Explains the features and benefits of using the IOS and PIX Firewalls with the XO VPN product
V. XO VPN and Standalone Firewall
   • XO Managed Standalone Firewall
   • XO VPN and Customer Managed Firewall
VI. Remote Access VPN
   Describes Remote Access VPN capabilities and limitations
VII. Network Demarcation
   The Demarcation point is defined as the boundary between the XO-managed CPE and the customer’s Local Area Network (LAN) interface
VIII. Frequently Asked Questions
I. Purpose and Overview

The XO VPN Customer Support Guide provides a technical framework for the types of configurations and applications XO is able to support for its customers. XO VPN uses private communication tunnels over the public Internet, and/or XO’s OC192 IP backbone, to create secure, cost-efficient connections between multiple customer sites or to connect remote users to a corporate LAN.

The platform creates virtual private networks by tunneling private network traffic between endpoints of the VPN. Endpoints are strongly authenticated before tunnels are established, and the encapsulated VPN packets are encrypted prior to transmission over the public Internet. These protections are intended to prevent unauthorized or unintentional disclosure of private network traffic.

XO uses a highly sophisticated operations platform to deploy and remotely manage the XO VPN service. XO will provide the customer read-only access to specific areas of the graphical user interface (GUI) to view security policies and to obtain VPN network reports of its network.

XO provides a fully managed service and therefore all customer premise equipment (CPE) must be purchased or rented directly from XO. XO VPN is not a “partially managed” or “customer managed” service. Any required VPN network changes will need to be made by XO operations personnel. XO offers customers the option to Rent or Purchase the CPE. Both options are fully managed by XO, as XO does not offer customer self-managed VPN service nor does XO manage CPE that is customer provided. XO uses Cisco routers and PIX devices for the VPN and Firewall CPE. All tunnels must initiate and terminate on XO managed equipment, and therefore all customer sites must be managed by XO.

II. Features

• Site-to-site VPNs
  o Hub-and-spoke and full mesh topologies
  o IPSec tunnels
  o Payload encryption using DES (56-bit) or 3DES (168-bit)
  o Device authentication using pre-shared keys
  o 768-bit or 1024-bit Diffie-Hellman key exchange
  o SHA-1 or MD5 hashing
  o Supports all standard TCP and UDP protocols
• Remote Access VPN
  o IPSec tunnels using DES (56-bit) or 3DES (168-bit) encryption
  o HMAC with MD5 or SHA-1 hashing
  o Fully RFC-compliant XO-custom RADIUS implementation
  o Fully compatible with Windows 9x/NT/2000/XP
  o Web-based interface for customer IT administrator access and administration
• DHCP support for customer LANs
  o Dynamic designation of IP addresses, Windows Internet Naming Service (WINS), and DNS servers
  o Adjustable lease expiration
  o Static mapping of hardware address to IP for devices that support BOOTP.
• Network Address Translation (NAT) for customer LANs
  o Many-to-one translation based on Cisco’s Port Address Translation (PAT)
  o Static mapping of ports to an internal IP address (PAT)
  o Static one-to-one NAT for one-site firewall solutions
• Demilitarized Zone (DMZ) network for customer servers
  o Protected Network that will be isolated from the secure LAN
• BGP routing for customers with a Class C (/24) subnet or larger
  o Default Route: single route provided to access the Internet
  o XO Routes: 1,500 routes from the XO network to the Internet and vice versa
  o Full Routes: Approximately 90,000 routes, and this number is growing daily.
• Stateful Inspection based IOS firewall policies featuring:
  o Cisco CBAC feature set
  o IP Spoofing prevention
  o Most standard TCP and UDP-based protocols
• Out-of-band (OOB) access to customer premise equipment via a dialup modem connection
  o Customer provided analog phone line required

III. Standard VPN Configurations

Two typical strategies exist for creating the tunnels that connect the sites participating in a VPN: Hub and Spoke and Full Mesh.

• Hub and spoke

Hub and spoke configurations create a VPN tunnel between each Spoke Site, typically a branch office location, and a Hub Site. In the standard form of this configuration, VPN communication will be between Spoke Sites and the Hub Site. A Backhauled policy will be necessary to facilitate communication between the Spoke Sites, and will be routed through the Hub Site as an intermediate hop. Adding a new spoke site does not require the reconfiguration of all sites in the VPN, just the creation of a new tunnel between it and the Hub Site.

A Hub and Spoke configuration reduces the number of tunnels that must be defined at each spoke site. Spoke sites typically make use of smaller security routers and can only terminate a limited number of tunnels. In some instances, this may be the technically required configuration.
Note: A PIX firewall device cannot be used as the hub in a backhauled hub and spoke configuration.

[Figure: Hub and Spoke topology. Labels: Spoke Site (×4), Hub Site, Internet]
• Full Mesh

A Full Mesh configuration connects each VPN site with an IPSec tunnel to all other VPN sites. Traffic from any site can reach any other site without transiting a Hub Site first. A fully meshed configuration adds connection redundancy to other sites due to a preexisting alternate VPN route. However, fully meshed VPNs usually require more management, larger endpoint routers and faster circuits because of the number of tunnels and intrinsic bandwidth consumption. In addition, adding or removing a site from fully meshed configuration requires that the Security Router at each site be reconfigured to add or remove the associated tunnels.

[Figure: Full Mesh topology. Labels: VPN Site (×8), Internet]

The XO VPN platform supports four types of standard transport methods:

• Dedicated Internet Access (DIA) – Provided by XO or a 3rd party ISP
• Integrated Access (IA) – XO provided or 3rd party with approval
• xDSL – Broadband Internet access provided by XO or a 3rd party ISP
• Datacenter – XO only

While nearly all circuit types and speeds are supported, a few requirements must be met for all:

• At least one (1) static publicly-routable IP address for the WAN interface of the security router
• No customer-managed servers or workstations between the VPN router and the Internet circuit unless express approval is provided during the NeedsMS review process.
• For circuits provided by a 3rd party ISP, an analog phone line must be supplied for the Out of Band (OOB) management. This feature is optional for XO access customers. If a phone line is not provided, XO will not assume responsibility for troubleshooting the VPN configuration until access through the circuit is reestablished.
• The DSL device must present an Ethernet (10BASE-T) interface for connection to the Security Router.
• DSL PPPoE requires an evaluation, and it may not be supported in all cases.
Performance stipulations

• For circuit speeds <230kbps at a hub site, latency may increase as additional spoke sites and remote access clients are connected. XO does not recommend the remote access feature for sites with <230kbps.
• For sites with multiple subnets consisting of private address space (RFC 1918), a switch is highly recommended to handle traffic behind the VPN router. A WINS server may also be necessary to allow resource shares specified by server name.
• For solutions utilizing a Backhauled Hub and Spoke VPN policy, the Hub site must have bandwidth scaled to meet the needs of all backhauled branch sites. XO recommends 2N, where N is the aggregate throughput of all backhauled branch sites. NeedsMS, the XO Managed Security evaluation committee, will assist in determining the necessary bandwidth required for your security solution.
• A DMZ or another additional interface configured with public IPs is not permitted on a spoke-site router that is part of a Backhauled Hub and Spoke VPN policy.
• An 806 router or any PIX device may not act as the hub for a Backhauled Hub and Spoke VPN Policy. The PIX device does not have the capability
• For configurations utilizing Port Address Translation to forward a specific port to an internal IP, users at other VPN sites and remote access clients will be unable to access that internal IP on the specific port that is being used in the NAT statement. They will be able to access it only on the public IP specified to forward the port.
• XO will not guarantee Network Neighborhood functionality across the VPN. Engineers can forward the applicable ports and traffic, but all configuration and troubleshooting of the customer WINS or Active Directory server will be the sole responsibility of the customer network administrator.

IV. IOS and PIX Firewall

Cisco IOS and PIX Firewalls offer sophisticated security and policy enforcement for connections within an organization (intranet) and between partner networks (extranets), as well as for securing Internet connectivity for remote and branch offices. They enhance existing Cisco security capabilities, such as authentication, encryption, and multi-protocol routing, with state-of-the-art security features, such as stateful, application-based filtering (context-based access control) and defense against network attacks.

CBAC creates temporary openings in access lists at firewall interfaces. These openings are created when specified traffic exits your internal network through the firewall. The openings allow returning traffic (that would normally be blocked) and additional data channels to enter your internal network back through the firewall. The traffic is allowed back through the firewall only if it is part of the same session as the original traffic that triggered CBAC when exiting through the firewall.
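The session tracking described above can be modelled directly. The following Python model is an added example, not Cisco or XO code; the class `CbacFirewall`, the addresses and the port numbers are constructed for illustration. It shows why generic TCP inspection admits replies on an FTP control connection, while the server-initiated data channel of Active FTP is admitted only when FTP inspection reads the client's PORT command.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2" announces the client's listening address (RFC 959).
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class CbacFirewall:
    """Model of CBAC: the inbound access list denies everything except
    temporary openings created by inspected outbound traffic.
    Hypothetical class; TCP state tracking, timeouts and NAT are left out."""

    def __init__(self, inspect):
        self.inspect = set(inspect)   # protocols under inspection
        self.openings = set()         # (proto, src, sport, dst, dport) allowed inbound

    def outbound(self, proto, src, sport, dst, dport, payload=""):
        """A packet leaves the internal network through the firewall."""
        if proto in self.inspect:
            # Open the mirror image of this flow only: same session, reversed.
            self.openings.add((proto, dst, dport, src, sport))
        if "ftp" in self.inspect and proto == "tcp" and dport == 21:
            m = PORT_RE.search(payload)
            if m:
                *octets, p1, p2 = m.groups()
                data_port = int(p1) * 256 + int(p2)
                # Additional data channel: the server connects from port 20
                # to the address and port the client announced.
                self.openings.add(("tcp", dst, 20, ".".join(octets), data_port))

    def inbound(self, proto, src, sport, dst, dport):
        """True if a packet arriving from outside is let back in."""
        return (proto, src, sport, dst, dport) in self.openings


# Constructed sample addresses (private client, documentation-range hosts).
CLIENT, SERVER, STRANGER = "192.168.1.10", "203.0.113.5", "198.51.100.9"


def active_ftp(inspect):
    """Return verdicts for (control reply, server data connection, unrelated host)."""
    fw = CbacFirewall(inspect)
    fw.outbound("tcp", CLIENT, 40000, SERVER, 21)        # control connection
    fw.outbound("tcp", CLIENT, 40000, SERVER, 21,
                "PORT 192,168,1,10,156,65\r\n")          # 156*256 + 65 = 40001
    return (fw.inbound("tcp", SERVER, 21, CLIENT, 40000),
            fw.inbound("tcp", SERVER, 20, CLIENT, 40001),
            fw.inbound("tcp", STRANGER, 20, CLIENT, 40001))


def passive_ftp(inspect):
    """In passive mode the client opens the data connection itself."""
    fw = CbacFirewall(inspect)
    fw.outbound("tcp", CLIENT, 40000, SERVER, 21)
    fw.outbound("tcp", CLIENT, 40002, SERVER, 50123)     # data, client-initiated
    return fw.inbound("tcp", SERVER, 50123, CLIENT, 40002)


if __name__ == "__main__":
    print("TCP/UDP inspection only:", active_ftp({"tcp", "udp"}))
    print("TCP/UDP + FTP inspection:", active_ftp({"tcp", "udp", "ftp"}))
    print("Passive FTP, TCP/UDP only:", passive_ftp({"tcp", "udp"}))
```

Passive FTP succeeds under generic TCP inspection because every connection starts from the inside; only the Active FTP data channel depends on the firewall parsing the control stream.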
Listed below are the Firewall configurations available with the XO Managed Security product:

Basic Inspection
• Context Based Access Control (CBAC) configured to generically inspect TCP and UDP
• Prevents IP Spoofing

Basic Inspection + FTP
• Inspects TCP, UDP, and FTP traffic generically using CBAC
• Allows for use of Active FTP service
• Prevents IP Spoofing

Standard Inspection
• CBAC is used to inspect TCP, UDP, FTP, HTTP, and SMTP packets
• Allows for use of Active FTP service
• Prevents IP Spoofing
• Permits service management and monitoring
Note: May interfere with use of ESMTP. Confirm you are not using ESMTP before choosing this option

Advanced Inspection
• Inspects IP packets for many different applications using CBAC. IP applications include: FTP, SMTP, TFTP, HTTP, UNIX-R (such as rlogin, rexec, and rsh), CuSeeMe, H.323, Microsoft Netshow, RPC (only Sun RPC), SQL Net, Streamworks, and VDOLive
• Allows for use of Active FTP service
• Prevents IP Spoofing
• Permits service management and monitoring
Note: May interfere with use of ESMTP as noted above. This level of inspection may impact performance. Please speak with your sales team before choosing this option.
No Inspection – Filtering Only
• Opens traffic to specific service points behind a device without the performance overhead of stateful inspection, intrusion detection, and antispoofing. This setting mimics a simple Cisco Access Control List (ACL).

Custom Inspection Policy
• Customer Administrator may pick and choose from a specific list of available protocols to configure a custom inspection policy
Note: High levels of inspection may impact performance.

The basic Firewall templates described above apply to all internal (non-WAN) interfaces of the Cisco router, inspecting traffic headed from the internal networks to the Internet. Inbound traffic is only permitted by the configuration of a Firewall Policy, which can be applied to a specific interface, subnet or host IP.

Performance stipulations

• Active FTP is only permitted when FTP inspection is activated.
• ESMTP (Extended SMTP, found most often with Microsoft Exchange) will be blocked if SMTP packets are inspected.
• DMZ subnets and/or interfaces with publicly accessible IPs are not permitted at spoke sites of a backhauled VPN policy.
• CBAC does not detect or block encapsulated (such as .zip or .jar) Java applets. CBAC also does not detect or block applets loaded from FTP, SMTP, HTTP, etc. on a nonstandard port.

V. XO VPN and Standalone Firewall

These days, Internet Security is something that concerns all companies, whether they have five employees or 500,000. While XO’s Managed Firewall offering is appropriate for protecting most corporate networks, some customers may want or need increased security. In an effort to more fully develop the XO VPN product offering, XO has expanded the service to include compatibility with either the XO Managed Checkpoint Firewall solution or certain customer owned and managed standalone firewalls.
• XO Managed Firewall

The XO VPN and Managed Firewall product is quickly growing in popularity because it allows customers to utilize the versatile Cisco VPN platform while benefiting from the increased security provided by the industry-leading Checkpoint firewall. XO is able to combine a Backhauled Hub and Spoke VPN solution with the Checkpoint Firewall and route all Internet traffic from the branch sites through the firewall. This allows for more granular security and more extensive reporting via the WebTrends reporting system.

[Figure labels: Spoke Site (×4), Hub Site VPN Router, Hub Site Firewall, Router, Cisco PIX, Ethernet, Internet]
• XO VPN and Customer Managed Firewall

XO VPN can also be configured in conjunction with a customer owned and managed standalone firewall. This configuration requires that XO engineers change the default route of the VPN router to one of the interfaces on a customer firewall. Because of the additional configuration necessary for this solution, it is only recommended for customers that can meet the requirements listed below. There is also extra information needed in the Site Surveys so that XO engineers can provide a functional security solution.

Functional stipulations of XO VPN and Standalone FW (managed or unmanaged):

• A separate router must be purchased or leased to use for XO VPN at the hub site location.
• Bandwidth at hub site must be able to accommodate all Internet traffic from the spoke sites. XO only offers the Checkpoint solution with Dedicated Internet Access (T-1 or greater).
• XO does not provide content filtering or anti-virus modules with the Checkpoint firewall
• A minimum of 2 public IPs must be available for the external addresses of the Firewall and VPN router.
• A DMZ or another additional interface configured with public IPs is not permitted on a spoke-site router that is part of a Backhauled Hub and Spoke VPN policy.
• XO VPN and Standalone firewall is not available with a PIX device used for the VPN CPE.

Requirements for XO VPN and Customer Managed Standalone FW:

• Customer firewall must have at least two additional Ethernet ports available for the VPN router and LAN subnet. A port for a DMZ subnet is optional
• Customer firewall must have the capability to allow the public IP on the VPN router full access to the Internet without NAT
• Customer firewall cannot NAT the VPN traffic
• Customer technical contact must be able to add static routes in the firewall for all branch site subnets pointed to the internal IP on the VPN router
• Customer must provide an OOB line for access to the VPN router should direct access be lost during the configuration process

VI. Remote Access VPN

In addition to using hardware devices to access a VPN, customers may also use a software-based client running on their end users’ PCs or Laptops. This software client will allow users with an Internet connection to authenticate and temporarily join a corporate VPN. The remote VPN user can make use of this software from any location having Internet connectivity (e.g., a dialup connection (to XO or 3rd party ISP), DSL, or cable modem). The Internet service must not be filtered and must not make use of network address translation (NAT) in order to be compatible with the tunneling protocols.

The software client implements this functionality using IPSec with DES or 3DES encryption. Clients joining the VPN will go through a double authentication procedure, including a group name and password and an individual username and password. This user authentication data will be stored in a fully RFC compliant custom RADIUS implementation that has evolved within XO and Concentric since 1995.

A portion of the management interface will be extended to the specified technical contact to allow self-service administration. This administration will allow the customer to add, change and delete remote access users.
The remote access client software is compatible with most Windows operating systems, including:

• Windows 98 SE***
• Windows NT Service Pack 6a***
• Windows ME
• Windows 2000
• Windows XP Home
• Windows XP Professional

***no longer supported by Microsoft
XO recommends that customers load a Microsoft-supported Operating System onto all workstations using the Cisco remote access client. XO is not responsible for troubleshooting Windows platform issues nor for ensuring non-Microsoft-supported Operating Systems work correctly with the Cisco remote access client.

There is a client available from Cisco to support additional operating systems; it can be obtained from

XO will not be responsible for the configuration, management, maintenance or support of a non-XO provided client interface. In addition, XO will not provide configuration or troubleshooting expertise for a customer’s end users. XO will only be responsible for support when contacted by the technical contact specified in the site survey.

Functional Recommendations:

• Certain applications may require too much bandwidth to run across a VPN if the user is connected with a dial account. Processor or memory-intensive applications should be reserved for users with high-speed access.
• IPSec tunneling does not pass broadcast traffic, so NetBIOS names will not be transported across the VPN unless a WINS server is implemented into your network design.
• Access to your internal network will be limited by your network configuration. To ensure full access for your remote access users, confirm that shares are specified with correct permissions before contacting an XO engineer.
• By default, XO configures all remote access clients using a “Split-Tunneling” solution. This forces clients to access the Internet directly instead of through the XO VPN router. Talk to your Managed Security Engineer if another solution is desired.

VII. Network Demarcation

The Demarcation point is defined as the boundary between the XO managed CPE and the customer’s Local Area Network (LAN) interface. XO is responsible for managing and troubleshooting up to the demarcation point that separates the customer’s LAN and the XO managed service point.
Any issues beyond the demarcation point, LAN-facing and relating to or originating from the customer LAN and having impact on the XO VPN service are the responsibility of the customer. Typical demarcation points are considered to be RJ-x or Ethernet hand-off interfaces from the XO managed CPE to the customer owned CPE or directly to the customer LAN.

As with all fully managed products, XO will be wholly responsible for the configuration, installation, management, and maintenance of the devices provided to the customer for the XO VPN. Any configuration requests after the time of installation shall require a trouble ticket in order for the support team to make the changes. XO will provide all relevant information for initial configuration of the customer network and a reporting interface for the customer to monitor network activity.

Though devices on your network may function correctly prior to the XO VPN service installation, configuration changes may be necessary in order for them to be compatible with the VPN technology. XO shall not, in any way, be responsible for the configuration, installation, management, maintenance, troubleshooting or support of customer owned and/or managed servers, workstations, or network devices.
Relevant information provided by XO shall include:

• An updated site survey and network diagram detailing IP schema, specified server locations, and initial security configuration (if firewall is applied)
• Default route, netmask, and DNS if hosted by XO
• Usernames and passwords for all accounts created during the provisioning process
• Administrator and Installation guides and links to information resources
• Testing information to show security configuration has been verified
• Contact numbers for Managed Security Engineers

Customer will be responsible for:

• All server configurations, including IPs, default route, DNS, WINS, host files, active directory information, active server scripts, SMTP and POP3 relaying, etc.
• Directing the XO engineers to open necessary ports according to how their servers are configured.
• All application support
• All IT and troubleshooting on customer owned servers, workstations, and network devices.
• All other configuration, management, maintenance, and support of any equipment not expressly provided by XO for use with the XO VPN product.

Remote Access VPN is sold as an unmanaged product, and support for this product will be the sole responsibility of the customer-specified technical consultant or network administrator. XO will communicate with the technical contact specified in the site survey to set up initial accounts and verify operability. XO will only take calls from the technical contact requesting support for the remote access product. Once XO Provisioning and Operations teams have verified the Remote Access product is functional, the customer will have 5 business days to perform network testing and present issues before the case is marked billable.
XO will provide the following information pertaining to the remote access product:

• Administrator guides
• Pre-configured client software that includes WINS, DNS, and IP specifications provided by the customer
• Proof of functionality (i.e., ping test by name or IP)

XO will not provide support directly to end users of the Remote Access VPN product. Support can only be requested by and provided for the aforementioned specified customer technical contact.
VIII. Frequently Asked Questions

Will the XO VPN product allow us to build a tunnel from an XO managed VPN router to a non-XO provided Cisco router?
No. XO must manage both ends of the tunnel as part of the managed VPN service. In order to assure correct functionality and compatibility between sites and CPE, XO provided CPE is required.

Is the XO VPN compatible with H.323 video conferencing protocols?
H.323 uses standard TCP and UDP packets, and should be compatible with the VPN product. Keep in mind that although H.323 traffic should run over a VPN, H.323 applications are not expressly sold by XO. Therefore, it will be the responsibility of the customer to install and troubleshoot any H.323 applications. XO is not responsible for any troubleshooting beyond the XO VPN router.

Can I use an existing ISDN line through another provider for the XO VPN?
ISDN is not a dedicated service and is not compatible with our management system, so we cannot support the placement of a VPN router behind an ISDN modem. ISDN is compatible with the Remote Access VPN product, which will allow individual users to access a corporate LAN.

Does the XO VPN support IPX or AppleTalk?
No. XO VPN only supports IP-based protocols. Any encapsulation from an unsupported network protocol needs to be performed by the customer before the packet is handed over to XO for transport. We hope to support this feature in a future enhancement.

Do I have to have a full Class C (/24) block of IP addresses to add the BGP option?
Yes. XO and most other ISPs will not announce network advertisements smaller than a class C IP block (/24).

What information do I need to provide to order BGP with XO or Full Routes?
XO engineers will request your Autonomous System number (AS number), which can be obtained from the American Registry for Internet Numbers; your routes that need to be accepted by XO; information about whether the connection is to be used primarily for redundancy or load-balancing; and the BGP questionnaire that provides configuration details.

What configuration changes do I need to make if I am running my own NAT server with the XO VPN?
All NAT traffic will need to be denied to the remote site private subnets. XO will add static routes in the VPN routers to account for NAT’d subnets that will access the VPN.

Does XO support URL Filtering on the firewall?
No. We hope to support this feature in a future enhancement.

Will XO allow any requested protocol through the firewall?
Yes. XO engineers will work closely with the technical contact specified on the site survey to ensure all requested ports are opened for specified protocols.

What if I know what application or protocol I am trying to use, but not what port(s) it requires?
If it is a common application, XO engineers will know what ports are required. If it is an application specific to your company, you will have to contact the technical support representatives for that product and provide XO with the needed information.

I can ping my FTP server, but am unable to connect. Is the XO firewall blocking FTP connections?
Confirm that your FTP client is configured to utilize Passive FTP. If that is not the case, request that an XO engineer apply FTP inspection to allow Active FTP connections through the IOS Firewall.
Does the XO VPN/IOS Firewall option permit user authentication?
No. XO cannot create authentication-based policies for the XO VPN/IOS Firewall product. This may be a product enhancement available at a future date.

Can I use DHCP across the VPN?
Yes. There are several different ways to use DHCP with the XO VPN. The first is to have XO configure DHCP on the Cisco router(s) and supply all the information from the router itself. A second is to run your own DHCP server and supply that information to XO during the provisioning process. The engineers can add a statement to pass DHCP traffic across the VPN. Remote Access users only have a choice to use DHCP to receive network settings. This will be configured by default on the Cisco router.
***NOTE*** DHCP uses broadcast traffic to populate the network with TCP/IP information. Passing broadcast traffic across a VPN will be bandwidth intensive. If you experience increased latency or decreased throughput after choosing to activate DHCP across the VPN, contact XO and the provisioning or support teams will suggest an alternate solution.

Does XO offer a Macintosh or UNIX client?
Yes, however, XO is not responsible for the installation, configuration, management, or maintenance of a non-Windows client. The client can be obtained from

Will the remote access client support any remote access provider? What are the requirements?
Yes. Remote VPN access requires an Internet connection (dial or other) that is unfiltered.

Will the XO VPN remote access client work with PPPoE?
Yes. However, you cannot install the client when the PPPoE session is live. Disconnect DSL/PPPoE session, install the client, reboot your machine, reconnect the DSL session, and then run the client.

Will the remote access client work behind a NAT’d connection?
Certain routers will support NAT Transparency. Speak to your security engineer to discuss your options.

Do I have the ability to manage my remote users?
Yes. The technical contact specified on the site survey will have access to a web-based GUI, which will allow them to manage their own remote access users. They can make additions, deletions and changes.

What ports do I need to open on my firewall to allow the remote access client to connect from my internal network?
This is an IPSec client, and therefore requires the following protocols and ports to be opened:
• Encapsulating Security Payload (ESP) – IP protocol 50
• Authentication Header (AH) – IP protocol 51
• Internet Security Association and Key Management Protocol (ISAKMP) – UDP 500

Does XO provide VPN to International locations?
XO can provide International Dial connectivity through its partnership with GRIC (global roaming service). XO does not currently support International sites via dedicated access (DSL, DIA, customer provided access or otherwise). International Dial clients can use the remote access client to log into their corporate network.

How do I map a drive across the VPN?
Once logged on to the remote access client, go to Windows Explorer/Tools/Map Network Drive. Choose the drive letter, and then type in the path to the server with the shared drive. Format: \\x.x.x.x\share, where x.x.x.x is the IP of the server to which you are trying to connect. If WINS is enabled, format can be: \\servername\share.

Can I use my own RADIUS server?
No. This feature may be available at a later date.
I keep getting a username or password is incorrect error when I try to access network resources. How do I fix that?
Windows NT and Windows 2000 have built-in functionality for accessing resources not in the same domain as your workstation. When trying to map a network drive, fill in the “connect as” prompt with your domain and network username. Format: DOMAIN\username. The server will then prompt you for your password. Windows 95 and 98 do not offer this functionality, so the username and password used to log on to the workstation will be the ones transmitted to the remote server. In order to access resources, the network administrator must add the usernames and passwords of all Windows 95 and 98 clients to the shared resources on the server.
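The algorithm options in the Features list (section II) correspond to Cisco IOS ISAKMP policy lines, where 768-bit and 1024-bit Diffie-Hellman are groups 1 and 2. The following Python check for reviewing equipment that still carries such settings is an added example, not XO or Cisco code: the sample configuration is constructed, the grading table is this example's assumption, and the defaults are those assumed for classic IOS releases when a line is absent from the running configuration.

```python
import re

# Values classic Cisco IOS applies when "show running-config" omits the line
# (assumed defaults: DES, SHA-1, DH group 1, RSA signatures).
IOS_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1",
                "authentication": "rsa-sig"}

# Grading used by this example (an assumption, not XO policy).
RATING = {
    ("encryption", "des"): "broken",    # 56-bit key
    ("encryption", "3des"): "legacy",   # 64-bit block cipher
    ("hash", "md5"): "broken",
    ("hash", "sha"): "legacy",          # "sha" in IOS means SHA-1
    ("group", "1"): "broken",           # 768-bit MODP
    ("group", "2"): "legacy",           # 1024-bit MODP
}

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
ATTR_RE = re.compile(r"^\s+(encr(?:yption)?|hash|group|authentication)\s+(\S+)")

# Constructed sample; policy 20 relies on defaults for encryption, hash, group.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 authentication pre-share
 lifetime 3600
!
"""


def parse_isakmp_policies(config_text):
    """Return {policy number: effective attributes}, defaults filled in."""
    policies, current = {}, None
    for line in config_text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = dict(IOS_DEFAULTS)
            policies[int(m.group(1))] = current
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            key = "encryption" if m.group(1).startswith("encr") else m.group(1)
            current[key] = m.group(2).lower()
        elif not line.startswith(" "):
            current = None              # left the policy sub-mode
    return policies


def audit(config_text):
    """List (policy, attribute, value, grade) for every graded setting."""
    findings = []
    for number, attrs in sorted(parse_isakmp_policies(config_text).items()):
        for key in ("encryption", "hash", "group"):
            grade = RATING.get((key, attrs[key]))
            if grade:
                findings.append((number, key, attrs[key], grade))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("policy %d: %s %s -> %s" % finding)
```

Policy 20 shows why the defaults matter: it has no encryption, hash or group line at all, yet it is the weakest proposal in the sample.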