<!doctype HTML public "-//W3C//DTD HTML 4.0 Frameset//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">

<meta name="generator" content="Adobe RoboHelp 9">
<title>Support for Remote Access via VPN - Introduction</title>
<!--[if lt IE 5.5000]><style type="text/css">@import "/wiki/skins/monobook/IE50Fixes.css";</style><![endif]-->
<!--[if IE 5.5000]><style type="text/css">@import "/wiki/skins/monobook/IE55Fixes.css";</style><![endif]-->
<!--[if IE 6]><style type="text/css">@import "/wiki/skins/monobook/IE60Fixes.css";</style><![endif]-->
<!--[if IE 7]><style type="text/css">@import "/wiki/skins/monobook/IE70Fixes.css?1";</style><![endif]-->
<!--[if lt IE 7]><script type="text/javascript" src="/wiki/skins/common/IEFixes.js"></script>
<meta http-equiv="imagetoolbar" content="no" /><![endif]-->
<!-- Head Scripts -->
<link rel="stylesheet" href="HtmlHelp.css" type="text/css">

</head>

<body class="ns-0 ltr">
<div id="globalWrapper">
<div id="column-content">
<div id="content">
<h1 class="firstHeading">Support for Remote Access via VPN - Introduction</h1>
<div id="bodyContent">
<p id="siteSub">This section discusses some of the issues
involved in accessing Soundweb London networked devices
from a remote PC over the Internet. For example, this
could allow monitoring of a Soundweb London installation
using HiQnet London Architect running on a remote PC with
Internet access. HiQnet London Architect software version
1.12 is assumed throughout the discussion.</p>
<p> <br>
One important issue during this remote access is the security
of the data. Communication takes place over a public
network, and if no security measures are taken this data
could potentially be captured and used by anyone en route.
Fortunately, security measures such as a 'Virtual
Private Network' (VPN) allow such communication over
the Internet in a secure way.</p>
<p><a name="Virtual_Private_Networks_.28VPNs.29" id="Virtual_Private_Networks_.28VPNs.29"></a></p>
<h2>Virtual Private Networks (VPNs)</h2>
<p>A 'Virtual Private Network' can be described as the
ability to tunnel through the Internet or another public
network in a manner that provides the same security and
other features formerly only available on private networks.
This is illustrated below for the typical scenario of
running HiQnet London Architect from a remote PC with
Internet access and connecting to a Soundweb London network
using a VPN connection:</p>
<p><img src="VPN1.jpg" alt="Image:VPN1.jpg" title="Image:VPN1.jpg" style="border-width: 2px; border-style: solid; margin-top: 0px; margin-bottom: 0px; margin-left: 0px; margin-right: 0px;" border="2"></p>
<p>Using VPNs to communicate across the Internet allows
security to be maintained as the VPN uses a secure tunnelled
connection. Security measures include authentication of
users and encryption of data packets over the VPN. With
tunnelling, a message packet is encapsulated within an
IP packet for transmission across the public network,
with the encapsulating information being stripped off
upon arrival at the target.</p>
<p> <br>
In Windows XP, two types of remote access VPN technology
exist:</p>
<ul>
<li class="p"><p>PPTP (Point to Point Tunnelling Protocol)
-- This has good encryption and uses user authentication.
PPTP is used in Microsoft VPN clients and is the easiest
to set up, as it does not require a certificate infrastructure
but uses the login credentials to create the encryption
keys for the session.</p></li>
<li class="p"><p>L2TP (Layer 2 Tunnelling Protocol)
-- This uses IPSec security for a higher level of
encryption than PPTP and adds user authentication
using a certificate scheme.</p></li>
</ul>
<p> <br>
In the diagram above, the remote PC user would set up a
VPN client connection to the Soundweb London installation.
This would normally be achieved by using a 'well-known'
name which has been registered for the VPN connection
(e.g. vpn.mySoundwebLondonInstall.com); this is just
an easier way of connecting to the IP address of the VPN
server router. The next step would be to supply a username
and password which have previously been set up on the VPN
server router. Once the supplied user account has been
authenticated, the VPN server router will allocate an
IP address to the VPN client (i.e. the remote HiQnet London
Architect PC), which will make the PC appear to be
just another node sitting on the same network as the Soundweb
London devices.</p>
<p><a name="Broadcast_Exchanges_over_the_VPN" id="Broadcast_Exchanges_over_the_VPN"></a></p>
<h2>Broadcast Exchanges over the VPN</h2>
<p>All unicast (i.e. point to point) IP traffic will be
transported over the VPN connection as if the VPN client
were on the same network. However, some forms of traffic
are not automatically transported over the VPN connection
and typically this will include broadcast based protocols.
Broadcast packets will go no further than the router at
the VPN client end of the connection. However, some protocols
such as ARP and DHCP get around this by having the router
'spoof' replies to the local broadcast packets. This 'spoofing'
of replies is handled by 'Proxy ARP' and 'DHCP Relay Agent'
software within the router.</p>
<p> <br>
HiQnet London Architect also uses broadcast packets:</p>
<ul>
<li class="p"><p>HiQnet devices announcing their presence
on the network</p></li>
<li class="p"><p>HiQnet London Architect querying which
devices are present on the network</p></li>
</ul>
<p> <br>
No facilities exist in the router software to aid the transport
of these packets over the VPN. The way around this problem
is the use of the 'Static Routes' feature within HiQnet
London Architect. Essentially this is a way of defining
point to point routes to all Soundweb London devices with
which communication must be possible.</p>
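<p>The check below is an added example, not part of the original help page or of HiQnet London Architect: before addresses are entered under 'Static Routes', it confirms that each entry is a unicast host address on the device LAN, since broadcast destinations go no further than the router at the VPN client end. The subnet, device names and addresses are constructed, and it assumes all Soundweb London devices share one subnet.</p>

```python
import ipaddress

def classify_destination(dst, lan):
    """Say how a packet sent to `dst` is addressed relative to the device LAN."""
    addr = ipaddress.ip_address(dst)          # raises ValueError on bad input
    net = ipaddress.ip_network(lan)
    if addr == ipaddress.ip_address("255.255.255.255"):
        return "limited-broadcast"            # never forwarded by a router
    if addr == net.broadcast_address:
        return "directed-broadcast"           # all-hosts address of the LAN
    if addr.is_multicast:
        return "multicast"
    if addr == net.network_address:
        return "network-address"              # not a usable host address
    return "unicast-on-lan" if addr in net else "unicast-off-lan"

def plan_static_routes(devices, lan):
    """Split (name, ip) entries into usable unicast targets and rejected ones."""
    routes, rejected, seen = [], [], {}
    for name, ip in devices:
        try:
            kind = classify_destination(ip, lan)
        except ValueError:
            rejected.append((name, ip, "invalid-address"))
            continue
        key = str(ipaddress.ip_address(ip))   # normalised form for comparison
        if kind != "unicast-on-lan":
            rejected.append((name, ip, kind))
        elif key in seen:
            rejected.append((name, ip, "duplicate-of-" + seen[key]))
        else:
            seen[key] = name
            routes.append((name, key))
    return routes, rejected

# Constructed inventory for a hypothetical 192.168.1.0/24 device LAN (assumption).
DEVICE_LAN = "192.168.1.0/24"
INVENTORY = [
    ("blu-rack-1", "192.168.1.10"),
    ("blu-rack-2", "192.168.1.11"),
    ("discovery", "192.168.1.255"),   # broadcast: stops at the client-side router
    ("blu-copy", "192.168.1.10"),     # same address entered twice
    ("blu-annex", "192.168.2.20"),    # outside the device LAN
    ("blu-typo", "192.168.1.300"),    # malformed address
]

if __name__ == "__main__":
    print(plan_static_routes(INVENTORY, DEVICE_LAN))
```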
<p><a name="VPN_Clients_within_Business_Organizations" id="VPN_Clients_within_Business_Organizations"></a></p>
<h2>VPN Clients within Business Organizations</h2>
<p>If the remote HiQnet London Architect PC (VPN Client)
is operating from within a business environment (e.g.
with a firewall, proxy web server, network address translators
etc.) then it is possible that the VPN connection to the
Soundweb London installation may not be established. This
could be due to the network infrastructure within
the business organization. For example, in a business
environment it is common to use proxy servers to access
web pages on behalf of other computers. When a computer requests
a web page, it is retrieved by the proxy server and then
forwarded to the requesting computer. The remote computer
hosting the web page is never in direct contact with the
requesting computer, only with the proxy server. This
behaviour can interfere with the establishment of VPN
connections unless the proxy server itself is 'VPN aware'.
The best solution in this case is to consult the IT department
within the business to determine what is preventing outgoing
VPN connections from being established.</p>
</div>
</div>
</div>
</div>
<p style="margin-bottom: 0;"> </p>
</body>
</html>