
Sabre VPN 2.0

calixte

Presentation Transcript


    1. Sabre VPN 2.0 Support Training. Gerry Davis, October 2005.

    2. Overview What is Sabre VPN 2.0 Overview Methods of connecting MySabre and Desktop Applications with MySabre New Installations Migrating existing Users Using MySabre with SVPN SVPN Icon Troubleshooting Questions & Answers Agenda

    5. What is Sabre VPN 2.0? A combination of Sabre and Nortel technology that uses the SSL (Secure Socket Layer) port to establish a secure tunnel between a Port Forwarder and the Nortel 3050 Gateways. It is an alternate means of connecting to the MySabre Emulator and the Sabre Print Module via a secure tunnel, to utilize private and persistent connections to Sabre. SSL VPN 1.0 was released with Aeroflot, March 2005. SSL VPN 1.1 was released (restricted) globally, June 2005. Available 24 October, 2005, pending NOFEP/HSSP certification. Improvement over SSL VPN 1.x: now a Java Web Start application running locally in the System Tray; no longer uses multiple browser windows for the Nortel Portal and Port Forwarder; seamless user experience; MySabre will launch the client automatically; MySabre single sign on for MySabre; separation of communication from application.

    6. What is Sabre VPN 2.0?

    8. Portal Public Connection. MySabre Public or Portal connection today: Java Applet only; requires an Internet connection; Browser SSL (Secure Socket Layer); SSL session from the client to Dragonfly; TA session from Dragonfly to OFEP; not a persistent connection; polling is used between Client and Dragonfly.

    9. Portal Public Connection w/TA Sharing. Public or Portal/TA Sharing connection today: the Emulator uses the JCSAPI to communicate to Sabserv (Sabserv driver); JServer uses a separate HTTP client to provide a Secure Socket Layer connection to Dragonfly; SSL session from the client to Dragonfly; TA session from Dragonfly to OFEP; still not a persistent connection; polling is used between Client and Dragonfly.

    10. Portal Private Connection. Portal Private Connection today and tomorrow: a Private connection is an HSSP/NOFEP connection; uses the JCSAPI HSSP driver; requires a dedicated or VPN connection to Sabre; direct connection to HSSP; TA session from client to HSSP; persistent connection; no polling. HSSP is inherently faster since it is a direct IP connection to Sabre.

    11. Portal Private Connection w/TA Sharing. Portal Private/TA Sharing connection today and tomorrow: the Emulator uses the JCSAPI Sabserv driver; Jserver uses the JCSAPI HSSP driver.

    12. Portal Private Connection w/TA Sharing - Configuration. Sabserv connections will always be displayed in the emulator as Sabserv. There is no distinction between a public Sabserv connection vs. a private Sabserv connection; Sabserv will be displayed in the connection box for both Public and Private. Sabserv connections must be configured in two places: (1) through SETUPTA.EXE (Workstation Setup) using the Portal Service Provider; (2) Configure Legacy Access (Jserver) for private or public Sabserv connection, located in Start/Programs/MySabre/Sabre Configurations. If not present, update the MySabre module using the Check for Update tools. The Jserver must be restarted for changes in the Configure Legacy Access (Jserver) to take effect.

    13. Portal Private Connection w/TA Sharing - Configuration. If Sabserv is configured for Public, Sabserv will connect to Dragonfly.

    14. Portal Private Connection w/TA Sharing - Configuration. If Sabserv is configured for Private, Sabserv will connect directly to HSSP.

    15. Sabre Print Module Public Connection. SPM SSL printing today: layers of communications; Client SSL (Secure Socket Layer); SSL session from the client to Dragonfly; TA session from Dragonfly to OFEP; not a persistent connection; polling is used.

    16. Sabre Print Module Private Connection. SPM printing tomorrow: fewer layers; time-proven OFEP connection; persistent connection; direct connection to OFEP; faster; no polling; will eventually move to HSSP.

    18. New Installations - Operating Systems Requirements. Same as MySabre: 128MB of RAM or better is suggested (minimum amounts of RAM + another JVM application = ?). Windows 95/98/ME: Sabre supplied Windows registry patch required (https://my.sabre.com/migration/migSupport.jsp, http://installs.cert.sabre.com/Cert/support/vpn/1536.reg); see Appendix A for additional notes. Windows XP with Service Pack 2: Microsoft Update must be installed (https://my.sabre.com/migration/migSupport.jsp, http://support.microsoft.com/default.aspx?scid=kb;en-us;884020); see Appendix B for additional notes. Sun JRE 1.3.X: Java Web Start (JWS) and Java Secure Socket Extensions (JSSE) updates; separate installations for JRE 1.3.X; the Compatibility check will prompt the user if this update is required (http://installs.cert.sabre.com/Support/sslvpn/).

    19. New Installations - Other Points to Consider. Sun JVM 1.4.2_06 is the current JVM supported by Sabre. The applet can use a JVM supplied by Microsoft as well, but the Sabre preference is the Sun JRE 1.4.2_06, which is the certified version for both Sabre VPN and the MySabre portal. Utilizing the Sun version of the JVM also allows the installer or support desk to capture console logs for troubleshooting purposes. Has been certified on Sun JVM 1.3.1_xx. The user will have to install Java Web Start (JWS) and Java Secure Socket Extensions (JSSE) if they are running JVM 1.3.1_xx. The system will detect whether these updates have been installed or not and advise the user as necessary.

    20. New Installations All operating Systems

    21. New Installations Windows XP with Service Pack2

    22. New Installations Windows XP with Service Pack2

    23. New Installations Windows XP with Service Pack2

    24. New Installations Windows XP with Service Pack2

    25. New Installs Windows 9X

    26. New Installations JRE 1.3.X

    27. New Installations JRE 1.3.X

    28. New Installations All Operating Systems

    29. New Installations Network Explanations

    30. New Installations All Operating Systems

    32. Migrating Existing Users. The user changes their Profile settings: click on the My Profile link; click on the Advanced Sabre System Settings link; change the Protocol setting from Public Network to Sabre Virtual Private Network. The user will then click on the Compatibility Check link. Windows 95/98/ME: Sabre supplied Windows registry patch required (https://my.sabre.com/migration/migSupport.jsp, http://installs.cert.sabre.com/Cert/support/vpn/1536.reg); see Appendix A for additional notes. Windows XP with Service Pack 2: Microsoft Update must be installed (https://my.sabre.com/migration/migSupport.jsp, http://support.microsoft.com/default.aspx?scid=kb;en-us;884020); see Appendix B for additional notes. Sun JRE 1.3.X: Java Web Start (JWS) and Java Secure Socket Extensions (JSSE) updates; separate installations for JRE 1.3.X; the Compatibility check will prompt the user if this update is required (http://installs.cert.sabre.com/Support/sslvpn/). The user will log out and then log back in via Sabre VPN.

    33. Migrating Existing Users

    34. Migrating Existing Users

    36. Using MySabre with SVPN: MySabre launches SVPN. There are multiple ways to launch the SVPN client. (1) Allow MySabre to launch the client: single sign on for MySabre and SVPN client; slightly longer launch time; MySabre detects that the SVPN is selected in the profile; MySabre looks for an existing client running; if the SVPN client is running, MySabre continues to launch; if the SVPN client is not running, MySabre will launch the SVPN client and then continue to launch MySabre. (2) Launch the SVPN client independently of MySabre: must be manually added to the startup group; requires multiple sign ons (SVPN client and MySabre); slightly faster launch time?; use SVPN or Private protocol in profile; faster connect time for SPM.

    37. Using MySabre with SVPN MySabre launches SVPN

    38. Using MySabre with SVPN

    39. Using MySabre with SVPN Manually Launching the SVPN

    40. Sabre Emulator displays the Private connection type

    41. Other points to consider. Session authentication or signing into the https://my.sabre.com website should be kept to 1 sign-in/ID per workstation. Using the same sign-in on multiple workstations consecutively may exceed the number of VPN connections allowed per ID. HSSP S02 errors. Sessions currently will time out after 75 minutes of inactivity; server capacity will determine session timers. Printers should have a heartbeat and will retain the tunnel indefinitely until the connection is lost.

    42. Sabre VPN Time Out. If the session times out, the user can simply make another entry in the emulator and the Sabre VPN Client will restart automatically. The user can right click on a red icon and select Restart from the menu if necessary.

    44. Sabre VPN Icon. The Sabre VPN Icon will run in the System Tray. The icon will appear Green when connected, Yellow when not connected/authenticated, and Red when stopped. It is the GUI to the Port Forwarder.

    45. SVPN Icon - Status. Status: provides a status of the SVPN client. Open: opens up the SVPN log file. Test: checks LMHOST, pings res.sabre.com, tests socket connection to Port Forwarder. Restart: restarts the client from this window. Close: closes this window.

    46. SVPN Icon - Configuration. Configuration: tools for troubleshooting and proxy servers. Listener Port: allows change of the port between GUI and Port Forwarder. Remove: uninstalls the client. Logging: for troubleshooting. Proxy Server: allows for configuration of proxy servers; will not work with NTLM based servers. Changes will take effect the next time the SVPN client is restarted.

    47. SVPN Icon Restart & Quit

    48. Sabre Print Module (SPM). Users running SPM who connect via Sabre VPN will need to change the service provider from PORTAL to OFEP. Standard Sabre Print Module configuration for OFEP, as done with SfW.

    49. Sabre VPN Client. The Sabre VPN Client can be downloaded separately for Legacy Sabre products (e.g. Turbo Sabre, Sabre Print Module, etc.). The system will automatically check the workstation for compatibility and advise the user of any required updates. The user will be prompted to authenticate. Will run in the System Tray as a service. The user will have to manually start the Sabre VPN Client.

    51. Troubleshooting: Maximum connections reached error. The Registry was not updated or updated correctly on Windows 98 (see Appendix A). Obtain the registry patch from the Installation Support page and install it. Reboot and try again.

    52. Troubleshooting, contd: Restricted User error. Give the restricted user full rights to the \DRIVERS\ETC directory, which contains the LMHOST and HOST files. Restart the SSL VPN Portal.

    53. Troubleshooting, contd. Port Forwarder window will not start: check for Pop-up Blockers; this is common on Windows XP. Port Forwarder window will not completely load: check for Personal Firewalls, or ISPs who block the local host address; correct or fall back to a Public Connection. The Port Forwarder will be displayed as JAVAW.EXE in Task Manager; allow JAVAW in firewall software.

    54. Troubleshooting, contd: Not enough Sockets for other applications. Bump up the Windows 98 Registry patch by increments of 256. Check for other applications that are using Internet connections. Increase memory. Still under investigation.

    55. Troubleshooting, contd. T3000 error in emulator: the Emulator attempted to connect to HSSP but was unable to make a connection to HSSP or never got a response from HSSP. Check that the Port Forwarder is running. Validate that there is a VPN tunnel (Ping, Telnet). T3006 error in emulator: usually occurs after another error such as the T3000. The Hotel Module continues to load even though a Sabre session could not be obtained. Indicates that there was NULL information regarding the LNIATA, typically caused by cleanup from the previous error.

    56. Troubleshooting, contd: SO2 Error in emulator. The Lock ID for the HSSP session is in use and does not match the one sent by the client. The connection attempt did reach HSSP and this is a response from HSSP. The LockID is maintained in the HSSPSessionRegistry.SER and is used by the JCSAPI. Help Desk can clear with ZUDWS: ZUDWS LNIATA CLEAR. Proper exiting of the MySabre portal/emulator will prevent this type of error. This is not a Port Forwarder issue but an emulator/JCSAPI issue.

    57. Troubleshooting, contd: Printer displays Unknown Service Provider OFEP. The device is unable to connect to OFEP. Restart the service or SPM. Sometimes the heartbeat or reconnection logic fails. Windows XP with Service Pack 2: is the patch installed?

    58. Troubleshooting, contd: Ports, Proxies, and Firewalls. The Port Forwarder updates the LMHOST file with the appropriate Sabre resources: res.sabre.com for the emulator with a private connection; lb1.dcs.amrcorp.com, ofepxx.dcs.amrcorp.com, and config.sea.eds.com for SPM. When an application makes a request for one of the above resources, the DNS request is handled by the local host and not by the proxy. The Port Forwarder listening on the local host forwards the request out on port 443 via an SSL connection. This is a socket connection and not an HTTP connection. Since the application has already made a connection to the local host via the resource port, the port # (example 30031) is not used to connect to the SSL VPN Gateway. The SSL Gateway completes the request from the application using the correct port and address. The response is returned in the same method.

    59. Troubleshooting, contd. The Sabre VPN Client can be configured to use a Proxy Server. Right click on the icon and select Configuration. Select the Use Proxy Server check box and fill in the appropriate Address and Port number.

    60. Troubleshooting, contd. A Test button has been incorporated for easy diagnostics. It checks the LMHOSTS file for the res.sabre.com entry. If res.sabre.com is found, it opens a network connection to res.sabre.com. It performs a PING test. The Test button does not analyze the PING results, but simply displays the results in the console.

    61. Troubleshooting, contd. Try to ping res.sabre.com. Since the LMHOST file has been modified, it should intercept the request and respond to the Ping command. Successful ping example: notice the Reply From 127.0.0.1.

    62. Troubleshooting, contd. Example of unsuccessful ping: reply from a public (151.193.X.X) address. The request was not intercepted by the Local Host and attempted to resolve through the normal public internet. The Port Forwarder is not running or down or not connected.

    63. Troubleshooting, contd. Example of a successful ping to ofep04.dcs.amrcorp.com: notice the reply from 127.0.0.X. The Port Forwarder is up.

    64. Troubleshooting, contd. Unsuccessful ping to ofep04.dcs.amrcorp.com with the Port Forwarder down or not connected: the reply is from a public address (151.193.141.41).

    65. Troubleshooting, contd. Successful telnet to res.sabre.com with the Port Forwarder up: telnet res.sabre.com 30031. It will connect and then show a blank screen. Use CTRL + ] to end the session and Q to return to the command prompt.

    66. Troubleshooting, contd. Unsuccessful telnet to res.sabre.com with the Port Forwarder down or not connected.

    67. Troubleshooting, contd. Successful telnet to ofep04.dcs.amrcorp.com with the Port Forwarder up: telnet ofep04.dcs.amrcorp.com 13004. Blank screen just like res.sabre.com, but if you make about 5 entries you will be disconnected.

    68. Troubleshooting, contd. Unsuccessful telnet to ofep04.dcs.amrcorp.com with the Port Forwarder down or not connected.

    69. Troubleshooting, contd: Restarting the Sabre VPN with MySabre. Right click on the icon in the System Tray and select Restart; or right click on the icon in the System Tray, select Status, and click on the Restart button in the Status window.

    70. Troubleshooting, contd. Logging can be enabled in the VPN Client when necessary. Right click on the icon and select Configuration. Set the logging level to HIGH. Two files are created: sslvpn-client.log and sslvpn-client-out-err.log. These files can be attached to Tracker logs, or emailed to developers for further investigation. The logging level remains set until the user changes it back to NONE (unlike the MySabre emulator log, which automatically resets itself).

    71. Appendix A Windows 9X by default has 100 to 250 TCP connections configured. The patch expands the number to 1536.

    72. Appendix B: The Port Forwarder is required to update the LMHOST/HOST files with multiple local host addresses. Windows XP, Service Pack 2 by default limits the local host addresses to 127.0.0.1. This Microsoft Update allows the number of local hosts to be increased. Sample Host file below:

        127.0.0.1 localhost
        127.0.0.21 ofep21.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.33 ofep33.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.1 config.sea.eds.com # Nortel SSL-VPN
        127.0.0.6 ofep06.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.18 ofep18.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.1 res.sabre.com # Nortel SSL-VPN
        127.0.0.13 ofep13.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.25 ofep25.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.32 ofep32.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.20 ofep20.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.5 ofep05.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.29 ofep29.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.17 ofep17.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.12 ofep12.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.24 ofep24.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.2 lb2.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.9 ofep09.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.31 ofep31.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.4 ofep04.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.16 ofep16.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.28 ofep28.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.11 ofep11.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.35 ofep35.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.23 ofep23.dcs.amrcorp.com # Nortel SSL-VPN
        127.0.0.1 lb1.dcs.amrcorp.com # Nortel SSL-VPN
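
The ping checks in slides 60 to 64 come down to one question: does the host file map each Sabre resource to a loopback address? The sketch below asks that of a file in the Appendix B format; it is an added example, not part of the original presentation. The sample text, the status names and the non-loopback address 198.51.100.7 are constructed for illustration, and first-entry-wins lookup is an assumption.

```python
import ipaddress

# Constructed sample in the Appendix B format. The ofep06 line is altered on
# purpose (documentation address 198.51.100.7) to show a non-loopback entry.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
127.0.0.1    res.sabre.com            # Nortel SSL-VPN
127.0.0.4    ofep04.dcs.amrcorp.com   # Nortel SSL-VPN
127.0.0.1    lb1.dcs.amrcorp.com      # Nortel SSL-VPN
198.51.100.7 ofep06.dcs.amrcorp.com   # Nortel SSL-VPN
"""

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MARKER = "Nortel SSL-VPN"  # comment tag used in the Appendix B sample


def parse_hosts(text):
    """Yield (address, hostname, comment) for every name on every valid line."""
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue  # blank line, comment-only line, or address without a name
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: skip the line
        for name in fields[1:]:
            yield address, name.lower(), comment.strip()


def audit_hosts(text, expected):
    """Classify each expected tunnel resource by what the host file does to it."""
    first = {}
    for address, name, comment in parse_hosts(text):
        first.setdefault(name, (address, comment))  # assumed: first entry wins
    report = {}
    for name in expected:
        if name not in first:
            report[name] = "missing"        # falls through to DNS, public reply
        elif first[name][0] not in LOOPBACK:
            report[name] = "not-loopback"   # redirected somewhere off this host
        elif MARKER not in first[name][1]:
            report[name] = "untagged"       # loopback, but without the client tag
        else:
            report[name] = "tunnelled"      # loopback entry carrying the tag
    return report


if __name__ == "__main__":
    names = ["res.sabre.com", "ofep04.dcs.amrcorp.com",
             "ofep06.dcs.amrcorp.com", "config.sea.eds.com"]
    for host, status in audit_hosts(SAMPLE_HOSTS, names).items():
        print(f"{host:28} {status}")
```

A "missing" result corresponds to the unsuccessful ping in slides 62 and 64, where the reply comes from a public address; "not-loopback" is an entry the Port Forwarder design described here would not produce and is worth investigating.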
