Group configuration Adding Tunnel Groups

AltaVista Tunnel is 3265. Ensure that this port number is not in use by any other service before entering it. Figure 7-4 shows the properties of a sample tunnel group. Once a tunnel group is configured, this information can be viewed by selecting the tunnel group entry in the AltaVista Configure window and the Tunnels tab, then clicking on the Properties button. This screen gives a full view of the tunnel group, including the name of the group, the name of the dynamic IP address range and routing groups, the tunnel server endpoint name, and firewall addresses. Information can be modified on this screen by clicking the Modify Wizard button, or more simply by changing the information in the appropriate fields and clicking the Update button.

Figure 7-4. The Tunnel Properties screen

7.3.3.2 Tunnel client information

Once the tunnel group is configured, you need to extract information for the end users. This information is required for them to connect to the tunnel:

.key file
    The public key for this tunnel group. This key is exchanged by the client and server for encryption purposes.

.eta file
    The connection information file, including Tunnel Group name and password.

The .key and .eta files are created when you complete the tunnel group configuration. If you are in doubt, when the configuration process completes, click on the Key Management tab in the AltaVista Configure window. An entry should be present with the tunnel group name and a long string of numbers and letters, which is the key. The key file is created in the \AltaVista\tunnel\data\key directory. If you want to make copies for backups or for other users, extract the files by clicking on the Extract button on the Tunnels tab in the AltaVista Configure window. Though only the .eta file is named when extracting the files, the .key file is also copied. These files may be extracted onto a floppy disk or other writable media, and distributed to end users as needed.

7.3.4 Tools for Tunnel Management

Other than a handy configuration front end, the tunman application contains management and logging tools for those of you who don't get enough of this stuff with other network services. Figure 7-5 shows the main tunman window, with connected tunnels. From this GUI, you can keep tabs on existing connections, view a log of past and present tunnel connections, and view the status of the tunnel server, all at a glance. The interface is intuitive, and you should play with it at your leisure to find what information is useful to your network department. For the most part, the logs and such are particularly useful when troubleshooting connection problems, or when tracking attempted security breaches. Other than that, they could be used to prove to your manager that you are actually keeping logs of this stuff, or to liven up network operations meetings.

Figure 7-5. Main tunman window

7.3.5 Changing Port Settings

The AltaVista Tunnel allows the system administrator to change the TCP port settings for tunnel communication. As noted earlier, the default port is 3265. If for some reason another port is required, the sysadmin must edit the Services file in the \drivers\etc directory of the server's system directory. Under Windows NT the path is:

    \system32\etc

Use Notepad, or some other text editor, to edit the Services file. Find the line below and change 3265 to the desired port:

    altav-tunnel    3265/tcp

After saving the file, restart the tunnel service.
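The following helper applies this port change in a checked way, combining the edit above with the earlier advice to make sure the chosen port is not already used by another service. It is an added example, not code from the book or from the AltaVista Tunnel product; the Services file content is a constructed sample, and the altav-tunnel entry name is the one shown above.

```python
import re

# Constructed sample of a Windows NT Services file (not taken from the page).
SAMPLE_SERVICES = """\
# <service name>  <port number>/<protocol>
echo                7/tcp
ftp                21/tcp
telnet             23/tcp
altav-tunnel     3265/tcp
nfsd             2049/udp
"""

# One Services entry: name, port and protocol; anything after is an alias or comment.
ENTRY_RE = re.compile(r"^(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\b", re.IGNORECASE)


def parse_services(text):
    """Return (name, port, proto) for every non-comment entry in the file text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.split("#", 1)[0])
        if m:
            entries.append((m.group("name"), int(m.group("port")), m.group("proto").lower()))
    return entries


def port_conflicts(text, port, proto="tcp", service="altav-tunnel"):
    """Names of other services already registered on port/proto (the pre-change check)."""
    return [n for n, p, pr in parse_services(text)
            if p == port and pr == proto and n.lower() != service]


def set_tunnel_port(text, new_port, service="altav-tunnel"):
    """Return the file text with the service's tcp entry moved to new_port, refusing
    to clobber another service's port or to proceed when the entry is missing."""
    if not 1 <= new_port <= 65535:
        raise ValueError(f"invalid port {new_port}")
    taken = port_conflicts(text, new_port, "tcp", service)
    if taken:
        raise ValueError(f"port {new_port}/tcp already used by {', '.join(taken)}")
    out, found = [], False
    for line in text.splitlines(keepends=True):
        m = ENTRY_RE.match(line.split("#", 1)[0])
        if m and m.group("name").lower() == service and m.group("proto").lower() == "tcp":
            # Replace only the port field so alignment, aliases and comments survive.
            line = line[:m.start("port")] + str(new_port) + line[m.end("port"):]
            found = True
        out.append(line)
    if not found:
        raise ValueError(f"no {service} tcp entry found; add one rather than editing")
    return "".join(out)
```

Write the returned text back to the Services file and restart the tunnel service, as the section describes.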

7.3.6 Rekey Interval and Minimum Encryption Settings

The AltaVista Tunnel has a default setting of 30 minutes for the rekey interval. Thus, every 30 minutes, the encryption key used by two tunnel endpoints expires and a new one is generated and exchanged. This setting can be modified by editing the registry on Windows NT.