Initial configuration Adding Routes and Dynamic Addresses

When choosing IP addresses for a dynamic range, do not use addresses already in use on your network. The best policy is to use a subnet of your corporate network. Thus, if your corporate network is 1.196.0.0, the subnet 1.196.5.0 might be reserved for tunnel IP usage.

Figure 7-1. The initial configuration screen

The Description is not required for the configuration to work, but it may be helpful for administration purposes. Be sure to set routes to all computers that need to be accessed from the tunnel connections. You may add as many routes as needed, and you may select one of these routing groups as a default route. This allows for easier configuration of tunnel groups later. See Section 7.3.3 later in this chapter.

Once the route is added, add your dynamic address ranges. Figure 7-2 shows the configuration screen. The Range Name and Description are optional, but they are useful for keeping track of several dynamic address groups. The First IP entry is, as you probably guessed, for the first IP in the range of dynamic addresses. The Total Tunnels slide bar allows you to select the total number of tunnels allowed by the server for that IP group; the Netmask entry is the network mask for the corresponding IP group. Once this ordeal is finished, you are ready to start adding tunnel groups.

Figure 7-2. Adding the dynamic address ranges
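A pre-flight check for the First IP, Total Tunnels and Netmask values described above, written as an added example (it is not part of the original text or of the AltaVista Tunnel software). The /16 mask on the corporate network, the in-use address list and the `addrs_per_tunnel` parameter are assumptions; the text does not say how many addresses one tunnel consumes.

```python
import ipaddress

def check_dynamic_range(first_ip, netmask, total_tunnels, corporate_net,
                        in_use, addrs_per_tunnel=1):
    """Return a list of problems with a proposed dynamic range; empty means OK.

    addrs_per_tunnel is an assumption: adjust it to however many addresses
    your tunnel server actually consumes per tunnel.
    """
    if total_tunnels < 1:
        return ["Total Tunnels must be at least 1"]
    problems = []
    first = ipaddress.IPv4Address(first_ip)
    # strict=False derives the subnet that contains First IP under Netmask.
    subnet = ipaddress.IPv4Network(f"{first_ip}/{netmask}", strict=False)
    corp = ipaddress.IPv4Network(corporate_net)

    total = total_tunnels * addrs_per_tunnel
    lo = int(first)
    hi = lo + total - 1          # last address the range would hand out

    if not subnet.subnet_of(corp):
        problems.append(f"{subnet} is not a subnet of {corp}")
    if first == subnet.network_address:
        problems.append(f"First IP {first} is the network address of {subnet}")
    if hi >= int(subnet.broadcast_address):
        problems.append(
            f"{total} addresses from {first} run past the last usable host in {subnet}")
    # Any address already assigned on the network must stay out of the range.
    for addr in in_use:
        if lo <= int(ipaddress.IPv4Address(addr)) <= hi:
            problems.append(f"{addr} is already in use inside the range")
    return problems

# Constructed sample data: corporate network from the text with an assumed
# /16 mask, plus two addresses pretended to be already assigned.
CORPORATE = "1.196.0.0/16"
IN_USE = ["1.196.1.10", "1.196.5.20"]

if __name__ == "__main__":
    for first, tunnels in [("1.196.5.1", 16), ("1.196.5.1", 50),
                           ("1.196.5.200", 100)]:
        found = check_dynamic_range(first, "255.255.255.0", tunnels,
                                    CORPORATE, IN_USE)
        print(first, tunnels, found or "OK")
```
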

7.3.1.2 Managing routes and dynamic IPs

From the main tunman window, select the Tunnels menu and the Configure menu option. This will yield a configuration screen, as shown in Figure 7-2. The sequence of dialogs lets you set up routes and dynamic addresses. The information required for both routes and dynamic addresses is the same as that stated earlier in Section 7.3.1.1.

7.3.2 Adding DNS and WINS Servers

Domain Name System (DNS) maps TCP/IP host names to IP addresses, while WINS servers map NetBIOS names to IP addresses. Both of these name resolution methods are supported by the AltaVista Tunnel. To configure DNS and WINS properties, open the AltaVista Tunnel Configure window and select the Name Server tab. Both DNS and WINS have fields for primary and secondary resolution servers. Enter the Internet hostnames of the respective servers in these fields. Then click OK to accept the changes.

It is important to note that incoming tunnels must have access to internal DNS and WINS servers if these servers are private (i.e., not normally accessible to the public Internet). Thus, these servers' addresses must be made available to all incoming tunnels via the tunnel group configuration.

7.3.3 Adding Tunnel Groups

Grouping users together by function makes administration much easier. The groups you choose here don't need to have any relationship to group membership on one of your systems or networks.

7.3.3.1 Group configuration

You can also add tunnel groups. Selecting the Add button sends you through a series of configuration screens. The first screen, shown in Figure 7-3, allows you to select the type of tunnel you wish to configure: incoming, outgoing, or both. The Extranet server acts as a tunnel server and/or a tunnel client. In this case, we are selecting an incoming tunnel. After clicking Next, you are asked to provide a password for this tunnel group. The connecting clients require this password, as well as the key file that is subsequently generated.

Figure 7-3. Adding a tunnel group (first screen)

The next screen asks for the Tunnel Name and Description. The Tunnel Name is required, and is likewise needed by the connecting clients. Also, from this screen, you select whether the dynamic IP range you configured for your tunnels is to be dynamically or statically assigned. The client connecting to the group can have either a virtual IP address assigned to it randomly or a fixed IP address every time it connects.

Clicking Next sends you to the Dynamic IP address screen. This allows you to choose which range to use for this tunnel group. If you have only one dynamic range, it will be selected automatically.

Next is the Specify Routes to Internal Network screen. Here you select which routing group is allowed to the tunnel group. You can select either the Default Route (if you've defined one) or a Specific Route. Selecting Specific Route will allow you to choose another routing group from your routing tables.

The last screen is the Server Definition window. The hostname and port number are configurable as needed. By default, the name of the host where the server software resides is automatically entered into the hostname field. Also by default, the port number is 3265. You have to enter the interceding firewall IP addresses, if applicable. The firewalls should be specified from the client end to the server end.
Thus, the First Firewall field is the IP address of the firewall that the client first encounters when attempting to reach the tunnel server. The Second Firewall field is the firewall on the local network. By default, the port number for the