Chapter 8. Connecting your iSeries to the Internet: Scenarios 237
8.1.4 Test the configuration
In this scenario we made the HTTP server on the iSeries available to the Internet. This configuration
should be tested to ensure that the firewall is preventing unauthorized access to the iSeries.
The only access that should be enabled is the HTTP service.
Testing should consist of the following steps:
1. Start the HTTP server on the iSeries by typing:
   STRTCPSVR SERVER(*HTTP) HTTPSVR(DEFAULT)
2. Start a Web browser on a workstation (one that does not reside on your local area network) and
   attempt to access the iSeries HTTP server via its public IP address.
3. Attempt to access TCP/IP applications from the Internet:
   a. Open a Web browser to address 68.13.103.103 from a public address. This should be
      successful.
   b. Open a Web browser to address 192.168.1.201 from a public address. This should
      fail.
   c. Telnet to public address 68.13.103.103 from a public address. This should fail.
   d. FTP to public address 68.13.103.103 from a public address. This should fail.
4. Perform a port scan against the firewall.
This ends the iSeries Internet connectivity configuration test.
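The reachability checks in step 3 can be scripted so they are repeatable after every firewall change. The following is an added example, not part of the original text: the function names are hypothetical, and the port numbers (80, 23, 21) are the standard HTTP, Telnet, and FTP ports, assumed here because the text names only the services. Run it from a workstation outside your local area network.

```python
import socket

# Expected exposure from section 8.1.4, as seen from a host outside the LAN.
# Addresses are the ones used in the scenario; the ports are an assumption
# (standard HTTP/Telnet/FTP ports), since the text names only the services.
EXPECTED = [
    ("68.13.103.103", 80, True),    # 3a: HTTP on the public address
    ("192.168.1.201", 80, False),   # 3b: private address must not be reachable
    ("68.13.103.103", 23, False),   # 3c: Telnet must be blocked
    ("68.13.103.103", 21, False),   # 3d: FTP must be blocked
]

def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timed out), or unreachable
        return False

def audit(expected=EXPECTED, probe=tcp_reachable):
    """Compare observed reachability with the expected matrix.

    Returns (host, port, expected, observed) for every mismatch; an empty
    list means the firewall behaves as the scenario requires.
    """
    findings = []
    for host, port, should_connect in expected:
        observed = probe(host, port)
        if observed != should_connect:
            findings.append((host, port, should_connect, observed))
    return findings

def describe(finding):
    """Render one mismatch as a line for a change record or alert."""
    host, port, expected, observed = finding
    if observed and not expected:
        return f"EXPOSED: {host}:{port} accepts connections but should be blocked"
    return f"DOWN: {host}:{port} should be reachable but is not"

if __name__ == "__main__":
    problems = audit()
    for item in problems:
        print(describe(item))
    raise SystemExit(1 if problems else 0)
```

This covers only the services named in step 3; the port scan in step 4 is still needed to find anything else the firewall lets through.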
8.1.5 Review, conclusions, and references
This scenario demonstrated how to get started with connecting your iSeries to the Internet
securely for delivering read-only HTTP content to the public. We utilized the existing
infrastructure that consisted of an iSeries within a secure customer-facing network along with an
Internet connection secured through a firewall.
We introduced the basic information needed to connect the iSeries to the Internet from
behind a firewall. Then we introduced the Internet setup wizard that created the basis for
connecting to the Internet. We followed the configuration steps to establish the connection
scenario and finally tested this secure configuration.
8.2 Connecting to the Internet from DMZ: Host to host VPN
This scenario describes the configuration for a VPN connection between two iSeries servers
at remote locations. This configuration will allow both systems to securely share information
over the Internet.
Problem definition
For this scenario, let us envision that we have two remote locations that are connected to the
Internet. At each location, we have iSeries servers that need to securely share information
between applications residing on each server over the Internet connection. These
applications are not enabled for SSL, but still need to securely share information over the
Internet. We do not wish to allow any connections from the Internet to either of the iSeries.
Solution definition
We utilize a host to host VPN connection to securely share information between two iSeries
servers. The VPN connection will create a secure tunnel and allow all applications to function
as if they were locally connected. This solution will rely on a Protocol Firewall between the
Internet and each of the iSeries, an Application/Domain Firewall between the public IP of the
iSeries and the local network, and the VPN to protect the iSeries server’s communications.
We utilize the iSeries Navigator VPN wizard to create the connection. The wizard will also
create the IP packet filtering rules for VPN.
Figure 8-28 Connecting to the Internet from the DMZ
Assumptions
Here are the conditions assumed for this scenario:
• iSeries server running OS/400 Version 5 Release 2 (V5R2)
• Existing firewall protecting your internal network and DMZ
• Existing iSeries is outside your internal network; located in the DMZ
• Both iSeries servers have a public IP address
• Both iSeries servers have two network adapters and two IP interfaces
• Both iSeries servers are connected to the Internet
• Digital Certificate Manager is installed and configured
• iSeries software requirements:
   - TCP/IP Connectivity Utilities for iSeries (5722-TC1)
   - IBM HTTP Server for iSeries (5722-DG1)
   - Digital Certificate Manager (5722-SS1 option 34)
   - Crypto Access Provider 128-bit for AS/400 (5722-AC3)
How-to
To configure the host to host VPN, perform the following tasks:
1. Planning worksheet for configuring a host to host VPN connection.
2. Configure iSeries server AS24 for the initiating VPN connection.
3. Configure iSeries server AS25 for the receiving VPN connection.
[Figure 8-28 diagram labels: AS24, AS25, Internet; a Protocol Firewall, an Application/Domain Firewall, and a Switch at each site; 172.24.5.x Network, 192.168.1.x Network; addresses 63.12.114.25, 63.13.103.103, 172.24.5.1, 192.168.1.1]
