Chapter 8. Connecting your iSeries to the Internet: Scenarios 237
8.1.4 Test the configuration
In this scenario we made the HTTP server on the iSeries available to the Internet. This configuration
should be tested to ensure that the firewall is preventing unauthorized access to the iSeries.
The only access that should be enabled is the HTTP service.
Testing should consist of the following steps:
1. Start the HTTP server on the iSeries by typing:
   STRTCPSVR SERVER(*HTTP) HTTPSVR(DEFAULT)
2. Start a Web browser on a workstation (that does not reside on your local area network) and
   attempt to access the iSeries HTTP server via its public IP address.
   a. Open a Web browser to address: 188.8.131.52 from a public address. This should be
   b. Open a Web browser to address: 192.168.1.201 from a public address. This should
3. Attempt to access TCP/IP applications from the Internet.
   a. Telnet to public address: 184.108.40.206 from a public address. This should fail.
   b. FTP to public address: 220.127.116.11 from a public address. This should fail.
4. Perform a port scan against the firewall.
This ends the iSeries Internet connectivity configuration test.
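The reachability checks in steps 2 and 3 can be scripted and run from the external workstation. The following is an added example, not part of the original text: the port numbers are the standard defaults for HTTP, Telnet and FTP (an assumption that no service was moved), and the target address is a constructed placeholder.

```python
import socket

# Policy from the scenario: HTTP is the only service that should be reachable.
# Port numbers are the standard defaults (assumption: no services were moved).
POLICY = {
    80: ("HTTP", True),     # step 2: should succeed
    23: ("Telnet", False),  # step 3a: should fail
    21: ("FTP", False),     # step 3b: should fail
}


def tcp_open(host, port, timeout=3.0):
    """Return True if a full TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out (filtered), or unreachable
        return False


def audit(host, policy=POLICY, probe=tcp_open):
    """Compare observed reachability with the policy; return the mismatches."""
    findings = []
    for port, (name, should_be_open) in sorted(policy.items()):
        is_open = probe(host, port)
        if is_open != should_be_open:
            problem = "exposed" if is_open else "unreachable"
            findings.append((port, name, problem))
    return findings


if __name__ == "__main__":
    # Constructed placeholder (TEST-NET-3); substitute the public IP address
    # of your own iSeries and run from a workstation outside the LAN.
    target = "203.0.113.10"
    results = audit(target)
    for port, name, problem in results:
        print(f"FAIL {name} (tcp/{port}) is {problem}")
    if not results:
        print("PASS only HTTP is reachable")
    raise SystemExit(1 if results else 0)
```

Add further entries to `POLICY` for any other service that must stay blocked; the non-zero exit status makes the check usable after every firewall rule change.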
8.1.5 Review, conclusions, and references
This scenario demonstrated how to get started with connecting your iSeries to the Internet
securely for delivering read-only HTTP content to the public. We utilized the existing
infrastructure that consisted of an iSeries within a secure customer-facing network along with an
Internet connection secured through a firewall.
We introduced the basic information needed to connect the iSeries to the Internet from
behind a firewall. Then we introduced the Internet setup wizard that created the basis for
connecting to the Internet. We followed the configuration steps to establish the connection
scenario and finally tested this secure configuration.
8.2 Connecting to the Internet from DMZ: Host to host VPN
This scenario describes the configuration for a VPN connection between two iSeries servers
at remote locations. This configuration will allow both systems to securely share information
over the Internet.
For this scenario, let us envision that we have two remote locations that are connected to the
Internet. At each location, we have iSeries servers that need to securely share information
between applications residing on each server over the Internet connection. These
applications are not enabled for SSL, but still need to securely share information over the
Internet. We do not wish to allow any connections from the Internet to either of the iSeries.
We utilize a host to host VPN connection to securely share information between two iSeries
servers. The VPN connection will create a secure tunnel and allow all applications to function
as if they were locally connected. This solution will rely on a Protocol firewall between the
Internet and each of the iSeries, an Application/Domain Firewall between public IP of the
iSeries and the local network, and the VPN to protect the iSeries server’s communications.
238 V5 TCP/IP Applications on the IBM Eserver iSeries Server
We utilize the iSeries Navigator’s VPN wizard to create the connection. The wizard will also
create the IP packet filtering rules for VPN.
Figure 8-28 Connecting to the Internet from the DMZ
Here are the conditions assumed for this scenario:
iSeries server running OS/400 Version 5 Release 2 (V5R2)
Existing firewall protecting your internal network and DMZ
Existing iSeries is outside your internal network; located in the DMZ
Both iSeries servers have a public IP address
Both iSeries servers have two network adapters and two IP interfaces
Both iSeries servers are connected to the Internet
Digital Certificate Manager is installed and configured
iSeries software requirements
– TCP/IP Connectivity Utilities for iSeries (5722-TC1)
– IBM HTTP Server for iSeries (5722-DG1)
– Digital Certificate Manager (5722-SS1 option 34)
– Crypto Access Provider 128-bit for AS/400 (5722-AC3)
To configure the host to host VPN, perform the following tasks:
1. Planning worksheet for configuring a host to host VPN connection.
2. Configure iSeries server AS24 for the initiating VPN connection.
3. Configure iSeries server AS25 for the receiving VPN connection.