AT&T WorldNet® Connectoid Guide
Virtual Private Network Service, Version 2.6
(source: globalnetwork.support.att.com)

Page 1


Page 2

Copyright 1998 AT&T. All rights reserved.

Disclaimer: To our knowledge, all the information in this document was complete and accurate at the time it was initially released. However, the information is subject to change. AT&T assumes no responsibility for any errors that may appear in the document.

AT&T WorldNet is a trademark and a service mark of AT&T. Microsoft, Windows, and Windows for Workgroups are trademarks or registered trademarks of Microsoft Corporation. Apple, Macintosh and Mac OS are trademarks of Apple Computer, Inc. PowerPC is a registered trademark of International Business Machines Corporation.

Other names are trademarks of their respective holders.

last updated: 1/22/98.

(Some pages of this document have been left intentionally blank so that chapter headings appear on the right-hand page when the document is printed duplex)


Page 3

Introduction

Although AT&T strongly recommends using the AT&T WorldNet® Connection Manager software to access AT&T WorldNet VPN Service, some of our customers have asked how to configure Windows Dial-Up Networking to connect to the service without using Connection Manager. This guide has been prepared in response to those requests.

However, please be aware that AT&T WorldNet VPN Service is a technically complex offering. Using Dial-Up Networking by itself may prove confusing to the average end user.

There are essentially three steps to configuring Dial-Up Networking:

1 Obtain the latest list of AT&T WorldNet VPN access telephone numbers. This will be required in Step 3.

2 Create a Dial Script for each login on a particular PC (if needed).

3 Configure a new set of Dial-Up Networking settings for each login. In Windows 95 and Windows 98, each collection of settings is called a “connectoid.” In Windows NT 4, these settings are stored as entries in the “phonebook.”

IMPORTANT: This guide covers domestic access to the AT&T WorldNet VPN service only. Accessing the service internationally requires additional information not included in these instructions.


Page 4


Page 5

Step 1
Obtain the latest list of access numbers

The latest list of domestic access numbers can be found on the AT&T WorldNet VPN web site. Go to the following URL.

http://www.worldnet-vpn.att.net/

Once the page appears, select “Our Network” and then “Access Numbers.”


Page 6


Page 7

Step 2
Creating the Dial Scripts

Dial scripts are used by the Remote Access Service component of Windows. Essentially, they give Windows instructions for logging into particular remote access servers and remote networks.

Although most AT&T WorldNet VPN Service logins require such a script, some do not. Please read this entire chapter before you proceed.

Dial Script Basics

To create dial scripts, you will need to be familiar with RAS scripting commands. Microsoft copies a document called Script.doc into the Windows directory when Dial-Up Networking is installed. This document discusses RAS scripting in depth.

Each dial script is simply a DOS text file containing a series of scripting commands. To create a script file do the following:

1 Open Notepad.

2 Type the following 2 lines:

    proc main
    endproc

3 Add the required scripting commands between the two lines added in Step 2. The scripting commands required for a particular login depend on the Service Option of the login (see AT&T WorldNet VPN Service Options on page 8).

4 Save the file in the appropriate directory on the PC that is to use the dial script. On Windows 95 and Windows 98 systems, these files are stored in C:\Program Files\Accessories\, but you can use script files stored in another directory if you want to. On Windows NT 4 systems, you must save these files in C:\WinNT\System32\RAS\.

The filename must use the .scp extension.


Page 8

AT&T WorldNet VPN Service Options

AT&T WorldNet VPN Service offers many different types of logins. AT&T uses the term “Service Option” to describe the type of login. At the time of this writing, the following service options are available (the codes in parentheses appear in the login names of the specified type):

• Basic IP (ics-ip)

• Basic IP with proxy RADIUS authentication (pics-ip)

• Closed User Group (ics-cug)

• Closed User Group with proxy RADIUS (pics-cug)

• Closed User Group with Internet access (ics-cugi)

• Closed User Group with Internet access and proxy RADIUS (pics-cugi)

• Network-Based Tunneling (tp+)

• Network-Based Tunneling with proxy RADIUS (ptp+)

Most of these service options require dial scripts. Since different service options require different dial scripts, the major types of service option are dealt with separately on the following pages.


Page 9

Basic IP

Basic IP is the only service option that normally does NOT require a dial script. Once the dial-up connection is established, Basic IP users are authenticated using PPP secure (CHAP) authentication (which Windows does automatically).

This is also true of Basic IP logins that are authenticated using proxy RADIUS, as long as your RADIUS server authenticates using CHAP. If the RADIUS server employed does not support this method of authentication, you must construct a special dial script to support that server. See Proxy RADIUS scripts for IP and CUG logins on page 10.

ISDN Note: ISDN access is supported only for Basic IP service types that DO NOT require a dial script.

Closed User Group

Most CUG and CUGI logins require the following dial script:

    proc main
    waitfor "on:"
    transmit "%%cug%%^M"
    endproc

This tells Windows to wait for the “logon:” prompt from AT&T’s network access server and then signal that it wants to log on as a CUG user. Having completed the script, Windows completes the login process using PPP authentication.

The same dial script works for CUG and CUGI logins that are authenticated using proxy RADIUS as long as your RADIUS server authenticates using CHAP. If the RADIUS server employed does not support this method of authentication, you must construct a special dial script to support that server. See Proxy RADIUS scripts for IP and CUG logins on page 10.

ISDN Note: Although ISDN access is not supported for most service types that require dial scripts, CUG and CUGI logins may be accessed via ISDN as long as any RADIUS server they employ supports CHAP. When accessing a CUG or CUGI login using an ISDN terminal adapter, DO NOT use a dial script.


Page 10

Proxy RADIUS scripts for IP and CUG logins

If your RADIUS server does not support CHAP authentication, Windows must use a dial script to complete the login process. There are essentially two cases here:

• RADIUS servers that require the username and password be forwarded to them in an unencrypted format (as “clear text”).

• RADIUS servers with more complex login processes. For example, some security servers will challenge the user to enter a second password if they think the user took too long to enter the first one.

The first case requires a dial script that sends the user’s user name and password to AT&T’s network access server in an unencrypted format so that it can be forwarded to your RADIUS server (normally, it’s encrypted using CHAP authentication techniques).

    proc main
    waitfor "on:"
    transmit "<<login name>>^M"
    waitfor "word:"
    transmit "<<password required by RADIUS server>>^M"
    endproc

<<Login name>> is the login name required by your RADIUS server followed by the domain name provided by AT&T for this type of login.

For example, if ABC corporation had a RADIUS server that contained an entry for the user Joe25 with password Joe’s password, the login script might look like this (the AT&T-provided domain is shown as a placeholder):

    proc main
    waitfor "on:"
    transmit "Joe25@<<domain provided by AT&T>>^M"
    waitfor "word:"
    transmit "Joe's password^M"
    endproc

The second case requires that the user interact directly with your authentication server to respond to its prompts. This is accomplished using the following script:

    proc main
    waitfor "on:"
    transmit "<<login name>>^M"
    set screen keyboard on
    endproc


Page 11

The <<login name>> parameter is derived in the same way as before. However, instead of waiting for a password prompt, Windows is instructed to open a terminal window so that the user can view and respond to your authentication server’s prompts.


Page 12

Network-Based Tunneling

The login process required for Network-Based Tunneling is a little more involved than the process required for other service types. The user’s PC must first identify itself to AT&T WorldNet VPN Service so that a tunnel to the correct network may be established. Once the tunnel is established, the user’s PC must complete a second login process to connect to the network at the far end of the tunnel.

As with the other service types, the most basic case involves tunnels to networks that support CHAP authentication. In this case, the following script is required to establish the tunnel:

    proc main
    waitfor "on:"
    transmit "<<AT&T login name>>^M"
    waitfor "word:"
    transmit "<<AT&T password>>^M"
    endproc

Once the script is complete, Windows uses CHAP authentication to log into the network at the other end of the tunnel.

<<AT&T login name>> and <<AT&T password>> are the login name and password received from AT&T. These will probably be the same for all users within a specific organization.

If, on the other hand, the network at the far end of the tunnel does NOT support CHAP authentication, you must add script lines that handle the login process required. For example, once the tunnel is established, the following script responds to the “User name:” prompt from the remote network and then opens a terminal window to complete the login process:

    proc main
    waitfor "on:"
    transmit "<<AT&T login name>>^M"
    waitfor "word:"
    transmit "<<AT&T password>>^M"
    waitfor "name:"
    transmit "<<remote server login>>^M"
    set screen keyboard on
    endproc
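The scripts on pages 9 through 12 differ in one security-relevant way: a CHAP login never puts the secret on the modem link, while a clear-text script does, and a script with a literal user name or password (rather than a <<placeholder>>) also stores that credential in the .scp file itself. The following Python is an added example, not code from the AT&T guide; it parses only the RAS commands the guide uses (proc main, endproc, waitfor, transmit, set screen keyboard on) and reports those properties for each script. The sample scripts are constructed from the guide's examples, with the AT&T domain in the Joe25 script left as a placeholder.

```python
"""Audit Windows RAS dial scripts (.scp) for how credentials leave the PC.
Added example, not code from the AT&T guide; it understands only the subset
of RAS scripting the guide uses (proc main/endproc, waitfor, transmit,
set screen keyboard on)."""
import re

# The printed guide shows curly quotes; accept those as well as straight ones.
_QUOTED = re.compile(r'^(waitfor|transmit)\s+["\u201c](.*)["\u201d]$', re.IGNORECASE)
_PLACEHOLDER = re.compile(r"^<<.*>>$")  # <<login name>> style, not a real value
_BARE = {"proc main", "endproc", "set screen keyboard on"}


def _strip_cr(arg):
    """Drop the trailing ^M (carriage return) that ends every transmit string."""
    return arg[:-2] if arg.endswith("^M") else arg


def parse_script(text):
    """Tokenise a .scp body into (keyword, argument) pairs, skipping blank lines."""
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _QUOTED.match(line)
        if m:
            commands.append((m.group(1).lower(), m.group(2)))
        elif line.lower() in _BARE:
            commands.append((line.lower(), ""))
        else:
            raise ValueError("unsupported RAS command: %r" % line)
    if len(commands) < 2 or commands[0][0] != "proc main" or commands[-1][0] != "endproc":
        raise ValueError("script must be wrapped in 'proc main' ... 'endproc'")
    return commands


def audit_script(text):
    """Return a dict describing the credential exposure a dial script creates."""
    awaiting = None  # the prompt the script last waited for
    report = {"sends_password": False, "opens_terminal": False, "literals": []}
    for keyword, arg in parse_script(text):
        if keyword == "waitfor":
            awaiting = arg
        elif keyword == "transmit":
            value = _strip_cr(arg)
            # A reply to a "...word:" prompt crosses the modem link unencrypted;
            # with CHAP the secret never goes on the wire at all.
            if awaiting and awaiting.endswith("word:"):
                report["sends_password"] = True
            # %%cug%% selects the CUG service and is not a credential; any other
            # value that is not a <<placeholder>> is a credential stored in the file.
            if value != "%%cug%%" and not _PLACEHOLDER.match(value):
                report["literals"].append(value)
            awaiting = None
        elif keyword == "set screen keyboard on":
            report["opens_terminal"] = True  # the user finishes the login by hand
    return report


# Sample scripts constructed from the guide's examples (no real credentials).
CUG_SCRIPT = 'proc main\nwaitfor "on:"\ntransmit "%%cug%%^M"\nendproc\n'
EMBEDDED_SCRIPT = (  # the Joe25 example, with the AT&T domain left as a placeholder
    "proc main\nwaitfor \u201con:\u201d\n"
    "transmit \u201cJoe25@<<AT&T-provided domain>>^M\u201d\n"
    "waitfor \u201cword:\u201d\ntransmit \u201cJoe's password^M\u201d\nendproc\n"
)
TUNNEL_INTERACTIVE = (  # tunnel to a network that does not support CHAP
    'proc main\nwaitfor "on:"\ntransmit "<<AT&T login name>>^M"\n'
    'waitfor "word:"\ntransmit "<<AT&T password>>^M"\n'
    'waitfor "name:"\ntransmit "<<remote server login>>^M"\n'
    "set screen keyboard on\nendproc\n"
)

if __name__ == "__main__":
    for name in ("CUG_SCRIPT", "EMBEDDED_SCRIPT", "TUNNEL_INTERACTIVE"):
        print(name, audit_script(globals()[name]))
```

Run against a directory of .scp files, the "literals" list is what page 13 says a shared script must never contain, and "sends_password" marks the scripts whose credentials travel in the clear.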


Page 13

Step 3
Adding connectoids and phonebook entries

Each Windows 95/98 connectoid or Windows NT phonebook entry contains all the networking and connection settings that are required to establish a link to a specific remote network.

Since each AT&T WorldNet VPN Service login that is to be accessed from a particular PC will most likely require different networking settings, you will probably have to create a unique connectoid or phonebook entry for each login. However, the same connectoid or phonebook entry may be used if all of the following are true:

• If the logins require a dial script (see pages 7 - 12), the dial script used must be identical for both logins. This implies that any login names and passwords that are unique to an individual login MUST NOT appear in the dial script.

• Login names and passwords that do not appear in the dial script may be different.

• All other connection settings must be identical.

For example, if two users share the same PC and each of them needs to log in to AT&T WorldNet VPN Service using the same settings, they can share a connectoid even though they have unique PPP logins and passwords.

Windows 95 and Windows 98

Windows 95 and Windows 98 use a structure called a “connectoid” to establish connections to remote networks. Each connectoid is represented as an icon in the Dial-Up Networking folder. To open this folder, do the following:

1 Double click on the My Computer icon on the Windows desktop.

2 Double click the Dial-Up Networking folder.


Page 14

Adding a new connectoid

1 If there are not yet any connectoids on the PC being configured, the Make New Connection wizard will run automatically when you open Dial-Up Networking. Otherwise, you will have to start it manually by double-clicking on the Make New Connection icon.

2 In the first box, enter a descriptive label for the connection that will be established by this connectoid. For example, “Internet access” or “Engineering server.” This description helps the user identify which connectoid is required to establish a particular connection type.

3 Select the modem that will be used to establish the connection. DO NOT select “Microsoft VPN Adapter.” Click Next when you are finished.


Page 15

4 Locate an appropriate access number in the list of AT&T WorldNet VPN access numbers. Enter the area code and number selected.

Click Next when you are finished.

5 Click Finish.


Page 16

Configuring connectoids

Once created, a connectoid will appear as an icon in the Dial-Up Networking folder. Follow these steps to configure a newly-created connectoid to access the AT&T WorldNet VPN Service:

1 Right click on the icon representing the connectoid you want to configure. Select “Properties.”

2 Click the “Server Types” tab (the default settings on the “General” tab are correct).

3 Make sure that PPP is selected as the “Type of Dial-Up Server.”

4 If this connectoid will be used to establish a tunneled connection to your own network and you want this PC to log into your Windows NT domain when the connection is complete, check “Logon to network.” This option is required if the “Network Neighborhood” folder is to be populated once the connection is established.

This option SHOULD NOT be checked if the connectoid is to be used for general Internet access (Basic IP profiles).

5 Make sure that “Enable Software compression” is checked and that “Require encrypted password” and “Require data encryption” are NOT checked.


Page 17

6 If you want this connectoid to generate a log file, feel free to check the “Record a log file for this connection” box.

7 If this connectoid will be used to establish a tunneled connection to your own network and you want the PC to communicate with that network using the NetBEUI and/or the IPX/SPX protocol, check the appropriate box(es). DO NOT check these boxes if the connectoid is to be used for general Internet access.

8 Make sure that “TCP/IP” is checked.

9 Click the TCP/IP button.

10 Make sure that “Server assigned IP address” is selected.

11 If this connectoid will be used for general Internet access, we recommend entering the addresses of AT&T’s domain name servers (but you can use your own if they can be accessed by this PC once the connection is established). AT&T’s DNS servers are:

12.127.16.67

199.191.128.104

If this connection will be used for a Closed User Group or for Tunneled access, you MUST use your own name servers (unless the closed user group also has general Internet access).


Page 18

WINS servers are used to populate the Network Neighborhood folder in Windows. Although AT&T does not provide WINS name resolution, you can specify your own servers if you want.

12 Make sure that “Use IP header compression” and “Use default gateway on remote network” are checked.

13 Click OK.

14 Select the Scripting tab.

15 If you created a dial script that should be used with this connectoid, specify that dial script here.

Note: The default settings (shown above) for the two check boxes are correct for normal operation. However, they can be changed temporarily when you want to debug a troublesome script.

16 Click OK to exit (the default setting for the Multilink tab, “Do not use additional devices,” is correct for use with AT&T WorldNet VPN Service).


Page 19

Windows NT 4

Windows NT uses a structure called the “Phonebook” to establish connections to remote networks. To open the phonebook, do the following:

1 Double click on the My Computer icon on the Windows desktop.

2 Double click the Dial-Up Networking icon.


Page 20

Adding a new phonebook entry

To add a new entry to the phonebook, do the following:

1 Click the Add button. The Add New Phonebook Entry Wizard appears.

2 Enter a descriptive name for the connection that will be established using this phonebook entry. For example “Internet access” or “accounting server.” The description helps the user identify which phonebook entry is required to establish a particular connection type.

3 Check the box near the bottom of the window and then click the Finish button.


Page 21

The New Phonebook Entry window appears.

4 Locate an appropriate access number in the list of AT&T WorldNet VPN access numbers provided. Enter the area code and phone number in the Phone number box.

5 If you want to use the Dialing Properties window to format the number to be dialed (recommended), check the “Use Telephony dialing properties” box.

6 Click the Server tab.


Page 22

7 Make sure that PPP is selected as the Dial-up server type.

8 Make sure that the TCP/IP box is checked.

9 If this phonebook entry will be used to establish a tunneled connection to your own network and you want the PC to communicate with that network using the NetBEUI and/or the IPX/SPX protocol, check the appropriate box(es). DO NOT check these boxes if this phonebook entry is to be used for general Internet access.

10 Make sure that “Enable software compression” and “Enable PPP LCP extensions” are checked.

11 Click the “TCP/IP Settings” button.


Page 23

12 Make sure that “Server assigned IP address” is selected.

13 If this phonebook entry will be used for general Internet access, we recommend entering the addresses of AT&T’s domain name servers (but you can use your own if they can be accessed by this PC once the connection is established). AT&T’s DNS servers are:

12.127.16.67

199.191.128.104

If this connection will be used for a Closed User Group or for Tunneled access, you MUST use your own name servers (unless the closed user group also has general Internet access).

WINS servers are used to populate the Network Neighborhood folder in Windows. Although AT&T does not provide WINS name resolution, you can specify your own servers if you want.

14 Make sure that “Use IP header compression” and “Use default gateway on remote network” are checked.

15 Click OK.


Page 24

16 If you created a dial script to use with this phonebook entry, click the Script tab, select Run this script and then enter the name of the desired script file.

17 Click the Security tab.

18 Make sure that “Accept any authentication including clear text” is selected.

19 Click OK (the settings on the X.25 tab are not used for AT&T WorldNet VPN connections).


Page 25

Dialing

Once you have finished configuring the connectoid or phonebook entry, it should be ready to use.

Windows 95 and Windows 98

To establish a connection using a new connectoid, double-click on its icon in the Dial-Up Networking folder. The following window appears:

For some types of service, the user must enter a User Name and Password. For others, these fields should be left blank (see Login Names and Passwords on page 27). Enter them now if required.

Click Connect once these fields contain the correct information.


Page 26

Windows NT 4

To establish a connection using a new phonebook entry, select the entry you want to use and then click the Dial button. The following window appears:

For some types of service, you must enter a User Name and Password. For others, these fields should be left blank (see Login Names and Passwords on page 27). Enter them now if required.

If the phonebook entry is used to establish a Network-Based Tunnel and you want Windows to log into a Windows NT domain once the connection is complete, enter the name of the domain in the Domain box.

Click OK when you have completed filling out these fields.


Page 27

Login Names and Passwords

If the authentication process will be completed using PPP (CHAP) authentication, enter the user name and password required for the server that will employ CHAP in the spaces provided. If the login process will not be completed using PPP authentication, leave these fields blank (any values entered will be ignored).

For example, when establishing a Basic IP connection there are three possible cases, corresponding to the dial script that was required.

• If no proxy RADIUS server is used, the user must enter the user name and password exactly as they were received from AT&T.

• If a proxy RADIUS server that supports CHAP authentication is employed, the user must enter the user name required by the RADIUS server followed by the domain name provided by AT&T in the User name box. The password box should contain the password required by the RADIUS server.

• If a proxy RADIUS server that does not support CHAP authentication is employed, these fields should be left blank.

Click the Connect button once the User Name and Password have been correctly filled out.
