
WWDC07 • Session 544

Integrating Remote Access Client with Corporate VPNs

Information Technologies • 54:13

Apple's remote access client Internet Connect allows you to connect to corporate VPN solutions from Apple, Cisco, Juniper, and Nortel. Discover how to configure and deploy a VPN solution for your environment while learning about how the various VPN protocols such as L2TP/IPSec and PPTP interoperate.

Speaker: Shawn Geddis

Unlisted on Apple Developer site

Transcript

This transcript has potential transcription errors. We are working on an improved version.

For those of you who haven't been to one of my sessions, I'm Shawn Geddis, enterprise consulting engineer, and through my work with a lot of the government and enterprise customers, VPN access has been one of the trouble spots. Has anybody had that situation? Is that why you are all here? The typical environment, there's so many, as you hopefully understand, there's far too many VPN remote access type solutions to be able to cover all this in a session.

So we are going to hit on a couple and I think one thing that we definitely want to do at the end, we want to have a really good Q&A 'cause I think that's kind of where we can drill down to a little bit more of the troubling areas that you might be facing that we haven't covered here. So this is going to be a little bit higher level overview than some of you may need to have for some low level troubleshooting but we'll do our best.

So we kind of want to talk about Internet Connect being the application for remote access and in some of your environments you know how we, what do we need to do to configure that. How do we need to get into your, set up your networks? So hopefully we are going to, first of all for those not aware, we want to help you understand what some of the challenges are in providing the services.

Understanding the services in OS X for remote access, some specific enhancements that we've done, even in the end of the Tiger train and with Leopard, and hopefully cover some of the integration into some of the environments and very little by the way of providing troubleshooting at least in this session right now, but we can help you with information going forward. So again hopefully you are going to learn a little bit what's going on in OS X in remote access, the compatible enhancements in 10.4 that we've added along the way and in 10.5.

So let's start with remote access, Internet Connect, that's typically what you're all using for setting up your internet connections. On the VPN side of the house you've got layer two and point to point and it'd be kind of interesting to know who all's using layer two over point to point or taking other solutions. But we'll just hit on a couple of these and we can maybe talk a little more in depth with some of you maybe even in Q&A.

So if you look at the configuration within Internet Connect on here, within a setup for say layer two over IPSec, the user authentication options that you have: obviously the password, one time passwords as well with SecurID, with CRYPTOCard, certificates, Kerberos, and then there is machine authentication, right, some of you are wanting to do more in the machine authentication area.

We do support both the shared secret certificates and I think I have the enhancements we did along the way in Tiger so some of you may have seen this. Some of you may have been able to all of a sudden, things worked maybe after one of the software updates.

Kerberos related with IPSec, group filtering with Cisco. Anybody doing groups on Cisco Concentrators? Okay, a couple of you. And NAT traversal is a big issue. They did some definite improvements on the compatibility on the NAT traversal during those builds too, that's when we added CRYPTOCard as the second one time password support as well, and we as Apple use the CRYPTOCard solution quite extensively. So when, we were just covering the one time password, both CRYPTOCard and SecurID are available on there as well. I think I was just pointing that out to those folks that weren't aware of it.

Okay, enhancements in Leopard, continuation with NAT traversal, that's a situation if you had both the client and the server behind a NAT. Hopefully people were able to leverage that if they were having trouble if their server itself was also behind a NAT. And of course the enhancements with DHCP over PPP in the same time frame with Leopard, enhancements here with getting the static routes, search domains and all from the concentrator. That's adding the enhanced compatibility with both Microsoft and Cisco. So if you're in those environments that will improve when you get, when you come out with Leopard.

Hello. So here we go with, let's kind of walk through the situation to better understand what's going on with communication, the components that are in there and what you need to know with respect to the exchange of information. So first of all let's specifically look right now at just layer two tunneling protocol over IPSec kind of connectivity here. In this scenario I've got one of our laptops set up with remote access with Internet Connect.

I'm going to say a Cisco 3000 line concentrator, and in the end there we are looking at an authentication server; typically in this environment people are using like a Windows IIS server bound to AD. So as I am doing my request from my laptop, I'm going to do the request to the concentrator. The concentrator is then going to make the request back to me, to my client, saying okay, who are you? Prove your identity.

And I'm going to provide that back to the concentrator and in this environment we're going to go in a little bit more in depth as to what's necessary here, because in this case the Cisco 3000's not going to be able to terminate the EAP-TLS session here, so what happens is, it's actually passing this off as a RADIUS request to the Windows IIS server, and that's some areas where some people may have had some issues. So we're actually passing it off as a RADIUS request to the authentication server; if everything is okay with that identity, RADIUS success comes on back to the concentrator and of course then we're in, session complete.

So let's look a little closer at some of the configuration issues you might have with that 3000 line. One is that on the, on a Cisco concentrator side, since we are doing layer two, right, we are not doing a pure IPSec connection from the client to the concentrator, you're actually having to set up the concentrator.

Set it up for EAP proxies, right, and then doing RADIUS to that authentication server, or in this case we are doing groups who are doing that shared key, and we're going to get into a little bit more about the fact that within those concentrators there's issues with the groups. You got the base group and then you got some additional configuration for various groups. So the fact that layer two of our, layer two of our tunneling protocol over our IPSec is kind of the key point here.

There's all kinds of stuff we can get into, but one of the key pieces is that you're additionally on the concentrator, you're having to set up the authentication servers. Many of you have got, are familiar with the administration on the concentrators here. Got some of the parameters that you can go back on the slides later on and check and compare along with your configuration on your concentrators, but the key thing here I think is really coming up in a second as soon as I.

Now we get onto the authentication server, okay, and we are doing this with RADIUS because that's what's necessary to do that request to terminate the TLS validation that we started from the client's side. Not doing so well with my clicker here. In conjunction with this, since most folks have been using potentially the Cisco client to go to the Cisco concentrator, the client itself was doing pure IPSec. Once you have the need or you're shifting over to use Internet Connect to do layer two, most of you haven't done the corresponding opening of the ports for layer two to get that connection.

So be aware both between, be aware of which ports you need open between a client and your concentrator and of course between the concentrator and your authentication server, in this case RADIUS. Depending on which way you use, whether you are using 1812 or kind of legacy 1645. That's actually how I caught several people by surprise.

Just because they didn't have it configured that way before. So let's kind of look, step back a little bit at the client and how would you set this up. I have it here related to the smart card but it doesn't have to be that, again we are using EAP-TLS.

With user authentication every panel, whether it's layer two, point to point, 802.1x, others, you're always going to get the select certificate panel. How many people are doing EAP-TLS? How many people are actually doing client side authentication with certificates? Is this an area that most of you are not doing? Interesting.

Okay. How many of you are trying to do machine authent or machine authentication? No? Surprising. Same thing here, just want to hit quickly on this, same enhancements we had with point to point, one time passwords with both SecurID and CRYPTOCard, certificate support, and the enhancements that we have in there are of course the added CRYPTOCard components.

So if we do the same thing with our connections here, boy this clicker is not doing, with point to point again keep in mind the ports you need open on these. I am surprised how frequent that is; again if you are doing the Cisco client you didn't have to have these open because you are doing a straight IPSec communication between the client and the concentrator. VPN on demand, anybody using VPN on demand on Internet Connect? Boy.

The VPN on demand is quite helpful particularly for your objectives maybe, people that aren't really familiar with how to start Internet Connect or how to start the remote access session, and just to kind of reaffirm here real quickly for you, okay we will get this. VPN on demand is your ability to configure what domains are tied to what configuration, so if I am going to a host here in my talkback.company.com domain, it's instantly going to launch my VPN on demand configuration, whatever that is.

That now removes a layer of kind of complexity, gives a little bit more of ease of use for the user. I don't have to now launch remote access to know what's going on, it's going to be launched for me. The services if I have to authenticate with a token, with a password, whatever I need to do, that will take place automatically for me.

Now you shift from VPNs to 802.1x, more of you are doing 802.1x. I don't see too many hands going up, a couple maybe. Okay, first off remember that 802.1x is on the wired and wireless side. But what we've done is added a few things, we still have of course the support here, a lot of these are in reference, my slides are in reference to use of TLS for certificates and smartcards. But we added some support, some enhancements to 802.1x, but if you were doing 802.1x in 10.4, it was a little cumbersome.

What I mean by a little cumbersome, if you wanted to do it you had to log in, right, we added that capability right at 10.4.6, why am I having so many problems? So there is a Kbase article to help you, to help walk you through the steps you need to do to set up 802.1x authentication at login.

So why is that an issue? Well if you're trying to authenticate to the network and the user at the same time, it's a catch 22, right, you need access to the network first before you can authenticate but you can't authenticate until you get to the network, so you got this catch 22 situation. We did somewhat of a workaround there in 10.4.6, you had to do some exporting; the Kbase article will help walk you through that process.

But we did some enhancements to that within Leopard, so within Leopard we also added EAP-FAST which is kind of a successor to LEAP here, kind of addresses some of the issues of kind of dictionary attacks and man in the middle pieces, so that's new within Leopard, within 802.1x.

Now the other enhancement, first of all you notice the window, we're actually no longer in Internet Connect. In Leopard all of this configuration shifts over into your network interface configuration panels. Okay. In addition to that now with 802.1x we're not forcing you to go that sort of cumbersome method that you had in 10.4.6 of setting up 802.1x for login.

We actually now have three domains for authentication: we've got the login that is taking the same credentials for authenticating the user themselves and at the network, and in addition to login, if you don't, if you aren't authenticating that user login you have the user domain, maybe for once you're on a network you're authenticating into another isolated area, isolated services, and then you have a system domain, this is now where you are authenticating systems using 802.1x, also with certificates as well. Many folks have been talking to me about the need in their environment to do system level authentication and 802.1x with certificates.

So again all three you got, the login, the user and system domain authentication with 802.1x in Leopard, all done within the interfaces. So this is one reference that I was making to the somewhat simplistic approach that I am giving you with troubleshooting, with the remote access. It's somewhat hard guidance, we could be spending all day I think on some low level TCP dumps and we could bore many of you to tears.

But I think that particularly for first time admins you are getting into this and you kind of want to keep this at a high level. The very first thing you should be looking at, for instance within Internet Connect, make sure you got verbose logging on, make sure you get as much information within the client itself, within the logs, to determine where things may be failing.

Okay there's, the remote access gets a little bit complex with the various components that you have in place and it's hard to give you a simple cookie cutter approach of here's the five things you do and you've solved your problem. But start here with kind of verbose logging, and the next thing is moving on into the PPP log, right, it's going to give you information on establishment of that connection. Many folks have been able to diagnose where things have failed, where they might have some configuration problems, simply by looking at the PPP logs.

Then if you really want to get down to the lower level, okay this is actually a successful session, and I think in many areas of connectivity, networking and all kinds of areas, the first thing that's best for you to be aware of or you to know is what does a good connection look like, right, what should it look like, 'cause if you don't know that, when you are looking at a failed connection you're unsure of where things may have failed. You are unsure where things may have failed itself. And I'll quickly run through this, but this really is an establishment of a layer two connection.

Here you're getting all the exchanges of, exchange back and forth with EAP-TLS. All those stars really represent you're getting some encrypted content here. You're getting at the end exchange of a lot of your requests, you look at the bottom and you're getting the DNS, that's where you're getting that DHCP over PPP request and then successful setting up of the local and the remote IPs, primary DNS, secondary DNS and you're a success, you are in there, right.

If you know what it looks like when you have a successful connection, it's better or it's easier for you to understand where things may be failing, each one of those components. And in conjunction with this, how do I do this again, I have many environments that are using cert-based, so here's one that you are physically failing, the physical certificate wasn't available. I think I actually had removed my smartcard at this point to do this.

And we're doing an exchange and you see down about two thirds of the way EAP-TLS and we actually failed, we failed to authenticate ourselves to the peer. So the peer, being between the client and the concentrator at this point, going on through all the way through to our authentication server.
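The troubleshooting approach just described (verbose logging, reading the PPP log, and knowing what a good L2TP/IPSec session looks like so a failed EAP-TLS exchange stands out) as an added Python example; this is not code from the session or from Apple. The log wording it matches on is modelled on pppd-style macOS ppp.log output and the sample log lines are constructed, so treat both as assumptions to tune against your own verbose logs.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns are assumptions modelled on pppd / macOS ppp.log wording; adjust to your build.
LINK_UP = re.compile(r"L2TP connection established|PPTP connection established|Connect: ppp\d", re.I)
AUTH_OK = re.compile(r"authentication succeeded", re.I)
AUTH_FAIL = re.compile(r"failed to authenticate|authentication fail(?:ed|ure)", re.I)
LOCAL_IP = re.compile(r"\blocal\s+IP address\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)
REMOTE_IP = re.compile(r"\bremote\s+IP address\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)
DNS = re.compile(r"\b(?:primary|secondary)\s+DNS address\s+(\d{1,3}(?:\.\d{1,3}){3})", re.I)
TERMINATED = re.compile(r"Connection terminated|LCP terminated by peer", re.I)

STAGES = ("none", "link", "auth", "ipcp")   # furthest point the session reached

# What to check next, following the session's advice for each failure point.
HINTS = {
    "success": "Healthy session: link up, peer authenticated, addresses and DNS handed out over PPP.",
    "no_link": ("No L2TP/PPP link was established. Check the ports between client and concentrator: "
                "L2TP over IPSec needs UDP 500 and 4500 (IKE / NAT traversal), UDP 1701 and IP "
                "protocol 50 (ESP), which the pure-IPSec Cisco client never needed open."),
    "auth_failed": ("Authentication (EAP-TLS / password) was rejected. Confirm the client identity "
                    "(certificate or smartcard) is present, then confirm the concentrator can proxy "
                    "RADIUS to the authentication server on UDP 1812 (or legacy 1645)."),
    "no_address": ("Authenticated but no local/remote IP: DHCP over PPP / IPCP never completed; "
                   "check the address pool and DNS/route handout on the concentrator."),
    "terminated": ("Link came up and then dropped before completing; compare with a known-good log "
                   "to find the last exchange that succeeded."),
}


@dataclass
class PPPResult:
    outcome: str                      # key into HINTS
    stage: str                        # one of STAGES
    local_ip: Optional[str] = None
    remote_ip: Optional[str] = None
    dns: List[str] = field(default_factory=list)
    evidence: Optional[str] = None    # the log line that decided a failure outcome
    hint: str = ""


def classify_ppp_log(lines: List[str]) -> PPPResult:
    """Walk the log once, track the furthest stage reached and the first line that
    proves a failure, then map that to an outcome plus a next-step hint."""
    stage = 0
    res = PPPResult(outcome="no_link", stage="none")
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if LINK_UP.search(line):
            stage = max(stage, 1)
        elif AUTH_OK.search(line):
            stage = max(stage, 2)
        elif AUTH_FAIL.search(line):
            stage = max(stage, 1)          # auth only runs once the link is up
            if res.evidence is None:
                res.outcome, res.evidence = "auth_failed", line
        elif TERMINATED.search(line):
            # A teardown after addresses were assigned is a normal disconnect, not a failure.
            if res.evidence is None and stage < 3:
                res.outcome, res.evidence = "terminated", line
        else:
            for pat, attr in ((LOCAL_IP, "local_ip"), (REMOTE_IP, "remote_ip")):
                m = pat.search(line)
                if m:
                    setattr(res, attr, m.group(1))
                    stage = max(stage, 3)
            m = DNS.search(line)
            if m:
                res.dns.append(m.group(1))
                stage = max(stage, 3)
    res.stage = STAGES[stage]
    if res.evidence is None:              # nothing went visibly wrong; judge by what was reached
        if res.local_ip and res.remote_ip:
            res.outcome = "success"
        elif stage == 0:
            res.outcome = "no_link"
        else:
            res.outcome = "no_address"
    res.hint = HINTS[res.outcome]
    return res


# Constructed sample logs in macOS ppp.log style (not captured from a real system).
SUCCESS_LOG = """\
Thu Jun 14 10:02:11 2007 : L2TP connecting to server 'vpn.example.com' (203.0.113.10)...
Thu Jun 14 10:02:11 2007 : IPSec connection established
Thu Jun 14 10:02:12 2007 : L2TP connection established.
Thu Jun 14 10:02:12 2007 : Using interface ppp0
Thu Jun 14 10:02:13 2007 : EAP-TLS authentication succeeded
Thu Jun 14 10:02:14 2007 : local  IP address 10.20.30.7
Thu Jun 14 10:02:14 2007 : remote IP address 10.20.30.1
Thu Jun 14 10:02:14 2007 : primary   DNS address 10.20.0.53
Thu Jun 14 10:02:14 2007 : secondary DNS address 10.20.0.54
"""

CERT_FAIL_LOG = """\
Thu Jun 14 10:15:40 2007 : L2TP connecting to server 'vpn.example.com' (203.0.113.10)...
Thu Jun 14 10:15:40 2007 : IPSec connection established
Thu Jun 14 10:15:41 2007 : L2TP connection established.
Thu Jun 14 10:15:41 2007 : Using interface ppp0
Thu Jun 14 10:15:42 2007 : EAP-TLS: no client identity available (smartcard removed?)
Thu Jun 14 10:15:42 2007 : Failed to authenticate ourselves to peer
Thu Jun 14 10:15:42 2007 : Connection terminated.
"""

NO_LINK_LOG = """\
Thu Jun 14 10:20:01 2007 : L2TP connecting to server 'vpn.example.com' (203.0.113.10)...
Thu Jun 14 10:20:21 2007 : L2TP cannot connect to the server
"""

if __name__ == "__main__":
    for name, log in (("success", SUCCESS_LOG), ("cert-fail", CERT_FAIL_LOG), ("no-link", NO_LINK_LOG)):
        r = classify_ppp_log(log.splitlines())
        print(f"{name}: outcome={r.outcome} stage={r.stage} ips={r.local_ip}->{r.remote_ip} dns={r.dns}")
        print("  hint:", r.hint)
```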

So particularly in the 802.1x environment again as I kind of emphasized over and over in a lot of these areas is you got to know what's happening, who's requesting what to know where things fail. So in this kind of environment what are the exchanges that are going on between and typically again this is kind of standard environment with an 802.1x.

I'm getting this request to establish this EAP connection over LAN, EAP over L, EAP over LAN. I do that to start the authenticator. I get the request back from that authenticator, back to the supplicants, my client, my portable PowerBook, MacBook Pro. And I'm now doing the response of my identity that gets sent all the way over to the auth server. Right this is where that RADIUS request comes in, and all the way back through the authenticator back with a challenge, so I do the challenge response here with RADIUS.

I supply my credentials again the request on the auth side and I'm now successfully in. So if you understand those, the interplay between these components here again this is where a lot of folks can quickly identify if I have improperly configured my authenticator here, I'm going to be stopping or even failing to even start the session itself.

Extension of, folks have this question a lot and that is they have securID tokens and yet they want to use the Apple VPN server here and they wanted to know how to make that work, how to tie into the backend a server as well. I shared this with folks last year and it seemed to be quite helpful to those people.

So there is a knowledge base article on how to configure and unfortunately you have to kind of go under the hood of things and configure the VPN server, but you can do that authentication back to the RADIUS, not RADIUS the RSA ACE server sorry about that, directly from the Apple VPN.

Now I'm shifting away from standard VPN and 802.1x to another area that seems to be quite prevalent as a challenge with folks; even some folks earlier this morning were asking me about SSL VPN challenges they had. Well first of all, why are folks using SSL VPNs? There's a lot of challenges for providing remote access to employees, to ultimate partners maybe, maybe temporary, maybe long term.

What are some of the reasons why they're considering an SSL VPN kind of solution? Well first of all it doesn't require client management, right, you don't have to start loading software on each client, you don't on ours because Internet Connect's there, but in this case you don't even have to change configurations. A clientless architecture, your browser is already there. It doesn't require additional touch points, systems actually pushing things out to each client.

The second point there is actually quite powerful though, and that is largely the challenge that people have in shifting away from some of the other remote access type approaches is dealing with firewalls in remote offices or dealing with firewalls again in partners' organizations or just remote sites. And so the SSL VPN solution helps them break through that challenge because now you aren't having to open up those additional ports, since you probably can't even manage those, it's out of your control. Integrating with firewalls in this environment makes it quite a compelling solution. And the other thing with SSL VPN, you can reduce the exposure down to particular services rather than opening up your full network.

So let's kind of look at this, it's all going to look quite familiar to you, you're just connecting from a browser to a server, right, I'm doing a request to say my SSL VPN and now I'm doing my typical response and the challenges with certificates here. I finally do my sending of my certificate, my client side identity, to the server, I get my authentication and now I have established my whole tunnel between my client and my server. Now all my interaction from my client is all going through that SSL tunnel to the server, right, now I don't have to deal with additional ports. I don't have interaction with the rest of the network in my remote site.

But some of you have had some challenges with that. Some with that interaction, most people have been deploying like Juniper SSL VPN solutions and they had some challenges with different versions of 10.4 and maintaining or actually initially establishing that connection. I wanted to run through some of this and explain what's happening, both what you can do now and what is coming in Leopard that helps you address those particular kinds of problems. Okay, so if you've got a single identity and you're doing a connection to an SSL VPN. Some of you have probably seen this slide several times now.

It's a typical exchange, OS X is going to pick that first valid certificate, send it off to the server; if you're challenged locally, if it's stored in some protective container like a smartcard, you'd be challenged for the PIN during that exchange, the challenge response is sent to the server, trust validation is either successful or failure, and if it's successful then you are granted access to your service, right.

If you have multiple identities now that same process is going to go through the steps but you may potentially be rejected at the other end, so what happens is we talk about this ability to select an alternative certificate, alternative identity, and once you select this you get an identity preference, and this is kind of your workaround to some of the, like, Juniper SSL VPN issues that some folks have had.

Once there is an identity preference in your keychain, the next time Safari goes to that SSL VPN server it's going to automatically look for and rely on that identity rather than just picking the first one, because a lot of you have had problems with which identity is being used, because of the key usage you may have multiple identities that are valid associated with key usage.

So within Leopard we've done some enhancements here to give you the ability to manually create those identities; this gives you the ability to set that identity up first and not get in that catch 22 looping effect with connectivity to the server. This is one of the closer kinds of views to an identity preference: if you look physically in Keychain on your builds and you want to look at your identities, you select My Certificates in the category area.

There's a contextual menu now, so get the contextual menu up and do New Identity Preference and you can now enter the URL to that SSL VPN, okay, and select which certificate you want to use in this area. This is where if you were previously connecting to a Juniper SSL VPN switch, the system would be sending that first identity, first certificate, and because the environment that most of the switches are in is a Windows-based environment, what would happen is that Juniper switch would respond back to the browser with a page that says, basically tells the user, please select the appropriate certificate.

And so you failed to actually be able to set one because Safari got back a page. Okay let's walk through that again. I use Safari, try to connect to the SSL VPN. The SSL VPN sends me back a web page that says you need to select your certificate.

It fails because Safari thinks things are successful because it got a successful response back with a page; what should have happened is that the SSL VPN box should actually have failed at the handshake, the SSL handshake level. Safari would have been notified up through our networking stack that that identity was not accepted. Essentially it failed and then would have listed the sheet of all the additional certificates to select from.

So in Leopard what we have done is given you this additional capability of, if you have solutions like that, that do not fail at the protocol level, they give you that page and tell you to manually select it, you now have the ability to overcome that problem regardless of whose box it is, alright. This gives you a very workable solution in all those environments.

So here you're entering the URL, I'm selecting my certificate and again it adds it into the keychain. So if you've ever selected an identity or certificate in any one of those panels, if you look in your keychain you'll probably see a couple of these, in reference to websites or servers. So there is a lot of things that we can talk about on remote access.

Again like I had mentioned early on, we wanted to spend considerably more time in the Q&A area, but with respect to customers that I have spoken to over the last several years, the predominant challenge has been connectivity to the Cisco 3000 line, that's been the most prevalent use, or on the SSL VPN side of the house, and hopefully I have walked you through some of this at a very high level.

Some of the capabilities that we have in the built-in services, hopefully you are still aware of some of the enhancements we've done, remember NAT traversal, DHCP over PPP, the groups, management, and then with the transition, as I kind of somewhat mentioned that and many of you clapped, and that is the transitional way from Internet Connect to physically do all that configuration into the interface for each one of the network preferences itself.

And so what we want to do at this point is really kind of move into the kind of Q&A thing, the Q&A time, and spend a little bit more in addressing some, a little more esoteric, a little more interesting configurations that you may have and troubles that you've faced within connecting for remote access from an OS X client, and I think at this time I will ask Jason and Kristoff to join me.

  • Thank you Shawn.
  • So we have a fair amount of time if you have some questions you can probably go into detail. Can you guys hear me, okay. So I see you guys lining up, so lets start over here.
  • You said in 10.4.9, you can do group passwords?
  • Yep
  • And where do I find where to put the preshared key and all that?
  • That's actually in the panel itself
  • In internet connect?
  • Yes, Oh.
  • Okay great thanks.
  • I'll leave it up because I think that, that might be some questions that.
  • As he is going to the back, let's come over here.
  • Association of Corporate Counsel, couple questions, hopefully quick enough answers. One, any experience using Internet Connect with Juniper's NetScreen products?
  • In some very old environments that some folks have some NetScreens, we, I haven't personally been working with folks on the NetScreen side. We're hoping one of our other folks from our IT was going to be here because he has actually done a lot of work with the NetScreens.
  • Okay and then we actually do use the Apple VPN server, just directly connect into it, and two problems that I have come across. Number one is it doesn't seem to be exactly reliable, I mean in 10.4.9 how reliable, I mean what kind of reliability should I be looking for on this, because just now, literally I was iChatting with my guy back in my office to restart the server and all it is doing is VPN service and there's only like a few people actually hitting us, so I mean should I be looking, I mean this thing should be pretty reliable or?
  • Should be, that's the goal.
  • It should be reliable especially if you only have a couple of people connecting.
  • I mean it's bound to an Open Directory master on a separate box, I don't know if that causes any problems or extra anything there?
  • Well we use our own server at Apple and we terminate like hundreds of connections on each server.
  • Okay and one other thing I ran into which I did see on some other apps, somebody else had mentioned the same.

Problem was I had my VPN server as my file server I think at one time and for whatever reason when it's doing some exchanges it seems to mess up the AFP server. I had to move, once I disabled the VPN and moved it off onto a separate box the AFP problems went away. And I was just wondering if that was anything that was known or anything?

  • I don't know.
  • Okay. All right.
  • Up front here.
  • Thanks. Quick question, first of all thanks for the security session yesterday, that was awesome. I am an admin on a network of about 200 Macs, I don't know a whole bunch about connecting and using this software through to and authenticating into a Novell network.

Does the Internet Connect software in both Tiger and Leopard allow for that? I know they were thinking of using a product by a company called Apani to maybe pull that off, but I don't know if these two pieces of software in conjunction in either of the OS builds allow for that, so I just figured I'd ask a general question to see if I am even in the right place here.

  • At least can you back up to the earlier part of your question?
  • We're trying to connect to, through VPN, through the internet, authenticating into a Novell network.
  • Yes, Apani is one of the only ones that really has been working that product. And that line is really the only one that is doing a fair amount of work with the Nortel stuff.
  • So Internet Connect is not the program to use for that at all?
  • Yeah, there have been more issues on that side.

The Apani within our customer base, they had the most success with that product line.

  • Okay thank you
  • We're not sure yet whether its configuration related, we need to be experiencing a little bit more close work with the customers to determine what environment they have and why it's causing problems.
  • I would be more than happy to invite all of you to my place of work. It's a very nice place, they have good food anytime.
  • Are you in Hawaii by any chance?
  • No but I am at the Getty Center and it is very nice, architectural landmark of Los Angeles, so you know.
  • Yeah. We can talk offline.
  • Alright. Thank you very much again.
  • Thanks.
  • Let's clear here and then we will go to the back.
  • Hi, our Internet Connect works really well with Macs but the problem we are experiencing is once we connect with VPN, we are no longer able to surf the web or go to other web pages; we'd like to be able to do both of those. Could you refer me to a website that might tell me how to configure that?
  • I'm sorry, could you ask that again, I'm not sure I.
  • We can connect through Internet Connect to our VPN but once we do that we no longer can go to the internet, any other website besides our own, through, we're using PPTP.
  • There is some way of configuring I know there is but I don't know where it is.
  • Well typically I think what you are doing is that once you connect, all your traffic goes through your VPN corporate server.
  • Right
  • And for some reason your corporate firewall doesn't allow that outside. So it may be a configuration issue, or you can change that on the client to not send some of the traffic.
  • How do you do that? That's what I am asking, 'cause there's some, I'm sure that there is ability to do that, I know there is 'cause someone's been able to do it, I just don't know where the website is that details how you do that.
  • Do we have a website for that or?
  • Shawn's going to do some research.
  • I was trying to pull this up.
  • Oh okay.
  • Options where, are you looking where to turn off the send all traffic over VPN?
  • Yeah, I want to be able to send traffic in both directions.
  • In internet connect there is a check box.
  • There is a check box in internet connect for that but it depends also on your server configuration. So what type of server are you using, is it a Mac server? So what server is that?
  • Windows.
  • It's a Windows server. So that's, umm.

  • It's a local configuration on a Mac that does it, but I don't know what does it.
  • Right, so if you launch Internet Connect and you go to, there's like a menu option, it's like the second to last one on the right-hand side, if somebody has a machine open.
  • Say that again. Connect, and there is an option at the bottom that says "Send all traffic over VPN connection." You uncheck that, and only traffic for your network goes over the VPN, and then traffic that's not on your network goes over the second IP address, the second network.
  • Actually, a related piece of that, and I think that some people weren't aware of that, is within the port prioritization on the networking side you can actually set the prioritization of which port your traffic goes out of. So in other words, in addition to the VPN client saying that it's sending all traffic over your internet connection, whichever you're using, Point to Point, within the network priority you can actually set your local network, Built-in Ethernet, at a higher priority.

Right, you can actually change that, and you could force everything to go over your VPN by putting your VPN configuration at the highest priority as well, in addition to checking the option in Internet Connect.

  • Okay.
  • In Tiger it's drag and drop, and in Leopard you've got a nice little sheet that lets you dictate what order you do.
  • Okay cool thank you very much.
  • And actually, to extend, because some people have been asking, how do you force all of your traffic over the VPN without the user being able to change it? If the user is not an admin and you do the port prioritization and set Point to Point or layer two as your top priority port, they would have to have privileges to change that prioritization, so it would force everything to go over as well.
  • Everybody we are talking about has admin privileges.
  • Okay, well that negates that.
  • Thank you.
  • Let's go back over here.
  • John Welch, Kansas City Lawyer. I am one of those people using SSL VPN for pretty much every single reason Shawn listed. It's from F5, it's been a good product. The problem is, you know, when we run into issues like the previous question, where we don't want everything to try to go out our little 12-man connection, so configuring, I've got split DNS, and that case is a little interesting because it's not really a port, it's an SSL connection.

And in our case, for admins and some limited-use people, we actually allow full VPN connections, but it's all going through basically Safari, so I was wondering if there's any tips, tricks on...

  • You could make it work but it tends to get really boggy. It might work it might not.
  • Comments?
  • Sorry, that sounded like feedback, versus a type of question. It's good feedback.
  • If nothing else if you guys could take a closer look at SSL VPN and dealing with split DNS issues through those that would be a big help for people. Thank you.
  • Yes, SSL VPN using AOL won't work out.
  • Thank you.
  • Let's take two down here and we'll go to the back and then we'll come down to you.
  • I was wondering, is EAP-FAST supported in Tiger? Because I thought that there was an update that came out for that, and you just mentioned it in Leopard only.
  • It's a Leopard feature; it would have been from Kristoff's.
  • I don't know.
  • It was only supposed to be in Leopard.
  • Because I remember I think the 10.4.6 updates had something for EAP-FAST, only on the Intel side though.
  • Yeah I don't remember if we added that into software update. I think we talked about that at some point but I don't remember.
  • Sometimes it's hard for us to keep track of some of these; they get blackboarded. It was intended to be a Leopard feature.
  • Okay.
  • If it is that's a bonus for you all.
  • The other thing I was wondering, if you could back up the...
  • It's in the release notes for 10.4.9.
  • Oh, it is?
  • Yeah.
  • The comment was it was in the release notes for 10.4.9.
  • I was also wondering if you could back up the slides to show the ports that need to be opened between, for the SS, the, yeah, that one, that one. Thank you.
  • So, I'm glad that helps you, because I don't know how many people I've talked to, because what they're, they've got their VPN administrators, everything configured.

And they're saying, okay, we need to do layer two, and everything fails, and the problem is they just don't have the ports open, so. That's good.

  • Right here.
  • Al: Al Willis, MIT, excuse me, two things. Shawn, are you saying that we can replace Cisco's VPN client with Apple's VPN client if we have Cisco's concentrators?

[Shawn Geddis]

We have, there's several issues; the configurations get kind of tenuous at best. It'll work. We've gotten things to work, but there may be some complexities in your environment that may cause some other challenges. But the scenario I showed you right here is fully in production, and has been in production for over a year, going from Internet Connect on 10.4 to a Cisco 3000, or 3060, Cisco concentrator all the way to a Windows IIS-bound Active Directory, yes. There's some of the key points in some of those slides, where in a Cisco concentrator, you know how you have base groups. And probably most of you are just relying on the base group for all users coming in.

When you're creating these groups, when you're doing this, you have to have the base group for layer two over IPSec as well. And that's typically not a common scenario. And if you have all your PC users coming in and they're all using the base group, first of all configure a new group for them.

Configure the base group for layer two. You're not using mode config, because that's Cisco's method of passing back the configuration between the client and server. And within the Apple group you're doing a lot of the configurations, we can switch back to slides, but you're doing a lot of the configurations specifically for the layer two over IPSec implementation as well.

  • So the answer is yes, it is possible with some work.
  • It is; it's just, be careful, because what happens when you're getting some of this is the concentrator drops into the values that are in your base group.

So, you almost have to configure base group for the Apple guys as well or it'll fail.

  • And my other quick question was: is it possible to create those identities that you showed in Keychain Access in Tiger in any programmatic way? Can I script that; can I do something to create those identities?
  • Oh yeah, the identity preference, is that what you meant?
  • Yes.
  • The identity preference yes, talk to me offline. It's not part of the product. We can help you do this as a manual process.
  • Okay.
  • Thank you.
  • Thank you, let's go up in front and clear it out straight back.
  • Ortwin from Equinox. I just want to mention a short side note to the one gentleman before using NetScreen and the other gentleman using Novell: maybe our product VPN Tracker might be of help for them, just as a consideration. You can talk to me afterwards.
  • What's your company's name?
  • It's Equinox.
  • It does work.
  • Yeah, I should have mentioned that. Sorry Ortwin.
  • Alright you, yeah.
  • I didn't realize I was standing behind Ortwin. I love their product, and it's terrific they're doing what they're doing. The problem that I've had is the push back from clients wanting to use the Mac client with their existing VPN solution, whatever they're using. And then saying, well gee, that's supposed to work.

Why do we have to spend more money for their product? And it seems to me, you know, nothing against what these guys are doing, but it seems like there needs to be a little more integration within the Apple VPN client, number one. And number two, it would be helpful, I think, if Apple was evangelizing with some of these VPN device manufacturers, SonicWALL and Linksys come to mind, and saying look, you know, let's do something and not make this Windows-centric, and not make this impossible to use with a Mac, and not make so many hoops to jump through to make it work.

  • Good point.

( Applause )

  • Thank you and I have noted. Back, let's go to the back.
  • Phil Goodman, Los Angeles, Goodman Consulting, piggybacking on Al from MIT's question about the Cisco issue. One of the reasons why we're continuing to support the Cisco client directly is one of the features, from a GUI user experience point of view, is they have a feature for backup servers that's built in.

And I haven't been able to find that either in the Tiger. And if you have built it in the Leopard that would be great, so if the primary server fails it automatically goes to an unlimited list of backup servers.

  • So you're kind of doing load balancing?
  • Yeah, not just load balancing but VPN server failure.
  • Yeah, one of the features in Leopard is to implement the load balancing and failover mode. So it's on the server, and on our clients we'll be able now to connect to the pool of VPN servers and to pick up the one that's available.
  • Right. So I can do that now, let's say, in the Tiger Internet connect client by creating multiple configurations, one for each of the backup servers. And that means I have to reconfigure it all over again.

The question is, is there just in Leopard the ability to populate one field with a list of backup servers without having to reconfigure a whole new settings, set of settings?

  • Well, the way we work in all the VPN clients, whether you connect to Cisco or to your own servers, is you just connect to one single IP address, which would be a virtual address of a pool of servers. And one of the servers available will reply, and the client will connect with that specific one. So you don't populate a list from the client; you just have one single address that you specify, and the client will take care of the rest.
  • Okay, so allow me to do my now standing plug for bugreport.apple.com, if that's an important feature for you please file an enhancement request. It'll go to our team. They'll evaluate it if you can give as much detail in terms of why you find it valuable that'll be very useful for us.
  • Great. And another request for being able to script all that being, you know, defaults and so on.
  • Thank you.
  • Let's stay in the back and then we'll come up front down here.
  • Hi. Fi Sanders with Vital Source Technologies. We're using OS X Server VPN and have been since Panther. Upgraded it to Tiger and all my Mac clients work great. We're just doing shared secret and Open Directory, where the VPN server's a replica. But my Windows clients can now connect, and for about a minute ping works and they can start getting data on our internal network. And then they just stop transferring data.
  • Sounds like a bug. Bugreport.apple.com
  • (Inaudible)
  • Okay.
  • Yeah, it sounds familiar somehow. But I don't remember the specifics.
  • If it's not fixed in Leopard please, you know, test it and let us know and Kristoff I'm sure will be happy to get right on that and get his team working on it.
  • We'll get him to work on the weekend.
  • Thank you we'll have him work weekends.
  • Eddie Martinez, Vmix Media. Is it possible to configure, enable and bring up a VPN via command line?
  • Is it possible to configure the VPN, VPN via command line?
  • The VPN server or the VPN client?
  • I'm sorry.
  • The VPN server or the VPN client?
  • Client's side.
  • Probably, you're trying to script it?
  • Well, actually I have SSH access to multiple machines but I also need to set up the VPN. And then I can do ARD from there.
  • Yes you can use a VPN from the command line the problems start with authentication because all authentication is designed to prompt and ask the user for password and certificate. So depending on the type of authentication you are using you can or cannot do it from the command line.
  • Okay, if I don't need the authentication from a particular type of VPN where could I read about that so I could bring that up and then perhaps configure over ARD?
  • Just come to me after and we can.
  • Thank you.
  • Look at it.
  • Thanks, let's clear out here.
  • Sirus Dahaji (assumed spelling), Best Buy, and I'm wondering if there is a way to utilize machine certificates in a predominantly PC-dominated environment? Currently I'm using user certificates and it's just kind of painful. So I'm wondering if we can generate the machine certificates for 802.1X, for wireless and VPN?
  • So the machine, you're trying to do this on 10.4?
  • 10, 10.3.
  • 10.3?
  • Yeah.
  • Do we do 10.3? This is where I'm having to rely on Kristoff because he did a lot of that work. But I.
  • Machine certificate is a difficult issue. And we did a lot of improvements along the way. I remember about 10 (unclear) specifically but we did a lot of improvements in 10.4 and in Leopard to better support machine certificate. The problem with machine certificate is to generate a certificate with a high values insight.
  • So it's not supported in Leopard then?
  • Yeah, I mean it's all Leopard, but I was trying to be sure you were wanting it back in.
  • 10.3 yeah.
  • It's all in Leopard yeah.
  • Okay.
  • The next version.
  • Thank you.
  • Yes, Zane Christianson at T-Mobile. I actually have a question, a more general question about how, who should I direct our IT folks to if they need hand-holding and reassurance on how to open up an ecosystem to be more Mac friendly? Specifically with VPN, because we have a, we just went to a certificate-based system from a group password system.

Before it would work occasionally, slightly, sort of but now it doesn't work at all. And there's issues with firewall rules and things like that that aren't present even in the Cisco version of the client itself. So, I'm trying to figure out how to, who to plug them into over at Apple to kind of help evangelize and reassure and.

  • Probably the easiest thing I could suggest to do is have them work with their sales reps and they'll probably pull me into that.
  • Okay, because they're actually, it's all, pretty much all Windows environment. So most of the Mac support is exception based. And it's like big high-powered executives that say give me VPN access. And then they do it. So I'm trying to kind of funnel them toward a resource that they could go to just to get all the questions answered and to get, you know, reassurance that it is secure, it is a feasible thing to offer.
  • So the presales.
  • Yeah somebody that kind of helps, help me get my foot in the door a little bit.
  • With presales, it would be a work, first of all you may have to locate who the sales rep is that deals directly with either your group within T-Mobile or within T-Mobile; ultimately I'd get involved, so, if you wanted to contact me as well.
  • Okay, thanks.
  • Thank you.
  • Right here.

  • Rich: Rich Trodden, National Institutes of Health. Our VPN access for the NIH is just handled at a global level. I have a central IT group who keeps our Cisco VPNs set up pretty much as black box as possible. One feature that would help out a lot within integrating the remote access client built into Mac OS X would be the ability to import Cisco profiles, if that's possible at all. Because at this point we don't have the...

( Applause )

We don't have the group passwords or anything like that. We basically just get an installer package with two sets of profiles, we install it and it's pretty much a black box to us.

  • Thank you for the feedback. But again it always helps to put it at bugreport.apple.com just to make sure it's logged there. Looks like the last question goes to you sir.
  • Jodie: Alright, thanks. Jodie from Adobe Systems. That was partly my question. We're in a similar situation. You mentioned some issues that come up with the Cisco 36 concentrator.

And I looked it up in the document that's tied to the session, the Network Services Administration guide. And unfortunately there's none of this, and what's on the slide, in there. Where do we get that kind of guidance so we can share it with our IT peers?

  • Yeah, I wish it was all in there.

So that's definitely good feedback that Apple needs to improve that documentation. All the content from this, of course, you'll get all these slides through developer access. But if you need more than that information, a more urgent method, again you can get in touch; let's talk afterwards.

  • Okay thanks.
  • Alright thank you folks.