Mitel 6000 Admin Guide

6000 Managed Application Server
(MAS)
Administrator's Guide - Release 5.6
by Mitel Networks Corporation
Published October 2002
The Mitel Networks logo is a trademark of Mitel Networks Corporation in the United States and other countries. Linux is a registered trademark of Linus Torvalds. The terms "ssh" and "Secure Shell" are trademarks of SSH Communications Security Corp. Trend Micro is a registered trademark of Trend Micro Incorporated. All other trademarks are the property of their respective holders.
Table of Contents
1. Introduction
1.1. About This Guide
1.1.1. Who This Guide is Written For
1.1.2. About Our Test Company: The Pagan Vegan
1.2. Welcome to your 6000 MAS
1.2.1. About the 6000 MAS
1.2.2. The AMC
1.3. About ServiceLink
1.3.1. ServiceLink Architecture
1.3.2. 24x7 Monitoring and Alerts
1.3.3. Virus Protection
1.3.4. Guaranteed E-mail
1.3.5. DNS Services
1.3.6. IPSEC VPN Service
1.3.7. Software Blades
1.4. What's New
1.4.1. Features
1.5. Software Licensing Terms and Conditions
2. The Server Console
2.1. Using the Server Console
2.1.1. Using the Text-based Browser
2.1.2. Accessing the Linux Root Prompt
2.2. On-going Administration Using the Server Manager
3. Configuration
3.1. Set Date and Time
3.2. Configuring Your Desktop Operating System
3.2.1. Automatic DHCP Service
3.2.2. Manual Entry For Computers Not Using DHCP Service
3.2.3. MS Windows Workgroup Configuration
3.3. Workgroup
3.3.1. 6000 MAS as Domain Controller
3.4. Remote Access
3.4.1. Remote Access Using ssh
3.4.2. Remote Access Using SSL
3.5. Directory
3.5.1. Configuring Your Company's Directory on Clients
3.6. Printers
3.7. Hostnames and addresses
3.7.1. Creating New Hostnames
3.7.2. Reserving IP Addresses Through DHCP
3.8. Virtual Domains
3.9. E-mail
3.9.1. Configuring Your E-mail Application
3.10. Configuring Your Web Browser
3.11. Choosing Your Web Browser Language
3.12. Backup or Restore
3.12.1. Backup To Desktop
3.12.2. Restore From Desktop
3.12.3. Verify Desktop Backup File
3.12.4. Configure Tape Backup
3.12.5. Restore From Tape
3.13. Review Configuration
4. Collaboration
4.1. User Accounts
4.1.1. Disabling User Accounts
4.1.2. Changing User Passwords
4.2. Groups
4.3. Quota Management
4.4. Pseudonyms
5. Information Bays (i-bays)
5.1. i-bay Directories
5.2. Accessing i-bays
5.3. Creating an i-bay
5.4. Modifying an i-bay
5.5. An i-bay Used as a Customer Site: The Miles Gabriel Art Exposition
5.6. An i-bay Used as a Shared Network Drive
5.7. An i-bay Used as an Intranet: The Pagan Vegan "Vegemite"
5.8. An i-bay Used to Expedite Processes: Samson's Farms
5.9. An i-bay Used as Your Customer Download Site
6. Webmail
6.1. Enabling Webmail On Your System
6.2. Starting Webmail
6.3. Logging In
6.4. Viewing The Inbox
6.5. Logging Out of Webmail
6.6. Composing Messages
6.7. Reading Messages
6.8. Deleting Messages
6.9. Using the Address Book
6.10. Changing Webmail Options
7. Server Administration
7.1. Administration of Your Server Via Windows File Sharing
7.2. Create Starter Web Site
7.3. User File Storage on the 6000 MAS
7.3.1. Windows
7.3.2. Macintosh
7.4. Reinstallation Disk
7.5. Reboot or Shutdown
8. Technical Support
A. Introduction to the Ethernet Local Area Network (LAN)
B. Additional Software
Chapter 1. Introduction
1.1. About This Guide
This Administrator's Guide walks you step-by-step through the straightforward process of configuring your 6000 Managed Application Server (MAS) and its Windows or Macintosh clients. The Appendices at the end of the guide provide background information on subjects related to networking and the Internet and are intended to supplement chapters in the main section of the guide.
1.1.1. Who This Guide is Written For
This guide is for administrators of the 6000 MAS. For more information, contact your Mitel Networks authorized reseller.
1.1.2. About Our Test Company: The Pagan Vegan
In this guide, we use examples of a catering and event-planning company, The Pagan Vegan or TPV, that configures, administers and makes use of the 6000 MAS. As far as we know, no company of this name exists.
1.2. Welcome to your 6000 MAS
Congratulations on choosing the 6000 MAS as your network and communications server! Companies all over the world are using the Internet to communicate more effectively and efficiently to a broader audience.
The 6000 MAS is founded upon state of the art technologies - such as the Linux operating system - which have been mainstays in the infrastructure of larger organizations for several years. Mitel Networks Corporation has customized these technologies to make them straightforward to use, while still giving you local control over your Internet services. The result is a cost-effective Internet infrastructure that will reliably serve your organization as it grows and as its use of the Internet evolves.
1.2.1. About the 6000 MAS
The 6000 MAS is a managed Internet security and productivity solution for single-site and branch-based enterprises. It combines award-winning software, Mitel Networks SME Server with ServiceLink, with a suite of managed services delivered from the Mitel Networks Applications Management Center (AMC). The 6000 MAS manages your connection to the Internet by routing Internet data packets to and from the network (which allows all the computers on the network to share a single Internet connection) and by providing security for the network, minimizing the risk of intrusions.
When one of the computers on the local network contacts the Internet, or is contacted by an outside machine on the Internet, the 6000 MAS not only routes that connection, but seamlessly interposes itself into the communication. This prevents a direct connection from being established between an external computer on the Internet and a computer on the local network, thereby significantly reducing the risk of intrusion onto the network.
The server also provides services that allow users to communicate better internally and with the rest of the world using the Internet.
Throughout this guide, SME Server refers to the server software component installed at the end-user's site. 6000 MAS refers to the total solution - the server software as well as applications and subscription services delivered from the AMC.
The word gateway is used to mean the computer that acts as the interface between the local, internal network and the external world - typically the 6000 MAS itself.
If you prefer, you can also run your 6000 MAS in "server-only" mode. In "server-only" mode, your server provides your network with services, but not the routing and security functions associated with the role of "gateway". Server-only mode is typically used for networks already behind a firewall. In that configuration, the firewall fulfills the role of gateway, providing routing and network security.
Once installed, your 6000 MAS can be configured and managed remotely. Routine administration is handled from your desktop using a web-based interface, so only on rare occasions will you require direct access to the server computer. Once installation is complete, most customers put the server in an out-of-the-way place like a utility closet. If you wish, you can disconnect the keyboard and monitor. (Note that some computers may not operate correctly without an attached keyboard.)
1.2.2. The AMC
Mitel Networks has developed a suite of integrated network services - ServiceLink - that extend and enhance the functionality of the 6000 MAS. ServiceLink maximizes the security, performance and reliability of the server through real-time interaction with the Mitel Networks Applications Management Center (AMC). Note that until the server is registered for ServiceLink, the links to ServiceLink pages in the Server Manager will take you to panels that are not active.
Note
If your server is behind an additional firewall, that firewall will need to be configured to allow outbound SSH packets on TCP port 22 in order for the server to communicate with the AMC.
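One way to write that rule on an upstream Linux firewall running iptables, as an added example that is not part of the Mitel guide. It assumes the firewall filters in its FORWARD chain; the function names are hypothetical and both addresses are constructed documentation addresses, not real server or AMC addresses.

```shell
#!/bin/sh
# Added example: egress rules for an upstream iptables firewall in front of
# a 6000 MAS. Assumptions (not from the guide): filtering happens in the
# FORWARD chain, and the default addresses at the bottom are constructed
# RFC 5737 documentation addresses.

# By default the commands are only printed for review. Run with
# IPT=iptables (as root, on the firewall) to apply them.
IPT="${IPT:-echo iptables}"

# valid_ipv4 ADDR -> status 0 if ADDR is a dotted quad with octets 0-255.
# Rejecting anything else keeps stray shell text out of the rule lines.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.|"") return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# amc_egress_rules SERVER_IP AMC_IP
# Emits (or applies) three rules: allow the server's outbound SSH to the
# AMC, allow only reply packets back, and log any other outbound SSH
# connection attempt made by the server.
amc_egress_rules() {
    server=$1; amc=$2
    valid_ipv4 "$server" || { echo "bad server address: $server" >&2; return 2; }
    valid_ipv4 "$amc"    || { echo "bad AMC address: $amc" >&2; return 2; }

    # New and established connections from the server to the AMC, TCP 22.
    $IPT -A FORWARD -p tcp -s "$server" -d "$amc" --dport 22 \
         -m state --state NEW,ESTABLISHED -j ACCEPT
    # Replies only: the remote side cannot open a new connection inward.
    $IPT -A FORWARD -p tcp -s "$amc" -d "$server" --sport 22 \
         -m state --state ESTABLISHED -j ACCEPT
    # Any other new port-22 connection from the server is unexpected: log it.
    $IPT -A FORWARD -p tcp -s "$server" --dport 22 \
         -m state --state NEW -j LOG --log-prefix "MAS-ssh-other:"
}

# Constructed sample addresses; pass the real ones as arguments.
amc_egress_rules "${1:-192.0.2.10}" "${2:-198.51.100.20}"
```

Because the server initiates each synchronization, the second rule accepts only established traffic from the AMC side.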
1.3. About ServiceLink
ServiceLink is a set of network services built into the 6000 MAS. The services available include:
24x7 Monitoring and Alerts
Virus Protection
Guaranteed E-mail
DNS Services
IPSEC VPN Service
These services are centrally managed by the Mitel Networks Applications Management Center (AMC) [https://mitel-amc.com/].
An additional feature of the 6000 MAS is the ability to quickly and easily download software "blades" from the AMC. Blades can consist of updates to the server software, or entire applications that add new functionality to your network.
Note
Each time a server is registered with the AMC, contact information must be entered so that Mitel Networks can send notifications of software updates. However, it is good practice to periodically check the "Blades" panel of the Server Manager for new update blades.
The following sections give more detail.
1.3.1. ServiceLink Architecture
As soon as your 6000 MAS is registered for ServiceLink services, it begins to communicate with the AMC on a regular basis. It performs a "synchronization" once an hour, during which it will report its status to the AMC and may also receive updated information from the AMC.
The information sent by a newly registered 6000 MAS consists of a few vital support statistics collected from the server configuration database. When ServiceLink services are enabled, additional information may be sent to the AMC for use in reports accessible to the reseller who registered the server. All information is transmitted through a secure, encrypted channel using the ssh protocol. (See http://www.openssh.com/ for more information about ssh.)
1.3.2. 24x7 Monitoring and Alerts
This service provides round-the-clock monitoring of your server and Internet connection. By default, each server will synchronize with the AMC once each hour (the interval can be customized). Your reseller can configure the AMC to send a designated technical contact an alert via e-mail if the server fails to check in. This ensures that your reseller is notified in the event of an outage.
In addition, the AMC can provide monthly reports summarizing all ServiceLink activity. These reports include such details as network performance, e-mail delivery problems and viruses detected. This information can help you assess the reliability and quality of your Internet connection. It can also assist in analyzing the security of your network.
1.3.3. Virus Protection
Viruses and worms which propagate via e-mail are becoming increasingly common. The most popular way of detecting these viruses is to use virus-scanning software. However, in order to be effective, virus-scanning software must be updated regularly with information on existing viruses. One of the most common reasons for failure in virus software is that the user has not downloaded and installed the latest virus pattern files. The virus protection service provided by the 6000 MAS eliminates this problem.
This service provides automatic setup and configuration of virus-scanning services on the 6000 MAS. When the virus scanning service is enabled, the virus-scanning software will be enabled on the server and the latest virus pattern files will be downloaded from the AMC on an ongoing basis. The service is entirely automated.
Warning
The number of users for whom virus protection is provided is limited by your 6000 MAS subscription. You will not be able to configure the server for more than the supported number of users. If you do attempt to add additional users beyond the number included in your subscription, you will receive a warning message. The service can, however, be upgraded to support a higher number of users. Contact your Mitel Networks authorized reseller for more information on upgrades.
Any e-mail delivered to the 6000 MAS will be examined against the latest virus patterns. If a virus is discovered within a message (body or attachment), the message is quarantined in a special area. The administrator can then examine the message and determine what to do with it.
You also have the option of scanning all files found in user directories or information bays on a nightly basis. When an infected file is found, an e-mail message is sent to the administrator of the system.
1.3.4. Guaranteed E-mail
One of the risks of running a mail server on the Internet is that network difficulties may result in undelivered e-mail. When this occurs, people who attempt to send e-mail to you will receive a message indicating that delivery failed, and they will not be able to contact you until network connectivity is restored. The Guaranteed E-mail service is Mitel Networks Corporation's answer to this problem.
If for any reason a subscribed 6000 MAS is unable to receive e-mail, the AMC will automatically step in and collect mail on behalf of that server. Mail received by the AMC is securely cached until connectivity is restored, at which point the server will initiate a sync connection to the AMC. The AMC will then automatically download the queued mail to your 6000 MAS. The entire transaction is transparent to end-users.
In addition to storing the e-mail and forwarding it at the earliest opportunity, the AMC provides notification and reporting. This allows you to identify potential server or network outages.
1.3.5. DNS Services
Most businesses using the 6000 MAS will want to register a domain name reflecting their business, and will need a DNS host to make this domain name accessible to the world.
The ServiceLink DNS Service automates this process, allowing you to publish domain name records for your server via the AMC.
Note
The Security Plus and E-mail Plus subscription packages include support for two domains, one set as the primary domain and another as a virtual domain. These domains must be in .com, .org or .net. Other top-level domains and support for more than two domains are possible for an additional charge.
Each 6000 MAS is also entitled to a name within the e-smith.net domain, e.g. "mycompany.e-smith.net". This is provided as a convenience for customers who do not have - or do not intend to register - another domain. Regardless of whether you have registered a domain, you will always have the option of using your service domain as a way to access your server from the Internet, e.g. "www.mycompany.e-smith.net".
The service domain feature can be found on the DNS Services panel of the Server Manager. If the service domain you request is not available, you will be notified through the interface and will be invited to choose a different domain. Changes you make will be uploaded to the AMC during the server's next synchronization.
1.3.6. IPSEC VPN Service
You can securely link together 6000 MAS servers in different physical locations to make one seamless Virtual Private Network (VPN). Information sent via this network is encrypted to prevent eavesdropping by others on the Internet.
The 6000 MAS uses the industry standard IPSEC protocol to encrypt network traffic between sites. This system uses an encryption technique called "public key cryptography". This requires each server to know the "public key" for other servers on the network. It then uses that public key to encrypt data intended for that server. A "private key" on the receiving server is used to decrypt the data.
One of the traditional difficulties in setting up a VPN is securely exchanging the keys required to set up the VPN, as each server must have the keys for all the other participating servers. With the 6000 MAS this process of configuration is automated by the AMC.
When you create a VPN, you designate one 6000 MAS as the "primary", together with one or more "secondary" servers. The primary server is the one whose user accounts will be accessible via the VPN, while secondary servers will act as gateways for the users on their local networks.
1.3.7. Software Blades
Blades allow you to easily install software modules via the Server Manager. Once your 6000 MAS has been registered, your server will be regularly updated with a list of available blades, which can then be installed by clicking on the desired items in the Server Manager.
Note
Blades are developed and made available by Mitel Networks Corporation, Mitel Networks Authorized Resellers or by third-party developers.
The following is a list of blades currently available for downloading. Note that your ability to "see" and download these blades depends upon the specific terms of your 6000 MAS subscription.
Web Access Control
The Web Access Control Service allows you to filter the web sites available to users by blocking selected categories of sites. Potentially objectionable sites are grouped into categories, such as pornography, gambling, or hacking sites. This "blacklist" of blocked web sites is updated regularly by the AMC. The service can block entire domains or specific URLs. Certain IP addresses (for example, the system administrator's workstation) can be excluded from the filtering rules.
Groupware Blade
This browser-based application allows calendar sharing and collaboration, including the ability to schedule meetings between users, and maintain and share contact lists and to-do lists. This application does not integrate with Microsoft Exchange Server but will provide similar functionality for an office that cannot afford the cost and complexity of Exchange.
Instant Messaging Blade
The Instant Messaging (IM) Blade allows instantaneous electronic conversations through the 6000 MAS as a more secure alternative to publicly available services such as MSN, AIM and Yahoo. Conference rooms (group chat) and a user directory are also provided. The IM service works across a ServiceLink IPSEC VPN, allowing your organization to have its own secure IM infrastructure. As well, the solution allows IM users on the server to communicate with IM users on certain other services, including MSN and Yahoo.
IP Phone Support Blade
This blade configures the 6000 MAS to support Mitel Networks IP telephones, in conjunction with a Mitel Networks Integrated Communications Platform.
Fax Server Blade
This application allows users to send faxes, with the use of an external fax modem.
System Information Blade
This feature allows system administrators to view information about the 6000 MAS such as disk usage, CPU usage, etc.
Free/Busy Scheduling Blade
The Free/Busy Scheduling blade integrates with Outlook 2000 (also known as Outlook 9.0) and Outlook 98 to provide two services: users may publish their busy times to the 6000 MAS, and users may see another user's busy times from within Outlook.
1.4. What's New
1.4.1. Features
The 6000 MAS release 5.6 provides many small enhancements, and in particular the following new features:
Upgrade to Linux 2.4 kernel - The base SME software has been upgraded to the Linux 2.4 kernel. This upgrade enhances the reliability of the server and provides support for a broader range of server hardware.
Enhanced firewalling - With the upgrade to the Linux 2.4 kernel, the previous ipchains-based firewall rules have been converted to iptables. This results in an even tighter firewall, using stateful packet inspection.
Changes to ordering process - The 6000 MAS is a subscription-based product that is managed via the AMC. With this release, changes have been made to the subscription ordering and activation process in order to simplify delivery of the product.
1.5. Software Licensing Terms and Conditions
The 6000 MAS is licensed for an individual server under the terms of the End User License Agreement found on the CD. Acceptance of this agreement and identification of the end-user accepting is required during the software installation.
If you have acquired the 6000 MAS by means other than purchasing a Mitel Networks commercial offering through an authorized reseller, it is unsupported. For further information and available options, please contact an authorized reseller. To locate an authorized reseller near you, please visit http://www.mitel.com/.
Chapter 2. The Server Console
2.1. Using the Server Console
Basic configuration of the 6000 MAS is performed using the server console. The server console can be accessed using a keyboard and monitor directly connected to the server, or remotely using the ssh protocol. Please contact your reseller for details.
If the server console mode has been set to "auto", the opening screen of the server console will appear:
If the server console mode is set to "login", you will see a login prompt. You must then log in using the user name "admin" and the system password.
The server console provides you with basic, direct access to your server. From the server console you can get the following information and perform the following tasks:
Option 1: Provides you with uptime information about your 6000 MAS.
Option 2: Allows you to view and modify the configuration information entered during the original installation (ethernet cards, IP address information, DHCP, DNS, domain names, etc.).
Option 3: Provides you with a summary of the configuration parameters entered into your server.
Option 4: Allows you to test your Internet access by sending a small test packet of information to a server on the Internet (located at Mitel Networks Corporation).
Option 5: Allows you to smoothly reboot or shut down your server.
Option 6: Provides access to the web-based Server Manager using a text-based browser. This is the same interface to which you can connect from another system using a normal web browser. This option merely allows you to perform these functions directly from the server console.
Option 7: Displays the licensing terms governing the distribution and use of 6000 MAS software and information on how to contact Mitel Networks for support.
2.1.1. Using the Text-based Browser
For Option 6, Access Server Manager with text-mode browser, the server uses a text-based browser called lynx to allow you to access the web-based Server Manager from the server console. Navigation is primarily with the arrow keys - up and down to move through the page, right arrow to follow a link, left arrow to go back. Lynx has a wide range of other commands which you can learn about through the online help available at http://www.lynx.browser.org/. Note that for security reasons some regular features of lynx are disabled when you are browsing from the server console (such as the ability to specify an external URL). Type 'q' (for 'quit') to exit the text-based browser.
2.1.2. Accessing the Linux Root Prompt
If you are an expert user and would like to do advanced modifications to the configuration of your server, you can access the Linux operating system underlying the 6000 MAS software by logging in as the user "root". If your server is displaying the server console and not a login prompt, you can press Alt-F2 to switch to another screen with a login prompt. To switch back, press Alt-F1. You should always ensure that you log out from the root account when you are finished and before you switch back to the server console.
Warning
Please be aware that making changes and customizations to your server from the Linux command prompt may invalidate your support agreement. Please contact your Mitel Networks Authorized Reseller before making any such customizations.
The password for the "root" user is whatever password is currently set for the administrator of the server. Note that this is the same password as that used by the "admin" user account.
Be aware that this ability to switch between the server console and a login prompt is only available when you have physical access to the server. If you connect in remotely as the "admin" user and see the server console, you will not be able to switch to a login prompt in that window. (You can, however, open up another remote connection to your server and login as the "root" user.) Note that remote administrative access is disabled by default and must be specifically enabled through the Remote Access panel of the Server Manager.
2.2. On-going Administration Using the Server Manager
The Server Manager is a simple web-based control panel that allows you to administer your network. Using the Server Manager, you perform such tasks as adding or deleting e-mail addresses, setting the system date and time, and creating a starter web page. The Server Manager is accessed through a web browser by visiting the URL http://www.yourdomain.xxx/server-manager or more simply http://www/server-manager. We recommend you bookmark this address so that you can return to it when desired.
Note
For security reasons, you are only able to access the Server Manager through a web browser on the local network. Remote access is only possible using remote access tools such as ssh and PPTP.
When you arrive at the correct URL, you'll be asked to enter your user name (which is always "admin") and the password you created during the installation process. Enter that information and click "OK" to be taken to the Server Manager. It will look like the screen shown above.
Chapter 3. Configuration
3.1. Set Date and Time
Accessing the Date and Time panel within the Server Manager allows you to set the system date and time either manually or using a network time server. Pull-down menus for month and time zone ensure accurate entry. The Server Manager will reset the time automatically during daylight savings time. Time zones are available worldwide, with multiple selections for countries that have multiple time zones (including standard time zones, states/provinces and even cities). This ensures that regional variations in time zones and daylight savings time are accurately reflected.
Instead of setting the time manually, you can use a network time server. A time server is a device on the Internet that keeps accurate time and is able to communicate the time to other computers over the Internet using the Network Time Protocol (NTP). Many organizations around the world provide Internet time servers for free.
Warning
After you start using a network time server, you should NOT set the time or date manually. If you do so, the network time synchronization will no longer function.
This screen in the Server Manager allows you to configure your server to connect regularly to a time server and synchronize the clock on the server with the time provided by the time server. To do this, simply check the box for "Enable NTP Service", add the domain name or IP address of the time server in the space provided and click "Save NTP Settings". Using a time server is optional but doing so can greatly increase the accuracy of your system.
For more information about using a network time server, visit http://www.ntp.org/. You can also find a list of publicly available time servers at http://www.eecis.udel.edu/~mills/ntp/servers.htm. You should always use a secondary time server (also called a stratum 2 server) to lighten the load on the primary time servers.
3.2. Configuring Your Desktop Operating System
The dialog box where you configure your desktop differs from operating system to operating system and version to version. As an example, in Microsoft Windows 95 or 98, client configuration occurs in the "Properties" dialog box associated with the TCP/IP protocol for your ethernet adapter. To get there, go to the "Control Panel" and select "Network". If a TCP/IP protocol is not yet associated with your ethernet adapter, you may need to add one before you can configure its properties with the following information.
Item | Description | What to enter
enable TCP/IP protocol | All your computers must communicate on the network using the TCP/IP protocol. | In Windows you add a TCP/IP protocol. In Apple, open TCP/IP Control Panel.
disable non-TCP/IP protocols | Unless an application relies on a non-TCP/IP protocol, disable all other protocols. | Turn "off" other networking protocols (e.g. NetBeui, etc.)
enable DHCP service | See section below | In Windows, enable "Obtain an IP address service automatically". In Apple, select "DHCP server".
Note
We strongly recommend that you configure all client machines using DHCP rather than manually using static IP addresses. Should you ever need to change network settings or troubleshoot your network later, you will find it much easier to work in an environment where addresses are automatically assigned.
On a Windows 95/98 system, the window will look like the image below:
3.2.1. Automatic DHCP Service
Your server provides a DHCP server that assigns each of the computers on your network an IP address, subnet mask, gateway IP address and DNS IP address(es).
Note
In some rare cases, you may want to use a static IP address for a particular client machine. The typical approach is to manually enter this IP address into the network properties of the specific machine. The negative side of this approach is that you cannot easily change or alter network settings without having to go in and modify the information on the client machine. However, it is possible to provide this static IP address directly through DHCP rather than manually configuring the client computer. To do so, you will first need to determine the Ethernet address of the client computer (usually through the network properties). Next you will go to the Hostnames and addresses web panel of the Server Manager and enter the information there.
Only One DHCP Server
It is imperative that no other DHCP server is on your network. If a former DHCP server configured your computers, you should remove that DHCP server from your network. Leave DHCP enabled, and reboot each computer. New IP addresses, netmasks, gateway IP addresses and DNS addresses will be assigned automatically by the 6000 Managed Application Server (MAS) DHCP server.
3.2.2. Manual Entry For Computers Not Using DHCP Service
As noted above, we strongly recommend that you perform all your client configuration using DHCP. It is even possible to assign a static IP address through the Hostnames and addresses web panel of the Server Manager that will be distributed through your DHCP server.
However, if your computers do not support DHCP, you must manually enter the following information into your TCP/IP properties:
Item | Description | What to enter
IP address | Manually enter this information (see paragraph below). | You must assign a different, unique IP address to computers not accepting DHCP (see note below).
subnet mask (or netmask) | Manually enter this number. | The default subnet mask (or netmask) is "255.255.255.0".
gateway IP address | Enter the IP address for the server or, in the case of server-only mode, enter the IP address for your network's gateway (e.g. the firewall or network router). | If you are running in server and gateway mode, your server is your local network's gateway. Enter its IP address here: the default is "192.168.1.1". If you are running in server-only mode, enter the IP address for the device interfacing with your external network.
IP addresses of your domain name servers | Manually enter this information. | Normally you would just add the IP address for your server - the default used in the server console is "192.168.1.1". If you have a firewall other than your server that restricts internal queries to Internet DNS servers, you may need to enter additional DNS servers here.
It is critical that every computer on your network has a unique IP address and that you don't assign two computers the same address. In enabling DHCP service in the server console, you designated a range of IP addresses for DHCP assignment. You also allocated a block of IP addresses for manual assignment. If you accepted the defaults preconfigured into the server console, IP addresses 192.168.1.2 through 192.168.1.64 will have been set aside for manual entry. To avoid duplication, use only those IP addresses when manually assigning IP addresses to your computers.
After configuring the TCP/IP parameters, you may need to reboot your desktop computer to implement the configuration changes. (For example, most Windows systems need to be rebooted after the TCP/IP configuration has been changed.) Once the settings take effect, your computer will be connected to the server and to the Internet.
3.2.3. MS Windows Workgroup Configuration
If you are using a Microsoft operating system, you must ensure that your workgroup is the same as the workgroup name of your server. (The default workgroup name is your domain name. In a subsequent chapter, we'll explain how this can be changed using the web-based Server Manager.) If you are using the default name, go to the Control Panel, select "Network" and then select "Identification". In the field for "Workgroup", type your domain name.
3.3. Workgroup
If you are using a computer on a local network and you wish to access the server via Windows file sharing, it is important that you are logged onto the same workgroup as your 6000 MAS. This screen allows you to enter the name of the Windows workgroup the server should appear in. If you wish you can change the workgroup name to correspond with an existing workgroup. Macintosh users need only enter a Server Name or accept the defaults.
The Server Name is the name by which the server will be known on the Windows clients, and should be left at its default unless there are very good reasons to change it. In order that you may later connect multiple locations using IPSEC VPNs, we suggest that you ensure a different name is used for each server.
3.3.1. 6000 MAS as Domain Controller
On the 6000 MAS panel shown in the preceding section, you can specify whether the server should be the domain master for your Windows workgroup. Most sites should choose "Yes" unless you are adding a server to an existing network which already has a domain master.
Note
Once you join the domain, you do not need to create local accounts on each Windows NT/2000 box. When you first log in after joining the domain you will need to manually select the Domain of the 6000 MAS rather than the default (which is to log in locally on the NT machine). You can also join when you install the client's system.
If you do configure your system to be the domain master, a special Windows share called NETLOGON is created with a DOS batch file called netlogon.bat. This batch file is executed by Windows clients that have been configured to "Logon to domain". The netlogon.bat file we provide by default does very little, but advanced users can, if they wish, modify this script to set environment variables for their clients or provide automatic drive mappings.
As the NETLOGON share is only writable by the "admin" user, you modify the netlogon.bat script by logging on to a Windows system as "admin", connecting to the share and then modifying the script using a Windows text editor. Be aware that the NETLOGON share will not be visible in Network Neighborhood or other similar tools. As the "admin" user, you will need to connect to the share or map a drive to it, by using the specific path:
\\servername\NETLOGON\
The sample file contains a few examples of setting the system time for each machine and also of mapping a common drive for all Windows clients.
The sections below define the steps that must be executed on various Windows versions to join domains.
3.3.1.1. Windows 9x
To join a Windows 9x machine to the domain, follow these steps:
1. Navigate to the Network section of the Control Panel (Start->Settings->Control Panel->Network).
2. Select the Configuration tab.
3. Highlight "Client for Microsoft Networks", and then click "Properties".
4. Check "Log onto Windows NT Domain", and enter the domain name in the text field.
5. Click all the "OK" buttons and reboot.
3.3.1.2. Windows NT 4
To join a Windows NT 4 machine to the domain, follow these steps:
1. Navigate to the Network section of the Control Panel (Start->Settings->Control Panel->Network).
2. Select the Identification tab.
3. Click "Change" and then enter the computer name and the domain name. Click "Create a Computer Account in this Domain", enter "admin" as the user name and then enter its password.
4. Click "OK".
5. After a short pause (0-10 seconds), you should be greeted by a "Welcome to DOMAIN" message and asked to reboot.
6. Log in on a domain account.
3.3.1.3. Windows 2000
To join a Windows 2000 machine to the domain, follow these steps:
1. Navigate to the Network section of the Control Panel (Start->Settings->Control Panel->Network and Dial-up Connections).
2. Click "Network Identification".
3. Click "Properties", enter your computer name and domain name, and then click "OK".
4. You will be prompted for a user account with rights to join a machine to the domain. Use "admin" as the user name, and enter the password.
5. After a short pause (10-30 seconds), you should be greeted by a "Welcome to DOMAIN" message and asked to reboot.
6. Log in on a domain account.
3.3.1.4. Windows XP Professional Edition
To join a Windows XP machine to the domain, follow these steps:
1. Navigate to the Network section of the Control Panel (Start->Settings->Control Panel).
2. Click "Network and Internet Connections".
3. Click "Network Connections".
4. Select "Advanced" -> "Network Identification".
5. On the Computer Name tab, click "Change".
6. Select "Domain" and then enter your domain name.
7. Enter "admin" and the password.
3.4. Remote Access
If you're an advanced user, the 6000 MAS provides several ways to access the underlying operating system, either from a computer on your internal network or from a computer outside your site on the Internet. Additionally, you have the ability to access your computer network securely from a remote computer. All of these operations are configured from the screen shown below in the Server Manager.
Each of these remote access methods is described below.
3.4.1. Remote Access Using ssh
If you need to connect directly to your server and login from a remote system belonging to you, we strongly encourage you to use ssh instead of telnet. In addition to UNIX and Linux systems, ssh client software is now also available for Windows and Macintosh systems. (See the section below.)
If you do not have any reason to allow remote access, we suggest you set this to No access.
ssh (secure shell)
ssh (secure shell) provides a secure, encrypted way to login to a remote machine across a network or to copy files from a local machine to a server. Many people do not realize that many programs such as telnet and ftp transmit your password in plain, unencrypted text across your network or the Internet. ssh and its companion program scp provide a secure way to login or copy files. The ssh protocol was originally invented by SSH Communications Security which sells commercial ssh servers, clients, and other related products. The protocol itself has two versions - SSH1 and SSH2 - both of which are supported by most clients and servers today. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.
OpenSSH, included with the 6000 MAS, is a version of the ssh tools and protocol. The server provides the ssh client programs as well as an ssh server daemon and supports both the SSH1 and SSH2 protocols. For more information about OpenSSH, visit http://www.openssh.com/.
Once ssh is enabled, you should be able to connect to your server simply by launching the ssh client on your remote system and ensuring that it is pointed to the external domain name or IP address for your server. In the default configuration, you should next be prompted for your user name. After you enter admin and your administrative password, you will be in the server console. From here you can change the server configuration, access the Server Manager through a text browser or perform other server console tasks.
If you do enable ssh access, you have two additional configuration options:
Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system, but in most cases we recommend setting this to No.
Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server.
Note
By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to login to the server itself.
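The two ssh options described above can also be verified on the server side. The Python sketch below is an added example, not part of the Mitel guide or the 6000 MAS software; it assumes the panel choices correspond to the stock OpenSSH directives PermitRootLogin and PasswordAuthentication, and its sample configuration is constructed.

```python
# Added example: audit the global section of an sshd_config for the two
# choices the Remote Access panel describes.
# Assumption: the panel options map to these stock OpenSSH directives;
# the guide itself does not name them.
WATCHED = {
    "permitrootlogin": "administrative command line access over ssh",
    "passwordauthentication": "ssh using standard passwords",
}

# Constructed sample, not taken from a 6000 MAS.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
PermitRootLogin yes
# keywords are case-insensitive
passwordauthentication yes
# the line below is ignored: sshd keeps the first value it obtains
PermitRootLogin no
"""


def effective_settings(text):
    """Return {keyword: value} for watched keywords (first value wins)."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted forms.
        fields = line.replace("=", " ", 1).split()
        if not fields:
            continue
        keyword, args = fields[0].lower(), fields[1:]
        if keyword == "match":
            break  # conditional blocks are out of scope for this audit
        if keyword in WATCHED and args and keyword not in seen:
            seen[keyword] = args[0]
    return seen


def audit(text):
    """Return one finding per watched option that is not explicitly 'no'."""
    settings = effective_settings(text)
    findings = []
    for keyword, panel_option in WATCHED.items():
        value = settings.get(keyword)
        if value is None:
            findings.append(
                f"{keyword}: not set, server default applies ({panel_option})")
        elif value != "no":
            findings.append(
                f"{keyword} {value}: {panel_option} is not disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

An empty result means both options are explicitly switched off in the global section; any finding is a prompt to confirm that the setting is intended.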
3.4.1.1. ssh clients for Windows and Macintosh systems
A number of different free software programs provide ssh clients for use in a Windows or Macintosh environment. Several are extensions of existing telnet programs that include ssh functionality. Two different lists of known clients can be found online at http://www.openssh.com/windows.html and http://www.freessh.org/.
A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.
3.4.2. Remote Access Using SSL
It is also possible to specify individual remote hosts or entire subnets from which access is permitted. At the bottom of this Remote Access screen, entries can be added to a table that lists those subnets that have been given access. Simply provide the network IP address and the appropriate subnet mask to grant this additional access.
You can now connect to the server manager using the regular URL of https://www.mydomain.xxx/server-manager. You will be prompted for the admin user name and password.
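Each row of the access table is a network IP address plus a subnet mask, so a wrong mask can silently grant far more access than intended. The Python sketch below is an added example, not part of the guide or the 6000 MAS software; the entries are constructed from documentation address ranges, the 256-address review threshold is an assumption, and how the server itself treats malformed rows is not stated in the guide.

```python
import ipaddress

# Constructed entries in the form the table asks for:
# (network IP address, subnet mask).
SAMPLE_ENTRIES = [
    ("203.0.113.25", "255.255.255.255"),  # single remote host
    ("198.51.100.0", "255.255.255.0"),    # one 256-address subnet
    ("198.51.100.77", "255.255.255.0"),   # host bits set, not a network address
    ("192.0.2.0", "255.0.255.0"),         # non-contiguous mask
    ("0.0.0.0", "0.0.0.0"),               # matches every IPv4 address
]

MAX_ADDRESSES = 256  # assumed review threshold, not a product limit


def review_entry(address, mask):
    """Return (network or None, list of problems) for one table entry."""
    try:
        # strict=True rejects an address that has bits set outside the mask.
        net = ipaddress.IPv4Network(f"{address}/{mask}", strict=True)
    except ValueError as exc:
        return None, [str(exc)]
    problems = []
    if net.num_addresses > MAX_ADDRESSES:
        problems.append(f"grants access to {net.num_addresses} addresses")
    return net, problems


def audit(entries):
    """Return {(address, mask): problems} for entries that need attention."""
    report = {}
    for address, mask in entries:
        _, problems = review_entry(address, mask)
        if problems:
            report[(address, mask)] = problems
    return report


def is_allowed(client_ip, entries):
    """True if client_ip falls inside any well-formed entry."""
    client = ipaddress.IPv4Address(client_ip)
    for address, mask in entries:
        net, _ = review_entry(address, mask)
        if net is not None and client in net:
            return True
    return False


if __name__ == "__main__":
    for entry, problems in audit(SAMPLE_ENTRIES).items():
        print(entry, "->", "; ".join(problems))
```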
3.5. Directory
Your 6000 MAS provides an easy mechanism for creating a company directory. Each time you create or delete an e-mail account, your directory is automatically updated.
In this section of the Server Manager, you specify the default directory information for new accounts - the user's department, company, street address, city and phone number. Each time you create an e-mail account, the fields will contain the information entered here as the default. If you wish, you can modify the default information for each user.
At any time, you can change the default information and choose whether to apply this new information to all new users or to all existing users as well. The field to do this is located near the bottom of the screen. Choosing "update with new defaults" is a convenient one-click method of revising your directory when, for example, your company has moved to a new address.
3.5.1. Configuring Your Company's Directory on Clients