- Antiviral
  o Do not ignore this step! Virus threats are a very real, very common and serious problem.
  o You must have reliable, up-to-date AV software installed with current signature files. Run a complete scan.
  o Suggest that this should be done on a weekly basis.
- Malware/Spyware
  o Do not ignore this step! Lately, Spyware and other malicious code are a significant cause of many computer problems.
  o Install reliable, up-to-date anti-Spyware/Malware software (such as Spybot and Ad-Aware; WinXP users should try MS AntiSpyware) with current signature files. Run a complete scan.
  o Suggest that this should be done on a weekly/monthly basis, depending on how often the user surfs the web.
- Anti-popup software
  o Anti-popup software prevents the UPHS webmail web page (https://secure.uphs.upenn.edu/webmail/) and the “Instant Virtual Extranet” website (https://extranet.uphs.upenn.edu/) from working properly. Add these URLs to the Anti-popup software’s “exception/permitted” lists.
  o Anti-Popup features were added to IE with WinXP SP2. See notes on WinXP SP2 below.
  o Add the “Instant Virtual Extranet” website and the UPHS webmail website to the “exception list” of the WinXP SP2 Internet Explorer web browser:
    § Launch IE web browser
    § Select: Tools > “Pop-up Blocker Settings …”
    § In the “Address of web site to allow:” field, enter:
      · https://extranet.uphs.upenn.edu/
    § Click “Add”
    § In the “Address of web site to allow:” field, enter:
      · https://secure.uphs.upenn.edu/webmail/
    § Click “Add”
    § Click “Close”
- OS Patch level
  o Do not ignore this step! If a computer does not have all the up-to-date patches, it is vulnerable to serious viruses like Sasser and other seriously harmful code.
  o Sasser and its variants can infect your computer within moments of connecting to the Internet. These viruses will seriously inhibit your ability to connect to any network and use your computer.
  o Apply the MS Sasser patches (MS04-011.exe). Then hit www.windowsupdate.com and apply all the “Critical Updates and Service Packs”. Reboot and keep returning to that site until the “Critical Updates and Service Packs” number is zero.
  o Suggest that this should be done on a monthly basis.
- Update Client Software
  o Do not ignore this step!
    § Old Fiberlink v2.07 dialers will not operate after 01-Nov-2004
    § New VPN client operates better on Win2k and WinXP
  o Now that the computer is “clean”, go to the Remote Access website (http://www.uphs.upenn.edu/network/remote/), then download and install the latest Fiberlink dialer (if using Fiberlink dialup) and the latest VPN client software.
- [Customer Service only step] Verify user account
  o [for VPN thick client users] In “User Manager for Domains”, check to see if the UPHS\ NT Domain account is a member of a “Remote Access - DeptName” group.
  o If not in a Remote Access group, check for an old Radius account as described in Primus FCG1291.
  o You can validate these account/passwords yourself on the “Instant Virtual Extranet” website (https://extranet.uphs.upenn.edu/). You may want to use a separate PC or a “MS Virtual PC” session. Otherwise the new VPN tunnel may close the VPN tunnel that supports the HelpDesk telephony software.
- Test account
  o We have created a special VPN test user account. This username/password information can be given out to the users by the Customer Service Center. For security and switch stability reasons, the account will not be published on the website.
    § Username: [please call the UPHS CSC at 215-662-7474]
    § Password: [please call the UPHS CSC at 215-662-7474]
  o This account can be used to validate that the VPN switch is up and running at any time.
  o The CSC and the end users can try this account from their side. It will log them in, they will see a test banner page, and then it will automatically log them out in about 20-30 seconds. This account has been locked down so it has no capabilities on the internal network. All it does is test to see if your home setup can get in or not.
  o If the account does not work for the home/remote user, then they have a problem with their home computer or home network, and need to resolve the issue from their side (see below).
- Remote Firewalls
  o The remaining issues are typically home/remote business site firewall/router issues. Remote users will need to verify that “IPSec” traffic can pass through in both directions on their hardware & software firewall solutions. They may need to consult their product documentation or product support for assistance.
  o Open UDP Port 500 (NAT-Detection). Allow traffic to flow in both directions.
  o Transport Protocol (TCP) ID 50 (ESP) and ID 51 (AH) should be allowed.
  o The above traffic should be allowed to flow in both directions to the UPHS VPN switch “vpn.uphs.upenn.edu” 165.123.243.30.
  o Windows XP Service Pack 2 (released Aug 2004) has added firewall functionality to Windows XP. It is activated by default. Users who have enabled “Automatic Updates” will now have a software firewall and may not even be aware of it.
  o If you haven’t already done so, I’d suggest hitting http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx and becoming familiar with WinXP SP2 and its new firewall product. It will be significant.
  o Short, minimal WinXP SP2 answers:
    § If a computer is already running another quality software firewall that is working well, Microsoft does not recommend running two of them. Disable the MS firewall in this case.
    § Add the VPN client software to the “exceptions” list.
      · Start > Control Panel > Network and Internet Connections > Network Connections
      · “Change Windows Firewall Settings” [over on left side] > “Exceptions” tab > “Add Program” > select “Contivity VPN client” > OK.
      · Other network based programs may need to be added in this same fashion in order for them to operate properly.
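
An added example, not part of the original checklist: a small Python check that a firewall's allow rules cover the flows listed under Remote Firewalls above, in both directions, to the VPN switch at 165.123.243.30. The rule format (dictionaries with `dir`, `proto`, `port`, `remote`) and the default-deny model are assumptions made for illustration; ESP and AH are matched by IP protocol number (50 and 51), so a rule written for TCP port 50 or 51 does not pass them.

```python
from ipaddress import ip_address, ip_network

VPN_SWITCH = ip_address("165.123.243.30")  # vpn.uphs.upenn.edu, from the page

# Required flows: (label, IP protocol number, UDP port or None).
# ESP and AH are IP protocols, not TCP/UDP services, so they have no port.
REQUIRED = [("UDP 500", 17, 500), ("ESP", 50, None), ("AH", 51, None)]
DIRECTIONS = ("in", "out")


def rule_matches(rule, direction, proto, port):
    """True if one allow rule covers this flow to or from the VPN switch."""
    if rule["dir"] not in (direction, "both"):
        return False
    if rule["proto"] not in (proto, "any"):
        return False
    if VPN_SWITCH not in ip_network(rule["remote"]):
        return False
    # A rule with no "port" key matches every port; ESP/AH ignore ports.
    return port is None or rule.get("port", port) == port


def missing_flows(rules):
    """Return the required (label, direction) pairs that no rule allows."""
    return [
        (label, direction)
        for label, proto, port in REQUIRED
        for direction in DIRECTIONS
        if not any(rule_matches(r, direction, proto, port) for r in rules)
    ]


# Constructed sample: a home router whose owner opened "port 50" and "port 51"
# as TCP ports (protocol 6) instead of allowing IP protocols 50 and 51.
BROKEN_RULES = [
    {"dir": "both", "proto": 17, "port": 500, "remote": "165.123.243.30/32"},
    {"dir": "out", "proto": 50, "remote": "0.0.0.0/0"},
    {"dir": "both", "proto": 6, "port": 50, "remote": "165.123.243.30/32"},
    {"dir": "both", "proto": 6, "port": 51, "remote": "165.123.243.30/32"},
]

# Constructed sample: the same router with the three flows allowed both ways.
FIXED_RULES = [
    {"dir": "both", "proto": p, "remote": "165.123.243.30/32"} for p in (17, 50, 51)
]
FIXED_RULES[0]["port"] = 500

if __name__ == "__main__":
    print("broken:", missing_flows(BROKEN_RULES))
    print("fixed: ", missing_flows(FIXED_RULES))
```
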