@TheOffice.Wherever! FAQ

I'm connected. Now what?

It often happens that people download, install and successfully configure @TheOffice without any problems and then, when they connect, nothing happens and they don’t know what to do.

The confusion probably comes in when people compare @TheOffice with Remote Desktop applications, such as GoToMyPC. When you establish a connection with a Remote Desktop application, it’s quite obvious what happens: you are presented with a screen that represents the desktop of the PC you are connecting to, and you can start working on that PC.

Well, nothing specific is supposed to happen when you connect with @TheOffice. It’s just like plugging your PC into your Office Network. You actually need to start using the network. Some things that you might want to try when connected:

  • Access your Email – If your email client is already configured to send and receive email from your Office’s mail server, you can do it now.
  • Access your Office File Server – You can access shares on your Windows Office Server or other people’s Windows PCs directly by clicking ‘Start->Run…’ and typing \\servername where you substitute ‘servername’ with the name of the server or PC whose shares you want to access.
  • Access Mapped Drives – You can now access any drives you have mapped to shares on your Office Network. If you haven’t got any mapped drives, now is a good time to do it.
  • Browse your Network Neighborhood – You can now see all the other Windows PCs in your Domain or Office Workgroup. You might need to join your PC to the Domain or Workgroup first!
  • Access your Intranet – If you’ve got some internal Web services running, e.g. a browser-based CRM system, you can fire up your browser and start to use it.
  • Connect to another PC’s desktop – Remote Desktop software such as Microsoft Terminal Services and VNC works very well with @TheOffice. Since your PC is now virtually in your Office Network, you won’t need any special firewall rules to make it work.
  • Synchronise your Calendar – If you are using some Calendar/Diary software such as Outlook that needs to stay in sync with the rest of your Office, you can now tell it to synchronize.
  • Telnet or SSH to another machine – You can now safely telnet or SSH to another machine without having to configure any other firewall rules.

What other interesting uses have you had for @TheOffice?

What do I need to use @TheOffice?

You need a PC in your office to run the Gateway Software and your office needs a permanent Internet connection. You also need to install the client software on all PCs that want to connect securely to your office; these too need Internet access. You can download both of these software packages from http://attheoffice.trispen.com, where you can also purchase licenses to use this software.

Why can I not refresh my activation keys?

Invalid activation keys entered – If invalid or expired activation keys are entered, the licensing server will reject them. Ensure that a valid key is entered.

The Gateway does not have Internet access – To refresh the activation keys and include new activation keys, the Gateway requires Internet access to the licensing server. The Gateway will attempt to use the Internet Explorer proxy settings, if they exist, of the user operating the Gateway user interface.

Why do I need to complete the Verification Matrix?

@TheOffice makes use of sophisticated cryptographic technology to ensure that no unauthorised user is allowed access to your office network. Internally, @TheOffice uses public key cryptography. Each user has a key-pair that consists of a private key (protected by your pass-phrase when stored on disk) and a public key. The public keys are presented to the gateway and verified when a user connects.
The Enrolment process sets up a trust relationship between you and your key-pair. To prove to the gateway that you are who you claim to be during enrolment, you have to present your UserID and password. With public key technology we can send this information securely to the gateway, but we have to guard against a rogue Gateway receiving your Windows User ID and password! To prevent this, the Verification Matrix is used. This is a number (digital fingerprint) of the Gateway Public Key that @TheOffice converts into twenty two character pairs. The Verification Matrix is not a secret; however, you must trust the source from which you obtained it. The best option is to receive it from your system administrator directly – this way you know it can be trusted.
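
The check that the Verification Matrix makes possible, as an added example that is not Trispen's code: the client fingerprints the public key the gateway presents and releases the Windows credentials only when that fingerprint matches the matrix obtained from the administrator. SHA-256, hex pairs, reading the page's count as 22 pairs, and the `send` callback are assumptions; the key bytes are constructed samples.

```python
import hashlib
import hmac

# Assumptions (not stated on the page): SHA-256 as the fingerprint hash,
# hex pairs as the display form, and 22 as the number of pairs.
PAIRS = 22

# Constructed sample data: byte strings standing in for encoded public keys.
REAL_GATEWAY_KEY = b"constructed-sample-gateway-public-key"
ROGUE_GATEWAY_KEY = b"constructed-sample-rogue-public-key"


def verification_matrix(gateway_public_key: bytes, pairs: int = PAIRS) -> str:
    """Render a fingerprint of the gateway public key as space-separated pairs."""
    digest = hashlib.sha256(gateway_public_key).hexdigest().upper()
    return " ".join(digest[i:i + 2] for i in range(0, pairs * 2, 2))


def _normalise(matrix: str) -> bytes:
    # Ignore spacing, line breaks and case so a retyped matrix still compares.
    return "".join(matrix.split()).upper().encode("ascii", "replace")


def matrix_matches(trusted_matrix: str, presented_key: bytes) -> bool:
    """True only if the key the gateway presented matches the trusted matrix."""
    expected = _normalise(trusted_matrix)
    actual = _normalise(verification_matrix(presented_key))
    return hmac.compare_digest(expected, actual)


def enrol(trusted_matrix, presented_key, user_id, password, send):
    """Release credentials via send() (hypothetical) only after verification."""
    if not matrix_matches(trusted_matrix, presented_key):
        return False  # possible rogue gateway: nothing is sent
    send(user_id, password)
    return True
```

The matrix itself can travel over any channel because it is not secret; what matters is that `trusted_matrix` came from the administrator and not from the gateway being verified.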

Why can't I enrol to the Gateway?

Domain controller – In order for your @TheOffice Gateway to be able to query the domain controller, the Gateway PC must be registered on the domain. It is also important to verify that the domain controller has the group “Pre-Windows 2000 compatible access”, and that either the user “Everyone” or the Gateway PC is a member of the group.

Incorrect Password used – The user ID and password must match that of the registered user in the domain group as specified in the gateway. Refer to the Advanced Configuration section above for more information.

User not in domain/group specified – All users that require access to the gateway must be included in the access group as specified during the gateway configuration. If you leave the “Group allowed to enrol” field blank, the gateway will use a default group. If the gateway resides in a domain, the default group is “Domain Users”, and if the gateway is not in a domain, the default group is “Users”. Note that the user “Administrator” is not by default part of the local “Users” group.

Office Network firewall issues – No access to the Gateway public address. This could be due to firewall configuration issues. Refer to the section in the @TheOffice Administrator’s Guide on setting up your firewall or get assistance from your firewall administrator. We also have some more details on configuring specific firewalls in the Firewall Configuration Examples section and an online “Gateway/Firewall Setup Test” (http://attheoffice.trispen.com/gw_test.htm).

Intermediate firewall setting issues – You might be connecting via a complex network. The gateway should take care of most complexities. However, if the network traffic required by the gateway is blocked somewhere along the way, contact the network administrator of the device filtering the traffic.

Specified IP-Address of Gateway incorrect – The IP address or DNS name of the gateway specified is incorrect and the client cannot connect to the gateway or the gateway is inaccessible from the public network.
NOTE: the IP address or DNS name specified must be accessible from the public network (the Internet). It is also used in the Welcome Memo, as described in the ‘Gateway Status’ section above, to inform the user of the client which gateway address to use.

Why can't I connect to the Gateway?

At each failed attempt to connect to the gateway, the user is presented with an error message stating which part of the process failed. The user must ensure that the correct profile and pass phrase are used when attempting to connect to a gateway. The profile is listed as [user ID]@[gateway address](domain). Several problem scenarios could occur and are described below.

The User has not enrolled – If the fields in the client connection windows are greyed out, the user has not enrolled to a gateway. The user is required to enrol from the client device from which a connection is required to be made. Remember the first enrolment to the gateway creates a new active user on the gateway and a subsequent enrolment requires that the user enrol using the original pass phrase. Refer to the Client ‘Enrolment’ section.
NOTE: A user can enrol from several PCs to the same gateway. The first enrol process creates a new profile on the gateway, and subsequent enrolments must use the same pass phrase as the first since they are actually using a copy of the initial profile.

I cannot find my profile – The user profile is created on completion of the enrolment process. If several users use a client PC then each user must enrol from that PC so that the user has a valid profile to use during the connection process.

I have a valid profile and cannot connect – A user that has previously enrolled and was able to connect to the gateway may have left another PC connected using his profile. The user may only have two connections to the gateway open at any one time. It is not recommended that users share profiles, as this will reduce the security value of the system. Another problem could be as simple as using the incorrect pass-phrase. You might also, in fact, have an invalid profile due to the fact that the gateway has been changed, for example the country changed. Refer to The Gateway Basic Configuration section in the @TheOffice Administrator’s Guide for more information. This issue is resolved by enrolling again.

Connection attempted on local subnet – Each PC is located on a network with a unique IP address and operates within a particular subnet, the local portion of the network. Any communication outside of this network is routed via a gateway to reach its destination. @TheOffice requires that the Client and Gateway are located in different subnets, and will warn the user if this is not the case. You therefore cannot use the Client while you are in the office subnet; you need to be outside of your local office network.

Firewall not set up correctly – You may have restrictive settings on your firewall blocking outgoing connections, or you may have a proxy type firewall. Proxy firewalls are not supported. If the enrol process was successful then it is unlikely that the firewall settings are at fault.

Insufficient IP addresses in the IP Pool – Each user is allocated an address from the IP pool as specified during the Basic Configuration of the gateway. If no address is available for the user the connection will be denied and an appropriate error message provided. The gateway administrator can look at the logs to determine how often this problem occurs and take corrective action i.e. increase the size of the IP pool.

Insufficient Licensed Users – For users to connect to the Gateway the administrator has to install Activation Keys that allow a certain number of subscribed users to connect. Once the limit is reached no additional connections will be allowed and the administrator will have to manage the active/inactive user list or install additional Activation Keys.

Why is my connection so slow?

On a logical level, once you are connected, you are virtually plugged into your office network. Your connection speed, however, will probably not be as fast as when you are physically connected to your office network. It will be limited by factors such as your local dialup or DSL speed, the speed of your ISP, your office’s leased line or DSL Internet connection and general network latency. The following tips will help alleviate slow connection speeds:

Avoid browsing using your Network Neighborhood – The Windows file sharing protocol is not very efficient over slow links. Rather map network drives to often-used shared folders and disable the ‘Reconnect at logon’ option.

Copy work files locally – When opening a Word document, for instance, a temporary hidden file is created in the same location. This temporary file is also used when you edit the Word document. A lot of bandwidth is consumed when Word creates and maintains this temporary file in a shared folder. First copying work files to your local hard disk and back when you are done will speed things up.

Use Windows Offline feature – Windows lets you use mapped drives offline, which allows you to work on shared files without being connected all the time. It automatically takes care of synchronisation. Consult your Windows documentation for details.

I can't Browse my Network Neighborhood or map any drives!

Think of the product as a virtual “cable” that plugs the client into the office LAN at the point where the Gateway plugs into the LAN. @TheOffice operates on the IP layer and does not get involved in any higher level layers (session, application, etc.) or protocols (MS-SMB, NETBIOS, SSL, etc.). Chances are that if you experience problems accessing a specific service over an @TheOffice connection, you will have the same problem if you take the same Client computer and plug it directly into the LAN on which your Gateway is situated (it must also have an IP from the Gateway’s Pool for this to be true). There are several reasons why you might not be able to access some services on your LAN, even though you are successfully connected to the Gateway:

Gateway not on the LAN you want to browse – It might be that you installed your Gateway on another LAN segment or in your DMZ. If your routing is not configured appropriately you might not be able to access the services you want. Also see the question on ‘Should I put my Gateway on my LAN or in my DMZ?’.

Firewall settings – A personal firewall on the Client, Gateway or Server you wish to access, such as Zone Alarm, might block the IP’s in your pool or certain services.

Windows Domain Access – Be sure you log in on the correct domain and that the specific user is privileged to access the services.

Should I put my Gateway on my LAN or in my DMZ?

This is always an issue with IPSec products, and to a large degree it depends on your security policy. The product can handle both, but we prefer that you install the gateway on your local network (LAN). Reasons are:

  • The gateway has an automatic proxy-ARP feature – thus, you don’t have to set up routes for the virtual IP pool if the IPs in the pool are on the same subnet as the gateway.
  • The gateway forwards broadcast packets from clients. This enables them to “browse” the Microsoft network (“My Network Places”).
  • The gateway must be able to access the domain controller (if you are using a domain).

All of the above can be done in the DMZ, but with extra firewall and router configuration.
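
A planning check for the addressing rules in this FAQ (pool inside the Gateway subnet for proxy-ARP, enough pool addresses, Client and Gateway in different subnets), as an added example that is not part of the product. The function name, finding codes and all addresses are constructed for illustration.

```python
import ipaddress


def check_plan(gateway_if, pool_first, pool_last, client_if, expected_connections):
    """Return {code: message} findings for a planned Gateway/Client layout."""
    gw = ipaddress.ip_interface(gateway_if)      # Gateway LAN address/prefix
    client = ipaddress.ip_interface(client_if)   # Client's local address/prefix
    first = ipaddress.ip_address(pool_first)
    last = ipaddress.ip_address(pool_last)
    if last < first:
        return {"POOL_REVERSED": "pool end is below pool start"}
    findings = {}
    # A subnet is one contiguous range, so checking both ends covers the pool.
    if first in gw.network and last in gw.network:
        findings["POOL_LOCAL"] = "pool is in the Gateway subnet; proxy-ARP applies"
    else:
        findings["POOL_NEEDS_ROUTES"] = "pool leaves the Gateway subnet; add routes"
    # General sanity check (not from the FAQ): never hand out the Gateway's own IP.
    if first <= gw.ip <= last:
        findings["POOL_HOLDS_GATEWAY"] = "pool range includes the Gateway address"
    # One pool address is allocated per connection.
    size = int(last) - int(first) + 1
    if size < expected_connections:
        findings["POOL_TOO_SMALL"] = f"{size} addresses for {expected_connections} connections"
    # The Client must sit in a different subnet from the Gateway.
    if client.network.overlaps(gw.network):
        findings["CLIENT_ON_OFFICE_SUBNET"] = "Client shares the Gateway subnet"
    return findings


# Constructed sample plans (addresses are illustrative only).
LAN_PLAN = check_plan("192.168.10.5/24", "192.168.10.200", "192.168.10.209",
                      "10.0.0.23/24", expected_connections=12)
DMZ_PLAN = check_plan("172.16.0.5/24", "192.168.10.200", "192.168.10.220",
                      "172.16.0.77/24", expected_connections=5)

if __name__ == "__main__":
    for name, plan in (("LAN", LAN_PLAN), ("DMZ", DMZ_PLAN)):
        for code, message in plan.items():
            print(f"{name}: {code}: {message}")
```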

What are the security risks when my Gateway is on my LAN?

Since @TheOffice.Wherever! only makes outgoing connections, you do not have to allow any explicit connection into your network. Although @TheOffice.Wherever! uses peer-to-peer connections, it only allows users to connect once they are properly authenticated. However, if you are concerned about allowing peer-to-peer connections into your network, you may restrict this type of connection to the Gateway PC only.

©Trispen Technologies 1999-2010