
APPX Router - Frequently Asked Questions

Q. What are the advantages of the APPX Router when compared to a pure LU6.2 link?
Q. What are the advantages of the APPX Router when compared to a pure TCP/IP link?
Q. Can an LU6.2 application be used on the client PC?
Q. I want to add a new CICS transaction to the Router. How do I do this?
Q. Is the Router datastream encrypted?
Q. What data transfer rate can I expect with the Router?
Q. How many simultaneous connections can the Router support?
Q. Why was the APPX Router written as an NT service?
Q. I need to log on to the APPX Server as a different user. Will the APPX Router be affected?
Q. What happens to in-progress transfer sessions when the Router is stopped?
Q. What happens to in-progress transfer sessions when a Listener is stopped?
Q. What happens to in-progress transfer sessions when the SNA Server is stopped?
Q. Can the Router be accessed through a firewall?
Q. Can the Router be accessed via a VPN (Virtual Private Network)?
Q. Can the Router be used with private internet (IP) addresses?
Q. Can the Router be used with a proxy server or SOCKS?
Q. Can the Router be safely placed outside the TCP/IP firewall?
Q. What encryption methods does the APPX Router support?
Q. I have different users, with different security requirements. Do I have to specify the same encryption and authentication requirements for all of them?
Q. Wow. That seems like a lot of stuff to specify for each user. Won't this take forever to set up?
Q. Can I control which mainframe transactions a user can get to?
Q. Does authentication require encryption?
Q. Do all users requesting the same transaction have to run the same host program?
Q. Where are users, passwords and other security requirements specified on the Router?
Q. I'd like to add encryption, but I have many existing users, and I can't migrate them all at once. How can I do this?
Q. What are the system requirements for encryption support?
Q. I have operations outside the United States and Canada, can I use the APPX Router encryption support?



Q. What are the advantages of the APPX Router when compared to a pure LU6.2 link?

A. A pure LU6.2 link requires all end-users to be running an LU6.2 application, which has implications for the kind of software and hardware you need on the client workstation. Router clients run TCP/IP applications, which may be much easier to configure, and have less stringent hardware and software requirements.

Further, when an end-user workstation needs to be added, you may discover that they already have Internet or Intranet access, which may provide a low cost data path to the host.



Q. What are the advantages of the APPX Router when compared to a pure TCP/IP link?

A. Your host system may not have TCP/IP connectivity, making that an unavailable alternative. As a matter of fact, TCP/IP only recently became available as part of the VSE operating system. While it has been available for MVS for some time, it may not be installed on the host system you want to access. Since the Router uses LU6.2 for connectivity with the host, VTAM is required, but not TCP/IP.

Using the Router also adds extra security, and offloads the TCP/IP processing from the mainframe.



Q. Can an LU6.2 application be used on the client PC?

A. No. Currently all client applications must be APPX applications that use one of cfSOFTWARE's TCP/IP drivers. If the end-user workstation has LU6.2, you may be able to connect to your host using one of cfSOFTWARE's LU6.2 drivers. Contact cfSOFTWARE for more information.



Q. I want to add a new CICS transaction to the Router. How do I do this?

A. You simply need to add a new Router Host Connection.



Q. Is the Router datastream encrypted?

A. v1.40 of the APPX Router supports encryption on PC-initiated sessions. Support includes encryption and authentication. Encryption requirements can be configured as needed. See APPX Router - Session Encryption for more information.



Q. What data transfer rate can I expect with the Router?

A. This is a difficult question to answer. A number of factors come into play, one of the most important of which is the physical connectivity to your host.

All layers of the APPX Router are designed to make optimal use of your available bandwidth. Naturally, the higher the throughput you achieve, the higher will be your requirements for resources such as VTAM buffers and CPU utilization.

In most environments, the capacity of the mainframe to accommodate LU6.2 sessions will be the determining factor; that capacity, in turn, is controlled by factors such as VTAM buffer allocations, pacing values, and the like.




Q. How many simultaneous connections can the Router support?

A. You may configure the Router to support virtually as many concurrent sessions as you like. The number of concurrent sessions actually achievable in practice is based on resource availability (CPU capacity, memory, communications bandwidth, etc.).



Q. Why was the APPX Router written as an NT service?

A. NT Services have a number of advantages over applications. Services can be autostarted when the system is booted, and they are not affected by user logon/logoff activity.



Q. I need to log on to the APPX Server as a different user. Will the APPX Router be affected?

A. No, as long as you do not boot the server. This is one of the reasons we chose to design the Router as an NT service. Remember, though, that only users who are members of the APPX Router Operators security group may use the Router Manager application.





Q. What happens to in-progress transfer sessions when the Router is stopped?

A. The Router will wait a small interval of time (about 60 seconds) to allow pending sessions to complete. After that, any unfinished sessions will be terminated. It is best to schedule the outage with end-users and other interested parties.



Q. What happens to in-progress transfer sessions when a Listener is stopped?

A. They will be unaffected by the change; they will be permitted to run to completion. The only effect of stopping a Listener is that incoming conversations will be rejected. It is a good practice to stop all Listeners and allow pending sessions to complete before stopping the Router.





Q. What happens to in-progress transfer sessions when the SNA Server is stopped?

A. They will be terminated immediately. Any time a session is stopped through operator intervention at the Server, data integrity issues come into play. Make sure you consult with end-user application analysts so you understand the consequences of manually terminating sessions.



Q. Can the Router be accessed through a firewall?

A. Yes, if the firewall and the Router are configured properly. The client application is configured to access the Router using a) its destination host name and b) the Listener port. The firewall must accept traffic to the Router from the client machine, and must also permit traffic to the client machine from the Router.

If such traffic is restricted by the firewall, either the firewall or the Router must be reconfigured as necessary.





Q. Can the Router be accessed via a VPN (Virtual Private Network)?

A. Yes. A VPN can be used to add encryption to an APPX Router connection, as well as additional authentication. In addition, the APPX Router natively supports encrypted and authenticated sessions.



Q. Can the Router be used with private internet (IP) addresses?

A. Yes, but some special considerations apply. Some networks are set up to use private IP addresses (usually 10.x.x.x, 172.16.x.x through 172.31.x.x, or 192.168.x.x), as opposed to "real" registered internet addresses. If the APPX Router and the client workstation are in the same private network, then no special considerations apply. If the client is in a separate private network, then its IP address will generally be translated to a registered (or public) address by a firewall, and the APPX Router will see that address as the source address. This affects which addresses need to be defined in the Addresses section of a listener definition. In some unusual configurations, the address of the client may be translated twice (by two firewalls). In any case, the listener definition must use the addresses as finally seen by the Router.



Q. Can the Router be used with a proxy server or SOCKS?

A. No. This functionality is planned for a future release. See also the next question.



Q. Can the Router be safely placed outside the TCP/IP firewall?

A. Yes, if certain precautions are taken. Warning: This should be done only by persons familiar with IP security issues.

The APPX Router can be placed on the "dirty" side of the firewall or in a DMZ, so long as certain precautions are taken.

General access to the Router machine must be prevented. This is most easily accomplished by setting up a packet filter on the IP router connecting to the internet (the "external" router). This packet filter should prevent any connections to the APPX Router except to TCP ports specifically assigned to APPX Router Listeners. Second, it is strongly recommended that IP Security be enabled in NT. This is done by checking the "Enable Security" checkbox on the "Advanced IP Addressing" panel, accessed via the Advanced button on the TCP/IP properties page. Once enabled, security should be set up to allow only the TCP ports required for listeners. No other IP access should be allowed without careful consideration; even basic services such as DNS should not be enabled unless absolutely required. Depending on your security requirements, setting up the NT IP security may be sufficient.

Other services, such as NetBIOS over TCP/IP (NBT) or other networking protocols, should not be installed. Only the DLC connection required for the host connection should be installed, preferably bound to a second network interface card (NIC). As few NT services as possible should run on this machine.

Ensure that all current NT security patches are installed, and that the documented procedures for "hardening" an NT installation are followed (strong passwords for all signons, no extraneous processes or user accounts, etc.).

In this configuration the NT machine running the APPX Router becomes part of your firewall system, and must be secured accordingly. Not doing so can introduce significant security vulnerabilities.

    NOTE: This machine has, by definition, access to your host system.

    NOTE: If the APPX Router is installed in a DMZ, rather than on the "dirty" side of the firewall, it may be possible to relax some of these constraints if the firewall provides an adequate amount of security for the DMZ.

Again, this type of configuration should only be undertaken by experienced IP security personnel, and in conjunction with your firewall administrator. If you are unsure of all of the security implications of this configuration, please contact cfSOFTWARE Technical Support for additional information.
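
One way to verify the rule above that only the TCP ports assigned to Listeners are reachable is to audit the Router machine's own socket table. The following is an added example, not cfSOFTWARE code; the listener ports 5001 and 5002 and the sample `netstat -an` output are constructed for illustration.

```python
import re

# Hypothetical TCP ports assigned to APPX Router Listeners (assumption).
LISTENER_PORTS = {5001, 5002}

# Constructed sample in the layout printed by "netstat -an" on Windows.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5001           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5002           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:5001        198.51.100.7:1042      ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    192.0.2.10:137         *:*
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def exposed_endpoints(netstat_text):
    """Return {(proto, port)} for sockets that accept traffic from the network."""
    found = set()
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header or unrelated line
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established sessions are not new exposure
        if addr.startswith("127."):
            continue  # loopback is not reachable from outside
        found.add((proto, int(port)))
    return found

def audit(netstat_text, listener_ports=LISTENER_PORTS):
    """Return (unexpected, missing): open endpoints that are not Listener
    ports, and Listener ports that are not actually listening."""
    exposed = exposed_endpoints(netstat_text)
    unexpected = sorted(e for e in exposed
                        if not (e[0] == "TCP" and e[1] in listener_ports))
    missing = sorted(p for p in listener_ports if ("TCP", p) not in exposed)
    return unexpected, missing

if __name__ == "__main__":
    unexpected, missing = audit(NETSTAT_SAMPLE)
    print("not a Listener port:", unexpected)
    print("Listener not running:", missing)
```

In the constructed sample the audit flags RPC (135), NBT (137, 139) and DNS (53), the kinds of services the answer above says should not be installed or enabled on this machine.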



Q. What encryption methods does the APPX Router support?

A. The Router currently supports the Blowfish encryption algorithm, with either 40 or 128 bit keys. Session keys are negotiated with the Diffie-Hellman algorithm, and sessions are authenticated via shared secrets and passwords.



Q. I have different users, with different security requirements. Do I have to specify the same encryption and authentication requirements for all of them?

A. No. Encryption and authentication requirements can be specified for the port on which the session is coming in, the IP address from where the session is originating, and for specific users. The router enforces the strictest specification that applies to a session.
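
The "strictest specification wins" rule can be modelled as a merge over every rule that applies to a session. The sketch below is an added example, not the Router's own code or configuration format; the `Requirement` type, the ports, networks and user ID are all hypothetical, and the key sizes are the 40 and 128 bit Blowfish options this FAQ mentions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    require_auth: bool = False
    min_key_bits: int = 0   # 0 = unencrypted allowed; otherwise 40 or 128

    def merge(self, other):
        # "Strictest wins": authentication if either asks for it, longest key.
        return Requirement(self.require_auth or other.require_auth,
                           max(self.min_key_bits, other.min_key_bits))

# Constructed sample policy; ports, networks and user IDs are hypothetical.
PORT_RULES = {5001: Requirement(False, 0),      # migration port, legacy clients
              5002: Requirement(True, 128)}
ADDRESS_RULES = [(ipaddress.ip_network("10.0.0.0/8"), Requirement(True, 0)),
                 (ipaddress.ip_network("203.0.113.0/24"), Requirement(True, 128))]
USER_RULES = {"payroll": Requirement(True, 128)}

def effective_requirement(port, source_ip, user=None):
    """Merge every rule that applies. source_ip is the address as seen by
    the Router, i.e. after any NAT translation by a firewall."""
    if port not in PORT_RULES:
        raise PermissionError(f"no listener defined on port {port}")
    req = PORT_RULES[port]
    addr = ipaddress.ip_address(source_ip)
    for network, rule in ADDRESS_RULES:
        if addr in network:
            req = req.merge(rule)
    if user in USER_RULES:
        req = req.merge(USER_RULES[user])
    return req

def session_allowed(req, authenticated, key_bits):
    """Check what the client actually negotiated against the requirement."""
    if req.require_auth and not authenticated:
        return False
    return key_bits >= req.min_key_bits

if __name__ == "__main__":
    for args in [(5001, "10.1.2.3"), (5001, "10.1.2.3", "payroll"),
                 (5001, "203.0.113.9"), (5001, "198.51.100.20")]:
        print(args, effective_requirement(*args))
```

In this model an address that matches no rule inherits only the port's requirement, so a permissive migration port should be paired with address rules for every network allowed to reach it.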



Q. Wow. That seems like a lot of stuff to specify for each user. Won't this take forever to set up?

A. No. While you can specify requirements for a particular user, it's much more common to define a few security profiles, and assign each user to a security profile.



Q. Can I control which mainframe transactions a user can get to?

A. Yes. First, only transactions that are specifically defined to the APPX Router are accessible. You can further restrict which transactions any incoming session can get to based on the port and source IP address. If the session is authenticated, transaction availability can be controlled by user ID as well.



Q. Does authentication require encryption?

A. No. Optionally, authentication without encryption may be allowed. This can be used to give access to internal users without the extra overhead of encryption.



Q. Do all users requesting the same transaction have to run the same host program?

A. No. Based on the security classes assigned to the port, source IP address and user ID (if the session is authenticated), different host transactions may be selected.



Q. Where are users, passwords and other security requirements specified on the Router?

A. The APPX Router can access a locally defined database, a database on a remote machine, or interface to a user-written DLL to provide encryption and authentication data.

The pcMAINFRAME PCID database on the mainframe can be used to supply encryption and authentication data to the APPX Router.



Q. I'd like to add encryption, but I have many existing users, and I can't migrate them all at once. How can I do this?

A. The APPX Router can be set up so that it uses encryption with clients that support it, and runs without encryption with older clients. Clients that can authenticate and encrypt can be given more access rights, if desired. Once all clients have migrated, the non-encrypted access can be disabled.



Q. What are the system requirements for encryption support?

A. The APPX Router v1.40 and current APPX/TCP device drivers for Across the Boards/Win32 are the only hard requirements for encryption support. Mainframe APPX v3.36 has enhancements to support the encryption and authentication functions and, while recommended, is not required.

pcMAINFRAME v5.50 has full support for encryption.



Q. I have operations outside the United States and Canada, can I use the APPX Router encryption support?

A. At this time, export of the encryption support is being handled on a case-by-case basis. Please contact cfSOFTWARE for more information.
