Difference between revisions of "Offsite Access"

From CELS IT Wiki
Jump to: navigation, search
 
Line 1: Line 1:
Secure Access Policy (includes SSH and VPN info)
+
__TOC__
 
 
  1. What is the policy?
 
  2. What does that mean to me? (Updated 06/01/2004)
 
  3. How do I log in?
 
  4. How do I transfer files?
 
  5. Where do I get SSH software for my computer?
 
  6. What is Port Forwarding and how do I set it up? (includes info for using X windows)
 
  7. How can I check my email when I'm not on the MCS network?
 
  8. Is there any more information about SSH?
 
  9. How will this policy be enforced?
 
 
 
Dialup
 
 
 
  1. How can I dial in over the phone?
 
 
 
Cable Modem/DSL
 
 
 
Many of our users are switching to cable modems, as they are inexpensive (around $50/month) and faster (around 400kbps) than ISDN.  Below are tips you'll use.  Call your local cable company for cablemodem availability.  For DSL, check out DSL Reports.
 
 
 
  1. What do I need to do to be able to interact with the MCS Windows domain?
 
  2. What do I do if I want to use more than one computer?
 
  
 +
'''Note''': Work in progress
 
 
  
^ Back to Questions ^
+
=Secure Access Policy (includes SSH and VPN info)=
 
+
==What is the Secure Access policy?==
 
What is the Secure Access policy?
 
  
 
External network connections to MCS resources shall not use clear text reusable passwords for authentication.  Additionally, SSH connections without VPN tunneling will not use reusable passwords for authentication.
 
External network connections to MCS resources shall not use clear text reusable passwords for authentication.  Additionally, SSH connections without VPN tunneling will not use reusable passwords for authentication.
 
 
 
+
==What does that mean to me?==
^ Back to Questions ^
 
 
 
 
What does that mean to me?
 
  
 
It means that if you're using a network to access MCS resources from outside Argonne Building 221 or MCS office space in Argonne Building 203, you must use some mechanism to hide your password from being "sniffed" or otherwise captured in transit to the MCS network, especially without your knowledge.
 
It means that if you're using a network to access MCS resources from outside Argonne Building 221 or MCS office space in Argonne Building 203, you must use some mechanism to hide your password from being "sniffed" or otherwise captured in transit to the MCS network, especially without your knowledge.
  
Note: As of April 26, 2003, machines in MCS are, by default, disallowing any password-based authentication on connections initiated from outside the MCS firewall.  The list of machines to which you can SSH directly is:  
+
Note: As of April 26, 2003, machines in MCS are, by default, disallowing any password-based authentication on connections initiated from outside the MCS firewall including wireless.  The list of machines to which you can SSH directly is:  
  
General Login
+
*General Login
 
+
**terra.mcs.anl.gov
terra.mcs.anl.gov
+
**shakey.mcs.anl.gov
shakey.mcs.anl.gov
+
**harley.mcs.anl.gov
harley.mcs.anl.gov
+
::(The above can all be accessed as "login.mcs.anl.gov")
 
 
(The above can all be accessed as "login.mcs.anl.gov")
 
 
 
DSL-only
 
 
 
wiggum.mcs.anl.gov
 
 
 
Chiba City
 
 
 
chiba.mcs.anl.gov
 
 
 
 
These machines require SSH keys for login.  See the SSH Key FAQ for details.  If you use the VPN, you can SSH direct to any machine you can use onsite, using your password as authentication.
 
 
  
^ Back to Questions ^
+
*DSL-only
 +
**wiggum.mcs.anl.gov
  
+
These machines require SSH keys for login.  See the SSH Key FAQ for details.  If you use the VPN, you can SSH direct to any machine (except those listed above) you can use onsite, using your password as authentication.
How do I log in?
+
==How do I log in?==
  
 
The MCS Systems Group has installed the Secure Shell (SSH) server on all UNIX systems that it maintains.  You can use this protocol from anywhere on the Internet to connect to the above listed MCS computing resources, provided you are set up for SSH key-based login.  If the host to which you need to connect is not in that list, you can either SSH from one of the hosts above, or you can use the MCS VPN client first.
 
The MCS Systems Group has installed the Secure Shell (SSH) server on all UNIX systems that it maintains.  You can use this protocol from anywhere on the Internet to connect to the above listed MCS computing resources, provided you are set up for SSH key-based login.  If the host to which you need to connect is not in that list, you can either SSH from one of the hosts above, or you can use the MCS VPN client first.
Line 70: Line 31:
 
Other protocols may also be available, depending on circumstance.
 
Other protocols may also be available, depending on circumstance.
 
 
 
+
==How do I transfer files?==
^ Back to Questions ^
 
 
 
 
How do I transfer files?
 
  
 
You're probably asking this question because you're used to using the old Internet protocol FTP.  There are several ways to work around the fact that this protocol uses reusable clear text passwords:
 
You're probably asking this question because you're used to using the old Internet protocol FTP.  There are several ways to work around the fact that this protocol uses reusable clear text passwords:
  
    * Our best recommendation is to use the file transfer protocol that comes with SSH called scp.  This guarantees that you're using full-strength encryption for both the authentication and the file transfer itselfA windows version can be found here.
+
* Use SCP or SFTP to transfer files over SSH.   
    * You can initiate an FTP transfer on the MCS side to any remote site. The policy allows outgoing network connections from MCS to use any protocol you may wish, including traditional FTP.  That might mean, for example, that you log into MCS using SSH, but then FTP back to the remote site you're at.
+
**[http://winscp.net/eng/index.php Windows client]
    * You can use the anonymous FTP server directory ftp://ftp.mcs.anl.gov/incoming as a place to put and get files.  This directory can be accessed at /home/ftp/incoming on all MCS UNIX systems.
+
**[http://www.apple.com/downloads/macosx/internet_utilities/fugu.html Mac OS X GUI client].  Mac OS X has ssh, scp and sftp built in.
    * You can use port forwarding to tunnel the authentication of FTP through an encrypted SSH link.  See the question "How do I set up port forwarding?" for more information.
+
**linux and unix machines typically have ssh, scp and sftp installed by default.
    * You can use the Windows VPN, and ftp will work as you expect it to normally.
+
* You can use the Windows VPN, and ftp via unixhome.mcs.anl.gov.
  
 
FTP is pretty much disabled on hosts inside the firewall.  The host "unixhome" accepts FTP connections so make sure that's the only host with which you try to use FTP.
 
FTP is pretty much disabled on hosts inside the firewall.  The host "unixhome" accepts FTP connections so make sure that's the only host with which you try to use FTP.
 
 
  
^ Back to Questions ^
+
==Where do I get SSH software for my computer?==
 
 
 
Where do I get SSH software for my computer?
 
  
 
This depends on what kind of computer you are using and whether you are an employee of Argonne's MCS Division.
 
This depends on what kind of computer you are using and whether you are an employee of Argonne's MCS Division.
  
For UNIX, you can download the source code for SSH from the InternetWe require SSH Protocol Version 2.
+
Most unix and linux machines have SSH and its associated utilities installed by default.  If you're running your own unix/linux machine, you should know how to get these packages.
 
 
If a search of sites for SSH is unproductive, you can try to get ssh is also via anonymous ftp from the following sites:
 
 
 
    Australia:
 
    ftp://coombs.anu.edu.au/pub/security/tools
 
    Chile:
 
    ftp://ftp.inf.utfsm.cl/pub/security/ssh
 
    Finland:
 
    ftp://ftp.funet.fi/pub/unix/security/login/ssh
 
    Germany:
 
    ftp://ftp.cert.dfn.de/pub/tools/net/ssh
 
    Hungary:
 
    ftp://ftp.kfki.hu/pub/packages/security/ssh
 
    Ireland:
 
    ftp://odyssey.ucc.ie/pub/ssh
 
    Poland:
 
    ftp://ftp.agh.edu.pl/pub/security/ssh
 
    Portugal:
 
    ftp://ftp.ci.uminho.pt/pub/security/ssh
 
    Russia:
 
    ftp://ftp.kiae.su/unix/crypto
 
    Slovenia:
 
    ftp://ftp.arnes.si/security/ssh
 
    United Kingdom:
 
    ftp://ftp.exweb.com/pub/security/ssh
 
    United States:
 
    ftp://ftp.net.ohio-state.edu/pub/security/ssh
 
    United States:
 
    ftp://ftp.gw.com/pub/unix/ssh
 
 
 
If you are an MCS employee using Windows, you can use the MCS site licensed SecureCRT program from VanDyke.  See the MCS Windows software web page for more information about how to install and use SecureCRT.
 
 
 
If you are not an MCS employee, or are using some other operating system, please see  http://www.employees.org/~satch/ssh/faq/ssh-faq-3.html which has been partially reproduced here.  Please read the licensing information carefully; there may be patent issues that restrict your right to use free versions.
 
Win32 (Windows9x, Windows NT, Windows 2000)
 
 
 
    * raju: ftp://ftp.franken.de/pub/win32/develop/gnuwin32/cygwin32/porters/Mathur_Raju
 
    * cigaly: http://www.doc.ic.ac.uk/~ci2/ssh/
 
    * f-secure: http://www.datafellows.com/products/cryptography/ 
 
    * secure crt: http://www.vandyke.com/products/SecureCRT/
 
    * ttssh: http://www.zip.com.au/~roca/ttssh.html
 
    * therapy: http://guardian.htu.tuwien.ac.at/therapy/ssh/
 
    * chaffee: http://bmrc.berkeley.edu/people/chaffee/winntutil.html
 
    * sergey okhapkin: http://miracle.geol.msu.ru/sos/ or http://www.lexa.ru/sos/
 
    * putty: http://www.chiark.greenend.org.uk/~sgtatham/putty.html
 
    * fissh: http://www.massconfusion.com/ssh/
 
 
 
beos
 
 
 
    * http://www.be.com/beware/Network/ssh.html
 
 
 
Windows CE
 
 
 
    * mov: http://www.movsoftware.com/sshce.htm
 
 
 
Java
 
 
 
    * java-applet: http://www.cl.cam.ac.uk/~fapp2/software/java-ssh/
 
    * mindterm: client: http://www.mindbright.se/mindterm
 
    * mindtunnel: server: http://www.mindbright.se/mindtunnel.html
 
 
 
OS/2
 
 
 
    * ftp://hobbes.nmsu.edu/pub/os2/apps/internet/telnet/client/sshos203.zip
 
 
 
Macintosh
 
  
    * niftytelnet+ssh: http://www.lysator.liu.se/~jonasw/freeware.html
+
Mac OS X machines include SSH and its associated utilities by default.
    * f-secure: http://www.datafellows.com/f-secure/
 
  
+
Windows clients: [http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY], [http://www.cygwin.com/ cygwin], [http://www.google.com/search?q=free+windows+SSH+clients others]
  
^ Back to Questions ^
+
==What is port forwarding, and how do I set it up?==
 
 
 
What is port forwarding, and how do I set it up?
 
  
 
Port forwarding is a technique where an insecure protocol (like FTP, X, POP3) is tunneled through a secure protocol (like SSH).  This is a good way to continue to use your familiar protocols in a secure way.
 
Port forwarding is a technique where an insecure protocol (like FTP, X, POP3) is tunneled through a secure protocol (like SSH).  This is a good way to continue to use your familiar protocols in a secure way.
Using SSH Port Forwarding with FTP on UNIX
+
===Using SSH Port Forwarding with X on UNIX===
 
 
You will need to open two windows to do this, and you will need to pick a random number between 1025 and 65535.  Let's call that number NNNN.
 
 
 
In Window One, use this SSH command to establish a connection to the MCS machine unixhome.  Log in normally with ssh.
 
  
ssh -g -L NNNN:unixhome.mcs.anl.gov:21 unixhome.mcs.anl.gov
+
This is easy, just use ssh -Y <hostname> and your X display settings will be sent to the remote machine, and all X Windows will open on your own display.
 
 
Once you're logged in, move to Window Two and start FTP using this command line:
 
 
 
ftp my.machine.name NNNN (ftp localhost may not work properly, so use the real machine name.)
 
 
 
You should get the normal FTP login prompt of the MCS machine, at which time you can log in.  Since this is using an SSH encrypted tunnel you are meeting the policy requirement to protect your password from sniffing along the way.
 
Using SSH Port Forwarding with FTP on Windows
 
 
 
See the Windows FAQ.
 
Using SSH Port Forwarding with X on UNIX
 
 
 
This is easy--you don' t have to do anything!  If it doesn't work, you can try "ssh -X" instead of just ssh.
 
  
 
If you have a $DISPLAY set properly, and use ssh to connect to another system, ssh will automatically set $DISPLAY on the remote end and set up everything for you.  All you have to do is start your favorite X application on the remote end.  Check to make sure you're not setting your $DISPLAY in any of your startup files.  Also, never use xhost +, especially in your startup files, as it's a big security hole.
 
If you have a $DISPLAY set properly, and use ssh to connect to another system, ssh will automatically set $DISPLAY on the remote end and set up everything for you.  All you have to do is start your favorite X application on the remote end.  Check to make sure you're not setting your $DISPLAY in any of your startup files.  Also, never use xhost +, especially in your startup files, as it's a big security hole.
Using SSH Port Forwarding with X on Microsoft Windows with SecureCRT
+
===Using SSH Port Forwarding with X on Microsoft Windows with SecureCRT===
  
 
See the X-Windows section in the Windows FAQ.
 
See the X-Windows section in the Windows FAQ.
 
 
 +
==How can I check my email when I'm not on the MCS network?==
  
^ Back to Questions ^
+
The officially supported method for getting your mail is to use SMTP and IMAP via SSL/TLS. You authenticate using your regular workstation/e-mail credentials.
 
 
 
How can I check my email when I'm not on the MCS network?
 
 
 
There are three methods, Secure Protocols, VPN and portforwarding.
 
 
 
Secure Protocols
 
 
 
We're now supporting SMTP, IMAP and POP via SSL/TLS. You authenticate using your regular unix credentials.
 
  
 
The relevant servers and ports are:
 
The relevant servers and ports are:
  
    * Secure POP: imap.mcs.anl.gov (port 995) (yes, the hostname doesn't make a lot of sense)
+
* Secure IMAP: imap.mcs.anl.gov (port 993) '''''recommended'''''
    * Secure IMAP: imap.mcs.anl.gov (port 993)
+
* Secure POP: imap.mcs.anl.gov (port 995) (yes, the hostname doesn't make a lot of sense)
    * SMTP: mailgw.mcs.anl.gov (port 25 or port 465) (You might have more luck with port 465)
+
* SMTP: mailgw.mcs.anl.gov (port 25 or port 465) (You might have more luck with port 465)
  
The certificates are self-signed. You can accept the certificate (if you view it you'll see it's really us). If your mail application won't seem to remember your preference for allowing a self-signed certificate, some tips are included in the instructions below.
+
The IMAP and POP certificate is self-signed. You can accept the certificate (if you view it you'll see it's really us). If your mail application won't seem to remember your preference for allowing a self-signed certificate, some tips are included in the instructions below.
  
 
Mailer specific instructions:
 
Mailer specific instructions:
  
Eudora:
+
'''Thunderbird''': ''to-do''
 +
 
 +
'''Eudora''':
  
  1. Click Tools, then Personalties.
+
#Click Tools, then Personalties.
  2. Right-click in the white area and choose "New"
+
#Right-click in the white area and choose "New"
  3. Click the Skip directly to advanced setup option and choose Finish:
+
#Click the Skip directly to advanced setup option and choose Finish:
  4. Fill in the required information. SMTP server is mailgw.mcs.anl.gov, check Authentication allows and Use relay personality.  Under Secure Sockets when Sending, choose "Required, Alternate Port".  Check the "Check Mail" box as well.
+
#Fill in the required information. SMTP server is mailgw.mcs.anl.gov, check Authentication allows and Use relay personality.  Under Secure Sockets when Sending, choose "Required, Alternate Port".  Check the "Check Mail" box as well.
  5. Select the Incoming Mail tab and fill in the required information.  Server is imap.mcs.anl.gov, regardless of if you're using POP or IMAP.  Under Secure Sockets when Receiving, choose "Required, Alternate Port in the SSL".  Choose OK.
+
#Select the Incoming Mail tab and fill in the required information.  Server is imap.mcs.anl.gov, regardless of if you're using POP or IMAP.  Under Secure Sockets when Receiving, choose "Required, Alternate Port in the SSL".  Choose OK.
  6. You may get an error. It's okay.
+
#*You may get an error. It's okay.
  7. We need to add the certificate, so right click the Personality you just created and choose Properties.
+
#We need to add the certificate, so right click the Personality you just created and choose Properties.
  8. Choose the Incoming Mail tab, and click the Last SSL Info button.
+
#Choose the Incoming Mail tab, and click the Last SSL Info button.
          * If you get an error, cancel from this menu and try to check your mail.  Then, after the error, return to step 7.
+
#*If you get an error, cancel from this menu and try to check your mail.  Then, after the error, return to step 6.
  9. Choose the Certificate Information Manager button.
+
#Choose the Certificate Information Manager button.
  10. Click Add to Trusted.
+
#Click Add to Trusted.
  11. Click Done, then OK, then OK, then click the Mailboxes tab in the lower left of the Eudora Window. If using IMAP, Right-click the personality you created, and choose Refresh Mailbox List.
+
#Click Done, then OK, then OK, then click the Mailboxes tab in the lower left of the Eudora Window. If using IMAP, Right-click the personality you created, and choose Refresh Mailbox List.
  12. For sending mail, repeat steps 7-11 but use the Generic Properties Tab in step 8, and try sending mail instead of checking it in the sub-step.
 
  
 
You're done!
 
You're done!
  
Outlook/Outlook Express: To make your mailer remember your certificates, point Internet Explorer (not any other browser)at https://imap.mcs.anl.gov:993 and choose to view the certificate. Click Install Certificate, then when asked where you'd like to place the certificate, choose "Place all certificates in the following store" and Browse to "Trusted Root Certificate Authority", then click Next, then Finish. It will ask to confirm (say yes), then you can click your way through with "OK". When back at the Security Alert window, choose no and close the browser.  Now do the same with https://mailgw.mcs.anl.gov:465 for the SMTP certificate.  Outlook now has the mail server's certificate.
+
'''Outlook/Outlook Express''':  
 
 
MacOS X Mail: Follow the directions here.
 
 
 
VPN or Portforwarding:  Windows users click here, Unix/Linux read below
 
 
 
The easiest way is to just ssh to an MCS host and run pine from there.
 
 
 
But if you really want to run it from your local machine, here's how.You need SSH installed to do this.  First of all, edit the inbox-path field of your .pinerc like so:
 
 
 
    inbox-path={localhost:2143}inbox
 
 
 
Now, before running pine, make sure you have a secure session with port forwarding enabled.  To do this, execute the following command:
 
 
 
    ssh terra -L 2143:imap.mcs.anl.gov:143
 
  
As long as this ssh session is open, all connects to local port 2143 will go to imap.mcs.anl.gov's port 143, which is the IMAP port. The change you made in pine above tells pine to use this new, forwarded local port, so when pine is started, you'll actually be talking to the mail server, and the entire session is secure.
+
To make your mailer remember your certificates, point Internet Explorer (not any other browser) at https://imap.mcs.anl.gov:993 and choose to view the certificate. Click Install Certificate, then when asked where you'd like to place the certificate, choose "Place all certificates in the following store" and Browse to "Trusted Root Certificate Authority", then click Next, then Finish. It will ask to confirm (say yes), then you can click your way through with "OK". When back at the Security Alert window, choose no and close the browser. Outlook now has the mail server's certificate.
 
  
^ Back to Questions ^
+
'''MacOS X Mail''':
  
+
Follow the directions here '''to-do'''.
Is there any more information about SSH?
 
 
 
Yes, there are several commercial providers of SSH and related products:
 
 
 
    * SSH Communications Security is the Finnish organization that developed and now markets various versions of SSH.  Their web site is full of good information.
 
    * Data Fellows sells a full range of SSH-based software products in the United States.
 
    * Van Dyke Technologies also sells SSH-based software products in the United States.  They are the authors of the SecureCRT program for which MCS has purchased a site license.
 
 
 
You should also look at the SSH FAQ at http://www.employees.org/~satch/ssh/faq/ for more information and additional legal analysis about free vs. licensed versions of SSH software.
 
 
 
 
^ Back to Questions ^
 
 
 
 
How will this policy be enforced?
 
 
 
After 9:00 AM CDT on Tuesday, 22 June 1999, we put a filter in the MCS network routing equipment to disallow incoming network connections using the well known TCP/IP ports for Telnet, FTP, and rlogin.  There will be some exceptions, such as for the anonymous FTP server.
 
 
 
As of January 3, 2003, another filter was put in place restricting access to the hosts listed above.
 
 
 
As of April 26th, 2004, the above hosts were changed to accept only host-based and public-key logins.
 
 
 
Everyone in MCS is intelligent, and we are confident that many MCS employees can figure out ways around this particular enforcement mechanism.  However, please be aware that doing this will not only increase your own exposure to risk but that of the division as a whole.  If this policy or its enforcement causes you a particular problem, please feel free to contact systems@mcs.anl.gov at any time to discuss how we can best work together to meet your needs.
 
 
  
 
^ Back to Questions ^
 
^ Back to Questions ^

Revision as of 21:26, 12 March 2007

Note: Work in progress


Secure Access Policy (includes SSH and VPN info)

What is the Secure Access policy?

External network connections to MCS resources shall not use clear text reusable passwords for authentication. Additionally, SSH connections without VPN tunneling will not use reusable passwords for authentication.

What does that mean to me?

It means that if you're using a network to access MCS resources from outside Argonne Building 221 or MCS office space in Argonne Building 203, you must use some mechanism to hide your password from being "sniffed" or otherwise captured in transit to the MCS network, especially without your knowledge.

Note: As of April 26, 2003, machines in MCS are, by default, disallowing any password-based authentication on connections initiated from outside the MCS firewall including wireless. The list of machines to which you can SSH directly is:

  • General Login
    • terra.mcs.anl.gov
    • shakey.mcs.anl.gov
    • harley.mcs.anl.gov
(The above can all be accessed as "login.mcs.anl.gov")
  • DSL-only
    • wiggum.mcs.anl.gov

These machines require SSH keys for login. See the SSH Key FAQ for details. If you use the VPN, you can SSH direct to any machine (except those listed above) you can use onsite, using your password as authentication.

How do I log in?

The MCS Systems Group has installed the Secure Shell (SSH) server on all UNIX systems that it maintains. You can use this protocol from anywhere on the Internet to connect to the above listed MCS computing resources, provided you are set up for SSH key-based login. If the host to which you need to connect is not in that list, you can either SSH from one of the hosts above, or you can use the MCS VPN client first.

Other protocols may also be available, depending on circumstance.

How do I transfer files?

You're probably asking this question because you're used to using the old Internet protocol FTP. There are several ways to work around the fact that this protocol uses reusable clear text passwords:

  • Use SCP or SFTP to transfer files over SSH.
  • You can use the Windows VPN, and ftp via unixhome.mcs.anl.gov.

FTP is pretty much disabled on hosts inside the firewall. The host "unixhome" accepts FTP connections so make sure that's the only host with which you try to use FTP.


Where do I get SSH software for my computer?

This depends on what kind of computer you are using and whether you are an employee of Argonne's MCS Division.

Most unix and linux machines have SSH and its associated utilities installed by default. If you're running your own unix/linux machine, you should know how to get these packages.

Mac OS X machines include SSH and its associated utilities by default.

Windows clients: PuTTY, cygwin, others

What is port forwarding, and how do I set it up?

Port forwarding is a technique where an insecure protocol (like FTP, X, POP3) is tunneled through a secure protocol (like SSH). This is a good way to continue to use your familiar protocols in a secure way.

Using SSH Port Forwarding with X on UNIX

This is easy, just use ssh -Y <hostname> and your X display settings will be sent to the remote machine, and all X Windows will open on your own display.

If you have a $DISPLAY set properly, and use ssh to connect to another system, ssh will automatically set $DISPLAY on the remote end and set up everything for you. All you have to do is start your favorite X application on the remote end. Check to make sure you're not setting your $DISPLAY in any of your startup files. Also, never use xhost +, especially in your startup files, as it's a big security hole.

Using SSH Port Forwarding with X on Microsoft Windows with SecureCRT

See the X-Windows section in the Windows FAQ.

How can I check my email when I'm not on the MCS network?

The officially supported method for getting your mail is to use SMTP and IMAP via SSL/TLS. You authenticate using your regular workstation/e-mail credentials.

The relevant servers and ports are:

  • Secure IMAP: imap.mcs.anl.gov (port 993) recommended
  • Secure POP: imap.mcs.anl.gov (port 995) (yes, the hostname doesn't make a lot of sense)
  • SMTP: mailgw.mcs.anl.gov (port 25 or port 465) (You might have more luck with port 465)

The IMAP and POP certificate is self-signed. You can accept the certificate (if you view it you'll see it's really us). If your mail application won't seem to remember your preference for allowing a self-signed certificate, some tips are included in the instructions below.

Mailer specific instructions:

Thunderbird: to-do

Eudora:

  1. Click Tools, then Personalties.
  2. Right-click in the white area and choose "New"
  3. Click the Skip directly to advanced setup option and choose Finish:
  4. Fill in the required information. SMTP server is mailgw.mcs.anl.gov, check Authentication allows and Use relay personality. Under Secure Sockets when Sending, choose "Required, Alternate Port". Check the "Check Mail" box as well.
  5. Select the Incoming Mail tab and fill in the required information. Server is imap.mcs.anl.gov, regardless of if you're using POP or IMAP. Under Secure Sockets when Receiving, choose "Required, Alternate Port in the SSL". Choose OK.
    • You may get an error. It's okay.
  6. We need to add the certificate, so right click the Personality you just created and choose Properties.
  7. Choose the Incoming Mail tab, and click the Last SSL Info button.
    • If you get an error, cancel from this menu and try to check your mail. Then, after the error, return to step 6.
  8. Choose the Certificate Information Manager button.
  9. Click Add to Trusted.
  10. Click Done, then OK, then OK, then click the Mailboxes tab in the lower left of the Eudora Window. If using IMAP, Right-click the personality you created, and choose Refresh Mailbox List.

You're done!

Outlook/Outlook Express:

To make your mailer remember your certificates, point Internet Explorer (not any other browser) at https://imap.mcs.anl.gov:993 and choose to view the certificate. Click Install Certificate, then when asked where you'd like to place the certificate, choose "Place all certificates in the following store" and Browse to "Trusted Root Certificate Authority", then click Next, then Finish. It will ask to confirm (say yes), then you can click your way through with "OK". When back at the Security Alert window, choose no and close the browser. Outlook now has the mail server's certificate.

MacOS X Mail:

Follow the directions here to-do.

^ Back to Questions ^


How can I dial in over the phone? If you want a PPP connection, you have a couple of choices. Please note that if you want to use anything other than Windows for your dialup networking, you are on your own.

   * You can sign up with ECT's  modem pool. This is painless, but you need a cost code.  This is also the type of account you'll need for toll-free dialup.  Your local access number can be found here.  The list of pertinent ECT info, including instructions, numbers, and the 800 number can be found here.
   * If you're running Windows, and don't want to pay for a dialup, try a free dialup provider, such as NetZero.


^ Back to Questions ^


What do I need to do to be able to interact with the MCS Windows domain?

Use the VPN.


^ Back to Questions ^


What do I do if I want to use more than one computer with my connection at home?

Send e-mail to systems@mcs.anl.gov to request a NAT box.