AT&T Administration Server Queries
Overview
AT&T incorporates value-added service management features into all of its networking services. AT&T uses its proprietary AT&T Administration Server as the engine for its network service management. The AT&T Administration Server engine is implemented globally and controls user authorization and optional authentication. It is also used by all VPN Gateway customers to control the auto-configuration of each VPN Gateway. Having all configurations in a global, centralized management engine provides many benefits:
- Only AT&T support personnel or a Customer Account Administrator can perform changes.
- End users do not have access to their AT&T Administration Server accounts, which keeps control only in the hands of educated technical personnel.
- Changes are provisioned in only one location and can be propagated on the next logon, at a designated time interval, when the VPN Gateway is restarted, when the active IP address changes, or when requested by the user through the web interface.
- Customer IT personnel do not need to confirm manual changes with hundreds of end users.
VPN Gateway Device Profile
The VPN Gateway is designed to work out of the box in many instances. Any parameters that can be remotely configured are done so through the AT&T Administration Server interface, in coordination with you, the Customer Account Administrator, before the VPN Gateway is shipped to the remote location.
If the VPN Gateway is being deployed in a DHCP environment, all of the VPN Gateway settings can be configured in the AT&T Administration Server and the only customer interaction would be to connect the LAN and WAN cables. The VPN Gateway can retrieve all of its configuration information from the AT&T Administration Server.
In the case where the WAN interface is PPPoE, Static IP, or if the user has a Dial primary connection, user intervention is required to set up the WAN connection through the web interface. Once the Internet connection has been configured and established, the VPN Gateway will be able to retrieve its configuration information.
- Local LAN and VLAN IP address and subnet information
- DHCP Server or DHCP relay information associated with the local LAN or VLAN
- Tunnel profiles which can include the credentials needed to establish the VPN tunnel for primary and secondary tunnel server lists
- Multiple tunnel information
- Configuration for cellular connectivity, primary or backup
- DNS, WINS, domain name, and suffix search lists associated to a VPN tunnel
- The local time zone and whether or not daylight saving time should be used
- Controls on the user’s ability to save user tunnel credentials
- Class of Service profiles and rules
- Network Address Translation (NAT) types
- Routing controls for RIP or VRRP
- WAN and LAN Interface speed overrides
- Cascaded networks and alias interface definitions
- Loopback interface definitions
- An optional custom software location and optional software upgrades, including at what frequency they should be checked for
- Whether the optional VPN Gateway Administrator Device Password is being used
- Support password for remote web and dial access into the VPN Gateway
- Tunnel initiation modes for WAN and Dial backup connections
- Proactive Alerting information that includes which conditions should be monitored and the thresholds that trigger the alerts
- Firewall policy information
- IP Address for various servers: the AT&T Administration Server, Focus, NetPoll Listener, and Upgrade servers
- Time of day windows for controlling certain functions such as dial connectivity and alerting
- Problem Determination information which includes items such as the DSL circuit information and on-site contact information
- Customizable web interface customer assistance information that can include the phone number, e-mail address, web page, and customer messages
Current VPN Gateway Settings
When the VPN Gateway queries the AT&T Administration Server it sends a number of items in the request. The items contain information about the current state of the VPN Gateway. If the VPN Gateway is behind a NAT device, the VPN Gateway will send the transport IP address to the AT&T Administration Server in the query request. The transport IP address is the address the NAT device uses when it sends traffic from the VPN Gateway to the Internet. While support will not be able to reach the VPN Gateway behind the NAT device, knowing the transport IP address is helpful for problem determination.
Automated Queries
The VPN Gateway queries the AT&T Administration Server when it is powered on and then in subsequent 24-hour intervals. Queries are also performed during the tunnel establishment process for Remote Office and Customer Direct connections. These login queries pull down most of the VPN Gateway configuration; however critical values that may cause a reboot if changed are only retrieved by full queries performed every 24 hours. Barring connectivity problems, an individual VPN Gateway should pick up any changes made by an Account Administrator within 24 hours.
If the VPN Gateway cannot for any reason retrieve the Device Profile from the AT&T Administration Server, the VPN Gateway will attempt to query the AT&T Administration Server on one-hour intervals until the query is successful. The VPN Gateway will continue to use the information returned in the last successful query. The VPN Gateway can operate for 7 days without obtaining a successful response. After that, the box is marked as inactive until a successful query takes place.
After 7 days of hourly retries without obtaining a successful response, the VPN Gateway will stop issuing device queries until the VPN Gateway is rebooted. After reboot, one attempt will be made to retrieve the configuration. If that fails, it will not try again until after another reboot. This prevents unnecessary queries to the AT&T Administration Server from devices that have been discontinued but not unplugged from the Internet.
The VPN Gateway can be configured to automatically switch to an inactive state upon receiving a Profile Not Found error from the AT&T Administration Server in response to a Device Profile request. The Profile Not Found error must be received to force immediate inactivation. If the Device Profile request fails for another reasons (ex: the AT&T Administration Server was unreachable) the existing logic which requires 7 days of failed attempts prior to setting the device as inactive persists. Once inactive, the VPN Gateway automatically terminates any active tunnels and prevents all traffic from routing through the device.
Manual Queries
The user has the ability to initiate a Device Query through the VPN Gateway web interface using the VPN Gateway Profile Update option on the System menu. This avoids requiring a reboot or waiting 24 hours to pick up configuration changes. The web page will warn the user that if critical values (language, time zone, etc.) have changed in their profile that the tunnel and/or dial connection will be dropped and the VPN Gateway will reboot. The user-initiated query can only be performed every 5 minutes. If the user tries to initiate the query too frequently an error message will be displayed. If for some reason the user-initiated query fails, this limitation does not apply; the user does not have to wait 5 minutes before retrying.