User's guide
AT&T Global Network Client for Windows Administrator’s Guide
© 2015 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or
AT&T affiliated companies. All other marks contained herein are the property of their respective owners. Images are shown for illustrative purposes only; individual
experience may vary. This document is not an offer, commitment, representation or warranty by AT&T and is subject to change.
Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
-92-
Encryption for IPSec VPN connections
Encryption can be configured in the AT&T administration server at the user account level or sub-account
level. If values are specified in the AT&T administration server, they override the AT&T Global
Network Client’s default proposal behavior. Multiple algorithms can be selected, but the highest
supported encryption level is always proposed first.
Co-existence with Microsoft IPSec
Microsoft IPSec can be used for corporate protection strategies like Domain Isolation, Server Isolation,
and IPSec based Network Access Protection (NAP) while VPN connected with the AT&T Global Network
Client. Microsoft IPSec traffic travels through an AT&T VPN tunnel. No configuration changes are
required when VPN tunneling with SSL-T services using the AT&T Global Network Client. If you are using
Version 9.3 or later, no configuration changes are required when using IPSec either, as the client now
defaults to ephemeral source ports.
For IPSec services, the Use Ephemeral IPSec Ports Login Properties preference must be enabled. When
enabled, the AT&T Global Network Client will NOT stop Microsoft’s IPSec service and will use ephemeral
source ports (1024+). This leaves Microsoft with sole ownership of IPSec source ports 500 and 4500.
This option is enabled by default. If the end user is having difficulty connecting, and you suspect the use
of ephemeral source ports may be causing the issue, you can disable this option. To disable it,
click Show the login properties window from the Settings panel on the main window, click the
Preferences tab, click Override Defaults, scroll down and deselect Use ephemeral source ports for IPSec
in the VPN Details section.
NAT Traversal
The AT&T Global Network Client IPSec implementation supports NAT traversal through UDP
encapsulation of IPSec traffic.
The NAT traversal implementation varies based on tunnel endpoint as listed below:
Cisco®⁷ and AT&T Branded Tunnel Endpoints
NAT devices are auto-detected through a series of hashes during IKE negotiations. The AT&T VPN
client uses UDP port 4500 as the source port and UDP port 4500 as the destination port in IKE
negotiations and ESP IPSec data flows.
This implementation is based on the following Internet draft:
http://www.ietf.org/internet-drafts/draft-ietf-ipsec-udp-encaps-02.tx
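How a tunnel endpoint uses the NAT-D hashes mentioned above to decide whether either side sits behind a NAT device and whether the IKE/ESP flow should move to UDP port 4500, as an added Python example (not AT&T's or Cisco's code). The payload format HASH(CKY-I | CKY-R | IP | Port) with SHA-1 is assumed from RFC 3947, which this page does not cite; the cookies and addresses are constructed.

```python
import hashlib
import ipaddress
import struct
from typing import List, NamedTuple, Tuple


class Endpoint(NamedTuple):
    ip: str
    port: int


def nat_d_hash(cky_i: bytes, cky_r: bytes, ep: Endpoint) -> bytes:
    # NAT-D value = HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed (RFC 3947 style)
    data = cky_i + cky_r + ipaddress.ip_address(ep.ip).packed + struct.pack("!H", ep.port)
    return hashlib.sha1(data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, my_addr: Endpoint, peer_addr: Endpoint) -> List[bytes]:
    # Sender's view: first the peer (destination) address, then its own (source) address
    return [nat_d_hash(cky_i, cky_r, peer_addr), nat_d_hash(cky_i, cky_r, my_addr)]


def detect_nat(cky_i: bytes, cky_r: bytes, my_addr: Endpoint, observed_peer: Endpoint,
               received: List[bytes]) -> Tuple[bool, bool]:
    # Receiver's check. Returns (peer_behind_nat, self_behind_nat).
    dest_hash, source_hashes = received[0], received[1:]
    # If the peer's hash of *our* address differs from what we compute, a NAT rewrote it: we are NATed
    self_behind_nat = dest_hash != nat_d_hash(cky_i, cky_r, my_addr)
    # If none of the peer's hashes of *its* address match the address the packet arrived from, the peer is NATed
    peer_behind_nat = nat_d_hash(cky_i, cky_r, observed_peer) not in source_hashes
    return peer_behind_nat, self_behind_nat


def choose_port(peer_behind_nat: bool, self_behind_nat: bool) -> int:
    # NAT detected on either side: float IKE and UDP-encapsulated ESP to port 4500, else stay on 500
    return 4500 if (peer_behind_nat or self_behind_nat) else 500


def demo(client_behind_nat: bool = True) -> Tuple[bool, bool]:
    # Constructed values: a client on a private LAN whose NAT rewrites its source to a public address/port
    cky_i = bytes.fromhex("0123456789abcdef")
    cky_r = bytes.fromhex("fedcba9876543210")
    client_private = Endpoint("192.168.1.10", 500)
    client_as_seen = Endpoint("203.0.113.5", 61234) if client_behind_nat else client_private
    server = Endpoint("198.51.100.1", 500)
    payloads = build_nat_d_payloads(cky_i, cky_r, client_private, server)
    return detect_nat(cky_i, cky_r, server, client_as_seen, payloads)
```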
Configuring UDP Encapsulation
A preference labeled Negotiate UDP Encapsulation with VPN server for NAT Traversal is available in the
Login Properties/Preferences panel to allow an end user to alter the use of NAT Traversal. The default
value for this preference can be centrally configured in the AT&T administration server, but can be
⁷ Cisco is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.