An O2 White Paper
2. O2 Bearer Service
2.1. Introduction
O2’s Bearer Service offers business customers a high quality private mobile data connection to their own private domain.

O2’s Bearer Service can be used to support both GPRS and 3G data traffic (e.g. the same infrastructure supports both 3G and GPRS users).

The key aspects of O2’s Bearer Service are as follows:

• Each connection is defined by a unique, private Access Point Name (APN).
• Connectivity is provided via a physical leased line that connects the O2 network with the customer’s LAN.
• Customers can define which Subscriber Identification Module (SIM) cards are able to access their APN.
• The service can be configured to precisely match a customer’s requirements – in terms of security for instance.
• The service does not provide any direct access to the Internet.
• All private Bearer Services connect to resilient GPRS Gateway Support Nodes (GGSNs) in the O2 network.
• Dynamic or static mobile device IP allocation.
• Private or public IP addresses for the mobile devices.

The installation of this service offers customers the opportunity to design the mobile data connectivity service of their choice. Almost every aspect of the service can be configured to the customer’s requirements, as this is a private service that connects customers to the O2 GPRS and 3G networks directly, using physical leased line infrastructure.

This service is designed for customers that require a private connection to their company LAN, which will offer them the highest quality of service and most consistent data communications performance.

O2’s Bearer Service is delivered and managed end-to-end by O2 to ensure the smoothest service delivery and shortest problem resolution timescales. O2 proactively monitors the status of the service and produces detailed usage reports to ensure suitable service levels are maintained at all times.

The leased line infrastructure offers the highest level of availability via two basic types of physical connection: DataLink (refer to section 2.2) and Resilient DataLink (refer to section 2.3).

Customers wishing to order O2 Bearer Services should discuss their options with their O2 Account Manager in the first instance. A detailed ‘Application For Service’ form is used to capture customer requirements, and service can be provided in 43 working days after this form has been processed.
2.2. DataLink
Standard connectivity for Bearer Service customers is delivered via a single leased line (128 Kbit/s, 256 Kbit/s, 512 Kbit/s and 2 Mbit/s bandwidths are available), terminating on a single router that is installed at the customer’s premises. Once installed, the router presents a single Ethernet or Token Ring connection to the customer’s LAN.
Figure 1: Top Level Overview of a typical GPRS/3G Bearer Service connection. (Diagram components: Remote User, O2 Data Network with Radius Server and DHCP Server, GRE Tunnel, Leased Line, Firewall, Corporate Network.)
2.3. Resilient DataLink
For those customers requiring the very highest levels of availability, O2 offers a Resilient DataLink leased line option to Bearer Service customers. Two links and routers are provided as part of this solution.

The two links and routers can be terminated at the same site. However, it is strongly recommended that they are deployed in different computer rooms which are served by different exchanges and duct routes.

2.4. VPN support
O2 does not impose any restrictions on the type of data or ports that can be used for data transfer between the mobile devices and the corporate network. Consequently, it is straightforward to use any type of VPN solution with O2’s Bearer Service.
3. O2 Mobile Web service
3.1. Introduction
O2’s Mobile Web service allows customers to get onto the Internet via GPRS and/or 3G (refer to Figure 2). In this instance customers do not have their own APN. The key aspects of the service are detailed below:

• Users can ‘surf’ the Internet, access FTP servers, access e-mail and generally utilise Internet resources.
• This is a public service and can be used by any O2 pay monthly customer. The APN associated with the service is mobile.o2.co.uk.
• If customers have an Internet facing VPN gateway then they might already support remote access via the Internet. If this is the case they should be able to use the Mobile Web service to allow people to access their network via GPRS.
• By default Mobile Web users enjoy an optimised experience when accessing Internet content at no extra cost. This network hosted optimisation can speed up the delivery of Web pages by optimising graphic images and compressing text content. It can however degrade the image quality in Web pages and interfere with some other Internet applications. If this is experienced, the optimisation platform can be bypassed by changing the user name in the Mobile Web settings of the handset/device, as follows:
  – Default settings – includes optimisation:
    – User name: faster
    – Password: password
  – No optimisation required:
    – User name: bypass
    – Password: password

The Mobile Web APN is associated with all new O2 pay monthly SIM cards. If customers do not wish this APN to be available to users they should specify this requirement prior to SIMs being provisioned.

The O2 Mobile Web service uses private IP addressing and Port Address Translation (PAT) when users access Internet resources. PAT was defined by the Internet Engineering Task Force (IETF) as a way to convert private IP addresses to public routable Internet addresses and enables organisations to minimise the number of Internet IP addresses they require, e.g. by using PAT, companies can connect thousands of systems/users to the Internet via a few IP addresses.

The use of PAT has major implications: although PAT provides many benefits, some applications, including IPSec VPNs, can experience issues when PAT is being used. The issues surround trying to ensure packet integrity – when a packet passes through a PAT device, in this instance the O2 firewall that is used in the Mobile Web environment, the original IP address is modified. This is not allowed when using IPSec VPN solutions, because any modification of the packet will result in a failed integrity check and will prevent the VPN tunnel from being created. As a consequence IPSec and PAT can function together only when PAT occurs before the packet is encrypted. Whilst this will normally work fine in gateway-to-gateway communications, remote access solutions are problematic because the IPSec VPN client on a remote laptop will encrypt the packet before it travels to the PAT device, subsequently breaking the IPSec VPN connection.

To enable IPSec VPNs to work with Network Address Translation (NAT) or PAT devices, a solution called NAT Traversal was developed – it should be noted that this is sometimes also known as UDP encapsulation. The main technology behind this solution is UDP (User Datagram Protocol) encapsulation, wherein the IPSec packet is encapsulated inside a UDP/IP header, allowing NAT or PAT devices to change IP or port addresses without modifying the IPSec packet.

In order for NAT Traversal to work properly the VPN solution (i.e. client and server) must be configured for NAT traversal working.
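The PAT and NAT Traversal behaviour described above can be seen directly in a small model. The following Python is an added example and is not O2’s code or anything from the original paper: it builds an AH-protected packet (whose integrity check value covers fields of the IP header) and a NAT-T packet (ESP carried inside UDP port 4500, whose integrity check covers only the ESP header and payload), runs each through a simplified PAT rewrite of the source address and port, and re-verifies both. Header layouts are trimmed to the fields that matter for the demonstration, the integrity check value is a truncated HMAC-SHA256 under a constructed key, the ESP payload is left unencrypted to keep the focus on the integrity check, and all addresses are constructed.

```python
import hmac
import hashlib
import socket
import struct

# Constructed demo values (not from the paper): a shared integrity key and an SPI.
KEY = b"constructed-demo-integrity-key"
SPI = 0x1001
ICV_LEN = 16          # truncated HMAC-SHA256 used as the integrity check value (ICV)
IP_FMT = "!BBHHHBBH4s4s"

def ipv4_header(src, dst, proto, total_len):
    # Minimal 20-byte IPv4 header; the header checksum is left at zero for the demo.
    return struct.pack(IP_FMT, 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def ah_covered_fields(ip_hdr):
    # AH authenticates the IP header with mutable fields (TTL, checksum, ...) zeroed.
    # This demo covers version/IHL, total length, protocol, source and destination.
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(IP_FMT, ip_hdr)
    return struct.pack("!BHB4s4s", ver_ihl, total_len, proto, src, dst)

def build_ah_packet(src, dst, payload):
    ah_len = 12 + ICV_LEN                      # next header, len, reserved, SPI, seq + ICV
    ip_hdr = ipv4_header(src, dst, 51, 20 + ah_len + len(payload))
    # The AH "payload length" field is the AH length in 32-bit words minus 2.
    ah_fixed = struct.pack("!BBHII", 17, ah_len // 4 - 2, 0, SPI, 1)
    covered = ah_covered_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    icv = hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]
    return ip_hdr + ah_fixed + icv + payload

def verify_ah_packet(pkt):
    ip_hdr, ah = pkt[:20], pkt[20:]
    ah_fixed, icv, payload = ah[:12], ah[12:12 + ICV_LEN], ah[12 + ICV_LEN:]
    covered = ah_covered_fields(ip_hdr) + ah_fixed + bytes(ICV_LEN) + payload
    expected = hmac.new(KEY, covered, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)

def build_natt_esp_packet(src, dst, payload):
    # NAT-T: ESP (SPI, sequence number, payload, ICV) carried inside UDP port 4500.
    # The ICV covers only the ESP header and payload, never the outer IP/UDP headers.
    esp_hdr = struct.pack("!II", SPI, 1)
    icv = hmac.new(KEY, esp_hdr + payload, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_hdr + payload + icv
    udp_hdr = struct.pack("!HHHH", 4500, 4500, 8 + len(esp), 0)
    ip_hdr = ipv4_header(src, dst, 17, 20 + 8 + len(esp))
    return ip_hdr + udp_hdr + esp

def verify_natt_esp_packet(pkt):
    esp = pkt[28:]                              # skip the 20-byte IP and 8-byte UDP headers
    esp_hdr, body, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(KEY, esp_hdr + body, hashlib.sha256).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected)

def pat_rewrite(pkt, new_src, new_sport=None):
    # Model of the PAT device: rewrite the source address, and the UDP source port
    # when the packet is UDP. Nothing beyond the outer headers is touched.
    fields = list(struct.unpack(IP_FMT, pkt[:20]))
    fields[8] = socket.inet_aton(new_src)
    ip_hdr = struct.pack(IP_FMT, *fields)
    rest = pkt[20:]
    if fields[6] == 17 and new_sport is not None:
        _, dport, length, csum = struct.unpack("!HHHH", rest[:8])
        rest = struct.pack("!HHHH", new_sport, dport, length, csum) + rest[8:]
    return ip_hdr + rest

def demo():
    # Constructed addresses: a private mobile address, a public PAT address, a VPN gateway.
    payload = b"constructed inner packet"
    ah = build_ah_packet("10.1.2.3", "203.0.113.10", payload)
    natt = build_natt_esp_packet("10.1.2.3", "203.0.113.10", payload)
    return {
        "ah_before_pat": verify_ah_packet(ah),
        "ah_after_pat": verify_ah_packet(pat_rewrite(ah, "198.51.100.7")),
        "natt_before_pat": verify_natt_esp_packet(natt),
        "natt_after_pat": verify_natt_esp_packet(pat_rewrite(natt, "198.51.100.7", 40001)),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'integrity OK' if ok else 'integrity FAILED'}")
```

The AH check fails after the PAT rewrite because the source address sits inside the data the ICV covers; the NAT-T packet still verifies because PAT only touched the outer IP and UDP headers, which is exactly what the UDP encapsulation is for. A real ESP endpoint would also check the sequence number and decrypt the payload, which this model omits.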
Figure 2: Top Level Overview of O2’s Mobile Web Service. (Diagram components: Remote User, O2 Data Network with Radius Server allocating private IP addresses, GRE Tunnel, Leased Line, Firewall, O2 Mobile Web Service, Internet.)
3.2. VPN support
3.2.1. IPSec based VPN solutions
Unless customers wish to support split tunnelling, they are recommended to use O2’s Mobile Web VPN service in conjunction with their IPSec based VPN solution (refer to section 4 for more information on O2’s Mobile Web VPN solution).

3.2.2. PPTP and SSL based VPN solutions
Customers can use Point-to-Point Tunnelling Protocol (PPTP) and SSL based VPN solutions in conjunction with O2’s Mobile Web Service.
3.3. IP addresses allocated to Mobile Web users
Users are allocated a dynamic, private unregistered IP
address which is drawn from the following ranges:
4. O2 Mobile Web VPN service
4.1. Introduction
O2’s Mobile Web VPN service was specifically developed to allow customers to use their VPN solutions with GPRS and 3G – assuming the customer’s VPN solution can be utilised by people connected to the Internet (refer to Figure 3).

The key aspects of the service are as follows:

• Customers do not have their own APN.
• This is a public service and can be used by any O2 pay monthly customer. The APN associated with the service is vpn.o2.co.uk, and a user name of user and password of password should be used.
• Users are allocated a public IP address and are on the Internet.
• Users cannot directly ‘surf’ the Internet, access FTP servers, access e-mail or utilise Internet resources:
  – At the request of customers the service was set up so that only VPN protocols can be used when users first establish their GPRS or 3G connection, i.e. the firewall associated with the service will block all other traffic.
  – Once the VPN session is in place, users will be able to browse the Intranet/Internet and access other corporate resources – assuming the corporate security policy allows such transactions to take place.
  – Split tunnelling will not work as users are not able to access Internet resources directly.
• It is possible to confirm connectivity exists between the VPN client and server via the ping command.
Figure 3: A VPN Tunnel Established between a Remote User and the Corporate LAN. (Diagram components: Remote User, O2 Data Network with Radius Server allocating public IP addresses, GRE Tunnel, Leased Line, Firewall, O2 Mobile Web VPN Service, VPN Tunnel, Corporate Network.)
The O2 Mobile Web VPN service does not include any
optimisation capability, delivers public registered IP
addresses to mobile devices and allows access only to
VPN applications. The service offers businesses the ability
to provide secure LAN access to their users via the Internet
and control their usage through the application of their
internal IT policy.
4.2. VPN support
4.2.1. Introduction
Unless customers wish to support split tunnelling (refer to section 3.2.1 for a description of what is meant by the term split tunnelling), they are recommended to use O2’s Mobile Web VPN service in conjunction with their VPN solution.

4.2.2. IPSec, PPTP and SSL Based VPN Solutions
As detailed in the following text, IPSec, PPTP and SSL based VPN solutions will work in conjunction with O2’s Mobile Web VPN service.

The protocols supported by the Mobile Web VPN service are as follows:

• Ping (allows people to confirm that connectivity exists between their device, a laptop for instance, and the VPN server).
• Protocol 50 (ESP).
• Protocol 51 (AH).
• Protocol 47 (GRE) (required to support PPTP).
• Layer 2 Tunnel Protocol (L2TP).

The Mobile Web VPN service allows the ports detailed below to be used:

• UDP port 500 (IKE).
• TCP port 1723 (required to support PPTP).
• UDP port 4500 (required for NAT-T).
• UDP port 1701 (required to support L2TP/IPSec).
• TCP port 259 (required to support FW1_MEP – Check Point NG FP3 MEP determines the closest entry point; only used if using NG FP3 clients and more than one entry point into the network).
• TCP port 264 (required to support FW1_topo – Check Point VPN-1 SecuRemote Topology Requests).
• UDP port 2746 (required to support VPN1_IPSEC_encapsulation – Check Point VPN-1 SecuRemote IPSEC Transport Encapsulation Protocol).
• UDP port 50000: required for the Barron McCann X-Kryptor VPN solution.
• TCP port 50000: required for the Barron McCann X-Kryptor VPN solution.
• UDP port 10000: many VPN solutions use this port when NAT traversal is being used.
• TCP port 10000: this is the default port used by Cisco VPN solutions when the IPSec over TCP option is selected.
• UDP port 2233: used by the Shiva VPN solution.
• UDP port 10025: used by the Shiva VPN solution.
• UDP port 10026: used by the Shiva VPN solution.
• UDP port 10027: used by the Shiva VPN solution.
• TCP port 10027: used by the Shiva VPN solution.
• TCP port 10028: used by the Shiva VPN solution.
• TCP port 389: used by AT&T’s VPN service.
• TCP port 709: used by AT&T’s VPN service.
• TCP port 5080: used by AT&T’s VPN service.
• TCP port 443 (SSL).
• UDP port 443 (some VPN solutions require that a UDP port be used – this port has been opened up for this purpose).
• UDP port 12000: used by the Good Technology Mobile Messaging solution.
• TCP port 15000: used by the Good Technology Mobile Messaging solution.
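The protocol and port lists above describe a default-deny firewall in front of the Mobile Web VPN service, which is also what makes the “users cannot surf” statement in section 4.1 true before a tunnel is up. The Python below is an added example, not O2’s firewall configuration or any code from the paper: it transcribes the lists into an allow-list, treats entries given by IP protocol number as matching regardless of port and TCP/UDP entries as matching on destination port, and runs a few constructed flow-log lines through the decision so that a practitioner can check in advance whether a given VPN client’s traffic would get through. The log format, the source address (taken from the 4.3 range) and the reading of “Ping” as ICMP echo are assumptions.

```python
import re
from typing import Optional, Tuple

# Allow-list transcribed from section 4.2.2 (example code, not O2's firewall configuration).
# Entries listed by IP protocol number apply whatever the port; TCP/UDP entries match the
# destination port of the flow. L2TP appears under the ports as UDP 1701.
ALLOWED_IP_PROTOCOLS = {
    1: "ICMP echo (ping)",    # assumption: "Ping" on the page taken to mean ICMP echo
    47: "GRE (PPTP data channel)",
    50: "ESP",
    51: "AH",
}
ALLOWED_UDP_PORTS = {500, 4500, 1701, 2746, 50000, 10000, 2233, 10025, 10026, 10027, 443, 12000}
ALLOWED_TCP_PORTS = {1723, 259, 264, 50000, 10000, 10027, 10028, 389, 709, 5080, 443, 15000}

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

def vpn_service_allows(proto: int, dport: Optional[int] = None) -> Tuple[bool, str]:
    """Decide whether a flow from a mobile device is passed by the modelled firewall.
    Returns (allowed, reason). Anything not matched is blocked: default deny."""
    if proto in ALLOWED_IP_PROTOCOLS:
        return True, ALLOWED_IP_PROTOCOLS[proto]
    if proto == 17 and dport in ALLOWED_UDP_PORTS:
        return True, f"UDP port {dport}"
    if proto == 6 and dport in ALLOWED_TCP_PORTS:
        return True, f"TCP port {dport}"
    return False, "not a listed VPN protocol/port: blocked by default"

# Assumed flow-log format (constructed for this example): "src=... dst=... proto=udp dport=500".
LOG_RE = re.compile(r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?")

def classify_log_line(line: str) -> Tuple[str, bool, str]:
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    proto = PROTO_NUMBERS[m.group("proto").lower()]
    dport = int(m.group("dport")) if m.group("dport") else None
    allowed, reason = vpn_service_allows(proto, dport)
    return line, allowed, reason

SAMPLE_LOG = [  # constructed lines, not real O2 log output
    "src=82.132.160.20 dst=203.0.113.10 proto=udp dport=500",    # IKE
    "src=82.132.160.20 dst=203.0.113.10 proto=udp dport=4500",   # NAT-T
    "src=82.132.160.20 dst=203.0.113.10 proto=esp",              # plain ESP
    "src=82.132.160.20 dst=203.0.113.10 proto=tcp dport=1723",   # PPTP control
    "src=82.132.160.20 dst=203.0.113.10 proto=gre",              # PPTP data
    "src=82.132.160.20 dst=198.51.100.5 proto=tcp dport=80",     # web browsing before VPN is up
    "src=82.132.160.20 dst=198.51.100.5 proto=udp dport=53",     # DNS: not on the list
]

def summarize(lines=SAMPLE_LOG):
    """Classify every line and return counts plus the per-line decisions."""
    results = [classify_log_line(line) for line in lines]
    allowed = sum(1 for _, ok, _ in results if ok)
    return {"allowed": allowed, "blocked": len(results) - allowed, "details": results}

if __name__ == "__main__":
    report = summarize()
    for line, ok, reason in report["details"]:
        print(f"{'ALLOW' if ok else 'BLOCK':5} {line}  ({reason})")
    print(f"{report['allowed']} allowed, {report['blocked']} blocked")
```

One point worth checking with the provider before relying on this model: the list as printed contains no DNS entry, so a client that must resolve its gateway’s hostname before the tunnel exists would be blocked under this reading, whereas a client configured with the gateway’s IP address would not be affected.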
4.3. IP addresses allocated to Mobile Web VPN users
Users will be allocated an IP address from one of the
ranges detailed below:
• 82.132.160.1 to 82.132.163.254.
• 82.132.168.1 to 82.132.171.254.
5. Service comparison
6. Glossary of terms
IP Internet Protocol
All Rights Reserved. No part of this document may be copied, photocopied, reproduced, translated or reduced to any electronic or machine readable form without the prior permission of O2 Limited.