Troubleshooting Connections
By Charles Wilde
It seems like such a simple set of operations . . .
- Step 1, select the web site or intranet,
- Step 2, click on it to connect,
- Step 3, watch it connect, and
- Step 4, see the site or host connection.
Steps 2 and 3 seem to be the areas of most difficulty.
One of the great challenges to realizing the potential of mobile devices for business use is making a wireless connection. In general terms, problems in making a successful connection resolve to three broad areas:
- Access to the wireless medium, whether a cellular medium such as GSM/GPRS or CDMA, or a wireless LAN, typically a variant of 802.11. Wireless media often provide only intermittent connectivity, especially when you are physically moving around with the mobile device; the carrier signal may simply be unavailable in your current location.
- Security issues, including incompatible VPN servers and clients, a wireless access point that requires security standards the mobile device does not implement, firewalls blocking the protocols used by applications on the mobile device, and so on.
- Mobile device configuration issues. Mobile devices now include multiple connection methods. Correct device configuration is essential to a successful connection attempt. Other configuration issues revolve around communication link timeouts, which for certain cell phone carriers need to be set to higher values.
Making the Connection Work
Reality: Access to wireless media is inherently less reliable for mobile devices than wired connections. Simple movement of a mobile device can easily disrupt a wireless connection, be it WLAN (802.11) or cellular. Even if the mobile device is temporarily stationary, a marginal, weak signal connection can be rendered inoperable by external influences such as passing vehicles and changing weather conditions.
What To Do: Test in multiple locations. Test at different times of day. Voice coverage and data coverage may not be identical.
Reality: Another issue is contention between services running on the same mobile device, such as voice, data and SMS. Under certain conditions, data connections can be automatically suspended when a voice call is made or received. The ability to simultaneously support voice and data traffic is a function of the particular mobile device as well as support provided in the carrier network. A particular carrier may support simultaneous voice and data traffic, or give priority to either voice or data. A carrier may automatically shunt voice calls to voice mail if a data connection is in use. Alternatively, the carrier may ask the user of the mobile device whether to answer an incoming voice call, which will temporarily suspend data transfer for the duration of the voice call.
What To Do: Check with your cell phone carrier for what to expect with your mobile device. In the best case, some cell phone services such as UMTS allow voice and data service simultaneously.
Reality: Seamless transfer between WLAN and cell phone service is an emerging capability. It promises to ease the data connectivity interruptions for newer versions of Microsoft Windows Mobile and other mobile devices.
What To Do: Test, test, test.
What’s Going On With Your Data?
The actual connection between the two systems is at the Data-Link layer. The data flows down in packets from the Process layer through the Transport, Network and Data-Link layers, across the physical network to the other Data-Link layer, then up through the Network and Transport layers to the other Process layer.
The network “plumbing” is designed in layers to make its complexity more manageable. Each layer is a software component with defined interfaces to the layers above and below it, and a defined protocol for talking to its peer on the other side. A protocol is a set of rules and conventions between the communicating units.
A data packet starts at the top of either stack and travels down, across, and then up again. Each layer communicates with the layer above it and the layer below it on the same side. At each layer, a header is added to the data packet which is used to communicate with its peer on the other side of the data link. When the data packet reaches the other side of the physical link, the data packet travels up the stack with each layer removing its header until the original data packet reaches the Process layer.
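As an added illustration (not from the original article), here is a small Python model of the stack the text describes: a payload handed down from the Process layer picks up a UDP, an IPv4 and an Ethernet header in turn, and the receiving side strips them in reverse, each layer reading only its own header. The addresses, MACs and payload are constructed sample values; the header layouts are the real UDP, IPv4 and Ethernet II formats.

```python
import socket
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791); returns 0 when a header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(payload, src_ip, dst_ip, sport, dport, src_mac, dst_mac):
    """Walk a Process-layer payload down the stack; each layer prepends its own header."""
    # Transport layer: UDP header (source port, destination port, length, checksum left 0).
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # Network layer: 20-byte IPv4 header, protocol 17 = UDP, checksum filled in afterwards.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Data-Link layer: Ethernet II header, EtherType 0x0800 = IPv4.
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip_hdr + udp

def decapsulate(frame: bytes) -> dict:
    """Walk the frame back up the stack; each layer reads and strips only its own header."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("Data-Link: not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("Network: IPv4 header checksum mismatch")
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    if proto != 17:
        raise ValueError("Network: not UDP")
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    return {"src_mac": src_mac, "dst_mac": dst_mac,
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "payload": udp[8:ulen]}

if __name__ == "__main__":
    # Constructed sample: a request from a handheld (192.0.2.10) to a web server (192.0.2.20).
    frame = encapsulate(b"GET / HTTP/1.0\r\n", "192.0.2.10", "192.0.2.20",
                        40000, 80, b"\x02" * 6, b"\x04" * 6)
    print(len(frame), "bytes on the wire;", decapsulate(frame)["payload"])
```

A corrupted byte in the IPv4 header is caught at the Network layer before the Transport layer ever sees the datagram, which is the per-layer responsibility the text describes.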
VPN — No Magic Bullet
Access to enterprise data normally requires various security considerations to ensure that the data become available only to authorized mobile users. VPN or virtual private networks have been the traditional choice to ensure network security for mobile users. A VPN link provides a secure data link over public or unsecured data transmission channels.
There are a wide variety of VPN methods and client software available to meet various needs. Because there does not appear to be an industry consensus on a single VPN standard, VPN usage can be a significant hurdle to successful mobile device connections.
Currently, there are four major categories of VPN protocols: PPTP, L2TP, IPSec, and SSL. Each has its pros and cons:
PPTP is the oldest VPN format and operates at the data link layer of the OSI protocol stack. PPTP creates the “tunnel” or virtual private network, but data security is provided with additional protocols such as Microsoft Point-to-Point Encryption (MPPE) protocol or other user selected means.
L2TP also operates at the data link layer of the OSI protocol stack. It provides more security features than PPTP, but also can be more difficult to implement due to the requirement for digital certificates.
IPSec can be used as the security protocol for L2TP, or as a complete VPN solution in itself. IPSec itself operates at the network layer of the OSI protocol stack and commonly relies on digital certificates.
SSL VPN links are a relatively recent development, and offer some significant advantages. The client software is often just the web browser, and SSL has been well tested over time with secure web servers used for Internet commerce and enterprise intranet access. SSL VPN links operate at the Session (Process) layer of the OSI protocol stack.
SSL enabled services are another way security is offered for mobile connections. VPN methods secure the whole communication channel so that any application is automatically secured. An alternative to the VPN is enabling security on a per application basis with SSL. Most commonly seen in use with the web browser, the “lock” symbol is displayed in the browser when the application (web browser) is operating over a secure SSL channel to the web server. Only that particular web browser session is secured; other applications running on the device are not protected by this SSL channel. SSL is also available with IBM 3270 and IBM 5250 sessions where SSL is enabled for TN3270 and TN5250 server sessions.
Not all of these VPN methods are available for all mobile devices. And, for a given method, the VPN client software on the device needs to be chosen carefully to be compatible with the VPN server software. Once the client software is installed, careful coordination with the enterprise IT staff may be needed to configure the client software and install any necessary digital certificates.
Getting the Device Configuration Right
Beyond the requirements of a VPN, successful connections between mobile devices and enterprise servers require proper configuration of various communication related parameters. With Windows XP on a notebook or Tablet PC, this configuration is minimal, normally only requiring installing a driver for a wireless networking card. Often even this process is not required for the more popular networking cards. Once the driver is installed, configuring the driver to match the wireless access point security parameters is usually required.
With a Windows Mobile device, configuration is more complex, requiring attention to each wireless communication method available on the Pocket PC or Smartphone. With recent Windows Mobile devices, this can include cell phone, WLAN (802.11), Bluetooth, and IrDA infrared communication methods. To help manage all of these methods, the Windows Mobile operating software comes with an application called “Connection Manager”. In addition, the cell phone wireless carrier or manufacturer of the Windows Mobile device may add an additional application to extend the management facilities to configure features unique to the device and carrier.
The Connection Manager categorizes connections into “Work” and “Internet” categories. This distinction is made to allow applications to select between two communication methods available to the Pocket PC. The “Work” connection may be set to communicate over a VPN connection to the enterprise LAN. The “Internet” connection can then be set to use a direct path to the Internet, bypassing the VPN.
Careful attention to configuration, both in the Windows Mobile Connection Manager and in a device manufacturer’s custom communication application, is required to create a successful connection scenario. In particular, configuration changes may be required to cause the Windows Mobile device to select the VPN connection if an Internet or DNS style host name (one with “name.com”) is used in lieu of a NetBIOS style host name (one with “name”, no dots).
Getting Into the Right “Port”
Other configuration issues revolve around “ports”, numbered endpoints that allow several services to share a single IP address. If a port number is blocked anywhere along the route between the mobile device and the enterprise server, communication will fail. Web browsers in unsecured mode typically use port 80, which is most often open end to end. When moving to secure web browser communication, FTP or Telnet communication, or other specialized services including email, different port numbers will be employed.
To successfully connect using these services, you must work with your IT department to ensure that the appropriate ports are not blocked anywhere along the communication path between the mobile device and the server. Specialized software tools are available to determine where communication paths are blocked. Examples are IP Toolkit for the Pocket PC and “ping” and “tracert” for the Windows XP based mobile device.
Where Do You Start?
With an understanding of the underlying reasons why connections fail, here’s how to proceed to locate your connection problem and resolve it.
Step 1 – Focus first on getting web browsing to public Internet web servers working. This resolves the first category of issues – connecting to the wireless media. You may also need to adjust the device configuration, such as adjusting the timeout.
Step 2 – Once you can get this to work, the next step to enabling a connection to your enterprise server is to contact your company IT staff. They can advise you on the items you will need: for example, the correct VPN client software if needed, any required digital security certificates, proper port numbers, host names or IP addresses, DNS server addresses, communication protocols available, etc.
Step 3 – With the necessary communication client software installed and configured to the specifications from your IT department, the next step is to use software tools to trace the connection hops from the device to communication nodes and then to the enterprise server. Tools like “ping” and “tracert” and IP Toolkit for the Pocket PC will identify where communication is likely blocked.
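As an added example (not part of the article or of any tool it names), the following Python script performs the port check that Step 3 and the “Port” section describe, classifying each TCP connect attempt into the outcomes a troubleshooter needs to tell apart: the name did not resolve, the port is silently filtered somewhere on the path, the host reached but refused, or the network is unreachable. The host name passed to `check_services` is a placeholder for the server your IT department identifies; `local_self_check` demonstrates the categories offline against a loopback port.

```python
import errno
import socket
from typing import Optional

# Standard port assignments for the services the article names.
SERVICE_PORTS = {"http": 80, "https": 443, "ftp": 21, "telnet": 23, "smtp": 25}

def classify(exc: Optional[BaseException]) -> str:
    """Map the outcome of one TCP connect attempt to a troubleshooting category."""
    if exc is None:
        return "open"          # handshake completed: nothing on the path blocks this port
    if isinstance(exc, socket.gaierror):
        return "dns-failure"   # name did not resolve: check host name / DNS server (Step 2 items)
    if isinstance(exc, socket.timeout):
        return "filtered"      # no reply at all: a firewall silently dropping the port is the usual cause
    if isinstance(exc, ConnectionRefusedError):
        return "closed"        # host reached, but nothing listens there or a host firewall rejects it
    return "unreachable"       # no route / wireless media down: back to Step 1

def check_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP connection and return its category; never raises."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

def check_services(host: str, services=SERVICE_PORTS, timeout: float = 3.0) -> dict:
    """Check every service port against one host, e.g. the enterprise server IT named."""
    return {name: check_port(host, port, timeout) for name, port in services.items()}

def local_self_check() -> dict:
    """Offline demonstration: a listening loopback port reads 'open'; the same port closed reads 'closed'."""
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    probe.listen(1)
    port = probe.getsockname()[1]
    listening = check_port("127.0.0.1", port)
    probe.close()
    return {"listening": listening,
            "closed": check_port("127.0.0.1", port),
            "timeout": classify(socket.timeout()),
            "dns": classify(socket.gaierror()),
            "no_route": classify(OSError(errno.ENETUNREACH, "Network is unreachable"))}

if __name__ == "__main__":
    print(local_self_check())
    print(check_services("enterprise-server.example"))  # placeholder host name
```

A "filtered" result on a port that is "open" from the office LAN points at a firewall between the device and the server, which is exactly the information to bring to the IT department.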
Collaboration with your IT department will be necessary to work through these issues. By walking through the issues one by one, you will identify the right combination of elements you need and be connecting consistently in a very short time.