Frequently Asked Questions

Contents

• Does the Mac VPN client support OS X?
• Does the Mac VPN client support Panther (10.3)?
• Can I use the VPN component built-in to OS X to access EVPN?
• What are the Mac requirements?
• Does the Mac VPN client work through a router or an Apple airport?
• How do I get updates to the Mac VPN client?
• Can Mac users access Lockheed Martin through VPN?
• Is the Mac client covered under Lockheed Martin licensing?
• Is there anything special I need to do to use VPN on the Mac?
• If my account is placed in the non-compression profile, will I still be able to use EVPN on my PC?
• Every time I try to connect, the connections fails with a message about compression. What's wrong?
• Why don't the VPN DNS names work on the Mac client?
• Can I purchase the Mac VPN Client directly from Netlock?
• I installed the Mac client, but there is no VPN menu in my menu bar. What's wrong?
• Where do I go for help with the Mac VPN client?
• When contacting the ESD, how can I make sure the request goes to the right group?
• Are there any other FAQs related to VPN for Lockheed Martin employees?
• How do I get reimbursed for purchasing the Mac client?
• I'm having problems with Outlook and Exchange Servers. What can I do?
• Is there an alternate VPN solution to the Netlock client for accessing the Lockheed Martin network?
• How can I avoid kernel panics under Tiger, OS 10.4?

Does the Mac VPN client support OS X?

Yes, version 2.1 (or later) of the VPN client supports OS X.

[Return to Contents]

VPN client v2.1.7 adds support for Panther, but Mac Guild testing has shown that versions as old as v2.1.4 work fine with Panther (OS 10.3) as well. There are problems reported using v2.1.2 with Panther.

[Return to Contents]

No, the VPN client built-in to OS X does not support the Nortel switch. You must purchase the Netlock VPN client to access EVPN.

[Return to Contents]

Mac OS X - 10.1.5 or later

• Netlock client v2.1 or later
• CD ROM drive
• 10 MB free disk space
• 64 MB RAM
• Web Browser

Mac OS 8.6 - 9.2.2

• Netlock client v1.2 or later
• Open Transport 2.0.3 or later
• CD ROM drive
• 10 MB free disk space
• 64 MB RAM
• Web Browser

[Return to Contents]

The ability to use the Client with a router is dependent upon the router model and firmware. The router must allow data through port 500, protocols 50 and 51, and allows any UDP port to be used for NAT traversal. For example, the Asante FR1000/3000 series routers are not End Point solutions, and does not work with the Netlock VPN client; whereas, the Asante VR2000 series should support it.

In general, the EVPN solution is using NAT Traversal over port UDP/4500. This information is in the LM EVPN FAQs. Be sure to keep the firmware current.

The ability to use the Client with the AirPort is dependant on the model and firmware version of the AirPort being used, whether or not the AirPort is acting as a NAT device, and whether or not NAT traversal is configured on the Contivity switch. Early models of the AirPort do not support IPSec passthrough or NAT traversal. They will not work with the Client when it is used as a NAT device. These models of AirPort will only work when the AirPort is configured to act as a bridge.

AirPorts with firmware 2.0.4 or later support IPSec passthrough. These versions require Mac OS X in order to configure the AirPort. They will support the use of the Client when the AirPort is used as a NAT, but NAT traversal must not be enabled on the Contivity switch.

AirPort Extreme with firmware 5.1 or later supports both IPSec passthrough and NAT traversal. This will support the use of the Client when the AirPort is used as a NAT, independent of the NAT traversal settings on the Contivity switch.

[Return to Contents]

If you were to purchase today, your purchase includes annual maintenance. Annual maintenance includes technical support and free upgrades for one year. If you already own the client, but are not on the maintenance program, you can sign up for the maintenance program for $25, and you get free upgrades for a year from the point at which you purchased the client (or from the date your last maintenance ended).

[Return to Contents]

Yes, that's what these pages are all about. As of December of 2001, Nortel has released a Mac client which can be used to access Lockheed Martin's VPN switches.

[Return to Contents]

No, as a Mac user, you must purchase the Mac client yourself. For information on ordering the Mac client, check out the Mac VPN ordering page.

[Return to Contents]

Yes, as a Mac user, you need to purchase the Apani VPN client yourself. Click here for purchase information.

[Return to Contents]

Yes, the non-compression profile will still allow access via VPN on your PC. The only difference is that your connection on the PC will also be uncompressed. However, you no longer need to have compression turned off to use the Mac VPN client, as long as you are using Netlock version 2.1 or higher.

[Return to Contents]

The old Mac VPN client does not work on EVPN accounts using compression. You need to upgrade to the latest version of the VPN client software.

[Return to Contents]

The Mac client is not setup to access the VPN switches through the domain names. You must specify the actual IP addresses. See the internal data page for IP addresses.

[Return to Contents]

Yes. Apani now owns the Netlock VPN client, and they offer a Buy/Try program on-line. You can also buy it from the Apani on-line store.

[Return to Contents]

There is a known bug with version 1.1 of the Mac client running on newer Macs in OS 9.2 and higher. Obtain version 1.2 to resolve the problem.

WORK AROUND: You can access the client using the following URL: http://127.0.0.1:9161/

NOTE: You can bookmark the URL and/or drag the URL to your desktop to make it easier to access on subsequent connections.

[Return to Contents]

For Mac specific issues, send a message to the Mac Guild mailing list for help. You must be subscribed to post a message, and you can subscribe on the Mac Guild sign-up page. For VPN switch issues or SecurID issues, you need to call the ESD (408-742-SERV). If you are unsure what category your issue falls into, ask the Mac Guild for guidance.

[Return to Contents]

Have your request assigned to the ISO--RAS assignment group.

[Return to Contents]

Yes, there is a generic EVPN FAQ which is geared towards both Windows and Mac users on the Enterprise VPN site.

[Return to Contents]

If you wish to be reimbursed for the Mac client, you should go through your local management or financial approval process prior to ordering the product or you may not be reimbursed.

[Return to Contents]

Here are some suggestions that have helped customers resolve problems experienced with Outlook.

1. Add the Exchange Server to the Macs hosts file in the TCP/IP control
panel. The format is:

mail.company.com A 10.1.0.1

It's basically, host name, followed by an 'A', followed by the IP Address.

2. There is a long discussion regarding general problems with Outlook and any VPN tunnel. Two suggestions
from the discussion:

A) In the Outlook preferences, make sure the default transport type is set to TCP/IP instead of Appletalk.
B) Within the setup of the Outlook profile, open the "Exchange Server" service properties. Click on the Advance tab. Enable "Check server every" box and set it to 22 seconds (22 gave the testers the best results after much testing).

3. Try using the Outlook Web Access address (https://owa.us.lmco.com/exchange/) for the Exchange server address in the
account settings.

4. Some customers report that they can read email, but cannot view or send large attachments. This is most likely an MTU related problem. We have provided a utility to reduce MTU that resolves that issue. Download the free Netlock MTU Reducer from here.

Note: The application will display a simple windoid confirming the MTU change. It also creates a log file for review. If you reboot the computer it will change the MTU back to its original setting and you will need to run the application again to reduce MTU.

[Return to Contents]

Any alternate solution must work with the Nortel switches and they must support authentication with SecurID. A lot of products can support working with Nortel switches, but the issue is supporting the necessary SecurID authentication. Right now the only known supported solution is the Netlock client product.

[Return to Contents]

The Contivity VPN client (version 3.3) may cause a kernel panic when you want to stop it. As it is stops when you shut down or restart the computer, it means that sometimes your computer will go into a kernel panic instead of restarting or powering off. This was almost systematic before 10.4.2.

One solution is to stop the VPN client when unused. If you are on 10.4, you cannot do this under the default installation. The workaround is to remove the command that unloads the Contivity kernel extension. By commenting out the command "unload_kext", you can stop and start the Contivity daemon using the following commands from Terminal:

• sudo /Library/StartupItems/Nleac/Nleac stop
• sudo /Library/StartupItems/Nleac/Nleac start

You'll need administrator privileges to update the script. Detailed instructions for doing this can be found here.

[Return to Contents]