Restricting outside access to i5 - IBM AS400
-
Restricting outside access to i5
Most people who get into our i5 remotely do so by connecting first to
the company VPN. Users who connect in this way must have a VPN account
set up, and are issued an RSA token device.
There are some people who don't come in via the VPN, but instead open a
browser window and go to a publicly accessible web site. I don't know
much about networking, but I believe some kind of network address
translation redirects them to an HTTP server running on our i5 that runs
a software product called Strategi, from a company called Advanced
BusinessLink. Once they get to that site, and provided they have a
Strategi user ID on the i5, they can get a Java applet 5250 emulation
screen and sign onto the i5.
To my dismay, I found that if I open a DOS window on my personal (not
company) computer at home, and start a Telnet session to the same URL
used for Strategi, I instantly get a sign-on screen for the i5. I'd
like to close this hole, but obviously without damaging other authorized
Telnet access to the i5, e.g. from another i5 partition /inside/ our
network, or from iSeries Access. What are my options?
-
Re: Restricting outside access to i5
Hi Jonathan -
On Fri, 10 Oct 2008 18:26:43 -0700, Jonathan Ball
wrote:
>To my dismay, I found that if I open a DOS window on my personal (not
>company) computer at home, and start a Telnet session to the same URL
>used for Strategi, I instantly get a sign-on screen for the i5. I'd
>like to close this hole, but obviously without damaging other authorized
>Telnet access to the i5, e.g. from another i5 partition /inside/ our
>network, or from iSeries Access. What are my options?
Telnet is to destination port 23. If you block incoming TCP
connections to port 23 in your company's internet router, that will
block the direct telnet connections.
This should not interfere with telnet (or Client Access which uses
telnet for display sessions) through the VPN because the internet
router only sees the VPN packets. The packets with destination port
23 are encapsulated within the VPN packets.
The Strategi web connection presumably is to port 80 (the default HTTP
port). If it uses a custom port, it shouldn't be port 23, so that
should not be interfered with either. (It's been several years since
we used Strategi where I work, so I don't remember the details nor can
I test it.)
Speaking personally, for maximum security I recommend that all
incoming connections be blocked at your internet router by default,
and only the needed protocols and ports be opened.
--
Ken
Opinions expressed are my own and do not necessarily represent the views
of my employer or anyone in their right mind.
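The router-side filter Ken describes, as an added example that is not from the thread and not any vendor's product: a small Python model of a default-deny inbound access list that permits only the Strategi HTTP port and the VPN ports, evaluated against the outer packet header only. It assumes the company VPN is IPsec (the thread does not say which VPN is used), and the addresses (203.0.113.x for the public side, 198.51.100.7 for the home PC, 10.x for the inner tunnelled packet) and the rule table are made up for the illustration.

```python
"""Model of a default-deny inbound router filter (added illustration).

Addresses, ports and the rule table are constructed for the example and
are not from the thread. The router inspects the outer IP/TCP/UDP header
only; a telnet segment carried inside an IPsec ESP packet is invisible to it.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed public addresses (assumptions, not the company's real ones).
I5_PUBLIC = "203.0.113.10"    # NAT address forwarded to the Strategi HTTP server on the i5
VPN_GATEWAY = "203.0.113.1"   # VPN concentrator the RSA-token users connect to


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "esp"
    dport: Optional[int] = None       # None for protocols without ports (ESP)
    inner: Optional["Packet"] = None  # packet encapsulated inside a VPN tunnel


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    proto: str
    dst: Optional[str] = None         # None matches any destination
    dport: Optional[int] = None       # None matches any port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


# Explicit permits only; everything else falls through to the implicit deny.
INBOUND_ACL: List[Rule] = [
    Rule("permit", "tcp", I5_PUBLIC, 80),      # Strategi web front end
    Rule("permit", "udp", VPN_GATEWAY, 500),   # IKE
    Rule("permit", "udp", VPN_GATEWAY, 4500),  # IKE/ESP over UDP (NAT traversal)
    Rule("permit", "esp", VPN_GATEWAY),        # IPsec ESP
]


def filter_inbound(p: Packet, acl: List[Rule] = INBOUND_ACL) -> str:
    """First-match evaluation of the OUTER header; default deny."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


def demo() -> dict:
    """Three inbound packets from a home PC; returns the verdict for each."""
    home_pc = "198.51.100.7"  # constructed external address
    direct_telnet = Packet(home_pc, I5_PUBLIC, "tcp", 23)
    strategi_http = Packet(home_pc, I5_PUBLIC, "tcp", 80)
    # Same telnet segment, but tunnelled: the router sees only the ESP envelope.
    tunnelled = Packet(home_pc, VPN_GATEWAY, "esp",
                       inner=Packet("10.200.5.9", "10.1.1.5", "tcp", 23))
    return {
        "direct_telnet": filter_inbound(direct_telnet),
        "strategi_http": filter_inbound(strategi_http),
        "telnet_via_vpn": filter_inbound(tunnelled),
        "inner_port_seen_by_router": tunnelled.dport,  # None: the ACL never looks inside
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the model makes explicit is that the "permit" for the VPN user and the "deny" for the direct telnet probe come from different outer headers, so closing port 23 at the router cannot break tunnelled 5250 sessions; traffic from another partition inside the network never crosses the internet router at all. After changing a real router, repeat the OP's test from an outside address to confirm port 23 no longer answers.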
-
Re: Restricting outside access to i5
The Easy400 site ( http://www.easy400.net ) provides free iSeries
software utilities, all complete with source code.
One of these utilities is named SECTCP ("Triple A Secured TCP").
The SECTCP utility lets you restrict and log access to FTP and TELNET.
In your case, with SECTCP you could restrict TELNET access to ranges
of IP addresses, including your local network and the remote users
allowed to log on.
Giovanni B. Perotti
Easy400 site owner
On Oct 11, 3:26 am, Jonathan Ball wrote:
> Most people who get into our i5 remotely do so by connecting first to
> the company VPN. Users who connect in this way must have a VPN account
> set up, and are issued an RSA token device.
>
> There are some people who don't come in via the VPN, but instead open a
> browser window and go to a publicly accessible web site. I don't know
> much about networking, but I believe some kind of network address
> translation redirects them to an HTTP server running on our i5 that runs
> a software product called Strategi, from a company called Advanced
> BusinessLink. Once they get to that site, and provided they have a
> Strategi user ID on the i5, they can get a Java applet 5250 emulation
> screen and sign onto the i5.
>
> To my dismay, I found that if I open a DOS window on my personal (not
> company) computer at home, and start a Telnet session to the same URL
> used for Strategi, I instantly get a sign-on screen for the i5. I'd
> like to close this hole, but obviously without damaging other authorized
> Telnet access to the i5, e.g. from another i5 partition /inside/ our
> network, or from iSeries Access. What are my options?
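The host-side control Giovanni describes, as an added example that is not SECTCP's code and not from the thread: a per-service source-address allow list with a log trail, the kind of check a TELNET/FTP exit program performs on the i5 itself once the connection has already reached it. The address ranges (10.0.0.0/8 as the internal network, 172.20.200.0/24 as the pool the VPN gateway assigns to remote users, 10.1.0.0/16 for FTP) and the client addresses are assumptions made for the illustration.

```python
"""Per-service source-address allow list with logging (added illustration).

Shows the kind of check an i5 TELNET/FTP exit program such as Easy400's
SECTCP performs. Ranges, client addresses and the log format are constructed
for the example; this is not SECTCP's code.
"""
import ipaddress
from typing import Dict, List

# Assumed address plan: the internal LAN (other partitions, iSeries Access
# PCs), the address pool the VPN gateway hands to remote users, and a
# narrower range for FTP. All of these are assumptions.
ALLOW: Dict[str, List[ipaddress.IPv4Network]] = {
    "TELNET": [ipaddress.ip_network("10.0.0.0/8"),        # internal network
               ipaddress.ip_network("172.20.200.0/24")],  # VPN client pool
    "FTP":    [ipaddress.ip_network("10.1.0.0/16")],      # only the server LAN
}

LOG: List[str] = []   # stands in for the exit program's log file


def check_access(service: str, client_ip: str,
                 allow: Dict[str, List[ipaddress.IPv4Network]] = ALLOW,
                 log: List[str] = LOG) -> bool:
    """Return True when client_ip lies inside an allowed range for service.

    Fails closed: unknown services and unparsable addresses are rejected,
    and every decision is logged so refused attempts leave a trace.
    """
    svc = service.upper()
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        log.append(f"{svc} REJECT malformed-address {client_ip!r}")
        return False
    # An IPv6 address is never "in" an IPv4 network, so mixed versions reject.
    ok = any(ip in net for net in allow.get(svc, []))
    log.append(f"{svc} {'ACCEPT' if ok else 'REJECT'} {ip}")
    return ok


def demo() -> Dict[str, bool]:
    """Run the check for a few constructed clients and return the verdicts."""
    LOG.clear()
    return {
        "partition_on_lan": check_access("TELNET", "10.1.2.3"),
        "vpn_user":         check_access("TELNET", "172.20.200.17"),
        "home_pc":          check_access("TELNET", "198.51.100.7"),
        "ftp_from_vpn":     check_access("FTP", "172.20.200.17"),
        "garbage":          check_access("TELNET", "not-an-ip"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'ACCEPT' if verdict else 'REJECT'}")
    print("\n".join(LOG))
```

Two practical points about a check of this kind: the VPN users only pass because the allow list includes the address pool the VPN gateway assigns them, so that range has to be maintained alongside the gateway configuration; and the check is only as good as the source address the i5 sees, so if the NAT device in front of the i5 also rewrites the source of inbound connections, every outside client arrives with the same inside address and the host-side filter cannot tell them apart. For that reason it complements, rather than replaces, closing port 23 at the internet router.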