Help me help my IT guy help me, please.
July 12, 2010 10:17 AM Subscribe
I'm trying to figure out if it's possible to VPN to my company's network. The IT guy is not being forthcoming, declaiming all knowledge of Macs.
So, I've got a company laptop, a PC. I can VPN to the internal network and this enables me to use their Novel login to get access to the internal files so that I can download them and work on them from home.
However, I'm doing intensive graphic work on my Mac and having to transfer with a thumb drive back and forth. (Any tips on getting these two machines to communicate better without a thumb drive transfer would be awesome!)
So, it looks like I have VPN capabilities on my Mac however, I need some additional authentication from our IT guy in order to make it work (a "shared secret" or a certificate?). However, even if I get that to work, would I be able to login to our system from my Mac and browse files?
I basically want to know if this is possible and what kind of info I might bring to our IT guy so that he can set this up for me.
Bonus: my supervisor is leery of me using my Mac "because of viruses" which I tried to gently point out are not much of an issue with Macs. However, if there is some sort of new issue I should be aware of beyond general file compatibility between Macs and PCs, I'd love to know about it.
So, I've got a company laptop, a PC. I can VPN to the internal network and this enables me to use their Novel login to get access to the internal files so that I can download them and work on them from home.
However, I'm doing intensive graphic work on my Mac and having to transfer with a thumb drive back and forth. (Any tips on getting these two machines to communicate better without a thumb drive transfer would be awesome!)
So, it looks like I have VPN capabilities on my Mac however, I need some additional authentication from our IT guy in order to make it work (a "shared secret" or a certificate?). However, even if I get that to work, would I be able to login to our system from my Mac and browse files?
I basically want to know if this is possible and what kind of info I might bring to our IT guy so that he can set this up for me.
Bonus: my supervisor is leery of me using my Mac "because of viruses" which I tried to gently point out are not much of an issue with Macs. However, if there is some sort of new issue I should be aware of beyond general file compatibility between Macs and PCs, I'd love to know about it.
Best answer: Most likely your company uses IPSEC for VPN. The mention of a shared secret or key suggests this. If your guy is using Cisco or Sonicwall then he can download the VPN setup dmg for you and easily get you going. You can use the built-in VPN tool, but it might be easier for you to use the 3rd party tool because it'll match up (somewhat) with the Windows one.
Secondly, the VPN won't do you any good if you can't authenticate to resources and considering you're on a Novell nework, I'm not sure how you're going to handle that. That's probably another install right there.
If you supervisor doesn't want you to put an untrusted personal machine on his network, then that's 100% understable and has nothing to do with "viruses." IT security is more than just viruses.
That said, if you just want to exchange files then ask for FTP access or Citrix or remote desktop access. Going with something your boss supports and trusts is going to be a lot easier for you.
posted by damn dirty ape at 10:43 AM on July 12, 2010 [2 favorites]
Secondly, the VPN won't do you any good if you can't authenticate to resources and considering you're on a Novell nework, I'm not sure how you're going to handle that. That's probably another install right there.
If you supervisor doesn't want you to put an untrusted personal machine on his network, then that's 100% understable and has nothing to do with "viruses." IT security is more than just viruses.
That said, if you just want to exchange files then ask for FTP access or Citrix or remote desktop access. Going with something your boss supports and trusts is going to be a lot easier for you.
posted by damn dirty ape at 10:43 AM on July 12, 2010 [2 favorites]
>The IT guy is not being forthcoming, declaiming all knowledge of Macs.
If his job description doesn't include macs then why should he know it? You can't just drag any random piece of equipment to your IT guy and expect him to suddenly know it and support it. Perhaps you need to check your expectations of being an employee.
posted by damn dirty ape at 10:45 AM on July 12, 2010 [4 favorites]
If his job description doesn't include macs then why should he know it? You can't just drag any random piece of equipment to your IT guy and expect him to suddenly know it and support it. Perhaps you need to check your expectations of being an employee.
posted by damn dirty ape at 10:45 AM on July 12, 2010 [4 favorites]
I have VPN access at home on my PC. I had to send my IT guy a screenshot of all my virus updates to prove that it was "safe" to my managers.
Just wanted to let you know that it's not impossible.
posted by vickyverky at 10:49 AM on July 12, 2010
Just wanted to let you know that it's not impossible.
posted by vickyverky at 10:49 AM on July 12, 2010
This sort of thing can be a nightmare. I'm not suprised your IT guy is keeping away.
If your IT department is up for it, a Dropbox may be a good way of getting files from your Mac to your PC.
Another solution would be for you to install a Virtual Windows machine on your mac. This is remarkably easy with software like Paralells Desktop, and would allow you to install whatever Windows VPN and login software you need. There is a licensing cost with this solution.
posted by seanyboy at 10:56 AM on July 12, 2010
If your IT department is up for it, a Dropbox may be a good way of getting files from your Mac to your PC.
Another solution would be for you to install a Virtual Windows machine on your mac. This is remarkably easy with software like Paralells Desktop, and would allow you to install whatever Windows VPN and login software you need. There is a licensing cost with this solution.
posted by seanyboy at 10:56 AM on July 12, 2010
Response by poster: You can't just drag any random piece of equipment to your IT guy and expect him to suddenly know it and support it.
I didn't. And I don't.
However, your other answer was just what I was looking for. And the idea of remote desktop access is possibly a good workaround for what I what to do.
posted by amanda at 10:57 AM on July 12, 2010
I didn't. And I don't.
However, your other answer was just what I was looking for. And the idea of remote desktop access is possibly a good workaround for what I what to do.
posted by amanda at 10:57 AM on July 12, 2010
Any tips on getting these two machines to communicate better without a thumb drive transfer would be awesome!
That depends on a lot of things, but in the most basic scenario you would just share a directory on one and mount it on the other, assuming that they're both on the same local network -- you'd have to tell us how you have everything hooked up to get concrete answers.
It's possible that the PC has been locked down to prevent creating shares, so in that case you'd want to create the share on the Mac. It's also possible that the VPN client actively disables all the other network interfaces while the VPN is active, which is meant to prevent people with sloppy settings from accidentally allowing proxy access to company data when a person takes their laptop into a public wireless hotspot or other similar situation. If that's the case then you'd have to disconnect from the VPN before copying files between the two machines.
The larger VPN question is too vague to be answerable as it is: VPN is not a specific thing, it's a type of thing, and there are countless ways of doing it. You need to find out the specific kind and see if there is a Mac version of the client available.
posted by Rhomboid at 10:58 AM on July 12, 2010
That depends on a lot of things, but in the most basic scenario you would just share a directory on one and mount it on the other, assuming that they're both on the same local network -- you'd have to tell us how you have everything hooked up to get concrete answers.
It's possible that the PC has been locked down to prevent creating shares, so in that case you'd want to create the share on the Mac. It's also possible that the VPN client actively disables all the other network interfaces while the VPN is active, which is meant to prevent people with sloppy settings from accidentally allowing proxy access to company data when a person takes their laptop into a public wireless hotspot or other similar situation. If that's the case then you'd have to disconnect from the VPN before copying files between the two machines.
The larger VPN question is too vague to be answerable as it is: VPN is not a specific thing, it's a type of thing, and there are countless ways of doing it. You need to find out the specific kind and see if there is a Mac version of the client available.
posted by Rhomboid at 10:58 AM on July 12, 2010
Best answer: as others have noted, the VPN part is really dependent on what software you're using on the PC. Macs have built-in support for L2TP and PPTP VPNs, which are pretty standard. if you're running a recent version of Mac OS X (Snow Leopard, 10.6), you also have support for Cisco IPsec VPNs. which one you actually need can be determined by your VPN software. there's also the possibility that your VPN is something weird that OS X doesn't have built-in support for.
the second part of this is that evidently you're still using Novell Netware at work? you'll need to get more details about that, too. Macs don't support NetWare servers directly, though there is a NetWare client you can get still. it's not free, however. if your file server is a plain jane Windows file server or can be accessed like one, you won't need that (Macs support Windows file servers fine). the latest versions of NetWare (as part of Open Enterprise Server) do also come with a Mac-compatible file server component, though your IT people may (probably) not have that set up. the file server could be any number of other things too; it's just more likely it'll be either Windows or NetWare-based.
so, the gist of it is you need to know specifically what your company's VPN is (PPTP, L2TP or Cisco IPsec) and what your file server is (is it really a NetWare server, or Windows, or something totally different?).
I think it'd probably be easiest overall to just turn on Windows File Sharing on your Mac, download your stuff on the PC and drop it directly onto your Mac through your home network. these instructions are for Mac OS X 10.6 (Snow Leopard); if you have an older version, there's similar available through the googles. then, from your PC, you can open up a window to your work server and a window to your Mac and just drag and drop between them. this way you won't have to install any other ridiculousness on your Mac and you can get rid of the thumbdrive. (you'll have to have the Windows computer on too, though.)
posted by mrg at 10:59 AM on July 12, 2010
the second part of this is that evidently you're still using Novell Netware at work? you'll need to get more details about that, too. Macs don't support NetWare servers directly, though there is a NetWare client you can get still. it's not free, however. if your file server is a plain jane Windows file server or can be accessed like one, you won't need that (Macs support Windows file servers fine). the latest versions of NetWare (as part of Open Enterprise Server) do also come with a Mac-compatible file server component, though your IT people may (probably) not have that set up. the file server could be any number of other things too; it's just more likely it'll be either Windows or NetWare-based.
so, the gist of it is you need to know specifically what your company's VPN is (PPTP, L2TP or Cisco IPsec) and what your file server is (is it really a NetWare server, or Windows, or something totally different?).
I think it'd probably be easiest overall to just turn on Windows File Sharing on your Mac, download your stuff on the PC and drop it directly onto your Mac through your home network. these instructions are for Mac OS X 10.6 (Snow Leopard); if you have an older version, there's similar available through the googles. then, from your PC, you can open up a window to your work server and a window to your Mac and just drag and drop between them. this way you won't have to install any other ridiculousness on your Mac and you can get rid of the thumbdrive. (you'll have to have the Windows computer on too, though.)
posted by mrg at 10:59 AM on July 12, 2010
The IT guy is not being forthcoming, declaiming all knowledge of Macs.
If his job description doesn't include macs then why should he know it? You can't just drag any random piece of equipment to your IT guy and expect him to suddenly know it and support it. Perhaps you need to check your expectations of being an employee.
Reposting this for emphasis, and I'll also add that if you're not prepared to do 100% of your support and troubleshooting yourself, USE WHAT YOUR IT GROUP WILL SUPPORT. I can't tell you how many times during my IT days that I was asked to support something nonstandard, and my answer was always a firm "Sorry, I can't do that, but I'll be happy to arrange supportable hardware or an OS for you". It's not that I wanted to be a dick, but I just didn't have the bandwidth to ramp up and learn how to support crazy-ass edge cases like Macs and a million desktop Linux variants. There was also the "camel's nose" factor - where if you give someone help on something nonstandard just once, you've just set expectations that you'll do it all the time.
If you can't get this working by yourself, use Windows and then support will be your IT guy's problem, not yours.
posted by deadmessenger at 11:00 AM on July 12, 2010 [1 favorite]
If his job description doesn't include macs then why should he know it? You can't just drag any random piece of equipment to your IT guy and expect him to suddenly know it and support it. Perhaps you need to check your expectations of being an employee.
Reposting this for emphasis, and I'll also add that if you're not prepared to do 100% of your support and troubleshooting yourself, USE WHAT YOUR IT GROUP WILL SUPPORT. I can't tell you how many times during my IT days that I was asked to support something nonstandard, and my answer was always a firm "Sorry, I can't do that, but I'll be happy to arrange supportable hardware or an OS for you". It's not that I wanted to be a dick, but I just didn't have the bandwidth to ramp up and learn how to support crazy-ass edge cases like Macs and a million desktop Linux variants. There was also the "camel's nose" factor - where if you give someone help on something nonstandard just once, you've just set expectations that you'll do it all the time.
If you can't get this working by yourself, use Windows and then support will be your IT guy's problem, not yours.
posted by deadmessenger at 11:00 AM on July 12, 2010 [1 favorite]
Your IT guy may like this even less than putting a Mac on the VPN, but something like Dropbox would at least make it easy to move files back and forth.
Depending on how the firewall is set up at work, you could also potentially set up a SSH tunnel from your work PC to your Mac and tunnel traffic over it in both directions (e.g. grab files from your Mac while you're at work, grab files from your PC while you're at home, remote desktop from home to work, etc.).
As a last resort, you could put VMWare Fusion or Parallels on your Mac, installing Windows XP Pro (get a copy on eBay), and use the Windows VPN software.
posted by kindall at 11:00 AM on July 12, 2010
Depending on how the firewall is set up at work, you could also potentially set up a SSH tunnel from your work PC to your Mac and tunnel traffic over it in both directions (e.g. grab files from your Mac while you're at work, grab files from your PC while you're at home, remote desktop from home to work, etc.).
As a last resort, you could put VMWare Fusion or Parallels on your Mac, installing Windows XP Pro (get a copy on eBay), and use the Windows VPN software.
posted by kindall at 11:00 AM on July 12, 2010
Best answer: There may or may not be a way to trivially get your mac to connect to the VPN. I don't have enough information to say definitively.
Getting your mac to authenticate (log in) to the server is another matter - there is no (as of the last time I supported Novell) mac client. Although it is possible to configure a server to allow for macs to authenticate, it's not guaranteed that your IT department has done that - and that if they had, that your experience would be trouble free. It's not a trivial task.
However, if there is some sort of new issue I should be aware of beyond general file compatibility between Macs and PCs, I'd love to know about it.
Well, there is the issue of you doing company stuff on a machine they don't own and can't audit. Are you using a student version of your apps for business ? That's a violation of the license and the company is open to (substantial) liability as a result. Are the going to be able to recall, or audit access to any confidential files on your computer ? Probably not, it's yours not theirs. And so on. There's a ton of issues that they probably aren't prepared to go into to satisfy your request.
posted by Pogo_Fuzzybutt at 11:09 AM on July 12, 2010
Getting your mac to authenticate (log in) to the server is another matter - there is no (as of the last time I supported Novell) mac client. Although it is possible to configure a server to allow for macs to authenticate, it's not guaranteed that your IT department has done that - and that if they had, that your experience would be trouble free. It's not a trivial task.
However, if there is some sort of new issue I should be aware of beyond general file compatibility between Macs and PCs, I'd love to know about it.
Well, there is the issue of you doing company stuff on a machine they don't own and can't audit. Are you using a student version of your apps for business ? That's a violation of the license and the company is open to (substantial) liability as a result. Are the going to be able to recall, or audit access to any confidential files on your computer ? Probably not, it's yours not theirs. And so on. There's a ton of issues that they probably aren't prepared to go into to satisfy your request.
posted by Pogo_Fuzzybutt at 11:09 AM on July 12, 2010
Wow. I have quite a troubled relationship with Macs, but a modern company considering them "nonstandard" and acting all shocked when a designer wants to use one is just bizarre. But if that's how your workplace is, then you'll just have to deal with it.
At any rate, I think the home-networking file transfer solution mentioned above will work best, or else a virtual Windows on your Mac. That's a nice thing to have anyway.
posted by drjimmy11 at 11:13 AM on July 12, 2010
At any rate, I think the home-networking file transfer solution mentioned above will work best, or else a virtual Windows on your Mac. That's a nice thing to have anyway.
posted by drjimmy11 at 11:13 AM on July 12, 2010
Response by poster: These are great answers -- both for clarifying what the issue is and also giving me some great ideas for work-arounds including (smack on the forehead) installing windows on my machine which I've been wanting to do. I'm not sure if our IT guy will touch Windows on a Mac either but it would get me about ten steps in the right direction for this project.
posted by amanda at 11:22 AM on July 12, 2010
posted by amanda at 11:22 AM on July 12, 2010
VPNing in from an insecure, unsupported computer is a horribly bad idea and you shouldn't do it.
Signed,
IT Security Guy for a Company You Have Heard Of.
posted by Threeway Handshake at 11:24 AM on July 12, 2010 [4 favorites]
Signed,
IT Security Guy for a Company You Have Heard Of.
posted by Threeway Handshake at 11:24 AM on July 12, 2010 [4 favorites]
it is not bizarre for a company to only want company approved machines on the VPN. if she wants the mac to be company approved that's another matter than the one she's discussing. what she's discussing is broadening the support boundaries and policies of an IT department through haranguing some guy who doesn't make those boundaries or policies. it also seems like she's trying to get around what her boss said by convincing IT to help her.
VPN is your first hurdle - if it's anything like the VPNs i've seen on company issued PCs, after you connect, in the background, they'll run some sort of compliance check to make sure the computer is running all the software it should be, it could also push software updates to your computers - so putting a mac on that system isn't as easy as just making the network connection.
posted by nadawi at 11:27 AM on July 12, 2010
VPN is your first hurdle - if it's anything like the VPNs i've seen on company issued PCs, after you connect, in the background, they'll run some sort of compliance check to make sure the computer is running all the software it should be, it could also push software updates to your computers - so putting a mac on that system isn't as easy as just making the network connection.
posted by nadawi at 11:27 AM on July 12, 2010
Response by poster: You guys are so sweet. To clarify, I was planning to take this info back to IT guy and talk it over with him not go all rambo through the back door with my crazy VPN access but I appreciate the concern. I just needed more info on how this might work and what the issues are so that he and I could have a productive conversation.
posted by amanda at 11:30 AM on July 12, 2010
posted by amanda at 11:30 AM on July 12, 2010
we're just explaining why he'll say no, which he will. company lent laptops are given precisely so companies can control them. they have no control over your personal computer.
what you're suggesting is sort of like going to a steak restaurant, bringing your own cut of lamb, taking it back to the kitchen and explaining how they should cook it for you. or, if your boss were to give you sketches of logos for his kid's teeball team and ask you to make them into banners, stickers, and shirts - surely you'd say "yeah, that's not really my job".
the non-VPN suggestions you got here were great. if i were you i wouldn't waste my, or the IT guy's, time with trying to get a non-company issued computer of any OS on the VPN.
posted by nadawi at 11:37 AM on July 12, 2010
what you're suggesting is sort of like going to a steak restaurant, bringing your own cut of lamb, taking it back to the kitchen and explaining how they should cook it for you. or, if your boss were to give you sketches of logos for his kid's teeball team and ask you to make them into banners, stickers, and shirts - surely you'd say "yeah, that's not really my job".
the non-VPN suggestions you got here were great. if i were you i wouldn't waste my, or the IT guy's, time with trying to get a non-company issued computer of any OS on the VPN.
posted by nadawi at 11:37 AM on July 12, 2010
Just a thought here. Evidently the company laptop they issued you is not up to the task of doing the design work.
It would likely be far cheaper and easier for them to pony up and get you a new laptop that is up to the task, rather than trying to support your singular condition, for all the reasons listed above.
posted by Xoebe at 11:40 AM on July 12, 2010
It would likely be far cheaper and easier for them to pony up and get you a new laptop that is up to the task, rather than trying to support your singular condition, for all the reasons listed above.
posted by Xoebe at 11:40 AM on July 12, 2010
Responders - AFAIK she has a remote PC (work) and a remote Mac (personal). PC has VPN, mac doesn't. Remote files are on the server behind the VPN. Inter-machine communication may not be possible (check that split tunneling) so shares/ftp/ssh may not work. There's no telling if the VPN they use will support Mac.
Also - most companies have standard images - and as much as I like the VM suggestion, there's no way I'd ever provide a user with a copy of our standard image to install on their home system.
OP - it's not 'just' viruses. I've setup many a VPN that only allowed connections after checking that the proper security software and patches are in place. By adding a non-standard system, you'd more then doubling the security grunt work - what exploits effect this new system? what exploits effect the software that is running on this system? Is your software patched? Can you be a vector for other attacks that requires more back end configuration to mitigate? Do I have to run another version of the VPN client? What will that impact? Etc etc.
Here's what I suggest you do: stay out of the solution space. Go to your manager and say that your current laptop PC isn't strong enough to handle these graphic tasks in a reasonable time. Let them decide how to meet your needs - don't try to tell them that you need a specific solution (VPN on your Mac), tell them yes/no on the solutions they provide (be it a new system, new process, whatever). You can suggest you use the VPN on the Mac but to me "non-standard" is longhand for "no".
I had to send my IT guy a screenshot of all my virus updates to prove that it was "safe" to my managers.
haha oh wow.
posted by anti social order at 11:42 AM on July 12, 2010 [1 favorite]
Also - most companies have standard images - and as much as I like the VM suggestion, there's no way I'd ever provide a user with a copy of our standard image to install on their home system.
OP - it's not 'just' viruses. I've setup many a VPN that only allowed connections after checking that the proper security software and patches are in place. By adding a non-standard system, you'd more then doubling the security grunt work - what exploits effect this new system? what exploits effect the software that is running on this system? Is your software patched? Can you be a vector for other attacks that requires more back end configuration to mitigate? Do I have to run another version of the VPN client? What will that impact? Etc etc.
Here's what I suggest you do: stay out of the solution space. Go to your manager and say that your current laptop PC isn't strong enough to handle these graphic tasks in a reasonable time. Let them decide how to meet your needs - don't try to tell them that you need a specific solution (VPN on your Mac), tell them yes/no on the solutions they provide (be it a new system, new process, whatever). You can suggest you use the VPN on the Mac but to me "non-standard" is longhand for "no".
I had to send my IT guy a screenshot of all my virus updates to prove that it was "safe" to my managers.
haha oh wow.
posted by anti social order at 11:42 AM on July 12, 2010 [1 favorite]
One more tip for connecting to the Novell server via a VPN - I have found that using the IP addresses of the Novell server(s) for server, tree and context(underneath where you enter your username and password at login), rather than browsing for them, cuts a lot of the network BS out of troubleshooting a connection problem that happens AFTER you have successfully connected to the VPN. This has worked for me, and I am running Novell 6.5.
My network/servers/Mac/PC/VPN situation is weird, though, so YMMV, but it's worth a shot.
posted by chambers at 12:54 PM on July 12, 2010
My network/servers/Mac/PC/VPN situation is weird, though, so YMMV, but it's worth a shot.
posted by chambers at 12:54 PM on July 12, 2010
This thread is closed to new comments.
What I would do is is look at all the settings in your PC VPN program and then try to match them as best as you can on your Mac.
posted by k8t at 10:21 AM on July 12, 2010