CERN   -   IT Department   -   Internet Services Group   -   Remote Access Home


Remote Access to the CERN network information


A general introduction

What is the difference between being on the Internet and being on the CERN internal network? None when accessing services on the internet. However, when accessing services located at CERN from the outside, the CERN firewall can restrict access to these services.

Connecting to the CERN internal network from the Internet

As a general guideline, all services that should be accessible from home and/or from the Internet should be opened in the CERN firewall. There should be no difference in experience between accessing CERN services from the internet and accessing the same services from inside CERN.

CERN has made an important effort to ensure that all central computing services are also available from outside, on the Internet. This is true in particular for Electronic Mail, Web Services, Terminal Services, LXplus, AFS, DFS (via the web interface at https://dfs.cern.ch), EDMS, CDS, EDH and all AIS administrative applications. The future Grid computing services are also all designed to be globally available. There should be no need to request special access to the CERN internal network, including for website browsing. If you find a web site that has an IP address restriction, it would probably be better to ask the web site owner to remove the IP address restrictions and replace them with one restriction on authenticated users that would simply prevent anonymous web site browsing and restrict it to CERN users, wherever they are in the world.

Having said that, exceptions always exist. Therefore here is the simplest and recommended way to connect to the CERN internal network when you are outside: open an interactive session on the "Windows Terminal Services" (see http://cern.ch/wts) or on the central public Linux cluster LXPLUS (see http://cern.ch/plus).

As a final last-chance solution, reserved only for advanced users who know what they are doing, it is possible to use the virtual private network service (see http://cern.ch/vpn). However, given its security implications, this should be used only for extreme and rare cases, and users are formally discouraged from using it as a general solution. This is also because the VPN service may be discontinued, for security reasons, at a future date.

Conclusion: Once connected to the internet, all central computing services are available and there is no general need to connect to the internal network. If this need exists in particular cases, users are recommended to use LXPLUS or the Windows Terminal Services.

Connecting to the CERN technical network from the Internet

The CERN technical network has been designed to be inaccessible from outside CERN. Therefore no further information will be given to access it from the internet. If you need to access equipment on the technical network from outside CERN you may want to reconsider why it was located on the technical network in the first place.

Connecting to the Internet

Connecting your home computer to the internet

This is the simplest case. All you need is a computer, a telephone line and a "modem" (note that the modem can be built-in inside the computer). The modem connects to the telephone socket on the wall. There are several types of internet connections you can have:

  • An analog modem, where the data is transmitted over a normal analog phone call with a speed up to 56 kbps (kilobit per second)

  • A digital ISDN (Integrated Services Digital Network) telephone line which gives you 64 kbps. You can also group two simultaneous ISDN lines to have a total 128 kbps. Note however that with the advent of ADSL, the ISDN solution is less and less used and is therefore not recommended anymore for home use

  • An ADSL subscription where the modem is connected to a special "high frequencies" filter on the telephone line. In this case you can have speeds from 256 kbps up to 2 Mbps and more.

  • There are additional types of Internet subscriptions possible which can use the Satellite or the TV cable. These will not be discussed further, but the model is always the same: a modem that connects the telecommunication device to the computer.

Note that when using ISDN or an analog modem the computer is typically connected using the serial (or USB) lines. Due to the higher bandwidth of ADSL, an ADSL modem always connects using an Ethernet or a USB interface.

Detailed information on how to install a particular modem and the software on your computer should come from your Internet Service Provider (ISP), with whom you need to subscribe for the internet connection.

It is strongly recommended to enable the local firewall of your computer. For the CERN standard Portable computer running Windows XP, this is explained at the page http://cern.ch/Win/docs/XP-firewall.

Connecting multiple computers to the internet at home

Why would you need to have more than one computer at home? Well, if you do not need them, just skip this section. However, especially if you have one computer at home and your CERN portable computer, you may want to have access to the Internet from both of them.

To simplify this document, the information here focuses on ADSL subscriptions only. This is because, given the small bandwidth available on analog and ISDN lines, it is less interesting to share the internet connection. However, what is said here for ADSL can also easily be applied to other types of internet connections.

In general, things are complicated because the Internet Service provider will allocate to your connection only one IP address which allows you to connect only one computer. As a workaround to this problem, outgoing IP connectivity can be achieved by multiple computers using a technology called NAT (Network Address Translation) that is available in all modern network routers. Therefore, if you want to connect multiple computers on a shared internet ADSL connection you need to buy a router or to configure the computer directly connected to the ADSL modem as a router.

If you plan to buy a router, then it is worth buying an ADSL modem with an Ethernet connection, as the vast majority of NAT routers have a WAN (Wide Area Network) Ethernet port to connect the ADSL modem. If you have an ADSL-USB modem, you cannot connect normal routers (but you can buy a router with an ADSL modem built in, which is even simpler; see below). On the other hand, if you plan to use an existing computer to act as a router, you may want to buy an ADSL-USB modem in order to leave the Ethernet connection of your computer free to connect additional computers. This is an advanced configuration (see below) which is not recommended unless you know what you are doing. This configuration has the advantage that it allows you to run services (like a web server or a mail server, or even peer-to-peer applications) on your gateway computer without bothering about the NAT address translation, and therefore using the native IP address provided to you by the ISP (if you use Windows XP, search for "internet connection sharing" or ICS in the local Windows help).
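The address sharing described above can be modelled in a few lines. The following is an added example, not part of the original CERN page: a simplified NAT table that shows two home computers sharing one ISP address, and why a service behind the router is unreachable from outside unless the owner configures a forwarding rule. The class name, addresses and ports are constructed for illustration, and port forwarding is an assumption about a typical router rather than something this page documents.

```python
"""Toy model of the NAT (port address translation) done by a home router.

Added illustration. All addresses are constructed (documentation and private
ranges); real routers differ in how strictly they match returning packets.
"""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.7"  # constructed: the single address given by the ISP


@dataclass
class NatRouter:
    public_ip: str = PUBLIC_IP
    next_port: int = 40000
    # (inside_ip, inside_port, remote_ip, remote_port) -> public port
    out_map: dict = field(default_factory=dict)
    # (public_port, remote_ip, remote_port) -> (inside_ip, inside_port)
    in_map: dict = field(default_factory=dict)
    # public_port -> (inside_ip, inside_port), set explicitly by the owner
    forwards: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the home network.

        Returns the (ip, port) source that the Internet host sees.
        """
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.out_map:
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.out_map[key]

    def inbound(self, src_ip, src_port, dst_port):
        """Return the inside (ip, port) for a packet arriving on the WAN
        port, or None when the router has no mapping and drops it."""
        hit = self.in_map.get((dst_port, src_ip, src_port))
        if hit is not None:
            return hit
        return self.forwards.get(dst_port)


def demo():
    nat = NatRouter()
    web = ("198.51.100.10", 443)  # constructed Internet server
    # Two home computers use the same local port towards the same server.
    a = nat.outbound("192.168.1.10", 51000, *web)
    b = nat.outbound("192.168.1.11", 51000, *web)
    results = {
        "a": a,
        "b": b,
        "reply_a": nat.inbound(*web, a[1]),
        "reply_b": nat.inbound(*web, b[1]),
        # Nobody inside asked for these packets, so they are dropped.
        "unsolicited": nat.inbound("192.0.2.99", 4444, 80),
        "wrong_peer": nat.inbound("192.0.2.99", 443, a[1]),
    }
    # A home web server becomes reachable only after an explicit rule.
    nat.forwards[80] = ("192.168.1.10", 8080)
    results["forwarded"] = nat.inbound("192.0.2.99", 4444, 80)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12} {value}")
```

Every forwarding rule added to a real router exposes the inside service to the whole Internet, which is one more reason to keep the router firewall enabled as recommended below.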

In all cases it is strongly recommended to enable the local firewall of your NAT router. The procedure to do this is explained in the documentation of your router.

Advanced comment 1: If you have a router, you may wonder what the difference is between the WAN (Wide Area Network) port and the other ports. It is the NAT service that differentiates them: the WAN port is where you have the unique IP address and where the router will issue a DHCP request to obtain it. The other ports are where the router will run its own DHCP server and allocate additional addresses. The WAN port is also where the PPPoE (Point-to-Point Protocol over Ethernet) connection will be established: using PPPoE, the router will log in to the ISP with a username and password to establish the Ethernet connection. You can normally set up the PPPoE credentials by connecting, from any of the ports, to the local web server that is running on the router.

Advanced comment 2: If you use a computer as a router, the Ethernet switch is optional if you connect only one additional computer to the computer acting as a router. If you do so, remember that you cannot use a normal Ethernet cable but must use a "crossed" cable. Using a crossed cable you can connect two computers directly using their Ethernet cards.

This is quite complicated... isn't there a simpler solution?

YES. There are two simplifications possible: The first is to use Wireless LAN (also called Wi-Fi or 802.11) to avoid pulling cables through your house. The second is to integrate the ADSL modem and the router in the same box. In the ideal case, one box that is an ADSL modem with router and wireless access point is all you need.

Another possibility is to reuse the free ADSL (Ethernet) modem that the ISP gave you and buy a wireless router with an Ethernet switch. This has the advantage that you can freely mix Ethernet and wireless at home and use Ethernet for fixed computers.

Conclusion: If you have multiple computers to connect to the internet and you want the simplest solution, choose the all-in-one Wi-Fi router. The ADSL modem can be separate or built in, and it is up to you to decide whether you have only wireless or a combination of wireless + Ethernet inside your house.

IMPORTANT NOTE: The frequency channels used in France for Wi-Fi are more restrictive than in the rest of the world. To avoid incompatibilities (especially when buying Wi-Fi cards for the client computers) it is strongly recommended to buy these in Switzerland instead of France. The incompatibility is only in one direction: French client cards have a 30 % chance of being unable to connect to a Swiss access point. Swiss cards can connect to all French and Swiss access points.

In all cases it is strongly recommended to enable the local firewall of your router. The procedure to do this is explained in the documentation of your router.

If you have a wireless access point, ensure that you have secured it by enabling access only for the physical Ethernet addresses of your wireless cards. Otherwise your neighbours could sniff into your home network. The procedure to do this is explained in the documentation of your wireless access point.

Connecting your CERN portable computer to the internet when at Home

The way to connect the CERN portable computer to the internet when at home is identical to the way described above to connect your home computer.

As the vast majority of CERN portable computers are equipped with wireless cards, the ADSL with wireless access point solution at home is ideal, as it allows you to move your portable computer transparently to and from your office.

In all cases, especially if you do not have ADSL at home, any other solution to connect your computer to the internet at home remains valid, including the analog modem.

Connecting your CERN portable computer to the internet when traveling

When traveling, things get terribly more complicated because you never know what you can expect at the remote location. Therefore we will focus on only four cases: connecting to the internet using an analog modem, connecting using a GSM portable phone, connecting using a wireless provider and finally connecting using Ethernet.

Connecting your CERN portable computer to the internet using Ethernet

When you are traveling at remote institutes or universities and in some hotels, you can find an Ethernet connection. In this case, if you have a CERN standard portable computer which is configured as a DHCP client ("obtain IP address automatically") you should just plug in the Ethernet cable in your computer. For this to work, the Ethernet socket should provide a DHCP (Dynamic Host Configuration Protocol) service. If the Ethernet socket does not offer a DHCP service, you will have to configure the TCP/IP connection of your computer manually using the instructions available at the remote site.


An RJ45 Ethernet Cable (8 wires)

It is strongly recommended, when your computer is connected directly to a remote network, to enable the local firewall. For the CERN standard Portable computer running Windows XP, this is explained at the page http://cern.ch/Win/docs/XP-firewall.

You should note all changes you make to your TCP/IP and firewall configuration while traveling so that when your computer connects again to the CERN internal network you can roll back to the original recommended configuration for the CERN internal network.

A final suggestion: If you plan to connect remotely using Ethernet, make sure you have an Ethernet cable a few meters long in your "traveler's kit". One of the most common reasons that prevent travelers from using Ethernet connections is the lack of a cable at the remote location.

Connecting your CERN portable computer to the internet using Wireless 802.11 (Wi-Fi)

Another handy technology to connect to the Internet when you are traveling at remote institutes, in universities, in several hotels and in several public areas (airports, train stations, etc.) is Wireless 802.11. It is now easier to find public wireless hot spots than to find an Ethernet connection.

In this case, if you have a CERN standard portable computer which is configured as a DHCP client ("obtain IP address automatically") you should plug in the wireless card (or enable it if it is built into your computer). For this to work, it is very likely that you will have to configure some of the wireless network properties (typically the SSID) following the instructions available at the remote site.

But where are these instructions? In the vast majority of cases, once your card is connected to the wireless network, only the web browser will work. Opening the web browser to any URL will give you additional instructions (similar to the physical address registration page which appears when an unregistered network device connects to the CERN internal network). When you are in public areas (hotels, airports, train or bus stations, ...) these additional instructions will also give you billing, subscription and payment information.

In all cases, it is strongly recommended to change the parameters of your wireless connection manually. In all cases, avoid inserting the CD-ROM of the service provider that will reconfigure your computer to use the local service: this will work, but your computer will be reconfigured to use exclusively that service and it will be a serious headache to reconfigure your computer back to its original configuration for use at CERN. Also do not forget, when your computer is connected directly to a remote network, to enable the local firewall. For the CERN standard Portable computer running Windows XP, this is explained at the page http://cern.ch/Win/docs/XP-firewall.

IMPORTANT NOTE: The frequency channels used in France for Wi-Fi are more restrictive than in the rest of the world. To avoid incompatibilities it is strongly recommended to buy wireless client cards in Switzerland instead of France. The incompatibility is only in one direction: French client cards have a 30 % chance of being unable to connect to a Swiss, European Union or United States access point. Swiss cards can connect to all French, Swiss, EU and US access points.

Connecting your CERN portable computer to the internet using an analog modem

While this is probably one of the slowest connection techniques, it is probably the one that is available everywhere you can find a telephone. Unfortunately, connector standards for telephones are not quite yet a reality in Europe and it is strongly recommended that you use something like the "Modem traveler's kit" shown below in order to be physically able to connect your computer to the local telephone line in every country. The "Modem traveler's kit" is bundled with the purchase of the Fujitsu-Siemens laptops from the CERN PC-SHOP.

 

In addition, the traveler's kit may not be enough. First of all, because it has an RJ-11 connector (4 contacts, only 2 active, the inner center ones, for 1 telephone line) and in some countries an RJ-12 connector is used (6 contacts, only 2 active for 1 telephone line). But also because there is some misunderstanding in the USOC (Universal Service Ordering Code) standard for RJ (Registered Jack) connectors about which 2 of the 4 wires should be used for the telephone line. This is because in many wirings there is confusion with the RJ-14 standard, which has the same 4-contact connector as the RJ-11 but 4 active contacts for 2 telephone lines.

To make things worse, the CERN fixed telephones use neither the inner nor the outer wires of the RJ-11 but the first and the third ones. This non-standard wiring requires a dedicated additional modem cable just for use within CERN.

A short conclusion on connectors: After connecting it to the wall socket, if your modem is silent, it is a wiring problem and it is very likely that the modem signal arrives at the outer two contacts of the RJ-11 instead of the inner two. Therefore, to be sure to connect wherever you are, make sure that you also add to your traveler's kit a screwdriver, scissors, spare wires, and maybe a soldering iron.

Once you have finished the easy part (connecting your modem to the local telephone) you can start the difficult one: Which phone number to dial to get internet access? And which credentials should you use? Here you have basically two options:

Call your ISP in Switzerland or France. This is the easiest way from the configuration point of view because you do not need to reconfigure your computer. But ... it is very expensive if you are not located in that country. Also note that if you dial in using a toll-free number, these are generally not available outside France or Switzerland and are therefore simply unusable. In conclusion, this first approach is not recommended.

... OR ...

Call a local number to minimize your communication cost. This requires a subscription to a local ISP (which may be very easy to obtain if you are familiar with the country you are in and/or if you speak the local language) or a subscription to a "global" Internet Service Provider.

We will not discuss further either the first option or the local ISP solution for the second, and will continue our discussion only on the "global ISP". To use the global ISP, make sure you have made your subscription and tested it *before* leaving CERN for your trip. You should also have tested it a few times from both France and Switzerland to become familiar with it. Note that any CERN office (provided you have the CERN special ad hoc cable to connect the modem) is an ideal place to test the connection from both France and Switzerland (dial the 0 for Switzerland, 10 for France local numbers).

As you can see in another part of this document, we have identified a few global ISPs that you can use. The least intrusive one (in terms of software to install), which is likely to give you the fewest headaches, is IPASS (www.ipass.com), whose partner in Switzerland is www.bluewin.ch (search for the "Traveler Package"). Otherwise you can use a "branded" global provider such as America Online (www.aol.com) or Compuserve (www.compuserve.com). For further information, see the dedicated article on this web site.

Connecting your CERN portable computer to the internet using a mobile phone

Using your mobile phone is the slowest connection technique available and by far the most expensive (except when you are under the coverage of the sunrise network). The mobile phone gives no advantages compared to the fixed telephone line except that you do not have the burden of the "wiring" problem that the fixed telephone gives you.

The mechanism to connect is similar to all other known technologies: you connect using the built-in modem of your mobile phone.

However, you have two basic choices: establish a GSM data connection or a GPRS (General Packet Radio Service) connection.

The GSM data connection is like a normal phone call and you can connect to your usual (local or global) ISP as you would have done from a fixed analog telephone line. All you need to verify is that your GSM subscription allows you to place digital GSM calls (for CERN phones this requires a special subscription) and then you can use your GSM instead of the local analog modem. The disadvantages of the GSM data connection are its maximum speed, limited to 9.6 kbps, and the cost of a normal GSM call (to which you need to add the roaming cost). This cost can be very high and the only possibility to use this service is to work in "disconnected mode", only for reading/sending email (you connect to download received messages, you disconnect, you read and write your email and you finally connect again to send the outgoing mail).

The GPRS connection is a more appealing technology when using mobile phones. However, this requires a separate setup available from your telephone provider (and not your ISP) and often a separate subscription. In addition, there is currently no automated roaming possibility among different GPRS operators and therefore you will need to change the configuration of the GPRS connection in your computer (the phone number and the credentials to establish the connection) every time you change operator. This information is published on the web site of the telecommunication operator. The advantages/disadvantages of GPRS are: a maximum speed limited to 28.8 kbps, and a cost proportional to the amount of data transmitted and not to the connection time (no need to work in disconnected mode). Finally, remember that while roaming costs are very high, when used from a CERN mobile phone on the Swiss sunrise network, GPRS usage is free of charge.

The IT/CS group now provides a service for using GPRS with a CERN-owned phone. Information on how to use this service is available from http://cern.ch/it-cs/telecom/gprs. The service is limited to accessing the CERN intranet only; if you need to access resources on the internet, you can open, after connecting to CERN using GPRS, an interactive session on the "Windows Terminal Services" (see http://cern.ch/wts) or on the central public Linux cluster LXPLUS (see http://cern.ch/plus) to get outside CERN.

Visitors at CERN: Connecting to the internet from local hotels and local homes in the CERN neighborhood

If you are a temporary visitor at CERN and you require a short-time internet connection from your flat the easiest and quickest solution is the analog modem connection. In both France and Switzerland there are "free" internet service providers, where "free" means that they provide you with unlimited internet access for the cost of a local telephone call. If you buy "packages" and you commit to a minimum number of hours connected per month, then you can have even better deals.

The major difficulty that visitors may experience is finding an ISP that has its web information pages available in English.

If you are living in Switzerland there are two providers (Infomaniak and Tiscali) which provide you with a simple number that you can dial to get an internet connection from anywhere. At the time of writing, the access numbers are:

Provider: Infomaniak
Web site: www.infomaniak.ch
Dial-in information: http://www1.infomaniak.ch/acces_internet/num_acces_free.php
Username: infomaniak
Password: infomaniak
Phone number: 107410840560999
Note: Check the phone cost from your telecom operator before proceeding. Information subject to change at any moment. Please check the Infomaniak web site for details.

Provider: Tiscali
Web site: www.tiscali.ch
Dial-in information: http://support.tiscali.ch/fr/supp-freeconnect-support.htm
Username: tiscali
Password: freenet
Phone number: 0840 840 850
Note: Check the phone cost from your telecom operator before proceeding. Information subject to change at any moment. Please check the Tiscali web site for details.

If you are living in France, then you have to make a free subscription. This is without cost and it can take up to 48 hours according to the provider. Once this is done, the provider will give you the national phone number (at a local call cost) to call and your username and password for the dial-in parameter.

The URLs of the available ISPs are on the http://cern.ch/remoteaccess home page.

 

 

Remote Access Site
CERN - Internet Services Group - 2004