Mac OS X 10.7.x Network Configuration

This document describes how to configure the network portion of Mac OS X 10.7.x for use with the Princeton University campus network. Specifically, it covers configuration for use with OIT Ethernet Service, OIT Wireless Service, and OIT PPTP VPN Services.

Contents

1. Software Versions and Update Recommendations
2. The Network Pane in System Preferences
3. About Network Locations
4. Creating Locations
5. Configuring Locations
6. Selecting a Location
7. Disable the Firewall's Stealth Mode
8. PPTP VPN: Configuration
9. PPTP VPN: Connecting and Disconnecting
10. Notes and Caveats
11. Support History at Princeton

Versions of Mac OS X 10.7.x considered "current" at Princeton at this time are:

• 10.7.2
• 10.7.3

We are currently testing version 10.7.4, and have not yet announced support for it.

All older versions of 10.7.x are no longer considered "current" at Princeton, and should be updated. This documentation assumes you are using a current version of Mac OS X.

If you are not sure what version of Mac OS X your Mac is running, use the About this Mac command under the Mac's Apple menu.

If you are running a version that we no longer consider current, we recommend you upgrade to a current version; our documentation assumes you are running a current version.

Upgrading:

• To upgrade from version 10.6.x to version 10.7.x, purchase Apple's Mac OS X 10.7 product; this is a commercial upgrade sold via the Apple App Store. If the App Store provides you with version 10.7 (rather than 10.7.2), then after installing version 10.7, use Software Update pane in System Preferences to update to version 10.7.2.

• To upgrade from versions 10.7.x to version 10.7.3, use the Software Update pane in System Preferences.

Use the System Preferences application to perform network configuration. You will find this application in Mac OS X's Applications folder, as well as in the Apple menu. It may also be in the Dock.

Launching the System Preferences application displays the main System Preferences window. Within this window, click the Network icon; the Network pane of System Preferences is displayed. All network configuration steps will be performed within this pane, sometimes called the "Network preferences pane" or simply "Network preferences."

If the lock icon in the window's lower-left corner is locked, click the icon to unlock the Mac's System Preferences; you will need to provide an administrator's password to do so.

When you have finished making changes (described below), click the Apply button in the window's lower right corner (if you have made changes you wish to keep). If earlier you unlocked your System Preferences, and wish to relock them, click the lock icon in the lower-left corner of the window.

You may then select Quit System Preferences from the System Preferences menu, or click the window's Close button.

In Mac OS X, a network location (or simply a location) is a group of saved configurations for one or more network ports.

Commonly-used kinds of network ports (also called interfaces) include an Ethernet port, a Wi-Fi (a.k.a. Wireless) port, and a Modem port. Other kinds of network ports include a VPN (PPTP) port (used for some Virtual Private Networks), a FireWire port, and a Bluetooth port.

Throughout this documentation, we use the terms network location or location as Mac OS X does (rather than in the conventional sense to mean a physical location).

In its simplest form, you may use a location to correspond to a single way of connecting your Mac to the network; e.g. "Ethernet in my office," "Ethernet at home," "Modem on the road," "Wireless using OIT Wireless Service," or "Wireless at a cafe". Each time you connect your Mac to the network in a different way, you would select a different location.

Because a single location can include configurations for multiple network ports, sometimes a single location can be used when connecting your Mac to the network in more than one way (e.g. "Ethernet in my office" and "Modem on the road", or "Ethernet or Wireless, whatever happens to be available"). Making a single location perform double duty may be convenient, saving you the trouble of selecting a different location each time you connect your Mac in a different way. But it may also lead to unexpected behavior if it results in multiple network ports active simultaneously.

At the top of the Network pane of System Preferences is a Location pop-up menu. This is where you may select the current network location, create new locations, and delete uneeded locations. Initially this menu contains one location named Automatic. The pop-up menu may list additional locations, if you have created any previously.

The Location pop-up menu also contains an Edit Locations... command. This command displays the Locations sheet; that sheet displays a list of all location names, along with buttons to create a new location name, delete an existing location name, rename an existing location name, and to create a new location name by duplicating an existing one. When you are done performing these operations, close the sheet with its Done button. Once a location name exists, to view or edit its configuration, you select the location name in the Location pop-up menu; the remainder of the Network pane will display that location's configuration.

A single Automatic location may meet your needs, or you may need to create additional locations:

• If your Mac has a single network port (e.g., Ethernet), always uses this single port to connect to the network, and is always connected to the network in the same way, there's no need for you to create other locations. The Automatic location should work fine for you.

• If your Mac has both a Wi-Fi port and another port (e.g. Ethernet), and you don't want the Mac to silently switch from one port to another (e.g. from OIT Ethernet wiring to an untrusted third party's private Wireless Access Point), you may decide it is prudent to create a unique location for each connection method.

• If your Mac has multiple network ports which might find themselves simultaneously attached to live networks, and each of those networks is a different campus IP subnet, some traffic sent by your Mac will be discarded by the campus network.

  This would happen, for example, if your Ethernet port is attached to the campus network, but your Wireless port also happens to be within range of an OIT Wireless Access Point, so both are simultaneously attached to live (but different) IP networks. (For the curious, a technical explanation for why the traffic is discarded is at Mac OS X Network Configuration: OIT Notes and Caveats.)

  You can avoid this problem by creating a unique location for each network port, designating that only one port be active in each location.

• If your Mac has multiple network ports which might find themselves simultaneously attached to live networks, and two (or more) of those network interfaces are attached to the same IP subnet, the Mac's network software may operate in a way that is not acceptable on the campus network. It may mistakenly use the IP address of one interface for the other interface.

  This is a variation of the previous problem, but is particularly bad when both interfaces are attached to the same IP subnet. Few operating systems support having two physical network interfaces simultaneously attached to the same IP subnet.

  This would happen, for example, if your Ethernet port is attached to the campus network, and your Wireless port also happens to be within range of a private Wireless Access Point attached to the same IP subnet and operating as a bridge. (It doesn't happen with OIT Wireless Service, as OIT's Wireless Access Points are attached to an IP subnet that provides no customer Ethernet connections.)

  As the resulting network activity is not acceptable on the campus network, you must avoid this problem, typically by ensuring that only one of your network interfaces is active at a time; the simplest way to do this is by creating a unique location for each network port, designating that only one port be active in each location.

• If you connect your Mac to the network using the same kind of network port in more than one way at different times, and each way you connect requires a different configuration for that network port, you will need to create a location to hold each of the different configurations. One example would be using the Wireless port with different Wireless Network Names (a.k.a. SSIDs), such as OIT Wireless Service (network names puwireless, puwireless2, etc.) and a private wireless network. Or you might use the Ethernet port with DHCP service in some locations, but Manual service in others.

• If you sometimes operate your Mac with no network connection, and don't want it to waste time trying to establish a network connection, you may want to create a location with no active network ports.

If based on the previous section, you believe the single Automatic location should meet your needs, you are welcome to use it; you may skip this section, and proceed to the Configuring Locations section below.

On the Network pane in System Preferences, use the Location pop-up menu to create a new location name as follows:

1. In the Location pop-up menu, select Edit Locations....

2. The Locations sheet will appear. This displays a list of the location names presently defined on your device. Below the list are several buttons you may use to edit the list. The + (plus) button may be used to create a new location. The - (minus) button may be used to delete a location. The Action (gear) pop-up menu contains commands to duplicate an existing location (which will give the copy a new name), or to rename an existing location.

   Click the + (plus) button to create a new location. A new name will appear in the list of locations in the sheet. The new location will be named Untitled. (If you already have a location with that name, the new one will be named Untitled 2, etc.)

   Select the name of the new location in the sheet, and edit it to give it a more descriptive name. For example: Ethernet Only, Wireless Only, Modem, At Cafe, At Hotel, Offline, etc.

   You may use different names than these; throughout our documentation, we often assume you are using these names. For example, if you use OIT Wireless Service on-campus, but a private wireless network at a cafe, you might choose to create locations named Wireless Only - OIT and Wireless Only - Cafe.

3. Click the Done button to save the new location name and dismiss this sheet.

4. The new location you named has been created with some default settings. Its name appears in the Location pop-up menu. (It might not be the currently-selected location in the pop-up menu.)

   Apple does not document the default settings it creates when you create a new location. It appears these settings may be the same as the Automatic location that originally comes with Mac OS X, although we do not know if the settings vary depending on the Macintosh hardware you are using and any ports connected to a network at the time you create the location.

5. Click the Apply button in the Network pane.

If you need to create additional locations, repeat the steps above.

You need not immediately create all the locations you might eventually need; you may choose to create just the location(s) you need initially, then return to this procedure in the future when you need to create other locations.

If there are any locations you will not be using (for example, perhaps you have decided not to use the Automatic location), delete them to avoid confusion. You may do so by selecting the Edit Locations... command from the Location pop-up menu. The Locations sheet will appear, listing all location names. For each location you wish to delete, select the location name, then click the - (minus) button. When you are done deleting locations, click the Done done button to dismiss the sheet. Finally, click Apply in the Network pane to save your changes.

At this point you have one or more locations created, but have not yet configured them properly for use with the campus network. (When you create a new location, its initial configuration has settings that are usually inappropriate for use with the campus network. For each location, you will need to configure it appropriately, as described in the next section.

Any location you create, as well as the Automatic location, begins initially with a default configuration. The initial configuration is usually not appropriate for use with the campus network. You should reconfigure the location (even the Automatic location) appropriately for use with the campus network.

For each location, configure it as follows:

1. Select the location name in the Location pop-up menu.

2. The left side of the Network pane will display a list of network ports (interfaces) that are part of this location. These include both physical ports, and virtual ports.

   Confusingly, Apple refers to the items in this list as services, rather than as network ports or network interfaces.

   Some common names of network ports include Ethernet (for an Ethernet interface built into the Mac's motherboard), Wi-Fi (for an 802.11 Wireless interface), FireWire (for a FireWire interface built into the Mac's motherboard), Display Ethernet (for an Ethernet interface built into an attached display), and Internal Modem (for an Apple Modem installed inside the Mac). If your device has more than one Ethernet port, those ports may be named Ethernet 1, Ethernet 2, etc. (If you have configured this location to also support VPN, a port named similar to VPN (PPTP) will also appear.)

   If your Mac has a third-party network port, the port's name may be less intuitive. If you find the name unintuitive, you can give it a better name; select it from the list, then choose the Rename Service... command in the Action (gear) pop-up menu below the list, and enter a new name for the network port.

   In addition to displaying the name of each network port, the list also indicates if the port is Connected, Not Connected, Inactive, Off or in some intermediate state.

   Each port in a location is designated as Active, Inactive, or Off. the Mac tries to use ports designated as active, but does not use use ports designated as inactive or off. Ports designated as inactive or off are clearly marked with the word Inactive. or Off, respectively. Those that are designated active are not explicitly marked with the word Active.

   Just because a port is designated as active doesn't mean it will actually be carrying traffic. For example, an Ethernet port may be designated as active, but if no Ethernet cable is plugged into it, the port will not carry any traffic. The Mac considers the port active, but not connected.

   If multiple ports are designated as active and more than one is currently connected to a working network and capable of carrying traffic, the Mac may simultaneously use more than one network port. It may send some of its traffic out each port, and receive traffic via both ports. In some situations, this will work; in others, it will not behave as you might expect.

   When you create a new location, the Mac assumes it should designate all network ports as active; you will change this next.

3. In the list of network ports displayed by Network Port Configurations, make Inactive each of the network ports listed except the port(s) that you intend to be active in this location.

   To make a network port Inactive for this location, select the port from the list of ports on the left side of the pane. Then from the Action (gear) pop-up menu below the list, select the Make Service Inactive item.

   Since most often you create a new location to be used with a single network port, you will usually want only that one network port active. For example, if this location will be used when you are attached via the Ethernet port, you should make inactive all ports except the Ethernet port.

   If the location has already been set up to be used with the PPTP VPN client, and you wish to continue to use this location with the PPTP VPN client, then the VPN (PPTP) port must remain active, along with the physical port used to attach the computer to the network (e.g. the Ethernet or Wi-Fi port).

4. In this list of network ports, you may choose to change the order of the network ports. You may do this by selecting the Set Service Order command from the Action (gear) pop-up menu below the list of ports. That displays the Service Order sheet, where you may drag the network port names (recall that Apple confusingly calls these "services") into a different order.

   The Mac often re-orders a location's network ports on its own. We have not found any Apple documentation explaining this behavior.

   When only one port is active, it does not matter in which order the ports are listed.

   If more than one port remains active, the order matters, but not in the way one might expect. We have not found definitive documentation explaining how this works. (The relevant Apple documentation indicates that the OS tries the network ports in the order they appear in the list, but this appears to be incomplete or inaccurate. It appears instead that the OS will make simultaneous use of the enabled ports, at least for some kinds of ports. The effect of the ordering is unclear.)

   Having multiple ports simultaneously active could lead to unexpected behavior, as mentioned above in About Network Locations. You can avoid these issues by ensuring that each location has only a single network port active. (If you do choose to have multiple ports active, you should be prepared to decide the order in which they should be listed, taking into consideration which port you want associated with the Mac's default IP route. Or perhaps the location you are configuring may use the PPTP VPN client, so you must leave the VPN (PPTP) port active, in addition to your regular network port.)

5. In the list of network ports on the left side of the pane, select the name of a network port you wish to configure.

   If earlier you specified that this is the only network port that is active in this location, then this is the only port you will need to configure for this location.

   Otherwise you will need to configure each active network port separately. Start by selecting one of the active network ports to configure first; when you have completed configuring this port, you will need to come back this step later to configure each additional active port.

   (The steps below do not apply if you are configuring a VPN (PPTP) port; instructions for configuring that kind of network port appears in another section below, entitled PPTP VPN Configuration. Configure all the non-VPN ports first.)

6. If possible, arrange for your Mac to be physically attached to the campus network using the network port you are currently configuring.

   For example, if you are configuring an Ethernet port, ensure the Ethernet cable is attached. If you are configuring a Wireless port, ensure you are within range of an OIT Wireless Access Point.

   If this is not possible at this time, you can still perform most of the configuration steps below.

7. The main portion of the Network pane now displays some of the settings for this single network port within the current location. While Apple doesn't seem to have a name for this display, we'll refer to this display as the basic settings for this network port.

8. If the current network port is Wi-Fi, configure the basic settings on the right side of the preference pane as follows, (for use with OIT Wireless Service):
   1. If the Status of the Wi-Fi interface is Off, then turn on the Wi-Fi interface by clicking the Turn Wi-Fi On button.

      (If you had made any changes to the configuration that you have not yet "applied", when you try to turn on the Wi-Fi interface, the Mac may alert you that Switching Wi-Fi power will cause any unsaved changes to be lost. Would you like to apply your changes before switching Wi-Fi's power?. If this alert is displayed, do respond by clicking Apply. That will saves your outstanding changes before turning on the Wi-Fi interface.)

   2. In the Network Name pop-up menu, select puwireless.

      Network names that begin with puwireless are those that are part of OIT Wireless Service. (In some areas of campus, the correct name to use is puwireless2.)

      If you only turned on the Wi-Fi interface a few moments ago, it may take a few more seconds before any network names appear in this pop-up menu. Sometimes clicking the popup-menu a few times will cause more names to appear in the menu.

      If the network name does not appear in the pop-up menu, you will not be able to complete this configuration step. This may be because you are not currently within range of OIT Wireless Service.

   3. We suggest you uncheck the Ask to join new networks checkbox. (You may choose to leave it checked, but may find it irritating to be interrupted by the dialog box this will produce when you are out of range of your preferred Wi-Fi networks.)

   4. Ensure the Show Wi-Fi status in menu bar checkbox is checked. This causes the Mac to display the Wi-Fi menu in the menu bar. (As described in Mac OS X Network Configuration: OIT Notes and Caveats, this menu often does not work properly.)

9. Click the Advanced... button near the lower-right corner of the preference pane to view the selected network port's advanced configuration sheet.

   Within the advanced configuration sheet for this network port is a series of tabs. Each tab causes a different subset of items to be displayed. In the steps below, you will click each tab, and configure its associated items.

10. If the Hardware tab appears, click it.

    If this is an Ethernet port or a Wi-Fi port, in the Configure pop-up menu, select Automatically.

11. If the Wi-Fi tab appears, click it.

    Configure as following (for use with OIT Wireless Service):

    1. If the name of the wireless network you selected above (puwireless or puwireless2) does not appear in the table of Preferred Networks, add it. Do so by clicking the + (plus) button below the table, You will be prompted to enter the name of a wireless network. Enter (again) the wireless network name you selected earlier (no spaces, all lower case). In the Security pop-up menu, select None. Click OK to save this network and exit from this sheet.

    2. If any wireless network names other than puwireless or puwireless2 appear in the table of Preferred Networks, you may wish to remove them. Network names that begin with puwireless are those that are part of OIT Wireless Service.

       It is particularly important to remove any wireless network names beginning with puvisitor, as those are part Temporary Visitor Wireless Network Access (TVWNA). Allowing your device to try to connect to any of those will interfere with your device's ability to connect to OIT Wireless Service.

       To a remove a wireless network name from the table, select the name in the table, then clicking the - (minus) button below the table.

    3. Uncheck the Remember networks this computer has joined checkbox.

       Unchecking this box is intended to reduce the chances your Mac will connect to a wireless other than the one you currently intend for it to connect.

12. Click the TCP/IP tab.

    In nearly all circumstances, configure TCP/IP as follows (for use with OIT Ethernet Service and OIT Wireless Service):

    1. In the Configure IPv4 pop-up menu, select Using DHCP.

    2. Make sure the DHCP Client ID field is empty. It shouldn't even contain any spaces.

    3. In the Configure IPv6 pop-up menu, select Off if that choice appears. Otherwise, select Link-local only.

    The instructions above for configuring TCP/IP are appropriate for nearly all circumstances. However, if this location's network port is Ethernet, and you choose to use BootP or manual configuration (neither is normally recommended) instead of using DHCP, you will need to configure TCP/IP differently than described above. In that event, follow these more general instructions instead.

13. Click the DNS tab.

    In nearly all circumstances, configure DNS as follows (for use with OIT Ethernet Service and OIT Wireless Service):

    1. Make sure that the DNS Servers list is empty or contains only IP addresses that are in greyed-out type. (Addresses that are greyed-out are ones the device has learned via non-manual configuration, such as DHCP or BootP. These are fine.)

       If any IP address appears in this list in normal type (not greyed-out), remove that IP address by selecting it and then clicking the - (minus) button below the list.

    2. Make sure that the Search Domains list is empty or contains only DNS domains that are in greyed-out type. (DNS domains that are greyed-out are ones the device has learned via non-manual configuration, such as DHCP or BootP. These are fine.)

       If any DNS domain appears in this list in normal type (not greyed-out), remove that DNS domain by selecting it and then clicking the - (minus) button below the list.

    The instructions above for configuring DNS are appropriate for nearly all circumstances. However, if this location's network port is Ethernet, and you choose to use manual configuration (not normally recommended) instead of using DHCP, you will need to configure DNS differently than described above. In that event, follow these more general instructions instead.

14. Click the WINS tab.

    In nearly all circumstances, configure WINS as follows (for use with OIT Ethernet Service and OIT Wireless Service):

    1. Make sure that the NetBIOS Name is empty or contains only a name that is in greyed-out type. (A NetBIOS Name that is greyed-out is one the device has obtained via some other source rather than manual configuration via this preference pane.)

       If any NetBIOS Name appears in this list in normal type (not greyed-out), remove that NetBIOS Name by selecting it deleting it.

    2. Make sure that the WINS Servers list is empty or contains only IP addresses that are in greyed-out type. (Addresses that are greyed-out are ones the device has learned via non-manual configuration, such as DHCP or BootP. These are fine.)

       If any IP address appears in this list in normal type (not greyed-out), remove that IP address by selecting it and then clicking the - (minus) button below the list.

    The instructions above for configuring WINS are appropriate for nearly all circumstances. However, if this location's network port is Ethernet, and you choose to use manual configuration (not normally recommended) instead of using DHCP, you may need to configure WINS differently than described above. In that event, follow these more general instructions instead.

15. If the Proxies tab appears, click it.
    1. Ensure the Use Passive FTP Mode (PASV) checkbox is checked; using passive FTP mode can address some FTP difficulties in the presence of firewalls or NATs.

    2. As no proxy servers are needed to connect to the campus network, ensure none of the checkboxes in the Select a protocol to configure list are be checked.

16. Click the 802.1X tab.

    The campus network does not use 802.1X, so 802.1X login should be left disabled. As the default configuration for 802.1X is for it to be disabled (no profiles appear in the window's left pane), there should be nothing you need to change in this tab.

17. At this point, you should be done configuring the advanced settings for all the tabs displayed for the current network port.

    Click the OK button in the lower right corner of the network port's advanced configuration sheet to dismiss the sheet and return to the basic settings for this network port.

18. Click the Apply button in the lower-right corner of the Network pane to save the configuration for this network port.

    The Mac may prompt you for your password, or the password for the keychain, to allow it to apply and save the changes.

19. If this location has any other network port which is active and you've not yet configured that port, return to step 5 above to select that network port and configure it.

    Repeat this process until you have configured all network ports that are active for this location.

If you created multiple locations, repeat the steps above (go back to step 1) for each each location.

You may also wish to create an additional location in which all network ports are inactive (e.g. name it "Offline"), for use when you don't want your Mac to attempt to use the network at all. Simply select each network port in the list on the left side of the preference pane, and use the Make Service Inactive command in the Action (gear) menu.

After you are done configuration all your locations, click the Apply  button in the lower-right corner of the Network pane (it will be dimmed if you have made no changes since last clicking it). Then select Quit System Preferences from the System Preferences menu.

After you have created any necessary locations, and configured all your locations, all that remains is to select your current location. You may do so in either of the following ways:

• You may use the Location hierarchical menu, located in the Mac's Apple menu. It lists the name of each of the locations currently defined; select one to change to that location. (You may do so even if the Mac's System Preferences are locked.)

• You may open the System Preferences application, either from within Mac OS X's Applications folder, or from the Apple menu. (It may also be in the Dock.) Select the appropriate location from the Location pop-up menu, then click the Apply button. (You may do so even if the Mac's System Preferences are locked.) You may then quit the System Preferences application.

If you have several locations defined, and need to switch among them (e.g. when you change the way your Mac is connected to the network), you may use either method above to select a different location. The first method is usually more convenient, as it involves just a single click.

When you select a different location, any connections that were present at the time you switch location may be disconnected. Any network applications that was running before you switched locations may stop working; you may need to quit and restart those applications. (Some applications may be better than others in automatically handling this situation without needing to be restarted.)

Under most circumstances, you do not need to restart your computer (nor logout and login) simply because you select a different location; you might need to do so if your computer runs any network-based servers.

The firewall software included in Mac OS X offers a Stealth Mode feature. By default, even if the firewall is enabled, its stealth mode feature is disabled, but some customers may have enabled the stealth mode feature.

If your Mac OS X firewall is enabled, please be check to verify that its stealth mode feature is disabled. Do so as follows:

1. Open the System Preferences application. You will find this application in Mac OS X's Applications folder, as well as in the Apple menu. It may also be in the Dock.

2. Within the main System Preferences window, click the Security & Privacy icon. The Security & Privacy pane of System Preferences is displayed.

3. In the Security & Privacy pane of System Preferences, click the Firewall tab.

4. If the Firewall tab shows that the firewall is turned off, this implies the firewall's Stealth Mode feature also is not active. Skip the remaining steps.

5. You've determined that the firewall software is turned on, so you will need to ensure that its Stealth Mode feature is not enabled. Continue with the remaining steps below.

6. If the lock icon in the window's lower-left corner is locked, click the icon to unlock the Mac's System Preferences; you will need to provide an administrator's password to do so.

7. Click the Advanced... button in the lower right portion of the Security & Privacy pane. This displays the firewall's advanced settings sheet.

8. The firewall's advanced settings sheet includes a checkbox labeled Enable Stealth Mode. Ensure this item is not checked.

9. Click the OK button in the lower right corner of the firewall's advanced settings sheet to save and dismiss it.

10. Select Quit System Preferences from the System Preferences menu.

The reason for ensuring Stealth Mode is disabled is that Stealth Mode would cause your device to ignore IP PING requests. OIT DHCP and BootP Services explains why your device should respond to IP PING requests. (It is acceptable to use other parts Mac OS X's firewall.)

Mac OS X includes VPN client software supporting the Microsoft Point-to-Point Tunneling Protocol (PPTP). You may use this client to connect to OIT PPTP VPN Service.

Before you can use the PPTP VPN client with a particular network location, you must first add a VPN (PPTP) network port to that location, then configure that VPN (PPTP) port. You need do this only once for a particular network location. Do so as follows:

1. Open the System Preferences application. You will find this application in Mac OS X's Applications folder, as well as in the Apple menu. It may also be in the Dock.

2. Within the main System Preferences window, click the Network icon. The Network pane of System Preferences is displayed.

3. If the lock icon in the window's lower-left corner is locked, click the icon to unlock the Mac's System Preferences; you will need to provide an administrator's password to do so.

4. In the Location pop-up menu, select the location with which you wish to use VPN.

5. Ensure your Mac already has a properly configured, functioning network connection when using the currently-selected location. The VPN client communicates with a VPN server over an already-working network connection.

6. Click the + (plus) button below the list of network ports on the left side of the Network preferences pane. This will display a dialog box asking you to select the interface and to enter a name for the new service.
   1. In the dialog box's Interface pop-up menu, select VPN.

   2. In the dialog box's VPN Type pop-up menu, select PPTP.

   3. In the dialog box's Service Name field, enter a descriptive name for this network interface. We suggest using the default name VPN (PPTP), and will assume in this document that you use this name.

   4. Click the Create button in the lower right corner of the dialog box to dismiss the dialog. You are returned to the Network preferences pane, with the new VPN (PPTP) network port you created selected.

7. The main portion of the Network preferences pane displays some of the settings for this single network port within the current location. While Apple's doesn't appear to have a name for this display, we'll refer to these as the basic settings for this network port.

8. Configure the basic items on the right side of the preference pane as follows:
   1. In the Configuration pop-up menu, select Add Configuration... This will display a sheet which will prompt you for a name for the new configuration. Enter a descriptive name; we suggest Princeton VPN or perhaps OIT PPTP VPN. Click the Create button in the lower right corner of the sheet to dismiss it and return to the main preference pane.

   2. In the Server Address field, enter vpn.princeton.edu.

   3. In the Account Name field, enter PRINCETON\netid, where netid is your OIT Windows netid. This account name will be used as the default netid each time you connect; you will still be able to enter a different netid each time you connect if you wish.

   4. In the Encryption pop-up menu, select Maximum (128 bit only).

   5. Click the Authentication Settings... button to display the User Authentication sheet. Select the Password radio button. Do not enter a password; storing a password in the configuration is not a good idea. Instead, you will be prompted for a password each time you connect. Click the OK button to dismiss this sheet.

   6. Check the Show VPN status in menu bar checkbox. This creates a menu that displays the status of your VPN connection, and lets you quickly connect and disconnect from a VPN server.

9. Click the Advanced... button near the lower right corner of the preference pane to view the selected network port's advanced configuration sheet.

   Within the advanced configuration sheet for this network port is a series of tabs. Each tab causes a different subset of items to be displayed. In the steps below, you will click each tab, and configure its associated items.

10. Click the Options tab.
    1. Check the Send all traffic over VPN connection checkbox.
    2. Optionally, check the Use verbose logging checkbox. This may help you if you later contact support staff to diagnose VPN connection problems.

11. Click the VPN on Demand tab.

    Make sure the list of DNS domains is empty. If any DNS domain appears in the list, select it, then click the - (minus) button below the list to remove it.

12. Click the TCP/IP tab.
    1. In the Configure IPv4 pop-up menu, select Using PPP.
    2. In the Configure IPv6 pop-up menu, select Off if that choice appears. Otherwise, select Automatic.

13. Click the DNS tab.
    1. Make sure the list of DNS Servers is empty. If any IP address appears in the list, select it, then click the - (minus) button below the list to remove it.
    2. Click the + button below the list of Search Domains; this will allow you to enter a DNS domain name in the list of Search Domains. Enter princeton.edu.

14. Click the Proxies tab.
    1. Ensure the Use Passive FTP Mode (PASV) checkbox is checked; using passive FTP mode can address some FTP difficulties in the presence of firewalls or NATs.
    2. As no proxy servers are needed to use OIT VPN Service, ensure none of the checkboxes in the Select a protocol to configure list are be checked.

15. At this point, you should be done configuring the advanced settings for all the tabs displayed for the current network port.

    Click the OK button in the lower right corner of the network port's advanced configuration sheet to dismiss the sheet and return to the basic settings for this network port.

16. Click the Apply button in the lower-right corner of the Network pane to save the configuration for this network port.

17. The VPN menu has been added to your menu bar. (The icon is an oblong shape with some vertical bars, reminscent of a battery charge indicator.)
    1. Enable the Show status while connecting feature in this menu. This provides some visual feedback while you are connecting to a VPN server.

    2. Enable the Show time connected feature in this menu. This provides a way to tell you have succesfully connected to a VPN server without having to click the title of the menu.

18. The current network location is now "set up" to use PPTP VPN; i.e. a VPN network port has been added to the network location.

The steps above need be performed only once to configure a network location so it may use the PPTP VPN client. (If you have multiple network locations, and wish to use the PPTP VPN client from each of them, you will need to repeat the steps above for each network location.)

If you sometimes need to use another VPN service (e.g. another VPN service provider) from this same network location, it is best to keep the configuration for each VPN service entirely separate. Do so by adding to the network location an additional VPN network port (use the + (plus) button below the list of network ports) for each provider. You will be able to select which VPN service to connect to at any one time via the VPN menu in the menu bar.

If you ever wish to remove the PPTP VPN "setup" from an existing network location, select that network location in the Network pane in System Preferences, select the VPN (PPTP) network port from the list of ports on the left side of the pane, then click the - (minus) button below the list.

The instructions in this section assume you have already performed the one-time setup of the current network location so it can use PPTP VPN. (The instructions for doing so appear in the section immediately above.)

To use the PPTP VPN client to connect to OIT PPTP VPN Service, follow these steps:

1. Ensure your Mac already has a properly configured, functioning network connection. The VPN client communicates with a VPN server over an already-working network connection.

   For example, if you are connected to the network via Ethernet, that Ethernet connection must be connected and working; you must already be able to use your computer to communicate on the network.

2. Select the Connect VPN (PPTP) command from the VPN menu.

   If you named the network port something other than VPN (PPTP), the Connect command in the menu may be different. (E.g. you might have named it OIT PPTP VPN, Princeton VPN, etc.)

   If you have created multiple VPN network ports or configurations in the current network location, the menu may contain several Connect choices from which to choose.

   (A more time-consuming alternative is to using the VPN menu is to open the System Preferences application (from the Application folder, or from the Apple menu, or possibly from the Dock. Click the Network button to display the Network preferences pane. Select the VPN (PPTP) network port in the list of ports on the left side of the pane. In the basic settings that appear on the right side of the pane, click the Connect button.)

3. Assuming you did not save a password as part of the configuration, the VPN Connection dialog box will appear. It will prompt for your name and password.

   Your name will already be filled in (using the value you entered earlier when configuring the VPN port). (You may enter a different name here, to use a different netid for just this session without changing the saved configuration.)

   Enter your OIT Windows password, and click the OK button.

4. Your Mac will try to establish a VPN connection to the VPN server. The VPN menu in the menu bar will show progress as the connection is attempted.

5. If all has gone well, there is little indication of success.

   One way tell that you have connected succesfully is that the VPN menu will contain a Disconnect VPN command instead of a Connect VPN command. (This may not be obvious if the menu contains Connect commands for more than VPN service, as only one of them will change to Disconnect.) Another is that if you have the VPN menu configured to Show time connected, the menu will contain a time counter. Finally, if you open the Network preferences pane in System Preferences and then click on the VPN (PPTP) network port, the basic settings that appear on the right side of the preference pane will show your Status is Connected, as well as show some information about your connection.

   If the connection failed, a VPN Connection window will appear, indicating that the connection attempt failed, and possibly providing some explanation for the failure.

6. To disconnect from the VPN server, click Disconnect VPN (PPTP) in the VPN menu in the menu bar.

   If you named the network port something other than VPN (PPTP), the Disconnect command in the menu may be different. If you have created multiple VPN network ports or configurations in the current network location, the menu may contain several Connect and Disconnect choices from which to choose.

   (A more time-consuming alternative is to open the System Preferences application (from the Application folder, or from the Apple menu, or possibly from the Dock. Click the Network button to display the Network preferences pane. Select the VPN (PPTP) network port in the list of ports on the left side of the pane. In the basic settings that appear on the right side of the pane, click the Disconnect button.)

See Mac OS X 10.7.x Network Configuration: OIT Notes and Caveats for additional notes and caveats about using Mac OS X 10.7.x networking at Princeton.

For a chronology of support history at Princeton, see Mac OS X Networking: Support History at Princeton.