A Beginner s Guide To BorderManager 3 - gwise.itwelzel.bizgwise.itwelzel.biz/Novellpdf/BorderManager - A Beginner´s Guide To... · Understanding and Configuring Novell BorderManager,

A Beginner’s Guide To BorderManager 3.x Understanding and Configuring Novell BorderManager, versions 3.0, 3.5 and 3.6 Craig Johnson Novell Support Connection SysOp First Edition May 18, 2001

Table of Contents May 18, 2001

A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 2

Table of Contents TABLE OF CONTENTS................................................................................................................. 2 PRINTING THIS BOOK ............................................................................................................... 12 ACKNOWLEDGEMENTS ............................................................................................................ 13 ABOUT THE AUTHOR ................................................................................................................ 14 LICENSING .................................................................................................................................. 15 OFFICIAL DISCLAIMER.............................................................................................................. 16 CHAPTER 1 - OVERVIEW........................................................................................................... 17

What is BorderManager? .......................................................................................................... 17 Filtering.................................................................................................................................. 17 Proxies................................................................................................................................... 18 Gateways............................................................................................................................... 18 VPN ....................................................................................................................................... 18

How This Book Is Organized .................................................................................................... 19 What this book covers ........................................................................................................... 20 What this book does not cover .............................................................................................. 20

CHAPTER 2 - BASICS ................................................................................................................ 21 Some Important Terminology.................................................................................................... 21 Prerequisite Knowledge ............................................................................................................ 22 TCP/IP Basics ........................................................................................................................... 23

Public & Private Networks..................................................................................................... 23 The Importance of the Default Route .................................................................................... 24 Domain Name Service (DNS) ............................................................................................... 25 Secondary IP Addresses....................................................................................................... 27 Proxy Versus Routing and NAT (How Proxies Work) ........................................................... 29

BorderManager Scenarios ........................................................................................................ 31 Scenario 1 - One Public IP Address...................................................................................... 31 Scenario 2 - Multiple Public IP Addresses ............................................................................ 33 Scenario 3 - BorderManager Used Only For HTTP Proxy.................................................... 35 Scenario 4 - A Single Firewall DMZ Segment....................................................................... 36 Scenario 5 - A Classic Two-Firewall DMZ............................................................................. 38 Scenario 6 - A Simple Site-to-Site VPN ................................................................................ 39 Scenario 7 - A Simple Client-to-Site VPN ............................................................................. 40 Scenario 8 - A Complex Multiple BorderManager Server Environment................................ 41

Some Rules of Thumb and Words of Wisdom.......................................................................... 44 CHAPTER 3 - INSTALLATION.................................................................................................... 47

Server Hardware Suggestions .................................................................................................. 47 NetWare Server Installation Tips .............................................................................................. 48

Using MSDOS 6.22 and NetWare 5.1................................................................................... 48 Don’t Let The NetWare Installation Create the Volumes Automatically................................ 49 Install BorderManager from the Root of the CD.................................................................... 50 Get the Server on the Internet Before Configuring BorderManager ..................................... 50 Setting the Default Route and DNS Servers ......................................................................... 52

BorderManager Server Configuration Suggestions .................................................................. 56 NDS Design Considerations ..................................................................................................... 58 Recommended Patches and Installation Sequence ................................................................. 58



How To Install BorderManager 3.x on NetWare 4.x ............................................................. 59 How to Install BorderManager 3.x on NetWare 5.0 .............................................................. 59 How to Install BorderManager 3.5 and 3.6 on NetWare 5.1 ................................................. 60

General Installation Notes......................................................................................................... 62 Working Around Licensing Startup Delays............................................................................ 62 NDS –601 Error Messages At Startup .................................................................................. 62 Loading and Unloading BorderManager Manually................................................................ 63

BMOFF.NCF...................................................................................................................... 64 BMON.NCF........................................................................................................................ 65

BorderManager Licenses.......................................................................................................... 66 What Are NLS Licenses? ...................................................................................................... 66 NLS Issues ............................................................................................................................ 67 MLA Licenses........................................................................................................................ 68

How To Upgrade BorderManager Servers ............................................................................... 70 Changing Out A BorderManager Server................................................................................... 71

Concerns ............................................................................................................................... 71 Concept ................................................................................................................................. 71 Procedure 1 – Primary IP Addresses Used .......................................................................... 71 Procedure 2 – Secondary IP Addresses Used...................................................................... 73

Critical BorderManager-Related Files....................................................................................... 76 Configuration Tools ............................................................................................................... 76

INETCFG.NLM .................................................................................................................. 76 NIASCFG.NLM .................................................................................................................. 76 VPNCFG.NLM ................................................................................................................... 76 BRDCFG.NLM ................................................................................................................... 76 FILTCFG.NLM ................................................................................................................... 76 INSTALL.NLM.................................................................................................................... 76 NWCONFIG.NLM .............................................................................................................. 76 SYS:\PUBLIC\WIN32\NWADMN32.EXE........................................................................... 77 SYS:\PUBLIC\MGMT\CONSOLEONE\1.2\BIN\CONSOLEONE.EXE .............................. 77

Data Files .............................................................................................................................. 77 SYS:\ETC\HOSTS ............................................................................................................. 77 SYS:\ETC\GATEWAYS ..................................................................................................... 77 SYS:\ETC\RESOLV.CFG .................................................................................................. 77 SYS:\ETC\TCPIP.CFG ...................................................................................................... 77 SYS:\ETC\NETINFO.CFG................................................................................................. 77 SYS:\ETC\FILTERS.CFG.................................................................................................. 78

Startup Files .......................................................................................................................... 78 C:\CONFIG.SYS ................................................................................................................ 78 C:\AUTOEXEC.BAT .......................................................................................................... 78 C:\NWSERVER\STARTUP.NCF ....................................................................................... 78 SYS:\SYSTEM\AUTOEXEC.NCF ..................................................................................... 78

Troubleshooting Tools........................................................................................................... 78 TCPCON.NLM ................................................................................................................... 78 CALLMGR.NLM................................................................................................................. 78 PPPTRACE.NLM............................................................................................................... 79

Keeping BorderManager Up-to-date......................................................................................... 79 Patches.................................................................................................................................. 79 The BorderManager 3.5 Enhancement Pack........................................................................ 79

Starting BorderManager............................................................................................................ 81 Tips For Getting NWADMN32 To Work With BorderManager Server...................................... 84

Rename the ACNWAUTH.DLL Snapin ................................................................................. 84 Get The Latest Version of NWADMN32................................................................................ 84 Fix Invalid BorderManager Snapin Modules Errors .............................................................. 84 Fix “No BorderManager Licenses Available” Messages ....................................................... 84 What snapins should I have? ................................................................................................ 85



BorderManager 3.5 / NetWare 5.0 .................................................................................... 85 BorderManager 3.0 / NetWare 4.11 .................................................................................. 86

CHAPTER 4 – UNDERSTANDING PACKET FILTERING.......................................................... 87 Default Packet Filters................................................................................................................ 87

The BorderManager 3.x Default Packet Filters ..................................................................... 88 Outgoing RIP Filters: ......................................................................................................... 88 Incoming RIP Filters .......................................................................................................... 88 Outgoing EGP Filters:........................................................................................................ 88 Incoming EGP Filters......................................................................................................... 89 OSPF External Route Filters ............................................................................................. 89 Packet Forwarding Filters .................................................................................................. 89

Packet Filter Exceptions ........................................................................................................... 89 What are the Default Packet Filter Exceptions?.................................................................... 89

CHAPTER 5 – THE INITIAL CONFIGURATION......................................................................... 92 BorderManager Setup Main Menu............................................................................................ 95 BorderManager IP Address Configuration................................................................................ 96

Secondary IP addresses used on BORDER1....................................................................... 98 Authentication Context (Proxy Authentication) ......................................................................... 99

Proxy Authentication Settings ............................................................................................. 100 40-bit, 56-bit and 128-bit Encryption ................................................................................... 103 Using Proxy Authentication on the Client with CLNTRUST ................................................ 105

CLNTRUST Problem Work-Around................................................................................. 106 Configuring SSL Proxy Authentication ................................................................................ 108

Creating a Security Container.......................................................................................... 109 Creating a Certificate Authority, pre-NetWare 5.1 ........................................................... 110 Creating a Certificate Authority, with NetWare 5.1.......................................................... 112 Creating a Key Material Object for BorderManager with NWADMN32 ........................... 113 Assigning the Key Material Object for SSL Proxy Authentication ................................... 122 Using SSL Proxy Authentication...................................................................................... 123 Test Conditions................................................................................................................ 123 The SSL Proxy Authentication Login Screen (HTML) ..................................................... 125

Proxy Authentication for Citrix Users .................................................................................. 128 DNS Parameters ..................................................................................................................... 129 Transport................................................................................................................................. 131

CHAPTER 6 - HTTP PROXY ..................................................................................................... 133 Concepts ................................................................................................................................. 133

How BorderManager HTTP Proxy Works With DNS .......................................................... 133 How Browsers Are Configured For HTTP Proxy .................................................................... 138

Netscape ............................................................................................................................. 138 Internet Explorer .................................................................................................................. 140

HTTP Proxy Details ................................................................................................................ 141 HTTP ................................................................................................................................... 141 Cache Hierarchy Server ...................................................................................................... 143 Cache Hierarchy Client ....................................................................................................... 144 Cache Hierarchy Routing .................................................................................................... 145 Logging................................................................................................................................ 146

Common Logging ............................................................................................................ 146 Extended Logging............................................................................................................ 148 Indexed Logging .............................................................................................................. 149

HTTP Proxy Caching .............................................................................................................. 151 Cache Aging........................................................................................................................ 151 Cache Control ..................................................................................................................... 152 Cache Location ................................................................................................................... 154 Cachable Object Control ..................................................................................................... 157



Entering a Non-Cacheable URL Pattern ......................................................................... 158 Clearing the Proxy Cache................................................................................................ 159

Scheduled Downloads......................................................................................................... 160 Entering a URL to download on a schedule .................................................................... 161 Set Download Frequency ................................................................................................ 162

HTTP Proxy - SOCKS Client .................................................................................................. 163 Setting Up a Cache Hierarchy ................................................................................................ 165

Concept ............................................................................................................................... 165 CERN Configuration, BorderManager Server as a Client................................................... 166 ICP Cache Hierarchy........................................................................................................... 168 Cache Hierarchy Routing Exceptions ................................................................................. 169

CHAPTER 7 - TRANSPARENT PROXY ................................................................................... 171 Transparent Proxy (HTTP)...................................................................................................... 171

Concept ............................................................................................................................... 171 Pros.................................................................................................................................. 171 Cons................................................................................................................................. 171

Configuring Transparent Proxy ........................................................................................... 172 BorderManager 3.0 Transparent Proxy configuration menu ........................................... 172 BorderManager 3.5 & 3.6 Transparent Proxy configuration menu.................................. 173 Ways To Convert Browsers To Use HTTP Proxy............................................................ 175

Internet Explorer........................................................................................................................ 175 Netscape .................................................................................................................................... 176

Transparent TELNET Proxy.................................................................................................... 177 Concept ............................................................................................................................... 177 Configuring Transparent TELNET Proxy ............................................................................ 178 User Authentication ............................................................................................................. 180 Transparent TELNET Proxy Usage .................................................................................... 181

Example 1 – No User-based Authentication Required.................................................... 181 Example 2 – NDS-Based User Authentication ................................................................ 182

CHAPTER 8 - FTP PROXY........................................................................................................ 184 Concept................................................................................................................................... 184 Limitations ............................................................................................................................... 184 Alternative For ACTIVE (PORT) FTP ..................................................................................... 184 Configuring FTP Proxy............................................................................................................ 185

User Authentication ............................................................................................................. 185 Clear Text User/Password............................................................................................... 185 Single Sign On................................................................................................................. 185

FTP Proxy Usage.................................................................................................................... 186 Example 1 – No User-based Authentication Required, DOS FTP Client ........................... 186 Example 2 – User-based Authentication Required, DOS FTP Client ................................. 188 Example 3 – User-based Authentication Required, CuteFTP Client .................................. 193 Example 4 – User-based Authentication Required, WS_FTP Client .................................. 195 All Examples, FTP Proxy Statistics Screen......................................................................... 196

CHAPTER 9 - MAIL PROXY...................................................................................................... 197 Concept................................................................................................................................... 197 An Alternative.......................................................................................................................... 197 A GWIA Alternative ................................................................................................................. 197 Configuring Mail Proxy............................................................................................................ 198

No Internal Mail Server, Mail Through Proxy ...................................................................... 198 Internal Mail Server, Mail Through Proxy............................................................................ 200 GWIA Example Settings...................................................................................................... 204 Access Rule and Packet Filter Exception to Allow POP3 Through Mail Proxy................... 205

Inbound POP3 ................................................................................................................. 205 Outbound POP3 .............................................................................................................. 207



Access Rule To Allow SMTP Through Mail Proxy .............................................................. 208 Access Rules to Control Use of Mail Proxy......................................................................... 209

Internal Mail Server.......................................................................................................... 209 No Internal Mail Server .................................................................................................... 209 Access Rule Examples .................................................................................................... 210

Allow outbound SMTP.............................................................................................................. 210 Allow Inbound SMTP to Internal Mail Domain........................................................................ 211 Deny All SMTP......................................................................................................................... 212

CHAPTER 10 - NEWS PROXY.................................................................................................. 213 Concept................................................................................................................................... 213 Using News Proxy With An External NNTP Server ................................................................ 213

CHAPTER 11 - REAL AUDIO PROXY...................................................................................... 215 BorderManager 3.0 Settings ................................................................................................... 215 BorderManager 3.5 & 3.6 Settings ......................................................................................... 216 BorderManager 3.0 RealAudio Proxy Access Rule ................................................................ 217 BorderManager 3.5 & 3.6 RealAudio and RTSP Access Rule ............................................... 218 RealPlayer G2 Proxy Settings ................................................................................................ 219

CHAPTER 12 - DNS PROXY..................................................................................................... 220 Concept................................................................................................................................... 220 An Alternative.......................................................................................................................... 220 Configuring DNS Proxy........................................................................................................... 221

CHAPTER 13 - GENERIC TCP PROXY.................................................................................... 222 Concept................................................................................................................................... 222 Configuring Generic TCP Proxy.............................................................................................. 223 Example for NetWare Web Manager ...................................................................................... 224

Browser Configuration......................................................................................................... 228 Access Rule Configuration .................................................................................................. 228

Example For NNTP................................................................................................................. 230 Outlook Express Configuration............................................................................................ 233 Agent /Free Agent Configuration......................................................................................... 239

Example Generic TCP Proxy for Inbound pcANYWHERE..................................................... 240 CHAPTER 14 - GENERIC UDP PROXY ................................................................................... 242

Concept................................................................................................................................... 242 Generic UDP Proxy - Time Server Proxies............................................................................. 244

Configuring A Generic UDP Proxy for NTP......................................................................... 245 Configuring a Generic UDP Proxy for RDATE.................................................................... 246

Example Generic UDP Proxy for Inbound pcANYWHERE .................................................... 247 CHAPTER 15 – ACCELERATION (REVERSE PROXY) .......................................................... 249

HTTP Acceleration .................................................................................................................. 249 Concept ............................................................................................................................... 249 Using Primary Public IP Address ........................................................................................ 249 Configuring Reverse Proxy Acceleration ............................................................................ 250 Using a Secondary Public IP Address ................................................................................ 253

Filter Exceptions Needed for Reverse Proxy Acceleration.............................................. 253 Access Rule Required for Reverse Proxy Acceleration .................................................. 256

FTP Acceleration..................................................................................................................... 257 Concept ............................................................................................................................... 257 Configuration ....................................................................................................................... 257

CHAPTER 16 – THE GATEWAYS ............................................................................................ 261 IPX/IP Gateway....................................................................................................................... 261

Concept ............................................................................................................................... 261 Pros ..................................................................................................................................... 262



Cons .................................................................................................................................... 262 History of IPX/IP Gateway................................................................................................... 262

IntranetWare IPX/IP Gateway.......................................................................................... 262 BorderManager 2.1 IPX/IP Gateway ............................................................................... 263 BorderManager 3.x IPX/IP Gateway ............................................................................... 264

Client Settings For IP Gateway............................................................................................... 267 Use Proxy, No Authentication, No Rules, No Logging........................................................ 267 Use Proxy, Authentication, Access Rules and Logging ...................................................... 267 Use IP gateway, No Proxy, Access Rules and Logging ..................................................... 268

Installing IP Gateway Service on the PC ................................................................................ 269 IP/IP Gateway ......................................................................................................................... 272

Concept ............................................................................................................................... 272 Pros ..................................................................................................................................... 272 Cons .................................................................................................................................... 272 Access Rules, Proxies and the IP/IP Gateway ................................................................... 273

IP/IP Gateway With Access Rules And Without Proxy.................................................... 273 IP/IP Gateway Without Access Rules And With Proxy.................................................... 273 IP/IP Gateway With Proxy and With Access Rules ......................................................... 273

Configuring IP/IP Gateway.................................................................................................. 274 SOCKS Gateway .................................................................................................................... 276

Concept ............................................................................................................................... 276 CHAPTER 17 - SITE-TO-SITE VPN .......................................................................................... 278

Introduction to BorderManager VPN....................................................................................... 278 Concept................................................................................................................................... 278 Setting Up the Master VPN Server ......................................................................................... 279

Configuration Tasks at the Server Console ........................................................................ 279 VPN IP and IPX Addressing Design Considerations .......................................................... 282 Setting Up The Master VPN Server, Continued.................................................................. 285 Configuring the VPN Master Server in NWADMN32 .......................................................... 297

Adding a Site-to-Site Slave VPN Server – Server Console Procedures ................................ 301 Adding a VPN Slave Server – NWADMN32 Procedures ....................................................... 315

CHAPTER 18 - CLIENT-TO-SITE VPN ..................................................................................... 323 Concept................................................................................................................................... 323 Setting Up VPN Servers ......................................................................................................... 324

BorderManager Client-to-Site VPN Access Rules .............................................................. 329 Configuring a Client-to-Site VPN Client PC ............................................................................ 336

VPN Client Connection Process – A Case Study ............................................................... 337 Step 1 – Try LAN VPN Client Connection to BORDER1................................................. 338 Step 2 – Repeat Test With Valid IP Address................................................................... 341 Step 3 – Install/Reinstall VPN Client Software ................................................................ 345 Step 4 – Try LAN VPN Client Connection to BORDER2................................................. 348 Step 5 – Create a Login Policy Object............................................................................. 351 Step 6 – Add Rule for VPN Authentication ...................................................................... 354 Step 7 – Try LAN VPN Client Connection to BORDER2 Again ...................................... 359

Client-to-Site VPN Using Pure IP Login.................................................................................. 361 Routing Issues..................................................................................................................... 361

Missing Default Route on Internal Hosts and Routers .................................................... 361 Incorrect Default Route on Internal Hosts and Routers................................................... 362

Issues with Client-to-Site over Site-to-Site Links ................................................................ 362 Issue with BorderManager 3.5 and 3.6 with Client-to-Site VPN and Dynamic NAT ....... 363

Service Location Issues ...................................................................................................... 364 Making Use of SLP .......................................................................................................... 364 Using NWHOST Instead Of (Or In Addition To) SLP ...................................................... 364 Using the HOSTS File ..................................................................................................... 365 The Importance of Client32 Protocol Preferences........................................................... 366



The Bottom Line .................................................................................................................. 367 Client-to-Site VPN Over NAT .............................................................................................. 369 Disconnecting a Client-to-Site Connection.......................................................................... 369

CHAPTER 19 - VIEWING AUDIT LOG DATA FOR VPN ......................................................... 370 Using NWADMN32 To View Log Data ................................................................................... 370 An Alternative To Using NWADMN32 .................................................................................... 375

VPTUNNEL Debug Options ................................................................................................ 375 VPNINF/VPMASTER/VPSLAVE Debug Options................................................................ 375

CHAPTER 20 - ACCESS RULES.............................................................................................. 376 Concept................................................................................................................................... 376 The Default Rule ..................................................................................................................... 376 Rule Inheritance...................................................................................................................... 377 Proxy Authentication and NDS-based Rules .......................................................................... 377 Enforce Rules.......................................................................................................................... 378 Time Restrictions .................................................................................................................... 379 Setting Up Access Rules ........................................................................................................ 380 Explanation of the Effective Rules .......................................................................................... 381

Checking Effective Rules .................................................................................................... 384 Rules Applied On BORDER1.................................................................................................. 389

Allow All users to Access Selected URL’s .......................................................................... 389 Allow the Admin User to Access a Reverse Proxy ............................................................. 391 Allow Selected Users Access to Any URL .......................................................................... 392 Allow Access To Reverse Proxy ......................................................................................... 394 Track Usage for a Particular Web Site................................................................................ 395 Allow HTTPS/SSL Through Reverse Proxy........................................................................ 396 Block Selected Downloads.................................................................................................. 397 Deny Access to CyberNOT List URL’s................................................................................ 399 Allow Browsing to FTP Sites Through the HTTP Proxy...................................................... 401 Track Specific Users with an Allow URL Rule..................................................................... 403 Allow a Group of Users to Any URL.................................................................................... 406 Allow Admin User to FTP Accelerator (FTP Reverse Proxy).............................................. 407 Deny All Users Access To FTP Reverse Proxy .................................................................. 408 Allowing Use of the FTP Proxy............................................................................................ 409 Allow External Access to Web Manager ............................................................................. 411 Deny VPN Client Access to the BORDER1 Server ............................................................ 412 Allow VPN Client Access to the BORDER1 Server ............................................................ 413 Allow Access to RealAudio Proxy ....................................................................................... 415 Allow Access To Generic UDP Proxy for Port 37 (RDATE)................................................ 417 Inbound pcANYWHERE Access Rules Using Generic Proxies.......................................... 418 Access Rules Allowing The News Proxy............................................................................. 421

Allowing Use of the News (NNTP) Proxy for Reading..................................................... 421 Allowing Use of the News (NNTP) Proxy for Posting. ..................................................... 422

Allow Outbound SMTP Through the Mail Proxy.................................................................. 423 Allow Inbound SMTP Mail Through the Mail Proxy............................................................. 424 Deny All SMTP Mail Through the Mail Proxy...................................................................... 425 Allow Inbound POP3 Through the Mail Proxy..................................................................... 426 Deny All Ports for Troubleshooting Purposes ..................................................................... 427 Deny All URLs For Troubleshooting Purposes ................................................................... 428

Example - Setting an Allow All URL Rule ............................................................................... 429 Example - Adding a CyberPatrol CyberNOT List Deny Rule.................................................. 430

CyberNOT List Selection..................................................................................................... 431 CyberNOT List Definitions in Use ....................................................................................... 432

The Refresh Server Button ..................................................................................................... 434 Those Additional Rules Fields............................................................................................. 435

Backing up Access Rules ....................................................................................................... 436



CHAPTER 21 - INSTALLING CYBERPATROL........................................................................ 439 Registering CyberPatrol.......................................................................................................... 440 The CyberPatrol REGISTER.EXE Program ........................................................................... 441 Downloading a new CyberNOT list on demand...................................................................... 443

CHAPTER 22 - CUSTOM ERROR PAGES............................................................................... 444 Concept................................................................................................................................... 444 One Example .......................................................................................................................... 444

CHAPTER 23 - USING DYNAMIC NAT .................................................................................... 448 Concept................................................................................................................................... 448 Outbound DNS........................................................................................................................ 450

DNS from Internal PC’s to an ISP’s DNS Servers .............................................................. 450 Outbound NNTP...................................................................................................................... 453

CHAPTER 24 - USING STATIC NAT ........................................................................................ 455 Concept................................................................................................................................... 455 Static NAT To Internal SMTP Mail Server .............................................................................. 456

CHAPTER 25 -BORDERMANAGER ALERTS ......................................................................... 461 Concept................................................................................................................................... 461 Configuring Alerts.................................................................................................................... 461

BorderManager 3.0 ............................................................................................................. 462 BorderManager 3.5 and 3.6 ................................................................................................ 463

CHAPTER 26 - LOGGING ......................................................................................................... 465 Controlling the Size of the Indexed and Access Control Logs................................................ 465 Viewing Common Log Files .................................................................................................... 468

Configuring "WebTrends for Firewalls and VPN’s" For Novell BorderManager ................. 469 WebTrends Configuration................................................................................................ 469

Viewing Extended Logs....................................................................................................... 480 Viewing Indexed Logs ......................................................................................................... 480

Viewing Real-Time Proxy Cache Data ................................................................................... 488 Viewing Access Control Logs ................................................................................................. 489

Usage Trends...................................................................................................................... 494 Exporting the Access Control Log to Excel............................................................................. 495 Viewing VPN Activity............................................................................................................... 501

CHAPTER 27 - BORDERMANAGER CONSOLE SCREENS .................................................. 508 IP Gateway / SOCKS.............................................................................................................. 508 Proxy Console......................................................................................................................... 509 Option 1 - FastCache Current Activity screen ........................................................................ 510 Option 2 – Display Memory Usage ......................................................................................... 513 Option 3 – Display ICP Statistics ............................................................................................ 514 Option 4 – Display DNS Statistics........................................................................................... 515 Option 5 – Display Cache Statistics........................................................................................ 516 Option 6 – Display Not Cached Statistics ............................................................................... 517 Option 7 – Display HTTP Server Statistics ............................................................................. 518 Option 8 – Display HTTP Client Statistics .............................................................................. 519 Option 9 – Display Connection Statistics................................................................................ 520 Option 10 – Display FTP Client Statistics ............................................................................... 521 Option 11 – Display GOPHER Statistics ................................................................................ 522 Option 12 – Display DNS Cache Entry Information ................................................................ 523 Option 13 – Show hosts sorted by most DNS lookup requests.............................................. 524 Option 14 – Show Origin Hosts Sorted by Amount of Data Transmitted by the Cache ......... 525 Option 15 – Show Origin Hosts Sorted by the Amount of Data sent TO the Cache .............. 526 Option 16 – Show Proxies and Origin Hosts Sorted By Most Data Directly Received........... 527 Option 17 – Display Configured Addresses and Services...................................................... 528 Option 18 – Display SOCKS Client Statistics ......................................................................... 530



Option 19 – Application Proxies.............................................................................................. 531 Mail Proxy Statistics ............................................................................................................ 532 Real Audio Proxy Statistics ................................................................................................. 533

Option 20 – Transparent Proxy Statistics ............................................................................... 534 CHAPTER 28 - PROXY CACHE CONFIGURATION CONSOLE ............................................. 535

Option 1 – Display Object Cache Configuration ..................................................................... 536 Option 2 – Display DNS/Miscellaneous Configuration............................................................ 537 Option 3 – Display TCP Configuration .................................................................................... 538 Option 4 – Display ICP Configuration ..................................................................................... 539 Option 5 – Display FTP/GOPHER Configuration.................................................................... 540 Option 6 – Display HTTP Configuration.................................................................................. 541 Option 7 – Display Authentication Configuration .................................................................... 542 Option 8 – Display Generic TCP/UDP Configuration.............................................................. 543 Option 9 – Display RealAudio Configuration .......................................................................... 544 Option 10 – Display SMTP Configuration ............................................................................... 545 Option 11 – Display POP3 Configuration ............................................................................... 546 Option 12 – Display NNTP Configuration ............................................................................... 547 Option 13 – Display SOCKS Configuration ............................................................................ 548 Option 14 – Display THTTP Configuration ............................................................................. 549 Option 15 – Display Site Download Configuration.................................................................. 550 Option 16 – Display TTELNET Configuration ......................................................................... 551 Option 17 – Display RTSP Configuration ............................................................................... 552

CHAPTER 29 – TROUBLESHOOTING BORDERMANAGER ................................................. 553 Simplify the Configuration ....................................................................................................... 553 Start at the Server ................................................................................................................... 553 Isolate the Problem ................................................................................................................. 554

Look at the IP Packets at the Server................................................................................... 554 Is it a Filtering Problem?...................................................................................................... 554 Is it a NAT or a Routing Problem? ...................................................................................... 554 Is it an Access Rule Problem? ............................................................................................ 555

How To Search the Novell KnowledgeBase ........................................................................... 556 HTTP Proxy Issues ................................................................................................................. 556 Transparent Proxy Issues ....................................................................................................... 557 Mail Proxy Issues .................................................................................................................... 557 DNS Proxy Issues ................................................................................................................... 557 IP Gateway Issues .................................................................................................................. 558 Site-to-Site VPN Issues .......................................................................................................... 558 Client-to-Site Issues................................................................................................................ 558 Miscellaneous Issues.............................................................................................................. 559

Dial-Up Connection Keeps Coming Up............................................................................... 559 CHAPTER 30 - PERFORMANCE TUNING............................................................................... 560

General Recommendations .................................................................................................... 560 Use the Following Server Set Parameters.............................................................................. 561 Use The Following NetWare Administrator (NWADMN32) Settings ...................................... 562 Watch Your Memory - Memory Considerations...................................................................... 562

CHAPTER 31 - ODDS & ENDS................................................................................................. 564 Documenting Your Server....................................................................................................... 564

Run CONFIG.NLM .............................................................................................................. 564 Comment Your Filter Exceptions......................................................................................... 565 Screenshot your VPNCFG Screens.................................................................................... 566 Screenshot your INETCFG Settings ................................................................................... 566 Screenshot your NWADMN32 Screens .............................................................................. 566 Back Up Your Access Rules ............................................................................................... 566

Miscellaneous Hints ................................................................................................................ 567



PPTP to BorderManager 3.5 ............................................................................................... 567 Converting Internet Explorer to Proxy Settings ................................................................... 567 VPN & Modems Tip............................................................................................................. 567 VPN Client with LAN Connection ........................................................................................ 568 VPN with Client 4.7x for NT................................................................................................. 568 Citrix Setting for NAT........................................................................................................... 569 Remote Install of BorderManager 3.5 or 3.6 By Redirecting GUI ....................................... 569 HOSTS File Tip ................................................................................................................... 569 Load Balancing Internal Web Servers................................................................................. 570 SSL Logout Page Location.................................................................................................. 570 St. Bernard Software – Don’t Use On BorderManager ....................................................... 570 Serving up the PROXY.PAC File from BorderManager...................................................... 571 More PROXY.PAC File Help ............................................................................................... 571 BorderManager and NetWare Cluster Services.................................................................. 572 Common Log File Format.................................................................................................... 575

IP Address ....................................................................................................................... 575 Authenticated User Name................................................................................................ 575 Date ................................................................................................................................. 575 Time................................................................................................................................. 575 Timezone ......................................................................................................................... 575 HTTP Request ................................................................................................................. 575 URL.................................................................................................................................. 576 Status Code ..................................................................................................................... 576

ERRATA & REVISIONS ............................................................................................................ 578 Beta 2.0................................................................................................................................... 578 Beta 3.0................................................................................................................................... 578 First Edition ............................................................................................................................. 578

INDEX......................................................................................................................................... 580

Printing This Book May 18, 2001

Printing This Book

Acknowledgements May 18, 2001

Acknowledgements

About the Author May 18, 2001

About the Author

•

•

•

•

•

•

Licensing May 18, 2001

Licensing

Official Disclaimer May 18, 2001

Official Disclaimer

Chapter 1 - Overview May 18, 2001


Chapter 1 - Overview What is BorderManager?

Filtering



Proxies

Gateways

VPN



How This Book Is Organized



What this book covers •

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

•

What this book does not cover •

•

•

•

•

•

Chapter 2 - Basics May 18, 2001


Chapter 2 - Basics Some Important Terminology

Access Rules based on a source of an NDS user name, group or container generally only apply to the HTTP, FTP and Transparent TELNET proxies, and IP Gateway, and require Proxy Authentication to be used.



Prerequisite Knowledge



TCP/IP Basics

Public & Private Networks

•

•

•

RFC 1918 - Address Allocation for Private Internets. Y.

Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot &

E. Lear. February 1996. (Format: TXT=22270 bytes)



(Obsoletes RFC1627, RFC1597) (Also BCP0005) (Status:

BEST CURRENT PRACTICE)

Use this URL for a link to RFC 1918: ftp://ftp.isi.edu/in-notes/rfc1918.txt

Remember – if you use the private IP addresses, you will not get a response back from the Internet to your PC unless you are using a Proxy, a Gateway service or have dynamic NAT enabled! This has nothing to do with packet filtering! The routers on the Internet will drop packets with private addresses.

The Importance of the Default Route



Domain Name Service (DNS)



•

•

•

•



•

Stateful packet filtering is explained in detail in my book “Novell BorderManager: A Beginner’s Guide To Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net. A full discussion of packet filtering concepts and issues is out of the scope of this book.

Secondary IP Addresses

You may need a dedicated IP address for each service, such as a web server or a mail server that you want to host. You will definitely need to have different IP addresses if you want to use static NAT and proxies as you cannot use both of those services on the same public IP address at the same time.



You can assign addresses in different networks to a single network card, and NetWare will route between them as if they were assigned to two different network cards. Assigning addresses from different networks is done in INETCFG by simply binding a new address to an interface. An example would be to assign 192.168.10.252 and 172.16.31.254 to an interface. This book does not cover such an assignment, as it is not normally needed in a BorderManager configuration. This is NOT the same as a secondary IP address.

IPADDRESS is all one word!

ADD SECONDARY IPADDRESS 192.168.10.253

DISPLAY SECONDARY IPADDRESS



Caution! Secondary IP addresses are not permanent – you need to put the ADD SECONDARY IPADDRESS 192.168.10.253 command in AUTOEXEC.NCF (after the primary bindings are made) so that the addresses will be available after a server reboot.

Proxy Versus Routing and NAT (How Proxies Work)

•

•

•

•

DELETE SECONDARY IPADDRESS 192.168.10.253



•

•

•

•

•

•

•



BorderManager Scenarios

Some of these scenarios are not very basic! Don’t get bogged down trying to understand the more complex scenarios until you are familiar with BorderManager. I provide these scenarios in order to show some range of possibilities for implementing BorderManager.

Scenario 1 - One Public IP Address

InternetW AN link

BorderM anager Server

Private IP Address192.168.10.254(255.255.255.0)

A Sim ple Two-Interface, One IP Address Configuration

Public IP Address4.3.2.254

(255.255.255.252)

Exam pleAn organization's public network, assigned by the ISP, has a 255.255.255.252 subnet m ask - this allows for two IPaddresses to be assigned (one to the router and one to the BorderManager server).4.3.2.254 is assigned to the In ternet router's LAN interface.4.3.2.253 is assigned to the BorderManager server public in terface.A Class C Private IP network (192.168.10.x) is in use on the internal LAN, and 192.168.10.254 is assigned to theBorderManager private interface. Up to 254 IP addresses can be assigned on the internal LAN.

The BorderM anager server's default route is4.3.2.254, which is the Internet Router's LANIP address

CISCOSYSTEMS

W AN IP Address(ISP Assigned)

InternetRouter

Macintosh

Hub or Switch

PC

Mail Server

All these internal hosts have a192.168.10.x IP address, and a defaultgateway of 192.168.10.254, which is theBorderM anager server's private IPaddress

Subnet M ask / Usable Public IP Addresses(rem em ber that one of these addresses goes onthe router. These num bers do not include thenetwork address or the broadcast address.)

255.255.255.252 2255.255.255.248 6255.255.255.240 14255.255.255.224 30255.255.255.192 62255.255.255.128 126255.255.255.0 254

(The public IP addresses m ust com e from the ISP).

Public IP address4.3.2.253

(255.255.255.252)

W eb Server1

FTP Server

BorderManager Proxies are used tosend inbound traffic coming to theBorderManager public IP address4.3.2.253 to an internal FTP server,Mail server or W eb server, dependingon the type of traffic.





Scenario 2 - Multiple Public IP Addresses

InternetW AN link



A Typical Two-Interface Configuration


(255.255.255.252)

Exam pleAn organization's public network, assigned by the ISP, has a 255.255.255.248 subnet m ask - this allows for six IPaddresses to be assigned (one to the router and five can be assigned to the BorderM anager server).4.3.2.254 is assigned to the Internet Router's LAN interface.4.3.2.253, 4.3.2.252 and 4.3.2.251 are assigned to the BorderManager server public interface.A Class C Private IP network (192.168.10.x) is in use on the internal LAN, and 192.168.10.254 is assigned to theBorderManager private interface. Up to 254 IP addresses can be assigned on the internal LAN.

The BorderManager server's default route is4.3.2.254, which is the Internet Router's LANIP address

4.3.2.253 is the prim ary IP binding, and isreverse proxied to web server14.3.2.252 is static NAT'd to the internal m ailserver.4.3.2.251 is reverse proxied to web server2

CISCOSYSTEMS


In ternetRouter

Macintosh

Hub or Switch

PC

Mail Server

W eb Server2

All these internal hosts have a192.168.10.x IP address, and a defaultgateway of 192.168.10.254

Subnet M ask / U sable Public IP Addresses(remem ber that one of these addresses goes onthe router. These num bers do not include thenetwork address or the broadcast address.)

255.255.255.252 2255.255.255.248 6255.255.255.240 14255.255.255.224 30255.255.255.192 62255.255.255.128 126255.255.255.0 254

(The public IP addresses m ust come from the ISP).

Public IP addresses4.3.2.2534.3.2.2524.3.2.251

(255.255.255.248)

W eb Server1





Scenario 3 - BorderManager Used Only For HTTP Proxy

InternetW AN link

BorderManager Server


A One Interface Configuration Used for HTTP ProxyExam pleAn organization wishes to use BorderManager for HTTP Proxy and Access Rules to control web browsing, but alsowishes to use an existing firewall. BorderManager is set up on the internal LAN with a single IP address and a singleinterface, and HTTP Proxy is configured. The firewall is configured to accept HTTP traffic only from theBorderManager server's IP address, so all internal browsers m ust point to the BorderManager server HTTP proxy.

The firewall is configured to block TCP port 80unless it com es from the BorderManager IPaddress. Thus, the internal PC's m ust go tothe BorderManager HTTP Proxy in order tobrowse the Internet.

CISCOSYSTEMS


InternetRouter /Firew all

Macintosh

Hub or Switch

PC

Mail Server

W eb Server2

BorderManager is set up with a singleinterface and a single IP address. HTTPProxy is set up on that IP address, and allinternal web browsers use theBorderManager server's IP address andport 8080 in their proxy settings.

W eb Server1



Scenario 4 - A Single Firewall DMZ Segment

Internet WAN link

Firew all

Main Internal LAN

A Sim ple One-Firewall DMZ Configuration

ExampleAn organization's uses a single firewall with two internal interfaces. One interface connects the main internal LAN.Another interface connects an isolated LAN (DMZ segment)

CISCOSYSTEMS

InternetRouter

Internal Servers

Internal hosts

Public Mail Server

Public IP address(es)

Public W eb Server

Public FTP Server

Isolated LAN

DM Z

M ainInternal

LAN





Scenario 5 - A Classic Two-Firewall DMZ

Internet

WAN link

Public F irew all

A Two-Firewall Classic DMZ Configuration

Exam pleAn organization's uses two firewalls, with the public servers connected on a (DMZ) LAN segment between them . Themain internal LAN is protected behind both firewalls. In case the public firewall is comprom ised, the internal LANsegment is still protected by the private firewall.

CISCOSYSTEMS

In ternetRouter

Internal Servers

Internal hosts

Public Mail Server

Public W eb Server

Public FTP Server

DM Z

M ainInternal

LAN

Priva te F irew all



Scenario 6 - A Simple Site-to-Site VPN

Internet W AN linkSite B


Site BPrivate IP Address

192.168.11.254(255.255.255.0)

Site BPublic IP Address

2.2.2.254(255.255.255.252)

A Typical Site-to-Site VPN Configuration

LAN IP Address2.2.2.253

(255.255.255.252)

Example:An organization's Site-to-Site VPN, uses a Class C private IP network (192.168.99.0) for the VPN tunnel. EachBorderManager VPN server is assigned a VPN tunnel address from the 192.168.99.0 network to be a m ember of thesite-to-site VPN. The VPN tunnel network address must not be in use anywhere else on the connected LAN's. Theremote sites must all have different internal IP network addresses. In this example, Site A is on a 192.168.10.0internal network, while Site B is on a 192.168.11.0 internal network. The VPN tunnel network is different from both.A unique (hexadecimal) IPX network num ber is also assigned to the VPN tunnel in order to route IPX through the VPNfrom one site to another. The IPX network number for the VPN tunnel is DEADBEEF, and that network number is notin use anywhere else on the interconnected networks.

The Site B BorderManagerserver's default route is2.2.2.253, which is the SiteB Internet Router's LAN IPaddress

Site ABorderM anager Server

Site APublic IP Address

1.1.1.254(255.255.255.252)

LAN IP Address192.168.10.252(255.255.255.0)

CISCOSYSTEMS

Site AInternetRouter

CISCOSYSTEMS

W AN link


(255.255.255.252)

Site BInternetRouter

The Site A BorderManagerserver's default route is1.1.1.253, which is the SiteA Internet Router's LAN IPaddress

Site AVP N Tunnel IP Address

192.168.99.254(255.255.255.0)

Site BVP N TunnelIP Address

192.168.99.253(255.255.255.0)

Note that the two VPN servershave VPN tunnel addresses in

the same IP network!

The Site A BorderManager server 'protects' network192.168.10.0, which then shows up as a static routein the Site B VPN server, pointing to 192.168.99.254as a next hop. (Thereby forcing all traffic from Site Bto 192.168.10.0 to go through the VPN tunnel).

The Site A BorderManager server 'protects' network192.168.11.0, which then shows up as a static routein the Site A VPN server, pointing to 192.168.99.253as a next hop. (Thereby forcing all traffic from Site Ato 192.168.11.0 to go through the VPN tunnel).



Scenario 7 - A Simple Client-to-Site VPN

Internet WAN link




(255.255.255.252)

A Typical Client-to-Site VPN Configuration


(255.255.255.252)

Exam pleAn organization 's Client-to-Site VPN, uses a C lass C private IP network (192.168.99.0) for the VPN tunnel. IPX canalso be supported for access over the VPN, if configured. The IPX network num ber assigned to the VPN tunnel m ustbe unique in the network.

The Client-S ite VPN configuration used is the sam e as that set up for the server to be a Master VPN Site-Site server.

The BorderManagerserver's default route is2.2.2.253, which is theInternet Router's LAN IPaddress

W AN link


VPN TunnelIP Address

192.168.99.254(255.255.255.0)

W indows PC StandardModem

W indows PC CableModem

WAN link

W indows PCCISCOSYSTEMS

CISCOSYSTEMS

InternetRouter

LANconnected

Router

WAN link



Scenario 8 - A Complex Multiple BorderManager Server Environment

Virtual Private Network192.168.99.0

betweenBORDER1 and BORDER2

Internet

Dial-up

BORD ER3NetW are 5.1 / BMgr 3.5

PRIVATE192.168.10.254(255.255.255.)

PRIVAT E192.168.10.252(255.255.255.0)

dynamic IPaddress

Internal LAN10/100 switch

BORD ER1NetW are 4.11

BMgr 3.0HTTP Proxy

Client-Server VPNSite-Site VPN

Public-Side DHCP-default route is 192.168.10.254

dial-upconnection

Hub

Hub

P200NetW are 5.0

GroupW ise 5.5Internal DHCP

DNS2 W eb Servers

ZENW orks InventoryNDPS

KIDS450NetW are 5.1/W in98

FTPW EB Serverr

NNTPNDPS

W ebsphereMedia Server

BORD ER2NetW are 5.0

BMgr 3.5Client-Server VPN

Site-Site VPN

PUBLIC4.3.2.2544.3.2.2534.3.2.2524.3.2.251

(255.255.255.0)

PUBLIC4.3.2.250

(255.255.255.0)

PRIVAT E192.168.11.254(255.255.255.0)

192.168.10.250192.168.10.249(255.255.255.0)

192.168.10.251(255.255.255.0)A Com plex Multi-Server (Lab) Scenario

ICS-W 2KW indows 2000 Advanced Server

web serverDNS server

NNTP serverSMTP/ POP3 server

HTTP Proxy

4.3.2.1(255.255.255.0)

VPN:192.168.99.254

VPN:192.168.99.253



This is not a typical BorderManager installation scenario. I use it here for various reasons, one of which is that it allows me to show how an HTTP Caching Hierarchy works.



Server Component IP Addresses Functions

BORDER1 PUBLIC Interface 4.3.2.254 Site-to-Site VPN, Client-to-Site VPN

4.3.2.253 Reverse Proxy


4.3.2.251 Static NAT


192.168.99.254 VPN Tunnel IP address

BORDER1 PRIVATE Interface 192.168.10.252 Various proxies, default route for 192.168.10.0 network

BORDER2 PUBLIC Interface 4.3.2.250 Site-to-Site VPN, Client-to-Site VPN


192.168.99.253 VPN Tunnel IP address

BORDER2 PRIVATE Interface 192.168.11.254 Various proxies, default route for 192.168.11.0 network

BORDER3 PRIVATE Interface 192.168.10.254 CERN Proxy, default route for BORDER1

BORDER3 PUBLIC Interface Dial-up interface (modem) Internet connection



Some Rules of Thumb and Words of Wisdom

•

•

•

•

•

•

•

•

•

•

•

•



•

•

•

•

•

•

•

•

•

•

•



•

•

•

•

•

Chapter 3 - Installation May 18, 2001


Chapter 3 - Installation Server Hardware Suggestions



NetWare Server Installation Tips

Using MSDOS 6.22 and NetWare 5.1

[menu] menuitem=NOVELL,Boot as Novell server (default) menuitem=DOS,Boot to DOS with CDROM TSR's loaded menudefault,novell,15 [dos] FILES=50 BUFFERS=50 DEVICE=\DOS\CPQIDECD.SYS /D:CDROM1 LASTDRIVE=G [novell]



Never use “CDROM” as a CPQIDECD or MSCDEX command line option. CDROM is a reserved word in DOS and will not work to identify the CDROM. Use something like CDROM1 or CPQCDROM instead.

Don’t Let The NetWare Installation Create the Volumes Automatically

@echo off cls rem Written by Craig Johnson, Jan. 9, 1998 goto %config% :NOVELL cd c:\nwserver server goto END :DOS path c:\dos;c:\nc C:\DOS\MSCDEX /l:D /m:40 /d:CDROM1 :END



Install BorderManager from the Root of the CD

Get the Server on the Internet Before Configuring BorderManager



•

•

•



Setting the Default Route and DNS Servers

If you intend to use packet filter exceptions to bypass the proxies or IP Gateway for selected traffic, you also will need to Enable IP Packet Forwarding. However, the BorderManager services themselves (proxies, IP Gateway, VPN) do not require the BorderManager server to act as a router. In most cases, you will want to enable IP routing.









BorderManager Server Configuration Suggestions

In order to configure cache volumes, you need to select an advanced option during the NetWare 5 installation. Otherwise you will end up with the default – a SYS volume that uses up the entire NetWare partition. You can either re-install the server, or get a copy of a utility like PowerQuest’s ServerMagic 3. ServerMagic 3 can be used to resize the partitions and volumes, including resizing a SYS volume down to a reasonable 4GB so that you can then use NWCONFIG to create cache and log volumes.





NDS Design Considerations

Recommended Patches and Installation Sequence



How To Install BorderManager 3.x on NetWare 4.x

How to Install BorderManager 3.x on NetWare 5.0



How to Install BorderManager 3.5 and 3.6 on NetWare 5.1

If possible, do not install any optional components of NetWare 5.1 with BorderManager. Installing components such as the web server, news server and FTP server can interfere with BorderManager proxies. (You can test with these components added if you like, and simply not load them in AUTOEXEC.NCF if they cause problems. You can also install them at a later time if you like). Most of the installation is similar to installing under NetWare 5.0, except that you do not need to install a NetWare Service Pack first. (NetWare 5.1 starts out like NetWare 5.0 with Service Pack 4 installed).



CAUTION This document is likely to be out of date in regard to the patches available for BorderManager, and any issues in regard to interaction of patches and NetWare. Please check the readme files for each patch carefully to see what new settings may be required or what conflicts might result. Also, check the Novell Public Forums for current information, and check tip #1 at http://nscsysop.hypermart.net.



General Installation Notes

Working Around Licensing Startup Delays

See the section on NLS licensing below for an explanation of licensing in general. This segment is intended to show you a way to get BorderManager to start automatically, working around a slow initialization of licensing services problem.

NDS –601 Error Messages At Startup

? LOAD BRDSRV



Loading and Unloading BorderManager Manually



BMOFF.NCF

rem Craig Johnson, Feb. 21, 2001 See http://nscsysop.hypermart.net rem Unloads most BorderManager-related NLM's unload proxy rem You may want to delay unloading proxycfg until proxy.nlm unloads completely. rem Some users have seen an abend without the delay, though most are fine. rem The ? should cause a 10-second delay before proxycfg unloads, unless rem you press Y. ? unload proxycfg rem Unload CyberPatrol. unload cpfilter unload ipxipgw unload authgw unload authchk unload aclcheck unload nbmalert rem The next two lines unload VPN modules. unload vpmaster unload vpslave unload brdmon unload brdsrv unload csatpxy



BMON.NCF

Rem Craig Johnson, Mar. 11, 2001 See http://nscsysop.hypermart.net rem CSATPXY options to redirect listening port number seem to be ineffective, but you can try anyway... load csatpxy 999 rem The NOLOAD proxy prevents autoloading of most other BorderManager modules load brdsrv /NOLOAD rem The /S options represses certain (cosmetic) error messages. load aclcheck /S rem The /M option tells Mail Proxy to query more than one MX record if needed load proxy -M Rem Loads CyberPatrol load sys:etc\cpfilter\cpfilter Rem Load modules that don’t autoload w/the BRDSRV /NOLOAD option load AUTHGW load IPXF Rem Loads VPN control module - select the one you are using, Rem or comment out both if not using VPN. load vpmaster rem load vpslave



BorderManager Licenses

What Are NLS Licenses?

•

•

•

•

•



NLS Issues



Note: You can also use the LICMAINT.NLM utility to install licenses, and it may work when no other methods do. Look for the utility in the NIAS42\INSTALL directory on a BorderManager CD.

MLA Licenses



If you have NOT installed the MLA license to the server using NWCONFIG, you may have to manually copy the NICI files from the license diskette to the DOS partition (and rename them) in order to get encryption services to work. See TID 2945674.



How To Upgrade BorderManager Servers



Changing Out A BorderManager Server

Concerns

Concept

Procedure 1 – Primary IP Addresses Used





Procedure 2 – Secondary IP Addresses Used







Critical BorderManager-Related Files

Configuration Tools

INETCFG.NLM

NIASCFG.NLM

VPNCFG.NLM

BRDCFG.NLM

FILTCFG.NLM

INSTALL.NLM

NWCONFIG.NLM



SYS:\PUBLIC\WIN32\NWADMN32.EXE

SYS:\PUBLIC\MGMT\CONSOLEONE\1.2\BIN\CONSOLEONE.EXE

Data Files

SYS:\ETC\HOSTS

SYS:\ETC\GATEWAYS

SYS:\ETC\RESOLV.CFG

SYS:\ETC\TCPIP.CFG

SYS:\ETC\NETINFO.CFG



SYS:\ETC\FILTERS.CFG

Startup Files

C:\CONFIG.SYS

C:\AUTOEXEC.BAT

C:\NWSERVER\STARTUP.NCF

SYS:\SYSTEM\AUTOEXEC.NCF

Troubleshooting Tools

TCPCON.NLM

CALLMGR.NLM



PPPTRACE.NLM

Keeping BorderManager Up-to-date

Patches

The BorderManager 3.5 Enhancement Pack





Starting BorderManager

FILE SERVER NAME BORDER1 IPX INTERNAL NET 1234 # load conlog MAXIMUM=100 ; Network driver LOADs and BINDs are initiated via ; INITSYS.NCF. The actual LOAD and BIND commands ; are contained in INITSYS.NCF and NETINFO.CFG. ; These files are in SYS:\ETC. sys:\etc\initsys.ncf LOAD NETDB /N SET NAT DYNAMIC MODE TO PASS THRU=ON # STATIC NAT FOR PCANYWHERE, FTP SERVER, CITRIX ADD SECONDARY IPADDRESS 4.3.2.253 # REVERSE PROXY ACCELERATION FOR BJHOME WEB SERVER ADD SECONDARY IPADDRESS 4.3.2.252 # STATIC NAT TO MAIL SERVER ADD SECONDARY IPADDRESS 4.3.2.251 Search Add SYS:\JAVA\BIN Load NLSLSP Mount All Load CSAUDIT # BEGIN SAS/PKI (ADDED BY SASI) Load CCS Load PKI # END SAS/PKI (ADDED BY SASI) ? Load MONITOR ? Load RDATE /P 240 /V 2 /U /M 999999999 192.168.10.254 # Load BorderManager Services ? Load BRDSRV.NLM /NOLOAD ? Load ACLCHECK /S ? Load PROXY -M Load SYS:\ETC\CPFILTER\CPFILTER Load IPXF Load AUTHGW Load VPMASTER



CAUTION A problem was discovered with NETDB version 4.09, and possibly later versions. Loading it manually before INITSYS.NCF as shown in some Novell documents could lead to serious TCP/IP communications problems, when used with certain versions of TCPIP.NLM. Check the Novell Support Forums for information on manually loading this module. If it is loaded after TCPIP.NLM is loaded, you should not see a problem. You can also simply let it autoload as needed, though some startup delays may be experienced.





Tips For Getting NWADMN32 To Work With BorderManager Server

Rename the ACNWAUTH.DLL Snapin

Get The Latest Version of NWADMN32

Fix Invalid BorderManager Snapin Modules Errors

Fix “No BorderManager Licenses Available” Messages



What snapins should I have?

BorderManager 3.5 / NetWare 5.0

BorderManager 3.5 / NetWare 5.0 Volume in drive K is SYS Directory of K:\public\WIN32\SNAPINS . <DIR> . .. <DIR> .. AUDIT32 DLL 11,776 03-02-00 4:09p AUDIT32.DLL RADSNAP DLL 304,128 05-31-99 10:44p RADSNAP.DLL ALERT DLL 85,504 05-19-99 4:45p ALERT.DLL RESTRICT DLL 343,040 09-15-99 10:41a RESTRICT.DLL NWCADM32 DLL 71,680 06-02-98 6:33p NWCADM32.DLL BSMON DLL 803,328 09-14-99 12:07p BSMON.DLL PKISNAP DLL 447,488 02-18-99 2:40p PKISNAP.DLL ADMSNAP DLL 192,000 05-31-99 10:47p ADMSNAP.DLL NLSMGR32 DLL 556,544 02-29-00 5:17p NLSMGR32.DLL ACNWAUTH DL_ 225,280 06-01-99 10:20a ACNWAUTH.DL_ BSCOV DLL 119,296 09-15-99 10:19a BSCOV.DLL INI <DIR> 06-25-00 11:37a Ini 95ONLY <DIR> 06-25-00 11:48a 95ONLY NTONLY <DIR> 06-25-00 11:48a NTONLY 12 file(s) 3,160,064 bytes 5 dir(s) 3,261,267,968 bytes free



BorderManager 3.0 / NetWare 4.11

Volume in drive I is SYS Directory of I:\PUBLIC\WIN32\SNAPINS . <DIR> . .. <DIR> .. NLSMGR32 DLL 556,544 02-29-00 5:17p NLSMGR32.DLL ALERT DLL 76,288 10-12-98 2:24p ALERT.DLL BSCOV DLL 117,760 11-23-99 3:51p BSCOV.DLL RESTRICT DLL 342,016 12-03-99 1:29p RESTRICT.DLL NWCADM32 DLL 71,680 06-02-98 6:33p NWCADM32.DLL BSMON DLL 803,328 11-23-99 4:05p BSMON.DLL AUDIT32 DLL 11,776 03-02-00 4:09p AUDIT32.DLL PKISNAP DLL 447,488 02-18-99 2:40p PKISNAP.DLL ADMSNAP DLL 192,000 05-31-99 10:47p ADMSNAP.DLL INI <DIR> 07-19-00 8:59a INI 10 file(s) 2,618,880 bytes 3 dir(s) 232,718,336 bytes free

Chapter 4 – Understanding Packet Filtering May 18, 2001


Chapter 4 – Understanding Packet Filtering

Packet filtering is explained in detail in the book “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html/sysops.html. A few sections of that book have been taken out and used in this book.

Default Packet Filters



The BorderManager 3.x Default Packet Filters

Outgoing RIP Filters: •

•

•

•

Incoming RIP Filters •

Outgoing EGP Filters: •



Incoming EGP Filters •

OSPF External Route Filters •

Packet Forwarding Filters •

•

Packet Filter Exceptions

What are the Default Packet Filter Exceptions?

The default packet filter exceptions allow all outbound traffic from proxies, and some inbound traffic. However, the default packet filter exceptions do not allow certain types of inbound traffic to some of the proxies, such as inbound SMTP, NNTP or almost any special traffic for a Generic TCP or UDP Proxy. In addition, no default packet filter exception allows any inbound or outbound traffic for secondary IP addresses. You must manually add packet filter exceptions for all of these situations as needed.



There is an important distinction to be made here between the public interface and the public IP address. All of the default exceptions call out the public IP address rather than the interface. This is a necessary distinction as calling out the interface instead of the public IP address results in allowing undesired traffic. It also means that the default packet filter exceptions do not cover any secondary IP addresses that you might add to the public interface. Also, because a source or destination IP address is specified in the filter exception, it is not necessary to specify the interface.



The default packet filters cover both IPX and IP traffic, though this book is exclusively concerned with IP packet filters and exceptions. The default packet filters should not be blocking ANY traffic to or from the private interface, so if enabling packet filters causes communications problems, it may indicate that the packet filters were applied incorrectly with BRDCFG.NLM, and need to be redone, especially if IPX communications have been affected. However, there are some issues with certain types of IP communications to NetWare 5.x servers trying to go to the public IP address instead of the private IP address. In this case, the following command may be needed: SET NCP EXCLUDE IP ADDRESSES x.x.x.x (for the version in the service packs, use SET NCP EXCLUDE IP ADDRESSES = x.x.x.x - that is, add the = sign.) Another option is to set up a stateful packet filter exception allowing TCP destination port 524 from the private interface to the public IP address.

Chapter 5 – The Initial Configuration May 18, 2001


Chapter 5 – The Initial Configuration





If you have problems getting NWADMN32.EXE to launch, try renaming the SYS:\PUBLIC\WIN32\SNAPINS\ACNWAUTH.DLL file to something else so that it will not load. This file is used for configuring ActivCard parameters, but often causes NWADMN32 to crash. Refer to the Troubleshooting section at the end of this book if you have other problems getting NWADMN32 to work with BorderManager.



BorderManager Setup Main Menu



BorderManager IP Address Configuration

•

•

•



There could be additional secondary public IP addresses configured on the BorderManager server that do not show up in this NWADMN32 menu. Adding a secondary IP address to the server is done with the ADD SECONDARY IPADDRESS command. Once a secondary IP address is added to the server, it can then be added in NWADMN32 to make it available for BorderManager proxy services. Addresses used for static NAT do not require configuration in the BorderManager IP Address summary menu. However, if a secondary IP address were to be used for one of the proxies, it would have to be entered in the BorderManager IP Address Summary menu in order to configure that proxy. In the example above, there is no 4.3.2.251 IP address shown in the screenshot, but that IP address happens to be set up on the server and is used with static NAT, to bypass the BorderManager proxies for certain types of inbound traffic.

•

•

•

•

•



Secondary IP addresses used on BORDER1

•

•

•

•



Authentication Context (Proxy Authentication)

NDS-based rules can also be used with the FTP Proxy and Transparent TELNET Proxy. But the username/password has to be passed to these proxies in different ways. Also, the CLNTRUST utility has not worked with FTP Proxy in BorderManager 3.5 with patch sets up through at least BM35C11.EXE.



Proxy Authentication Settings





SSO is popularly thought of as meaning to use the CLNTRUST utility. However, both CLNTRUST and SSL authentication both make use of SSO. SSO stands for Single-Sign On, and SSO really means that the same user ID and password as the users normal login account are used for proxy authentication. This was not always the case. BorderManager 2.1 used a separate password tied to the user account, and that led to a lot of administrative burden. CLNTRUST and SSL are simply different ways to pass the user ID and password to the BorderManager server. CLNTRUST does not actually send the password across the wire, but makes use of Client32 RSA security features. SSL does send the password across the wire, but encrypts it. Unfortunately, the User ID and password for the FTP Proxy and Transparent TELNET Proxy are sent across the wire in clear text, and the FTP Proxy does not make use of the CLNTRUST utility, at least in BorderManager 3.5 patch sets up through BM35C06.EXE. Another point: Single Sign On in BorderManager is not the same as the Novell Single Sign On product.



40-bit, 56-bit and 128-bit Encryption



40-, 50-, and 128-bit encryption is different in the strength of the encryption process that is used. The practical meaning is that the higher the bit number, the harder it is to break the encryption by brute force attack.

As of this writing, a BorderManager server can be upgraded to 128-bit encryption by using a 128-bit version of TCPIP.NLM from the latest NetWare support pack, and installing the NICID156.EXE patch. If a VPN was originally configured without 128-bit encryption, it must be reconfigured (in VPNCFG) in order to upgrade to 128-bit encryption.

As of this writing, a bug has been seen in the certificate creation process when using NetWare 5.1 certificate server. ConsoleOne is used to create certificates with the newer certificate server, and it appears to be unable to create an SSL certificate at less than the highest value of encryption capable by the host server. In other words, although you may try to create a 40-bit certificate on a 128-bit server, the certificate will still be 128-bit. I have seen this happen on some networks but not others, and as of this writing do not know the cause.



Using Proxy Authentication on the Client with CLNTRUST

#F:\PUBLIC\DWNTRUST.EXE #F:\PUBLIC\CLNTRUST.EXE



If you should see many unsuccessful authentication requests (thousands), it may be that the user is not logged into the same NDS tree as the BorderManager server.

CLNTRUST Problem Work-Around

source interface=<private interface>, destination interface=<public interface> source ports=Any destination port=524 protocol=TCP destination IP address=<BorderManager server public IP address>



SET NCP EXCLUDE IP ADDRESSES x.x.x.x

SET NCP EXCLUDE IP ADDRESSES = x.x.x.x

SET NCP INCLUDE IP ADDRESSES x.x.x.x

SET NCP INCLUDE IP ADDRESSES = x.x.x.x



Configuring SSL Proxy Authentication



Creating a Security Container



Creating a Certificate Authority, pre-NetWare 5.1





Creating a Certificate Authority, with NetWare 5.1



Creating a Key Material Object for BorderManager with NWADMN32





As of this writing, a bug has been found in creating 40-bit certificates with ConsoleOne and Certificate Server 2 on some networks. Even though you try to create a custom certificate with 40-bit encryption, it comes up in the browser as using the highest level of encryption available on the server.















Assigning the Key Material Object for SSL Proxy Authentication



Using SSL Proxy Authentication

Test Conditions





The SSL Proxy Authentication Login Screen (HTML)





Macintosh computers may not be able to use SSL Proxy Authentication with Internet Explorer as the browser. Try a later version of Netscape instead.



Proxy Authentication for Citrix Users



DNS Parameters





Transport



Chapter 6 - HTTP Proxy May 18, 2001


Chapter 6 - HTTP Proxy Concepts

How BorderManager HTTP Proxy Works With DNS



# SYS:\ETC\HOSTS # 127.0.0.1 loopback lb localhost # normal loopback address 192.168.10.252 BORDER1 192.168.10.250 www.bjhome.com 192.168.10.249 www2.bjhome.com 192.168.10.251 www3.bjhome.com





•

•

•

•

•

•

•

•





How Browsers Are Configured For HTTP Proxy

Netscape





Internet Explorer



HTTP Proxy Details

HTTP





Cache Hierarchy Server



Cache Hierarchy Client



Cache Hierarchy Routing



Logging

Common Logging



You should not allow the Common log files to be created on the (default) SYS volume unless you keep a very close eye on the amount of space the log files are using. I recommend setting up a dedicated log volume and directing all common log files there.



Extended Logging

At the time of this writing, I am not aware of any commercial applications that make use of Extended log files to produce a report, therefore you may want to consider if it is worth enabling this type of logging.



Indexed Logging

•

•

•



•

•



HTTP Proxy Caching

Cache Aging



Cache Control



Caution! Do not enable read-ahead in unpatched BorderManager 3.0 servers as there is a bug that can cause the HTTP Proxy to continuously loop back and request the same web page over and over if there is a broken link on the page. This setting generally improves performance, but it is critical to apply the latest BorderManager patches to avoid the bug, which can appear to the web site’s ISP as a denial of service attack, and to you as a large waste of bandwidth.

Many changes to caching parameters do not go into effect unless you reload PROXY.NLM. If in doubt, restart the server, or unload and reload PROXY.NLM.



Cache Location

CAUTION This is a very important section! You should never leave the cache location on the default volume (SYS)!



When setting up the HTTP Proxy cache location, for BorderManager 3.0 you must create the initial directory (in this case you must manually create the CACHE1:PROXY\CACHE and CACHE2:PROXY\CACHE directories). BorderManager 3.5 and 3.6 will automatically create all the subdirectories needed according to the cache location parameters.

The cache volume should be set up with 16K block size, no suballocation and no compression enabled for good caching performance. Only DOS name space should be used on a cache volume.



You must use VREPAIR to remove LONG name space in NetWare 5.x. NetWare 5.x volumes are created with LONG name space enabled by default, unlike NetWare 4.x. You cannot remove name spaces or change NSS volume parameters at all, which is one reason I don’t recommend NSS cache volumes.



Cachable Object Control

•

•

•

•



The entries you configure here will not be cached AFTER you make the entries, but if you have already browsed to them, entries will already be in cache. You may need to clear the cache data by unloading PROXY.NLM, and then using a LOAD PROXY –CC command (clear ALL cache entries).

Entering a Non-Cacheable URL Pattern



Clearing the Proxy Cache

A faster way, to be used only when the cache is on a dedicated volume (and you should ALWAYS have the cache on a dedicated volume), is to delete and recreate the cache volume itself. Clearing the cache with the –CC option can be fairly slow on large cache volumes with many cached nodes.



Scheduled Downloads

You must check the Enable Scheduled Download box to be able to manually pre-cache data from the server console, using the “Proxy” console screen, option 22. That option allows you to immediately pull data into cache (one time) from a URL.



Entering a URL to download on a schedule



Set Download Frequency



HTTP Proxy - SOCKS Client

Only the HTTP Proxy really makes use of the SOCKS client. Other proxies will not use the SOCKS client setting (including the FTP Proxy, although the menu option makes it look like it can use SOCKS).





Setting Up a Cache Hierarchy

Concept

As far as I know, all HTTP Proxies can serve as a CERN proxy, but not all have ICP proxy capability.

The latest patch for BorderManager 3.5 and 3.6 (BM3CC01.EXE as of this writing) provides the capability of passing authentication information to an upstream caching server.



CERN Configuration, BorderManager Server as a Client





ICP Cache Hierarchy

ICP packets are not sent if only one other ICP server is defined. There is no need to query the other ICP servers unless a choice is to be made for which of those servers might already have the data.



Cache Hierarchy Routing Exceptions

See Scenario 8, earlier in this book, for a diagram of the servers and addressing used. The cache hierarchy being described is between BORDER1 and BORDER3.



Chapter 7 - Transparent Proxy May 18, 2001


Chapter 7 - Transparent Proxy Transparent Proxy (HTTP)

Concept

Pros •

•

•

Cons •

•

•

•

•

•

•



Configuring Transparent Proxy

BorderManager 3.0 Transparent Proxy configuration menu



BorderManager 3.5 & 3.6 Transparent Proxy configuration menu



Transparent Proxy will cache data from a web site as a different node than the same web site accessed through HTTP Proxy. That is, the same data might be cached twice, once for Transparent Proxy and once for HTTP Proxy. Because of this difference, you also will continue to cache data that has been entered as a non-cacheable URL if you are using Transparent Proxy instead of HTTP Proxy.



CAUTION: HTTPS / SSL port 443 redirection does not work through transparent proxy by design. You should set up a stateful packet filter exception to pass this type of traffic through, or rely on the HTTP proxy, which will handle port 443 traffic.

Ways To Convert Browsers To Use HTTP Proxy

#regedit -s f:\public\proxy.reg

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable"=dword:00000001 "ProxyServer"="10.10.10.1:8080"





Transparent TELNET Proxy

Transparent TELNET proxy is available only in BorderManager 3.5 and 3.6. It is not present in BorderManager 3.0.

Concept



Configuring Transparent TELNET Proxy





User Authentication



Transparent TELNET Proxy Usage

Example 1 – No User-based Authentication Required

TELNET UNIXSERVER.COM



Example 2 – NDS-Based User Authentication

TELNET UNIXSERVER.COM



Novell Border Manager TELNET Proxy Service You are required to authenticate before connecting to the target host User Name:

User Name: Admin

Access Denied by Novell Border Manager:Access Control failure

Access Denied by Novell Border Manager:user login failure

Chapter 8 - FTP Proxy May 18, 2001


Chapter 8 - FTP Proxy Concept

Limitations

Alternative For ACTIVE (PORT) FTP



Configuring FTP Proxy

User Authentication

Clear Text User/Password

Single Sign On



FTP Proxy Usage

Example 1 – No User-based Authentication Required, DOS FTP Client

FTP BORDER1



Connected to BORDER1.BJHOME.COM. 220 Service Ready User (BORDER1.BJHOME.COM:(none)):

User (BORDER1.BJHOME.COM:(none)): anonymous$ftp.sysop.com

331 Anonymous access allowed, send identity (e-mail name) as password. Password:

230-Welcome to the FTP Server 230 Anonymous user logged in. ftp>



Example 2 – User-based Authentication Required, DOS FTP Client





FTP BORDER1

Connected to BORDER1.BJHOME.COM. 220 Service Ready User (BORDER1.BJHOME.COM:(none)):



User (BORDER1.BJHOME.COM:(none)): anonymous$ftp.sysop.com

530 Access Denied by Novell Border Manager:Access Control failure Connection closed by remote host ftp>

ftp> Open BORDER1 Connected to border1. 220 Service Ready. User (border1:(none)): admin.dd$anonymous$ftp.sysop.com 331 Anonymous access allowed, send identity (e-mail name) as password. Password: <press enter, or type your email address> Connection closed by remote host. ftp>



ftp> Open BORDER1 Connected to border1. 220 Service Ready. User (border1:(none)): admin.dd$anonymous$ftp.sysop.com 331 Anonymous access allowed, send identity (e-mail name) as password. Password: <admin user password>$<press Enter, or type your email address> 230-Welcome to the FTP Server 230 Anonymous user logged in. ftp>



Example 3 – User-based Authentication Required, CuteFTP Client

Admin.DD$anonymous$ftp.sysop.com



<admin.dd NDS password>$<your email address>



Example 4 – User-based Authentication Required, WS_FTP Client



All Examples, FTP Proxy Statistics Screen

Chapter 9 - Mail Proxy May 18, 2001


Chapter 9 - Mail Proxy Concept

An Alternative

A GWIA Alternative



Configuring Mail Proxy

No Internal Mail Server, Mail Through Proxy

SYS:\ETC\PROXY\SPOOL\INCOMING

SYS:\ETC\PROXY\SPOOL\OUTGOING



Using an NSS volume to hold the spool directory may cause problems.



The latest Proxy/ACL patch (BM3XC01 at the time of this writing) may have specific settings required in the SYS:ETC\PROXY\PROXY.CFG file to be used for configuring the mail proxy. Check the patch instructions carefully.

Internal Mail Server, Mail Through Proxy

Source Interface: <public interface> Destination Interface: <public interface> Protocol: TCP Destination Port: 25 (SMTP) Destination IP Address: <public IP address of the BorderManager server>



Source Interface: <public interface> Destination Interface: <public interface> Protocol: TCP Destination Port: 110 (POP3) Destination IP Address: <public IP address of the BorderManager server>





Be sure to check the installation instructions in any BorderManager patches. The Proxy/ACL patch BM35C11 and later in particular calls out different values to be used than the ones shown in this example.



GWIA Example Settings

This example is for GroupWise Internet Agent running on an internal mail server, NOT on the BorderManager server. If you are running GWIA on the BorderManager server, you would not be using the Mail Proxy.



Access Rule and Packet Filter Exception to Allow POP3 Through Mail Proxy

Inbound POP3





Outbound POP3



Access Rule To Allow SMTP Through Mail Proxy



Access Rules to Control Use of Mail Proxy

Internal Mail Server

No Internal Mail Server



Access Rule Examples





Chapter 10 - News Proxy May 18, 2001


Chapter 10 - News Proxy Concept

Using News Proxy With An External NNTP Server

Chapter 10 - News Proxy May 18, 2001


Chapter 11 - Real Audio Proxy May 18, 2001


Chapter 11 - Real Audio Proxy

BorderManager 3.0 Settings



BorderManager 3.5 & 3.6 Settings



BorderManager 3.0 RealAudio Proxy Access Rule



BorderManager 3.5 & 3.6 RealAudio and RTSP Access Rule



RealPlayer G2 Proxy Settings

The PC-to-proxy data for the RTSP protocol is sent using port 9090, while the proxy-to-RTSP host data will use port 554.

Chapter 12 - DNS Proxy May 18, 2001


Chapter 12 - DNS Proxy Concept

An Alternative

Chapter 12 - DNS Proxy May 18, 2001


Configuring DNS Proxy

If you configure DNS Proxy, you cannot run a DNS server on the same server as BorderManager because only one will be able to listen on port 53. (I do not recommend running a DNS server on BorderManager).

Chapter 13 - Generic TCP Proxy May 18, 2001


Chapter 13 - Generic TCP Proxy Concept



You cannot set up the same TCP port number as that used by one of the non-generic proxies, such as the HTTP, Mail, or News Proxies. Those port numbers are reserved, even if those proxies are not enabled. See the example on NNTP proxy below for a possible alternative.

Configuring Generic TCP Proxy



Example for NetWare Web Manager









Browser Configuration

Access Rule Configuration

HTTPS://4.3.2.247:12345

HTTPS://www3.bjhome.com:12345





Example For NNTP

"News", "NNTP" and Usenet are synonymous in this case.

An alternative to using any proxies for Usenet access is to set up a stateful packet filter exception, usually in combination with Dynamic NAT, to allow routing of outbound NNTP traffic to any Usenet server.





The access rule only specifies the destination port to be used on the Internet side of the BorderManager server. The custom port (listening port on the internal side of the BorderManager server) is not specified in an access rule.



Outlook Express Configuration











Not all Newsreader programs have a menu entry for setting a non-default port number. However, those programs, like Forte Free Agent, may allow you to change the default listening port number in an INI file.



Agent /Free Agent Configuration

[Servers] NewsServer="192.168.10.252" MailServer="<your mail server goes here>" POPServer="" NNTPPort=120 SMTPPort=25 POPPort=110 SMTPServerPort=25



Example Generic TCP Proxy for Inbound pcANYWHERE

pcANYWHERE locates other pcANYWHERE hosts using UDP port 5632, and if no response is received on 5632, then UDP port 22 is also tried. Once a pcANYWHERE host is located, a connection is made and traffic is exchanged on TCP port 5631. Both a UDP and a TCP generic proxy (along with appropriate access rules, and packet filter exceptions if using a secondary public IP address) are required.



Chapter 14 - Generic UDP Proxy May 18, 2001


Chapter 14 - Generic UDP Proxy Concept

You cannot set up the same UDP port number as used by one of the non-generic proxies, such as the DNS proxy. Those port numbers are reserved, even if those proxies are not enabled.





Generic UDP Proxy - Time Server Proxies



Configuring A Generic UDP Proxy for NTP



Configuring a Generic UDP Proxy for RDATE



Example Generic UDP Proxy for Inbound pcANYWHERE



Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001


Chapter 15 – Acceleration (Reverse Proxy) HTTP Acceleration

Concept

Using Primary Public IP Address



Configuring Reverse Proxy Acceleration







Using a Secondary Public IP Address

Filter Exceptions Needed for Reverse Proxy Acceleration

Review the section toward the front of this book if you are not familiar with secondary IP addresses.

If you are using Dynamic NAT, you MUST either disable NAT Implicit Filtering in INETCFG, or SET NAT DYNAMIC MODE TO PASS THRU=ON (and put that in AUTOEXEC.NCF). There is also a ‘trick’ that effectively disables NAT Implicit filtering ONLY for a single IP address – static NAT the public secondary IP address to itself.







Access Rule Required for Reverse Proxy Acceleration



FTP Acceleration

Concept

Configuration

This is one case where the default packet filter exceptions do not cover the requirements of a proxy. You must add a packet filter exception to allow TCP destination port 21 to the BorderManager server’s public IP address being used for FTP Acceleration.







Chapter 16 – The Gateways May 18, 2001


Chapter 16 – The Gateways IPX/IP Gateway

Concept



Pros •

•

•

•

•

Cons •

•

•

•

•

History of IPX/IP Gateway

IntranetWare IPX/IP Gateway



BorderManager 2.1 IPX/IP Gateway



BorderManager 3.x IPX/IP Gateway





The Single Sign On Authentication and Log settings for IPX/IP Gateway also affect the IP/IP Gateway.



Client Settings For IP Gateway

Use Proxy, No Authentication, No Rules, No Logging •

•

•

•

•

•

Use Proxy, Authentication, Access Rules and Logging •

•

•

•

•

•

•

•

•



Use IP gateway, No Proxy, Access Rules and Logging •

•

•

•

•

•

•



Installing IP Gateway Service on the PC







IP/IP Gateway

Concept

Pros •

•

•

•

Cons •

•



•

•

Access Rules, Proxies and the IP/IP Gateway

IP/IP Gateway With Access Rules And Without Proxy •

•

•

IP/IP Gateway Without Access Rules And With Proxy •

•

IP/IP Gateway With Proxy and With Access Rules •

•

•

•



Configuring IP/IP Gateway



The Single Sign On Authentication and Log settings for IP/IP Gateway also affect the IPX/IP Gateway.



SOCKS Gateway

Concept



•

•

•

•

Chapter 17 - Site-to-Site VPN May 18, 2001


Chapter 17 - Site-to-Site VPN Introduction to BorderManager VPN

Concept



Setting Up the Master VPN Server

Configuration Tasks at the Server Console







VPN IP and IPX Addressing Design Considerations

It is key that you assign unique IP and IPX network numbers to the VPN segments!



For the VPN server tunnel IP addressing, use a private Class C IP network number from the range between 192.168.0.0 and 192.168.254.0 for best results, with subnet mask 255.255.255.0. The examples in this book will show 192.168.99.0 in use. Refer to the Site-to-Site VPN scenario earlier in this book.

•

•

•

•





Setting Up The Master VPN Server, Continued













In order to set up Site-to-Site VPN slave servers, you will be required to supply the MINFO.VPN file at the slave server.













Configuring the VPN Master Server in NWADMN32









Adding a Site-to-Site Slave VPN Server – Server Console Procedures

Review the section ‘Configuring a Master VPN Server’ under the section on setting up Client-to-Site VPN for details on getting the first VPN server configured.





See the section in this book on configuring a Master VPN server for more explanation on VPN addressing considerations.



You will be required to provide the MINFO.VPN file from the Master VPN server at this point, and you will need the slave server’s authentication digest string (for comparison purposes). The easiest way to enter the data is to have that file on a floppy disk inserted in the slave server at this point.























Adding a VPN Slave Server – NWADMN32 Procedures











Adding a network or host address to the protected list will set a static route on the other Site-to-Site VPN servers pointing to the protecting server’s VPN tunnel IP address. In the example shown for BORDER2, if you look at the BORDER1 server’s SYS:\ETC/GATEWAYS file, you should see an entry for 192.168.11.0 pointing to a next hop of 192.168.99.253. Only protect networks that are actually ‘behind’ the server you are configuring.





Chapter 18 - Client-to-Site VPN May 18, 2001


Chapter 18 - Client-to-Site VPN Concept

As of this writing, Client-to-Site VPN does not work on WindowsME.



Setting Up VPN Servers



The WAN Client IPX Network Address must not be the same as an IPX network number used anywhere else in the network, including on either side of a Site-to-Site VPN or an internal IPX Net Number of a NetWare server.



Caution: If you select Encrypt All Networks, ALL traffic from a VPN user will come across the WAN link to the BorderManager server and be encrypted, including that user’s regular Internet traffic! This setting often results in the client browsing to the Internet failing.

All internal TCP/IP hosts to be accessed via a VPN connection MUST be configured with a valid default gateway.







BorderManager Client-to-Site VPN Access Rules















Configuring a Client-to-Site VPN Client PC



VPN Client Connection Process – A Case Study



Step 1 – Try LAN VPN Client Connection to BORDER1







Step 2 – Repeat Test With Valid IP Address









Step 3 – Install/Reinstall VPN Client Software







Step 4 – Try LAN VPN Client Connection to BORDER2



I did not receive the same display in the test to BORDER1 only because I had previously tested a VPN connection to that server and accepted the Authentication Data. You should always get an Authentication Data displayed the first time you connect to a BorderManager VPN server.



Important! Most people having the problem shown here should be able to simply delete any existing LPOCACHE.DAT files they find rather than go through the exercise shown next to set up a Login Policy Object.



Step 5 – Create a Login Policy Object







Step 6 – Add Rule for VPN Authentication











Step 7 – Try LAN VPN Client Connection to BORDER2 Again





Client-to-Site VPN Using Pure IP Login

Windows 2000 does not support IPX over Client-to-Site VPN.

Routing Issues

Missing Default Route on Internal Hosts and Routers



Incorrect Default Route on Internal Hosts and Routers

CAUTION Using dynamic NAT on the private IP address of a BorderManager server should be done ONLY when the server is used as a dedicated Client-to-Site VPN server.

Issues with Client-to-Site over Site-to-Site Links



The problem above has been observed on my master VPN BorderManager 3.5 and 3.6 test servers, but not on my slave BorderManager 3.0 or 3.5 test servers. The slave test servers simply do not seem to forward the packets across the Site-to-Site VPN link at all. You may see either behavior in your environment, but the problem remains that traffic does not cross the Site-to-Site VPN link.

Issue with BorderManager 3.5 and 3.6 with Client-to-Site VPN and Dynamic NAT



Service Location Issues

Making Use of SLP

Using NWHOST Instead Of (Or In Addition To) SLP



Using the HOSTS File

JOHNSON 192.168.10.250 P200 192.168.10.250 BORDER1 192.168.10.252

192.168.10.250 JOHNSON 192.168.10.250 P200 192.168.10.252 BORDER1



The Importance of Client32 Protocol Preferences



The Bottom Line





Client-to-Site VPN Over NAT

As of this writing, the BorderManager server itself must not be behind a NAT connection. Its public IP address must be a registered public IP address on the Internet.

Disconnecting a Client-to-Site Connection

Chapter 19 - Viewing Audit Log Data for VPN May 18, 2001


Chapter 19 - Viewing Audit Log Data for VPN

Using NWADMN32 To View Log Data











An Alternative To Using NWADMN32

VPTUNNEL Debug Options

VPNINF/VPMASTER/VPSLAVE Debug Options

Chapter 20 - Access Rules May 18, 2001


Chapter 20 - Access Rules Concept

The Default Rule



Rule Inheritance

Proxy Authentication and NDS-based Rules

NDS-based rules are simply skipped if the user is not proxy authenticated! And not all proxies can make use of proxy authentication.



Enforce Rules



Time Restrictions

Unfortunately, Time Restrictions do not honor daylight savings time.



Setting Up Access Rules

Caution: It is not recommended to apply rules to containers unless you thoroughly understand the ramifications of the rules inheritance, timing and NDS design issues involved.

Putting the least frequently used rules below more frequently used rules will enhance performance, though you may not notice any real difference.



Explanation of the Effective Rules







Checking Effective Rules

I have adjusted the column borders in the examples shown so that the columns in view can be more easily seen. You can drag the rule divider columns as you like to see the complete column.







It may be worthwhile to set up a separate CyberPatrol Deny rule for each CyberPatrol category in order to be able to tell users which category was denied to them, by tracking an Access Control Log entry to the access rule number.



If you are using inherited rules, adding another rule to the very end of the rules list can only be done by adding the rule as high or higher in the NDS tree as the inherited rules.



Rules Applied On BORDER1

Allow All users to Access Selected URL’s

You can go to the http://www.cyberpatrol.com web site to see if a particular URL has been placed on the CyberNOT list. You can also email CyberPatrol, using a link on their web site, to request that a URL be added or removed from the CyberNOT list.





Allow the Admin User to Access a Reverse Proxy



Allow Selected Users Access to Any URL



If CLNTRUST is not running or SSL login has not been achieved, this rule will be ignored and access to a URL will be granted or denied based on other access rules farther down the rules list.



Allow Access To Reverse Proxy



Track Usage for a Particular Web Site



Allow HTTPS/SSL Through Reverse Proxy



Block Selected Downloads





Deny Access to CyberNOT List URL’s





Allow Browsing to FTP Sites Through the HTTP Proxy





Track Specific Users with an Allow URL Rule



See Novell TID 2938132, “Managing the proxy cache log files” for a method of controlling the size of the log files. Or see Novell TID 10013835, “How to Manage the BorderManager Proxy Cache”, which is basically the same TID.





Allow a Group of Users to Any URL

•

•

If Proxy Authentication is NOT enabled, this rule will be skipped over! None of the member of the InternetUsers.tuc.dd group will be able to browse any URL, except for www.yahoo.com.



Allow Admin User to FTP Accelerator (FTP Reverse Proxy)



Deny All Users Access To FTP Reverse Proxy



Allowing Use of the FTP Proxy

FTP Proxy applies only to FTP clients. Browsing to FTP sites through the HTTP Proxy can be done using a browser if access rules have been set up to allow Any URL. If Access Rules are instead set up to allow ports 80 and 443, then FTP browsing should be blocked, but browsing to non-standard linked references will also be blocked.





Allow External Access to Web Manager



Deny VPN Client Access to the BORDER1 Server



Allow VPN Client Access to the BORDER1 Server

You should realize that this rule only controls access to the VPN connection itself, not to internal resources once the VPN connection is established. You cannot allow a user to connect to the VPN, and then deny that user access to certain servers by using BorderManager Access Rules. Once the user is authenticated to the VPN, his/her PC becomes a remote node on the network, as if it were physically plugged into the local LAN.





Allow Access to RealAudio Proxy





Allow Access To Generic UDP Proxy for Port 37 (RDATE)

RDATE.NLM is available for free from http://www.murkworks.com.

One syntax for using RDATE on an internal NetWare server might be: LOAD RDATE /u /p 60 /v 2 /m 999999999 192.168.10.254



Inbound pcANYWHERE Access Rules Using Generic Proxies

This example will only allow a single internal host to be set up for access from the Internet. If additional internal hosts are desired to be accessed from the Internet, static NAT using packet filter exceptions and secondary public IP addresses would be one comparatively easy way to accomplish the task. Using multiple generic proxies with secondary IP addresses can quickly get very complicated because of issue of needing to have a unique IP address/port number combination on the private interface.







Access Rules Allowing The News Proxy

Allowing Use of the News (NNTP) Proxy for Reading



Allowing Use of the News (NNTP) Proxy for Posting.



Allow Outbound SMTP Through the Mail Proxy



Allow Inbound SMTP Mail Through the Mail Proxy



Deny All SMTP Mail Through the Mail Proxy



Allow Inbound POP3 Through the Mail Proxy



Deny All Ports for Troubleshooting Purposes



Deny All URLs For Troubleshooting Purposes



Example - Setting an Allow All URL Rule



Example - Adding a CyberPatrol CyberNOT List Deny Rule



CyberNOT List Selection



CyberNOT List Definitions in Use

•

•

•

•

•

•

•

•

•

•

•



•

•



The Refresh Server Button



Those Additional Rules Fields



Backing up Access Rules





Chapter 21 - Installing CyberPatrol May 18, 2001


Chapter 21 - Installing CyberPatrol



Registering CyberPatrol

For BorderManager 3.0 and 3.5, a newer version of cpfilter.nlm than that included on the installation CD is available from the Minimum Patch List at http://support.novell.com. You should install the newer version before configuring CyberPatrol for the first time to avoid duplication of effort.



The CyberPatrol REGISTER.EXE Program





Downloading a new CyberNOT list on demand

Chapter 22 - Custom Error Pages May 18, 2001


Chapter 22 - Custom Error Pages Concept

One Example

"403 Forbidden - You have attempted to access an unauthorized site. All such attempts are logged, and the logs are made available for managerial review. You could be subject to dismissal. Contact the systems administrator at 555-1234 and offer him/her a hefty bribe to tell management that you were testing CyberPatrol for him."





<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta name="GENERATOR" content="Mozilla/4.72 [en] (Win98; U) [Netscape]"> <title>BorderManager Information Alert</title> </head> <body bgcolor="#FFFFFF"> <table BORDER=0 CELLSPACING=4 CELLPADDING=8 frame > <tr height="30"> <td WIDTH="444" HEIGHT="30"><img SRC="<PROXY_ADDRESS>/data/bmtext.gif" height=40 width=445></td> </tr> <tr height="30"> <td WIDTH="444" HEIGHT="30" BGCOLOR="#FFFFFF"> <center>An error has occurred with your request </center> </td> </tr> <tr> <td WIDTH="444"><img SRC="<PROXY_ADDRESS>/data/<ERROR_STATUS>.gif" width=444></td> </tr> <tr height="30"> <td WIDTH="444" HEIGHT="30" BGCOLOR="#FFFFFF">Description: <ERROR_DESCRIPTION></td> </tr> <tr> <td WIDTH="444">Contact the systems administrator at 555-1234 for additional explanations for the error message. The most common errors seen are: 403 Forbidden - The user tried to access a site that is blocked by an access rule. X-rated sites are often blocked. 502 Bad Gateway - This is a communications issue and generally means that an invalid URL was entered in the browser (mistyped the address). Can also result from DNS problems. 504 Gateway Time-out - This is a communications issue and generally means that a valid URL was entered, but a DNS server is not available or the web server is down.. <img SRC="<PROXY_ADDRESS>/data/alertbar.gif" height=8 width=445></td> </tr> </table> </body>

</html>



The source address for the GIF files is denoted as <PROXY_ADDRESS>/data/bmtext.gif (or whatever the filename happens to be). Some editors may cut off the directory part of the file name (leaving just bmtext.gif for instance), and that will not work. Also, in my sample PXYERR.HTM, I use a width of 444 pixels for <ERROR STATUS>.gif. Be careful not to make your GIF files too large or too small! (By the way, I used Paint to create the 403 forbidden.GIF file, though I used Viewprint to crop it down as it was too large initially.)

[MiniWeb Server] Port-Number=1959 Root-Directory=SYS:\ETC\PROXY\DATA

Chapter 23 - Using Dynamic NAT May 18, 2001


Chapter 23 - Using Dynamic NAT

Some packet filter exceptions are also shown in the section on configuring reverse proxy acceleration on a secondary IP address.

Concept



•

•

•

•

•

This is NOT intended to be a full explanation of working with packet filter exceptions, or to provide numerous examples. To thoroughly understand how packet filter exceptions work, and for many more examples, you should look in the book “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html/sysops.html.

SET NAT DYNAMIC MODE TO PASS THRU=ON



Outbound DNS

This is one example of using packet filter exceptions to allow selected traffic to bypass the BorderManager proxies and route to the Internet. Dynamic NAT is often (usually) required for the example shown to work. The exception (not using dynamic NAT) would be if the internal LAN is using properly registered public IP addresses. This example was taken from “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html/sysops.html. Much more explanation and many more examples are contained in that book.

DNS from Internal PC’s to an ISP’s DNS Servers



Figure 1 - FILTCFG - DNS Filter Exception for UDP Port 53



Figure 2 - FILTCFG - DNS Filter Exception for TCP port 53



Outbound NNTP

This is one example of using packet filter exceptions to allow selected traffic to bypass the BorderManager proxies and route to the Internet. Dynamic NAT is often (usually) required for the example shown to work. The exception (not using dynamic NAT) would be if the internal LAN is using properly registered public IP addresses. This example was taken from my book “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html/sysops.html. Much more explanation and many more examples are contained in that book.



Chapter 24 - Using Static Nat May 18, 2001


Chapter 24 - Using Static Nat Concept

That's right - I said the packet filter exceptions for static NAT use the internal IP address of the host, not the IP address assigned on the BorderManager server!



Static NAT To Internal SMTP Mail Server

This is one example of using packet filter exceptions to allow selected traffic to bypass the BorderManager proxies and route to the Internet. Dynamic NAT is often (usually) required for the example shown to work. The exception (not using dynamic NAT) would be if the internal LAN is using properly registered public IP addresses. This example was taken from my book “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html. Much more explanation and many more examples are contained in that book.



Here is where you might want to add your ISP's mail server IP address as a Source IP address.







Chapter 25 -BorderManager Alerts May 18, 2001


Chapter 25 -BorderManager Alerts Concept

Configuring Alerts



BorderManager 3.0



BorderManager 3.5 and 3.6



Chapter 26 - Logging May 18, 2001


Chapter 26 - Logging Controlling the Size of the Indexed and Access Control Logs







Viewing Common Log Files



Configuring "WebTrends for Firewalls and VPN’s" For Novell BorderManager

WebTrends Configuration





















•

•

•

•

•

•

This information is from an as yet unpublished article by Marcus Williamson, 'Understanding BorderManager Logging' Marcus Williamson Connectotel Ltd http://www.connectotel.com/



Viewing Extended Logs

Viewing Indexed Logs









•

•

•









Viewing Real-Time Proxy Cache Data

BorderManager 3.x only shows you 100 sites on this screen.



Viewing Access Control Logs



If you are NOT using Proxy Authentication, you will NOT see the user ID’s as shown in the example. You will instead see the IP addresses of the host PC’s used when browsing. If browsing was done via a Citrix server, the same IP address (or user ID) would probably be shown in the log files as all Citrix users will have the same IP address.



You will only see the URL’s accessed when using HTTP Proxy. If you are using Transparent Proxy, only the IP addresses of the hosts will be shown.







Usage Trends

•

•

•

•

•

•



Exporting the Access Control Log to Excel













Viewing VPN Activity













Chapter 27 - BorderManager Console Screens May 18, 2001


Chapter 27 - BorderManager Console Screens

IP Gateway / SOCKS



Proxy Console



Option 1 - FastCache Current Activity screen







Option 2 – Display Memory Usage



Option 3 – Display ICP Statistics

The screen shown here, and the ones that follow were not all taken from the same server or at the same time. Some screen examples will clearly contradict others.



Option 4 – Display DNS Statistics



Option 5 – Display Cache Statistics



Option 6 – Display Not Cached Statistics



Option 7 – Display HTTP Server Statistics



Option 8 – Display HTTP Client Statistics



Option 9 – Display Connection Statistics



Option 10 – Display FTP Client Statistics



Option 11 – Display GOPHER Statistics



Option 12 – Display DNS Cache Entry Information



Option 13 – Show hosts sorted by most DNS lookup requests



Option 14 – Show Origin Hosts Sorted by Amount of Data Transmitted by the Cache



Option 15 – Show Origin Hosts Sorted by the Amount of Data sent TO the Cache



Option 16 – Show Proxies and Origin Hosts Sorted By Most Data Directly Received



Option 17 – Display Configured Addresses and Services





Option 18 – Display SOCKS Client Statistics



Option 19 – Application Proxies



Mail Proxy Statistics



Real Audio Proxy Statistics



Option 20 – Transparent Proxy Statistics

This option has always had a bug in that incorrect statistics were shown for Transparent Proxy, including negative values for some parameters.

Chapter 28 - Proxy Cache Configuration Console May 18, 2001


Chapter 28 - Proxy Cache Configuration Console

Download the file BM3PCFG.EXE file from http://support.novell.com to see Novell’s explanation of many of the proxycfg screens. The explanations are quite good.



Option 1 – Display Object Cache Configuration



Option 2 – Display DNS/Miscellaneous Configuration



Option 3 – Display TCP Configuration



Option 4 – Display ICP Configuration



Option 5 – Display FTP/GOPHER Configuration



Option 6 – Display HTTP Configuration



Option 7 – Display Authentication Configuration



Option 8 – Display Generic TCP/UDP Configuration



Option 9 – Display RealAudio Configuration



Option 10 – Display SMTP Configuration



Option 11 – Display POP3 Configuration



Option 12 – Display NNTP Configuration



Option 13 – Display SOCKS Configuration



Option 14 – Display THTTP Configuration



Option 15 – Display Site Download Configuration



Option 16 – Display TTELNET Configuration

This console screen is seen only on BorderManager 3.5 or 3.6 servers.



Option 17 – Display RTSP Configuration

This console screen is seen only on BorderManager 3.5 or 3.6 servers.

Chapter 29 – Troubleshooting BorderManager May 18, 2001


Chapter 29 – Troubleshooting BorderManager

Simplify the Configuration

Start at the Server



Isolate the Problem

Look at the IP Packets at the Server

Is it a Filtering Problem?

Is it a NAT or a Routing Problem?



•

•

•

•

•

Is it an Access Rule Problem?



How To Search the Novell KnowledgeBase

HTTP Proxy Issues



Transparent Proxy Issues

•

•

•

•

•

•

Mail Proxy Issues

DNS Proxy Issues



IP Gateway Issues

Site-to-Site VPN Issues

Client-to-Site Issues



Miscellaneous Issues

Dial-Up Connection Keeps Coming Up

Chapter 30 - Performance Tuning May 18, 2001


Chapter 30 - Performance Tuning

General Recommendations • Get the latest patches and drivers. • Get the latest DISK and LAN drivers from your hardware vendor. • ALWAYS read the readme file for new patches before applying them. • Keep Cache Volumes Separate • Have Multiple Cache Volumes (best to have them on separate physical

drives). • Turn Compression Off • Turn Suballocation Off • 8k Block Size

I recommend 16K block size instead of 8K block size. I find it to be more efficient for RAM usage, and disk space is generally cheap these days.

• Use DOS Name Space only on cache volumes • If using NSS volumes for caching, LOAD NSS /cachebalance=65

I recommend legacy volumes for caching as I have been told (by someone at Novell who knows!) that NSS volumes are about 30% slower than legacy volumes for caching.



• Load NETDB.NLM /N directly after INITSYS.NCF • Clean out unnecessary entries from the SYS:\ETC\HOSTS file • Clean out unnecessary entries in the SYS:\ETC\RESOLV.CFG file • Delete the SYS:\ETC\PROXY\PXYHOSTS file if you suspect DNS cache

problems.

I also recommend you flag the PROXY directory for immediate purge of deleted files so that you do not build up endless copy of deleted PXYHOSTS files. A new PXYHOST file is saved every 10 minutes.

Use the Following Server Set Parameters

Maximum Physical Receive Packet Size = 1514

WARNING! With many modern LAN drivers, particularly with NetWare 5.x, you should use a Maximum Physical Receive Packet Size of no less than 2048 because the LAN drivers require additional overhead! Going too small on this parameter can cause tremendous communications problems. I prefer to waste some memory and leave the value at the default of 4224.

• Maximum Packet Receive Buffers = 10000 • Minimum Packet Receive Buffers = 5000 • New Packet Receive Buffer Wait Time = 0.1 sec • Maximum Interrupt Events = 50 • Garbage Collection Interval = 5 • Read Ahead Enabled = on • Maximum Concurrent Disk Cache Writes = 750 • Dirty Disk Cache Delay Time = 0.1 sec • Dirty Directory Cache Delay Time = 0.1 sec • Maximum Concurrent Directory Cache Writes = 125 • Directory Cache Allocation Wait Time = 0.1 sec • Directory Cache Buffer NonReferenced delay = 30 min • Minimum Directory Cache Buffers = 1000 • Maximum Directory Cache Buffers = 4000 • Maximum Number of Internal Directory Handles = 500 • Immediate Purge of Deleted Files = on • Enable File Compression = off • Maximum File Locks = 100000



The Maximum File Locks parameter must be set higher than the maximum hot nodes setting in the BorderManager setup in NWADMN32 or the hot nodes setting will not take effect. The maximum hot nodes usable will be about 2/3rds of this value.

• Enable Hardware Write Back = on • Enable Disk Read After Write Verify = off • Worker Thread Execute In A Row Count = 15 • Pseudo Preemption Count = 200 • Minimum Service Processes = 500 • Maximum Service Processes = 1000 • New Service Process Wait Time = 0.3 sec

Use The Following NetWare Administrator (NWADMN32) Settings

Your server may require customization from these parameters for bets results.

• Maximum Hot Unreferenced Time = 30 • Cache Hash Table Size = 256 • Maximum Number of Hot Nodes = 50000

Remember that this parameter requires you to set the Maximum File Locks setting higher (suggested value is 100,000 locks).

• Number of Directories = 128

You should enter a value or 128 times the number of cache volumes configured as the value entered will be divided across all the cache volumes.

Watch Your Memory - Memory Considerations

• Eliminate any NLM’s that you don't need. • Watch the LRU Sitting Time in Monitor – keep it above 15 minutes. • Use efficient buffer sizes • Use DOS name space only on the cache volume(s)



You cannot remove name spaces from an NSS volume, so don’t waste time trying. NetWare 5 automatically creates legacy volumes with LONG name space added, and you have to use VREPAIR to then remove the LONG name space.

Chapter 31 - Odds & Ends May 18, 2001


Chapter 31 - Odds & Ends Documenting Your Server

Run CONFIG.NLM

You must use the LOAD command syntax on NetWare 5.x servers because you will otherwise run the internal CONFIG command and not the NLM. Alternative: Type CONFIG.NLM instead of CONFIG.



Caution! The output from CONFIG.NLM includes the serial number of the server, and can show the RCONSOLE password in the NETINFO.CFG data. If you plan on posting the config.txt file (in the Novell Support Connection public forums for troubleshooting perhaps), be sure to edit out this information first!

Comment Your Filter Exceptions



Screenshot your VPNCFG Screens

Screenshot your INETCFG Settings

Screenshot your NWADMN32 Screens

Back Up Your Access Rules



Miscellaneous Hints

I have not personally verified the accuracy of all of this information

PPTP to BorderManager 3.5

Converting Internet Explorer to Proxy Settings

VPN & Modems Tip

#regedit -s f:\public\proxy.reg



VPN Client with LAN Connection

•

•

VPN with Client 4.7x for NT



Citrix Setting for NAT

Remote Install of BorderManager 3.5 or 3.6 By Redirecting GUI

HOSTS File Tip

altaddr /set xxx.xxx.xxx.xxx



Load Balancing Internal Web Servers

I wonder how useful this actually is, since the static cache content still comes only from the one BorderManager server.

SSL Logout Page Location

St. Bernard Software – Don’t Use On BorderManager



Serving up the PROXY.PAC File from BorderManager

More PROXY.PAC File Help

function FindProxyForURL(url, host) { // Direct connections to local domain if (isPlainHostName(host) || dnsDomainIs(host, ".internal1.com") || dnsDomainIs(host, ".internal2.com") || dnsDomainIs(host, ".somewhereelse.co.uk") || dnsDomainIs(host, ".playdomain.uk") || dnsDomainIs(host, "127.0.0.1") || dnsDomainIs(host, "10.") || dnsDomainIs(host, ".nothere.int")) return "DIRECT"; // Otherwise use proxy else return "PROXY 10.119.208.11:8080; " + "PROXY 10.119.208.10:8080"; }



BorderManager and NetWare Cluster Services

If you don’t mind losing your build up of cache and storing the HTTP logs of both servers independently, then it isn’t necessary to configure the BorderManager resource to use a shared storage subsystem. The benefits of this include; faster cache performance (NSS volumes are about 30% slower than Netware Partitions), and a large savings in money. Saving the HTTP logs on each server’s separate volumes is not an issue as log analysis programs like WebTrends can easily coalesce the logs into one report for you.





The 255.255.255.254 subnet mask discussed above is not an error – it works for the filtering module to limit the filter exception to two valid addresses. Using that subnet mask would not work for IP address assignment, but it works fine for restricting filter exception addresses.

Source Interface : Public Destination Interface: Public Packet Type: ANY (IP) Source Addr Type: Host Src IP Address: 4.1.1.2 Dest Addr Type: Any Address

Source Interface : Public Destination Interface: Public Packet Type: ANY (IP) Source Addr Type: Network Src IP Address: 4.1.1.2/255.255.255.254 Dest Addr Type: Any Address



Common Log File Format

Field Example IP Address 10.1.1.2

Authenticated User Name .admin.acme

Date 03/Aug/1999

Time 12:07:41

Timezone +0000

HTTP Request GET

URL http://support.novell.com/images/support_nav_bar.gif HTTP Version HTTP/1.0

Completion Code 200

File Size 3264

IP Address

Authenticated User Name

Date

Time

Timezone

HTTP Request

HTTP Request Meaning GET Read a page or entity within a page HEAD Obtain the header information for a page POST Submit the results of a form



URL

Status Code

HTTP Status Code Meaning 200 OK 201 Created 202 Accepted 301 Moved Permanently 302 Moved Temporarily 304 Not Modified 400 Bad Request 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable

HTTP Status Code Meaning 100 Continue 101 Switching Protocols 200 OK 201 Created 202 Accepted 203 Non-Authoritative Information 204 No Content 205 Reset Content 206 Partial Content 300 Multiple Choices 301 Moved Permanently 302 Found 303 See Other 304 Not Modified 305 Use Proxy 306 Unused 307 Temporary Redirect 400 Bad Request



401 Unauthorized 402 Payment Required 403 Forbidden 404 Not Found 405 Method Not Allowed 406 Not Acceptable 407 Proxy Authentication Required 408 Request Timeout 409 Conflict 410 Gone 411 Length Required 412 Precondition Failed 413 Request Entity Too Long 414 Request-URI Too Long 415 Unsupported Media Type 416 Requested Range Not Satisfiable 417 Expectation Failed 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable 504 Gateway Timeout 505 HTTP Version Not Supported

Errata & Revisions May 18, 2001


Errata & Revisions

Beta 2.0

Beta 3.0

First Edition

Errata & Revisions May 18, 2001


Index May 18, 2001

Index 128-bit....................................103, 104, 115, 122, 326 40-bit......................................103, 104, 115, 116, 122 56-bit......................................................103, 104, 326 ABEND .........................................................220, 557 acceleration ................................21, 97, 135, 249, 411 Acceleration20, 21, 133, 249, 250, 257, 258, 394, 407 Access Control Log387, 399, 403, 427, 428, 465, 467,

489, 490, 493, 494, 495 access rule...18, 21, 30, 35, 40, 45, 50, 58, 72, 74, 93,

102, 107, 125, 138, 180, 181, 182, 183, 196, 197, 198, 200, 205, 207, 208, 209, 210, 211, 212, 213, 214, 216, 218, 221, 222, 228, 229, 232, 238, 240, 241, 242, 246, 247, 252, 256, 257, 260, 261, 266, 267, 268, 272, 273, 275, 328, 329, 335, 337, 377, 378, 379, 381, 385, 386, 387, 388, 389, 390, 391, 392, 393, 396, 397, 401, 402, 405, 406, 409, 421, 422, 424, 425, 426, 434, 436, 465, 509, 511, 531, 533, 553, 555, 564, 578

Access Rule ..19, 20, 21, 22, 44, 45, 94, 99, 102, 123, 133, 171, 180, 185, 186, 190, 193, 205, 208, 209, 210, 217, 218, 228, 232, 237, 238, 241, 247, 256, 257, 260, 261, 267, 268, 272, 273, 328, 329, 334, 354, 376, 378, 380, 395, 409, 413, 418, 421, 429, 434, 435, 436, 439, 490, 555, 557, 566

ACLCHECK........................................21, 82, 83, 434 alert ................................................461, 462, 463, 464 Alert .......................................................461, 463, 464 Audit Log...............................................370, 483, 504 authentication....17, 45, 84, 85, 90, 99, 101, 102, 103,

105, 106, 107, 108, 123, 125, 128, 139, 165, 180, 183, 185, 186, 193, 195, 249, 252, 261, 267, 268, 272, 273, 277, 302, 304, 340, 349, 350, 352, 353, 354, 355, 358, 359, 377, 403, 508, 542

Authentication.....19, 21, 99, 100, 101, 102, 107, 108, 115, 122, 123, 127, 128, 163, 180, 181, 182, 183, 185, 186, 188, 189, 193, 195, 266, 267, 273, 275, 340, 349, 350, 354, 542

BLACK-ICE ..................................................244, 245 BMAS......................................................................19 BORDER1 41, 42, 43, 81, 92, 95, 96, 97, 98, 99, 129,

134, 166, 169, 187, 190, 244, 245, 301, 320, 337, 338, 340, 344, 349, 370, 380, 381, 387, 388, 389, 412, 413, 414, 417, 440, 461, 468

BORDER2 ....41, 42, 43, 92, 311, 314, 315, 317, 320, 337, 348, 351, 359, 360

BRDSRV .............................................62, 82, 83, 439 Btrieve .............................56, 149, 150, 404, 465, 480 bug 26, 59, 60, 61, 104, 115, 153, 395, 510, 511, 534,

556, 568, 569 cache .....18, 21, 42, 44, 47, 56, 63, 74, 129, 130, 133,

135, 136, 137, 142, 144, 145, 150, 152, 154, 155, 156, 157, 158, 159, 160, 165, 166, 168, 169, 170,

172, 174, 249, 260, 404, 484, 509, 510, 511, 512, 514, 516, 517, 523, 525, 526, 527, 536, 541, 556, 560, 561, 562, 570, 572

Cache56, 143, 144, 145, 151, 152, 154, 159, 165, 166, 168, 169, 170, 404, 470, 482, 483, 484, 488, 511, 516, 523, 525, 526, 535, 536, 560, 561, 562

Cache Aging.......................................................... 151 cache control ......................................................... 152 Cache Hash Table ......................................... 152, 562 cache hierarchy42, 145, 165, 166, 168, 169, 170, 514,

527 cache location.......................................... 63, 154, 155 CERN. 20, 42, 43, 144, 165, 166, 167, 168, 169, 170,

442, 514, 525, 526, 527, 539 Citrix ..................................................... 128, 490, 569 Client-to-Site 18, 40, 43, 44, 66, 71, 76, 83, 278, 279,

280, 282, 301, 323, 324, 325, 327, 329, 330, 332, 334, 335, 336, 337, 340, 346, 348, 358, 359, 361, 362, 363, 364, 367, 369, 370, 412, 413, 414, 558, 568, 578, 579

CLNTRUST... 99, 101, 102, 103, 105, 106, 107, 108, 123, 127, 128, 185, 219, 264, 267, 268, 342, 393

common log.. 146, 147, 148, 268, 404, 468, 469, 472, 477, 478

Common log.................. 146, 147, 266, 275, 395, 468 config.txt ....................................................... 565, 566 CP_SETUP.EXE........................................... 439, 440 CPFILTER .............. 83, 433, 439, 440, 441, 442, 443 CSAUDIT ............................................... 57, 150, 465 CSLIB ............................................. 56, 149, 404, 465 custom error page............................ 63, 444, 446, 447 CyberNOT.... 379, 387, 389, 390, 399, 430, 431, 432,

433, 439, 440, 443, 490, 492 CyberPatrol .... 83, 379, 380, 387, 389, 390, 399, 404,

406, 429, 430, 431, 432, 433, 439, 440, 441, 442, 444, 490, 491

CyberYES ..................................................... 439, 440 Debug.................................................................... 375 default gateway .... 24, 30, 32, 34, 326, 361, 362, 363,

555, 573 default route 24, 25, 32, 34, 42, 43, 44, 45, 50, 51, 52,

54, 70, 73, 74, 77, 172, 361, 362, 555 Default route ........................................................... 74 default rule ...... 45, 123, 212, 376, 380, 386, 406, 428 digest .... 292, 302, 304, 305, 306, 314, 318, 327, 328,

349 DNS 18, 20, 21, 22, 25, 26, 27, 29, 30, 42, 50, 51, 52,

55, 74, 77, 129, 130, 133, 134, 135, 136, 137, 159, 169, 171, 172, 181, 182, 187, 190, 193, 200, 207, 214, 220, 221, 228, 231, 232, 242, 245, 246, 366, 380, 427, 450, 451, 452, 456, 462, 510, 515, 523, 524, 537, 553, 556, 557, 561, 571

Index May 18, 2001


DNS Proxy...18, 20, 27, 130, 135, 136, 220, 221, 557 do not cache ...........................................................157 dynamic NAT .19, 23, 24, 29, 45, 184, 220, 340, 362,

363, 367, 376, 418, 448, 449, 450, 453, 456, 555, 559

Dynamic NAT ....20, 30, 50, 135, 184, 230, 253, 363, 448, 449, 450, 453, 456, 573

Effective Rules.......123, 376, 380, 381, 383, 384, 386 Enforce Rules.........................................133, 378, 555 Enhancement Pack.............................................79, 80 error page.......................................................256, 444 Ethernet............................................................47, 336 extended log...........................................................147 Extended Logging..................................................148 FILTCFG .......21, 76, 88, 89, 197, 200, 225, 253, 565 filter exception ..19, 27, 29, 30, 33, 36, 37, 38, 45, 52,

70, 72, 74, 76, 78, 87, 89, 90, 91, 106, 135, 136, 175, 184, 197, 198, 200, 201, 205, 206, 207, 214, 220, 222, 225, 226, 227, 230, 240, 242, 249, 253, 256, 257, 369, 376, 396, 418, 420, 422, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 529, 554, 557, 564, 565, 566, 573, 574

Filtering .......17, 19, 87, 227, 253, 340, 418, 449, 554 filters.....21, 22, 27, 36, 37, 45, 50, 76, 78, 87, 88, 91,

106, 133, 138, 206, 253, 283, 293, 294, 363, 369, 461, 554, 555, 565

FTP .18, 20, 21, 32, 33, 34, 37, 40, 42, 44, 45, 60, 99, 102, 107, 138, 139, 149, 152, 154, 163, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 195, 196, 257, 258, 259, 260, 336, 377, 401, 407, 408, 409, 410, 455, 521, 540, 578

FTP Acceleration ...........................257, 258, 260, 407 FTP Proxy18, 20, 34, 45, 99, 102, 139, 149, 163, 184,

185, 186, 187, 188, 189, 190, 191, 192, 193, 195, 196, 260, 377, 407, 409, 410, 578

Generic Proxy ................................228, 236, 238, 543 Generic TCP Proxy222, 223, 224, 228, 230, 234, 235,

240, 247, 411 Generic UDP Proxy ......240, 242, 243, 244, 245, 246,

247, 417 GroupWise.................................13, 79, 197, 200, 204 GWIA ............................................................197, 204 hierarchy ........143, 145, 165, 166, 168, 514, 525, 539 HOSTS26, 72, 77, 134, 135, 136, 169, 187, 190, 251,

365, 366, 367, 368, 561, 569, 579 hot nodes........................................................152, 562 HTTP Proxy....20, 29, 34, 35, 45, 56, 63, 73, 97, 107,

123, 130, 132, 133, 134, 135, 136, 138, 139, 141, 142, 144, 151, 153, 155, 163, 165, 166, 169, 170, 171, 172, 173, 174, 175, 176, 219, 220, 256, 268, 271, 377, 391, 397, 401, 404, 406, 409, 427, 442, 491, 515, 516, 517, 518, 519, 520, 521, 522, 523, 530, 536, 537, 541, 556, 557, 567

HTTPS......35, 90, 128, 133, 139, 157, 171, 175, 228, 249, 251, 253, 254, 396, 557

ICMP ...............................................................45, 361 ICP...................20, 165, 166, 167, 168, 514, 527, 539 indexed log.............................................................149 Indexed Logging ............................................149, 484

INETCFG... 22, 24, 27, 28, 30, 50, 51, 52, 55, 73, 76, 77, 135, 136, 184, 253, 262, 283, 303, 340, 448, 449, 555, 566, 573

Internet Explorer .. 127, 140, 175, 176, 219, 445, 567, 571

Internic .................................................................... 23 Java Applet Stripping............................................ 142 license ........................................... 66, 67, 68, 69, 433 LOAD PROXY –CC............................. 158, 159, 556 log .. 21, 44, 56, 63, 72, 103, 108, 127, 146, 147, 148,

149, 150, 171, 229, 334, 336, 344, 345, 359, 360, 364, 368, 369, 370, 371, 375, 377, 388, 395, 404, 427, 428, 430, 461, 465, 468, 471, 472, 474, 480, 484, 490, 493, 494, 495, 511, 557, 558, 559, 572, 577

logging 20, 44, 99, 146, 147, 148, 149, 156, 212, 215, 221, 244, 266, 275, 337, 361, 377, 388, 395, 404, 428, 461, 483, 490, 493, 558

Logging .. 57, 146, 148, 149, 171, 267, 268, 334, 395, 397, 399, 403, 413, 427, 428, 430, 465, 479, 490, 557, 577

mail25, 27, 32, 33, 42, 55, 83, 98, 197, 198, 199, 200, 201, 202, 203, 204, 205, 207, 208, 209, 211, 212, 423, 424, 425, 426, 456, 457, 458, 459, 460, 462, 532

Mail Proxy ..... 20, 32, 33, 44, 83, 197, 198, 199, 200, 201, 204, 205, 207, 208, 209, 210, 212, 423, 424, 425, 426, 529, 532, 557

Maximum Number of Hot Nodes.................. 152, 562 Microsystems ................................................ 432, 440 MLA license................................................ 44, 68, 69 NDS-based rule ....................................... 99, 102, 377 NETDB ........................................................... 82, 561 NETINFO.CFG................... 76, 77, 78, 301, 555, 565 Netscape123, 127, 138, 139, 140, 176, 219, 396, 444,

571 NetWare 4.11 . 22, 42, 47, 59, 62, 66, 68, 86, 96, 110,

262, 361, 558 NetWare 4.2 ...................................................... 59, 76 NetWare 5.0 .......................... 42, 59, 60, 85, 110, 264 NetWare 5.1 48, 57, 60, 62, 70, 77, 98, 104, 109, 110,

112, 113, 225 NetWare Connect .............................................. 19, 72 Network Address Translation...................... 18, 23, 24 NIAS ................... 17, 19, 50, 59, 60, 61, 76, 262, 279 NIASCFG ................................. 19, 76, 279, 280, 296 NICI ........................................................................ 69 NIST................................................ 82, 244, 246, 417 NLS............. 46, 62, 63, 66, 67, 68, 70, 81, 82, 83, 84 NLS Licenses .......................................................... 66 NLSFLAIM............................................................. 62 NLSLSP ............................................................ 66, 68 NNTP . 14, 20, 22, 42, 44, 55, 89, 213, 214, 223, 224,

230, 231, 232, 239, 242, 421, 422, 453, 454, 547 NTP............................................................... 244, 245 NWADMIN .................................................. 380, 461 NWHOST ..................... 364, 365, 366, 368, 558, 579 Outbound DNS...................................................... 450 PASV FTP .................................................... 139, 184

Index May 18, 2001


patches ..22, 58, 59, 60, 61, 62, 66, 68, 70, 75, 79, 80, 81, 83, 93, 103, 128, 153, 185, 197, 198, 203, 401, 510, 534, 556, 557, 560, 568, 578

Patches ...............................................................58, 79 pcANYWHERE....224, 240, 241, 247, 248, 418, 420,

578 PING............................................45, 50, 51, 283, 553 POP3...18, 42, 98, 197, 198, 199, 200, 201, 202, 204,

205, 207, 209, 426, 546 port 110..................................................205, 206, 426 port 119..........................214, 230, 232, 422, 453, 454 port 123....................98, 226, 227, 228, 244, 245, 411 port 12345................................98, 226, 227, 228, 411 port 213....................................................................90 port 23............................................................177, 179 port 25............................................210, 457, 459, 460 port 353............................................................90, 369 port 37..............................................82, 244, 245, 417 port 443..............................35, 90, 175, 251, 255, 396 port 5631................................................240, 418, 420 port 5632........................................240, 418, 419, 420 port 80...34, 35, 90, 97, 123, 133, 141, 144, 165, 172,

174, 176, 251, 253, 255, 267, 442, 578 private ...18, 23, 24, 26, 27, 29, 30, 31, 32, 34, 36, 40,

41, 46, 47, 63, 72, 73, 74, 87, 88, 91, 96, 97, 98, 118, 123, 133, 138, 139, 172, 174, 184, 187, 190, 193, 200, 210, 214, 220, 221, 230, 231, 278, 282, 283, 284, 286, 287, 303, 362, 363, 365, 367, 417, 418, 451, 452, 453, 454, 455, 555, 559, 567, 573, 575

private interface ......29, 31, 41, 47, 73, 74, 87, 88, 91, 172, 184, 283, 363, 418, 451, 452, 453, 454

private IP address....23, 24, 27, 29, 32, 34, 63, 72, 74, 91, 96, 98, 118, 123, 138, 139, 174, 187, 190, 193, 200, 214, 220, 221, 230, 283, 284, 362, 363, 365, 367, 417, 559, 573, 575

Private IP address.....................................................96 Proxy Authentication ..21, 77, 99, 100, 101, 102, 103,

104, 105, 107, 108, 113, 115, 121, 122, 123, 124, 125, 127, 128, 133, 139, 171, 180, 219, 251, 252, 254, 376, 377, 380, 387, 393, 395, 403, 406, 490, 570, 577

PROXY Performance Tuning ................................153 PROXY.CFG.........................200, 256, 446, 556, 557 public interface .23, 29, 31, 32, 33, 34, 37, 41, 42, 45,

54, 72, 87, 88, 89, 90, 184, 225, 263, 283, 303, 340, 451, 452, 453, 454, 455

Public interface ..............................................226, 227 public IP address23, 24, 26, 27, 29, 32, 33, 34, 42, 44,

45, 50, 73, 87, 89, 90, 91, 96, 97, 98, 106, 107, 133, 197, 200, 201, 202, 205, 206, 207, 214, 224, 225, 226, 227, 240, 241, 247, 249, 253, 257, 259, 260, 283, 284, 285, 298, 303, 323, 348, 361, 363, 369, 396, 411, 418, 419, 420, 422, 448, 450, 453, 455, 456, 458, 555, 559, 569, 573

Public IP address................................................25, 97 PXYERR.HTM..............................444, 445, 446, 447 PXYHOSTS...134, 135, 137, 159, 510, 523, 556, 561 RADIUS ......................17, 19, 20, 44, 50, 62, 82, 354

RDATE ........................................... 82, 244, 246, 417 read-ahead ............................. 153, 395, 510, 511, 556 Real Audio ............................ 215, 216, 217, 218, 533 RealAudio Proxy........................... 215, 217, 415, 416 real-time ........................................ 370, 372, 374, 503 Refresh Server............................................... 380, 434 REGISTER.EXE........................... 433, 440, 441, 443 Reverse Proxy .... 20, 21, 43, 249, 250, 253, 256, 391,

394, 396, 407, 408, 455 reverse proxy acceleration.. 32, 33, 42, 135, 224, 249,

253, 394, 448 Reverse Proxy Acceleration20, 21, 249, 250, 253, 256 Rollover................................................................. 146 rule hit logging ...................................... 395, 430, 490 Rule Inheritance .................................................... 377 scheduled download ...................... 160, 161, 162, 550 secondary IP address28, 34, 46, 72, 73, 74, 75, 89, 90,

96, 97, 98, 107, 225, 231, 249, 253, 254, 255, 396, 418, 448, 455, 529, 559, 573

serial number................................................. 440, 565 SET TCP IP DEBUG...................... 51, 361, 554, 555 Single Sign On ...... 101, 102, 122, 185, 189, 266, 275 Site-to-Site . 18, 20, 39, 42, 43, 45, 66, 71, 75, 76, 81,

83, 278, 279, 280, 282, 283, 291, 295, 301, 320, 324, 325, 327, 362, 363, 370, 558, 579

SLP........................................ 337, 364, 366, 558, 579 SMTP . 18, 33, 42, 55, 83, 89, 98, 197, 198, 199, 200,

201, 202, 204, 208, 209, 210, 211, 212, 423, 424, 425, 426, 456, 457, 458, 459, 460, 461, 464, 545, 578

snapin .......................................... 84, 85, 93, 262, 375 SOCKS18, 20, 139, 163, 164, 276, 277, 508, 530, 548 SOCKS Client ................................. 20, 163, 530, 548 SOCKS Server ........................................................ 20 Software Virtual Server................................. 171, 557 SSL..... 77, 90, 99, 101, 102, 103, 104, 105, 108, 113,

115, 121, 122, 123, 124, 125, 127, 128, 139, 157, 171, 175, 228, 249, 251, 252, 253, 254, 277, 393, 396, 557, 570, 575

SSO ............... 102, 107, 261, 267, 268, 272, 273, 575 Stateful .................................................................... 27 static NAT 27, 32, 34, 36, 42, 70, 74, 78, 97, 98, 197,

253, 363, 367, 418, 455, 456, 457, 458, 459, 460, 555, 559, 573

Static NAT .. 19, 20, 33, 43, 45, 46, 98, 455, 456, 569 static route....................................................... 54, 320 statistics 106, 192, 196, 237, 238, 245, 343, 347, 488,

510, 511, 512, 514, 515, 516, 517, 518, 519, 520, 521, 522, 523, 526, 527, 530, 531, 533, 534

TID..... 56, 58, 69, 70, 82, 83, 84, 150, 152, 341, 350, 404, 444, 556, 560, 561, 567, 569

timeout .................... 63, 107, 108, 127, 130, 131, 373 transparent proxy................... 171, 172, 174, 175, 267 Transparent Proxy .. 20, 107, 133, 134, 138, 171, 172,

173, 174, 175, 178, 220, 261, 264, 272, 273, 491, 510, 534, 557

transport ................................................ 130, 323, 537 Transport ................................................. 22, 130, 131

Index May 18, 2001


tuning...............................................................57, 560 unload ............55, 63, 73, 75, 153, 523, 554, 559, 573 URL Pattern ...........................................................158 Usage Trends .................................................487, 494 virtual IPX network number ..................................325 VPMASTER......................................62, 83, 301, 375 VPN over NAT ........................................44, 369, 578 VPNCFG 76, 104, 279, 280, 285, 289, 291, 292, 293,

294, 295, 296, 297, 301, 302, 303, 314, 318, 327, 566

VPSLAVE......................................... 62, 83, 301, 375 VPTUNNEL.................................................... 88, 375 VREPAIR ..................................................... 156, 563 Web Manager . 98, 224, 225, 226, 227, 228, 229, 411,

578 www.yahoo.com ................... 387, 388, 389, 390, 406 ZENworks ..... 105, 139, 175, 176, 262, 263, 272, 360

Documents

A Beginner s Guide To BorderManager 3 - gwise.itwelzel.bizgwise.itwelzel.biz/Novellpdf/BorderManager - A Beginner´s Guide To... · Understanding and Configuring Novell BorderManager,