Upload
vuongtuyen
View
217
Download
2
Embed Size (px)
Citation preview
A Beginner’s Guide To BorderManager 3.x Understanding and Configuring Novell BorderManager, versions 3.0, 3.5 and 3.6 Craig Johnson Novell Support Connection SysOp First Edition May 18, 2001
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 2
Table of Contents TABLE OF CONTENTS................................................................................................................. 2 PRINTING THIS BOOK ............................................................................................................... 12 ACKNOWLEDGEMENTS ............................................................................................................ 13 ABOUT THE AUTHOR ................................................................................................................ 14 LICENSING .................................................................................................................................. 15 OFFICIAL DISCLAIMER.............................................................................................................. 16 CHAPTER 1 - OVERVIEW........................................................................................................... 17
What is BorderManager? .......................................................................................................... 17 Filtering.................................................................................................................................. 17 Proxies................................................................................................................................... 18 Gateways............................................................................................................................... 18 VPN ....................................................................................................................................... 18
How This Book Is Organized .................................................................................................... 19 What this book covers ........................................................................................................... 20 What this book does not cover .............................................................................................. 20
CHAPTER 2 - BASICS ................................................................................................................ 21 Some Important Terminology.................................................................................................... 21 Prerequisite Knowledge ............................................................................................................ 22 TCP/IP Basics ........................................................................................................................... 23
Public & Private Networks..................................................................................................... 23 The Importance of the Default Route .................................................................................... 24 Domain Name Service (DNS) ............................................................................................... 25 Secondary IP Addresses....................................................................................................... 27 Proxy Versus Routing and NAT (How Proxies Work) ........................................................... 29
BorderManager Scenarios ........................................................................................................ 31 Scenario 1 - One Public IP Address...................................................................................... 31 Scenario 2 - Multiple Public IP Addresses ............................................................................ 33 Scenario 3 - BorderManager Used Only For HTTP Proxy.................................................... 35 Scenario 4 - A Single Firewall DMZ Segment....................................................................... 36 Scenario 5 - A Classic Two-Firewall DMZ............................................................................. 38 Scenario 6 - A Simple Site-to-Site VPN ................................................................................ 39 Scenario 7 - A Simple Client-to-Site VPN ............................................................................. 40 Scenario 8 - A Complex Multiple BorderManager Server Environment................................ 41
Some Rules of Thumb and Words of Wisdom.......................................................................... 44 CHAPTER 3 - INSTALLATION.................................................................................................... 47
Server Hardware Suggestions .................................................................................................. 47 NetWare Server Installation Tips .............................................................................................. 48
Using MSDOS 6.22 and NetWare 5.1................................................................................... 48 Don’t Let The NetWare Installation Create the Volumes Automatically................................ 49 Install BorderManager from the Root of the CD.................................................................... 50 Get the Server on the Internet Before Configuring BorderManager ..................................... 50 Setting the Default Route and DNS Servers ......................................................................... 52
BorderManager Server Configuration Suggestions .................................................................. 56 NDS Design Considerations ..................................................................................................... 58 Recommended Patches and Installation Sequence ................................................................. 58
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 3
How To Install BorderManager 3.x on NetWare 4.x ............................................................. 59 How to Install BorderManager 3.x on NetWare 5.0 .............................................................. 59 How to Install BorderManager 3.5 and 3.6 on NetWare 5.1 ................................................. 60
General Installation Notes......................................................................................................... 62 Working Around Licensing Startup Delays............................................................................ 62 NDS –601 Error Messages At Startup .................................................................................. 62 Loading and Unloading BorderManager Manually................................................................ 63
BMOFF.NCF...................................................................................................................... 64 BMON.NCF........................................................................................................................ 65
BorderManager Licenses.......................................................................................................... 66 What Are NLS Licenses? ...................................................................................................... 66 NLS Issues ............................................................................................................................ 67 MLA Licenses........................................................................................................................ 68
How To Upgrade BorderManager Servers ............................................................................... 70 Changing Out A BorderManager Server................................................................................... 71
Concerns ............................................................................................................................... 71 Concept ................................................................................................................................. 71 Procedure 1 – Primary IP Addresses Used .......................................................................... 71 Procedure 2 – Secondary IP Addresses Used...................................................................... 73
Critical BorderManager-Related Files....................................................................................... 76 Configuration Tools ............................................................................................................... 76
INETCFG.NLM .................................................................................................................. 76 NIASCFG.NLM .................................................................................................................. 76 VPNCFG.NLM ................................................................................................................... 76 BRDCFG.NLM ................................................................................................................... 76 FILTCFG.NLM ................................................................................................................... 76 INSTALL.NLM.................................................................................................................... 76 NWCONFIG.NLM .............................................................................................................. 76 SYS:\PUBLIC\WIN32\NWADMN32.EXE........................................................................... 77 SYS:\PUBLIC\MGMT\CONSOLEONE\1.2\BIN\CONSOLEONE.EXE .............................. 77
Data Files .............................................................................................................................. 77 SYS:\ETC\HOSTS ............................................................................................................. 77 SYS:\ETC\GATEWAYS ..................................................................................................... 77 SYS:\ETC\RESOLV.CFG .................................................................................................. 77 SYS:\ETC\TCPIP.CFG ...................................................................................................... 77 SYS:\ETC\NETINFO.CFG................................................................................................. 77 SYS:\ETC\FILTERS.CFG.................................................................................................. 78
Startup Files .......................................................................................................................... 78 C:\CONFIG.SYS ................................................................................................................ 78 C:\AUTOEXEC.BAT .......................................................................................................... 78 C:\NWSERVER\STARTUP.NCF ....................................................................................... 78 SYS:\SYSTEM\AUTOEXEC.NCF ..................................................................................... 78
Troubleshooting Tools........................................................................................................... 78 TCPCON.NLM ................................................................................................................... 78 CALLMGR.NLM................................................................................................................. 78 PPPTRACE.NLM............................................................................................................... 79
Keeping BorderManager Up-to-date......................................................................................... 79 Patches.................................................................................................................................. 79 The BorderManager 3.5 Enhancement Pack........................................................................ 79
Starting BorderManager............................................................................................................ 81 Tips For Getting NWADMN32 To Work With BorderManager Server...................................... 84
Rename the ACNWAUTH.DLL Snapin ................................................................................. 84 Get The Latest Version of NWADMN32................................................................................ 84 Fix Invalid BorderManager Snapin Modules Errors .............................................................. 84 Fix “No BorderManager Licenses Available” Messages ....................................................... 84 What snapins should I have? ................................................................................................ 85
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 4
BorderManager 3.5 / NetWare 5.0 .................................................................................... 85 BorderManager 3.0 / NetWare 4.11 .................................................................................. 86
CHAPTER 4 – UNDERSTANDING PACKET FILTERING.......................................................... 87 Default Packet Filters................................................................................................................ 87
The BorderManager 3.x Default Packet Filters ..................................................................... 88 Outgoing RIP Filters: ......................................................................................................... 88 Incoming RIP Filters .......................................................................................................... 88 Outgoing EGP Filters:........................................................................................................ 88 Incoming EGP Filters......................................................................................................... 89 OSPF External Route Filters ............................................................................................. 89 Packet Forwarding Filters .................................................................................................. 89
Packet Filter Exceptions ........................................................................................................... 89 What are the Default Packet Filter Exceptions?.................................................................... 89
CHAPTER 5 – THE INITIAL CONFIGURATION......................................................................... 92 BorderManager Setup Main Menu............................................................................................ 95 BorderManager IP Address Configuration................................................................................ 96
Secondary IP addresses used on BORDER1....................................................................... 98 Authentication Context (Proxy Authentication) ......................................................................... 99
Proxy Authentication Settings ............................................................................................. 100 40-bit, 56-bit and 128-bit Encryption ................................................................................... 103 Using Proxy Authentication on the Client with CLNTRUST ................................................ 105
CLNTRUST Problem Work-Around................................................................................. 106 Configuring SSL Proxy Authentication ................................................................................ 108
Creating a Security Container.......................................................................................... 109 Creating a Certificate Authority, pre-NetWare 5.1 ........................................................... 110 Creating a Certificate Authority, with NetWare 5.1.......................................................... 112 Creating a Key Material Object for BorderManager with NWADMN32 ........................... 113 Assigning the Key Material Object for SSL Proxy Authentication ................................... 122 Using SSL Proxy Authentication...................................................................................... 123 Test Conditions................................................................................................................ 123 The SSL Proxy Authentication Login Screen (HTML) ..................................................... 125
Proxy Authentication for Citrix Users .................................................................................. 128 DNS Parameters ..................................................................................................................... 129 Transport................................................................................................................................. 131
CHAPTER 6 - HTTP PROXY ..................................................................................................... 133 Concepts ................................................................................................................................. 133
How BorderManager HTTP Proxy Works With DNS .......................................................... 133 How Browsers Are Configured For HTTP Proxy .................................................................... 138
Netscape ............................................................................................................................. 138 Internet Explorer .................................................................................................................. 140
HTTP Proxy Details ................................................................................................................ 141 HTTP ................................................................................................................................... 141 Cache Hierarchy Server ...................................................................................................... 143 Cache Hierarchy Client ....................................................................................................... 144 Cache Hierarchy Routing .................................................................................................... 145 Logging................................................................................................................................ 146
Common Logging ............................................................................................................ 146 Extended Logging............................................................................................................ 148 Indexed Logging .............................................................................................................. 149
HTTP Proxy Caching .............................................................................................................. 151 Cache Aging........................................................................................................................ 151 Cache Control ..................................................................................................................... 152 Cache Location ................................................................................................................... 154 Cachable Object Control ..................................................................................................... 157
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 5
Entering a Non-Cacheable URL Pattern ......................................................................... 158 Clearing the Proxy Cache................................................................................................ 159
Scheduled Downloads......................................................................................................... 160 Entering a URL to download on a schedule .................................................................... 161 Set Download Frequency ................................................................................................ 162
HTTP Proxy - SOCKS Client .................................................................................................. 163 Setting Up a Cache Hierarchy ................................................................................................ 165
Concept ............................................................................................................................... 165 CERN Configuration, BorderManager Server as a Client................................................... 166 ICP Cache Hierarchy........................................................................................................... 168 Cache Hierarchy Routing Exceptions ................................................................................. 169
CHAPTER 7 - TRANSPARENT PROXY ................................................................................... 171 Transparent Proxy (HTTP)...................................................................................................... 171
Concept ............................................................................................................................... 171 Pros.................................................................................................................................. 171 Cons................................................................................................................................. 171
Configuring Transparent Proxy ........................................................................................... 172 BorderManager 3.0 Transparent Proxy configuration menu ........................................... 172 BorderManager 3.5 & 3.6 Transparent Proxy configuration menu.................................. 173 Ways To Convert Browsers To Use HTTP Proxy............................................................ 175
Internet Explorer........................................................................................................................ 175 Netscape .................................................................................................................................... 176
Transparent TELNET Proxy.................................................................................................... 177 Concept ............................................................................................................................... 177 Configuring Transparent TELNET Proxy ............................................................................ 178 User Authentication ............................................................................................................. 180 Transparent TELNET Proxy Usage .................................................................................... 181
Example 1 – No User-based Authentication Required.................................................... 181 Example 2 – NDS-Based User Authentication ................................................................ 182
CHAPTER 8 - FTP PROXY........................................................................................................ 184 Concept................................................................................................................................... 184 Limitations ............................................................................................................................... 184 Alternative For ACTIVE (PORT) FTP ..................................................................................... 184 Configuring FTP Proxy............................................................................................................ 185
User Authentication ............................................................................................................. 185 Clear Text User/Password............................................................................................... 185 Single Sign On................................................................................................................. 185
FTP Proxy Usage.................................................................................................................... 186 Example 1 – No User-based Authentication Required, DOS FTP Client ........................... 186 Example 2 – User-based Authentication Required, DOS FTP Client ................................. 188 Example 3 – User-based Authentication Required, CuteFTP Client .................................. 193 Example 4 – User-based Authentication Required, WS_FTP Client .................................. 195 All Examples, FTP Proxy Statistics Screen......................................................................... 196
CHAPTER 9 - MAIL PROXY...................................................................................................... 197 Concept................................................................................................................................... 197 An Alternative.......................................................................................................................... 197 A GWIA Alternative ................................................................................................................. 197 Configuring Mail Proxy............................................................................................................ 198
No Internal Mail Server, Mail Through Proxy ...................................................................... 198 Internal Mail Server, Mail Through Proxy............................................................................ 200 GWIA Example Settings...................................................................................................... 204 Access Rule and Packet Filter Exception to Allow POP3 Through Mail Proxy................... 205
Inbound POP3 ................................................................................................................. 205 Outbound POP3 .............................................................................................................. 207
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 6
Access Rule To Allow SMTP Through Mail Proxy .............................................................. 208 Access Rules to Control Use of Mail Proxy......................................................................... 209
Internal Mail Server.......................................................................................................... 209 No Internal Mail Server .................................................................................................... 209 Access Rule Examples .................................................................................................... 210
Allow outbound SMTP.............................................................................................................. 210 Allow Inbound SMTP to Internal Mail Domain........................................................................ 211 Deny All SMTP......................................................................................................................... 212
CHAPTER 10 - NEWS PROXY.................................................................................................. 213 Concept................................................................................................................................... 213 Using News Proxy With An External NNTP Server ................................................................ 213
CHAPTER 11 - REAL AUDIO PROXY...................................................................................... 215 BorderManager 3.0 Settings ................................................................................................... 215 BorderManager 3.5 & 3.6 Settings ......................................................................................... 216 BorderManager 3.0 RealAudio Proxy Access Rule ................................................................ 217 BorderManager 3.5 & 3.6 RealAudio and RTSP Access Rule ............................................... 218 RealPlayer G2 Proxy Settings ................................................................................................ 219
CHAPTER 12 - DNS PROXY..................................................................................................... 220 Concept................................................................................................................................... 220 An Alternative.......................................................................................................................... 220 Configuring DNS Proxy........................................................................................................... 221
CHAPTER 13 - GENERIC TCP PROXY.................................................................................... 222 Concept................................................................................................................................... 222 Configuring Generic TCP Proxy.............................................................................................. 223 Example for NetWare Web Manager ...................................................................................... 224
Browser Configuration......................................................................................................... 228 Access Rule Configuration .................................................................................................. 228
Example For NNTP................................................................................................................. 230 Outlook Express Configuration............................................................................................ 233 Agent /Free Agent Configuration......................................................................................... 239
Example Generic TCP Proxy for Inbound pcANYWHERE..................................................... 240 CHAPTER 14 - GENERIC UDP PROXY ................................................................................... 242
Concept................................................................................................................................... 242 Generic UDP Proxy - Time Server Proxies............................................................................. 244
Configuring A Generic UDP Proxy for NTP......................................................................... 245 Configuring a Generic UDP Proxy for RDATE.................................................................... 246
Example Generic UDP Proxy for Inbound pcANYWHERE .................................................... 247 CHAPTER 15 – ACCELERATION (REVERSE PROXY) .......................................................... 249
HTTP Acceleration .................................................................................................................. 249 Concept ............................................................................................................................... 249 Using Primary Public IP Address ........................................................................................ 249 Configuring Reverse Proxy Acceleration ............................................................................ 250 Using a Secondary Public IP Address ................................................................................ 253
Filter Exceptions Needed for Reverse Proxy Acceleration.............................................. 253 Access Rule Required for Reverse Proxy Acceleration .................................................. 256
FTP Acceleration..................................................................................................................... 257 Concept ............................................................................................................................... 257 Configuration ....................................................................................................................... 257
CHAPTER 16 – THE GATEWAYS ............................................................................................ 261 IPX/IP Gateway....................................................................................................................... 261
Concept ............................................................................................................................... 261 Pros ..................................................................................................................................... 262
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 7
Cons .................................................................................................................................... 262 History of IPX/IP Gateway................................................................................................... 262
IntranetWare IPX/IP Gateway.......................................................................................... 262 BorderManager 2.1 IPX/IP Gateway ............................................................................... 263 BorderManager 3.x IPX/IP Gateway ............................................................................... 264
Client Settings For IP Gateway............................................................................................... 267 Use Proxy, No Authentication, No Rules, No Logging........................................................ 267 Use Proxy, Authentication, Access Rules and Logging ...................................................... 267 Use IP gateway, No Proxy, Access Rules and Logging ..................................................... 268
Installing IP Gateway Service on the PC ................................................................................ 269 IP/IP Gateway ......................................................................................................................... 272
Concept ............................................................................................................................... 272 Pros ..................................................................................................................................... 272 Cons .................................................................................................................................... 272 Access Rules, Proxies and the IP/IP Gateway ................................................................... 273
IP/IP Gateway With Access Rules And Without Proxy.................................................... 273 IP/IP Gateway Without Access Rules And With Proxy.................................................... 273 IP/IP Gateway With Proxy and With Access Rules ......................................................... 273
Configuring IP/IP Gateway.................................................................................................. 274 SOCKS Gateway .................................................................................................................... 276
Concept ............................................................................................................................... 276 CHAPTER 17 - SITE-TO-SITE VPN .......................................................................................... 278
Introduction to BorderManager VPN....................................................................................... 278 Concept................................................................................................................................... 278 Setting Up the Master VPN Server ......................................................................................... 279
Configuration Tasks at the Server Console ........................................................................ 279 VPN IP and IPX Addressing Design Considerations .......................................................... 282 Setting Up The Master VPN Server, Continued.................................................................. 285 Configuring the VPN Master Server in NWADMN32 .......................................................... 297
Adding a Site-to-Site Slave VPN Server – Server Console Procedures ................................ 301 Adding a VPN Slave Server – NWADMN32 Procedures ....................................................... 315
CHAPTER 18 - CLIENT-TO-SITE VPN ..................................................................................... 323 Concept................................................................................................................................... 323 Setting Up VPN Servers ......................................................................................................... 324
BorderManager Client-to-Site VPN Access Rules .............................................................. 329 Configuring a Client-to-Site VPN Client PC ............................................................................ 336
VPN Client Connection Process – A Case Study ............................................................... 337 Step 1 – Try LAN VPN Client Connection to BORDER1................................................. 338 Step 2 – Repeat Test With Valid IP Address................................................................... 341 Step 3 – Install/Reinstall VPN Client Software ................................................................ 345 Step 4 – Try LAN VPN Client Connection to BORDER2................................................. 348 Step 5 – Create a Login Policy Object............................................................................. 351 Step 6 – Add Rule for VPN Authentication ...................................................................... 354 Step 7 – Try LAN VPN Client Connection to BORDER2 Again ...................................... 359
Client-to-Site VPN Using Pure IP Login.................................................................................. 361 Routing Issues..................................................................................................................... 361
Missing Default Route on Internal Hosts and Routers .................................................... 361 Incorrect Default Route on Internal Hosts and Routers................................................... 362
Issues with Client-to-Site over Site-to-Site Links ................................................................ 362 Issue with BorderManager 3.5 and 3.6 with Client-to-Site VPN and Dynamic NAT ....... 363
Service Location Issues ...................................................................................................... 364 Making Use of SLP .......................................................................................................... 364 Using NWHOST Instead Of (Or In Addition To) SLP ...................................................... 364 Using the HOSTS File ..................................................................................................... 365 The Importance of Client32 Protocol Preferences........................................................... 366
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 8
The Bottom Line .................................................................................................................. 367 Client-to-Site VPN Over NAT .............................................................................................. 369 Disconnecting a Client-to-Site Connection.......................................................................... 369
CHAPTER 19 - VIEWING AUDIT LOG DATA FOR VPN ......................................................... 370 Using NWADMN32 To View Log Data ................................................................................... 370 An Alternative To Using NWADMN32 .................................................................................... 375
VPTUNNEL Debug Options ................................................................................................ 375 VPNINF/VPMASTER/VPSLAVE Debug Options................................................................ 375
CHAPTER 20 - ACCESS RULES.............................................................................................. 376 Concept................................................................................................................................... 376 The Default Rule ..................................................................................................................... 376 Rule Inheritance...................................................................................................................... 377 Proxy Authentication and NDS-based Rules .......................................................................... 377 Enforce Rules.......................................................................................................................... 378 Time Restrictions .................................................................................................................... 379 Setting Up Access Rules ........................................................................................................ 380 Explanation of the Effective Rules .......................................................................................... 381
Checking Effective Rules .................................................................................................... 384 Rules Applied On BORDER1.................................................................................................. 389
Allow All users to Access Selected URL’s .......................................................................... 389 Allow the Admin User to Access a Reverse Proxy ............................................................. 391 Allow Selected Users Access to Any URL .......................................................................... 392 Allow Access To Reverse Proxy ......................................................................................... 394 Track Usage for a Particular Web Site................................................................................ 395 Allow HTTPS/SSL Through Reverse Proxy........................................................................ 396 Block Selected Downloads.................................................................................................. 397 Deny Access to CyberNOT List URL’s................................................................................ 399 Allow Browsing to FTP Sites Through the HTTP Proxy...................................................... 401 Track Specific Users with an Allow URL Rule..................................................................... 403 Allow a Group of Users to Any URL.................................................................................... 406 Allow Admin User to FTP Accelerator (FTP Reverse Proxy).............................................. 407 Deny All Users Access To FTP Reverse Proxy .................................................................. 408 Allowing Use of the FTP Proxy............................................................................................ 409 Allow External Access to Web Manager ............................................................................. 411 Deny VPN Client Access to the BORDER1 Server ............................................................ 412 Allow VPN Client Access to the BORDER1 Server ............................................................ 413 Allow Access to RealAudio Proxy ....................................................................................... 415 Allow Access To Generic UDP Proxy for Port 37 (RDATE)................................................ 417 Inbound pcANYWHERE Access Rules Using Generic Proxies.......................................... 418 Access Rules Allowing The News Proxy............................................................................. 421
Allowing Use of the News (NNTP) Proxy for Reading..................................................... 421 Allowing Use of the News (NNTP) Proxy for Posting. ..................................................... 422
Allow Outbound SMTP Through the Mail Proxy.................................................................. 423 Allow Inbound SMTP Mail Through the Mail Proxy............................................................. 424 Deny All SMTP Mail Through the Mail Proxy...................................................................... 425 Allow Inbound POP3 Through the Mail Proxy..................................................................... 426 Deny All Ports for Troubleshooting Purposes ..................................................................... 427 Deny All URLs For Troubleshooting Purposes ................................................................... 428
Example - Setting an Allow All URL Rule ............................................................................... 429 Example - Adding a CyberPatrol CyberNOT List Deny Rule.................................................. 430
CyberNOT List Selection..................................................................................................... 431 CyberNOT List Definitions in Use ....................................................................................... 432
The Refresh Server Button ..................................................................................................... 434 Those Additional Rules Fields............................................................................................. 435
Backing up Access Rules ....................................................................................................... 436
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 9
CHAPTER 21 - INSTALLING CYBERPATROL........................................................................ 439 Registering CyberPatrol.......................................................................................................... 440 The CyberPatrol REGISTER.EXE Program ........................................................................... 441 Downloading a new CyberNOT list on demand...................................................................... 443
CHAPTER 22 - CUSTOM ERROR PAGES............................................................................... 444 Concept................................................................................................................................... 444 One Example .......................................................................................................................... 444
CHAPTER 23 - USING DYNAMIC NAT .................................................................................... 448 Concept................................................................................................................................... 448 Outbound DNS........................................................................................................................ 450
DNS from Internal PC’s to an ISP’s DNS Servers .............................................................. 450 Outbound NNTP...................................................................................................................... 453
CHAPTER 24 - USING STATIC NAT ........................................................................................ 455 Concept................................................................................................................................... 455 Static NAT To Internal SMTP Mail Server .............................................................................. 456
CHAPTER 25 -BORDERMANAGER ALERTS ......................................................................... 461 Concept................................................................................................................................... 461 Configuring Alerts.................................................................................................................... 461
BorderManager 3.0 ............................................................................................................. 462 BorderManager 3.5 and 3.6 ................................................................................................ 463
CHAPTER 26 - LOGGING ......................................................................................................... 465 Controlling the Size of the Indexed and Access Control Logs................................................ 465 Viewing Common Log Files .................................................................................................... 468
Configuring "WebTrends for Firewalls and VPN’s" For Novell BorderManager ................. 469 WebTrends Configuration................................................................................................ 469
Viewing Extended Logs....................................................................................................... 480 Viewing Indexed Logs ......................................................................................................... 480
Viewing Real-Time Proxy Cache Data ................................................................................... 488 Viewing Access Control Logs ................................................................................................. 489
Usage Trends...................................................................................................................... 494 Exporting the Access Control Log to Excel............................................................................. 495 Viewing VPN Activity............................................................................................................... 501
CHAPTER 27 - BORDERMANAGER CONSOLE SCREENS .................................................. 508 IP Gateway / SOCKS.............................................................................................................. 508 Proxy Console......................................................................................................................... 509 Option 1 - FastCache Current Activity screen ........................................................................ 510 Option 2 – Display Memory Usage ......................................................................................... 513 Option 3 – Display ICP Statistics ............................................................................................ 514 Option 4 – Display DNS Statistics........................................................................................... 515 Option 5 – Display Cache Statistics........................................................................................ 516 Option 6 – Display Not Cached Statistics ............................................................................... 517 Option 7 – Display HTTP Server Statistics ............................................................................. 518 Option 8 – Display HTTP Client Statistics .............................................................................. 519 Option 9 – Display Connection Statistics................................................................................ 520 Option 10 – Display FTP Client Statistics ............................................................................... 521 Option 11 – Display GOPHER Statistics ................................................................................ 522 Option 12 – Display DNS Cache Entry Information ................................................................ 523 Option 13 – Show hosts sorted by most DNS lookup requests.............................................. 524 Option 14 – Show Origin Hosts Sorted by Amount of Data Transmitted by the Cache ......... 525 Option 15 – Show Origin Hosts Sorted by the Amount of Data sent TO the Cache .............. 526 Option 16 – Show Proxies and Origin Hosts Sorted By Most Data Directly Received........... 527 Option 17 – Display Configured Addresses and Services...................................................... 528 Option 18 – Display SOCKS Client Statistics ......................................................................... 530
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 10
Option 19 – Application Proxies.............................................................................................. 531 Mail Proxy Statistics ............................................................................................................ 532 Real Audio Proxy Statistics ................................................................................................. 533
Option 20 – Transparent Proxy Statistics ............................................................................... 534 CHAPTER 28 - PROXY CACHE CONFIGURATION CONSOLE ............................................. 535
Option 1 – Display Object Cache Configuration ..................................................................... 536 Option 2 – Display DNS/Miscellaneous Configuration............................................................ 537 Option 3 – Display TCP Configuration .................................................................................... 538 Option 4 – Display ICP Configuration ..................................................................................... 539 Option 5 – Display FTP/GOPHER Configuration.................................................................... 540 Option 6 – Display HTTP Configuration.................................................................................. 541 Option 7 – Display Authentication Configuration .................................................................... 542 Option 8 – Display Generic TCP/UDP Configuration.............................................................. 543 Option 9 – Display RealAudio Configuration .......................................................................... 544 Option 10 – Display SMTP Configuration ............................................................................... 545 Option 11 – Display POP3 Configuration ............................................................................... 546 Option 12 – Display NNTP Configuration ............................................................................... 547 Option 13 – Display SOCKS Configuration ............................................................................ 548 Option 14 – Display THTTP Configuration ............................................................................. 549 Option 15 – Display Site Download Configuration.................................................................. 550 Option 16 – Display TTELNET Configuration ......................................................................... 551 Option 17 – Display RTSP Configuration ............................................................................... 552
CHAPTER 29 – TROUBLESHOOTING BORDERMANAGER ................................................. 553 Simplify the Configuration ....................................................................................................... 553 Start at the Server ................................................................................................................... 553 Isolate the Problem ................................................................................................................. 554
Look at the IP Packets at the Server................................................................................... 554 Is it a Filtering Problem?...................................................................................................... 554 Is it a NAT or a Routing Problem? ...................................................................................... 554 Is it an Access Rule Problem? ............................................................................................ 555
How To Search the Novell KnowledgeBase ........................................................................... 556 HTTP Proxy Issues ................................................................................................................. 556 Transparent Proxy Issues ....................................................................................................... 557 Mail Proxy Issues .................................................................................................................... 557 DNS Proxy Issues ................................................................................................................... 557 IP Gateway Issues .................................................................................................................. 558 Site-to-Site VPN Issues .......................................................................................................... 558 Client-to-Site Issues................................................................................................................ 558 Miscellaneous Issues.............................................................................................................. 559
Dial-Up Connection Keeps Coming Up............................................................................... 559 CHAPTER 30 - PERFORMANCE TUNING............................................................................... 560
General Recommendations .................................................................................................... 560 Use the Following Server Set Parameters.............................................................................. 561 Use The Following NetWare Administrator (NWADMN32) Settings ...................................... 562 Watch Your Memory - Memory Considerations...................................................................... 562
CHAPTER 31 - ODDS & ENDS................................................................................................. 564 Documenting Your Server....................................................................................................... 564
Run CONFIG.NLM .............................................................................................................. 564 Comment Your Filter Exceptions......................................................................................... 565 Screenshot your VPNCFG Screens.................................................................................... 566 Screenshot your INETCFG Settings ................................................................................... 566 Screenshot your NWADMN32 Screens .............................................................................. 566 Back Up Your Access Rules ............................................................................................... 566
Miscellaneous Hints ................................................................................................................ 567
Table of Contents May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 11
PPTP to BorderManager 3.5 ............................................................................................... 567 Converting Internet Explorer to Proxy Settings ................................................................... 567 VPN & Modems Tip............................................................................................................. 567 VPN Client with LAN Connection ........................................................................................ 568 VPN with Client 4.7x for NT................................................................................................. 568 Citrix Setting for NAT........................................................................................................... 569 Remote Install of BorderManager 3.5 or 3.6 By Redirecting GUI ....................................... 569 HOSTS File Tip ................................................................................................................... 569 Load Balancing Internal Web Servers................................................................................. 570 SSL Logout Page Location.................................................................................................. 570 St. Bernard Software – Don’t Use On BorderManager ....................................................... 570 Serving up the PROXY.PAC File from BorderManager...................................................... 571 More PROXY.PAC File Help ............................................................................................... 571 BorderManager and NetWare Cluster Services.................................................................. 572 Common Log File Format.................................................................................................... 575
IP Address ....................................................................................................................... 575 Authenticated User Name................................................................................................ 575 Date ................................................................................................................................. 575 Time................................................................................................................................. 575 Timezone ......................................................................................................................... 575 HTTP Request ................................................................................................................. 575 URL.................................................................................................................................. 576 Status Code ..................................................................................................................... 576
ERRATA & REVISIONS ............................................................................................................ 578 Beta 2.0................................................................................................................................... 578 Beta 3.0................................................................................................................................... 578 First Edition ............................................................................................................................. 578
INDEX......................................................................................................................................... 580
Chapter 1 - Overview May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 17
Chapter 1 - Overview What is BorderManager?
Filtering
Chapter 1 - Overview May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 18
Proxies
Gateways
VPN
Chapter 1 - Overview May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 19
How This Book Is Organized
Chapter 1 - Overview May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 20
What this book covers •
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
What this book does not cover •
•
•
•
•
•
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 21
Chapter 2 - Basics Some Important Terminology
Access Rules based on a source of an NDS user name, group or container generally only apply to the HTTP, FTP and Transparent TELNET proxies, and IP Gateway, and require Proxy Authentication to be used.
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 22
Prerequisite Knowledge
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 23
TCP/IP Basics
Public & Private Networks
•
•
•
RFC 1918 - Address Allocation for Private Internets. Y.
Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot &
E. Lear. February 1996. (Format: TXT=22270 bytes)
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 24
(Obsoletes RFC1627, RFC1597) (Also BCP0005) (Status:
BEST CURRENT PRACTICE)
Use this URL for a link to RFC 1918: ftp://ftp.isi.edu/in-notes/rfc1918.txt
Remember – if you use the private IP addresses, you will not get a response back from the Internet to your PC unless you are using a Proxy, a Gateway service or have dynamic NAT enabled! This has nothing to do with packet filtering! The routers on the Internet will drop packets with private addresses.
The Importance of the Default Route
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 25
Domain Name Service (DNS)
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 26
•
•
•
•
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 27
•
Stateful packet filtering is explained in detail in my book “Novell BorderManager: A Beginner’s Guide To Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net. A full discussion of packet filtering concepts and issues is out of the scope of this book.
Secondary IP Addresses
You may need a dedicated IP address for each service, such as a web server or a mail server that you want to host. You will definitely need to have different IP addresses if you want to use static NAT and proxies as you cannot use both of those services on the same public IP address at the same time.
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 28
You can assign addresses in different networks to a single network card, and NetWare will route between them as if they were assigned to two different network cards. Assigning addresses from different networks is done in INETCFG by simply binding a new address to an interface. An example would be to assign 192.168.10.252 and 172.16.31.254 to an interface. This book does not cover such an assignment, as it is not normally needed in a BorderManager configuration. This is NOT the same as a secondary IP address.
IPADDRESS is all one word!
ADD SECONDARY IPADDRESS 192.168.10.253
DISPLAY SECONDARY IPADDRESS
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 29
Caution! Secondary IP addresses are not permanent – you need to put the ADD SECONDARY IPADDRESS 192.168.10.253 command in AUTOEXEC.NCF (after the primary bindings are made) so that the addresses will be available after a server reboot.
Proxy Versus Routing and NAT (How Proxies Work)
•
•
•
•
DELETE SECONDARY IPADDRESS 192.168.10.253
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 30
•
•
•
•
•
•
•
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 31
BorderManager Scenarios
Some of these scenarios are not very basic! Don’t get bogged down trying to understand the more complex scenarios until you are familiar with BorderManager. I provide these scenarios in order to show some range of possibilities for implementing BorderManager.
Scenario 1 - One Public IP Address
InternetW AN link
BorderM anager Server
Private IP Address192.168.10.254(255.255.255.0)
A Sim ple Two-Interface, One IP Address Configuration
Public IP Address4.3.2.254
(255.255.255.252)
Exam pleAn organization's public network, assigned by the ISP, has a 255.255.255.252 subnet m ask - this allows for two IPaddresses to be assigned (one to the router and one to the BorderManager server).4.3.2.254 is assigned to the In ternet router's LAN interface.4.3.2.253 is assigned to the BorderManager server public in terface.A Class C Private IP network (192.168.10.x) is in use on the internal LAN, and 192.168.10.254 is assigned to theBorderManager private interface. Up to 254 IP addresses can be assigned on the internal LAN.
The BorderM anager server's default route is4.3.2.254, which is the Internet Router's LANIP address
CISCOSYSTEMS
W AN IP Address(ISP Assigned)
InternetRouter
Macintosh
Hub or Switch
PC
Mail Server
All these internal hosts have a192.168.10.x IP address, and a defaultgateway of 192.168.10.254, which is theBorderM anager server's private IPaddress
Subnet M ask / Usable Public IP Addresses(rem em ber that one of these addresses goes onthe router. These num bers do not include thenetwork address or the broadcast address.)
255.255.255.252 2255.255.255.248 6255.255.255.240 14255.255.255.224 30255.255.255.192 62255.255.255.128 126255.255.255.0 254
(The public IP addresses m ust com e from the ISP).
Public IP address4.3.2.253
(255.255.255.252)
W eb Server1
FTP Server
BorderManager Proxies are used tosend inbound traffic coming to theBorderManager public IP address4.3.2.253 to an internal FTP server,Mail server or W eb server, dependingon the type of traffic.
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 32
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 33
Scenario 2 - Multiple Public IP Addresses
InternetW AN link
BorderM anager Server
Private IP Address192.168.10.254(255.255.255.0)
A Typical Two-Interface Configuration
Public IP Address4.3.2.254
(255.255.255.252)
Exam pleAn organization's public network, assigned by the ISP, has a 255.255.255.248 subnet m ask - this allows for six IPaddresses to be assigned (one to the router and five can be assigned to the BorderM anager server).4.3.2.254 is assigned to the Internet Router's LAN interface.4.3.2.253, 4.3.2.252 and 4.3.2.251 are assigned to the BorderManager server public interface.A Class C Private IP network (192.168.10.x) is in use on the internal LAN, and 192.168.10.254 is assigned to theBorderManager private interface. Up to 254 IP addresses can be assigned on the internal LAN.
The BorderManager server's default route is4.3.2.254, which is the Internet Router's LANIP address
4.3.2.253 is the prim ary IP binding, and isreverse proxied to web server14.3.2.252 is static NAT'd to the internal m ailserver.4.3.2.251 is reverse proxied to web server2
CISCOSYSTEMS
W AN IP Address(ISP Assigned)
In ternetRouter
Macintosh
Hub or Switch
PC
Mail Server
W eb Server2
All these internal hosts have a192.168.10.x IP address, and a defaultgateway of 192.168.10.254
Subnet M ask / U sable Public IP Addresses(remem ber that one of these addresses goes onthe router. These num bers do not include thenetwork address or the broadcast address.)
255.255.255.252 2255.255.255.248 6255.255.255.240 14255.255.255.224 30255.255.255.192 62255.255.255.128 126255.255.255.0 254
(The public IP addresses m ust come from the ISP).
Public IP addresses4.3.2.2534.3.2.2524.3.2.251
(255.255.255.248)
W eb Server1
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 34
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 35
Scenario 3 - BorderManager Used Only For HTTP Proxy
InternetW AN link
BorderManager Server
Private IP Address192.168.10.254(255.255.255.0)
A One Interface Configuration Used for HTTP ProxyExam pleAn organization wishes to use BorderManager for HTTP Proxy and Access Rules to control web browsing, but alsowishes to use an existing firewall. BorderManager is set up on the internal LAN with a single IP address and a singleinterface, and HTTP Proxy is configured. The firewall is configured to accept HTTP traffic only from theBorderManager server's IP address, so all internal browsers m ust point to the BorderManager server HTTP proxy.
The firewall is configured to block TCP port 80unless it com es from the BorderManager IPaddress. Thus, the internal PC's m ust go tothe BorderManager HTTP Proxy in order tobrowse the Internet.
CISCOSYSTEMS
W AN IP Address(ISP Assigned)
InternetRouter /Firew all
Macintosh
Hub or Switch
PC
Mail Server
W eb Server2
BorderManager is set up with a singleinterface and a single IP address. HTTPProxy is set up on that IP address, and allinternal web browsers use theBorderManager server's IP address andport 8080 in their proxy settings.
W eb Server1
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 36
Scenario 4 - A Single Firewall DMZ Segment
Internet WAN link
Firew all
Main Internal LAN
A Sim ple One-Firewall DMZ Configuration
ExampleAn organization's uses a single firewall with two internal interfaces. One interface connects the main internal LAN.Another interface connects an isolated LAN (DMZ segment)
CISCOSYSTEMS
InternetRouter
Internal Servers
Internal hosts
Public Mail Server
Public IP address(es)
Public W eb Server
Public FTP Server
Isolated LAN
DM Z
M ainInternal
LAN
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 37
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 38
Scenario 5 - A Classic Two-Firewall DMZ
Internet
WAN link
Public F irew all
A Two-Firewall Classic DMZ Configuration
Exam pleAn organization's uses two firewalls, with the public servers connected on a (DMZ) LAN segment between them . Themain internal LAN is protected behind both firewalls. In case the public firewall is comprom ised, the internal LANsegment is still protected by the private firewall.
CISCOSYSTEMS
In ternetRouter
Internal Servers
Internal hosts
Public Mail Server
Public W eb Server
Public FTP Server
DM Z
M ainInternal
LAN
Priva te F irew all
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 39
Scenario 6 - A Simple Site-to-Site VPN
Internet W AN linkSite B
BorderM anager Server
Site BPrivate IP Address
192.168.11.254(255.255.255.0)
Site BPublic IP Address
2.2.2.254(255.255.255.252)
A Typical Site-to-Site VPN Configuration
LAN IP Address2.2.2.253
(255.255.255.252)
Example:An organization's Site-to-Site VPN, uses a Class C private IP network (192.168.99.0) for the VPN tunnel. EachBorderManager VPN server is assigned a VPN tunnel address from the 192.168.99.0 network to be a m ember of thesite-to-site VPN. The VPN tunnel network address must not be in use anywhere else on the connected LAN's. Theremote sites must all have different internal IP network addresses. In this example, Site A is on a 192.168.10.0internal network, while Site B is on a 192.168.11.0 internal network. The VPN tunnel network is different from both.A unique (hexadecimal) IPX network num ber is also assigned to the VPN tunnel in order to route IPX through the VPNfrom one site to another. The IPX network number for the VPN tunnel is DEADBEEF, and that network number is notin use anywhere else on the interconnected networks.
The Site B BorderManagerserver's default route is2.2.2.253, which is the SiteB Internet Router's LAN IPaddress
Site ABorderM anager Server
Site APublic IP Address
1.1.1.254(255.255.255.252)
LAN IP Address192.168.10.252(255.255.255.0)
CISCOSYSTEMS
Site AInternetRouter
CISCOSYSTEMS
W AN link
LAN IP Address1.1.1.253
(255.255.255.252)
Site BInternetRouter
The Site A BorderManagerserver's default route is1.1.1.253, which is the SiteA Internet Router's LAN IPaddress
Site AVP N Tunnel IP Address
192.168.99.254(255.255.255.0)
Site BVP N TunnelIP Address
192.168.99.253(255.255.255.0)
Note that the two VPN servershave VPN tunnel addresses in
the same IP network!
The Site A BorderManager server 'protects' network192.168.10.0, which then shows up as a static routein the Site B VPN server, pointing to 192.168.99.254as a next hop. (Thereby forcing all traffic from Site Bto 192.168.10.0 to go through the VPN tunnel).
The Site A BorderManager server 'protects' network192.168.11.0, which then shows up as a static routein the Site A VPN server, pointing to 192.168.99.253as a next hop. (Thereby forcing all traffic from Site Ato 192.168.11.0 to go through the VPN tunnel).
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 40
Scenario 7 - A Simple Client-to-Site VPN
Internet WAN link
BorderM anager Server
Private IP Address192.168.10.252(255.255.255.0)
Public IP Address2.2.2.254
(255.255.255.252)
A Typical Client-to-Site VPN Configuration
LAN IP Address2.2.2.253
(255.255.255.252)
Exam pleAn organization 's Client-to-Site VPN, uses a C lass C private IP network (192.168.99.0) for the VPN tunnel. IPX canalso be supported for access over the VPN, if configured. The IPX network num ber assigned to the VPN tunnel m ustbe unique in the network.
The Client-S ite VPN configuration used is the sam e as that set up for the server to be a Master VPN Site-Site server.
The BorderManagerserver's default route is2.2.2.253, which is theInternet Router's LAN IPaddress
W AN link
W AN IP Address(ISP Assigned)
VPN TunnelIP Address
192.168.99.254(255.255.255.0)
W indows PC StandardModem
W indows PC CableModem
WAN link
W indows PCCISCOSYSTEMS
CISCOSYSTEMS
InternetRouter
LANconnected
Router
WAN link
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 41
Scenario 8 - A Complex Multiple BorderManager Server Environment
Virtual Private Network192.168.99.0
betweenBORDER1 and BORDER2
Internet
Dial-up
BORD ER3NetW are 5.1 / BMgr 3.5
PRIVATE192.168.10.254(255.255.255.)
PRIVAT E192.168.10.252(255.255.255.0)
dynamic IPaddress
Internal LAN10/100 switch
BORD ER1NetW are 4.11
BMgr 3.0HTTP Proxy
Client-Server VPNSite-Site VPN
Public-Side DHCP-default route is 192.168.10.254
dial-upconnection
Hub
Hub
P200NetW are 5.0
GroupW ise 5.5Internal DHCP
DNS2 W eb Servers
ZENW orks InventoryNDPS
KIDS450NetW are 5.1/W in98
FTPW EB Serverr
NNTPNDPS
W ebsphereMedia Server
BORD ER2NetW are 5.0
BMgr 3.5Client-Server VPN
Site-Site VPN
PUBLIC4.3.2.2544.3.2.2534.3.2.2524.3.2.251
(255.255.255.0)
PUBLIC4.3.2.250
(255.255.255.0)
PRIVAT E192.168.11.254(255.255.255.0)
192.168.10.250192.168.10.249(255.255.255.0)
192.168.10.251(255.255.255.0)A Com plex Multi-Server (Lab) Scenario
ICS-W 2KW indows 2000 Advanced Server
web serverDNS server
NNTP serverSMTP/ POP3 server
HTTP Proxy
4.3.2.1(255.255.255.0)
VPN:192.168.99.254
VPN:192.168.99.253
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 42
This is not a typical BorderManager installation scenario. I use it here for various reasons, one of which is that it allows me to show how an HTTP Caching Hierarchy works.
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 43
Server Component IP Addresses Functions
BORDER1 PUBLIC Interface 4.3.2.254 Site-to-Site VPN, Client-to-Site VPN
4.3.2.253 Reverse Proxy
4.3.2.252 Reverse Proxy
4.3.2.251 Static NAT
4.3.2.247 Reverse Proxy
192.168.99.254 VPN Tunnel IP address
BORDER1 PRIVATE Interface 192.168.10.252 Various proxies, default route for 192.168.10.0 network
BORDER2 PUBLIC Interface 4.3.2.250 Site-to-Site VPN, Client-to-Site VPN
4.3.2.249 Reverse Proxy
192.168.99.253 VPN Tunnel IP address
BORDER2 PRIVATE Interface 192.168.11.254 Various proxies, default route for 192.168.11.0 network
BORDER3 PRIVATE Interface 192.168.10.254 CERN Proxy, default route for BORDER1
BORDER3 PUBLIC Interface Dial-up interface (modem) Internet connection
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 44
Some Rules of Thumb and Words of Wisdom
•
•
•
•
•
•
•
•
•
•
•
•
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 45
•
•
•
•
•
•
•
•
•
•
•
Chapter 2 - Basics May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 46
•
•
•
•
•
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 47
Chapter 3 - Installation Server Hardware Suggestions
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 48
NetWare Server Installation Tips
Using MSDOS 6.22 and NetWare 5.1
[menu] menuitem=NOVELL,Boot as Novell server (default) menuitem=DOS,Boot to DOS with CDROM TSR's loaded menudefault,novell,15 [dos] FILES=50 BUFFERS=50 DEVICE=\DOS\CPQIDECD.SYS /D:CDROM1 LASTDRIVE=G [novell]
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 49
Never use “CDROM” as a CPQIDECD or MSCDEX command line option. CDROM is a reserved word in DOS and will not work to identify the CDROM. Use something like CDROM1 or CPQCDROM instead.
Don’t Let The NetWare Installation Create the Volumes Automatically
@echo off cls rem Written by Craig Johnson, Jan. 9, 1998 goto %config% :NOVELL cd c:\nwserver server goto END :DOS path c:\dos;c:\nc C:\DOS\MSCDEX /l:D /m:40 /d:CDROM1 :END
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 50
Install BorderManager from the Root of the CD
Get the Server on the Internet Before Configuring BorderManager
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 51
•
•
•
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 52
Setting the Default Route and DNS Servers
If you intend to use packet filter exceptions to bypass the proxies or IP Gateway for selected traffic, you also will need to Enable IP Packet Forwarding. However, the BorderManager services themselves (proxies, IP Gateway, VPN) do not require the BorderManager server to act as a router. In most cases, you will want to enable IP routing.
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 53
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 54
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 55
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 56
BorderManager Server Configuration Suggestions
In order to configure cache volumes, you need to select an advanced option during the NetWare 5 installation. Otherwise you will end up with the default – a SYS volume that uses up the entire NetWare partition. You can either re-install the server, or get a copy of a utility like PowerQuest’s ServerMagic 3. ServerMagic 3 can be used to resize the partitions and volumes, including resizing a SYS volume down to a reasonable 4GB so that you can then use NWCONFIG to create cache and log volumes.
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 57
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 58
NDS Design Considerations
Recommended Patches and Installation Sequence
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 59
How To Install BorderManager 3.x on NetWare 4.x
How to Install BorderManager 3.x on NetWare 5.0
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 60
How to Install BorderManager 3.5 and 3.6 on NetWare 5.1
If possible, do not install any optional components of NetWare 5.1 with BorderManager. Installing components such as the web server, news server and FTP server can interfere with BorderManager proxies. (You can test with these components added if you like, and simply not load them in AUTOEXEC.NCF if they cause problems. You can also install them at a later time if you like). Most of the installation is similar to installing under NetWare 5.0, except that you do not need to install a NetWare Service Pack first. (NetWare 5.1 starts out like NetWare 5.0 with Service Pack 4 installed).
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 61
CAUTION This document is likely to be out of date in regard to the patches available for BorderManager, and any issues in regard to interaction of patches and NetWare. Please check the readme files for each patch carefully to see what new settings may be required or what conflicts might result. Also, check the Novell Public Forums for current information, and check tip #1 at http://nscsysop.hypermart.net.
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 62
General Installation Notes
Working Around Licensing Startup Delays
See the section on NLS licensing below for an explanation of licensing in general. This segment is intended to show you a way to get BorderManager to start automatically, working around a slow initialization of licensing services problem.
NDS –601 Error Messages At Startup
? LOAD BRDSRV
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 63
Loading and Unloading BorderManager Manually
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 64
BMOFF.NCF
rem Craig Johnson, Feb. 21, 2001 See http://nscsysop.hypermart.net rem Unloads most BorderManager-related NLM's unload proxy rem You may want to delay unloading proxycfg until proxy.nlm unloads completely. rem Some users have seen an abend without the delay, though most are fine. rem The ? should cause a 10-second delay before proxycfg unloads, unless rem you press Y. ? unload proxycfg rem Unload CyberPatrol. unload cpfilter unload ipxipgw unload authgw unload authchk unload aclcheck unload nbmalert rem The next two lines unload VPN modules. unload vpmaster unload vpslave unload brdmon unload brdsrv unload csatpxy
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 65
BMON.NCF
Rem Craig Johnson, Mar. 11, 2001 See http://nscsysop.hypermart.net rem CSATPXY options to redirect listening port number seem to be ineffective, but you can try anyway... load csatpxy 999 rem The NOLOAD proxy prevents autoloading of most other BorderManager modules load brdsrv /NOLOAD rem The /S options represses certain (cosmetic) error messages. load aclcheck /S rem The /M option tells Mail Proxy to query more than one MX record if needed load proxy -M Rem Loads CyberPatrol load sys:etc\cpfilter\cpfilter Rem Load modules that don’t autoload w/the BRDSRV /NOLOAD option load AUTHGW load IPXF Rem Loads VPN control module - select the one you are using, Rem or comment out both if not using VPN. load vpmaster rem load vpslave
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 66
BorderManager Licenses
What Are NLS Licenses?
•
•
•
•
•
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 67
NLS Issues
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 68
Note: You can also use the LICMAINT.NLM utility to install licenses, and it may work when no other methods do. Look for the utility in the NIAS42\INSTALL directory on a BorderManager CD.
MLA Licenses
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 69
If you have NOT installed the MLA license to the server using NWCONFIG, you may have to manually copy the NICI files from the license diskette to the DOS partition (and rename them) in order to get encryption services to work. See TID 2945674.
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 70
How To Upgrade BorderManager Servers
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 71
Changing Out A BorderManager Server
Concerns
Concept
Procedure 1 – Primary IP Addresses Used
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 72
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 73
Procedure 2 – Secondary IP Addresses Used
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 74
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 75
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 76
Critical BorderManager-Related Files
Configuration Tools
INETCFG.NLM
NIASCFG.NLM
VPNCFG.NLM
BRDCFG.NLM
FILTCFG.NLM
INSTALL.NLM
NWCONFIG.NLM
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 77
SYS:\PUBLIC\WIN32\NWADMN32.EXE
SYS:\PUBLIC\MGMT\CONSOLEONE\1.2\BIN\CONSOLEONE.EXE
Data Files
SYS:\ETC\HOSTS
SYS:\ETC\GATEWAYS
SYS:\ETC\RESOLV.CFG
SYS:\ETC\TCPIP.CFG
SYS:\ETC\NETINFO.CFG
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 78
SYS:\ETC\FILTERS.CFG
Startup Files
C:\CONFIG.SYS
C:\AUTOEXEC.BAT
C:\NWSERVER\STARTUP.NCF
SYS:\SYSTEM\AUTOEXEC.NCF
Troubleshooting Tools
TCPCON.NLM
CALLMGR.NLM
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 79
PPPTRACE.NLM
Keeping BorderManager Up-to-date
Patches
The BorderManager 3.5 Enhancement Pack
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 80
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 81
Starting BorderManager
FILE SERVER NAME BORDER1 IPX INTERNAL NET 1234 # load conlog MAXIMUM=100 ; Network driver LOADs and BINDs are initiated via ; INITSYS.NCF. The actual LOAD and BIND commands ; are contained in INITSYS.NCF and NETINFO.CFG. ; These files are in SYS:\ETC. sys:\etc\initsys.ncf LOAD NETDB /N SET NAT DYNAMIC MODE TO PASS THRU=ON # STATIC NAT FOR PCANYWHERE, FTP SERVER, CITRIX ADD SECONDARY IPADDRESS 4.3.2.253 # REVERSE PROXY ACCELERATION FOR BJHOME WEB SERVER ADD SECONDARY IPADDRESS 4.3.2.252 # STATIC NAT TO MAIL SERVER ADD SECONDARY IPADDRESS 4.3.2.251 Search Add SYS:\JAVA\BIN Load NLSLSP Mount All Load CSAUDIT # BEGIN SAS/PKI (ADDED BY SASI) Load CCS Load PKI # END SAS/PKI (ADDED BY SASI) ? Load MONITOR ? Load RDATE /P 240 /V 2 /U /M 999999999 192.168.10.254 # Load BorderManager Services ? Load BRDSRV.NLM /NOLOAD ? Load ACLCHECK /S ? Load PROXY -M Load SYS:\ETC\CPFILTER\CPFILTER Load IPXF Load AUTHGW Load VPMASTER
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 82
CAUTION A problem was discovered with NETDB version 4.09, and possibly later versions. Loading it manually before INITSYS.NCF as shown in some Novell documents could lead to serious TCP/IP communications problems, when used with certain versions of TCPIP.NLM. Check the Novell Support Forums for information on manually loading this module. If it is loaded after TCPIP.NLM is loaded, you should not see a problem. You can also simply let it autoload as needed, though some startup delays may be experienced.
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 83
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 84
Tips For Getting NWADMN32 To Work With BorderManager Server
Rename the ACNWAUTH.DLL Snapin
Get The Latest Version of NWADMN32
Fix Invalid BorderManager Snapin Modules Errors
Fix “No BorderManager Licenses Available” Messages
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 85
What snapins should I have?
BorderManager 3.5 / NetWare 5.0
BorderManager 3.5 / NetWare 5.0 Volume in drive K is SYS Directory of K:\public\WIN32\SNAPINS . <DIR> . .. <DIR> .. AUDIT32 DLL 11,776 03-02-00 4:09p AUDIT32.DLL RADSNAP DLL 304,128 05-31-99 10:44p RADSNAP.DLL ALERT DLL 85,504 05-19-99 4:45p ALERT.DLL RESTRICT DLL 343,040 09-15-99 10:41a RESTRICT.DLL NWCADM32 DLL 71,680 06-02-98 6:33p NWCADM32.DLL BSMON DLL 803,328 09-14-99 12:07p BSMON.DLL PKISNAP DLL 447,488 02-18-99 2:40p PKISNAP.DLL ADMSNAP DLL 192,000 05-31-99 10:47p ADMSNAP.DLL NLSMGR32 DLL 556,544 02-29-00 5:17p NLSMGR32.DLL ACNWAUTH DL_ 225,280 06-01-99 10:20a ACNWAUTH.DL_ BSCOV DLL 119,296 09-15-99 10:19a BSCOV.DLL INI <DIR> 06-25-00 11:37a Ini 95ONLY <DIR> 06-25-00 11:48a 95ONLY NTONLY <DIR> 06-25-00 11:48a NTONLY 12 file(s) 3,160,064 bytes 5 dir(s) 3,261,267,968 bytes free
Chapter 3 - Installation May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 86
BorderManager 3.0 / NetWare 4.11
Volume in drive I is SYS Directory of I:\PUBLIC\WIN32\SNAPINS . <DIR> . .. <DIR> .. NLSMGR32 DLL 556,544 02-29-00 5:17p NLSMGR32.DLL ALERT DLL 76,288 10-12-98 2:24p ALERT.DLL BSCOV DLL 117,760 11-23-99 3:51p BSCOV.DLL RESTRICT DLL 342,016 12-03-99 1:29p RESTRICT.DLL NWCADM32 DLL 71,680 06-02-98 6:33p NWCADM32.DLL BSMON DLL 803,328 11-23-99 4:05p BSMON.DLL AUDIT32 DLL 11,776 03-02-00 4:09p AUDIT32.DLL PKISNAP DLL 447,488 02-18-99 2:40p PKISNAP.DLL ADMSNAP DLL 192,000 05-31-99 10:47p ADMSNAP.DLL INI <DIR> 07-19-00 8:59a INI 10 file(s) 2,618,880 bytes 3 dir(s) 232,718,336 bytes free
Chapter 4 – Understanding Packet Filtering May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 87
Chapter 4 – Understanding Packet Filtering
Packet filtering is explained in detail in the book “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html/sysops.html. A few sections of that book have been taken out and used in this book.
Default Packet Filters
Chapter 4 – Understanding Packet Filtering May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 88
The BorderManager 3.x Default Packet Filters
Outgoing RIP Filters: •
•
•
•
Incoming RIP Filters •
Outgoing EGP Filters: •
Chapter 4 – Understanding Packet Filtering May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 89
Incoming EGP Filters •
OSPF External Route Filters •
Packet Forwarding Filters •
•
Packet Filter Exceptions
What are the Default Packet Filter Exceptions?
The default packet filter exceptions allow all outbound traffic from proxies, and some inbound traffic. However, the default packet filter exceptions do not allow certain types of inbound traffic to some of the proxies, such as inbound SMTP, NNTP or almost any special traffic for a Generic TCP or UDP Proxy. In addition, no default packet filter exception allows any inbound or outbound traffic for secondary IP addresses. You must manually add packet filter exceptions for all of these situations as needed.
Chapter 4 – Understanding Packet Filtering May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 90
There is an important distinction to be made here between the public interface and the public IP address. All of the default exceptions call out the public IP address rather than the interface. This is a necessary distinction as calling out the interface instead of the public IP address results in allowing undesired traffic. It also means that the default packet filter exceptions do not cover any secondary IP addresses that you might add to the public interface. Also, because a source or destination IP address is specified in the filter exception, it is not necessary to specify the interface.
Chapter 4 – Understanding Packet Filtering May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 91
The default packet filters cover both IPX and IP traffic, though this book is exclusively concerned with IP packet filters and exceptions. The default packet filters should not be blocking ANY traffic to or from the private interface, so if enabling packet filters causes communications problems, it may indicate that the packet filters were applied incorrectly with BRDCFG.NLM, and need to be redone, especially if IPX communications have been affected. However, there are some issues with certain types of IP communications to NetWare 5.x servers trying to go to the public IP address instead of the private IP address. In this case, the following command may be needed: SET NCP EXCLUDE IP ADDRESSES x.x.x.x (for the version in the service packs, use SET NCP EXCLUDE IP ADDRESSES = x.x.x.x - that is, add the = sign.) Another option is to set up a stateful packet filter exception allowing TCP destination port 524 from the private interface to the public IP address.
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 92
Chapter 5 – The Initial Configuration
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 93
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 94
If you have problems getting NWADMN32.EXE to launch, try renaming the SYS:\PUBLIC\WIN32\SNAPINS\ACNWAUTH.DLL file to something else so that it will not load. This file is used for configuring ActivCard parameters, but often causes NWADMN32 to crash. Refer to the Troubleshooting section at the end of this book if you have other problems getting NWADMN32 to work with BorderManager.
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 95
BorderManager Setup Main Menu
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 96
BorderManager IP Address Configuration
•
•
•
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 97
There could be additional secondary public IP addresses configured on the BorderManager server that do not show up in this NWADMN32 menu. Adding a secondary IP address to the server is done with the ADD SECONDARY IPADDRESS command. Once a secondary IP address is added to the server, it can then be added in NWADMN32 to make it available for BorderManager proxy services. Addresses used for static NAT do not require configuration in the BorderManager IP Address summary menu. However, if a secondary IP address were to be used for one of the proxies, it would have to be entered in the BorderManager IP Address Summary menu in order to configure that proxy. In the example above, there is no 4.3.2.251 IP address shown in the screenshot, but that IP address happens to be set up on the server and is used with static NAT, to bypass the BorderManager proxies for certain types of inbound traffic.
•
•
•
•
•
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 98
Secondary IP addresses used on BORDER1
•
•
•
•
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 99
Authentication Context (Proxy Authentication)
NDS-based rules can also be used with the FTP Proxy and Transparent TELNET Proxy. But the username/password has to be passed to these proxies in different ways. Also, the CLNTRUST utility has not worked with FTP Proxy in BorderManager 3.5 with patch sets up through at least BM35C11.EXE.
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 100
Proxy Authentication Settings
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 101
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 102
SSO is popularly thought of as meaning to use the CLNTRUST utility. However, both CLNTRUST and SSL authentication both make use of SSO. SSO stands for Single-Sign On, and SSO really means that the same user ID and password as the users normal login account are used for proxy authentication. This was not always the case. BorderManager 2.1 used a separate password tied to the user account, and that led to a lot of administrative burden. CLNTRUST and SSL are simply different ways to pass the user ID and password to the BorderManager server. CLNTRUST does not actually send the password across the wire, but makes use of Client32 RSA security features. SSL does send the password across the wire, but encrypts it. Unfortunately, the User ID and password for the FTP Proxy and Transparent TELNET Proxy are sent across the wire in clear text, and the FTP Proxy does not make use of the CLNTRUST utility, at least in BorderManager 3.5 patch sets up through BM35C06.EXE. Another point: Single Sign On in BorderManager is not the same as the Novell Single Sign On product.
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 103
40-bit, 56-bit and 128-bit Encryption
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 104
40-, 50-, and 128-bit encryption is different in the strength of the encryption process that is used. The practical meaning is that the higher the bit number, the harder it is to break the encryption by brute force attack.
As of this writing, a BorderManager server can be upgraded to 128-bit encryption by using a 128-bit version of TCPIP.NLM from the latest NetWare support pack, and installing the NICID156.EXE patch. If a VPN was originally configured without 128-bit encryption, it must be reconfigured (in VPNCFG) in order to upgrade to 128-bit encryption.
As of this writing, a bug has been seen in the certificate creation process when using NetWare 5.1 certificate server. ConsoleOne is used to create certificates with the newer certificate server, and it appears to be unable to create an SSL certificate at less than the highest value of encryption capable by the host server. In other words, although you may try to create a 40-bit certificate on a 128-bit server, the certificate will still be 128-bit. I have seen this happen on some networks but not others, and as of this writing do not know the cause.
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 105
Using Proxy Authentication on the Client with CLNTRUST
#F:\PUBLIC\DWNTRUST.EXE #F:\PUBLIC\CLNTRUST.EXE
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 106
If you should see many unsuccessful authentication requests (thousands), it may be that the user is not logged into the same NDS tree as the BorderManager server.
CLNTRUST Problem Work-Around
source interface=<private interface>, destination interface=<public interface> source ports=Any destination port=524 protocol=TCP destination IP address=<BorderManager server public IP address>
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 107
SET NCP EXCLUDE IP ADDRESSES x.x.x.x
SET NCP EXCLUDE IP ADDRESSES = x.x.x.x
SET NCP INCLUDE IP ADDRESSES x.x.x.x
SET NCP INCLUDE IP ADDRESSES = x.x.x.x
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 108
Configuring SSL Proxy Authentication
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 109
Creating a Security Container
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 110
Creating a Certificate Authority, pre-NetWare 5.1
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 111
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 112
Creating a Certificate Authority, with NetWare 5.1
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 113
Creating a Key Material Object for BorderManager with NWADMN32
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 114
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 115
As of this writing, a bug has been found in creating 40-bit certificates with ConsoleOne and Certificate Server 2 on some networks. Even though you try to create a custom certificate with 40-bit encryption, it comes up in the browser as using the highest level of encryption available on the server.
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 116
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 117
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 118
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 119
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 120
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 121
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 122
Assigning the Key Material Object for SSL Proxy Authentication
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 123
Using SSL Proxy Authentication
Test Conditions
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 124
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 125
The SSL Proxy Authentication Login Screen (HTML)
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 126
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 127
Macintosh computers may not be able to use SSL Proxy Authentication with Internet Explorer as the browser. Try a later version of Netscape instead.
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 128
Proxy Authentication for Citrix Users
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 129
DNS Parameters
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 130
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 131
Transport
Chapter 5 – The Initial Configuration May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 132
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 133
Chapter 6 - HTTP Proxy Concepts
How BorderManager HTTP Proxy Works With DNS
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 134
# SYS:\ETC\HOSTS # 127.0.0.1 loopback lb localhost # normal loopback address 192.168.10.252 BORDER1 192.168.10.250 www.bjhome.com 192.168.10.249 www2.bjhome.com 192.168.10.251 www3.bjhome.com
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 135
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 136
•
•
•
•
•
•
•
•
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 137
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 138
How Browsers Are Configured For HTTP Proxy
Netscape
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 139
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 140
Internet Explorer
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 141
HTTP Proxy Details
HTTP
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 142
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 143
Cache Hierarchy Server
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 144
Cache Hierarchy Client
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 145
Cache Hierarchy Routing
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 146
Logging
Common Logging
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 147
You should not allow the Common log files to be created on the (default) SYS volume unless you keep a very close eye on the amount of space the log files are using. I recommend setting up a dedicated log volume and directing all common log files there.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 148
Extended Logging
At the time of this writing, I am not aware of any commercial applications that make use of Extended log files to produce a report, therefore you may want to consider if it is worth enabling this type of logging.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 149
Indexed Logging
•
•
•
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 150
•
•
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 151
HTTP Proxy Caching
Cache Aging
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 152
Cache Control
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 153
Caution! Do not enable read-ahead in unpatched BorderManager 3.0 servers as there is a bug that can cause the HTTP Proxy to continuously loop back and request the same web page over and over if there is a broken link on the page. This setting generally improves performance, but it is critical to apply the latest BorderManager patches to avoid the bug, which can appear to the web site’s ISP as a denial of service attack, and to you as a large waste of bandwidth.
Many changes to caching parameters do not go into effect unless you reload PROXY.NLM. If in doubt, restart the server, or unload and reload PROXY.NLM.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 154
Cache Location
CAUTION This is a very important section! You should never leave the cache location on the default volume (SYS)!
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 155
When setting up the HTTP Proxy cache location, for BorderManager 3.0 you must create the initial directory (in this case you must manually create the CACHE1:PROXY\CACHE and CACHE2:PROXY\CACHE directories). BorderManager 3.5 and 3.6 will automatically create all the subdirectories needed according to the cache location parameters.
The cache volume should be set up with 16K block size, no suballocation and no compression enabled for good caching performance. Only DOS name space should be used on a cache volume.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 156
You must use VREPAIR to remove LONG name space in NetWare 5.x. NetWare 5.x volumes are created with LONG name space enabled by default, unlike NetWare 4.x. You cannot remove name spaces or change NSS volume parameters at all, which is one reason I don’t recommend NSS cache volumes.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 157
Cachable Object Control
•
•
•
•
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 158
The entries you configure here will not be cached AFTER you make the entries, but if you have already browsed to them, entries will already be in cache. You may need to clear the cache data by unloading PROXY.NLM, and then using a LOAD PROXY –CC command (clear ALL cache entries).
Entering a Non-Cacheable URL Pattern
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 159
Clearing the Proxy Cache
A faster way, to be used only when the cache is on a dedicated volume (and you should ALWAYS have the cache on a dedicated volume), is to delete and recreate the cache volume itself. Clearing the cache with the –CC option can be fairly slow on large cache volumes with many cached nodes.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 160
Scheduled Downloads
You must check the Enable Scheduled Download box to be able to manually pre-cache data from the server console, using the “Proxy” console screen, option 22. That option allows you to immediately pull data into cache (one time) from a URL.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 161
Entering a URL to download on a schedule
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 162
Set Download Frequency
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 163
HTTP Proxy - SOCKS Client
Only the HTTP Proxy really makes use of the SOCKS client. Other proxies will not use the SOCKS client setting (including the FTP Proxy, although the menu option makes it look like it can use SOCKS).
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 164
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 165
Setting Up a Cache Hierarchy
Concept
As far as I know, all HTTP Proxies can serve as a CERN proxy, but not all have ICP proxy capability.
The latest patch for BorderManager 3.5 and 3.6 (BM3CC01.EXE as of this writing) provides the capability of passing authentication information to an upstream caching server.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 166
CERN Configuration, BorderManager Server as a Client
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 167
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 168
ICP Cache Hierarchy
ICP packets are not sent if only one other ICP server is defined. There is no need to query the other ICP servers unless a choice is to be made for which of those servers might already have the data.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 169
Cache Hierarchy Routing Exceptions
See Scenario 8, earlier in this book, for a diagram of the servers and addressing used. The cache hierarchy being described is between BORDER1 and BORDER3.
Chapter 6 - HTTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 170
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 171
Chapter 7 - Transparent Proxy Transparent Proxy (HTTP)
Concept
Pros •
•
•
Cons •
•
•
•
•
•
•
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 172
Configuring Transparent Proxy
BorderManager 3.0 Transparent Proxy configuration menu
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 173
BorderManager 3.5 & 3.6 Transparent Proxy configuration menu
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 174
Transparent Proxy will cache data from a web site as a different node than the same web site accessed through HTTP Proxy. That is, the same data might be cached twice, once for Transparent Proxy and once for HTTP Proxy. Because of this difference, you also will continue to cache data that has been entered as a non-cacheable URL if you are using Transparent Proxy instead of HTTP Proxy.
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 175
CAUTION: HTTPS / SSL port 443 redirection does not work through transparent proxy by design. You should set up a stateful packet filter exception to pass this type of traffic through, or rely on the HTTP proxy, which will handle port 443 traffic.
Ways To Convert Browsers To Use HTTP Proxy
#regedit -s f:\public\proxy.reg
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable"=dword:00000001 "ProxyServer"="10.10.10.1:8080"
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 176
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 177
Transparent TELNET Proxy
Transparent TELNET proxy is available only in BorderManager 3.5 and 3.6. It is not present in BorderManager 3.0.
Concept
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 178
Configuring Transparent TELNET Proxy
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 179
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 180
User Authentication
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 181
Transparent TELNET Proxy Usage
Example 1 – No User-based Authentication Required
TELNET UNIXSERVER.COM
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 182
Example 2 – NDS-Based User Authentication
TELNET UNIXSERVER.COM
Chapter 7 - Transparent Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 183
Novell Border Manager TELNET Proxy Service You are required to authenticate before connecting to the target host User Name:
User Name: Admin
Access Denied by Novell Border Manager:Access Control failure
Access Denied by Novell Border Manager:user login failure
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 184
Chapter 8 - FTP Proxy Concept
Limitations
Alternative For ACTIVE (PORT) FTP
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 185
Configuring FTP Proxy
User Authentication
Clear Text User/Password
Single Sign On
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 186
FTP Proxy Usage
Example 1 – No User-based Authentication Required, DOS FTP Client
FTP BORDER1
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 187
Connected to BORDER1.BJHOME.COM. 220 Service Ready User (BORDER1.BJHOME.COM:(none)):
User (BORDER1.BJHOME.COM:(none)): anonymous$ftp.sysop.com
331 Anonymous access allowed, send identity (e-mail name) as password. Password:
230-Welcome to the FTP Server 230 Anonymous user logged in. ftp>
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 188
Example 2 – User-based Authentication Required, DOS FTP Client
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 189
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 190
FTP BORDER1
Connected to BORDER1.BJHOME.COM. 220 Service Ready User (BORDER1.BJHOME.COM:(none)):
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 191
User (BORDER1.BJHOME.COM:(none)): anonymous$ftp.sysop.com
530 Access Denied by Novell Border Manager:Access Control failure Connection closed by remote host ftp>
ftp> Open BORDER1 Connected to border1. 220 Service Ready. User (border1:(none)): admin.dd$anonymous$ftp.sysop.com 331 Anonymous access allowed, send identity (e-mail name) as password. Password: <press enter, or type your email address> Connection closed by remote host. ftp>
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 192
ftp> Open BORDER1 Connected to border1. 220 Service Ready. User (border1:(none)): admin.dd$anonymous$ftp.sysop.com 331 Anonymous access allowed, send identity (e-mail name) as password. Password: <admin user password>$<press Enter, or type your email address> 230-Welcome to the FTP Server 230 Anonymous user logged in. ftp>
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 193
Example 3 – User-based Authentication Required, CuteFTP Client
Admin.DD$anonymous$ftp.sysop.com
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 194
<admin.dd NDS password>$<your email address>
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 195
Example 4 – User-based Authentication Required, WS_FTP Client
Chapter 8 - FTP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 196
All Examples, FTP Proxy Statistics Screen
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 197
Chapter 9 - Mail Proxy Concept
An Alternative
A GWIA Alternative
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 198
Configuring Mail Proxy
No Internal Mail Server, Mail Through Proxy
SYS:\ETC\PROXY\SPOOL\INCOMING
SYS:\ETC\PROXY\SPOOL\OUTGOING
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 199
Using an NSS volume to hold the spool directory may cause problems.
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 200
The latest Proxy/ACL patch (BM3XC01 at the time of this writing) may have specific settings required in the SYS:ETC\PROXY\PROXY.CFG file to be used for configuring the mail proxy. Check the patch instructions carefully.
Internal Mail Server, Mail Through Proxy
Source Interface: <public interface> Destination Interface: <public interface> Protocol: TCP Destination Port: 25 (SMTP) Destination IP Address: <public IP address of the BorderManager server>
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 201
Source Interface: <public interface> Destination Interface: <public interface> Protocol: TCP Destination Port: 110 (POP3) Destination IP Address: <public IP address of the BorderManager server>
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 202
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 203
Be sure to check the installation instructions in any BorderManager patches. The Proxy/ACL patch BM35C11 and later in particular calls out different values to be used than the ones shown in this example.
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 204
GWIA Example Settings
This example is for GroupWise Internet Agent running on an internal mail server, NOT on the BorderManager server. If you are running GWIA on the BorderManager server, you would not be using the Mail Proxy.
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 205
Access Rule and Packet Filter Exception to Allow POP3 Through Mail Proxy
Inbound POP3
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 206
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 207
Outbound POP3
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 208
Access Rule To Allow SMTP Through Mail Proxy
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 209
Access Rules to Control Use of Mail Proxy
Internal Mail Server
No Internal Mail Server
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 210
Access Rule Examples
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 211
Chapter 9 - Mail Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 212
Chapter 10 - News Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 213
Chapter 10 - News Proxy Concept
Using News Proxy With An External NNTP Server
Chapter 10 - News Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 214
Chapter 11 - Real Audio Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 215
Chapter 11 - Real Audio Proxy
BorderManager 3.0 Settings
Chapter 11 - Real Audio Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 216
BorderManager 3.5 & 3.6 Settings
Chapter 11 - Real Audio Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 217
BorderManager 3.0 RealAudio Proxy Access Rule
Chapter 11 - Real Audio Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 218
BorderManager 3.5 & 3.6 RealAudio and RTSP Access Rule
Chapter 11 - Real Audio Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 219
RealPlayer G2 Proxy Settings
The PC-to-proxy data for the RTSP protocol is sent using port 9090, while the proxy-to-RTSP host data will use port 554.
Chapter 12 - DNS Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 220
Chapter 12 - DNS Proxy Concept
An Alternative
Chapter 12 - DNS Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 221
Configuring DNS Proxy
If you configure DNS Proxy, you cannot run a DNS server on the same server as BorderManager because only one will be able to listen on port 53. (I do not recommend running a DNS server on BorderManager).
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 222
Chapter 13 - Generic TCP Proxy Concept
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 223
You cannot set up the same TCP port number as that used by one of the non-generic proxies, such as the HTTP, Mail, or News Proxies. Those port numbers are reserved, even if those proxies are not enabled. See the example on NNTP proxy below for a possible alternative.
Configuring Generic TCP Proxy
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 224
Example for NetWare Web Manager
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 225
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 226
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 227
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 228
Browser Configuration
Access Rule Configuration
HTTPS://4.3.2.247:12345
HTTPS://www3.bjhome.com:12345
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 229
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 230
Example For NNTP
"News", "NNTP" and Usenet are synonymous in this case.
An alternative to using any proxies for Usenet access is to set up a stateful packet filter exception, usually in combination with Dynamic NAT, to allow routing of outbound NNTP traffic to any Usenet server.
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 231
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 232
The access rule only specifies the destination port to be used on the Internet side of the BorderManager server. The custom port (listening port on the internal side of the BorderManager server) is not specified in an access rule.
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 233
Outlook Express Configuration
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 234
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 235
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 236
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 237
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 238
Not all Newsreader programs have a menu entry for setting a non-default port number. However, those programs, like Forte Free Agent, may allow you to change the default listening port number in an INI file.
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 239
Agent /Free Agent Configuration
[Servers] NewsServer="192.168.10.252" MailServer="<your mail server goes here>" POPServer="" NNTPPort=120 SMTPPort=25 POPPort=110 SMTPServerPort=25
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 240
Example Generic TCP Proxy for Inbound pcANYWHERE
pcANYWHERE locates other pcANYWHERE hosts using UDP port 5632, and if no response is received on 5632, then UDP port 22 is also tried. Once a pcANYWHERE host is located, a connection is made and traffic is exchanged on TCP port 5631. Both a UDP and a TCP generic proxy (along with appropriate access rules, and packet filter exceptions if using a secondary public IP address) are required.
Chapter 13 - Generic TCP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 241
Chapter 14 - Generic UDP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 242
Chapter 14 - Generic UDP Proxy Concept
You cannot set up the same UDP port number as used by one of the non-generic proxies, such as the DNS proxy. Those port numbers are reserved, even if those proxies are not enabled.
Chapter 14 - Generic UDP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 243
Chapter 14 - Generic UDP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 244
Generic UDP Proxy - Time Server Proxies
Chapter 14 - Generic UDP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 245
Configuring A Generic UDP Proxy for NTP
Chapter 14 - Generic UDP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 246
Configuring a Generic UDP Proxy for RDATE
Chapter 14 - Generic UDP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 247
Example Generic UDP Proxy for Inbound pcANYWHERE
Chapter 14 - Generic UDP Proxy May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 248
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 249
Chapter 15 – Acceleration (Reverse Proxy) HTTP Acceleration
Concept
Using Primary Public IP Address
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 250
Configuring Reverse Proxy Acceleration
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 251
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 252
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 253
Using a Secondary Public IP Address
Filter Exceptions Needed for Reverse Proxy Acceleration
Review the section toward the front of this book if you are not familiar with secondary IP addresses.
If you are using Dynamic NAT, you MUST either disable NAT Implicit Filtering in INETCFG, or SET NAT DYNAMIC MODE TO PASS THRU=ON (and put that in AUTOEXEC.NCF). There is also a ‘trick’ that effectively disables NAT Implicit filtering ONLY for a single IP address – static NAT the public secondary IP address to itself.
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 254
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 255
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 256
Access Rule Required for Reverse Proxy Acceleration
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 257
FTP Acceleration
Concept
Configuration
This is one case where the default packet filter exceptions do not cover the requirements of a proxy. You must add a packet filter exception to allow TCP destination port 21 to the BorderManager server’s public IP address being used for FTP Acceleration.
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 258
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 259
Chapter 15 – Acceleration (Reverse Proxy) May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 260
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 261
Chapter 16 – The Gateways IPX/IP Gateway
Concept
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 262
Pros •
•
•
•
•
Cons •
•
•
•
•
History of IPX/IP Gateway
IntranetWare IPX/IP Gateway
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 263
BorderManager 2.1 IPX/IP Gateway
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 264
BorderManager 3.x IPX/IP Gateway
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 265
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 266
The Single Sign On Authentication and Log settings for IPX/IP Gateway also affect the IP/IP Gateway.
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 267
Client Settings For IP Gateway
Use Proxy, No Authentication, No Rules, No Logging •
•
•
•
•
•
Use Proxy, Authentication, Access Rules and Logging •
•
•
•
•
•
•
•
•
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 268
Use IP gateway, No Proxy, Access Rules and Logging •
•
•
•
•
•
•
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 269
Installing IP Gateway Service on the PC
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 270
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 271
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 272
IP/IP Gateway
Concept
Pros •
•
•
•
Cons •
•
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 273
•
•
Access Rules, Proxies and the IP/IP Gateway
IP/IP Gateway With Access Rules And Without Proxy •
•
•
IP/IP Gateway Without Access Rules And With Proxy •
•
IP/IP Gateway With Proxy and With Access Rules •
•
•
•
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 274
Configuring IP/IP Gateway
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 275
The Single Sign On Authentication and Log settings for IP/IP Gateway also affect the IPX/IP Gateway.
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 276
SOCKS Gateway
Concept
Chapter 16 – The Gateways May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 277
•
•
•
•
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 278
Chapter 17 - Site-to-Site VPN Introduction to BorderManager VPN
Concept
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 279
Setting Up the Master VPN Server
Configuration Tasks at the Server Console
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 280
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 281
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 282
VPN IP and IPX Addressing Design Considerations
It is key that you assign unique IP and IPX network numbers to the VPN segments!
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 283
For the VPN server tunnel IP addressing, use a private Class C IP network number from the range between 192.168.0.0 and 192.168.254.0 for best results, with subnet mask 255.255.255.0. The examples in this book will show 192.168.99.0 in use. Refer to the Site-to-Site VPN scenario earlier in this book.
•
•
•
•
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 284
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 285
Setting Up The Master VPN Server, Continued
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 286
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 287
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 288
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 289
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 290
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 291
In order to set up Site-to-Site VPN slave servers, you will be required to supply the MINFO.VPN file at the slave server.
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 292
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 293
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 294
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 295
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 296
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 297
Configuring the VPN Master Server in NWADMN32
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 298
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 299
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 300
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 301
Adding a Site-to-Site Slave VPN Server – Server Console Procedures
Review the section ‘Configuring a Master VPN Server’ under the section on setting up Client-to-Site VPN for details on getting the first VPN server configured.
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 302
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 303
See the section in this book on configuring a Master VPN server for more explanation on VPN addressing considerations.
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 304
You will be required to provide the MINFO.VPN file from the Master VPN server at this point, and you will need the slave server’s authentication digest string (for comparison purposes). The easiest way to enter the data is to have that file on a floppy disk inserted in the slave server at this point.
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 305
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 306
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 307
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 308
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 309
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 310
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 311
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 312
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 313
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 314
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 315
Adding a VPN Slave Server – NWADMN32 Procedures
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 316
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 317
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 318
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 319
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 320
Adding a network or host address to the protected list will set a static route on the other Site-to-Site VPN servers pointing to the protecting server’s VPN tunnel IP address. In the example shown for BORDER2, if you look at the BORDER1 server’s SYS:\ETC/GATEWAYS file, you should see an entry for 192.168.11.0 pointing to a next hop of 192.168.99.253. Only protect networks that are actually ‘behind’ the server you are configuring.
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 321
Chapter 17 - Site-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 322
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 323
Chapter 18 - Client-to-Site VPN Concept
As of this writing, Client-to-Site VPN does not work on WindowsME.
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 324
Setting Up VPN Servers
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 325
The WAN Client IPX Network Address must not be the same as an IPX network number used anywhere else in the network, including on either side of a Site-to-Site VPN or an internal IPX Net Number of a NetWare server.
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 326
Caution: If you select Encrypt All Networks, ALL traffic from a VPN user will come across the WAN link to the BorderManager server and be encrypted, including that user’s regular Internet traffic! This setting often results in the client browsing to the Internet failing.
All internal TCP/IP hosts to be accessed via a VPN connection MUST be configured with a valid default gateway.
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 327
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 328
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 329
BorderManager Client-to-Site VPN Access Rules
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 330
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 331
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 332
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 333
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 334
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 335
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 336
Configuring a Client-to-Site VPN Client PC
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 337
VPN Client Connection Process – A Case Study
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 338
Step 1 – Try LAN VPN Client Connection to BORDER1
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 339
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 340
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 341
Step 2 – Repeat Test With Valid IP Address
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 342
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 343
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 344
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 345
Step 3 – Install/Reinstall VPN Client Software
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 346
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 347
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 348
Step 4 – Try LAN VPN Client Connection to BORDER2
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 349
I did not receive the same display in the test to BORDER1 only because I had previously tested a VPN connection to that server and accepted the Authentication Data. You should always get an Authentication Data displayed the first time you connect to a BorderManager VPN server.
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 350
Important! Most people having the problem shown here should be able to simply delete any existing LPOCACHE.DAT files they find rather than go through the exercise shown next to set up a Login Policy Object.
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 351
Step 5 – Create a Login Policy Object
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 352
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 353
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 354
Step 6 – Add Rule for VPN Authentication
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 355
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 356
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 357
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 358
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 359
Step 7 – Try LAN VPN Client Connection to BORDER2 Again
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 360
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 361
Client-to-Site VPN Using Pure IP Login
Windows 2000 does not support IPX over Client-to-Site VPN.
Routing Issues
Missing Default Route on Internal Hosts and Routers
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 362
Incorrect Default Route on Internal Hosts and Routers
CAUTION Using dynamic NAT on the private IP address of a BorderManager server should be done ONLY when the server is used as a dedicated Client-to-Site VPN server.
Issues with Client-to-Site over Site-to-Site Links
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 363
The problem above has been observed on my master VPN BorderManager 3.5 and 3.6 test servers, but not on my slave BorderManager 3.0 or 3.5 test servers. The slave test servers simply do not seem to forward the packets across the Site-to-Site VPN link at all. You may see either behavior in your environment, but the problem remains that traffic does not cross the Site-to-Site VPN link.
Issue with BorderManager 3.5 and 3.6 with Client-to-Site VPN and Dynamic NAT
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 364
Service Location Issues
Making Use of SLP
Using NWHOST Instead Of (Or In Addition To) SLP
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 365
Using the HOSTS File
JOHNSON 192.168.10.250 P200 192.168.10.250 BORDER1 192.168.10.252
192.168.10.250 JOHNSON 192.168.10.250 P200 192.168.10.252 BORDER1
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 366
The Importance of Client32 Protocol Preferences
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 367
The Bottom Line
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 368
Chapter 18 - Client-to-Site VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 369
Client-to-Site VPN Over NAT
As of this writing, the BorderManager server itself must not be behind a NAT connection. Its public IP address must be a registered public IP address on the Internet.
Disconnecting a Client-to-Site Connection
Chapter 19 - Viewing Audit Log Data for VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 370
Chapter 19 - Viewing Audit Log Data for VPN
Using NWADMN32 To View Log Data
Chapter 19 - Viewing Audit Log Data for VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 371
Chapter 19 - Viewing Audit Log Data for VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 372
Chapter 19 - Viewing Audit Log Data for VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 373
Chapter 19 - Viewing Audit Log Data for VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 374
Chapter 19 - Viewing Audit Log Data for VPN May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 375
An Alternative To Using NWADMN32
VPTUNNEL Debug Options
VPNINF/VPMASTER/VPSLAVE Debug Options
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 376
Chapter 20 - Access Rules Concept
The Default Rule
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 377
Rule Inheritance
Proxy Authentication and NDS-based Rules
NDS-based rules are simply skipped if the user is not proxy authenticated! And not all proxies can make use of proxy authentication.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 378
Enforce Rules
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 379
Time Restrictions
Unfortunately, Time Restrictions do not honor daylight savings time.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 380
Setting Up Access Rules
Caution: It is not recommended to apply rules to containers unless you thoroughly understand the ramifications of the rules inheritance, timing and NDS design issues involved.
Putting the least frequently used rules below more frequently used rules will enhance performance, though you may not notice any real difference.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 381
Explanation of the Effective Rules
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 382
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 383
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 384
Checking Effective Rules
I have adjusted the column borders in the examples shown so that the columns in view can be more easily seen. You can drag the rule divider columns as you like to see the complete column.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 385
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 386
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 387
It may be worthwhile to set up a separate CyberPatrol Deny rule for each CyberPatrol category in order to be able to tell users which category was denied to them, by tracking an Access Control Log entry to the access rule number.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 388
If you are using inherited rules, adding another rule to the very end of the rules list can only be done by adding the rule as high or higher in the NDS tree as the inherited rules.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 389
Rules Applied On BORDER1
Allow All users to Access Selected URL’s
You can go to the http://www.cyberpatrol.com web site to see if a particular URL has been placed on the CyberNOT list. You can also email CyberPatrol, using a link on their web site, to request that a URL be added or removed from the CyberNOT list.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 390
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 391
Allow the Admin User to Access a Reverse Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 392
Allow Selected Users Access to Any URL
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 393
If CLNTRUST is not running or SSL login has not been achieved, this rule will be ignored and access to a URL will be granted or denied based on other access rules farther down the rules list.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 394
Allow Access To Reverse Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 395
Track Usage for a Particular Web Site
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 396
Allow HTTPS/SSL Through Reverse Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 397
Block Selected Downloads
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 398
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 399
Deny Access to CyberNOT List URL’s
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 400
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 401
Allow Browsing to FTP Sites Through the HTTP Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 402
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 403
Track Specific Users with an Allow URL Rule
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 404
See Novell TID 2938132, “Managing the proxy cache log files” for a method of controlling the size of the log files. Or see Novell TID 10013835, “How to Manage the BorderManager Proxy Cache”, which is basically the same TID.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 405
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 406
Allow a Group of Users to Any URL
•
•
If Proxy Authentication is NOT enabled, this rule will be skipped over! None of the member of the InternetUsers.tuc.dd group will be able to browse any URL, except for www.yahoo.com.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 407
Allow Admin User to FTP Accelerator (FTP Reverse Proxy)
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 408
Deny All Users Access To FTP Reverse Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 409
Allowing Use of the FTP Proxy
FTP Proxy applies only to FTP clients. Browsing to FTP sites through the HTTP Proxy can be done using a browser if access rules have been set up to allow Any URL. If Access Rules are instead set up to allow ports 80 and 443, then FTP browsing should be blocked, but browsing to non-standard linked references will also be blocked.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 410
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 411
Allow External Access to Web Manager
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 412
Deny VPN Client Access to the BORDER1 Server
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 413
Allow VPN Client Access to the BORDER1 Server
You should realize that this rule only controls access to the VPN connection itself, not to internal resources once the VPN connection is established. You cannot allow a user to connect to the VPN, and then deny that user access to certain servers by using BorderManager Access Rules. Once the user is authenticated to the VPN, his/her PC becomes a remote node on the network, as if it were physically plugged into the local LAN.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 414
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 415
Allow Access to RealAudio Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 416
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 417
Allow Access To Generic UDP Proxy for Port 37 (RDATE)
RDATE.NLM is available for free from http://www.murkworks.com.
One syntax for using RDATE on an internal NetWare server might be: LOAD RDATE /u /p 60 /v 2 /m 999999999 192.168.10.254
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 418
Inbound pcANYWHERE Access Rules Using Generic Proxies
This example will only allow a single internal host to be set up for access from the Internet. If additional internal hosts are desired to be accessed from the Internet, static NAT using packet filter exceptions and secondary public IP addresses would be one comparatively easy way to accomplish the task. Using multiple generic proxies with secondary IP addresses can quickly get very complicated because of issue of needing to have a unique IP address/port number combination on the private interface.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 419
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 420
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 421
Access Rules Allowing The News Proxy
Allowing Use of the News (NNTP) Proxy for Reading
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 422
Allowing Use of the News (NNTP) Proxy for Posting.
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 423
Allow Outbound SMTP Through the Mail Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 424
Allow Inbound SMTP Mail Through the Mail Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 425
Deny All SMTP Mail Through the Mail Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 426
Allow Inbound POP3 Through the Mail Proxy
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 427
Deny All Ports for Troubleshooting Purposes
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 428
Deny All URLs For Troubleshooting Purposes
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 429
Example - Setting an Allow All URL Rule
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 430
Example - Adding a CyberPatrol CyberNOT List Deny Rule
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 431
CyberNOT List Selection
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 432
CyberNOT List Definitions in Use
•
•
•
•
•
•
•
•
•
•
•
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 433
•
•
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 434
The Refresh Server Button
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 435
Those Additional Rules Fields
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 436
Backing up Access Rules
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 437
Chapter 20 - Access Rules May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 438
Chapter 21 - Installing CyberPatrol May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 439
Chapter 21 - Installing CyberPatrol
Chapter 21 - Installing CyberPatrol May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 440
Registering CyberPatrol
For BorderManager 3.0 and 3.5, a newer version of cpfilter.nlm than that included on the installation CD is available from the Minimum Patch List at http://support.novell.com. You should install the newer version before configuring CyberPatrol for the first time to avoid duplication of effort.
Chapter 21 - Installing CyberPatrol May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 441
The CyberPatrol REGISTER.EXE Program
Chapter 21 - Installing CyberPatrol May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 442
Chapter 21 - Installing CyberPatrol May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 443
Downloading a new CyberNOT list on demand
Chapter 22 - Custom Error Pages May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 444
Chapter 22 - Custom Error Pages Concept
One Example
"403 Forbidden - You have attempted to access an unauthorized site. All such attempts are logged, and the logs are made available for managerial review. You could be subject to dismissal. Contact the systems administrator at 555-1234 and offer him/her a hefty bribe to tell management that you were testing CyberPatrol for him."
Chapter 22 - Custom Error Pages May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 445
Chapter 22 - Custom Error Pages May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 446
<!doctype html public "-//w3c//dtd html 4.0 transitional//en"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"> <meta name="GENERATOR" content="Mozilla/4.72 [en] (Win98; U) [Netscape]"> <title>BorderManager Information Alert</title> </head> <body bgcolor="#FFFFFF"> <table BORDER=0 CELLSPACING=4 CELLPADDING=8 frame > <tr height="30"> <td WIDTH="444" HEIGHT="30"><img SRC="<PROXY_ADDRESS>/data/bmtext.gif" height=40 width=445></td> </tr> <tr height="30"> <td WIDTH="444" HEIGHT="30" BGCOLOR="#FFFFFF"> <center><font face="Tahoma"><font color="#000000"><font size=+1>An error has occurred with your request </font></font></font></center> </td> </tr> <tr> <td WIDTH="444"><img SRC="<PROXY_ADDRESS>/data/<ERROR_STATUS>.gif" width=444></td> </tr> <tr height="30"> <td WIDTH="444" HEIGHT="30" BGCOLOR="#FFFFFF"><font face="Tahoma"><font color="#000000"><font size=+1>Description: </font></font></font><ERROR_DESCRIPTION></td> </tr> <tr> <td WIDTH="444">Contact the systems administrator at 555-1234 for additional explanations for the error message. The most common errors seen are: <p><b>403 Forbidden</b> - The user tried to access a site that is blocked by an access rule. X-rated sites are often blocked. <br><b>502 Bad Gateway</b> - This is a communications issue and generally means that an invalid URL was entered in the browser (mistyped the address). Can also result from DNS problems. <br><b>504 Gateway Time-out</b> - This is a communications issue and generally means that a valid URL was entered, but a DNS server is not available or the web server is down.. <p><img SRC="<PROXY_ADDRESS>/data/alertbar.gif" height=8 width=445></td> </tr> </table> </body>
</html>
Chapter 22 - Custom Error Pages May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 447
The source address for the GIF files is denoted as <PROXY_ADDRESS>/data/bmtext.gif (or whatever the filename happens to be). Some editors may cut off the directory part of the file name (leaving just bmtext.gif for instance), and that will not work. Also, in my sample PXYERR.HTM, I use a width of 444 pixels for <ERROR STATUS>.gif. Be careful not to make your GIF files too large or too small! (By the way, I used Paint to create the 403 forbidden.GIF file, though I used Viewprint to crop it down as it was too large initially.)
[MiniWeb Server] Port-Number=1959 Root-Directory=SYS:\ETC\PROXY\DATA
Chapter 23 - Using Dynamic NAT May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 448
Chapter 23 - Using Dynamic NAT
Some packet filter exceptions are also shown in the section on configuring reverse proxy acceleration on a secondary IP address.
Concept
Chapter 23 - Using Dynamic NAT May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 449
•
•
•
•
•
This is NOT intended to be a full explanation of working with packet filter exceptions, or to provide numerous examples. To thoroughly understand how packet filter exceptions work, and for many more examples, you should look in the book “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html/sysops.html.
SET NAT DYNAMIC MODE TO PASS THRU=ON
Chapter 23 - Using Dynamic NAT May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 450
Outbound DNS
This is one example of using packet filter exceptions to allow selected traffic to bypass the BorderManager proxies and route to the Internet. Dynamic NAT is often (usually) required for the example shown to work. The exception (not using dynamic NAT) would be if the internal LAN is using properly registered public IP addresses. This example was taken from “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html/sysops.html. Much more explanation and many more examples are contained in that book.
DNS from Internal PC’s to an ISP’s DNS Servers
Chapter 23 - Using Dynamic NAT May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 451
Figure 1 - FILTCFG - DNS Filter Exception for UDP Port 53
Chapter 23 - Using Dynamic NAT May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 452
Figure 2 - FILTCFG - DNS Filter Exception for TCP port 53
Chapter 23 - Using Dynamic NAT May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 453
Outbound NNTP
This is one example of using packet filter exceptions to allow selected traffic to bypass the BorderManager proxies and route to the Internet. Dynamic NAT is often (usually) required for the example shown to work. The exception (not using dynamic NAT) would be if the internal LAN is using properly registered public IP addresses. This example was taken from my book “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html/sysops.html. Much more explanation and many more examples are contained in that book.
Chapter 23 - Using Dynamic NAT May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 454
Chapter 24 - Using Static Nat May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 455
Chapter 24 - Using Static Nat Concept
That's right - I said the packet filter exceptions for static NAT use the internal IP address of the host, not the IP address assigned on the BorderManager server!
Chapter 24 - Using Static Nat May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 456
Static NAT To Internal SMTP Mail Server
This is one example of using packet filter exceptions to allow selected traffic to bypass the BorderManager proxies and route to the Internet. Dynamic NAT is often (usually) required for the example shown to work. The exception (not using dynamic NAT) would be if the internal LAN is using properly registered public IP addresses. This example was taken from my book “Novell BorderManager: A Beginner’s Guide to Configuring Filter Exceptions”, by Craig Johnson, available at http://www.caledonia.net/sysops.html. Much more explanation and many more examples are contained in that book.
Chapter 24 - Using Static Nat May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 457
Here is where you might want to add your ISP's mail server IP address as a Source IP address.
Chapter 24 - Using Static Nat May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 458
Chapter 24 - Using Static Nat May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 459
Chapter 24 - Using Static Nat May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 460
Chapter 25 -BorderManager Alerts May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 461
Chapter 25 -BorderManager Alerts Concept
Configuring Alerts
Chapter 25 -BorderManager Alerts May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 462
BorderManager 3.0
Chapter 25 -BorderManager Alerts May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 463
BorderManager 3.5 and 3.6
Chapter 25 -BorderManager Alerts May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 464
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 465
Chapter 26 - Logging Controlling the Size of the Indexed and Access Control Logs
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 466
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 467
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 468
Viewing Common Log Files
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 469
Configuring "WebTrends for Firewalls and VPN’s" For Novell BorderManager
WebTrends Configuration
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 470
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 471
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 472
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 473
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 474
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 475
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 476
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 477
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 478
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 479
•
•
•
•
•
•
This information is from an as yet unpublished article by Marcus Williamson, 'Understanding BorderManager Logging' Marcus Williamson Connectotel Ltd http://www.connectotel.com/
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 480
Viewing Extended Logs
Viewing Indexed Logs
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 481
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 482
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 483
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 484
•
•
•
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 485
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 486
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 487
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 488
Viewing Real-Time Proxy Cache Data
BorderManager 3.x only shows you 100 sites on this screen.
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 489
Viewing Access Control Logs
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 490
If you are NOT using Proxy Authentication, you will NOT see the user ID’s as shown in the example. You will instead see the IP addresses of the host PC’s used when browsing. If browsing was done via a Citrix server, the same IP address (or user ID) would probably be shown in the log files as all Citrix users will have the same IP address.
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 491
You will only see the URL’s accessed when using HTTP Proxy. If you are using Transparent Proxy, only the IP addresses of the hosts will be shown.
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 492
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 493
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 494
Usage Trends
•
•
•
•
•
•
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 495
Exporting the Access Control Log to Excel
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 496
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 497
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 498
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 499
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 500
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 501
Viewing VPN Activity
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 502
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 503
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 504
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 505
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 506
Chapter 26 - Logging May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 507
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 508
Chapter 27 - BorderManager Console Screens
IP Gateway / SOCKS
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 509
Proxy Console
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 510
Option 1 - FastCache Current Activity screen
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 511
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 512
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 513
Option 2 – Display Memory Usage
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 514
Option 3 – Display ICP Statistics
The screen shown here, and the ones that follow were not all taken from the same server or at the same time. Some screen examples will clearly contradict others.
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 515
Option 4 – Display DNS Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 516
Option 5 – Display Cache Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 517
Option 6 – Display Not Cached Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 518
Option 7 – Display HTTP Server Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 519
Option 8 – Display HTTP Client Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 520
Option 9 – Display Connection Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 521
Option 10 – Display FTP Client Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 522
Option 11 – Display GOPHER Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 523
Option 12 – Display DNS Cache Entry Information
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 524
Option 13 – Show hosts sorted by most DNS lookup requests
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 525
Option 14 – Show Origin Hosts Sorted by Amount of Data Transmitted by the Cache
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 526
Option 15 – Show Origin Hosts Sorted by the Amount of Data sent TO the Cache
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 527
Option 16 – Show Proxies and Origin Hosts Sorted By Most Data Directly Received
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 528
Option 17 – Display Configured Addresses and Services
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 529
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 530
Option 18 – Display SOCKS Client Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 531
Option 19 – Application Proxies
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 532
Mail Proxy Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 533
Real Audio Proxy Statistics
Chapter 27 - BorderManager Console Screens May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 534
Option 20 – Transparent Proxy Statistics
This option has always had a bug in that incorrect statistics were shown for Transparent Proxy, including negative values for some parameters.
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 535
Chapter 28 - Proxy Cache Configuration Console
Download the file BM3PCFG.EXE file from http://support.novell.com to see Novell’s explanation of many of the proxycfg screens. The explanations are quite good.
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 536
Option 1 – Display Object Cache Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 537
Option 2 – Display DNS/Miscellaneous Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 538
Option 3 – Display TCP Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 539
Option 4 – Display ICP Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 540
Option 5 – Display FTP/GOPHER Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 541
Option 6 – Display HTTP Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 542
Option 7 – Display Authentication Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 543
Option 8 – Display Generic TCP/UDP Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 544
Option 9 – Display RealAudio Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 545
Option 10 – Display SMTP Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 546
Option 11 – Display POP3 Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 547
Option 12 – Display NNTP Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 548
Option 13 – Display SOCKS Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 549
Option 14 – Display THTTP Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 550
Option 15 – Display Site Download Configuration
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 551
Option 16 – Display TTELNET Configuration
This console screen is seen only on BorderManager 3.5 or 3.6 servers.
Chapter 28 - Proxy Cache Configuration Console May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 552
Option 17 – Display RTSP Configuration
This console screen is seen only on BorderManager 3.5 or 3.6 servers.
Chapter 29 – Troubleshooting BorderManager May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 553
Chapter 29 – Troubleshooting BorderManager
Simplify the Configuration
Start at the Server
Chapter 29 – Troubleshooting BorderManager May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 554
Isolate the Problem
Look at the IP Packets at the Server
Is it a Filtering Problem?
Is it a NAT or a Routing Problem?
Chapter 29 – Troubleshooting BorderManager May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 555
•
•
•
•
•
Is it an Access Rule Problem?
Chapter 29 – Troubleshooting BorderManager May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 556
How To Search the Novell KnowledgeBase
HTTP Proxy Issues
Chapter 29 – Troubleshooting BorderManager May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 557
Transparent Proxy Issues
•
•
•
•
•
•
Mail Proxy Issues
DNS Proxy Issues
Chapter 29 – Troubleshooting BorderManager May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 558
IP Gateway Issues
Site-to-Site VPN Issues
Client-to-Site Issues
Chapter 29 – Troubleshooting BorderManager May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 559
Miscellaneous Issues
Dial-Up Connection Keeps Coming Up
Chapter 30 - Performance Tuning May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 560
Chapter 30 - Performance Tuning
General Recommendations • Get the latest patches and drivers. • Get the latest DISK and LAN drivers from your hardware vendor. • ALWAYS read the readme file for new patches before applying them. • Keep Cache Volumes Separate • Have Multiple Cache Volumes (best to have them on separate physical
drives). • Turn Compression Off • Turn Suballocation Off • 8k Block Size
I recommend 16K block size instead of 8K block size. I find it to be more efficient for RAM usage, and disk space is generally cheap these days.
• Use DOS Name Space only on cache volumes • If using NSS volumes for caching, LOAD NSS /cachebalance=65
I recommend legacy volumes for caching as I have been told (by someone at Novell who knows!) that NSS volumes are about 30% slower than legacy volumes for caching.
Chapter 30 - Performance Tuning May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 561
• Load NETDB.NLM /N directly after INITSYS.NCF • Clean out unnecessary entries from the SYS:\ETC\HOSTS file • Clean out unnecessary entries in the SYS:\ETC\RESOLV.CFG file • Delete the SYS:\ETC\PROXY\PXYHOSTS file if you suspect DNS cache
problems.
I also recommend you flag the PROXY directory for immediate purge of deleted files so that you do not build up endless copy of deleted PXYHOSTS files. A new PXYHOST file is saved every 10 minutes.
Use the Following Server Set Parameters
Maximum Physical Receive Packet Size = 1514
WARNING! With many modern LAN drivers, particularly with NetWare 5.x, you should use a Maximum Physical Receive Packet Size of no less than 2048 because the LAN drivers require additional overhead! Going too small on this parameter can cause tremendous communications problems. I prefer to waste some memory and leave the value at the default of 4224.
• Maximum Packet Receive Buffers = 10000 • Minimum Packet Receive Buffers = 5000 • New Packet Receive Buffer Wait Time = 0.1 sec • Maximum Interrupt Events = 50 • Garbage Collection Interval = 5 • Read Ahead Enabled = on • Maximum Concurrent Disk Cache Writes = 750 • Dirty Disk Cache Delay Time = 0.1 sec • Dirty Directory Cache Delay Time = 0.1 sec • Maximum Concurrent Directory Cache Writes = 125 • Directory Cache Allocation Wait Time = 0.1 sec • Directory Cache Buffer NonReferenced delay = 30 min • Minimum Directory Cache Buffers = 1000 • Maximum Directory Cache Buffers = 4000 • Maximum Number of Internal Directory Handles = 500 • Immediate Purge of Deleted Files = on • Enable File Compression = off • Maximum File Locks = 100000
Chapter 30 - Performance Tuning May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 562
The Maximum File Locks parameter must be set higher than the maximum hot nodes setting in the BorderManager setup in NWADMN32 or the hot nodes setting will not take effect. The maximum hot nodes usable will be about 2/3rds of this value.
• Enable Hardware Write Back = on • Enable Disk Read After Write Verify = off • Worker Thread Execute In A Row Count = 15 • Pseudo Preemption Count = 200 • Minimum Service Processes = 500 • Maximum Service Processes = 1000 • New Service Process Wait Time = 0.3 sec
Use The Following NetWare Administrator (NWADMN32) Settings
Your server may require customization from these parameters for bets results.
• Maximum Hot Unreferenced Time = 30 • Cache Hash Table Size = 256 • Maximum Number of Hot Nodes = 50000
Remember that this parameter requires you to set the Maximum File Locks setting higher (suggested value is 100,000 locks).
• Number of Directories = 128
You should enter a value or 128 times the number of cache volumes configured as the value entered will be divided across all the cache volumes.
Watch Your Memory - Memory Considerations
• Eliminate any NLM’s that you don't need. • Watch the LRU Sitting Time in Monitor – keep it above 15 minutes. • Use efficient buffer sizes • Use DOS name space only on the cache volume(s)
Chapter 30 - Performance Tuning May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 563
You cannot remove name spaces from an NSS volume, so don’t waste time trying. NetWare 5 automatically creates legacy volumes with LONG name space added, and you have to use VREPAIR to then remove the LONG name space.
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 564
Chapter 31 - Odds & Ends Documenting Your Server
Run CONFIG.NLM
You must use the LOAD command syntax on NetWare 5.x servers because you will otherwise run the internal CONFIG command and not the NLM. Alternative: Type CONFIG.NLM instead of CONFIG.
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 565
Caution! The output from CONFIG.NLM includes the serial number of the server, and can show the RCONSOLE password in the NETINFO.CFG data. If you plan on posting the config.txt file (in the Novell Support Connection public forums for troubleshooting perhaps), be sure to edit out this information first!
Comment Your Filter Exceptions
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 566
Screenshot your VPNCFG Screens
Screenshot your INETCFG Settings
Screenshot your NWADMN32 Screens
Back Up Your Access Rules
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 567
Miscellaneous Hints
I have not personally verified the accuracy of all of this information
PPTP to BorderManager 3.5
Converting Internet Explorer to Proxy Settings
VPN & Modems Tip
#regedit -s f:\public\proxy.reg
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 568
VPN Client with LAN Connection
•
•
VPN with Client 4.7x for NT
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 569
Citrix Setting for NAT
Remote Install of BorderManager 3.5 or 3.6 By Redirecting GUI
HOSTS File Tip
altaddr /set xxx.xxx.xxx.xxx
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 570
Load Balancing Internal Web Servers
I wonder how useful this actually is, since the static cache content still comes only from the one BorderManager server.
SSL Logout Page Location
St. Bernard Software – Don’t Use On BorderManager
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 571
Serving up the PROXY.PAC File from BorderManager
More PROXY.PAC File Help
function FindProxyForURL(url, host) { // Direct connections to local domain if (isPlainHostName(host) || dnsDomainIs(host, ".internal1.com") || dnsDomainIs(host, ".internal2.com") || dnsDomainIs(host, ".somewhereelse.co.uk") || dnsDomainIs(host, ".playdomain.uk") || dnsDomainIs(host, "127.0.0.1") || dnsDomainIs(host, "10.") || dnsDomainIs(host, ".nothere.int")) return "DIRECT"; // Otherwise use proxy else return "PROXY 10.119.208.11:8080; " + "PROXY 10.119.208.10:8080"; }
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 572
BorderManager and NetWare Cluster Services
If you don’t mind losing your build up of cache and storing the HTTP logs of both servers independently, then it isn’t necessary to configure the BorderManager resource to use a shared storage subsystem. The benefits of this include; faster cache performance (NSS volumes are about 30% slower than Netware Partitions), and a large savings in money. Saving the HTTP logs on each server’s separate volumes is not an issue as log analysis programs like WebTrends can easily coalesce the logs into one report for you.
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 573
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 574
The 255.255.255.254 subnet mask discussed above is not an error – it works for the filtering module to limit the filter exception to two valid addresses. Using that subnet mask would not work for IP address assignment, but it works fine for restricting filter exception addresses.
Source Interface : Public Destination Interface: Public Packet Type: ANY (IP) Source Addr Type: Host Src IP Address: 4.1.1.2 Dest Addr Type: Any Address
Source Interface : Public Destination Interface: Public Packet Type: ANY (IP) Source Addr Type: Network Src IP Address: 4.1.1.2/255.255.255.254 Dest Addr Type: Any Address
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 575
Common Log File Format
Field Example IP Address 10.1.1.2
Authenticated User Name .admin.acme
Date 03/Aug/1999
Time 12:07:41
Timezone +0000
HTTP Request GET
URL http://support.novell.com/images/support_nav_bar.gif HTTP Version HTTP/1.0
Completion Code 200
File Size 3264
IP Address
Authenticated User Name
Date
Time
Timezone
HTTP Request
HTTP Request Meaning GET Read a page or entity within a page HEAD Obtain the header information for a page POST Submit the results of a form
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 576
URL
Status Code
HTTP Status Code Meaning 200 OK 201 Created 202 Accepted 301 Moved Permanently 302 Moved Temporarily 304 Not Modified 400 Bad Request 401 Unauthorized 403 Forbidden 404 Not Found 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable
HTTP Status Code Meaning 100 Continue 101 Switching Protocols 200 OK 201 Created 202 Accepted 203 Non-Authoritative Information 204 No Content 205 Reset Content 206 Partial Content 300 Multiple Choices 301 Moved Permanently 302 Found 303 See Other 304 Not Modified 305 Use Proxy 306 Unused 307 Temporary Redirect 400 Bad Request
Chapter 31 - Odds & Ends May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 577
401 Unauthorized 402 Payment Required 403 Forbidden 404 Not Found 405 Method Not Allowed 406 Not Acceptable 407 Proxy Authentication Required 408 Request Timeout 409 Conflict 410 Gone 411 Length Required 412 Precondition Failed 413 Request Entity Too Long 414 Request-URI Too Long 415 Unsupported Media Type 416 Requested Range Not Satisfiable 417 Expectation Failed 500 Internal Server Error 501 Not Implemented 502 Bad Gateway 503 Service Unavailable 504 Gateway Timeout 505 HTTP Version Not Supported
Errata & Revisions May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 578
Errata & Revisions
Beta 2.0
Beta 3.0
First Edition
Errata & Revisions May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 579
Index May 18, 2001
Index 128-bit....................................103, 104, 115, 122, 326 40-bit......................................103, 104, 115, 116, 122 56-bit......................................................103, 104, 326 ABEND .........................................................220, 557 acceleration ................................21, 97, 135, 249, 411 Acceleration20, 21, 133, 249, 250, 257, 258, 394, 407 Access Control Log387, 399, 403, 427, 428, 465, 467,
489, 490, 493, 494, 495 access rule...18, 21, 30, 35, 40, 45, 50, 58, 72, 74, 93,
102, 107, 125, 138, 180, 181, 182, 183, 196, 197, 198, 200, 205, 207, 208, 209, 210, 211, 212, 213, 214, 216, 218, 221, 222, 228, 229, 232, 238, 240, 241, 242, 246, 247, 252, 256, 257, 260, 261, 266, 267, 268, 272, 273, 275, 328, 329, 335, 337, 377, 378, 379, 381, 385, 386, 387, 388, 389, 390, 391, 392, 393, 396, 397, 401, 402, 405, 406, 409, 421, 422, 424, 425, 426, 434, 436, 465, 509, 511, 531, 533, 553, 555, 564, 578
Access Rule ..19, 20, 21, 22, 44, 45, 94, 99, 102, 123, 133, 171, 180, 185, 186, 190, 193, 205, 208, 209, 210, 217, 218, 228, 232, 237, 238, 241, 247, 256, 257, 260, 261, 267, 268, 272, 273, 328, 329, 334, 354, 376, 378, 380, 395, 409, 413, 418, 421, 429, 434, 435, 436, 439, 490, 555, 557, 566
ACLCHECK........................................21, 82, 83, 434 alert ................................................461, 462, 463, 464 Alert .......................................................461, 463, 464 Audit Log...............................................370, 483, 504 authentication....17, 45, 84, 85, 90, 99, 101, 102, 103,
105, 106, 107, 108, 123, 125, 128, 139, 165, 180, 183, 185, 186, 193, 195, 249, 252, 261, 267, 268, 272, 273, 277, 302, 304, 340, 349, 350, 352, 353, 354, 355, 358, 359, 377, 403, 508, 542
Authentication.....19, 21, 99, 100, 101, 102, 107, 108, 115, 122, 123, 127, 128, 163, 180, 181, 182, 183, 185, 186, 188, 189, 193, 195, 266, 267, 273, 275, 340, 349, 350, 354, 542
BLACK-ICE ..................................................244, 245 BMAS......................................................................19 BORDER1 41, 42, 43, 81, 92, 95, 96, 97, 98, 99, 129,
134, 166, 169, 187, 190, 244, 245, 301, 320, 337, 338, 340, 344, 349, 370, 380, 381, 387, 388, 389, 412, 413, 414, 417, 440, 461, 468
BORDER2 ....41, 42, 43, 92, 311, 314, 315, 317, 320, 337, 348, 351, 359, 360
BRDSRV .............................................62, 82, 83, 439 Btrieve .............................56, 149, 150, 404, 465, 480 bug 26, 59, 60, 61, 104, 115, 153, 395, 510, 511, 534,
556, 568, 569 cache .....18, 21, 42, 44, 47, 56, 63, 74, 129, 130, 133,
135, 136, 137, 142, 144, 145, 150, 152, 154, 155, 156, 157, 158, 159, 160, 165, 166, 168, 169, 170,
172, 174, 249, 260, 404, 484, 509, 510, 511, 512, 514, 516, 517, 523, 525, 526, 527, 536, 541, 556, 560, 561, 562, 570, 572
Cache56, 143, 144, 145, 151, 152, 154, 159, 165, 166, 168, 169, 170, 404, 470, 482, 483, 484, 488, 511, 516, 523, 525, 526, 535, 536, 560, 561, 562
Cache Aging.......................................................... 151 cache control ......................................................... 152 Cache Hash Table ......................................... 152, 562 cache hierarchy42, 145, 165, 166, 168, 169, 170, 514,
527 cache location.......................................... 63, 154, 155 CERN. 20, 42, 43, 144, 165, 166, 167, 168, 169, 170,
442, 514, 525, 526, 527, 539 Citrix ..................................................... 128, 490, 569 Client-to-Site 18, 40, 43, 44, 66, 71, 76, 83, 278, 279,
280, 282, 301, 323, 324, 325, 327, 329, 330, 332, 334, 335, 336, 337, 340, 346, 348, 358, 359, 361, 362, 363, 364, 367, 369, 370, 412, 413, 414, 558, 568, 578, 579
CLNTRUST... 99, 101, 102, 103, 105, 106, 107, 108, 123, 127, 128, 185, 219, 264, 267, 268, 342, 393
common log.. 146, 147, 148, 268, 404, 468, 469, 472, 477, 478
Common log.................. 146, 147, 266, 275, 395, 468 config.txt ....................................................... 565, 566 CP_SETUP.EXE........................................... 439, 440 CPFILTER .............. 83, 433, 439, 440, 441, 442, 443 CSAUDIT ............................................... 57, 150, 465 CSLIB ............................................. 56, 149, 404, 465 custom error page............................ 63, 444, 446, 447 CyberNOT.... 379, 387, 389, 390, 399, 430, 431, 432,
433, 439, 440, 443, 490, 492 CyberPatrol .... 83, 379, 380, 387, 389, 390, 399, 404,
406, 429, 430, 431, 432, 433, 439, 440, 441, 442, 444, 490, 491
CyberYES ..................................................... 439, 440 Debug.................................................................... 375 default gateway .... 24, 30, 32, 34, 326, 361, 362, 363,
555, 573 default route 24, 25, 32, 34, 42, 43, 44, 45, 50, 51, 52,
54, 70, 73, 74, 77, 172, 361, 362, 555 Default route ........................................................... 74 default rule ...... 45, 123, 212, 376, 380, 386, 406, 428 digest .... 292, 302, 304, 305, 306, 314, 318, 327, 328,
349 DNS 18, 20, 21, 22, 25, 26, 27, 29, 30, 42, 50, 51, 52,
55, 74, 77, 129, 130, 133, 134, 135, 136, 137, 159, 169, 171, 172, 181, 182, 187, 190, 193, 200, 207, 214, 220, 221, 228, 231, 232, 242, 245, 246, 366, 380, 427, 450, 451, 452, 456, 462, 510, 515, 523, 524, 537, 553, 556, 557, 561, 571
Index May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 581
DNS Proxy...18, 20, 27, 130, 135, 136, 220, 221, 557 do not cache ...........................................................157 dynamic NAT .19, 23, 24, 29, 45, 184, 220, 340, 362,
363, 367, 376, 418, 448, 449, 450, 453, 456, 555, 559
Dynamic NAT ....20, 30, 50, 135, 184, 230, 253, 363, 448, 449, 450, 453, 456, 573
Effective Rules.......123, 376, 380, 381, 383, 384, 386 Enforce Rules.........................................133, 378, 555 Enhancement Pack.............................................79, 80 error page.......................................................256, 444 Ethernet............................................................47, 336 extended log...........................................................147 Extended Logging..................................................148 FILTCFG .......21, 76, 88, 89, 197, 200, 225, 253, 565 filter exception ..19, 27, 29, 30, 33, 36, 37, 38, 45, 52,
70, 72, 74, 76, 78, 87, 89, 90, 91, 106, 135, 136, 175, 184, 197, 198, 200, 201, 205, 206, 207, 214, 220, 222, 225, 226, 227, 230, 240, 242, 249, 253, 256, 257, 369, 376, 396, 418, 420, 422, 448, 449, 450, 451, 452, 453, 454, 455, 456, 457, 458, 459, 460, 529, 554, 557, 564, 565, 566, 573, 574
Filtering .......17, 19, 87, 227, 253, 340, 418, 449, 554 filters.....21, 22, 27, 36, 37, 45, 50, 76, 78, 87, 88, 91,
106, 133, 138, 206, 253, 283, 293, 294, 363, 369, 461, 554, 555, 565
FTP .18, 20, 21, 32, 33, 34, 37, 40, 42, 44, 45, 60, 99, 102, 107, 138, 139, 149, 152, 154, 163, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 195, 196, 257, 258, 259, 260, 336, 377, 401, 407, 408, 409, 410, 455, 521, 540, 578
FTP Acceleration ...........................257, 258, 260, 407 FTP Proxy18, 20, 34, 45, 99, 102, 139, 149, 163, 184,
185, 186, 187, 188, 189, 190, 191, 192, 193, 195, 196, 260, 377, 407, 409, 410, 578
Generic Proxy ................................228, 236, 238, 543 Generic TCP Proxy222, 223, 224, 228, 230, 234, 235,
240, 247, 411 Generic UDP Proxy ......240, 242, 243, 244, 245, 246,
247, 417 GroupWise.................................13, 79, 197, 200, 204 GWIA ............................................................197, 204 hierarchy ........143, 145, 165, 166, 168, 514, 525, 539 HOSTS26, 72, 77, 134, 135, 136, 169, 187, 190, 251,
365, 366, 367, 368, 561, 569, 579 hot nodes........................................................152, 562 HTTP Proxy....20, 29, 34, 35, 45, 56, 63, 73, 97, 107,
123, 130, 132, 133, 134, 135, 136, 138, 139, 141, 142, 144, 151, 153, 155, 163, 165, 166, 169, 170, 171, 172, 173, 174, 175, 176, 219, 220, 256, 268, 271, 377, 391, 397, 401, 404, 406, 409, 427, 442, 491, 515, 516, 517, 518, 519, 520, 521, 522, 523, 530, 536, 537, 541, 556, 557, 567
HTTPS......35, 90, 128, 133, 139, 157, 171, 175, 228, 249, 251, 253, 254, 396, 557
ICMP ...............................................................45, 361 ICP...................20, 165, 166, 167, 168, 514, 527, 539 indexed log.............................................................149 Indexed Logging ............................................149, 484
INETCFG... 22, 24, 27, 28, 30, 50, 51, 52, 55, 73, 76, 77, 135, 136, 184, 253, 262, 283, 303, 340, 448, 449, 555, 566, 573
Internet Explorer .. 127, 140, 175, 176, 219, 445, 567, 571
Internic .................................................................... 23 Java Applet Stripping............................................ 142 license ........................................... 66, 67, 68, 69, 433 LOAD PROXY –CC............................. 158, 159, 556 log .. 21, 44, 56, 63, 72, 103, 108, 127, 146, 147, 148,
149, 150, 171, 229, 334, 336, 344, 345, 359, 360, 364, 368, 369, 370, 371, 375, 377, 388, 395, 404, 427, 428, 430, 461, 465, 468, 471, 472, 474, 480, 484, 490, 493, 494, 495, 511, 557, 558, 559, 572, 577
logging 20, 44, 99, 146, 147, 148, 149, 156, 212, 215, 221, 244, 266, 275, 337, 361, 377, 388, 395, 404, 428, 461, 483, 490, 493, 558
Logging .. 57, 146, 148, 149, 171, 267, 268, 334, 395, 397, 399, 403, 413, 427, 428, 430, 465, 479, 490, 557, 577
mail25, 27, 32, 33, 42, 55, 83, 98, 197, 198, 199, 200, 201, 202, 203, 204, 205, 207, 208, 209, 211, 212, 423, 424, 425, 426, 456, 457, 458, 459, 460, 462, 532
Mail Proxy ..... 20, 32, 33, 44, 83, 197, 198, 199, 200, 201, 204, 205, 207, 208, 209, 210, 212, 423, 424, 425, 426, 529, 532, 557
Maximum Number of Hot Nodes.................. 152, 562 Microsystems ................................................ 432, 440 MLA license................................................ 44, 68, 69 NDS-based rule ....................................... 99, 102, 377 NETDB ........................................................... 82, 561 NETINFO.CFG................... 76, 77, 78, 301, 555, 565 Netscape123, 127, 138, 139, 140, 176, 219, 396, 444,
571 NetWare 4.11 . 22, 42, 47, 59, 62, 66, 68, 86, 96, 110,
262, 361, 558 NetWare 4.2 ...................................................... 59, 76 NetWare 5.0 .......................... 42, 59, 60, 85, 110, 264 NetWare 5.1 48, 57, 60, 62, 70, 77, 98, 104, 109, 110,
112, 113, 225 NetWare Connect .............................................. 19, 72 Network Address Translation...................... 18, 23, 24 NIAS ................... 17, 19, 50, 59, 60, 61, 76, 262, 279 NIASCFG ................................. 19, 76, 279, 280, 296 NICI ........................................................................ 69 NIST................................................ 82, 244, 246, 417 NLS............. 46, 62, 63, 66, 67, 68, 70, 81, 82, 83, 84 NLS Licenses .......................................................... 66 NLSFLAIM............................................................. 62 NLSLSP ............................................................ 66, 68 NNTP . 14, 20, 22, 42, 44, 55, 89, 213, 214, 223, 224,
230, 231, 232, 239, 242, 421, 422, 453, 454, 547 NTP............................................................... 244, 245 NWADMIN .................................................. 380, 461 NWHOST ..................... 364, 365, 366, 368, 558, 579 Outbound DNS...................................................... 450 PASV FTP .................................................... 139, 184
Index May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 582
patches ..22, 58, 59, 60, 61, 62, 66, 68, 70, 75, 79, 80, 81, 83, 93, 103, 128, 153, 185, 197, 198, 203, 401, 510, 534, 556, 557, 560, 568, 578
Patches ...............................................................58, 79 pcANYWHERE....224, 240, 241, 247, 248, 418, 420,
578 PING............................................45, 50, 51, 283, 553 POP3...18, 42, 98, 197, 198, 199, 200, 201, 202, 204,
205, 207, 209, 426, 546 port 110..................................................205, 206, 426 port 119..........................214, 230, 232, 422, 453, 454 port 123....................98, 226, 227, 228, 244, 245, 411 port 12345................................98, 226, 227, 228, 411 port 213....................................................................90 port 23............................................................177, 179 port 25............................................210, 457, 459, 460 port 353............................................................90, 369 port 37..............................................82, 244, 245, 417 port 443..............................35, 90, 175, 251, 255, 396 port 5631................................................240, 418, 420 port 5632........................................240, 418, 419, 420 port 80...34, 35, 90, 97, 123, 133, 141, 144, 165, 172,
174, 176, 251, 253, 255, 267, 442, 578 private ...18, 23, 24, 26, 27, 29, 30, 31, 32, 34, 36, 40,
41, 46, 47, 63, 72, 73, 74, 87, 88, 91, 96, 97, 98, 118, 123, 133, 138, 139, 172, 174, 184, 187, 190, 193, 200, 210, 214, 220, 221, 230, 231, 278, 282, 283, 284, 286, 287, 303, 362, 363, 365, 367, 417, 418, 451, 452, 453, 454, 455, 555, 559, 567, 573, 575
private interface ......29, 31, 41, 47, 73, 74, 87, 88, 91, 172, 184, 283, 363, 418, 451, 452, 453, 454
private IP address....23, 24, 27, 29, 32, 34, 63, 72, 74, 91, 96, 98, 118, 123, 138, 139, 174, 187, 190, 193, 200, 214, 220, 221, 230, 283, 284, 362, 363, 365, 367, 417, 559, 573, 575
Private IP address.....................................................96 Proxy Authentication ..21, 77, 99, 100, 101, 102, 103,
104, 105, 107, 108, 113, 115, 121, 122, 123, 124, 125, 127, 128, 133, 139, 171, 180, 219, 251, 252, 254, 376, 377, 380, 387, 393, 395, 403, 406, 490, 570, 577
PROXY Performance Tuning ................................153 PROXY.CFG.........................200, 256, 446, 556, 557 public interface .23, 29, 31, 32, 33, 34, 37, 41, 42, 45,
54, 72, 87, 88, 89, 90, 184, 225, 263, 283, 303, 340, 451, 452, 453, 454, 455
Public interface ..............................................226, 227 public IP address23, 24, 26, 27, 29, 32, 33, 34, 42, 44,
45, 50, 73, 87, 89, 90, 91, 96, 97, 98, 106, 107, 133, 197, 200, 201, 202, 205, 206, 207, 214, 224, 225, 226, 227, 240, 241, 247, 249, 253, 257, 259, 260, 283, 284, 285, 298, 303, 323, 348, 361, 363, 369, 396, 411, 418, 419, 420, 422, 448, 450, 453, 455, 456, 458, 555, 559, 569, 573
Public IP address................................................25, 97 PXYERR.HTM..............................444, 445, 446, 447 PXYHOSTS...134, 135, 137, 159, 510, 523, 556, 561 RADIUS ......................17, 19, 20, 44, 50, 62, 82, 354
RDATE ........................................... 82, 244, 246, 417 read-ahead ............................. 153, 395, 510, 511, 556 Real Audio ............................ 215, 216, 217, 218, 533 RealAudio Proxy........................... 215, 217, 415, 416 real-time ........................................ 370, 372, 374, 503 Refresh Server............................................... 380, 434 REGISTER.EXE........................... 433, 440, 441, 443 Reverse Proxy .... 20, 21, 43, 249, 250, 253, 256, 391,
394, 396, 407, 408, 455 reverse proxy acceleration.. 32, 33, 42, 135, 224, 249,
253, 394, 448 Reverse Proxy Acceleration20, 21, 249, 250, 253, 256 Rollover................................................................. 146 rule hit logging ...................................... 395, 430, 490 Rule Inheritance .................................................... 377 scheduled download ...................... 160, 161, 162, 550 secondary IP address28, 34, 46, 72, 73, 74, 75, 89, 90,
96, 97, 98, 107, 225, 231, 249, 253, 254, 255, 396, 418, 448, 455, 529, 559, 573
serial number................................................. 440, 565 SET TCP IP DEBUG...................... 51, 361, 554, 555 Single Sign On ...... 101, 102, 122, 185, 189, 266, 275 Site-to-Site . 18, 20, 39, 42, 43, 45, 66, 71, 75, 76, 81,
83, 278, 279, 280, 282, 283, 291, 295, 301, 320, 324, 325, 327, 362, 363, 370, 558, 579
SLP........................................ 337, 364, 366, 558, 579 SMTP . 18, 33, 42, 55, 83, 89, 98, 197, 198, 199, 200,
201, 202, 204, 208, 209, 210, 211, 212, 423, 424, 425, 426, 456, 457, 458, 459, 460, 461, 464, 545, 578
snapin .......................................... 84, 85, 93, 262, 375 SOCKS18, 20, 139, 163, 164, 276, 277, 508, 530, 548 SOCKS Client ................................. 20, 163, 530, 548 SOCKS Server ........................................................ 20 Software Virtual Server................................. 171, 557 SSL..... 77, 90, 99, 101, 102, 103, 104, 105, 108, 113,
115, 121, 122, 123, 124, 125, 127, 128, 139, 157, 171, 175, 228, 249, 251, 252, 253, 254, 277, 393, 396, 557, 570, 575
SSO ............... 102, 107, 261, 267, 268, 272, 273, 575 Stateful .................................................................... 27 static NAT 27, 32, 34, 36, 42, 70, 74, 78, 97, 98, 197,
253, 363, 367, 418, 455, 456, 457, 458, 459, 460, 555, 559, 573
Static NAT .. 19, 20, 33, 43, 45, 46, 98, 455, 456, 569 static route....................................................... 54, 320 statistics 106, 192, 196, 237, 238, 245, 343, 347, 488,
510, 511, 512, 514, 515, 516, 517, 518, 519, 520, 521, 522, 523, 526, 527, 530, 531, 533, 534
TID..... 56, 58, 69, 70, 82, 83, 84, 150, 152, 341, 350, 404, 444, 556, 560, 561, 567, 569
timeout .................... 63, 107, 108, 127, 130, 131, 373 transparent proxy................... 171, 172, 174, 175, 267 Transparent Proxy .. 20, 107, 133, 134, 138, 171, 172,
173, 174, 175, 178, 220, 261, 264, 272, 273, 491, 510, 534, 557
transport ................................................ 130, 323, 537 Transport ................................................. 22, 130, 131
Index May 18, 2001
A Beginner’s Guide to BorderManager 3.x - Copyright 2000, 2001, Craig S. Johnson Page 583
tuning...............................................................57, 560 unload ............55, 63, 73, 75, 153, 523, 554, 559, 573 URL Pattern ...........................................................158 Usage Trends .................................................487, 494 virtual IPX network number ..................................325 VPMASTER......................................62, 83, 301, 375 VPN over NAT ........................................44, 369, 578 VPNCFG 76, 104, 279, 280, 285, 289, 291, 292, 293,
294, 295, 296, 297, 301, 302, 303, 314, 318, 327, 566
VPSLAVE......................................... 62, 83, 301, 375 VPTUNNEL.................................................... 88, 375 VREPAIR ..................................................... 156, 563 Web Manager . 98, 224, 225, 226, 227, 228, 229, 411,
578 www.yahoo.com ................... 387, 388, 389, 390, 406 ZENworks ..... 105, 139, 175, 176, 262, 263, 272, 360