www.novell.com

Troubleshooting Novell BorderManager®

Craig Johnson, Novell SysOp, craigsj@ix.netcom.com, http://nscsysop.hypermart.net
Caterina Luppi, Novell SysOp, [email protected]
Shaun Pond, Novell Consulting, UK, [email protected]

Session Agenda

• BorderManager® components
• Troubleshooting tools and techniques
• Common problems and solutions
• Questions and answers

BorderManager Components

• BorderManager is modular
  – Proxies (forward and reverse)
  – Access control
  – Gateways (IPX/IP, IP/IP, SOCKS)
  – VPN
  – RADIUS
  – Dial services
  – Routing and filtering, including stateful filtering (3.x)

BorderManager Components

Layers of OSI model   BorderManager components
Application           Proxies, access control
Presentation          VPN
Session               Gateways (IPX/IP, IP/IP, SOCKS), VPN
Transport             VPN
Network               Packet filtering, Network Address Translation (NAT), VPN
Data link             Packet filtering, VPN
Physical              N/A

BorderManager Components

• It is critical to understand the layers that BorderManager services are built on
  – Network layer: filters and routing
    • The proxies do not work on this layer, but they depend on it to function
    • The support for the network layer is included in the NetWare® operating system
  – Application and session layers: proxies, gateways and access control
    • This layer is provided by BorderManager
  – Get routing working before worrying about proxies

BorderManager Components

• Network layer considerations
  – Default filters and exceptions provide basic network layer functionality for proxy, gateways and VPN
  – The proxies do not create the filter exceptions as needed
  – Default exceptions do not cover a secondary IP address
  – Bypassing the proxies requires extra work: filter exceptions must be added and routing must be correct

BorderManager Components

• Proxies
  – Proxies listen on certain ports on certain IP addresses
  – Some proxies listen on all IP addresses, others only on IP addresses defined as private
  – Acceleration listens on IP addresses defined as public
  – Proxies need to have filter exceptions defined in order to function
    • Most, but not all, proxy traffic is allowed with the default filter exceptions

BorderManager Components

• Proxies
  – Why doesn't a proxy need routing enabled?
    • It regenerates traffic on an interface; it does not just route traffic between interfaces
  – Why does bypassing the proxy need routing enabled?
    • If you bypass the proxies, the only method left to move packets is to route them between interfaces, so routing must be enabled and filter exceptions must be added

BorderManager Components

• Access control list (access rules)
  – Access rules control the use of the proxies, IP gateway and VPN
  – Access rules are read from top to bottom
  – Access rules can be inherited
  – Only one access rule is ever actually used
  – There is a default access rule: Deny All

BorderManager Components

• Access control list (cont.)
  – Only a few proxies use Novell Directory Services® (NDS®)-based access rules
  – HTTP proxy, FTP proxy, transparent (HTTP) proxy and transparent telnet proxy can use NDS-based access rules
  – You must enable Proxy Authentication to make use of an NDS-based access rule
  – If the client does not proxy authenticate, it cannot use NDS-based access rules, and will skip over them

BorderManager Components

• How Proxy Authentication works
  – Proxy Authentication is initiated by the BorderManager server
  – The BorderManager server asks the source IP address for NDS information
  – The source IP address responds, via CLNTRUST or SSL login (must be logged in for CLNTRUST to work)
  – The BorderManager server remembers an authenticated connection for some time

BorderManager Components

• RADIUS
  – Used to link an authentication request from a dial-up system through to an NDS account
  – Any RADIUS-compliant access system can work with BorderManager RADIUS
  – BorderManager NIAS dial-up is not RADIUS-compliant
  – May need a Login Policy Object

BorderManager Components

• The IPX/IP and IP/IP gateways
  – Necessary for clients with ONLY the IPX protocol
  – Alternative to the proxies and NAT for clients with IP
  – Simple to configure (no need to configure routing at the client) but not flexible
  – ALL traffic is directed from the workstations to the BorderManager server, including the local traffic
  – Performance slower than NAT/proxies (they work at the session layer of the model)

BorderManager Components

• The IPX/IP and IP/IP gateways (cont.)
  – Need a dedicated component of the client installed on the workstations ("IP gateway")
  – Only for Windows workstations running the NetWare Client 32™
  – The applications must be Winsock compliant (no native TCP/IP)
  – Access rules for ANY port and protocol
  – Warning: "mature product"

BorderManager Components

• Virtual Private Networks (VPN)
  – Two types of VPN
    • Site-to-site
    • Client-to-site
  – Site-to-site VPN links two LANs together with an "encrypted tunnel"
  – Client-to-site VPN allows a remote PC to make a secure connection to a LAN over the Internet

BorderManager Components

• The site-to-site VPN
  – It is mainly based on routing
  – An encrypted tunnel links two or more LANs connected to the same VPN
  – Traffic passes through the tunnel because a static route makes the tunnel the lowest-cost route
  – Traffic passing through the tunnel is encrypted and decrypted at the VPN server
  – No need for special software at the workstations (it supports all client OSs)

BorderManager Components

• The client-to-site VPN
  – It is established between a client, running special software, and a VPN server
    • Both must be connected to the Internet
  – It provides secure access to the LAN and WAN behind the VPN server
  – The user must be authorized to establish the VPN with a username and through "Access Rules"
  – The client workstation must use MS Windows (Win 9x, NT, 2000)

BorderManager Components

• Miscellaneous components
  – BorderManager stores some configuration in NDS attributes of the server object
  – BorderManager can store access rules as user, group, container or BorderManager server attributes
  – Some proxy settings are stored in SYS:\ETC\PROXY\PROXY.CFG
  – Filters are stored in SYS:ETC\FILTERS.CFG
  – Routes are stored in SYS:ETC\GATEWAYS
  – BorderManager can use up to five different NLS licenses

Troubleshooting Tools and Techniques

• What isn't working?
  – Define the scope of the problem
    • One proxy?
    • An access rule?
    • Inbound traffic?
    • NAT?
  – What changed recently?
    • Simplify, simplify, simplify
  – Start from the bottom of the OSI model
    • Is a cable plugged in?
    • Is routing, filtering or NAT involved?
    • Is a proxy or access rule involved?
  – Disable features to isolate the problem

Troubleshooting Tools and Techniques

• Techniques for isolating problems
  – Uncheck Enforce Rules
  – Disable filters: UNLOAD IPFLT.NLM
  – SET NAT DYNAMIC MODE TO PASS THRU=ON (or disable NAT Implicit Filtering in INETCFG)
  – Reboot
    • Does the problem go away?

Troubleshooting Tools and Techniques

• Techniques for isolating problems
  – Have you applied the latest patches? Do you know what the latest patches are?
    • http://support.novell.com/misc/patlst.htm
    • Novell public forums
    • http://nscsysop.hypermart.net
  – Look for error messages on the server console, especially when BorderManager first starts
  – Look for NDS issues

Troubleshooting Tools and Techniques

• Techniques for isolating problems
  – Does the internal host see the BorderManager server?
  – Is the internal host configured to use the BorderManager service?
    • HTTP proxy settings, IP gateway service, SOCKS settings
  – Is a proxy seeing the traffic?
    • See Proxy Console Statistics

Troubleshooting Tools and Techniques

• General connectivity and routing diagnostic tools
  – PING: to verify IP connectivity between two hosts
  – TRACERT/IPTRACE.NLM: to check every hop between two hosts
  – SET TCP IP DEBUG=1: to dump the TCP/IP packets on the server console (=0 turns it off)
  – SET FILTER DEBUG=ON (followed by the appropriate action): to see only certain types of packets, useful on busy servers
  – CONLOG.NLM: the console log, to capture the debug output to the SYS:ETC\CONSOLE.LOG file
  – TCPCON.NLM: to check the effective routing table of the server
  – NETMON.NLM: to capture trace data on the server
  – Third-party network analyzer

Troubleshooting Tools and Techniques

• Deciphering TCP IP DEBUG data
  – Packets not getting to the server = a routing problem
  – Packets reaching the server's public side and being ignored = NAT implicit filtering
  – Packets not going out = a missing default route
  – Packets being discarded = filters are dropping the packets
  – Packets going out the public interface with no responses coming back = NAT is needed
  – Packets going to an internal host (via static NAT or VPN) with no response = missing default gateway on the internal host

Troubleshooting Tools and Techniques

• Packet filtering
  – FILTCFG.NLM: to see what filter exceptions are in place
  – UNLOAD IPFLT: to make sure it is actually a filtering issue
  – SET TCP IP DEBUG=1: to dump the TCP/IP packets on the server console (=0 turns it off)
    • Look for the "DISCARDED" packets
  – SET FILTER DEBUG=ON (3.x only): to see selected types of IP packets

Troubleshooting Tools and Techniques

• Proxy and access rules
  – Access rule logging: see what is being denied (or allowed)
  – Back up your rules (use Clipboard Viewer) before experimenting
  – Proxy console statistics: see what the proxies are seeing
  – NWADMN32: see if licenses are being used
  – Simple notes relating when and where problems occur

Troubleshooting Tools and Techniques

• Are access rules seemingly being ignored?
  – Is Enforce Access Rules checked?
  – A rule higher in the list may be taking precedence
  – Check effective rules: you might be inheriting rules
  – An NDS rule will be ignored (skipped) if the internal PC is not proxy authenticated
  – Adding a rule with logging enabled can help find out what is being seen by the BorderManager server
  – "Authenticate only when user attempts to access a restricted page": use with care
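The points on this slide and on the earlier access control slides (rules read top to bottom, only one rule ever used, NDS-based rules skipped for clients that have not proxy authenticated, a default Deny All, and nothing checked while Enforce Rules is unchecked) are easier to reason about with a model in hand. The following Python is an added example written for this page, not BorderManager code: the Rule and Request fields, the effective_rules/evaluate function names, the trace text and the sample rules and addresses are all constructed assumptions.

```python
# Added example: a model of BorderManager-style access rule evaluation.
# Not Novell code; the Rule/Request fields, function names and sample
# rules below are assumptions made for this page.
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                     # "allow" or "deny"
    service: str = "*"              # proxy/service the rule applies to; "*" = any
    src_net: Optional[str] = None   # IP-based subject (CIDR); None = any source
    nds_user: Optional[str] = None  # NDS-based subject; None = not an NDS rule
    dest: str = "*"                 # destination host pattern (shell wildcards)
    port: Optional[int] = None      # None = any port
    log: bool = False               # access rule logging enabled on this rule
    origin: str = "server"          # NDS object the rule is inherited from


@dataclass
class Request:
    service: str
    src_ip: str
    dest: str
    port: int
    nds_user: Optional[str] = None  # set only if the client proxy authenticated


# The implicit last rule: Deny All.
DEFAULT_DENY = Rule("deny", origin="default")


def effective_rules(*rule_lists: List[Rule]) -> List[Rule]:
    """Build the effective list from inherited lists, in the order supplied
    (assumption: the caller passes them in the precedence order the
    'effective rules' view shows)."""
    return [rule for rules in rule_lists for rule in rules]


def matches(rule: Rule, req: Request) -> bool:
    """True if every populated field of the rule matches the request."""
    if rule.service != "*" and rule.service != req.service:
        return False
    if rule.src_net is not None and ip_address(req.src_ip) not in ip_network(rule.src_net):
        return False
    if rule.nds_user is not None and rule.nds_user != req.nds_user:
        return False
    if rule.port is not None and rule.port != req.port:
        return False
    return fnmatch(req.dest, rule.dest)


def evaluate(rules: List[Rule], req: Request, enforce: bool = True) -> Tuple[str, Optional[Rule], List[str]]:
    """Top to bottom, first match wins; returns (decision, matched rule, trace).
    NDS-based rules are skipped for clients that have not proxy authenticated,
    and the Deny All default catches whatever is left."""
    trace: List[str] = []
    if not enforce:
        trace.append("Enforce Access Rules unchecked: no rule evaluated, request allowed")
        return "allow", None, trace
    for i, rule in enumerate(rules + [DEFAULT_DENY]):
        tag = f"rule {i} ({rule.origin})"
        if rule.nds_user is not None and req.nds_user is None:
            trace.append(f"{tag}: NDS-based, client not proxy authenticated, skipped")
            continue
        if not matches(rule, req):
            trace.append(f"{tag}: no match")
            continue
        if rule.log:  # what access rule logging would record for this hit
            trace.append(f"{tag}: LOG {rule.action} {req.service} {req.src_ip} -> {req.dest}:{req.port}")
        trace.append(f"{tag}: matched, decision {rule.action}")
        return rule.action, rule, trace
    raise RuntimeError("unreachable: DEFAULT_DENY matches every request")


# Constructed sample rule set: a container-level deny inherited above the
# server's own rules, one NDS-based allow and one IP-based allow.
CONTAINER_RULES = [Rule("deny", "http", dest="*.blocked.example", log=True, origin="container")]
SERVER_RULES = [
    Rule("allow", "http", nds_user="alice", origin="server"),
    Rule("allow", "http", src_net="10.1.1.0/24", port=80, origin="server"),
]
RULES = effective_rules(CONTAINER_RULES, SERVER_RULES)


def demo() -> dict:
    """Decisions for a few constructed requests from the same internal PC."""
    unauth = Request("http", "10.1.1.50", "www.example.com", 443)
    alice = Request("http", "10.1.1.50", "www.example.com", 443, nds_user="alice")
    blocked = Request("http", "10.1.1.50", "ads.blocked.example", 80, nds_user="alice")
    return {
        # NDS rule skipped (not authenticated), IP rule is port 80 only: default deny
        "unauthenticated_443": evaluate(RULES, unauth)[0],
        # same PC, proxy authenticated as alice: the NDS rule now allows it
        "alice_443": evaluate(RULES, alice)[0],
        # the inherited deny sits higher in the list, so it wins over alice's allow
        "alice_blocked_site": evaluate(RULES, blocked)[0],
        # Enforce Rules unchecked: everything goes through
        "rules_not_enforced": evaluate(RULES, blocked, enforce=False)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The trace returned by evaluate plays the role of the "add a rule with logging enabled" tip: it shows which rule each request actually hit, and in particular that the unauthenticated request never reached the NDS-based rule, which is the usual reason an NDS rule looks as if it is being ignored.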

Troubleshooting Tools and Techniques

• Johnny can't get a generic proxy for NTP to work
  – TCP Debug shows no data coming to the server
    • Internal server on an internally routed segment did not have a default route configured
  – Proxy Console, option 19, shows no traffic for the proxy
    • Internal server not configured to point to the proxy private IP address for NTP
  – Proxy Console, option 19, shows ACL rejects
    • No Allow Port 123 access rule configured
  – TCP Debug shows inbound traffic discarded
    • Did not allow UDP port 123 to the public IP address with a filter exception

Troubleshooting Tools and Techniques

• IPX/IP and IP/IP gateways
  – Read TID 2928290 and 2928294
  – Look at the Status in the IP gateway component in "Settings", "Control Panel", "Network" at the client
  – It is better not to specify the context of the server than to specify a wrong context
  – Use WINPING.EXE to check if you can ping (do not use the DOS ping)
  – IPXIPGW.NLM must be loaded
    • Check messages in the "Novell IP gateway access status" screen

Troubleshooting Tools and Techniques

• IPX/IP and IP/IP gateways (cont.)
  – To enable the gateway debug at the client, add these lines to the c:\windows\novws.ini file:
      [Gwtraceinfo]
      trace=4
    The output will be in C:\GWDBG32.TXT
  – To enable the gateway debug at the server, use:
      SET NWGATEWAY DEBUG=(0-7)
      SET NWGATEWAY LOG=ON
    The output will be in SYS:\IPXIPGWx.LOG; it slows down the server

Common Problems and Solutions

• No default route/gateway on some host in the path
  – Check the host, and all intervening routers
• Did not install default filters
  – Load BRDCFG, follow the prompts (secure the public IP address only)
• Access rules in wrong sequence
  – Change the rule order

Common Problems and Solutions

• NDS-based rule, no proxy authentication
  – Must run CLNTRUST at the client, or use SSL authentication
  – Not all proxies use NDS-based rules
• Licensing issues
  – See Novell TID 10013723
• Slow shutdown of server
  – Unload BorderManager services before downing the server
    • Get the BMOFF.NCF file at http://nscsysop.hypermart.net/bmoff.html

Common Problems and Solutions

• NWADMN32 snapin issues
  – Rename the ACNWAUTH.DLL snapin to ACNWAUTH.DL_
  – See http://nscsysop.hypermart.net/nwadmin.html
• Proxy cache not on dedicated volume(s)
  – Always put the cache on a dedicated volume, never SYS
• BorderManager not tuned for performance
  – See TID 10018669

Common Problems and Solutions

• Mail proxy
  – Has had a number of issues over the years; be sure to check the latest patches
  – LOAD PROXY -M to allow the mail proxy to use more than one MX record when sending SMTP
    • LOAD BRDSRV/NOLOAD to prevent autoloading
• DNS proxy
  – Don't try it with NAMED loaded on the server
  – May need to clear cached data by deleting the SYS:ETC\PROXY\PXYHOSTS file

Common Problems and Solutions

• HTTP proxy caching an unwanted site / just added a site as non-cacheable, but the old site still comes up
  – Need to clear the (entire) cache as follows:
    • Unload proxy
    • Delete SYS:ETC\PROXY\PXYHOSTS (optional)
    • LOAD PROXY -cc

Common Problems and Solutions

• Transparent proxy
  – Somewhat slower than HTTP proxy
  – Doesn't do DNS lookup for the client
    • Client must be configured to do DNS
  – Logs web sites visited by IP address instead of URL
  – Does not support HTTPS/SSL
• Massive TCP/IP communications failure
  – NETDB 4.09 manually loaded before INITSYS.NCF: load it after INITSYS, or let it autoload as needed

Common Problems and Solutions

• RADIUS
  – Dial access system: redundancy
  – Do you need a profile?
  – Attributes with attitude
    • RADATR3A.EXE
  – Testing: www.nttacplus.com/download/radping.cfm

Common Problems and Solutions

• IPX/IP and IP/IP gateway
  – I am using Novell Client 3.3; the gateway status at the client is always "not connected"
    • The IP gateway component of Client v3.3 doesn't work properly
    • Try Client 3.1 or 3.21
  – In ZENworks all the workstations appear to have the IP address of the gateway
    • This is the way the gateway works: the workstations talk to the gateway, and the gateway communicates on their behalf with the other devices

Common Problems and Solutions

• IPX/IP and IP/IP gateway (cont.)
  – The browsers, IE more frequently, fail to connect to the gateway. Netscape returns the "unable to open socket connection" message
    • Make sure you are using the correct Winsock version at the client
      – For BorderManager 2.1 you must use the Novell Winsock I (the latest client version using this Winsock version is 2.5)
      – For BorderManager 3.x, use the MS Winsock II
    • This limitation applies only to the gateways

Common Problems and Solutions

• IPX/IP and IP/IP gateway (cont.)
  – I am using SSO authentication to the gateway, but when I try to use the HTTP proxy with authentication (to use ACL) I get the message "403 Forbidden, you are not logged in"
    • The IP gateway and the standard HTTP proxy cannot work together
    • If you want to use proxy authentication with the IP gateway you must use the Transparent HTTP proxy
    • SSL authentication to the HTTP proxy doesn't work either
    • You can use the HTTP proxy without authentication

Common Problems and Solutions

• IPX/IP and IP/IP gateway (cont.)
  – How do I enable the transparent proxy for my IP gateway clients without affecting the users on the native TCP/IP stack?
    • To enable the transparent proxy for the IP gateway clients ONLY, use the command line (at the server):
      SET NWGATEWAY CLIENT TRANSPARENT PROXY=ON

Common Problems and Solutions

• Site-to-Site VPN
  – I configured the VPN between two servers. The VPN was established but I can't reach the internal LAN
    • Make sure that your VPN tunnel IP address is in a different network from the private and the public IP addresses of the server, i.e.:
      Public IP address 123.123.123.1
      Private IP address 10.1.1.1
      VPN tunnel IP address 192.168.1.1/255.255.255.0
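The addressing rule above is easy to check mechanically before the tunnel is configured. The following Python is an added example, not from the slides or from Novell: it verifies that the tunnel network is distinct from the server's public and private networks, and goes one step further than the slide by also checking the remote LANs that will be routed over the tunnel, since the site-to-site VPN is routed and an overlapping LAN cannot be given a usable static route. The /24 masks on the public and private addresses, the remote LAN 10.2.2.0/24 and the function name check_vpn_addressing are constructed assumptions.

```python
# Added example: check site-to-site VPN addressing for overlaps.
# Not Novell code; the /24 masks on the public and private addresses and
# the remote LAN are constructed sample values.
from ipaddress import ip_interface, ip_network
from typing import Iterable, List


def check_vpn_addressing(public_if: str, private_if: str, tunnel_if: str,
                         remote_lans: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means the addressing is clean.

    The tunnel network must be distinct from the server's public and private
    networks (the advice on the slide). The extra checks against the remote
    LANs reached through the tunnel follow from the VPN being routed: a remote
    LAN that overlaps the tunnel or the local private LAN cannot be reached by
    a static route through the tunnel.
    """
    public = ip_interface(public_if)
    private = ip_interface(private_if)
    tunnel = ip_interface(tunnel_if)   # accepts "a.b.c.d/255.255.255.0" as on the slide
    findings: List[str] = []

    for name, iface in (("public", public), ("private", private)):
        if tunnel.network.overlaps(iface.network):
            findings.append(f"tunnel network {tunnel.network} overlaps {name} network {iface.network}")

    for lan in remote_lans:
        remote = ip_network(lan, strict=False)
        if tunnel.network.overlaps(remote):
            findings.append(f"tunnel network {tunnel.network} overlaps remote LAN {remote}")
        if private.network.overlaps(remote):
            findings.append(f"local private network {private.network} overlaps remote LAN {remote}")
    return findings


def demo():
    """The slide's example addressing (masks assumed) beside a broken variant."""
    good = check_vpn_addressing("123.123.123.1/24", "10.1.1.1/24",
                                "192.168.1.1/255.255.255.0", ["10.2.2.0/24"])
    # Tunnel placed inside the private LAN, and a remote site using the same
    # private LAN: three separate findings.
    bad = check_vpn_addressing("123.123.123.1/24", "10.1.1.1/24",
                               "10.1.1.254/255.255.255.0", ["10.1.1.0/24"])
    return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("slide example:", good or "no problems")
    for finding in bad:
        print("broken example:", finding)
```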

Common Problems and Solutions

• Site-to-Site VPN (cont.)
  – In the logs in NWADMN32 I have the message "Time synchronization error from connection XXX (SKIP) Construction of SA failed for peer <IP_address>". The VPN stays in the "Being configured" status
    • Check that the time (clock) on the servers is not more than one hour apart in UTC
    • Make sure that your ISP is not filtering any packet type

Common Problems and Solutions

• Site-to-Site VPN (cont.)
  – When loading VPNCFG I get a lot of undefined public symbols
    • The TCPIP.NLM you are using doesn't support encryption
    • It was probably overwritten by a service pack
  – The VPN is up and running but I cannot contact the devices in the private segment
    • The VPN server should be the gateway to the Internet for the LAN

Common Problems and Solutions

• Client-to-Site VPN
  – I can log in to the VPN but when I try to log in to NDS I get the "Tree or server not found" error message
    • Three solutions:
      – Use IPX over the tunnel to log in
      – Use the IP address of the server on the private LAN instead of the server name in the NetWare login screen
      – Set up an SLP DA in your LAN and configure the client to statically query that DA for service location

• Client-to-Site VPN (cont.)
  – The VPN is up and running but I cannot contact the devices in the private segment. The devices in the LAN access the Internet through a device that is NOT the VPN server
    • Use a VPN server dedicated to the client-to-site VPN
    • Enable dynamic NAT on the PRIVATE interface only

Common Problems and Solutions

• Client-to-Site VPN (cont.)
  – When I try to authenticate to the VPN I get the message "Unable to authenticate token password"
    • If you aren't using ActivCard and you aren't using RADIUS, delete the Login Policy Object from NDS and delete the LPOCACHE.DAT file from the server
  – I am not able to use the VPN on Windows ME
    • That's right, the VPN client doesn't work on Windows ME!

For More Information

• Novell Support web site: http://support.novell.com
• Novell Documentation web site: www.novell.com/documentation
• Novell public forums (best with a news reader): support-forums.novell.com (NNTP), http://support.novell.com/forums
• Other web sites: http://nscsysop.hypermart.net, www.connectotel.com
