VPN client access using BorderManager

If you missed out on the tips and tricks that Ron Nutter had to offer us, it's not too late. Check them out!

On May 23rd, fresh from a stunning appearance at this year’s BrainShare in Salt Lake City, Ron Nutter offered these tips and tricks for using BorderManager to remotely log into your network using the Internet. If you couldn’t join us then, enjoy the transcript and we hope to see you on our next live Guild Meeting.

Note: TechProGuild edits Guild Meeting transcripts for clarity.

Welcome to the Guild Meeting!
MODERATOR: Good evening folks. We'll get started in a moment or two, so get comfortable, have some java handy, and we'll rock.

WENDYWHITE: Java handy? Who can tell us what is it?

MODERATOR: Of course I meant the beverage, but if you want to program some Java while we talk, I won't stop you. ;-)


MODERATOR: Thanks, mikkil, for the translation. And now let's begin. Tonight I'm pleased to introduce Ron Nutter, NetWare guru, and BrainShare featured speaker. Tonight Ron is going to give some tips and tricks for using BorderManager to log on remotely. Let's have a hand for Ron - Applause!!

WENDYWHITE: Thank you sir, and Mikki, sorry, I drink tea only.

MODERATOR: Ron, how was your experience at BrainShare, by the way?

RON NUTTER: Implementing VPNs with BorderManager was a pretty popular subject.

MODERATOR: Good crowd at the talks?

RON NUTTER: Popular enough that I was asked by Novell to go to France to BrainShare Europe to repeat the presentation.

MODERATOR: Awesome. Did that happen yet, or is that to come?

RON NUTTER: Just got back from France on Saturday. The presentation was standing room only at Salt Lake City.

MODERATOR: Great. Would you guests mind introducing yourselves to Ron? Let him know what you do so he knows what he's in for - I mean, who's here! Who'd like to introduce first - c'mon don't be shy.

Now for the introductions
JMACLACHLAN: I'm Jim. I'm the Network Admin for The Shelter Group in Balt. MD.

SOLSON2: I'm from NC, work in RTP.

76327711: I'm a VAR and systems integrator and have several accounts, very interested in VPNs.

SOLSON2: IT consultant.

CLAUDERFERLAND: I'm a student, training in networking.

MGENNARO: My name is Mike, and I have a small Networking Company.

MODERATOR: Great - thanks all. By the way, two lucky chatters will win a TechRepublic hat and a tee shirt - I'll be keeping scientific score of the chat. ;-) We have our first question.

SOLSON2: Is NetWare aimed mostly for office users, more than graphic users?

RON NUTTER: Solson2: NetWare can be used by either.

MODERATOR: Ron, how can BorderManager help with VPN?

SOLSON2: Is NetWare capable of working on Alpha?

JMACLACHLAN: We're using BorderManager 2.1 right now and are going up to 3.x shortly. Is there much difference in the VPN?

RON NUTTER: Solson2: NetWare is only on the Intel platform at this time. Work is progressing for the Merced chip. Jmaclachlan:

76327711: Does BorderManager actually create the VPN or is additional software required?

RON NUTTER: Jmaclachlan: Client to Site VPN is a feature new to 3.x.

MIKKILUSA: So tell us how to do VPN on BorderManager, please uncle Ron?

RON NUTTER: I would equate BM 3.x to NW 4.x in maturity and stability. VPN is pretty easy to set up.

That’s what I call fast
JMACLACHLAN: The remote NetWare client used to take forever to load, is that faster now?

RON NUTTER: 76327711: Yes to both. BorderManager provides the VPN service. Additional software (included with BM) must be installed on the client in order for it to use the VPN service.

76327711: Does "client to site" mean single remote user? Is any special remote software needed or just the stuff bundled with Win95/98?

RON NUTTER: jmaclachlan: It is much better. Installing the remote client takes just a couple of minutes. Establishing the connection can take anywhere from about a minute to 7 minutes depending on your ISP, the speed of the connection and if IP and or IPX are being used on the connection.

MODERATOR: Thanks for the great questions. And if you folks need any background info, don't be afraid to ask.

RON NUTTER: 76327711: Client to site means one or more clients. Client to site VPN rides on top of the site-to-site VPN service of BM.

SOLSON2: Isn't IPX slower?

RON NUTTER: The only thing that I would suggest is that you download the latest VPN client from Novell, the one that ships with BM 3.x doesn’t support Win2K out of the box. Solson2: IPX can be slower but there is an adjustment you can make in BorderManager to help with that.

SOLSON2: What about security, how safe is it?

JMACLACHLAN: The client can now use straight IP, correct?

RON NUTTER: The documentation says to use a unique network number for IPX for the client to site IPX configuration. But if you use a 0 for the network number, routing speed can be improved.

It’s been documented
76327711: Is the BM that ships with NW Small Business Suite complete and ready to set up? I thought that BM is implemented on a "pure IP" NW network. Where does IPX come in?

RON NUTTER: Solson2: It is about as safe as you can get. If you are using BM domestically as opposed to internationally, you can use 128-bit encryption. By making a small configuration change to BM, you can require that the remote clients also use 128-bit encryption. 76327711: BM can be implemented on an IP, IPX or IP/IPX network.

CLAUDERFERLAND: If you were making a hard sell to a client, what advantages would you list vs. setting up a VPN in an NT environment?

RON NUTTER: 76327711: It should be the same version as the version that ships separately. Haven’t had a chance to look at that one yet.

JMACAULAY: Hello all: jimmymac here tonight.

MODERATOR: Hello jimmymac.

JMACLACHLAN: On the internal side, if I am using NetWare 5 & BM3, can I do individual blocking without having to log in to the BM server each time I start an Internet session?

JMACAULAY: Hello, Moderator Dear!

RON NUTTER: Claudeferland: Using BM gives you a single point of administration, where other products require separate administration programs.

JMACLACHLAN: That's assuming the latest clients for 9.x & NT.

76327711: What are the advantages/disadvantages of BM VPN vs. a hardware-based VPN?

RON NUTTER: jmaclachlan: correct about the client assumption. Jmaclachlan: don’t know about individual blocking. There are VPN access rules created when you set up the VPN service, so it should be possible to block it on a user-by-user basis. Haven’t tried that but it should be possible.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.
RON NUTTER: 76327711: Hardware based VPN.

MGENNARO: Are there any Service Packs required on a NetWare 5 server, in order to install BM3.x?

RON NUTTER: 76327711: Hardware based VPNs can handle a higher user count than software based VPNs, but you are looking at a higher entry point in terms of cost for a hardware based VPN.

SOLSON2: Does BM3 have to be installed on a server?

RON NUTTER: mgennaro: In the article I wrote for TechRepublic and the subsequent presentations at the two Novell BrainShare conferences, I used SP3A on NetWare 5 and BM SP 2 with BM 3.0.

JMACLACHLAN: Does BM3 still use a separate FTP password from the regular login password for a client?

RON NUTTER: Solson2: Yes it has to be installed on a server. Since BorderManager ships with a runtime version of NetWare 5, you don’t have to buy another copy of NetWare to get it up and running.

76327711: If you were running a BM VPN on a 384k SDSL connection would 3 to 4 remote clients have access at a decent speed?

Could you please explain?
RON NUTTER: jmaclachlan: Could you please explain that further - FTP password vs. regular login? 76327711: Depending on what the users are accessing on your network, it should be doable.

JMACLACHLAN: In BM2.1, I have to set up a password for FTP access for my users. They can't log in to the FTP service until I do. This password is completely separate from the NDS pwd.

RON NUTTER: Jmaclachlan: Sounds like you are using the FTP proxy function in BM, right?


RON NUTTER: Jmaclachlan: The password that the user will use when establishing a VPN to your network will be their regular FTP password. Since they will be coming in from outside your network and if you don’t encrypt all communications from the client (i.e. encrypt only those communications destined for your network), they shouldn’t have to enter a password for FTP access to a site off of your network.

JMACLACHLAN: Can you encrypt FTP transfers?

MGENNARO: With the GroupWise client installed on the remote workstation, will the user be able to access their mail or would they still have to use the Web interface?

JMACLACHLAN: Oh, sorry, I see what you mean.

RON NUTTER: Jmaclachlan: The only way that I know you could encrypt FTP transfers is if the FTP server was internal to your network. Outside of the network might require a little additional thinking on how to do that.

MODERATOR: You said earlier that BM offered one point of administration. What helpful tools does BM offer for setting up remote logins?

Remote logins
RON NUTTER: Mgennaro: If you select the Encrypt All Communications option, you will need to reference the GW server by its internal address. Shouldn’t need to use the Web interface unless you want to. The tools for supporting remote logins can be as simple as the messages that pop up on the server console screen as users log in and log out of the VPN connection. By using NWAdmin and going into the BorderManager properties page, you can get a more graphical view of what is going on as well as a historical view of what a particular user went through when logging in.

JMACLACHLAN: How much history and what type is available?

RON NUTTER: In NWAdmin, you also have the option of seeing exactly what users are connected to the BorderManager server on a VPN connection, what protocols are in use, and what type of activity each connection has experienced in the last minute, 5 minutes and 10 minutes.


RON NUTTER: Jmaclachlan: Depending on the size you allow the log files to grow to, you should be able to get to several days of info. By default, you will see the last 6 hours worth of VPN activity.

JMACLACHLAN: Are there any tools for pulling this information out into an area where searches can be done on it? Or is it a text file like the other logs typical to Novell 4.x?

MODERATOR: Twenty minute bell... ding.

RON NUTTER: jmaclachlan: There probably is. You might be able to get to some of the text file but I don’t know where they are right off hand. Some of the info is kept in Btrieve files, so it might take a little bit of digging.

A bit of digging
WENDYWHITE: Mr. Ron, currently VPN is applying on commercial or normal communication, please.

MODERATOR: Can you clarify that, Wendywhite?

RON NUTTER: Wendywhite: When a VPN is active, it encrypts all traffic to and from the VPN server that you are connecting to.

MODERATOR: And you said it uses 128-bit encryption in the U.S.?

WENDYWHITE: I meant there are not solo net tool now, VPN rank what positioning for stability and reliability.

JMACLACHLAN: I don't know when or if this would apply, but can someone have a non-licensed connection to the VPN?

RON NUTTER: For those that would like a guiding hand on setting up client to site VPN in BorderManager, Novell has a good hot start document that leads you through the server side. I will give you the short version - the butler did it. You should be able to get it running by going with the default settings. Yes, BM in the U.S. can use 128-bit encryption if you purchased the non-exportable version. Otherwise, I believe that you can only get 56-bit encryption.

MODERATOR: Any idea what the speed hit is when using 128 bit?

RON NUTTER: Wendywhite: the question you ask is a little difficult to answer in this type of forum. The best thing I can say is that I set up BM VPN for a customer in late December and haven’t had to touch it since. Jmaclachlan: No way to do that that I know of. Since you have to authenticate to BM in order to establish a connection.

VPN seminar
NOTREALLYTHEMOD: I've been to one VPN seminar, so I'm not knowledgeable by any means - so excuse if this question is naive, but I don't understand how BorderManager is hardware based VPN - did I miss something?

RON NUTTER: In the situation I used when setting it up for a customer, I had a T1 to the internet and used a dial-up connection from a portable to connect to an ISP, didn’t notice any perceivable hit over using those same services over a non-encrypted connection.


RON NUTTER: Notreallythemod: I would consider BM software based VPN since it is running on a server with other services. Cisco's PIX firewall would be a hardware based VPN.

76327711: ***Moderator*** is there a way to save this dialogue without waiting for the transcript to be published on the Forum?

MODERATOR: 76327711: You ought to have the whole meeting cached - try blocking it all and drop in a text editor.

JMACLACHLAN: Ron, is there any sort of wizard or help out there for filtering ports for BM?

76327711: Not working. Thanks.

JMACLACHLAN: (Didn't work for me, either.)

MODERATOR: Hold on - let me try something, here. In the meantime, 10-minute bell. Ding Ding. Now's the time to ask those questions you want to get covered.

NOTREALLYTHEMOD: OK - appreciate it. You said you can run by default. But are there some default settings that you recommend changing?

WENDYWHITE: Chairman, does the VPN install on UNIX too?

76327711: Does Novell or another publisher have a good "how to" book on setting up BM and the clients?

RON NUTTER: jmaclachlan: You have hit on one of the points I love to gripe about to the development folks at Novell handling BM. There isn’t a wizard at this point (unless you consider bowing towards Provo when starting to use filters - always worked for me <G>). I have heard rumors that there will be this type of interface in BM 4, due out hopefully later this year. Send me an e-mail message and I can forward you a few suggestions - don’t have access to them on the machine I am using for this meeting.

76327711: Clarification: a how-to book for setting up the BM VPN and clients.

JMACLACHLAN: Wow! Thanks. I thought it was just my ignorance and paranoia showing. <G>

RON NUTTER: notreallythemod: you have to enter a string to be used to generate the encryption key. And you will need to use a unique IP class address for the VPN IP address in vpncfg.nlm.

MGENNARO: What version of the NetWare client is needed for the remote client?

RON NUTTER: Wendywhite: BM VPN only installs on an Intel box running NW 4 or 5. 76327711: check out and put a request in for that type of book. I am in discussion with them to write such a book. Mgennaro: I have been using 3.1, 3.1 sp1, 3.1 sp2 and 3.2 on Windows 95/98. You will need the latest NT client with NT 4 to get things running smoothly. 76327711: Look for the pod books link.

Some raw information
MODERATOR: Here's the raw transcript info - I should have a raw transcript by tomorrow. If you send a request to I'll see what I can do to shoot it to you by e-mail. I'd like to give out a couple of prizes. First, I thank you all for coming. I'll be quick so we can get to the last few questions.

RON NUTTER: For those that have additional questions about BM VPN, please feel free to e-mail me at and I will put them together for a future article.

76327711: I'll take one, thanks.

MODERATOR: You all did great. Thanks for great questions. Well, 76327711 - you got one - I got a TechRepublic cap for you. You'll be the most stylish in your office. Jmaclachlan, I got a tee shirt for you. Plus, you get to enter our drawing for a trip for 2 to the Himalayas. Just kidding.

76327711: Thank you. :-)

JMACLACHLAN: Thanks! I'd like a transcript as well, please.

MIKKILUSA: Congrats you guys.

MODERATOR: Please send me your snailmail, and real live name to, as well as your tee size—And now, quickly, if there's time, a few more questions...

Thanks guys!
WENDYWHITE: Chairman, VPN could telnet other clients or server as own work interface?

MIKKILUSA: Ron I have question on 2000 and Novell clients posted on TechRepublic. Stop by and give it a shot if you have a chance, please?

JMACLACHLAN: We had a bad problem with opportunistic locking on Win95 machines with GroupWise 5.5.2 when we put on the 3.2 client.

MODERATOR: If we don't get to answer in a couple of minutes - great material for our TPG forums -

RON NUTTER: Wendywhite: VPN is independent of other services or it can pass traffic such as telnet depending on your configuration.

MODERATOR: Ron, just a couple of final comments, if you can sum up, and we'll call it a night. ("A night!").

RON NUTTER: Mikkilusa: Will try. Jmaclachlan: did you try the latest GW service pack? Hadn’t heard of that problem.

MODERATOR: Ron Nutter, ladies and gentlemen. What a fine job he did, too. Hope to see you all in future Guild Meetings.

RON NUTTER: Thanks to everyone for stopping by.

JMACLACHLAN: No, we didn't put that on GroupWise. We also found we didn't have just IP connections set. Still, the easiest fix in the middle of a busy day was to fall back a client version.

MODERATOR: Good night all, and thanks again.