On April 13th Ron Nutter, the Novell Guru and BrainShare speaker, led us on a BorderManager journey of epic proportions. If you couldn’t join us then, enjoy the transcript and we hope to see you at our next live Guild Meeting.
Note: TechProGuild edits Guild Meeting transcripts for clarity.
Welcome to the Guild Meeting!
MODERATOR: Welcome to Thursday night’s TPG Guild Meeting. The topic tonight will be BorderManager. Speaking will be Ron Nutter, contributing editor for TechRepublic’s TechProGuild. Ron recently presented at BrainShare 2000 where his topic was “Implementing Client side VPN using BorderManager.” We’ll be starting the meeting shortly. Don’t forget to stay tuned to see who wins tonight’s participation prize—a black TechRepublic cap and T-shirt. Feel free to chat amongst yourselves for now.
MIKKILUSA: Hi all
KSHWARTZ: Hi everyone
MODERATOR: Before we start, how many of you are currently using NetWare and BorderManager?
KSHWARTZ: I am in a limited way
MIKKILUSA: NetWare yes, BorderManager no.
TCHASE: We are using both internally and have installed them at several client sites
JCADMUS: Just NetWare 5. I’m interested in learning more about BorderManager. We’ve got it, but haven’t used it yet.
MODERATOR: Great! Sounds like we have a crowd that really bleeds RED tonight. And now, here’s Ron Nutter…. Ron?
DHOWELL: I’m using both
MIKKILUSA: Same here Carl
RON NUTTER: Thanks to everyone for coming tonight. Are there any particular questions that anyone would like to ask before I begin?
Problems with SMTP proxy
KSHWARTZ: Has anyone had problems with the AMTP proxy?
RON NUTTER: Do you mean SMTP proxy?
KSHWARTZ: Yes, SMTP.
DHOWELL: Can BorderManager slow down the speed of our T-1 line?
KSHWARTZ: Yes.
JCARLISLE: What does BorderManager do, anyway? Is it just to build a firewall?
RON NUTTER: Kschwartz, are you using BorderManager 3.5?
HAROLD66: I just used Novell 3.11 for one day… sorry. (sniff)
KSHWARTZ: Yes, with the latest Support Pack.
RON NUTTER: Kschwartz, you basically have two choices: either call Novell and open up a call ticket or stop using the SMTP gateway (aka Mail proxy).
KSHWARTZ: We ran into problems with the receive buffers shooting way up after a while and hanging the server.
MIKKILUSA: Is Win2NCS part of BorderManager?
RON NUTTER: There is a known problem I have come across in BM 3.5 with the SMTP proxy not working consistently.
KSHWARTZ: We ended up just passing the mail packets through using a static NAT entry.
RON NUTTER: The company I work for during the day has a European office that was using SMTP proxy and could send e-mail to us or reply to e-mail that was sent from us. Jcarlisle, BorderManager is a firewall and much more; it can control who can access the Internet and when and who can get in.
We’ve got BM2
DHOWELL: We’ve got BorderManager 2. We had a similar problem when one user accessed certain SSL sites with Netscape. When they stopped using Netscape, it stopped locking up BorderManager.
JCARLISLE: IntraNetWare used to have an IPX/IP gateway. I don’t think this is in NetWare 5. Can BorderManager do the same thing?
RON NUTTER: Dhowell, properly configured, you should be able to get a little more speed from your T1.
JCARLISLE: How can BorderManager get more speed out of a T1 line? Isn’t there a bottleneck in the wire? It’ll only go so fast.
RON NUTTER: Jcarlisle, I would recommend against using IPX/IP gateway; it uses more processor time on the BorderManager server. I would go with a private IP address scheme on the private card (i.e. 10.0.0.1 etc.) and use dynamic NAT to convert to a public IP address.
DHOWELL: Is there a security risk if we allow pinging through BM?
RON NUTTER: Jcarlisle, the key thing is to watch the access logs on BM to see the sites that your users go to and pre-fetch those Web sites on a periodic basis so that the users are getting it from BM cache and not across the wire.
MIKKILUSA: We cannot get WIN2NCS the modem server part of NetWare 5.
RON NUTTER: Dhowell, there is a potential for risk. Pinging should only be able to go through if you are using static NAT and filters aren’t in place.
KSHWARTZ: The cache works great.
MIKKILUSA: To work with Win2K any ideas?
JCARLISLE: Oh, so it works as a firewall, a NAT, and a proxy cache of sorts?
RON NUTTER: Jcarlisle, yes to all of the above.
JCARLISLE: Cool!
Problems with WIN2NCS
RON NUTTER: Mikkilusa, what kind of problems are you having with WIN2NCS?
DHOWELL: NAT? (I’m sure I should know this, but…)
KSHWARTZ: Network address translation.
RON NUTTER: Dhowell, NAT: network address translation. Basically what happens is that…
MIKKILUSA: It just sits there on Win2K machines then times out. In other words, it does not play nice with Win2K.
RON NUTTER: BorderManager converts the private IP addresses you are using into the public IP address on the BM server. When the return traffic arrives, it uses a table that it builds to send the traffic to the correct private IP address.
MODERATOR: If Jack were here, he’d tell you to switch to Linux Mikkil.
DHOWELL: So NAT is the “pseudo” IP addresses set up for security purposes?
RON NUTTER: Mikkilusa, you may need to talk to Novell about this. WIN2NCS hasn’t seen any improvements in a couple of years, so unless Novell hears there is a demand, they may not include support for Win2K.
MIKKILUSA: Yeah, in fact we are thinking about using it on our Internet unless Ron convinces me that BorderManager is better!
MODERATOR: Better put on your marketing suit, Ron!
RON NUTTER: Dhowell, the “pseudo” IP addresses are for security purposes and to allow you to have many users passing out to the Internet without requiring a lot of public IP addresses.
CHET: How involved is it to implement the “single sign-on” feature of BorderManager for the clients already logging into NDS?
KSHWARTZ: BorderManager as a proxy server works very well for us. Mine has been up for months.
RON NUTTER: Chet, have a couple of hours for me to explain that? Seriously, I wrote an article on how to use single sign on in BorderManager; you basically have to execute a clntrust.exe at the client (the best way is to copy the file local and run it out of the login script). In this way, you can control the access rules by NDS object name and the user name also shows up in the access logs.
DHOWELL: Is there any way for me to test the quality (i.e. speed) of my T-1? A utility or something to see why it is going slower than expected, or where the hang-up is?
TCHASE: Not to get off subject, I have BorderManager 3.5 installed with all patches. Ron you helped me to receive Internet e-mail by unchecking the mail proxy in NWADMIN. Now I can’t send Internet e-mail. Keep getting “too many hops”. What am I doing wrong?
RON NUTTER: Dhowell, this can get kind of expensive. It requires a special piece of test equipment at each end of the T1 called a “redbird.” It tests the connection at each end to tell you what it is capable of doing.
CHET: Could ZENworks be used to execute or distribute the clntrust.exe file?
RON NUTTER: Tchase, we do this at my day job, enabling static NAT on BorderManager. Bind a secondary IP address on the public card and map the public address to the private address. You will also want to enable dynamic pass through for NAT and everything should go okay.
CHET: Also, is that article (BorderManager and single sign-on) archived here on TechRepublic’s site for retrieval?
RON NUTTER: Chet, that is a possibility. We happened to use a batch file to copy the clntrust.exe to the local workstation. Chet, yes, you should be able to find it on the past articles list.
Don’t miss our TechRepublic articles
CHET: Great, thanks! I will look it up.
RON NUTTER: Mikkilusa, I would hold off on putting Win2K into production for at least several months. We have it in testing at my day job but have found some applications that don’t work with it yet. We have also found that it is a little particular as to the hardware it will work with.
JCARLISLE: Does BorderManager 3.5 only run on NetWare 5 or can I run it on our 4.x servers as well?
RON NUTTER: BorderManager 3.5 should be able to run on either platform, as far as I know. If you are concerned about having to buy another copy of NetWare to use it with, it should ship with a run-time version that should get you up and running. Jcarlisle, do you already have BorderManager 3.0?
JCARLISLE: Actually, we only have 2.1. What’s the difference?
RON NUTTER: Chet, let me know if you can’t find the article and I will get it to you.
DHOWELL: I’ve seen some utilities (trace route) that show the route your data is going over the Net, however, it requires the ability to send and receive pings. It is also supposed to show where any packets are lost or where bottlenecks exist on the route. For pinging, you mentioned static NAT. Does this mean the workstation has the same private IP address each time it logs on?
CHET: OK, I will let you know.
RON NUTTER: Jcarlisle, big difference! Not all of the proxies worked in 2.1; the rules were kind of quirky. Dhowell, use NeoTrace from www.neoworx.com. I will be talking about this in an upcoming article and at a presentation I am giving at Novell’s BrainShare Europe in France next month. NeoTrace is a lot better than ping.
DHOWELL: Thanks!
NeoTrace rules
MIKKILUSA: NeoTrace rules!
RON NUTTER: Static NAT does mean that you will have to have a permanently assigned IP address on the private side (you would normally only need this for a server). Workstations use dynamic NAT, which means the path to them from the outside world is only open while the workstation is talking to the outside world.
JCARLISLE: So the run-time version will run on a separate box and not tie down the main NetWare box?
RON NUTTER: Jcarlisle, yes, that is correct.
CHET: Found the article—“Creating access rules for BorderManager”—correct?
RON NUTTER: Chet, the title should say something about using single sign on with BorderManager.
LAYALA: Should BorderManager be left alone on a server, or can it work together with another application running?
TCHASE: Where do I enable static NAT? INETCFG?? How do I bind a secondary IP to a card?
RON NUTTER: Layala, depends on the other application. I have known companies to be able to run their Web server on the same box as BorderManager. It didn’t seem to be a problem. Just make sure you have plenty of memory on the server.
LAYALA: Thanks Ron!
RON NUTTER: Tchase, enable static NAT in INETCFG. Syntax for secondary IP address is: add secondary ipaddress x.x.x.x (replace x’s with public IP address). Be sure to put this command in your AUTOEXEC.NCF towards the bottom so it will automatically happen each time the server is started.
Testing Win2K
MIKKILUSA: We started testing Win2K, too, and are having to run MS client and Novell’s 4.7 client to print. It will not see the print servers otherwise.
DHOWELL: So when you say to enable static NAT, will the workstations still be dynamic while the server is static?
RON NUTTER: Mikkilusa, you might want to look at the lpr functionality in NetWare 5. It might let you print to the Novell printers without using the client. Dhowell, both would be static. If the workstation’s IP address were to change, you would have to change the static NAT mapping in INETCFG, otherwise it won’t be reachable from the outside world.
KSHWARTZ: What about using NDPS?
MIKKILUSA: lpr?
RON NUTTER: Mikkilusa, lpr is a UNIX term that means remote IP based printer.
TCHASE: I have 2 NICs on my BorderManager; one configured with private IP and one with public IP. Do I still need to add a secondary IP address to the private card?
JCADMUS: NetWare client versions less than 4.7 seem to not have full functionality with everything. With Win2K, that is.
RON NUTTER: Jcadmus, 4.7 was the first one to really be able to support Win2K. Tchase, you add the secondary IP address to the public card and put a static NAT mapping on the public IP entry binding in INETCFG.
JCADMUS: I discovered that after much “gnashing of the teeth!”
LAYALA: Is there any firewall device running BorderManager like the Nokia IP440 runs CheckPoint?
DHOWELL: Okay, our dynamic addresses are set by our NT server, so I am guessing this would throw a wrench into the BorderManager static NAT deal.
RON NUTTER: Tchase, I believe if you look for my implementing BorderManager article here on the TechProGuild site, you should be able to see how it is done. Layala, I don’t understand your question. BorderManager runs on just about any Intel platform.
MIKKILUSA: So we have straight NAT running and so far no problems. Is BorderManager going to be that much better?
RON NUTTER: Dhowell, for static NAT mappings, you will need to have a static IP address assigned to the device that you want to be reached from the outside world.
TCHASE: Back to binding a secondary IP to the public card. Earlier you stated this would be a public address. Do I need two public addresses to bind to the card? I only have access to one public IP.
RON NUTTER: Tchase, yes you would be adding an additional public address to the public card on your BorderManager server.
CHET: FYI, I can’t find the article on BorderManager and single sign on. Do you remember the exact title?
MODERATOR: “Enabling Single Sign on with BorderManager”
DHOWELL: Would it be possible to set only my workstation as static while all others remain dynamic?
CHET: Thanks!
RON NUTTER: Mikkilusa, BorderManager has three levels of NAT: static only (requires a one to one mapping for workstations to get in or out), dynamic only (where all systems on your private card share the same public IP address—not good for letting e-mail pass through BorderManager to your mail server), and dynamic/static mode where you can get the best of both worlds.
TCHASE: I don’t understand why I need two public IP addresses bound to the same card. My client site only uses one public IP and the send/receive Internet e-mail works just fine.
RON NUTTER: Tchase, using an additional public IP address is the only way I have ever done it. It might be possible to use one address to send e-mail to your server while other traffic is routed accordingly, but I think that would require filtering to be in place and that is not a subject that is easy to get into.
Playing with ZENworks
MIKKILUSA: I have been playing with ZENworks to handle my single sign on because I read it will handle PeopleSoft in the next upgrade. Will BorderManager do the same?
RON NUTTER: Tchase, are they using the SMTP proxy?
TCHASE: SMTP is enabled, yes.
RON NUTTER: Mikkilusa, I believe that BorderManager single sign on is a little different from the single sign on used with PeopleSoft. I haven’t heard of the two working together. Tchase, that explains it. In other configurations, you would need an additional public IP address bound to the public card and NAT’d to a private address on your local network for mail to go in and/or out.
LAYALA: I’m trying to figure out if BorderManager is a server-only installation or there are individual boxes for it to work with? Does this clarify my previous question?
MIKKILUSA: ZENworks?
RON NUTTER: Layala, BorderManager is a server-only installation. Workstations pass through it to get to the Internet. Mikkilusa, I am not sure. I haven’t worked with the PeopleSoft piece.
MIKKILUSA: I heard you are a ZEN guru though.
CHET: Can the VPN option be used to connect offices (cheap frame-relay so to speak)? And does it have to have BorderManager on both ends, or can we use a VPN appliance on one end?
TCHASE: I’m sorry I answered incorrectly. SMTP is enabled in the GroupWise Internet agent, SMTP is disabled in PROXYCFG.
BorderManager IP filters
DHOWELL: What do the BorderManager IP filters do exactly? Add more security?
RON NUTTER: Chet, VPN can do what you suggest. In the case you have outlined you would need a BorderManager server at each end to do a site-to-site VPN. Unfortunately at this point in the game VPNs are a proprietary solution from vendor to vendor, so you have to use the same equipment at each end of the connection.
HAROLD66: Is there a similar thing like BorderManager in the Microsoft world?
RON NUTTER: Dhowell, filters control what is allowed to pass through BorderManager. Where access rules control where you can go, filters control how you can get there (i.e. you can prevent the ping command from coming through). Harold66, MS proxy and Checkpoint 1 to mention a couple of products that work with Microsoft. But there are disadvantages to using both; you may be looking at dual administration because neither—as far as I know—integrates to NWADMIN.
MIKKILUSA: BorderManager can also filter out sites by category, too, right?
RON NUTTER: Mikkilusa, that involves the use of a third party add-on to BorderManager that ships with a 45 day evaluation period.
MIKKILUSA: Thanks!
RON NUTTER: I also wrote an article on how to implement that option as well. Past the 45 days, you have to subscribe to the service to get updated category lists.
MIKKILUSA: Man, I’ve got to move out of the Win2K and Linux sections of TPG and get back into the Novell stuff.
Oh my goodness!
MODERATOR: *gasp* You mean you haven’t been already?!
MIKKILUSA: Yes, just not as much. Now I’ve got to get the Novell every day too.
LAYALA: Where can we get that article about the site filter that works with BorderManager?
MIKKILUSA: If you guys here do not know, you can get e-mail every day on the great TechRepublic articles. (The preceding was an unpaid plug.)
MODERATOR: The article is titled “Setting up client to site VPN in BorderManager.”
RON NUTTER: Layala, I believe that you are talking about the Cyber Patrol add-on. It is on the BorderManager CD and should be fully functional out of the box (except for the 45 day window). Depending on the speed of the line, the initial download of the updated category files may take a while.
MODERATOR: Alright everyone. It’s the top of the hour… Thanks to Ron for presenting tonight… But wait….
RON NUTTER: For those that are looking at implementing BorderManager for the first time, I would recommend that you take it slowly. Don’t turn up all the features at once. Get used to each one before going onto the next one.
MIKKILUSA: Thanks Ron!
MODERATOR: It’s time for the Flying Fickle Finger of Fate to pick tonight’s Guild Meeting winner…
MODERATOR: Sorry Mikkilusa… it’s not you…
RON NUTTER: Mikkilusa, thank you and everyone else for coming by tonight.
CHET: Thanks!
Time’s almost up
MIKKILUSA: Yeah, it’s been cool!
MODERATOR: The winner is… It’s…. It’s…. It’s…. Chet!
HAROLD66: Thanks!
CHET: Cool!
MODERATOR: Congratulations to Chet! Send your information to jharvey@techrepublic.com. Thanks to Ron and thanks to everyone for their participation.
RON NUTTER: Moderator, you aren’t going to send out the rubber chicken again are you?
MODERATOR: Nope. Tonight was a black TechRepublic T-shirt and cap combo.
TCHASE: Ron you were a great help. Thanks
MIKKILUSA: Night you all… You all come back now ya hear? heehee
RON NUTTER: Tchase, glad I could help
MODERATOR: Guild Meeting adjourned.
Our Guild Meetings feature top-flight professionals leading discussions on interesting and valuable IT issues. You can find a schedule of Guild Meetings in your weekly TechProGuild Notes TechMail, or on the Guild Meeting calendar.