Larico wrote: No, I'm not confusing anything. The book is on the disc. But since 3.7 came out in 2002, the book on it is also from 2002. The book's table of contents is as follows:
CHAPTER 1 - OVERVIEW. 11
CHAPTER 2 - BASICS 15
CHAPTER 3 - INSTALLATION 30
CHAPTER 4 – UNDERSTANDING PACKET FILTERING 78
CHAPTER 5 – THE INITIAL CONFIGURATION. 81
CHAPTER 6 - HTTP PROXY. 105
CHAPTER 7 - ACCESS RULES 128
CHAPTER 8 – INSTALLING SURFCONTROL. 136
Judging by its table of contents, the book is abridged.
[quote]
A Beginner’s Guide To
BorderManager 3.x
Understanding and Configuring Novell BorderManager,
versions 3.0, 3.5, 3.6, 3.7 and 3.8
Third Edition, Beta Version 1
November 13, 2003
Craig Johnson
Novell Support Connection Sysop
http://www.craigjconsulting.com/
Table of Contents November 13, 2003
A Beginner’s Guide to BorderManager 3.x - Copyright 2000-2003, Craig S. Johnson Page 2
Table of Contents
TABLE OF CONTENTS................................................................................................................. 2
WHAT’S NEW?........................................................................................................................... 17
New Content in this Version of the Book .................................................................................. 17
What Does a Beta Version of a Book Mean? ........................................................................... 20
PRINTING THIS BOOK ............................................................................................................... 21
ACKNOWLEDGEMENTS............................................................................................................ 22
ABOUT THE AUTHOR ................................................................................................................ 23
LICENSING ................................................................................................................................. 24
OFFICIAL DISCLAIMER.............................................................................................................. 25
CHAPTER 1 - OVERVIEW........................................................................................................... 27
What is BorderManager? .......................................................................................................... 27
Filtering................................................................................................................................. 27
Proxies.................................................................................................................................. 28
Gateways.............................................................................................................................. 28
VPN ...................................................................................................................................... 28
Differences Between BorderManager 3.8 and Previous Versions ........................................... 29
How This Book Is Organized .................................................................................................... 31
What this book covers ........................................................................................................... 32
What this book does not cover .............................................................................................. 32
CHAPTER 2 - BASICS ................................................................................................................ 33
Some Important Terminology.................................................................................................... 33
Prerequisite Knowledge ............................................................................................................ 34
TCP/IP Basics.......................................................................................................................... 35
Public & Private Networks..................................................................................................... 35
The Importance of the Default Route .................................................................................... 36
Domain Name Service (DNS) ............................................................................................... 38
Secondary IP Addresses....................................................................................................... 39
Proxy Versus Routing and NAT (How Proxies Work) ........................................................... 41
BorderManager Scenarios ........................................................................................................ 43
Scenario 1 - One Public IP Address...................................................................................... 43
Scenario 2 - A Cable Modem with DHCP Connection .......................................................... 45
Scenario 3 - Multiple Public IP Addresses ............................................................................ 48
Scenario 4 - BorderManager Used Only For HTTP Proxy.................................................... 50
Scenario 5 - A Single Firewall (3-NIC) DMZ Segment.......................................................... 51
Scenario 6 - A Classic Two-Firewall DMZ............................................................................. 53
Scenario 7 - A Simple Site-to-Site VPN ................................................................................ 54
Scenario 8 - A Simple Client-to-Site VPN ............................................................................. 55
Scenario 9 - Complex Multiple BorderManager Server Environments ................................. 56
Scenario 9A – The Original Network ................................................................................. 57
Scenario 9B – The More Current Network ........................................................................ 60
Some Rules of Thumb and Words of Wisdom.......................................................................... 64
CHAPTER 3 - INSTALLATION.................................................................................................... 67
Server Hardware Suggestions.................................................................................................. 67
NetWare Server Installation Tips .............................................................................................. 68
Using Caldera DRDOS and NetWare – MultiBoot Menu ...................................................... 68
Using MSDOS 6.22 and NetWare 5.1................................................................................... 71
Don’t Let The NetWare Installation Create the Volumes Automatically................................ 72
Install BorderManager from the Root of the CD.................................................................... 73
Get the Server on the Internet Before Configuring BorderManager ..................................... 73
Setting the Default Route and DNS Servers ......................................................................... 75
BorderManager Server Configuration Suggestions.................................................................. 80
NDS Design Considerations ..................................................................................................... 82
Background Information ........................................................................................................ 82
Version-Specific NDS Considerations................................................................................... 82
How to Install BorderManager Remotely .................................................................................. 83
Requirements ........................................................................................................................ 84
Example Scenario ................................................................................................................. 85
STARTX.NCF .................................................................................................................... 85
REMX.NCF........................................................................................................................ 85
DX.NCF............................................................................................................................. 85
Procedure .............................................................................................................................. 86
Recommended Patches and Installation Sequence................................................................. 87
Installing BorderManager 3.8 ................................................................................................ 87
on NetWare 6.5.................................................................................................................. 87
on NetWare 6.0.................................................................................................................. 89
on NetWare 5.1.................................................................................................................. 90
Installing BorderManager 3.7 ................................................................................................ 91
On NetWare 6.0................................................................................................................. 91
On NetWare 5.1................................................................................................................. 92
Installing BorderManager 3.6 ................................................................................................ 94
On NetWare 6.0................................................................................................................. 94
On NetWare 5.1................................................................................................................. 95
On NetWare 5.0................................................................................................................. 96
On NetWare 4.11/4.2......................................................................................................... 97
Installing BorderManager 3.5 ................................................................................................ 99
On NetWare 5.1................................................................................................................. 99
On NetWare 5.0............................................................................................................... 101
On NetWare 4.11............................................................................................................. 103
Installing BorderManager 3.0 .............................................................................................. 105
On NetWare 5.0............................................................................................................... 105
On NetWare 4.11 / 4.20................................................................................................... 105
Upgrade Considerations...................................................................................................... 107
Example Installation of BorderManager 3.8 on NetWare 6.0.............................................. 109
If You Are Upgrading BorderManager ............................................................................. 133
NetWare 6.5 – Automatic Cache Volume Selection / Creation ....................................... 134
Example Installation of BorderManager 3.7 on NetWare 6.0.............................................. 137
If You Are Upgrading BorderManager ............................................................................. 145
Fresh Install of BorderManager 3.7 ................................................................................. 146
Installation, Continued (Fresh Install or Upgrade Situation)............................................ 151
Post-Installation Procedures for BorderManager 3.7 or 3.8................................................ 154
Installing BorderManager 3.7 or 3.8 Licenses with iManager ......................................... 154
The FILTSRV MIGRATE Procedure....................................................................................... 159
Starting BorderManager.......................................................................................................... 160
BorderManager 3.0 / NetWare 4.x ...................................................................................... 160
BorderManager 3.7/3.8 / NetWare 5.x/6.x .......................................................................... 162
General Installation Notes....................................................................................................... 164
Working Around Licensing Startup Delays.......................................................................... 164
BorderManager 3.0, 3.5 and 3.6...................................................................................... 164
BorderManager 3.7 and 3.8............................................................................................. 165
NDS –601 Error Messages At Startup ................................................................................ 165
Loading and Unloading BorderManager Manually.............................................................. 166
BMOFF.NCF (BorderManager 3.6 or Earlier).................................................................. 167
BMON.NCF (BorderManager 3.6 or Earlier) ................................................................... 167
BMON.NCF (BorderManager 3.6 or Earlier) ................................................................... 168
BorderManager Licenses........................................................................................................ 169
What Are NLS Licenses? .................................................................................................... 169
NLS Issues .......................................................................................................................... 170
MLA Licenses...................................................................................................................... 171
Changing Out A BorderManager Server................................................................................. 173
Concerns ............................................................................................................................. 173
Concept ............................................................................................................................... 173
Procedure 1 – Primary IP Addresses Used ........................................................................ 173
Procedure 2 – Secondary IP Addresses Used.................................................................... 175
Critical BorderManager-Related Files..................................................................................... 178
Configuration Tools ............................................................................................................. 178
INETCFG.NLM ................................................................................................................ 178
NIASCFG.NLM ................................................................................................................ 178
VPNCFG.NLM ................................................................................................................. 178
BRDCFG.NLM................................................................................................................. 178
FILTCFG.NLM ................................................................................................................. 178
INSTALL.NLM.................................................................................................................. 178
NWCONFIG.NLM ............................................................................................................ 178
SYS:\PUBLIC\WIN32\NWADMN32.EXE......................................................................... 179
SYS:\PUBLIC\MGMT\CONSOLEONE\1.2\BIN\CONSOLEONE.EXE ............................ 179
iManager 2.0.................................................................................................................... 179
iManager 1.5.................................................................................................... 179
CRON.NLM...................................................................................................................... 180
Novell Remote Manager (NRM) ...................................................................................... 180
Data Files ............................................................................................................................ 180
SYS:\ETC\HOSTS........................................................................................................... 180
SYS:\ETC\GATEWAYS................................................................................................... 180
SYS:\ETC\RESOLV.CFG ................................................................................................ 180
SYS:\ETC\TCPIP.CFG .................................................................................................... 180
SYS:\ETC\NETINFO.CFG............................................................................................... 181
SYS:\ETC\FILTERS.CFG................................................................................................ 181
SYS:\ETC\CRONTAB...................................................................................................... 181
SYS:\ETC\PROXY\PROXY.CFG .................................................................................... 181
Startup Files ........................................................................................................................ 181
C:\CONFIG.SYS.............................................................................................................. 181
C:\AUTOEXEC.BAT ........................................................................................................ 182
C:\NWSERVER\STARTUP.NCF ..................................................................................... 182
SYS:\SYSTEM\AUTOEXEC.NCF ................................................................................... 182
Troubleshooting Tools......................................................................................................... 182
TCPCON.NLM................................................................................................................. 182
CALLMGR.NLM............................................................................................................... 182
PPPTRACE.NLM............................................................................................................. 182
Keeping BorderManager Up-to-date....................................................................................... 183
Patches............................................................................................................................... 183
PROXY.CFG Settings ......................................................................................................... 183
The BorderManager 3.5 Enhancement Pack...................................................................... 184
Tips For Getting NWADMN32 To Work With BorderManager Server.................................... 185
Rename the ACNWAUTH.DLL Snapin ............................................................................... 185
Get The Latest Version of NWADMN32.............................................................................. 185
Fix Invalid BorderManager Snapin Modules Errors ............................................................ 185
Fix “No BorderManager Licenses Available” Messages ..................................................... 185
What snapins should I have? .............................................................................................. 186
BorderManager 3.8 / NetWare 6.0 .................................................................................. 186
BorderManager 3.7 / NetWare 6.0 .................................................................................. 187
BorderManager 3.6 / NetWare 5.1 .................................................................................. 188
BorderManager 3.5 / NetWare 5.0 .................................................................................. 189
BorderManager 3.0 / NetWare 4.11 ................................................................................ 190
CHAPTER 4 – UNDERSTANDING PACKET FILTERING ....................................................... 191
Default Packet Filters.............................................................................................................. 192
The BorderManager 3.x Default Packet Filters................................................................... 192
Outgoing RIP Filters: ....................................................................................................... 192
Incoming RIP Filters ........................................................................................................ 193
Outgoing EGP Filters:...................................................................................................... 193
Incoming EGP Filters....................................................................................................... 193
OSPF External Route Filters ........................................................................................... 193
Packet Forwarding Filters ................................................................................................ 193
Packet Filter Exceptions ......................................................................................................... 194
What are the Default Packet Filter Exceptions?.................................................................. 194
BorderManager 3.0, 3.5 and 3.6...................................................................................... 194
BorderManager 3.7.......................................................................................................... 196
BorderManager 3.8.......................................................................................................... 198
Using iManager to View Filtering Information ......................................................................... 201
CHAPTER 5 – THE INITIAL CONFIGURATION....................................................................... 205
BorderManager Setup Main Menu.......................................................................................... 207
BorderManager IP Address Configuration.............................................................................. 209
Secondary IP addresses used on BORDER1..................................................................... 211
Authentication Context (Proxy Authentication) ....................................................................... 212
Concept ............................................................................................................................... 212
Configuration ....................................................................................................................... 212
Proxy Authentication Settings ............................................................................................. 213
40-bit, 56-bit and 128-bit Encryption ................................................................................... 218
Using Proxy Authentication on the Client with CLNTRUST................................................ 220
CLNTRUST Problem Work-Around................................................................................. 221
Configuring SSL Proxy Authentication ................................................................................ 223
Creating a Security Container.......................................................................................... 224
Creating a Certificate Authority, pre-NetWare 5.1........................................................... 225
Creating a Certificate Authority, with NetWare 5.1 or 6.x................................................ 227
Creating a Key Material Object for BorderManager with NWADMN32........................... 228
Assigning the Key Material Object for SSL Proxy Authentication ................................... 237
Using SSL Proxy Authentication...................................................................................... 238
Test Conditions................................................................................................................ 239
The SSL Proxy Authentication Login Screen (HTML) ..................................................... 240
BorderManager 3.8 SSL Proxy Authentication Login Screen (HTML) ............................ 242
Cookie-based Proxy Authentication .................................................................................... 244
Proxy Authentication For Citrix and Terminal Servers ........................................................ 245
Concept........................................................................................................................... 245
Pros................................................................................................................................. 245
Cons................................................................................................................................ 245
Configuring Terminal Server Authentication.................................................................... 246
PROXY.CFG Configuration ............................................................................................. 246
DNS Parameters..................................................................................................................... 249
Transport................................................................................................................................ 251
CHAPTER 6 - HTTP PROXY..................................................................................................... 253
Concepts ................................................................................................................................ 253
Pros........................................................................................................................................ 253
Cons....................................................................................................................................... 254
How BorderManager HTTP Proxy Works With DNS.............................................................. 255
How Browsers Are Configured For HTTP Proxy .................................................................... 259
Internet Explorer.................................................................................................................. 260
Mozilla 1.5 ........................................................................................................................... 262
Opera 7............................................................................................................................... 264
Netscape 4.7 ....................................................................................................................... 265
HTTP Proxy Details ................................................................................................................ 267
HTTP .................................................................................................................................. 267
Cache Hierarchy Server ...................................................................................................... 269
Cache Hierarchy Client ....................................................................................................... 270
No Cache Hierarchy ........................................................................................................ 270
Cache Hierarchy Client Set ............................................................................................. 270
Cache Hierarchy Client Set ............................................................................................. 271
Cache Hierarchy Routing .................................................................................................... 272
No Cache Hierarchy ........................................................................................................ 272
Cache Hierarchy Configured ........................................................................................... 273
Logging............................................................................................................................... 274
Common Logging ............................................................................................................ 274
Extended Logging............................................................................................................ 276
Indexed Logging .............................................................................................................. 277
HTTP Proxy Caching .............................................................................................................. 279
Cache Aging........................................................................................................................ 279
Cache Control ..................................................................................................................... 280
Cache Location ................................................................................................................... 282
Cacheable Object Control ..................................................................................... 285
Entering a Non-Cacheable URL Pattern ......................................................................... 286
Clearing the Proxy Cache................................................................................................ 287
Scheduled Downloads......................................................................................................... 288
Entering a URL to download on a schedule .................................................................... 289
Set Download Frequency ................................................................................................ 290
HTTP Proxy - SOCKS Client .................................................................................................. 291
Concept ............................................................................................................................... 291
Pros .................................................................................................................................... 291
Cons ................................................................................................................................... 291
Setting Up a Cache Hierarchy ................................................................................................ 294
Concept ............................................................................................................................... 294
CERN Configuration, BorderManager Server as a Client................................................... 295
ICP Cache Hierarchy........................................................................................................... 297
Cache Hierarchy Routing Exceptions ................................................................................. 298
CHAPTER 7 - TRANSPARENT PROXY................................................................................... 301
Transparent Proxy (HTTP)...................................................................................................... 301
Concept ............................................................................................................................... 301
Pros................................................................................................................................. 301
Cons................................................................................................................................ 301
Configuring Transparent Proxy ........................................................................................... 303
BorderManager 3.0 Transparent Proxy configuration menu ........................................... 303
BorderManager 3.5 and Later Transparent Proxy configuration menu........................... 304
Transparent TELNET Proxy.................................................................................................... 307
Concept ............................................................................................................................... 307
Configuring Transparent TELNET Proxy ............................................................................ 308
User Authentication ............................................................................................................. 310
Transparent TELNET Proxy Usage .................................................................................... 311
Example 1 – No User-based Authentication Required.................................................... 311
Example 2 – NDS-Based User Authentication ................................................................ 312
CHAPTER 8 - FTP PROXY........................................................................................................ 315
Concept.................................................................................................................................. 315
Pros........................................................................................................................................ 315
Cons....................................................................................................................................... 315
Alternative For ACTIVE (PORT) FTP ..................................................................................... 315
Configuring FTP Proxy............................................................................................................ 316
User Authentication ............................................................................................................. 316
Clear Text User/Password............................................................................................... 316
Single Sign On................................................................................................................. 316
FTP Proxy Usage.................................................................................................................... 317
Example 1 – No User-based Authentication Required, DOS FTP Client ........................... 317
Example 2 – User-based Authentication Required, DOS FTP Client ................................. 319
Example 3 – User-based Authentication Required, CuteFTP Client .................................. 324
Example 4 – User-based Authentication Required, WS_FTP Client .................................. 326
All Examples, FTP Proxy Statistics Screen......................................................................... 327
CHAPTER 9 - MAIL PROXY...................................................................................................... 329
Concept.................................................................................................................................. 329
Pros........................................................................................................................................ 329
Cons....................................................................................................................................... 329
An Alternative......................................................................................................................... 330
A GWIA Alternative ................................................................................................................. 330
Configuring Mail Proxy............................................................................................................ 331
No Internal Mail Server, Mail Through Proxy ...................................................................... 331
Internal Mail Server, All Mail Through Proxy....................................................................... 333
PROXY.CFG Settings for Mail Proxy .................................................................................. 336
BorderManager 3.5 through 3.7 ...................................................................................... 336
BorderManager 3.8, With Multiple Domain Support........................................................ 336
GWIA Example Settings...................................................................................................... 338
Access Rules to Allow POP3 Through Mail Proxy.............................................................. 339
Inbound POP3 to Internal Mail Server............................................................................. 339
Outbound POP3 to External Mail Server......................................................................... 340
Access Rule To Allow SMTP Through Mail Proxy .............................................................. 341
Access Rules to Control Use of Mail Proxy......................................................................... 342
Internal Mail Server.......................................................................................................... 342
No Internal Mail Server .................................................................................................... 342
Access Rule Examples.................................................................................................... 343
Filter Exceptions Required for Mail Proxy with Internal Mail Server ................................... 346
Filter Exceptions Required for Mail Proxy with Internal Mail Server ................................... 346
SMTP Filter Exceptions ................................................................................................... 346
POP3 Filter Exceptions.................................................................................................... 348
CHAPTER 10 - NEWS PROXY.................................................................................................. 351
Concept.................................................................................................................................. 351
Pros........................................................................................................................................ 351
Cons....................................................................................................................................... 351
Using News Proxy With An External NNTP Server ................................................................ 352
Access Rules Blocking Posting ....................................................................................... 354
Access Rules Blocking Reading...................................................................................... 355
CHAPTER 11 - REAL AUDIO PROXY...................................................................................... 357
Concept.................................................................................................................................. 357
Pros........................................................................................................................................ 357
Cons....................................................................................................................................... 357
BorderManager 3.0 Settings ................................................................................................... 358
BorderManager 3.5 & Later Settings ...................................................................................... 359
BorderManager 3.0 RealAudio Proxy Access Rule................................................................ 360
BorderManager 3.5 & Later RealAudio and RTSP Access Rule............................................ 361
RealOne (Free) Player Configuration ..................................................................................... 362
RealPlayer G2 Configuration .................................................................................................. 366
CHAPTER 12 - DNS PROXY..................................................................................................... 367
Concept.................................................................................................................................. 367
Pros........................................................................................................................................ 367
Cons....................................................................................................................................... 367
An Alternative......................................................................................................................... 367
Configuring DNS Proxy........................................................................................................... 369
CHAPTER 13 - GENERIC TCP PROXY.................................................................................... 371
Concept.................................................................................................................................. 371
Pros........................................................................................................................................ 371
Cons....................................................................................................................................... 371
Configuring Generic TCP Proxy.............................................................................................. 373
Example for Novell Remote Manager..................................................................................... 375
Generic Proxy Configuration for Novell Remote Manager.................................................. 375
Access Rule Configuration for Novell Remote Manager..................................................... 377
Example for iManager............................................................................................................. 378
Generic Proxy Configuration for iManager.......................................................................... 378
Access Rule Configuration for iManager............................................................................. 379
Example for NetWare Web Manager...................................................................................... 380
Generic Proxy Configuration for Web Manager .................................................................. 381
Filter Exceptions for Web Manager..................................................................................... 382
Browser Configuration for Web Manager............................................................................ 384
Access Rule Configuration for Web Manager..................................................................... 385
Example For NNTP with Port Translation............................................................................... 386
Generic Proxy Configuration for NNTP............................................................................... 387
Access Rule Configuration for NNTP.................................................................................. 388
Outlook Express Configuration............................................................................................ 389
Agent /Free Agent Configuration......................................................................................... 397
Example Generic TCP Proxy for Inbound pcANYWHERE..................................................... 398
Generic Proxy Configuration for pcANYWHERE................................................................ 399
CHAPTER 14 - GENERIC UDP PROXY ................................................................................... 401
Concept.................................................................................................................................. 401
Pros........................................................................................................................................ 401
Cons....................................................................................................................................... 401
Generic UDP Proxy - Time Server Proxies............................................................................. 403
Configuring A Generic UDP Proxy for NTP......................................................................... 404
Configuring a Generic UDP Proxy for RDATE.................................................................... 405
Example Generic UDP Proxy for Inbound pcANYWHERE .................................................... 406
CHAPTER 15 – ACCELERATION (REVERSE PROXY) .......................................................... 409
Concept.................................................................................................................................. 409
Pros........................................................................................................................................ 409
Cons....................................................................................................................................... 410
Using The Primary Public IP Address..................................................................................... 410
Configuring Reverse Proxy Acceleration ............................................................................ 411
Using a Secondary Public IP Address ................................................................................ 414
Filter Exceptions Needed for Reverse Proxy Acceleration.............................................. 414
Access Rule Required for Reverse Proxy Acceleration .................................................. 418
FTP Acceleration .................................................................................................................... 419
Concept ............................................................................................................................... 419
Pros .................................................................................................................................... 419
Cons ................................................................................................................................... 419
Configuration ....................................................................................................................... 419
CHAPTER 16 – THE GATEWAYS............................................................................................ 423
IPX/IP Gateway....................................................................................................................... 423
Concept ............................................................................................................................... 423
Pros .................................................................................................................................... 424
Cons ................................................................................................................................... 424
History of IPX/IP Gateway................................................................................................... 424
IntranetWare IPX/IP Gateway.......................................................................................... 424
BorderManager 2.1 IPX/IP Gateway ............................................................................... 425
BorderManager 3.x IPX/IP Gateway ............................................................................... 426
Client Settings For IP Gateway............................................................................................... 429
Use Proxy, No Authentication, No Rules, No Logging........................................................ 429
Use Proxy, Authentication, Access Rules and Logging ...................................................... 429
Use IP gateway, No Proxy, Access Rules and Logging ..................................................... 430
Installing IP Gateway Service on the PC ................................................................................ 431
IP/IP Gateway ......................................................................................................................... 434
Concept ............................................................................................................................... 434
Pros .................................................................................................................................... 434
Cons ................................................................................................................................... 434
Access Rules, Proxies and the IP/IP Gateway ................................................................... 435
IP/IP Gateway With Access Rules And Without Proxy.................................................... 435
IP/IP Gateway Without Access Rules And With Proxy.................................................... 435
IP/IP Gateway With Proxy and With Access Rules ......................................................... 435
Configuring IP/IP Gateway.................................................................................................. 436
SOCKS Gateway .................................................................................................................... 438
Concept ............................................................................................................................... 438
Pros .................................................................................................................................... 438
Cons ................................................................................................................................... 438
CHAPTER 17 – LEGACY SITE-TO-SITE VPN ......................................................................... 441
Introduction to BorderManager Legacy VPN.......................................................................... 441
Concept.................................................................................................................................. 441
Filter Exceptions Required...................................................................................................... 441
Setting Up the Master VPN Server ......................................................................................... 443
Configuration Tasks at the Server Console ........................................................................ 443
VPN IP and IPX Addressing Design Considerations .......................................................... 446
Setting Up The Master VPN Server, Continued.................................................................. 449
Configuring the VPN Master Server in NWADMN32 .......................................................... 461
Adding a Site-to-Site Slave VPN Server – Server Console Procedures ................................ 468
Adding a VPN Slave Server – NWADMN32 Procedures ....................................................... 482
CHAPTER 18 – LEGACY CLIENT-TO-SITE VPN .................................................................... 491
Concept.................................................................................................................................. 491
Setting Up VPN Servers ......................................................................................................... 492
BorderManager Client-to-Site VPN Access Rules .............................................................. 498
Configuring a Client-to-Site VPN Client PC ............................................................................ 505
VPN Client Connection Process – A Case Study ............................................................... 506
Step 1 – Try LAN VPN Client Connection to BORDER1................................................. 507
Step 2 – Repeat Test With Valid IP Address................................................................... 510
Step 3 – Install/Reinstall VPN Client Software ................................................................ 514
Step 4 – Try LAN VPN Client Connection to BORDER2................................................. 517
Step 5 – Create a Login Policy Object............................................................................. 520
Step 6 – Add Rule for VPN Authentication ...................................................................... 523
Step 7 – Try LAN VPN Client Connection to BORDER2 Again ...................................... 528
Client-to-Site VPN Using Pure IP Login.................................................................................. 530
Routing Issues..................................................................................................................... 530
Missing Default Route on Internal Hosts and Routers .................................................... 530
Incorrect Default Route on Internal Hosts and Routers................................................... 531
Missing Encrypted Network on VPN Server.................................................................... 531
Issues with Client-to-Site over Site-to-Site Links ................................................................ 532
Issue with BorderManager 3.5 and 3.6 with Client-to-Site VPN and Dynamic NAT ....... 533
Name Resolution (Service Location) Issues ....................................................................... 533
Making Use of SLP .......................................................................................................... 533
Using NWHOST Instead Of (Or In Addition To) SLP (Win9x Only) ................................ 534
Using the HOSTS File (All Windows Platforms) .............................................................. 535
The Importance of Client32 Protocol Preferences .......................................................... 536
The Bottom Line .................................................................................................................. 538
Client-to-Site VPN Over NAT .............................................................................................. 540
Disconnecting a Client-to-Site Connection.......................................................................... 540
CHAPTER 19 – BORDERMANAGER 3.8 SITE-TO-SITE VPN................................................ 541
Theory.................................................................................................................................... 541
Overview ................................................................................................................................ 542
Upgrade Considerations ......................................................................................................... 543
Network Diagram .................................................................................................................... 545
Prerequisites ........................................................................................................................... 546
Site-to-Site VPN...................................................................................................................... 547
Understanding Certificates and VPN .................................................................................. 547
Custom Server Certificates.............................................................................................. 547
User Certificates (for Client-to-Site VPN) ........................................................................ 548
Trusted Root Containers.................................................................................................. 548
Site-to-Site VPN - Summary of Major Steps ....................................................................... 548
Configure JACK as a VPN Server....................................................................................... 550
Configure JACK as the Master Site-to-Site VPN Server..................................................... 561
VPN Server Configuration ............................................................................................... 561
Configure Site-to-Site VPN Service................................................................................. 563
Configure MOE as a VPN Server........................................................................................ 574
Configure MOE as a Site-to-Site VPN Slave Server........................................................... 582
Prerequisites................................................................................................................... 582
Configuring MOE ............................................................................................................. 583
Adding MOE as a VPN Slave Server to the VPN................................................................ 592
Configuring Site-to-Site VPN Parameters ........................................................................... 604
General Parameters ........................................................................................................ 605
Traffic Rules..................................................................................................................... 606
3rd Party Traffic Rules ...................................................................................................... 607
Configure MANNY as a VPN Server Behind NAT .............................................................. 608
Configuration Steps Performed ....................................................................................... 608
Linksys Router Configuration (NAT Configuration) ......................................................... 609
VPN Certificate Details .................................................................................................... 613
Trusted Root Object in Slave Server NDS Tree.............................................................. 616
Trusted Root Object in Master Server NDS Tree............................................................ 617
Slave Server MANNY VPN Configuration ....................................................................... 618
Configuration of Slave Server MANNY on Master VPN Server ...................................... 619
Manually Creating A Trusted Root Object (TRO), Using ConsoleOne ............................... 622
Exporting JACK’s VPN Certificate to a .DER File using ConsoleOne............................. 623
Create MOE’s Trusted Root Object from a .DER File Using ConsoleOne...................... 629
Manually Creating A Trusted Root Object (TRO), Using iManager .................................... 634
Exporting MOE’s VPN Certificate to a .DER File using iManager................................... 635
Create JACK’s Trusted Root Object from a .DER File Using iManager.......................... 647
Manually Creating a Trusted Root Container (TRC)........................................................... 656
Using iManager 2.0.......................................................................................................... 656
Using ConsoleOne........................................................................................................... 659
Manually Creating a VPN Server Certificate ....................................................................... 662
Using iManager................................................................................................................ 662
Using ConsoleOne........................................................................................................... 678
CHAPTER 20 - BORDERMANAGER 3.8 CLIENT-TO-SITE VPN............................................ 691
Quick Summary ...................................................................................................................... 691
Limitations ............................................................................................................................... 692
NDS Context........................................................................................................................ 692
Traffic Rule Limitations........................................................................................................ 692
Authentication Rule Limitations........................................................................................... 692
LDAP Configuration............................................................................................................. 693
Configure A Server for Client-to-Site VPN.............................................................................. 694
Configure General Parameters ........................................................................................... 694
Configure Traffic Rules........................................................................................................ 701
Traffic Rules – Allow Admin User to All ........................................................................... 705
Traffic Rules - Allow VPN Users to All Hosts Except 10.1.1.50 ...................................... 711
Deny All Access to 10.1.1.50 Rule .................................................................................. 712
Traffic Rule - Allow VPN Users Group to All Hosts ......................................................... 716
Traffic Rule - Allow All Users in NDS Tree Access to 10.1.1.100 ................................... 719
Traffic Rule – Allow All Users to iFolder Server, Unencrypted........................................ 723
Configure Client-to-Site Authentication Rules..................................................................... 728
LDAP Configuration............................................................................................................. 734
DNS/SLP Configuration....................................................................................................... 735
Assign the Client-to-Site VPN Service to VPN Server JACK ................................................. 741
Novell VPN Client Installation And Configuration ................................................................... 747
Installing the Novell VPN Client........................................................................................... 747
Using BorderManager 3.8 VPN Client – Backwards Compatibility Mode .............................. 753
Using BorderManager 3.8 VPN Client – NMAS Authentication Mode.....................