---------------------------------------------------------------
NOV-BM.DOC -- 19980312 -- Email thread on Novell Border Manager
---------------------------------------------------------------

Feel free to add or edit this document and then email it back to faq@jelyon.com

Date: Mon, 3 Nov 1997 07:44:07 -0600
From: Tom Kustner
Subject: Re: Bordermanager configuration

>What hole is created by using NAT as opposed to an IP/IP or IP/IPX gateway?
>My main complaint with the IP/IPX gateway is that there are some
>restrictions as to what works. If an application isn't 'clean' winsock,
>it won't work. One example is the Win95 ftp...works fine with real IP
>but won't work with the IP/IPX gateway because the latter uses a different
>Winsock setup.
>
>I think the main reason for installing multiple BorderManager boxes would
>be to keep traffic local.

That would seem correct. At a BorderManager presentation I went to, the guy
said that if you were dealing with over 10,000 people, he would recommend
not using BM and using a Cisco router instead. He said that Novell has two
Pentium 166 boxes with, maybe, 128MB RAM each running BorderManager that are
sitting in front of Novell's external web site (probably mainly for proxying
at this point), so it would *seem* that BorderManager can really handle a
load.

------------------------------
Date: Fri, 7 Nov 1997 09:36:02 -0500
From: Jerry Shenk
Subject: Re: Logging Internet access

>We currently have a large network running Novell 3.12 (20 servers)
>and where most of the clients are Win95 or Wfwg 311. Recently, Netscape
>has been installed on most clients for access to the internet via a leased
>line connection.
>
>One of the big problems we are experiencing is users downloading software
>and saving in their home dir on the servers - this is causing many problems
>on server space and performance.
>
>Does anyone know of any software (that I could trial etc) that would log
>internet accesses, sites they have accessed?
>- I need to start auditing
>who is accessing what site - not necessarily stop them. Can I use
>BorderManager in any way?

Little Brother is GREAT for that.....I think the mfg is Kansman.

---------
Date: Fri, 7 Nov 1997 08:59:04 -0600
From: Lawrence Sobilo
Subject: Logging Internet access -Reply

Border Manager addresses this problem. You can set up FTP proxy service. We
use the Apache Web server for this. It requires these steps:

1. Change your router's packet filter to allow http and ftp requests only
   from the proxy server.
2. Modify all client browsers to use the proxy server.

---------
Date: Fri, 7 Nov 1997 13:28:44 -0600
From: "Steven D. Mitzel"
Subject: Re: Logging Internet access

I am using IwareConnect by Quarterdeck to gain access to the Internet. This
also lists who has been where, date, and how long they were at the site. You
can also restrict access.

---------
Date: Fri, 7 Nov 1997 17:18:49 -0800
From: Brandon Fouts
Subject: Logging Internet access

>We currently have a large network running Novell 3.12
>(20 servers) and where most of the clients are Win95 or Wfwg 311.

UPGRADE to IntraNetWare 4.11 and management of your entire system will get
easier. I use IPX/IP gateway and have log files for all Internet activity -
and only the gateway IP address to worry about (all workstations only use
IPX).

>One of the big problems we are experiencing is users
>downloading software and saving in their home dir on the
>servers - this is causing many problems on server space
>and performance.
>
>Can I use BorderManager in any way?

This is just one of the things Border Manager will do; you can use a "trial"
version for 45 days - contact your local Novell Office. I strongly suggest
all Internet users check out Border Manager - a whole suite of Internet
products that really do ROCK!
------------------------------
Date: Mon, 10 Nov 1997 10:36:40 -0600
From: Joe Doupnik
Subject: Re: Border Manager (NAT) - ftp to a few sites fails

>>>I have a site with Border Manager between the users (on private IP -
>>>10.0.0.0) and the internet. There are a few sites that will not allow ftp
>>>access.
>>>www.epa.gov
>>>www.pasda.psu.edu
>>>water.usgs.gov
>>>There may be a few more but this is a good start. In testing, I have
>>>consistently been able to connect to the server but I never get prompted for
>>>a username. If I am using a 'real' IP address, I do get a username prompt
>>>and it works fine.
>>-----------
>>  A number of sites run inverse lookups of clients, and perhaps ident
>>lookups too. If the responses are absent or inappropriate then access is
>>denied. That is in addition to filtering many of us employ to rebuff nasty
>>sites. You can see what is happening by capturing frames on the wire leading
>>to the world.
>>  This means maladjusted DNS servers can provide, or not, inappropriate
>>information. Check yours.
>>  Complaints about sites denying access should be directed to the
>>manager of those sites. But first ensure your site looks proper from the
>>outside. Recall, more sites are being careful about callers.
>>  Joe D.
>
>There is no inarpa set up for the IP address that this site is using. If I
>'ping -a [bordermanagerIPAddress]' I don't get a name resolved.....You're
>saying that's my problem, right?

Putting this into proper syntactical form, your DNS server improperly lacks
an in-addr.arpa structure for your site. It's not set up correctly and needs
fixing. DNS servers are important and require skill to configure, and there
should be more than one for your domain. You can also read the O'Reilly &
Assoc book on DNS and BIND.
  Joe D.

------------------------------
Date: Mon, 17 Nov 1997 07:50:57 +0000
From: Shad Sluiter
Subject: Re: BorderMgr and restrictions

>I know I can install CyberPatrol to filter internet access, but ...
>What I need to do is this.
>Set up certain sites which I want to be prohibited, and by default,
>everything else is OK. I believe that as soon as I enable the rules
>option, the default is to deny everything except explicit sites.
>Also, can I wildcard sites, to say *.site.com and have everything
>from that site denied (www.site.com, home.site.com, index.site.com
>etc)

My guess is that the proxy edition of Cyber Patrol has a list that is not
editable or even viewable. We used the LAN edition of CP which involved
installing some VXDs on each client computer. I was told by the company that
the CyberNOT list (list of restricted sites) is a binary file so that people
cannot make a copy of it and use it in other internet security products.

WHAT A DISASTER CYBER PATROL WAS TO US. I think Novell is making a big
mistake by joining forces with Microsystems Software (Cyber Patrol).
Updating the CyberNOT list caused a multitude of headaches. Our entire LAN
would freeze to a halt for hours while the list was updated. Restarting
client computers only made the problem WORSE. We went through four version
upgrades in less than a month. Every one of them caused a new problem.
Finally, we returned the disks to them and told them to forget the whole
project. I will never again buy any product from Microsystems Software if I
can help it.

We now use a product called BESS from N2H2. It has worked very well.

---------
Date: Tue, 18 Nov 1997 05:38:06 -0500
From: Jerry Shenk
Subject: Re: BorderMgr and restrictions

>You do have the option of packet filtering when installing
>BorderManager. If you choose to restrict packets, it will filter
>packets between one NIC and the public interface, either another NIC,
>or ISDN etc. But it doesn't offer any options I can see regarding
>URLs.

There is a BorderManager plug-in that allows you to manage that stuff from
Win95.
Once you install the plugin (probably under SYS:PUBLIC\BRDRMGR or something
like that), then you can look at the details for the server that has Border
Manager installed and you will see some extra tabs. That's where you can
restrict access to certain URLs or IP addresses for specific users, groups
and times. You have a LOT of control over where people go.

------------------------------
Date: Thu, 20 Nov 1997 19:48:20 -0500
From: Jerry Shenk
Subject: Re: Border Manager

It works...the slower the LAN connection (relative to usage), the more
dramatic the speed improvement. On an ISDN line, it's nothing short of
amazing. On a T1 it's merely a lot faster. The web is 70% static data
(according to somebody's guess...that seems a little low to me). It's
nothing short of amazing and it's relatively simple to install.

>I'd like to contact some people that are using Novell Border Manager. I'd be
>grateful for your reply.

------------------------------
Date: Fri, 21 Nov 1997 05:48:13 -0500
From: Jerry Shenk
Subject: Re: BorderManager - monitor license use

>>How do you know how many licenses are in use?
>
>Shouldn't be *any* unless you're 1) using the IPX/IP or IP/IP Gateway, and
>2) only if you've implemented NDS access restrictions. And then it should
>show up as a licensed connection in the MONITOR statistics screen. (I
>haven't tested this -- my answer is based on theory only. I haven't
>implemented Border Manager yet using anything other than NAT, which doesn't
>use licensed connections.)

The proxy part is also licensed. I talked with Novell about this...it's not
an enforced license. You're supposed to estimate the number of concurrent
proxy users and update that as necessary. I think the hard part is knowing
how to count usage and defining concurrent. I think my browser is set up to
use 6 connections...how about running two copies of the browser?
In thinking about this, I considered counting IP addresses but that wouldn't
work either because you can use the IP/IPX gateway and still use the proxy
server to cache and police things. Anyway, they don't enforce it and it's
not displayed on any of the screens.

------------------------------
Date: Mon, 24 Nov 1997 14:58:30 -0500
From: Rik Thomas
Subject: Re: BGP

>Does anyone have more info on BGP? Just the basics will be fine.

[Floyd: Border Gateway Protocol]

This is written by a friend of mine. I believe this article appeared in
BoardWatch Magazine. Avi is the source: He owns Netaxs, Inc.

http://www.netaxs.com/~freedman/bgp/bgp.html

------------------------------
Date: Wed, 26 Nov 1997 19:56:29 -0500
From: Nathan Durland
Subject: Re: BorderManager

>Because we have an intranetwork (with some segments of unix-server
>and unix-user) I thought about the Border Manager from Novell.
>When I have got the pricelist, I saw that the price is separated by the
>number of users. 5, 20, 100, 1000 user-licences and the server needs
>the same Novell-Intranet licence also. Expensive.
>
>A licence by the number of users for a packet filter??
>Or is it for special services inside the BorderManager packet?
>What can I use with a 2er licence? The packet filter only?

Border Manager would likely be a great choice, but remember a few things:

Border Manager is not just a "packet filter". It is complete management of
all your users' access to internet resources; logging of events; caching of
often used web pages; IP-TO-IP NAT; IP-TO-IPX gateway; communication server
(dial-up networking).

Border Manager is licensed by the number of "managed" users. You can have a
1000 user Border Manager running on a NetWare run-time box. All of the
managed users *must* be in your NDS tree. If you have any Unix users who are
not also in your NDS database, you will not be able to apply many of the
management tools of BorderManager.
If all you want is a cheap, down & dirty packet filter/ip-to-ip translator,
you should check out GnatBox. It will run on an 8MB 386, and has flat
pricing.

------------------------------
Date: Sun, 30 Nov 1997 05:30:42 +0000
From: Jed Proujansky & Joan Deely
Subject: Re: Border Manager Licensing.

You buy licenses to the Border Manager product. It accesses a NetWare server
(can be the same or different machine). Your access to the server is counted
by Border Manager. Therefore if you have a 100 user Border Manager and a 2
user IntranetWare 4.11 you can have 100 people accessing the NetWare 4.11
server. Border Manager comes with a 2 user version of IntranetWare.

Border Manager Add On server (which is put on the other side of a WAN) has
no license limitations, but also uses the Border Manager licensing. So a 100
user Border Manager can yield 50 local users, and 50 users at the add on
server site (or 60/40 etc.). You can have several add on servers with one
Border Manager. If the link between the two sites goes down, you can still
access the add on server site and there are no license restrictions in
effect.

Add On server is a full IntranetWare 4.11 server, without physical license
restrictions. This does not mean that you are legally allowed to have as
many people log in as you want; your legal obligation is to have the Border
Manager license count be greater than or equal to the number of concurrent
users that are logged in through the Border Manager or the add on server(s).

This is as it was told to me at a Novell Border Manager Seminar.

------------------------------
Date: Tue, 9 Dec 1997 09:20:37 -0800
From: Craig Willox
Subject: Border Manager

>I would like to restrict access to the Internet without using the
>IP/IP or IPX/IP gateways. I set it up the way I think that it should
>be, but can still get to the Internet by taking out the proxy addresses
>in Netscape. I don't want the users/students to be able to do that. Am
>I missing something?
After you have NAT set up, you have to load brdcfg.nlm and enable filters.
This will restrict all access not going through the proxy. The online docs
that come with NBM take you through this procedure. If you've done this and
it still isn't working, you probably have a setup problem. Good luck.

------------------------------
Date: Tue, 16 Dec 1997 17:41:30 -0600
From: Joe Doupnik
Subject: Re: Border Manager DNS Error

>Every now and then our Border Manager Proxy box returns an error 504.
>
>A search of Novell's TIDs produced a filename to correct this -
>ftcpsv08.exe. Something to do with FTP or NW/IP services. I can't locate
>this file on the site.

Get file nsd\FTCPSV09.EXE, the current temp tcpip.nlm file. This file also
defends against the "self-SYN" (my name) denial of service attack from the
crazies (aka, the land program).
  Joe D.

------------------------------
Date: Tue, 13 Jan 1998 16:45:09 -0200
From: Diego Deboni Rossetto
Subject: Re: Bordermanager

>Bordermanager was installed in an Intranetware server and after
>installation I received BRDSRV.NLM message "Unable to read configuration
>for NDS -603 error". After I install BMSPA2.EXE - Bordermanager Support
>Pack 2A - dated january 7 1998, nothing changed.

Perhaps this could help you: If your BM configuration is damaged, you may
clean all BM NDS settings using BRDREMOV.NLM. This would erase BM NDS
settings, but will not touch BM files. After this, you will need to
re-configure BM. Has been useful here. It's available from
support.novell.com, file name BRDREM1.EXE.

------------------------------
Date: Wed, 14 Jan 1998 21:04:32 -0500
From: "Nathan (Bud) Durland"
Subject: Re: Monitoring users who change IP Addresses...

>There are several users here changing their IP addresses, so they
>believe they can not be caught, and proceed to internet sites which
>management deems inappropriate...

Sounds like a job for (trumpets blaring..) BorderManager!
---------
Date: Wed, 14 Jan 1998 18:14:05 +0000
From: Randy Richardson
Subject: Re: Monitoring users who change IP Addresses...

>Does anyone know how to monitor &/or prohibit users from changing their
>IP address?
>
>There are several users here changing their IP addresses, so they
>believe they can not be caught, and proceed to internet sites which
>management deems inappropriate...

Install IPX/IP gateway, with logging enabled, and remove TCP/IP from that
segment of the network. The other alternative is to implement policies
(pointless in Windows 95, but Windows NT Workstation stops the majority),
but if your users are at the level where they can reconfigure network
settings, then you can bet that they'll find backdoors around policies as
well.

What are your users trying to hide?

------------------------------
Date: Thu, 22 Jan 1998 17:06:15 -0600
From: Tom Kustner
Subject: Re: BorderManager Problems

>I have installed Bordermanager on a 4.11 server. I also have applied
>BMSP2A. When I did the initial configuration I turned on the ip/ipx
>gateway and installed it as a deny all default rule. Now when I create a
>rule that allows an individual user access to any, it does not work. If I
>add a rule that allows any to any it does. I have looked at the audit logs
>and when the individual user rule is used I get a "user xxxx is not allowed
>access to ip address x.x.x.x" message. I have even tried giving the user
>explicit access to x.x.x.x but it still does not work. I am waiting until
>bordermanager syncs with the database and it tells me that it has read the
>correct amount of rules but still does not work. Does anyone have any
>ideas on how to get this to work?

Something brought up here at TechShare '98 this afternoon by a Novell wizard
named Doc Hodges was to make sure your rules are in the right order. If your
"Deny all" rule is listed first on the screen, it will take precedence over
any "Allow" rules that follow for the given individual(s).
It is very important to remember that the rules are processed in order.
That's why the "Allow all" rule for ADMIN should always be on the top. 8^)

------------------------------
Date: Thu, 12 Feb 1998 14:07:00 -0500
From: "ROY, LEONARD"
Subject: Re: BorderManager & Inte/Intranet monitor

>I am not familiar with BorderManager, but for those of you that may use
>it I just have a question for you-
>
>In our mixed Netware 3.x/4.x and NT (acting as the main DNS/DHCP server)
>environment we want to track what users are accessing what Internet
>sites (and Intranet locations on our WAN - our Intranet runs on an NT4
>server). Currently we use a product called 'On Guard' by On Technology
>which works OK.
>
>Do you know if BorderManager would allow us to monitor what users are
>accessing what web sites (Internet and Intranet based)? Also, how does
>BorderManager link sites to a user (ie Win95 Computer Name, IP address
>only, Netware Username, etc)?

When you use authentication through Bordermanager, the users will get a
prompt to enter their tree ID and proxy password when they first try to web
browse. Bordermanager uses this ID as the source in its log files.

Except that it really doesn't. Out of the box, BM is busted, and the field
for the user ID is blank in the log files. Ok - patch to BMSP1A - still
busted. Ok - patch to BMSP2A - now the user ID is actually in the log file,
(and about five zillion other problems are fixed). Except that now BM is
unstable, and will crash, so back off 2A.

So - BM will not at this point track internet access by user ID - just by IP
address. For most people, this is useless - freeware proxies could do that
much. BM Fastcache does write the logs out correctly, so if you just want a
proxy server for performance reasons and a log of who goes where, use that
instead. If you need the rules functionality of BM to limit access by
user/group/destination/whatever, or any of the other BM features, you're
screwed.
YMMV - I haven't spent a whole lot of time seeing if there are workarounds,
since providing Internet access logs is a (very) low priority to me.

There are other issues that make Bordermanager tough to roll out in large
environments right now. Inability to set default contexts to authenticate
to, no method for changing proxy passwords other than NWAdmin or that
all-or-nothing .NLM they're testing. I'm also not happy that there is a
separate

------------------------------
Date: Thu, 5 Mar 1998 10:47:48 -0600
From: Darren Rogers
Subject: Re: BorderManager Help Needed.

>I will be installing BorderManager for the first time some time next
>week. I have the Online docs but they still leave me wondering about
>certain things. First of all, I saw in the Groupwise documentation that
>the web access agent for groupwise should be loaded on the dirty side of
>the firewall. Which means to me that I must put a server on the dirty
>side of the firewall. Being that it is outside it has very limited
>usefulness for anything other than Webaccess. My question is can it be
>loaded on the same server that is running Bordermanager which will be
>our firewall? Also does anyone here know if the GWIA agent has to be
>outside the firewall too?
>
>Those 2 are side questions. The main question regards connecting 2
>sites via VPN in BM. Both sites have 56K leased line to the internet.
>Both will be running BM as a firewall. I know within BM you can use VPNs
>to connect two sites. The question is 1) if the only thing these sites
>will share is the same tree and once in a blue moon some data is there
>any need to use VPNs because after all it will all be in IPX over IP (I
>am assuming server to server communication is via IPX). Also, if I use
>VPN does it need its own NIC or does it use the regular public NIC (I am
>pretty sure it uses public)? Does anyone know of any good documentation
>on BM other than what ships with it?
See if you can get your hands on a copy of the February Netware Connections
magazine; it has a great article detailing the usage of BM for VPNs.

---------
Date: Thu, 5 Mar 1998 14:12:23 -0500
From: CHENGD1
Subject: Re: BorderManager Help Needed.

Also available at http://www.novell.com/nwc/feb.98/vpn28/index.html

------------------------------
Date: Mon, 9 Mar 1998 09:23:00 -0500
From: David Weaver
Subject: Re: BorderMgr, NetConnect & NAT

>I have a BorderManager server that has a public NIC, a private NIC and 4
>dialin ports also on the private side. Access from the dialin connections
>to the public side is horribly slow and if I do a trace, I see the same
>information being passed multiple times and lots of checksum errors. I have
>everything patched up to date.
>
>This BorderManager installation was installed a few months ago and the modem
>pool users were able to get to the internet without any problem until
>recently. That actually surprised me - according to some TID, NetConnect
>doesn't really come under the control so NAT doesn't work. I told them when
>we installed it that they'd only be able to get to their IP boxes on the
>inside - that was fine with them since that's all they wanted...but much to
>my surprise, it worked anyway...but now it doesn't. Anybody have any ideas
>what I could do to make it work again?

Are Cisco routers involved? Seems there are some issues with Cisco IOS
release 11.2 that could be the culprit.

http://hq.svzserv.kemerovo.su/cisco/software-doc/data/doc/software/11_2/relnotes/rn112.htm#HDR70

------------------------------
Date: Wed, 11 Mar 1998 13:34:33 -0000
From: Eliot Mansfield
Subject: Re: Bordermanager Netscape Mail

>>>I have installed BM & dynamic only NAT. I have also installed the
>>>filter exceptions as laid out in TID 2933125 for allowing Netscape
>>>mail through. I have checked and rechecked and the filters are exactly
>>>as they are in the TID, but Netscape mail still cannot get through to
>>>my ISP.
>>
>>Are you sure your Network Address Translation is working OK?
>>I've had problems with it. The binding order in \etc\TCP.CFG can get
>>confused. There's a TID on it.
>>
>>1) Use the Set tcp ip debug=1 command, to ensure that the translation
>>is occurring.
>>2) Can you ping your isp using a dns name from your workstation?
>>3) Have you correctly set up the rules for mail in BOTH directions?
>>I followed the TID myself and it worked fine. (It took a bit of
>>time! Re-check your work)
>>
>>I've got MS internet mail working thru BM, with NAT with only one
>>problem; I could collect my mail but not send mail via my isp's mail
>>server. This is because my email account with the isp is supposed to
>>be a dial-up account, and when I was using the Bordermanager, I was
>>using my company's leased line into the internet.
>>So when I sent mail, my isp's mail server thought I was trying to
>>'relay' mail, so of course it blocked it. So I used another
>>mailserver to relay the mail out onto the internet and all was fine.
>
>Thanks for responding. Checked out TID 2930569 per your suggestion and
>sure enough the bindings were in the wrong order. I changed it and
>still no mail.
>
>I'm not sure as to what I should see with tcp ip debug. Can you give
>me a hint? I definitely do not see any of the ports that I put into the
>filter exceptions.
>
>No, I can't ping my ISP's mail server using a DNS name nor an IP
>address for that matter. Am I supposed to? It does convert the name
>to the correct IP address, so it looks like the DNS query is getting
>through.
>
>I think the ICMP packets are filtered coming back so the pings timeout.
>Is this what is supposed to happen? If I go by the netscape windows it
>looks like it is contacting the server but it is not responding which
>would tell me that the replies for pop3 are not coming through the
>filters. Does this sound right to you?
>
>I have checked the filter exceptions several times and they all look
>as the TID says they should.
You need to take a look at your \etc\filters.cfg file; they should look
similar to mine. The reason that you can't ping is because you haven't
allowed pings to go through the firewall. You need to allow ICMP through
the firewall. The most secure way of doing it is to allow only ICMP to and
from a specific machine on your side of the LAN, to a specific machine on
the internet, say your ISP's DNS server or similar.

The other thing that I usually do when I get stuck with filters is to
disable them temporarily: go into filtcfg, and DISABLE IP packet forwarding
filters, then see if your apps work. It usually cuts the fault in half.
(Remember to re-enable them.)

One other thing to check is in INETCFG: go into the bindings for the LAN
card and make sure that IP packet forwarding is enabled. I know that you
think that it should be disabled, but you enable forwarding and rely on the
filters to do the rest. This one caught me out!

(NOTE: These are only the defined packet types; I have not included the
actual rules for security reasons.)

PROTOCOL-SERVICE IP, DNS RESPONSE IN, pid=UDP port=1024-65535 srcport=53, INBOUND DNS QUERY
PROTOCOL-SERVICE IP, DNS QUERY OUT, pid=UDP port=53 srcport=1024-65535, OUTBOUND DNS QUERY
PROTOCOL-SERVICE IP, POP3 QUERY OUT, pid=TCP port=110 srcport=1024-65535, POP3 QUERY OUT
PROTOCOL-SERVICE IP, POP3 RESP BACK, pid=TCP port=1024-65535 srcport=110, POP3 RESPONSE BACK
PROTOCOL-SERVICE IP, SMTP QUERY OUT, pid=TCP port=25 srcport=1024-65535, SMTP QUERY OUT
PROTOCOL-SERVICE IP, SMTP RESP IN, pid=TCP port=1024-65535 srcport=25, SMTP RESP IN

------------------------------
Date: Thu, 12 Mar 1998 05:21:53 -0500
From: Jerry Shenk
Subject: Re: Border manager question

>I need to connect a customer's networks over a WAN. The LANs are
>Intranetware and the sites are about 30-70 km apart. There are 4
>sites all together.
>I'd like to keep this an all Novell installation so I've been
>thinking about Border Manager.
>
>If there is some good documentation pertaining to this problem could
>you kindly point me towards it.
>
>The company needs to share a database on one of the servers. Also
>normal file transfer is needed.
>
>1. Do I need as many BM licenses as there are licenses on the server?
>2. Will the server (and its volumes) on one location be visible on
>the other sites if I set up a VPN?
>3. What kind of hardware do I need for the server. One more NIC and a
>router and....????
>4. Should I merge the NDS trees on the different sites into one?

1. No. BorderManager licenses are licensing the gateways (IP/IP & IP/IPX)
and the proxy cache for concurrent usage. 'Concurrent' on the http proxy is
a little vague - when I fire up my browser, I often grab 4 connections and
then when the page is pulled in and I'm reading the page, the connections
will drop back off to 0. We generally put in the number of licenses to
match the expected number of simultaneous, active web browsers. This is NOT
official from Novell....that's been sketchy. This is MY interpretation of
the license agreement mixed with how it actually works.

2. Yes (if you want). VPN will extend the private network through the
tunneled network so that the remote and local users will all be 'together'.
Obviously you want to plan resource location to keep traffic off the
VPN...just like you would for any WAN but even more so.

3. Doesn't need to be particularly beefy. BorderManager's proxy cache can
use a lot of drive space if there is a lot of http activity. Private and
public NICs make sense.

4. Given no information, I probably would. That depends more on how you do
business and the size of the business than anything.

------------------------------
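Editor's note, added after the thread and not part of any message in it: Tom Kustner's 22 Jan 1998 reply explains that BorderManager access rules are processed top to bottom, so a "Deny all" listed first shadows every "Allow" that follows. The following is an added illustration of first-match evaluation in Python, not BorderManager or Novell code; the Rule fields, rule sets, user names and addresses are constructed for the example, and the audit line format only echoes the "user xxxx is not allowed access to ip address x.x.x.x" message quoted in that thread.

```python
"""Added example (not BorderManager code): a first-match rule evaluator that
shows why a "Deny all" rule listed first shadows every "Allow" rule after it.
Rules, user names and addresses below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    source: str       # NDS user name, or "any"
    destination: str  # destination IPv4 network in CIDR notation, or "any"
    name: str         # label reported in the audit line


def _covers_source(outer, inner):
    # "any" covers every user; otherwise names must match (compared case-insensitively)
    return outer == "any" or outer.lower() == inner.lower()


def _covers_dest(outer, inner):
    # Does destination 'outer' contain everything destination 'inner' could match?
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ip_network(inner).subnet_of(ip_network(outer))


def rule_matches(rule, user, dest_ip):
    if not _covers_source(rule.source, user):
        return False
    return rule.destination == "any" or ip_address(dest_ip) in ip_network(rule.destination)


def evaluate(rules, user, dest_ip, default="deny"):
    """Walk the list top to bottom; the FIRST matching rule decides and the rest
    are never consulted. Returns (action, rule name) or (default, None)."""
    for rule in rules:
        if rule_matches(rule, user, dest_ip):
            return rule.action, rule.name
    return default, None


def audit_line(rules, user, dest_ip):
    """Constructed log format in the spirit of the message quoted in the thread,
    extended with the name of the rule that fired."""
    action, name = evaluate(rules, user, dest_ip)
    verdict = "is allowed" if action == "allow" else "is not allowed"
    return f"user {user} {verdict} access to ip address {dest_ip} (rule: {name or 'default'})"


def shadowed_rules(rules):
    """Names of rules that can never fire because an earlier rule already
    matches every user and destination they could match."""
    shadowed = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if _covers_source(earlier.source, later.source) and \
                    _covers_dest(earlier.destination, later.destination):
                shadowed.append(later.name)
                break
    return shadowed


# Constructed rule sets. The first reproduces the misconfiguration from the
# thread: "Deny all" on top, so the per-user "Allow" can never be reached.
DENY_FIRST = [
    Rule("deny", "any", "any", "Deny all"),
    Rule("allow", "jsmith", "any", "Allow jsmith"),
]

# Same intent, correct order: specific allows first, catch-all deny last.
CORRECT_ORDER = [
    Rule("allow", "admin", "any", "Allow admin"),
    Rule("allow", "jsmith", "192.0.2.0/24", "Allow jsmith to 192.0.2.0/24"),
    Rule("deny", "any", "any", "Deny all"),
]

if __name__ == "__main__":
    for label, rules in (("deny-first", DENY_FIRST), ("correct order", CORRECT_ORDER)):
        print(f"[{label}] {audit_line(rules, 'jsmith', '192.0.2.10')}")
        print(f"[{label}] shadowed rules: {shadowed_rules(rules)}")
```

shadowed_rules() is the check worth running before blaming NDS synchronisation: a rule that reports as loaded but can never match is exactly what the "Deny all first" ordering produces.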
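Editor's note, added after the thread and not part of any message in it: Eliot Mansfield's 11 Mar 1998 reply lists PROTOCOL-SERVICE definitions from \etc\filters.cfg in request/reply pairs (well-known destination port with ephemeral source port on the way out, the reverse on the way back) and describes the symptom when a reply type is missing. The following is an added Python lint for that record layout, not Novell code: it assumes "port" is the destination port range and "srcport" the source port range, as the quoted six lines read; the two extra sample lines (an HTTP request with no reply type, and an any-high-to-any-high definition) are constructed to exercise the checks.

```python
"""Added example (not BorderManager or Novell code): a parser and lint for the
PROTOCOL-SERVICE lines quoted in the thread. It reports outbound request
types with no matching reply type and definitions that span the whole
ephemeral range at both ends. Field semantics are assumed from the quoted
lines; the sample text is constructed."""
import re
from dataclasses import dataclass

SERVICE_RE = re.compile(
    r"^PROTOCOL-SERVICE\s+IP,\s*(?P<name>[^,]+),\s*"
    r"pid=(?P<pid>\w+)\s+port=(?P<port>[\d-]+)\s+srcport=(?P<srcport>[\d-]+)"
    r"(?:,\s*(?P<comment>.*))?$"
)
EPHEMERAL = (1024, 65535)  # client-side port range used in the thread's definitions


@dataclass(frozen=True)
class Service:
    name: str
    pid: str        # transport protocol: TCP or UDP
    port: tuple     # destination port range (lo, hi)
    srcport: tuple  # source port range (lo, hi)
    comment: str


def parse_range(text):
    """'53' -> (53, 53); '1024-65535' -> (1024, 65535); rejects bad values."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return (lo, hi)


def parse_services(text):
    services = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("PROTOCOL-SERVICE"):
            continue  # blank lines, comments and other record types are skipped
        m = SERVICE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unrecognised service definition: {line}")
        services.append(Service(
            name=m["name"].strip(),
            pid=m["pid"].upper(),
            port=parse_range(m["port"]),
            srcport=parse_range(m["srcport"]),
            comment=(m["comment"] or "").strip(),
        ))
    return services


def unpaired_requests(services):
    """Outbound request definitions (well-known destination port, ephemeral
    source) with no reply definition on the same protocol and swapped ports.
    Without the reply type the request leaves but its answer is dropped, which
    is the 'contacting the server but not responding' symptom in the thread."""
    present = {(s.pid, s.port, s.srcport) for s in services}
    return [s.name for s in services
            if s.srcport == EPHEMERAL and s.port != EPHEMERAL
            and (s.pid, s.srcport, s.port) not in present]


def any_to_any_high(services):
    """Definitions whose both ends are the whole ephemeral range: they match
    nearly any flow between two hosts and defeat a per-service filter."""
    return [s.name for s in services if s.port == EPHEMERAL and s.srcport == EPHEMERAL]


def lint(text):
    services = parse_services(text)
    return {
        "services": len(services),
        "unpaired_requests": unpaired_requests(services),
        "any_to_any_high": any_to_any_high(services),
    }


# Constructed sample: the six definitions from the thread, plus an HTTP
# request type with no reply type and an over-broad high-port definition.
SAMPLE_FILTERS = """\
PROTOCOL-SERVICE IP, DNS RESPONSE IN, pid=UDP port=1024-65535 srcport=53, INBOUND DNS QUERY
PROTOCOL-SERVICE IP, DNS QUERY OUT, pid=UDP port=53 srcport=1024-65535, OUTBOUND DNS QUERY
PROTOCOL-SERVICE IP, POP3 QUERY OUT, pid=TCP port=110 srcport=1024-65535, POP3 QUERY OUT
PROTOCOL-SERVICE IP, POP3 RESP BACK, pid=TCP port=1024-65535 srcport=110, POP3 RESPONSE BACK
PROTOCOL-SERVICE IP, SMTP QUERY OUT, pid=TCP port=25 srcport=1024-65535, SMTP QUERY OUT
PROTOCOL-SERVICE IP, SMTP RESP IN, pid=TCP port=1024-65535 srcport=25, SMTP RESP IN
PROTOCOL-SERVICE IP, HTTP QUERY OUT, pid=TCP port=80 srcport=1024-65535, constructed - no reply type
PROTOCOL-SERVICE IP, ANY HIGH PORTS, pid=TCP port=1024-65535 srcport=1024-65535, constructed - too broad
"""

if __name__ == "__main__":
    print(lint(SAMPLE_FILTERS))
```

Run against a real filters.cfg export the lint only sees the service definitions, not the rules that reference them, so an unpaired request type is a hint to check the exception list in both directions (the "BOTH directions" point raised in the same thread), not proof that traffic is blocked.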