Title: Troubleshooting Novell BorderManager
Slide 1: Troubleshooting Novell BorderManager
- Craig Johnson
  - Novell SysOp
  - craigsj_at_ix.netcom.com
  - http://nscsysop.hypermart.net
- Caterina Luppi
  - Novell SysOp
  - caterina_at_wirediguana.com
- Shaun Pond
  - Novell Consulting, UK
  - spond_at_novell.com
Slide 2: Session Agenda
- BorderManager components
- Troubleshooting tools and techniques
- Common problems and solutions
- Questions and answers
Slide 3: BorderManager Components
- BorderManager is modular
  - Proxies (forward and reverse)
  - Access control
  - Gateways (IPX/IP, IP/IP, SOCKS)
  - VPN
  - RADIUS
  - Dial services
  - Routing and filtering, including stateful filtering (3.x)
Slide 4: BorderManager Components

| Layer of OSI model | BorderManager components |
|---|---|
| Application | Proxies, access control |
| Presentation | VPN |
| Session | Gateways (IPX/IP, IP/IP, SOCKS), VPN |
| Transport | VPN |
| Network | Packet filtering, Network Address Translation (NAT), VPN |
| Data link | Packet filtering, VPN |
| Physical | N/A |
Slide 5: BorderManager Components
- It is critical to understand the layers that BorderManager services are built on
  - Network layer: filters and routing
    - The proxies do not work on this layer, but they depend on it to function
    - Support for the network layer is included in the NetWare operating system
  - Application and session layers: proxies, gateways and access control
    - This layer is provided by BorderManager
- Get routing working before worrying about proxies
Slide 6: BorderManager Components
- Network layer considerations
  - Default filters and exceptions provide basic network layer functionality for proxy, gateways and VPN
  - The proxies do not create the filter exceptions as needed
  - Default exceptions do not cover a secondary IP address
  - Bypassing the proxies requires extra work to be done using filter exceptions and ensuring routing is correct
Slide 7: BorderManager Components
- Proxies
  - Proxies listen on certain ports on certain IP addresses
  - Some proxies listen on all IP addresses, others only on IP addresses defined as private
  - Acceleration listens on IP addresses defined as public
  - Proxies need to have filter exceptions defined in order to function
  - Most, but not all, proxy traffic is allowed with the default filter exceptions
Slide 8: BorderManager Components
- Proxies
  - Why doesn't proxy need routing enabled?
    - It regenerates traffic on an interface, and does not just route traffic between interfaces
  - Why does bypassing proxy need routing enabled?
    - Because if you bypass proxies, the only method left to move packets is to route them between interfaces, which means routing must be enabled, and filter exceptions must be added
Slide 9: BorderManager Components
- Access control list (access rules)
  - Access rules control the use of the proxies, IP gateway and VPN
  - Access rules are read from top to bottom
  - Access rules can be inherited
  - Only one access rule is ever actually used
  - There is a default access rule: Deny All
Slide 10: BorderManager Components
- Access control list (cont.)
  - Only a few proxies use Novell Directory Services (NDS)-based access rules
  - HTTP proxy, FTP proxy, transparent (HTTP) proxy and transparent telnet proxy can use NDS-based access rules
  - You must enable Proxy Authentication to make use of an NDS-based access rule
  - If the client does not proxy authenticate, it cannot use NDS-based access rules, and will skip over them
Slide 11: BorderManager Components
- How Proxy Authentication works
  - Proxy Authentication is initiated by the BorderManager server
  - The BorderManager server asks the source IP address for NDS information
  - The source IP address responds, via CLNTRUST or SSL login (the workstation must be logged in for CLNTRUST to work)
  - The BorderManager server remembers an authenticated connection for some time
Slide 12: BorderManager Components
- RADIUS
  - Used to link an authentication request from a dial-up system through to an NDS account
  - Any RADIUS-compliant access system can work with BorderManager RADIUS
  - BorderManager NIAS dial-up is not RADIUS-compliant
  - May need a Login Policy Object
Slide 13: BorderManager Components
- The IPX/IP and IP/IP gateways
  - Necessary for clients with ONLY the IPX protocol
  - Alternative to the proxies and NAT for clients with IP
  - Simple to configure (no need to configure routing at the client) but not flexible
  - ALL traffic is directed from the workstations to the BorderManager server, including the local traffic
  - Performance slower than NAT/proxies (they work at the session layer of the model)
Slide 14: BorderManager Components
- The IPX/IP and IP/IP gateways (cont.)
  - Need a dedicated component of the client installed on the workstations (IP gateway)
  - Only for Windows workstations running the NetWare Client 32
  - The applications must be Winsock compliant (no native TCP/IP)
  - Access rules for ANY port and protocol
  - Warning: mature product
Slide 15: BorderManager Components
- Virtual Private Networks (VPN)
  - Two types of VPN
    - Site-to-site
    - Client-to-site
  - Site-to-site VPN links two LANs together with an encrypted tunnel
  - Client-to-site VPN allows a remote PC to make a secure connection to a LAN over the Internet
Slide 16: BorderManager Components
- The site-to-site VPN
  - It is mainly based on routing
  - An encrypted tunnel links two or more LANs connected to the same VPN
  - Traffic passes through the tunnel because a static route makes the tunnel the lowest cost route
  - Traffic passing through the tunnel is encrypted and decrypted at the VPN server
  - No need for special software at the workstations (it supports all client OSes)
Slide 17: BorderManager Components
- The client-to-site VPN
  - It is established between a client, running special software, and a VPN server
  - Both must be connected to the Internet
  - It provides secure access to the LAN and WAN behind the VPN server
  - The user must be authorized to establish the VPN with a username and through Access Rules
  - The client workstation must use MS Windows (Win 9x, NT, 2000)
Slide 18: BorderManager Components
- Miscellaneous components
  - BorderManager stores some configuration in NDS attributes of the server object
  - BorderManager can store access rules as user, group, container or BorderManager server attributes
  - Some proxy settings are stored in SYS:\ETC\PROXY\PROXY.CFG
  - Filters are stored in SYS:ETC\FILTERS.CFG
  - Routes are stored in SYS:ETC\GATEWAYS
  - BorderManager can use up to five different NLS licenses
Slide 19: Troubleshooting Tools and Techniques
- What isn't working?
  - Define the scope of the problem
    - One proxy?
    - An access rule?
    - Inbound traffic?
    - NAT?
  - What changed recently?
- Simplify, simplify, simplify
  - Start from the bottom of the OSI model
    - Is a cable plugged in?
    - Is routing, filtering or NAT involved?
    - Is a proxy or access rule involved?
  - Disable features to isolate the problem
Slide 20: Troubleshooting Tools and Techniques
- Techniques for isolating problems
  - Uncheck Enforce Rules
  - Disable filters: UNLOAD IPFLT.NLM
  - SET NAT DYNAMIC MODE TO PASS THRU=ON (or disable NAT Implicit Filtering in INETCFG)
  - Reboot
  - Does the problem go away?
Slide 21: Troubleshooting Tools and Techniques
- Techniques for isolating problems
  - Have you applied the latest patches?
  - Do you know what the latest patches are?
    - http://support.novell.com/misc/patlst.htm
    - Novell public forums
    - http://nscsysop.hypermart.net
  - Look for error messages on the server console, especially when BorderManager first starts
  - Look for NDS issues
Slide 22: Troubleshooting Tools and Techniques
- Techniques for isolating problems
  - Does the internal host see the BorderManager server?
  - Is the internal host configured to use the BorderManager service?
    - HTTP proxy settings, IP gateway service, SOCKS settings
  - Is a proxy seeing the traffic?
    - See Proxy Console Statistics
Slide 23: Troubleshooting Tools and Techniques
- General connectivity and routing diagnostic tools
  - PING: to verify IP connectivity between two hosts
  - TRACERT/IPTRACE.NLM: to check every hop between two hosts
  - SET TCP IP DEBUG=1: to dump the TCP/IP packets on the server console (0 turns it off)
  - SET FILTER DEBUG=ON (followed by the appropriate action): see only certain types of packets, useful on busy servers
  - CONLOG.NLM: the console log, to capture the output of the debug to the SYS:ETC\CONSOLE.LOG file
  - TCPCON.NLM: to check the effective routing table of the server
  - NETMON.NLM: capture trace data on the server
  - Third party network analyzer
Slide 24: Troubleshooting Tools and Techniques
- Deciphering TCP IP DEBUG data
  - Packets not getting to the server: a routing problem
  - Packets reaching the server's public side and being ignored: NAT implicit filtering
  - Packets not going out: a missing default route
  - Packets being discarded: filters are dropping the packets
  - Packets going out the public interface, with no responses coming back: NAT is needed
  - Packets going to an internal host (via Static NAT or VPN) with no response: missing default gateway on the internal host
Slide 25: Troubleshooting Tools and Techniques
- Packet filtering
  - FILTCFG.NLM to see what filter exceptions are in place
  - UNLOAD IPFLT to make sure it is actually a filtering issue
  - SET TCP IP DEBUG=1 to dump the TCP/IP packets on the server console (0 turns it off)
    - Look for the DISCARDED packets
  - SET FILTER DEBUG=ON, for 3.x only, to see selected types of IP packets
Slide 26: Troubleshooting Tools and Techniques
- Proxy and access rules
  - Access rule logging: see what is being denied (or allowed)
  - Back up your rules (use Clipboard Viewer) before experimenting
  - Proxy console statistics: see what the proxies are seeing
  - NWADMN32: see if licenses are being used
  - Simple notes relating when and where problems occur
Slide 27: Troubleshooting Tools and Techniques
- Are access rules seemingly being ignored?
  - Is Enforce Access Rules checked?
  - A rule higher in the list may be taking precedence
  - Check effective rules: you might be inheriting rules
  - An NDS rule will be ignored (skipped) if the internal PC is not proxy authenticated
  - Adding a rule with logging enabled can help find out what is being seen by the BorderManager server
  - "Authenticate Only when user attempts to access a restricted page": use with care
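The access-rule behaviour stated on slides 9, 10 and 27 (rules read top to bottom, only the first match used, NDS-based rules skipped for clients that have not proxy-authenticated, implicit Deny All at the end) as an added Python model. This is illustration code, not Novell's; the Rule and Request fields and the sample rule list are simplified assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    service: str                           # "http", "ftp", "generic-udp" or "*"
    port: Optional[int] = None             # None matches any port
    src_ips: Optional[Set[str]] = None     # None matches any source address
    nds_users: Optional[Set[str]] = None   # a set makes this an NDS-based rule
    log: bool = False                      # access-rule logging enabled

@dataclass
class Request:
    src_ip: str
    service: str
    port: int
    nds_user: Optional[str] = None         # None: client did not proxy-authenticate

DEFAULT_DENY = Rule("default Deny All", "deny", "*")   # always evaluated last

def _matches(rule: Rule, req: Request) -> bool:
    if rule.service not in ("*", req.service):
        return False
    if rule.port is not None and rule.port != req.port:
        return False
    if rule.src_ips is not None and req.src_ip not in rule.src_ips:
        return False
    if rule.nds_users is not None and req.nds_user not in rule.nds_users:
        return False
    return True

def evaluate(rules: List[Rule], req: Request, log: List[str]) -> Tuple[str, str]:
    """Walk the effective rule list top to bottom and return (action, rule name)
    of the single rule that decides the request. Skipped NDS rules and hits on
    rules with logging enabled are appended to log, which is what slide 27
    suggests looking at when rules seem to be ignored."""
    for rule in rules + [DEFAULT_DENY]:
        if rule.nds_users is not None and req.nds_user is None:
            log.append(f"skipped NDS rule '{rule.name}': {req.src_ip} not proxy-authenticated")
            continue
        if _matches(rule, req):
            if rule.log:
                log.append(f"{rule.action.upper()} {req.service}:{req.port} from {req.src_ip} by '{rule.name}'")
            return rule.action, rule.name
    raise RuntimeError("unreachable: Deny All matches everything")

# Constructed effective rule list, in the order NWADMN32 would show it
RULES = [
    Rule("staff may browse", "allow", "http", nds_users={"alice", "bob"}),
    Rule("no other browsing", "deny", "http", log=True),
    Rule("NTP via generic proxy", "allow", "generic-udp", port=123),
]
```

Swapping the first two rules shows the "rule higher in the list takes precedence" case: the deny then wins even for an authenticated user.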
Slide 28: Troubleshooting Tools and Techniques
- Johnny can't get a generic proxy for NTP to work
  - TCP Debug shows no data coming to the server
    - Internal server on an internally routed segment did not have a default route configured
  - Proxy Console, option 19, shows no traffic for the proxy
    - Internal server not configured to point to the proxy's private IP address for NTP
  - Proxy Console, option 19, shows ACL rejects
    - No Allow Port 123 access rule configured
  - TCP Debug shows inbound traffic discarded
    - Did not allow UDP port 123 to the public IP address with a filter exception
Slide 29: Troubleshooting Tools and Techniques
- IPX/IP and IP/IP gateways
  - Read TID 2928290 and 2928294
  - Look at the Status in the IP gateway component in Settings, Control Panel, Network at the client
  - It is better not to specify the context of the server at all than to specify a wrong context
  - Use WINPING.EXE to check if you can ping (do not use the DOS ping)
  - IPXIPGW.NLM must be loaded
  - Check messages in the Novell IP gateway access status screen
Slide 30: Troubleshooting Tools and Techniques
- IPX/IP and IP/IP gateways (cont.)
  - To enable the gateway debug at the client, add these lines to the c:\windows\novws.ini file:
    - [Gwtraceinfo]
    - trace=4
    - The output will be in C:\GWDBG32.TXT
  - To enable the gateway debug at the server, use
    - SET NWGATEWAY DEBUG=(0-7)
    - SET NWGATEWAY LOG=ON
    - The output will be in SYS:\IPXIPGWx.LOG
    - It slows down the server
Slide 31: Common Problems and Solutions
- No default route/gateway on some host in the process
  - Check the host, and all intervening routers
- Did not install default filters
  - Load BRDCFG, follow prompts (secure the public IP address only)
- Access rules in wrong sequence
  - Change the rule order
Slide 32: Common Problems and Solutions
- NDS-based rule, no proxy authentication
  - Must run CLNTRUST at the client, or use SSL Authentication
  - Not all proxies use NDS-based rules
- Licensing issues
  - See Novell TID 10013723
- Slow shutdown of server
  - Unload BorderManager services before downing the server
  - Get the BMOFF.NCF file at
    - http://nscsysop.hypermart.net/bmoff.html
Slide 33: Common Problems and Solutions
- NWADMN32 snapin issues
  - Rename the ACNWAUTH.DLL snapin to ACNWAUTH.DL_
  - See http://nscsysop.hypermart.net/nwadmin.html
- Proxy cache not on dedicated volume(s)
  - Always put the cache on a dedicated volume, never SYS
- BorderManager not tuned for performance
  - See TID 10018669
Slide 34: Common Problems and Solutions
- Mail proxy
  - Has had a number of issues over the years; be sure to check the latest patches
  - LOAD PROXY -M to allow the mail proxy to use more than one MX record when sending SMTP
  - LOAD BRDSRV/NOLOAD to prevent autoloading
- DNS proxy
  - Don't try with NAMED loaded on the server
  - May need to clear cached data by deleting the SYS:ETC\PROXY\PXYHOSTS file
Slide 35: Common Problems and Solutions
- HTTP proxy caching an unwanted site, or a site just added as non-cacheable but the old copy still comes up
  - Need to clear the (entire) cache as follows
    - Unload proxy
    - Delete SYS:ETC\PROXY\PXYHOSTS (optional)
    - LOAD PROXY -CC
Slide 36: Common Problems and Solutions
- Transparent proxy
  - Somewhat slower than HTTP proxy
  - Doesn't do DNS lookup for the client
    - Client must be configured to do DNS
  - Logs web sites visited by IP address instead of URL
  - Does not support HTTPS/SSL
- Massive TCP/IP communications failure
  - NETDB 4.09 manually loaded before INITSYS.NCF: load it after INITSYS, or let it autoload as needed
Slide 37: Common Problems and Solutions
- RADIUS
  - Dial access system: redundancy
  - Do you need a profile?
  - Attributes with attitude
    - RADATR3A.EXE
  - Testing: www.nttacplus.com/download/radping.cfm
Slide 38: Common Problems and Solutions
- IPX/IP and IP/IP gateway
  - I am using Novell Client 3.3; the gateway status at the client is always "not connected"
    - The IP gateway component of the Client v3.3 doesn't work properly
    - Try to use Client 3.1 or 3.21
  - In ZENworks all the workstations appear to have the IP address of the gateway
    - This is the way the gateway works
    - The workstations talk to the gateway, and the gateway communicates on their behalf with the other devices
Slide 39: Common Problems and Solutions
- IPX/IP and IP/IP gateway (cont.)
  - The browsers, IE more frequently, fail to connect to the gateway. Netscape returns the "unable to open socket connection" message
    - Make sure you are using the correct Winsock version at the client
    - For BorderManager 2.1 you must use the Novell Winsock I (the latest client version using this Winsock version is 2.5)
    - For BorderManager 3.x, use the MS Winsock II
    - This limitation applies only to the gateways
Slide 40: Common Problems and Solutions
- IPX/IP and IP/IP gateway (cont.)
  - I am using SSO authentication to the gateway, but when I try to use the HTTP proxy with authentication (to use ACL) I get the message "403 Forbidden, you are not logged in"
    - The IP gateway and the standard HTTP proxy cannot work together
    - If you want to use proxy authentication with the IP gateway you must use the Transparent HTTP proxy
    - SSL authentication to the HTTP proxy doesn't work either
    - You can use the HTTP proxy without authentication
Slide 41: Common Problems and Solutions
- IPX/IP and IP/IP gateway (cont.)
  - How do I enable the transparent proxy for my IP gateway clients without affecting the users on the native TCP/IP stack?
    - To enable the transparent proxy for the IP gateway clients ONLY, you can use the command line (at the server)
    - SET NWGATEWAY CLIENT TRANSPARENT PROXY=ON
Slide 42: Common Problems and Solutions
- Site-to-Site VPN
  - I configured the VPN between two servers. The VPN was established but I can't reach the internal LAN
    - Make sure that your VPN tunnel IP address is in a different network from the private and the public IP addresses of the server
    - e.g. public IP address 123.123.123.1, private IP address 10.1.1.1, VPN tunnel IP address 192.168.1.1/255.255.255.0
Slide 43: Common Problems and Solutions
- Site-to-Site VPN (cont.)
  - In the logs in NWADMN32 I have the messages
    - Time synchronization error from connection XXX
    - (SKIP) Construction of SA failed for peer <IP_address>
    - The VPN stays in the "Being configured" status
  - Check that the time (clock) in the servers is not more than one hour apart in UTC
  - Make sure that your ISP is not filtering any packet type
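Added pre-flight checks for the site-to-site VPN advice on slides 42 and 43 (illustration code, not BorderManager's). The first check covers what slide 42 states, that the tunnel network must not overlap the server's public or private networks, and goes one step beyond the slide by also flagging two sites whose private LANs overlap each other; the second encodes the one-hour clock tolerance from slide 43. The sample sites and times are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

def address_conflicts(site_a: dict, site_b: dict) -> list:
    """Each site maps 'public', 'private' and 'tunnel' to an interface string
    in addr/prefix or addr/mask form. Returns human-readable conflicts."""
    conflicts = []
    for name, site in (("A", site_a), ("B", site_b)):
        tunnel = ipaddress.ip_interface(site["tunnel"]).network
        for role in ("public", "private"):
            net = ipaddress.ip_interface(site[role]).network
            if tunnel.overlaps(net):   # slide 42: tunnel must be its own network
                conflicts.append(f"site {name}: tunnel {tunnel} overlaps {role} {net}")
    # Beyond the slide: two LANs with the same addressing cannot both be
    # reached through the tunnel, since the static route cannot tell them apart
    lan_a = ipaddress.ip_interface(site_a["private"]).network
    lan_b = ipaddress.ip_interface(site_b["private"]).network
    if lan_a.overlaps(lan_b):
        conflicts.append(f"private LANs overlap: {lan_a} and {lan_b}")
    return conflicts

def clock_skew_ok(time_a: datetime, time_b: datetime) -> bool:
    """Slide 43: the two servers' clocks, compared in UTC, must not be more
    than one hour apart, otherwise SKIP fails to construct the SA."""
    skew = abs(time_a.astimezone(timezone.utc) - time_b.astimezone(timezone.utc))
    return skew <= timedelta(hours=1)

# Constructed sample sites; site A uses the addresses from slide 42
GOOD_A = {"public": "123.123.123.1/24", "private": "10.1.1.1/24",
          "tunnel": "192.168.1.1/255.255.255.0"}
GOOD_B = {"public": "198.51.100.1/24", "private": "10.2.2.1/24",
          "tunnel": "192.168.1.2/255.255.255.0"}
# Site B misconfigured: tunnel address taken from its own LAN, and that LAN
# duplicates site A's addressing
BAD_B = {"public": "198.51.100.1/24", "private": "10.1.1.1/24",
         "tunnel": "10.1.1.254/24"}

# Constructed clocks: server B reports local time in a UTC+2 zone
SERVER_A_TIME = datetime(2001, 5, 1, 12, 0, tzinfo=timezone.utc)
SERVER_B_TIME = datetime(2001, 5, 1, 13, 30, tzinfo=timezone(timedelta(hours=2)))
SERVER_B_LATE = datetime(2001, 5, 1, 16, 30, tzinfo=timezone(timedelta(hours=2)))
```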
Slide 44: Common Problems and Solutions
- Site-to-Site VPN (cont.)
  - When loading VPNCFG I get a lot of undefined public symbols
    - The TCPIP.NLM you are using doesn't support encryption
    - It was probably overwritten by a service pack
  - The VPN is up and running but I cannot contact the devices in the private segment
    - The VPN server should be the gateway to the Internet for the LAN
Slide 45: Common Problems and Solutions
- Client-to-Site VPN
  - I can log in to the VPN but when I try to log in to NDS I get the "Tree or server not found" error message
    - Three solutions
    - Use IPX over the tunnel to log in
    - Use the IP address of the server on the private LAN instead of the server name in the NetWare login screen
    - Set up an SLP DA in your LAN and configure the client to statically query that DA for service location
Slide 46: Common Problems and Solutions
- Client-to-Site VPN (cont.)
  - The VPN is up and running but I cannot contact the devices in the private segment. The devices in the LAN access the Internet through a device that is NOT the VPN server.
    - Use a VPN server dedicated to the client-to-site VPN
    - Enable dynamic NAT on the PRIVATE interface only
Slide 47: Common Problems and Solutions
- Client-to-Site VPN (cont.)
  - When I try to authenticate to the VPN I get the message "Unable to authenticate token password"
    - If you aren't using ActivCard, and you aren't using RADIUS, delete the Login Policy Object from NDS and delete the LPOCACHE.DAT file from the server
  - I am not able to use the VPN on Windows ME
    - That's right, the VPN client doesn't work on Windows ME!
Slide 48: For More Information
- Novell Support web site
  - http://support.novell.com
- Novell Documentation web site
  - www.novell.com/documentation
- Novell public forums (best with a news reader)
  - support-forums.novell.com (NNTP)
  - http://support.novell.com/forums
- Other web sites
  - http://nscsysop.hypermart.net
  - www.connectotel.com