Troubleshooting Novell BorderManager - PowerPoint PPT Presentation

Slides: 50, provided by crai67

Transcript and Presenter's Notes

1
Troubleshooting Novell BorderManager
  • Craig Johnson
  • Novell SysOp
  • craigsj_at_ix.netcom.com
  • http://nscsysop.hypermart.net
  • Caterina Luppi
  • Novell SysOp
  • caterina_at_wirediguana.com
  • Shaun Pond
  • Novell Consulting, UK
  • spond_at_novell.com

2
Session Agenda
  • BorderManager components
  • Troubleshooting tools and techniques
  • Common problems and solutions
  • Questions and answers

3
BorderManager Components
  • BorderManager is modular
  • Proxies (forward and reverse)
  • Access control
  • Gateways (IPX/IP, IP/IP, SOCKS)
  • VPN
  • RADIUS
  • Dial services
  • Routing and filtering, including stateful
    filtering (3.x)

4
BorderManager Components
Layer of OSI model   BorderManager components
Application          Proxies, access control
Presentation         VPN
Session              Gateways (IPX/IP, IP/IP, SOCKS), VPN
Transport            VPN
Network              Packet filtering, Network Address Translation (NAT), VPN
Data link            Packet filtering, VPN
Physical             N/A
5
BorderManager Components
  • It is critical to understand the layers that
    BorderManager services are built on
  • Network layer: filters and routing
  • The proxies do not work on this layer, but they
    depend on it to function
  • The support for the network layer is included in
    the NetWare operating system
  • Application and session layers: proxies, gateways
    and access control
  • This layer is provided by BorderManager
  • Get routing working before worrying about proxies

6
BorderManager Components
  • Network layer considerations
  • Default filters and exceptions provide basic
    network layer functionality for proxy, gateways
    and VPN
  • The proxies do not create the filter exceptions
    as needed
  • Default exceptions do not cover a secondary IP
    address
  • Bypassing the proxies requires extra work to be
    done using filter exceptions and ensuring routing
    is correct

7
BorderManager Components
  • Proxies
  • Proxies listen on certain ports on certain IP
    addresses
  • Some proxies listen on all IP addresses, others
    only on IP addresses defined as private
  • Acceleration listens on IP addresses defined as
    public
  • Proxies need to have filter exceptions defined in
    order to function
  • Most, but not all, proxy traffic is allowed with
    the default filter exceptions

8
BorderManager Components
  • Proxies
  • Why doesn't the proxy need routing enabled?
  • It regenerates traffic on an interface, and does
    not just route traffic between interfaces
  • Why does bypassing proxy need routing enabled?
  • Because if you bypass proxies, the only method
    left to move packets is to route them between
    interfaces, which means routing must be enabled,
    and filter exceptions must be added

9
BorderManager Components
  • Access control list (access rules)
  • Access rules control the use of the proxies, IP
    gateway and VPN
  • Access rules are read from top to bottom
  • Access rules can be inherited
  • Only one access rule is ever actually used
  • There is a default access rule: Deny All

10
BorderManager Components
  • Access control list (cont.)
  • Only a few proxies use Novell Directory Services
    (NDS)-based access rules
  • HTTP proxy, FTP proxy, transparent (HTTP) proxy
    and transparent telnet proxy can use NDS-based
    access rules
  • You must enable Proxy Authentication to make use
    of an NDS-based access rule
  • If the client does not proxy authenticate, it
    cannot use NDS-based access rules, and will skip
    over them

11
BorderManager Components
  • How Proxy Authentication works
  • Proxy Authentication is initiated by the
    BorderManager server
  • The BorderManager server asks the source IP
    address for NDS information
  • The source IP address responds, via CLNTRUST or
    SSL login (the workstation must be logged in to
    NDS for CLNTRUST to work)
  • The BorderManager server remembers an
    authenticated connection for some time

12
BorderManager Components
  • RADIUS
  • Used to link authentication request from dial-up
    system through to NDS account
  • Any RADIUS-compliant access system can work with
    BorderManager RADIUS
  • BorderManager NIAS dial-up is not
    RADIUS-compliant
  • May need a Login Policy Object

13
BorderManager Components
  • The IPX/IP and IP/IP gateways
  • Necessary for the clients with ONLY the IPX
    protocol
  • Alternative to the proxies and NAT for clients
    with IP
  • Simple to configure (no need to configure routing
    at the client) but not flexible
  • ALL traffic is directed from the workstations to
    the BorderManager server, including the local
    traffic
  • Performance slower than NAT/proxies (work at the
    session layer of the model)

14
BorderManager Components
  • The IPX/IP and IP/IP gateways (cont.)
  • Need a dedicated component of the client
    installed on the workstations (IP gateway)
  • Only for Windows workstations running the NetWare
    Client 32
  • The applications must be Winsock compliant (no
    native TCP/IP stack)
  • Access rules for ANY port and protocol
  • Warning: mature product

15
BorderManager Components
  • Virtual Private Networks (VPN)
  • Two types of VPN
  • Site-to-site
  • Client-to-site
  • Site-to-site VPN links two LANs together with an
    encrypted tunnel
  • Client-to-site VPN allows a remote PC to make a
    secure connection to a LAN over the Internet

16
BorderManager Components
  • The site-to-site VPN
  • It is mainly based on routing
  • An encrypted tunnel links two or more LANs
    connected to the same VPN
  • Traffic passes through the tunnel because a
    static route makes the tunnel the lowest cost
    route
  • Traffic passing through the tunnel is encrypted
    and decrypted at the VPN server
  • No need of special software at the
    workstations (it supports all client OSes)

17
BorderManager Components
  • The client-to-site VPN
  • It is established between a client, running
    special software, and a VPN server
  • Both must be connected to the Internet
  • It provides secure access to the LAN and WAN
    behind the VPN server
  • The user must be authorized to establish the VPN
    with a username and through Access Rules
  • The client workstation must use MS Windows (Win
    9x, NT, 2000)

18
BorderManager Components
  • Miscellaneous components
  • BorderManager stores some configuration in NDS
    attributes of the server object
  • BorderManager can store access rules as user,
    group, container or BorderManager server
    attributes
  • Some proxy settings are stored in
    SYS:ETC\PROXY\PROXY.CFG
  • Filters are stored in SYS:ETC\FILTERS.CFG
  • Routes are stored in SYS:ETC\GATEWAYS
  • BorderManager can use up to five different NLS
    licenses

19
Troubleshooting Tools and Techniques
  • What isn't working?
  • Define the scope of the problem
  • One proxy?
  • An access rule?
  • Inbound traffic?
  • NAT?
  • What changed recently?
  • Simplify, simplify, simplify
  • Start from the bottom of the OSI model
  • Is a cable plugged in?
  • Is routing, filtering or NAT involved?
  • Is a proxy or access rule involved?
  • Disable features to isolate the problem

20
Troubleshooting Tools and Techniques
  • Techniques for isolating problems
  • Uncheck Enforce Rules
  • Disable filters: UNLOAD IPFLT.NLM
  • SET NAT DYNAMIC MODE TO PASS THRU=ON (or disable
    NAT Implicit Filtering in INETCFG)
  • Reboot
  • Does the problem go away?

21
Troubleshooting Tools and Techniques
  • Techniques for isolating problems
  • Have you applied the latest patches?
  • Do you know what the latest patches are?
  • http://support.novell.com/misc/patlst.htm
  • Novell public forums
  • http://nscsysop.hypermart.net
  • Look for error messages on the server console,
    especially when BorderManager first starts
  • Look for NDS issues

22
Troubleshooting Tools and Techniques
  • Techniques for isolating problems
  • Does the internal host see the BorderManager
    server?
  • Is the internal host configured to use the
    BorderManager service?
  • HTTP proxy settings, IP gateway service, SOCKS
    settings
  • Is a proxy seeing the traffic?
  • See Proxy Console Statistics

23
Troubleshooting Tools and Techniques
  • General connectivity and routing diagnostic tools
  • PING: to verify IP connectivity between two hosts
  • TRACERT / IPTRACE.NLM: to check every hop between
    two hosts
  • SET TCP IP DEBUG=1: to dump the TCP/IP packets on
    the server console (0 turns it off)
  • SET FILTER DEBUG=ON (followed by the appropriate
    action): see only certain types of packets,
    useful on busy servers
  • CONLOG.NLM: the console log, to capture the output
    of the debug to the SYS:ETC\CONSOLE.LOG file
  • TCPCON.NLM: to check the effective routing table
    of the server
  • NETMON.NLM: capture trace data on the server
  • Third-party network analyzer

24
Troubleshooting Tools and Techniques
  • Deciphering TCP IP DEBUG data
  • Packets not getting to the server: a routing
    problem
  • Packets reaching the server's public side and
    being ignored: NAT implicit filtering
  • Packets not going out: a missing default route
  • Packets being discarded: filters are dropping
    the packets
  • Packets going out the public interface, with no
    responses coming back: NAT is needed
  • Packets going to an internal host (via static NAT
    or VPN) with no response: missing default
    gateway on the internal host

25
Troubleshooting Tools and Techniques
  • Packet filtering
  • FILTCFG.NLM to see what filter exceptions are in
    place
  • UNLOAD IPFLT to make sure it is actually a
    filtering issue
  • SET TCP IP DEBUG=1 to dump the TCP/IP packets on
    the server console (0 turns it off)
  • Look for the DISCARDED packets
  • SET FILTER DEBUG=ON (3.x only) to see
    selected types of IP packets

26
Troubleshooting Tools and Techniques
  • Proxy and access rules
  • Access rule logging, see what is being denied (or
    allowed)
  • Backup your rules (use Clipboard Viewer) before
    experimenting
  • Proxy console statistics, see what the proxies
    are seeing
  • NWADMN32, see if licenses are being used
  • Simple notes relating when and where problems
    occur

27
Troubleshooting Tools and Techniques
  • Are access rules seemingly being ignored?
  • Is Enforce Access Rules checked?
  • A rule higher in the list may be taking
    precedence
  • Check effective rules: you might be inheriting
    rules
  • An NDS rule will be ignored (skipped) if the
    internal PC is not proxy authenticated
  • Adding a rule with logging enabled can help find
    out what is being seen by the BorderManager
    server
  • "Authenticate Only when user attempts to access a
    restricted page": use with care
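
The evaluation order described on slides 9, 10 and 27 (rules read top to bottom, only the first matching rule used, NDS-based rules skipped for a client that never proxy-authenticated, rules inherited from containers, Deny All as the default, and "Enforce Rules" unchecked bypassing everything) as an added Python model. This is illustration written for this page, not BorderManager code: the Rule and Client field names, the container .ACME, the addresses, and the assumption that inherited container rules are evaluated after the server's own list are all this example's own.

```python
"""Model of BorderManager access-rule evaluation as the slides describe it.

Added illustration, not BorderManager code.  Assumptions: inherited
container rules are evaluated after the server's own list, and the field
names below are this model's own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    action: str                # "allow" or "deny"
    service: str               # "http", "ftp", "udp/123", ... or "any"
    source: str                # CIDR, "any", or "nds:<NDS object>" for an NDS-based rule
    destination: str = "any"   # CIDR or "any"
    log: bool = False          # per-rule logging, as in NWADMN32


@dataclass
class Client:
    ip: str
    proxy_authenticated: bool = False        # CLNTRUST or SSL login succeeded
    nds_identity: frozenset = frozenset()    # user, groups and containers the user is in


def _source_matches(rule, client, skipped):
    if rule.source == "any":
        return True
    if rule.source.startswith("nds:"):
        if not client.proxy_authenticated:
            skipped.append(rule)   # NDS rule skipped: client never proxy-authenticated
            return False
        return rule.source[4:] in client.nds_identity
    return ip_address(client.ip) in ip_network(rule.source)


def _dest_matches(rule, dest_ip):
    return rule.destination == "any" or ip_address(dest_ip) in ip_network(rule.destination)


def evaluate(server_rules, inherited_rules, client, service, dest_ip, enforce_rules=True):
    """Return (action, matched_rule, skipped_nds_rules, log_lines).

    matched_rule is None when the default Deny All applied (or enforcement is off).
    """
    if not enforce_rules:
        return "allow", None, [], ["Enforce Access Rules unchecked: no rule consulted"]
    skipped, log = [], []
    for rule in list(server_rules) + list(inherited_rules):   # top to bottom, server list first
        if rule.service not in ("any", service):
            continue
        if not _source_matches(rule, client, skipped) or not _dest_matches(rule, dest_ip):
            continue
        if rule.log:
            log.append(f"{rule.action.upper()} {service} {client.ip}->{dest_ip} ({rule.source})")
        return rule.action, rule, skipped, log      # only one rule is ever used
    return "deny", None, skipped, log + ["default Deny All"]


# Constructed rule set for a server in an imaginary container (.ACME)
SERVER_RULES = [
    Rule("allow", "http", "nds:.Sales.ACME", log=True),   # NDS-based: needs proxy auth
    Rule("deny", "http", "10.1.1.0/24", log=True),        # catches the unauthenticated Sales PCs
    Rule("allow", "udp/123", "10.1.0.0/16"),              # generic NTP proxy, as in the Johnny example
]
CONTAINER_RULES = [Rule("allow", "http", "any")]         # inherited from .ACME


def demo():
    """Requests that reproduce the 'rule seems ignored' symptoms on the slides."""
    unauth = Client("10.1.1.20")
    sales = Client("10.1.1.20", True, frozenset({".jdoe.Sales.ACME", ".Sales.ACME"}))
    other = Client("10.1.2.5")
    dest = "198.51.100.10"
    return {
        # NDS rule skipped, so the deny rule below it wins
        "sales_pc_no_auth": evaluate(SERVER_RULES, CONTAINER_RULES, unauth, "http", dest)[0],
        # same PC after CLNTRUST: the NDS rule is now usable
        "sales_pc_authenticated": evaluate(SERVER_RULES, CONTAINER_RULES, sales, "http", dest)[0],
        # not in the deny subnet, falls through to the inherited container rule
        "other_subnet_http": evaluate(SERVER_RULES, CONTAINER_RULES, other, "http", dest)[0],
        # no rule for FTP anywhere: default Deny All
        "ftp_default_deny": evaluate(SERVER_RULES, CONTAINER_RULES, sales, "ftp", dest)[0],
        # "Enforce Rules" unchecked while isolating a problem: everything passes
        "enforce_off": evaluate(SERVER_RULES, CONTAINER_RULES, unauth, "http", dest, enforce_rules=False)[0],
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:24s} -> {action}")
```

Run it and compare the first two results: the same workstation is denied before CLNTRUST runs and allowed after, which is exactly the "NDS rule is being ignored" report from slide 27. Adding a logged rule, as the slide suggests, is what the `log` flag models.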

28
Troubleshooting Tools and Techniques
  • Johnny can't get a generic proxy for NTP to work
  • TCP Debug shows no data coming to server
  • Internal server on internally routed segment
  • Did not have a default route configured
  • Proxy Console, option 19, shows no traffic for
    proxy
  • Internal server not configured to point to proxy
    private IP address for NTP
  • Proxy Console, option 19, shows ACL rejects
  • No Allow Port 123 Access Rule configured
  • TCP Debug shows inbound traffic discarded
  • Did not allow UDP Port 123 to public IP address
    with filter exception

29
Troubleshooting Tools and Techniques
  • IPX/IP and IP/IP gateways
  • Read TID 2928290 and 2928294
  • Look at the Status in the IP gateway component in
    Settings, Control Panel, Network at the
    client
  • It is better not to specify the server's context
    at all than to specify a wrong one
  • Use WINPING.EXE to check if you can ping (do not
    use the DOS ping)
  • IPXIPGW.NLM must be loaded
  • Check messages in the Novell IP gateway access
    status screen

30
Troubleshooting Tools and Techniques
  • IPX/IP and IP/IP gateways (cont.)
  • To enable the gateway debug at the client, add the
    following lines to C:\WINDOWS\NOVWS.INI
  • Gwtrace=info
  • trace=4
  • The output will be in C:\GWDBG32.TXT
  • To enable the gateway debug at the server, use
  • SET NWGATEWAY DEBUG=(0-7)
  • SET NWGATEWAY LOG=ON
  • The output will be in SYS:IPXIPGWx.LOG
  • This slows down the server

31
Common Problems and Solutions
  • No default route/gateway on some host in the
    process
  • Check host, and all intervening routers
  • Did not install default filters
  • Load BRDCFG, follow prompts (secure the public IP
    address only)
  • Access rules in wrong sequence
  • Change the rule order

32
Common Problems and Solutions
  • NDS-based rule, no proxy authentication
  • Must run CLNTRUST at client, or use SSL
    Authentication
  • Not all proxies use NDS-based rules
  • Licensing issues
  • See Novell TID 10013723
  • Slow shutdown of server
  • Unload BorderManager services before downing
    server
  • Get BMOFF.NCF file at
  • http://nscsysop.hypermart.net/bmoff.html

33
Common Problems and Solutions
  • NWADMN32 snapin issues
  • Rename the ACNWAUTH.DLL snapin to ACNWAUTH.DL_
  • See http://nscsysop.hypermart.net/nwadmin.html
  • Proxy cache not on dedicated volume(s)
  • Always put cache on a dedicated volume, never SYS
  • BorderManager not tuned for performance
  • See TID 10018669

34
Common Problems and Solutions
  • Mail proxy
  • Has had a number of issues over the years; be
    sure to check the latest patches
  • LOAD PROXY -M to allow mail proxy to use more
    than one MX record when sending SMTP
  • LOAD BRDSRV/NOLOAD to prevent autoloading
  • DNS proxy
  • Don't try it with NAMED loaded on the server
  • May need to clear cached data by deleting the
    SYS:ETC\PROXY\PXYHOSTS file

35
Common Problems and Solutions
  • HTTP proxy caching an unwanted site, or a site
    just added as non-cacheable still comes up from
    the old cached copy
  • Need to clear the (entire) cache as follows
  • UNLOAD PROXY
  • Delete SYS:ETC\PROXY\PXYHOSTS (optional)
  • LOAD PROXY -CC

36
Common Problems and Solutions
  • Transparent proxy
  • Somewhat slower than HTTP proxy
  • Doesn't do the DNS lookup for the client
  • Client must be configured to do DNS
  • Logs web sites visited by IP address instead of
    URL
  • Does not support HTTPS/SSL
  • Massive TCP/IP communications failure
  • NETDB 4.09 manually loaded before INITSYS.NCF:
    load it after INITSYS, or let it autoload as
    needed

37
Common Problems and Solutions
  • RADIUS
  • Dial access system: redundancy
  • Do you need a profile?
  • Attributes with attitude
  • RADATR3A.EXE
  • Testing: www.nttacplus.com/download/radping.cfm

38
Common Problems and Solutions
  • IPX/IP and IP/IP gateway
  • I am using Novell Client 3.3, the gateway status
    at the client is always "not connected"
  • The IP gateway component of Client v3.3
    doesn't work properly
  • Try using Client 3.1 or 3.21
  • In ZENworks all the workstations appear to have
    the IP address of the gateway
  • This is the way the gateway works
  • The workstations talk to the gateway, and the
    gateway communicates on their behalf with the
    other devices

39
Common Problems and Solutions
  • IPX/IP and IP/IP gateway (cont.)
  • The browsers, IE more frequently, fail to
    connect to the gateway; Netscape returns the
    "unable to open socket connection" message
  • Make sure you are using the correct Winsock
    version at the client
  • For BorderManager 2.1 you must use the Novell
    Winsock I (the latest client version using this
    Winsock version is 2.5)
  • For BorderManager 3.x, use the MS Winsock II
  • This limitation applies only to the gateways

40
Common Problems and Solutions
  • IPX/IP and IP/IP gateway (cont.)
  • I am using SSO authentication to the gateway,
    but when I try to use the HTTP proxy with
    authentication (to use ACL) I get the message
    "403 Forbidden, you are not logged in"
  • The IP gateway and the standard HTTP proxy cannot
    work together
  • If you want to use proxy authentication with the
    IP gateway you must use the Transparent HTTP
    proxy
  • SSL authentication to the HTTP proxy doesn't work
    either
  • You can use the HTTP proxy without authentication

41
Common Problems and Solutions
  • IPX/IP and IP/IP gateway (cont.)
  • How do I enable the transparent proxy for my IP
    gateway clients without affecting the user using
    the native TCP/IP stack?
  • To enable the transparent proxy for the IP
    gateway client ONLY you can use the command line
    (at the server)
  • SET NWGATEWAY CLIENT TRANSPARENT PROXY=ON

42
Common Problems and Solutions
  • Site-to-Site VPN
  • I configured the VPN between two servers. The
    VPN was established but I can't reach the
    internal LAN
  • Make sure that your VPN tunnel IP address is in a
    different network from the private and the public
    IP addresses of the server
  • e.g. public IP address 123.123.123.1, private IP
    address 10.1.1.1,
  • VPN tunnel IP address 192.168.1.1/255.255.255.0
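
A check for the addressing rule above, as an added Python example (not BorderManager code): the tunnel network must not overlap the public or private network of any server in the VPN, every server's tunnel address must fall in one shared tunnel network, and tunnel addresses must be unique. The addresses are constructed from the slide's example; the second site's addresses and the /24 masks on the public and private interfaces are assumptions, since the slide gives only the addresses.

```python
"""Sanity check for a site-to-site VPN addressing plan.

Added illustration, not BorderManager code.  The second site's addresses
and the /24 masks on the public and private interfaces are assumptions.
"""
from ipaddress import ip_interface


def check_vpn_plan(servers):
    """servers: {name: {"public": "a.b.c.d/len", "private": ..., "tunnel": ...}}

    Returns a list of problem strings; an empty list means the plan is consistent.
    """
    problems = []
    tunnel_nets = {name: ip_interface(s["tunnel"]).network for name, s in servers.items()}
    # All tunnel endpoints must share one tunnel network
    if len(set(tunnel_nets.values())) != 1:
        problems.append("tunnel addresses are not all in the same network: "
                        + ", ".join(f"{n}={net}" for n, net in tunnel_nets.items()))
    # ... and must not collide with each other
    tunnel_addrs = [ip_interface(s["tunnel"]).ip for s in servers.values()]
    if len(set(tunnel_addrs)) != len(tunnel_addrs):
        problems.append("duplicate tunnel address")
    # The tunnel network must not overlap any public or private network:
    # otherwise the tunnel route competes with a directly connected network
    for tnet in set(tunnel_nets.values()):
        for name, s in servers.items():
            for role in ("public", "private"):
                net = ip_interface(s[role]).network
                if net.overlaps(tnet):
                    problems.append(f"tunnel network {tnet} overlaps {name} {role} network {net}")
    return problems


# Constructed from the slide's example (masks and site B assumed)
GOOD_PLAN = {
    "siteA": {"public": "123.123.123.1/24", "private": "10.1.1.1/24", "tunnel": "192.168.1.1/24"},
    "siteB": {"public": "198.51.100.7/24", "private": "10.2.2.1/24", "tunnel": "192.168.1.2/24"},
}
# Same plan, but site A's tunnel address was taken from its own private LAN
BAD_PLAN = {
    "siteA": {"public": "123.123.123.1/24", "private": "10.1.1.1/24", "tunnel": "10.1.1.250/24"},
    "siteB": {"public": "198.51.100.7/24", "private": "10.2.2.1/24", "tunnel": "192.168.1.2/24"},
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_vpn_plan(plan) or ["ok"])
```

The bad plan is the slide's symptom: the VPN comes up (the tunnel endpoints can still reach each other over the public addresses) but traffic for the private LAN behind site A has two candidate routes, so it never reaches the internal hosts reliably.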

43
Common Problems and Solutions
  • Site-to-Site VPN (cont.)
  • In the logs in NWADMN32 I have the messages
  • "Time synchronization error from connection XXX"
  • "(SKIP) Construction of SA failed for peer
    <IP_address>"
  • The VPN stays in the "Being configured" status
  • Check that the clocks on the servers are not
    more than one hour apart in UTC
  • Make sure that your ISP is not filtering any
    packet type

44
Common Problems and Solutions
  • Site-to-Site VPN (cont.)
  • When loading VPNCFG I get a lot of "undefined
    public symbols"
  • The TCPIP.NLM you are using doesn't support
    encryption
  • It was probably overwritten by a service pack
  • The VPN is up and running but I cannot contact
    the devices in the private segment
  • The VPN server should be the gateway to the
    Internet for the LAN

45
Common Problems and Solutions
  • Client-to-Site VPN
  • I can log in to the VPN but when I try to log in
    to NDS I get the "Tree or server not found"
    error message
  • Three solutions
  • Use IPX over the tunnel to login
  • Use the IP address of the server on the private
    LAN instead of the server name in the NetWare
    login screen
  • Set up an SLP DA in your LAN and configure the
    client to statically query that DA for service
    location

46
Common Problems and Solutions
  • Client-to-Site VPN (cont.)
  • The VPN is up and running but I cannot contact
    the devices in the private segment. The devices
    in the LAN access the Internet through a device
    that is NOT the VPN server.
  • Use a VPN server dedicated to the client to site
    VPN
  • Enable dynamic NAT on the PRIVATE interface only

47
Common Problems and Solutions
  • Client-to-Site VPN (cont.)
  • When I try to authenticate to the VPN I get the
    message "Unable to authenticate token password"
  • If you aren't using ActivCard, and you aren't
    using RADIUS, delete the Login Policy Object from
    NDS and delete the LPOCACHE.DAT file from the
    server
  • I am not able to use the VPN on Windows ME
  • That's right, the VPN client doesn't work on
    Windows ME!

48
For More Information
  • Novell Support web site
  • http://support.novell.com
  • Novell Documentation web site
  • www.novell.com/documentation
  • Novell public forums (best with news reader)
  • support-forums.novell.com (NNTP)
  • http://support.novell.com/forums
  • Other web sites
  • http://nscsysop.hypermart.net
  • www.connectotel.com
