
Thread: Novell BorderManager help needed

  1. #1
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130

    Novell BorderManager help needed

    Some of you may have read my previous posts regarding a small network I am required to set up as part of a networking / security project. I have reached a wall on this one and cannot find a solution, due mostly to my inexperience with NetWare. I have Googled and oogled and consulted every textbook I have available to me and am now blue in the face.

    The internals of the network are unimportant. What is important is that I am required to set up a private network within my college network which is protected by a Novell BorderManager firewall. All clients within this network are set up with static IP addresses currently, and can communicate with the NetWare box. The directory tree is visible, and all clients can authenticate to it and home drives are mapped correctly.

    The NetWare server is set up as a DNS proxy server, and internal clients are able to resolve DNS queries through it, whether to the school DNS servers or any other nameservers I specify on the gateway, so I am quite sure that the NetWare server has access to the Internet.

    I have successfully set up a Slackware box as a gateway (otherwise acting as the IDS) to an RFC1918 network, so I know it is possible to set up a private network within the school network; there is no security preventing me from doing so.

    However, I cannot access the Internet from anywhere behind the NetWare server / firewall. I am aware that NetWare, by default, turns off all security settings and everything must be specifically allowed for anything to work. To that effect, I have applied firewall rules at the top level context which *should* allow everything through the firewall (the security implications of this are at this point irrelevant; I simply want to get it working right now). NAT is enabled on the internal interface, and I have no reason to believe it is not functioning correctly.

    Given that the server has access outside the school network, and that internal clients can communicate with the server, is there some obvious setting I am missing which is preventing traffic from going through the firewall? Remember, I have zero experience with configuring and administering NetWare servers, and could be missing something which is quite obvious to even slightly experienced administrators.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.


  2. #2
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    I know nothing about Novell, but a few things I would look for:

    Is there an IP configuration section of the firewall to set up the IP, DNS, and Gateway for the firewall? Make sure that's configured properly.

    Make sure your clients are configured to use the borderwall as their default gateway.

    Make sure you're not blocking traffic on port 80 on the firewall.

    Have you tried setting the DNS servers to the ISP's DNS servers? Though using the NetWare box as a DNS server should work.

    That's all I can think of now, sorry I can't help you more, but I never deal with NetWare.

  3. #3
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Heya Cheyenne, long time no talk. I see your postwhoring has calmed down a lot.

    Is there an IP configuration section of the firewall to set up the IP, DNS, and Gateway for the firewall?
    Yes. Done.

    Make sure your clients are configured to use the borderwall as their default gateway.
    Already done.

    Make sure you're not blocking traffic on port 80 on the firewall.
    Nope. Everything is allowed through.

    Have you tried setting the DNS servers to the ISP's DNS servers? Though using the NetWare box as a DNS server should work.
    That would be the secondary nameserver (one of them anyway). No joy.

    I've done everything I can think of and still no luck. I checked all your ideas over though, never hurts to double check. Thanks.

    BorderManager hates me.

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    hmm..

    I'm gonna go to bed, but gonna think about that one. Not sure why that wouldn't work.

    If you have all your IP info set up correctly.


    You can ping on the inside behind the borderwall, but once you try to ping outside, you get no reply? Did you say that DNS names resolved on your private network like google.com, yahoo.com etc?

  5. #5
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Yes. But the queries don't go through it. It's a proxy DNS server, so it gets the query, and then itself queries the school nameservers, and then sends a reply back to the clients inside the network.

    So I can get to the gateway, and from the gateway, but not through the gateway.

    A web proxy on the NetWare box will let me browse the Internet, too, but still, I'm not going through it, it just does it all for me. I'm basically skipping over all the guts of the firewall because I can't get it to work.

    BorderManager hates me. RRRRRRGH!&$%@^!

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    742
    May be a longshot, but have you launched NWADMIN32 and set up the user/client rules for BorderManager?

    With NWADMIN (or iManager, methinks) you can control the client/user proxy permissions, and with FILTCFG from the NetWare command line you can configure the global settings (host/network etc). I have seen cases where 'allow all' in FILTCFG does not allow any clients to access the Internet because it's blocked in NDS.

    Possible solution: install the BorderManager snap-ins and launch NWADMIN, then configure BorderManager access rules and behavior on the BorderManager server object. This is not best practice, but you do see the result quickly and can move/recreate the rules on another OU where they're better applied, depending on where you have your users etc., once you have confirmed that it's working as intended.

    Signed ~Micael

  7. #7
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I have NO experience with NetWare, but it sounded interesting and who knows, fresh eyes may see something you missed. You did not state what versions you were running. I will offer my help (FWIW) in the form of questions with links I found which prompted those questions. Although answering them to me may not help, answering them to yourself or others on AO may help you.

    BorderManager Firewall Technologies

    1) When you installed, did you enable "Access Control" ?
    Overview of Access Control
    If you choose to enforce access control on a BorderManager server, the service is enabled and you must create access control rules for BorderManager to function properly. Otherwise, all access requests are denied because the single default access rule is a Deny Any rule.
    2) What type of Caching did you specify? Passive caching, Active caching, Negative caching, Hierarchical caching
    Overview of Proxy Services


    3) Did you set up Proxy Authentication?
    Troubleshooting Proxy Services
    "And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  8. #8
    Junior Member
    Join Date
    Nov 2004
    Posts
    13
    Ensure that authentication is disabled (via NWAdmin32). In addition, are you doing any type of NAT via the BorderManager solution? If not, you may need to implement your NAT rule to convert your internal networks to a public (Many to One).

    Novell assumes that your BorderManager system is directly connected to the Internet and requires NAT or some form of address translation.

    I know this was asked above, but do you have Proxy/Cache enabled as well or just the firewall component? Have you validated that your ALLOW rules are properly defined? Can you PING or traceroute from the Netware server that's hosting BorderManager (to the Internet)?

  9. #9
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Hmmm... I'm not sure if authentication is disabled. If it were, how would I then log in to the server? Remember, the BorderManager box is also the file server. I'll try it anyway though.

    As for ping and traceroute, the school blocks echo requests from leaving the network. Quite a source of frustration for problems like this.

    To my knowledge, the allow rules are properly defined. I have also told BorderManager not to enforce access rules, and that didn't work either. I think there may be a problem with the tree structure at this point.

    Thanks for your help.
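Because echo requests are blocked at the school's border (post #9), a plain TCP connect can stand in for ping when separating "to the gateway" from "through the gateway" (post #5). The following is an added example, not something posted in the thread; the addresses are documentation-range placeholders and the proxy port is an assumption.

```python
import errno
import socket

def tcp_probe(host, port, timeout=3.0):
    """One TCP connect attempt: 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # an RST came back, so packets travel both ways
    except socket.timeout:
        return "timeout"      # the SYN or its reply was silently dropped
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"   # no route, locally or reported by a router
        raise

def interpret(to_gateway, through_gateway):
    """Map the two probe results onto the to/through distinction."""
    if through_gateway == "open":
        return "forwarding and NAT work for this port"
    if through_gateway == "refused":
        return "something answered with RST: the target or a rejecting filter"
    if through_gateway == "unreachable":
        return "no route: check the client's default gateway and the server's routes"
    if to_gateway == "open":
        return "gateway reachable, forwarded traffic dropped: check filters, NAT, IP forwarding"
    return "gateway service not reachable either: check the internal segment first"

if __name__ == "__main__":
    # Placeholder addresses (documentation ranges), not values from the thread.
    GATEWAY_PROXY = ("192.0.2.1", 8080)     # assumed proxy port on the gateway
    EXTERNAL_WEB = ("198.51.100.10", 80)    # any external host, by IP to skip DNS
    to_gw = tcp_probe(*GATEWAY_PROXY)
    through = tcp_probe(*EXTERNAL_WEB)
    print(to_gw, through, "->", interpret(to_gw, through))
```

Run it from a client behind the firewall; a "timeout" on the external probe alongside an "open" gateway probe matches the symptom described in the thread.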
