
Troubleshooting Novell BorderManager®



Presentation Transcript


  1. Troubleshooting Novell BorderManager® Craig Johnson Novell SysOp craigsj@ix.netcom.com http://nscsysop.hypermart.net Caterina Luppi Novell SysOp caterina@wirediguana.com Shaun Pond Novell Consulting, UK spond@novell.com

  2. Session Agenda • BorderManager® components • Troubleshooting tools and techniques • Common problems and solutions • Questions and answers

  3. BorderManager Components • BorderManager is modular • Proxies (forward and reverse) • Access control • Gateways (IPX/IP, IP/IP, SOCKS) • VPN • RADIUS • Dial services • Routing and filtering, including stateful filtering (3.x)

  4. BorderManager Components

  5. BorderManager Components • It is critical to understand the layers that BorderManager services are built on • Network layer–filters, and routing • The proxies do not work on this layer, but they depend on it to function • The support for the network layer is included in the NetWare® operating system • Application, session layers–proxies, gateways and access control • This layer is provided by BorderManager • Get routing working before worrying about proxies

  6. BorderManager Components • Network layer considerations • Default filters and exceptions provide basic network layer functionality for proxy, gateways and VPN • The proxies do not create the filter exceptions as needed • Default exceptions do not cover a secondary IP address • Bypassing the proxies requires extra work to be done using filter exceptions and ensuring routing is correct

  7. BorderManager Components • Proxies • Proxies listen on certain ports on certain IP addresses • Some proxies listen on all IP addresses, others only on IP addresses defined as private • Acceleration listens on IP addresses defined as public • Proxies need to have filter exceptions defined in order to function • Most, but not all, proxy traffic is allowed with the default filter exceptions

  8. BorderManager Components • Proxies • Why doesn’t proxy need routing enabled? • It regenerates traffic on an interface, and does not just route traffic between interfaces • Why does bypassing proxy need routing enabled? • Because if you bypass proxies, the only method left to move packets is to route them between interfaces, which means routing must be enabled, and filter exceptions must be added

  9. BorderManager Components • Access control list (access rules) • Access rules control the use of the proxies, IP gateway and VPN • Access rules are read from top to bottom • Access rules can be inherited • Only one access rule is ever actually used • There is a default access rule—Deny All

  10. BorderManager Components • Access control list (cont.) • Only a few proxies use Novell Directory Services® (NDS®)-based access rules • HTTP proxy, FTP proxy, transparent (HTTP) proxy and transparent telnet proxy can use NDS-based access rules • You must enable Proxy Authentication to make use of an NDS-based access rule • If the client does not proxy authenticate, it cannot use NDS-based access rules, and will skip over them

  11. BorderManager Components • How Proxy Authentication works • Proxy Authentication is initiated by the BorderManager server • The BorderManager server asks the source IP address for NDS information • The source IP address responds, via CLNTRUST or SSL login (Must be logged in for CLNTRUST to work) • The BorderManager server remembers an authenticated connection for some time

  12. BorderManager Components • RADIUS • Used to link authentication request from dial-up system through to NDS account • Any RADIUS-compliant access system can work with BorderManager RADIUS • BorderManager NIAS dial-up is not RADIUS-compliant • May need a Login Policy Object

  13. BorderManager Components • The IPX/IP and IP/IP gateways • Necessary for the clients with ONLY the IPX protocol • Alternative to the proxies and NAT for clients with IP • Simple to configure (no need to configure routing at the client) but not flexible • ALL traffic is directed from the workstations to the BorderManager server, including the local traffic • Performance slower than NAT/proxies (work at the session layer of the model)

  14. BorderManager Components • The IPX/IP and IP/IP gateways (cont.) • Need a dedicated component of the client installed on the workstations (“IP gateway”) • Only for Windows workstations running the NetWare Client 32™ • The applications must be Winsock compliant (no native TCP/IP) • Access rules for ANY port and protocol • Warning: “mature product”

  15. BorderManager Components • Virtual Private Networks (VPN) • Two types of VPN • Site-to-site • Client-to-site • Site-to-site VPN links two LANs together with an “encrypted tunnel” • Client-to-site VPN allows a remote PC to make a secure connection to a LAN over the Internet

  16. BorderManager Components • The site-to-site VPN • It is mainly based on routing • An encrypted tunnel links two or more LANs connected to the same VPN • Traffic passes through the tunnel because a static route makes the tunnel the lowest cost route • Traffic passing through the tunnel is encrypted and decrypted at the VPN server • No need for special software at the workstations (it supports all client OSes)

  17. BorderManager Components • The client-to-site VPN • It is established between a client, running special software, and a VPN server • Both must be connected to the Internet • It provides secure access to the LAN and WAN behind the VPN server • The user must be authorized to establish the VPN with a username and through “Access Rules” • The client workstation must use MS Windows (Win 9x, NT, 2000)

  18. BorderManager Components • Miscellaneous components • BorderManager stores some configuration in NDS attributes of the server object • BorderManager can store access rules as user, group, container or BorderManager server attributes • Some proxy settings are stored in SYS:\ETC\PROXY\PROXY.CFG • Filters are stored in SYS:ETC\FILTERS.CFG • Routes are stored in SYS:ETC\GATEWAYS • BorderManager can use up to five different NLS licenses

  19. Troubleshooting Tools and Techniques • What isn’t working? • Define the scope of the problem • One proxy? • An access rule? • Inbound traffic? • NAT? • What changed recently? • Simplify, simplify, simplify • Start from the bottom of the OSI model • Is a cable plugged in? • Is routing, filtering or NAT involved? • Is a proxy or access rule involved? • Disable features to isolate the problem

  20. Troubleshooting Tools and Techniques • Techniques for isolating problems • Uncheck Enforce Rules • Disable filters—Unload IPFLT.NLM • SET NAT DYNAMIC MODE TO PASS THRU=ON (or disable NAT Implicit Filtering in INETCFG) • Reboot • Does the problem go away?

  21. Troubleshooting Tools and Techniques • Techniques for isolating problems • Have you applied the latest patches? • Do you know what the latest patches are? • http://support.novell.com/misc/patlst.htm • Novell public forums • http://nscsysop.hypermart.net • Look for error messages on the server console, especially when BorderManager first starts • Look for NDS issues

  22. Troubleshooting Tools and Techniques • Techniques for isolating problems • Does the internal host see the BorderManager server? • Is the internal host configured to use the BorderManager service? • HTTP proxy settings, IP gateway service, SOCKS settings • Is a proxy seeing the traffic? • See Proxy Console Statistics

  23. Troubleshooting Tools and Techniques • General connectivity and routing diagnostic tools • PING—to verify IP connectivity between two hosts • TRACERT/IPTRACE.NLM—to check every hop between two hosts • SET TCP IP DEBUG=1—to dump the TCP/IP packets on the server console (=0 turns it off) • SET FILTER DEBUG=ON (followed by the appropriate action)—to see only certain types of packets, useful on busy servers • CONLOG.NLM—the console log, to capture the output of the debug to the SYS:ETC\CONSOLE.LOG file • TCPCON.NLM—to check the effective routing table of the server • NETMON.NLM—capture trace data on the server • Third party network analyzer

  24. Troubleshooting Tools and Techniques • Deciphering TCP IP DEBUG data • Packets not getting to the server = a routing problem • Packets reaching the server public side and being ignored = NAT implicit filtering • Packets not going out = a missing default route • Packets being discarded = filters are dropping the packets • Packets going out the public interface, with no responses coming back = NAT is needed • Packets going to an internal host (via Static NAT or VPN) with no response = missing default gateway on the internal host

  25. Troubleshooting Tools and Techniques • Packet filtering • FILTCFG.NLM: to see what filter exceptions are in place • UNLOAD IPFLT to make sure it is actually a filtering issue • SET TCP IP DEBUG=1: to dump the TCP/IP packets on the server console (=0 turns it off) • Look for the “DISCARDED” packets • SET FILTER DEBUG=ON, for 3.x only, to see selected types of IP packets

  26. Troubleshooting Tools and Techniques • Proxy and access rules • Access rule logging, to see what is being denied (or allowed) • Back up your rules (use Clipboard Viewer) before experimenting • Proxy console statistics, to see what the proxies are seeing • NWADMN32, to see if licenses are being used • Simple notes relating when and where problems occur

  27. Troubleshooting Tools and Techniques • Are access rules seemingly being ignored? • Is Enforce Access Rules checked? • A rule higher in the list may be taking precedence • Check effective rules—you might be inheriting rules • An NDS rule will be ignored (skipped) if the internal PC is not proxy authenticated • Adding a rule with logging enabled can help find out what is being seen by the BorderManager server • “Authenticate Only when user attempts to access a restricted page”—use with care
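The rule-evaluation behaviour described on slides 9, 10 and 27 (top-to-bottom, first match wins, NDS-based rules skipped for clients that are not proxy authenticated, implicit Deny All at the end) can be modelled to reason about ordering mistakes before touching a live server. This is an added illustration, not Novell's code; the rule set, addresses and NDS names are constructed, and group/container matching is reduced to an exact name or "*" for any authenticated user.

```python
"""Model of BorderManager-style access rule evaluation (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    service: str                     # e.g. "http", "ftp", or "*" for any
    src_ip: Optional[str] = None     # IP-based source; None means any address
    nds_user: Optional[str] = None   # NDS-based source; "*" = any authenticated user
    log: bool = False                # slide 27: log what this rule sees

@dataclass
class Request:
    service: str
    src_ip: str
    nds_user: Optional[str] = None   # None means the client is not proxy authenticated

def evaluate(rules: List[Rule], req: Request,
             log_lines: Optional[list] = None) -> Tuple[str, str]:
    """Return (action, rule_name). Rules are read top to bottom and only the
    first matching rule is ever used; nothing matching means Deny All."""
    for rule in rules:
        if rule.service not in ("*", req.service):
            continue
        if rule.nds_user is not None:
            # NDS-based rule: skipped unless the client proxy authenticated
            if req.nds_user is None:
                continue
            if rule.nds_user != "*" and rule.nds_user != req.nds_user:
                continue
        elif rule.src_ip is not None and rule.src_ip != req.src_ip:
            continue
        if rule.log and log_lines is not None:
            log_lines.append(f"{rule.name}: {rule.action} {req.service} from {req.src_ip}")
        return rule.action, rule.name
    return "deny", "Default Deny All"

def demo() -> dict:
    """Constructed rule sets showing the 'rules in wrong sequence' problem
    (slide 31) and the skipped-NDS-rule problem (slide 27)."""
    wrong_order = [
        Rule("allow-all-http", "allow", "http"),                     # broad allow first
        Rule("deny-jsmith-http", "deny", "http", nds_user="jsmith.sales"),
    ]
    fixed_order = list(reversed(wrong_order))                        # specific deny first
    authed = Request("http", "10.1.1.50", nds_user="jsmith.sales")
    anon = Request("http", "10.1.1.50")                              # no CLNTRUST/SSL login
    return {
        "wrong_authed": evaluate(wrong_order, authed),   # deny never reached
        "fixed_authed": evaluate(fixed_order, authed),   # deny now fires
        "fixed_anon": evaluate(fixed_order, anon),       # NDS rule skipped, allow wins
        "ftp_anon": evaluate(fixed_order, Request("ftp", "10.1.1.50")),  # default deny
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```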

  28. Troubleshooting Tools and Techniques • Johnny can’t get a generic proxy for NTP to work • TCP Debug shows no data coming to server • Internal server on internally routed segment • Did not have a default route configured • Proxy Console, option 19, shows no traffic for proxy • Internal server not configured to point to proxy private IP address for NTP • Proxy Console, option 19, shows ACL rejects • No Allow Port 123 Access Rule configured • TCP Debug shows inbound traffic discarded • Did not allow UDP Port 123 to public IP address with filter exception

  29. Troubleshooting Tools and Techniques • IPX/IP and IP/IP gateways • Read TID 2928290 and 2928294 • Look at the Status in the IP gateway component in “Settings”, “Control Panel”, “Network” at the client • It is better not to specify the server context at all than to specify a wrong one • Use WINPING.EXE to check if you can ping (do not use the DOS ping) • IPXIPGW.NLM must be loaded • Check messages in the “Novell IP gateway access status” screen

  30. Troubleshooting Tools and Techniques • IPX/IP and IP/IP gateways (cont.) • To enable the gateway debug at the client, add the lines [Gwtraceinfo] and trace=4 to the c:\windows\novws.ini file; the output will be in C:\GWDBG32.TXT • To enable the gateway debug at the server, use SET NWGATEWAY DEBUG=(0-7) and SET NWGATEWAY LOG=ON; the output will be in SYS:\IPXIPGWx.LOG and it slows down the server

  31. Common Problems and Solutions • No default route/gateway on some host in the process • Check host, and all intervening routers • Did not install default filters • Load BRDCFG, follow prompts (secure the public IP address only) • Access rules in wrong sequence • Change the rule order

  32. Common Problems and Solutions • NDS-based rule, no proxy authentication • Must run CLNTRUST at client, or use SSL Authentication • Not all proxies use NDS-based rules • Licensing issues • See Novell TID 10013723 • Slow shutdown of server • Unload BorderManager services before downing server • Get BMOFF.NCF file at • http://nscsysop.hypermart.net/bmoff.html

  33. Common Problems and Solutions • NWADMN32 snapin issues • Rename the ACNWAUTH.DLL snapin to ACNWAUTH.DL_ • See http://nscsysop.hypermart.net/nwadmin.html • Proxy cache not on dedicated volume(s) • Always put cache on a dedicated volume, never SYS • BorderManager not tuned for performance • See TID 10018669

  34. Common Problems and Solutions • Mail proxy • Has had a number of issues over the years, be sure to check latest patches • LOAD PROXY -M to allow mail proxy to use more than one MX record when sending SMTP • LOAD BRDSRV /NOLOAD to prevent autoloading • DNS proxy • Don’t try with NAMED loaded on the server • May need to clear cached data by deleting the SYS:ETC\PROXY\PXYHOSTS file

  35. Common Problems and Solutions • HTTP proxy caching unwanted site/just added site as non-cacheable, but old site still comes up • Need to clear the (entire) cache as follows • Unload proxy • Delete SYS:ETC\PROXY\PXYHOSTS (optional) • Load Proxy –cc

  36. Common Problems and Solutions • Transparent proxy • Somewhat slower than HTTP proxy • Doesn’t do DNS lookup for the client • Client must be configured to do DNS • Logs web sites visited by IP address instead of URL • Does not support HTTPS/SSL • Massive TCP/IP communications failure • NETDB 4.09 manually loaded before INITSYS.NCF—load it after INITSYS, or let it autoload as needed

  37. Common Problems and Solutions • RADIUS • Dial access system—redundancy • Do you need a profile? • Attributes with attitude • RADATR3A.EXE • Testing: www.nttacplus.com/download/radping.cfm

  38. Common Problems and Solutions • IPX/IP and IP/IP gateway • I am using Novell Client 3.3, and the gateway status at the client is always “not connected” • The IP gateway component of the Client v.3.3 doesn’t work properly • Try to use Client 3.1 or 3.21 • In ZENworks all the workstations appear to have the IP address of the gateway • This is the way the gateway works • The workstations talk to the gateway, and the gateway communicates on their behalf with the other devices

  39. Common Problems and Solutions • IPX/IP and IP/IP gateway (cont.) • The browsers, IE more frequently, fail to connect to the gateway; Netscape returns the “unable to open socket connection” message • Make sure you are using the correct Winsock version at the client • For BorderManager 2.1 you must use the Novell Winsock I (the latest client version using this Winsock version is 2.5) • For BorderManager 3.x, use the MS Winsock II • This limitation applies only to the gateways

  40. Common Problems and Solutions • IPX/IP and IP/IP gateway (cont.) • I am using SSO authentication to the gateway, but when I try to use the HTTP proxy with authentication (to use ACL) I get the message “403 Forbidden, you are not logged in” • The IP gateway and the standard HTTP proxy cannot work together • If you want to use proxy authentication with the IP gateway you must use the Transparent HTTP proxy • SSL authentication to the HTTP proxy doesn’t work either • You can use the HTTP proxy without authentication

  41. Common Problems and Solutions • IPX/IP and IP/IP gateway (cont.) • How do I enable the transparent proxy for my IP gateway clients without affecting the users using the native TCP/IP stack? • To enable the transparent proxy for the IP gateway clients ONLY you can use the command line (at the server) • SET NWGATEWAY CLIENT TRANSPARENT PROXY=ON

  42. Common Problems and Solutions • Site-to-Site VPN • I configured the VPN between two servers. The VPN was established but I can’t reach the internal LAN • Make sure that your VPN tunnel IP address is in a different network from the private and the public IP addresses of the server, e.g. Public IP address 123.123.123.1, Private IP address 10.1.1.1, VPN tunnel IP address 192.168.1.1/255.255.255.0

  43. Common Problems and Solutions • Site-to-Site VPN (cont.) • In the logs in NWadmn32 I have the message “Time synchronization error from connection XXX (SKIP) Construction of SA failed for peer <IP_address>”, and the VPN stays in the “Being configured” status • Check that the time (clock) on the servers is not more than one hour apart in UTC • Make sure that your ISP is not filtering any packet type
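Two of the site-to-site VPN checks above (slides 42 and 43) are mechanical enough to script before raising the tunnel: the tunnel address must fall in a network that overlaps neither the public nor the private interface network, and the two servers' clocks must agree to within an hour. This is an added example, not Novell's tooling; the addresses come from slide 42, the /24 masks on the public and private interfaces are assumed (the slide only gives the tunnel mask), and the timestamps are constructed.

```python
"""Pre-flight checks for a BorderManager site-to-site VPN (added example)."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_interface

def tunnel_network_is_separate(public: str, private: str, tunnel: str) -> bool:
    """Each argument is 'addr/prefix' or 'addr/netmask'. True when the tunnel
    network overlaps neither the public nor the private network (slide 42)."""
    pub, priv, tun = (ip_interface(s).network for s in (public, private, tunnel))
    return not (tun.overlaps(pub) or tun.overlaps(priv))

def clocks_within_tolerance(local: datetime, peer: datetime,
                            tolerance: timedelta = timedelta(hours=1)) -> bool:
    """Compare two timezone-aware timestamps in UTC. A skew beyond the
    tolerance is the condition behind the SKIP time synchronization error
    on slide 43 (one hour is the limit the slide gives)."""
    skew = abs(local.astimezone(timezone.utc) - peer.astimezone(timezone.utc))
    return skew <= tolerance

def demo() -> tuple:
    # Slide 42 layout: public 123.123.123.1, private 10.1.1.1, tunnel 192.168.1.1/24.
    # The /24 on public and private is an assumption for this example.
    good = tunnel_network_is_separate("123.123.123.1/24", "10.1.1.1/24",
                                      "192.168.1.1/255.255.255.0")
    # Constructed misconfiguration: tunnel address taken from the private network.
    bad = tunnel_network_is_separate("123.123.123.1/24", "10.1.1.1/24",
                                     "10.1.1.254/255.255.255.0")
    # Constructed clocks: peer 59 minutes ahead (ok) vs 61 minutes ahead (error).
    t0 = datetime(2001, 5, 1, 12, 0, tzinfo=timezone.utc)
    ok_clock = clocks_within_tolerance(t0, t0 + timedelta(minutes=59))
    bad_clock = clocks_within_tolerance(t0, t0 + timedelta(minutes=61))
    return good, bad, ok_clock, bad_clock

if __name__ == "__main__":
    print(demo())
```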

  44. Common Problems and Solutions • Site-to-Site VPN (cont.) • When loading VPNCFG I get a lot of undefined public symbols • The TCPIP.NLM you are using doesn’t support encryption • It was probably overwritten by a service pack • The VPN is up and running but I cannot contact the devices in the private segment • The VPN server should be the gateway to the Internet for the LAN

  45. Common Problems and Solutions • Client-to-Site VPN • I can log in to the VPN but when I try to log in to NDS I get the “Tree or server not found” error message • Three solutions: • Use IPX over the tunnel to log in • Use the IP address of the server on the private LAN instead of the server name in the NetWare login screen • Set up an SLP DA in your LAN and configure the client to statically query that DA for service location

  46. Common Problems and Solutions • Client-to-Site VPN (cont.) • The VPN is up and running but I cannot contact the devices in the private segment; the devices in the LAN access the Internet through a device that is NOT the VPN server • Use a VPN server dedicated to the client-to-site VPN • Enable dynamic NAT on the PRIVATE interface only

  47. Common Problems and Solutions • Client-to-Site VPN (cont.) • When I try to authenticate to the VPN I get the message “Unable to authenticate token password” • If you aren’t using ActivCard, and you aren’t using RADIUS, delete the Login Policy Object from NDS and delete the LPOCACHE.DAT file from the server • I am not able to use the VPN on Windows ME • That’s right, the VPN client doesn’t work on Windows ME!

  48. For More Information • Novell Support web site • http://support.novell.com • Novell Documentation web site • www.novell.com/documentation • Novell public forums (best with news reader) • support-forums.novell.com (NNTP) • http://support.novell.com/forums • Other web sites • http://nscsysop.hypermart.net • www.connectotel.com
