Troubleshooting Novell BorderManager®
www.novell.com (session transcript; posted 22-Dec-2015)

Craig Johnson, Novell SysOp, [email protected], http://nscsysop.hypermart.net
Caterina Luppi, Novell SysOp, [email protected]
Shaun Pond, Novell Consulting, [email protected]
Session Agenda
• BorderManager® components
• Troubleshooting tools and techniques
• Common problems and solutions
• Questions and answers
BorderManager Components
• BorderManager is modular:
  – Proxies (forward and reverse)
  – Access control
  – Gateways (IPX/IP, IP/IP, SOCKS)
  – VPN
  – RADIUS
  – Dial services
  – Routing and filtering, including stateful filtering (3.x)
BorderManager Components
• Where the components sit in the OSI model

  OSI layer      BorderManager components
  Application    Proxies, access control
  Presentation   VPN
  Session        Gateways (IPX/IP, IP/IP, SOCKS), VPN
  Transport      VPN
  Network        Packet filtering, Network Address Translation (NAT), VPN
  Data link      Packet filtering, VPN
  Physical       N/A
BorderManager Components
• It is critical to understand the layers that BorderManager services are built on
  – Network layer: filters and routing. The proxies do not work at this layer, but they depend on it to function. Support for the network layer is part of the NetWare® operating system.
  – Application and session layers: proxies, gateways and access control. These are provided by BorderManager.
• Get routing working before worrying about proxies
BorderManager Components
• Network layer considerations
  – The default filters and exceptions provide the basic network-layer access needed by the proxies, gateways and VPN
  – The proxies do not create the filter exceptions they need; if the default exceptions do not cover a proxy's traffic, you must add them yourself (the generic NTP proxy example later in this session is a case in point)
  – The default exceptions do not cover a secondary IP address
  – Bypassing the proxies takes extra work: filter exceptions must be added and routing must be correct
BorderManager Components
• Proxies
  – Proxies listen on certain ports on certain IP addresses
  – Some proxies listen on all IP addresses, others only on addresses defined as private
  – Acceleration (reverse proxy) listens on addresses defined as public
  – Proxies need filter exceptions in order to function; most, but not all, proxy traffic is allowed by the default filter exceptions
BorderManager Components
• Proxies (cont.)
  – Why doesn't a proxy need routing enabled? Because it regenerates the traffic on the other interface as its own connection; it does not route packets between interfaces
  – Why does bypassing a proxy need routing enabled? Because once you bypass the proxy, the only way left to move packets is to route them between the interfaces, so routing must be enabled and filter exceptions must be added
BorderManager Components
• Access control list (access rules)
  – Access rules control the use of the proxies, the IP gateway and the VPN
  – Access rules are read from top to bottom
  – Access rules can be inherited
  – Only one access rule is ever actually used: the first one that matches
  – There is a default access rule at the bottom of the list: Deny All
BorderManager Components
• Access control list (cont.)
  – Only a few proxies use Novell Directory Services® (NDS®)-based access rules: the HTTP proxy, FTP proxy, transparent (HTTP) proxy and transparent Telnet proxy
  – You must enable Proxy Authentication to make use of an NDS-based access rule
  – If the client does not proxy-authenticate, it cannot use NDS-based access rules; they are skipped over, and a later rule (or the default Deny All) decides
BorderManager Components
• How Proxy Authentication works
  – Proxy Authentication is initiated by the BorderManager server
  – The BorderManager server asks the source IP address for NDS information
  – The source IP address responds, via CLNTRUST or SSL login (the workstation must already be logged in to NDS for CLNTRUST to work)
  – The BorderManager server remembers an authenticated connection for some time
BorderManager Components
• RADIUS
  – Used to link an authentication request from a dial-up system through to an NDS account
  – Any RADIUS-compliant access system can work with BorderManager RADIUS
  – The BorderManager NIAS dial-up service is not RADIUS-compliant
  – May need a Login Policy Object
BorderManager Components
• The IPX/IP and IP/IP gateways
  – Necessary for clients that have ONLY the IPX protocol
  – An alternative to the proxies and NAT for clients with IP
  – Simple to configure (no routing to configure at the client) but not flexible
  – ALL traffic is directed from the workstations to the BorderManager server, including local traffic
  – Performance is slower than NAT or the proxies (the gateways work at the session layer of the model)
BorderManager Components
• The IPX/IP and IP/IP gateways (cont.)
  – Need a dedicated component of the client installed on the workstations ("IP gateway")
  – Only for Windows workstations running the NetWare Client32™
  – The applications must be Winsock-compliant (no native TCP/IP)
  – Access rules can be written for ANY port and protocol
  – Warning: "mature product"
BorderManager Components
• Virtual Private Networks (VPN): two types
  – Site-to-site: links two LANs together with an "encrypted tunnel"
  – Client-to-site: allows a remote PC to make a secure connection to a LAN over the Internet
BorderManager Components
• The site-to-site VPN
  – It is mainly based on routing
  – An encrypted tunnel links two or more LANs connected to the same VPN
  – Traffic passes through the tunnel because a static route makes the tunnel the lowest-cost route
  – Traffic passing through the tunnel is encrypted and decrypted at the VPN servers
  – No special software is needed at the workstations (any client OS is supported)
BorderManager Components
• The client-to-site VPN
  – Established between a client running special software and a VPN server; both must be connected to the Internet
  – Provides secure access to the LAN and WAN behind the VPN server
  – The user must be authorized to establish the VPN: with a username, and through Access Rules
  – The client workstation must run MS Windows (Win 9x, NT, 2000)
BorderManager Components
• Miscellaneous components
  – BorderManager stores some configuration in NDS attributes of the server object
  – BorderManager can store access rules as user, group, container or BorderManager server attributes
  – Some proxy settings are stored in SYS:ETC\PROXY\PROXY.CFG
  – Filters are stored in SYS:ETC\FILTERS.CFG
  – Routes are stored in SYS:ETC\GATEWAYS
  – BorderManager can use up to five different NLS licenses
Troubleshooting Tools and Techniques
• What isn't working? Define the scope of the problem
  – One proxy? An access rule? Inbound traffic? NAT?
  – What changed recently?
• Simplify, simplify, simplify
• Start from the bottom of the OSI model
  – Is a cable plugged in?
  – Is routing, filtering or NAT involved?
  – Is a proxy or access rule involved?
• Disable features to isolate the problem
Troubleshooting Tools and Techniques
• Techniques for isolating problems
  – Uncheck Enforce Rules
  – Disable filters: UNLOAD IPFLT.NLM
  – SET NAT DYNAMIC MODE TO PASS THRU=ON (or disable NAT Implicit Filtering in INETCFG)
  – Reboot
  – Does the problem go away? Then re-enable one feature at a time until it comes back. With IPFLT unloaded and rules unenforced the server is wide open, so put the filters and rules back as soon as the test is done
Troubleshooting Tools and Techniques
•Techniques for isolating problems Have you applied the latest patches? Do you know what the latest patches are?
• http://support.novell.com/misc/patlst.htm• Novell public forums• http://nscsysop.hypermart.net
Look for error messages on the server console, especially when BorderManager first starts
Look for NDS issues
Troubleshooting Tools and Techniques
• Techniques for isolating problems (cont.)
  – Does the internal host see the BorderManager server?
  – Is the internal host configured to use the BorderManager service? (HTTP proxy settings, IP gateway service, SOCKS settings)
  – Is a proxy seeing the traffic? See the Proxy Console statistics
Troubleshooting Tools and Techniques
• General connectivity and routing diagnostic tools
  – PING: verify IP connectivity between two hosts
  – TRACERT / IPTRACE.NLM: check every hop between two hosts
  – SET TCP IP DEBUG=1: dump the TCP/IP packets on the server console (=0 turns it off)
  – SET FILTER DEBUG=ON (followed by the appropriate action): see only certain types of packets, useful on busy servers
  – CONLOG.NLM: the console log, to capture the debug output to SYS:ETC\CONSOLE.LOG
  – TCPCON.NLM: check the effective routing table of the server
  – NETMON.NLM: capture trace data on the server
  – Third-party network analyzer
Troubleshooting Tools and Techniques
• Deciphering TCP IP DEBUG data
  – Packets not getting to the server = a routing problem
  – Packets arriving at the server's public side and being ignored = NAT implicit filtering
  – Packets not going out = a missing default route
  – Packets being discarded = filters are dropping the packets
  – Packets going out the public interface with no responses coming back = NAT is needed
  – Packets going to an internal host (via static NAT or VPN) with no response = missing default gateway on the internal host
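The rules of thumb above can be applied mechanically to a CONSOLE.LOG capture. The script below is an added example, not part of the session and not Novell's code; the line layout it parses (event, pktid, src->dst, ttl, protocol, ports) is an approximation written for this example, so compare it with a few real lines from SYS:ETC\CONSOLE.LOG and adjust the regular expression before trusting it. The sample capture is constructed; 10.1.1.0/24 is the private LAN, 192.0.2.1 the server's public address, 198.51.100.5 an Internet NTP server, and the 203.0.113.x hosts are outside clients. It implements four of the six rules: DISCARDED means filters, a private source routed out with no reply means NAT is missing, a packet forwarded to an internal host with no reply means that host has no default gateway, and a host that never shows up at all points at routing in front of the server.

```python
"""Triage of a SET TCP IP DEBUG=1 capture (added example, not from the session
or from Novell). LINE is an approximation of the console dump written for this
example; check real SYS:ETC\\CONSOLE.LOG lines and adjust it first."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

LINE = re.compile(
    r"^(?P<event>RECEIVE|SEND|FORWARD|DISCARDED):\s+pktid:(?P<pktid>[0-9A-Fa-f]+)\s+"
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)\s+ttl:(?P<ttl>\d+)\s+"
    r"\((?P<proto>[A-Z]+)\)\s+(?P<sport>\d+)->(?P<dport>\d+)"
)

# Constructed capture. 10.1.1.0/24 is the private LAN, 192.0.2.1 the server's
# public address, 198.51.100.5 an Internet NTP server, 203.0.113.x outside hosts.
SAMPLE_LOG = """\
RECEIVE: pktid:0A10 10.1.1.20->10.1.1.1 ttl:128 (UDP) 1024->123
SEND: pktid:0A11 192.0.2.1->198.51.100.5 ttl:64 (UDP) 1024->123
RECEIVE: pktid:0A12 198.51.100.5->192.0.2.1 ttl:50 (UDP) 123->1024
SEND: pktid:0A13 10.1.1.1->10.1.1.20 ttl:64 (UDP) 123->1024
FORWARD: pktid:0B01 10.1.1.30->198.51.100.5 ttl:127 (UDP) 2000->123
FORWARD: pktid:0B02 10.1.1.30->198.51.100.5 ttl:127 (UDP) 2000->123
RECEIVE: pktid:0C01 203.0.113.9->192.0.2.1 ttl:55 (TCP) 40112->25
DISCARDED: pktid:0C01 203.0.113.9->192.0.2.1 ttl:55 (TCP) 40112->25
RECEIVE: pktid:0D01 203.0.113.50->192.0.2.1 ttl:55 (TCP) 51000->80
FORWARD: pktid:0D01 203.0.113.50->10.1.1.80 ttl:54 (TCP) 51000->80
"""

Record = Dict[str, str]
Flow = Tuple[str, str, str, str, str]


def parse(text: str) -> List[Record]:
    """Keep the packet lines; any other console output is ignored."""
    matches = (LINE.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]


def _flow(r: Record) -> Flow:
    return (r["proto"], r["src"], r["sport"], r["dst"], r["dport"])


def _reply(r: Record) -> Flow:
    """The 5-tuple a response to packet r would carry."""
    return (r["proto"], r["dst"], r["dport"], r["src"], r["sport"])


def triage(records: List[Record], private_nets: Iterable[str],
           expected_clients: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (category, detail) findings, one per affected flow."""
    nets = [ipaddress.ip_network(n) for n in private_nets]

    def internal(ip: str) -> bool:
        return any(ipaddress.ip_address(ip) in n for n in nets)

    seen_flows = {_flow(r) for r in records if r["event"] != "DISCARDED"}
    seen_sources = {r["src"] for r in records}
    findings, done = [], set()
    for r in records:
        key = (r["event"], _flow(r))
        if key in done:
            continue                      # report each flow once, not per packet
        done.add(key)
        label = f"{r['proto']} {r['src']}:{r['sport']}->{r['dst']}:{r['dport']}"
        if r["event"] == "DISCARDED":
            findings.append(("filters", f"{label} discarded: add a filter exception"))
        elif r["event"] == "FORWARD" and internal(r["src"]) and not internal(r["dst"]):
            if _reply(r) not in seen_flows:   # private address leaked to the Internet
                findings.append(("nat", f"{label} left with a private source and got no reply: "
                                        "enable NAT or send it through a proxy"))
        elif r["event"] == "FORWARD" and internal(r["dst"]) and not internal(r["src"]):
            if _reply(r) not in seen_flows:   # static NAT / VPN target never answered
                findings.append(("internal-gateway", f"{label} forwarded in with no reply: "
                                                     f"check the default gateway on {r['dst']}"))
    for host in expected_clients:
        if host not in seen_sources:          # nothing from this host reached the server
            findings.append(("routing", f"nothing received from {host}: check its default "
                                        "route and the routers in between"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse(SAMPLE_LOG), ["10.1.1.0/24"],
                                   expected_clients=["10.1.1.40"]):
        print(f"{category:17} {detail}")
```

The private networks are passed in explicitly rather than taken from `ipaddress.is_private`, because that property also treats the documentation ranges used in the sample as private and, more importantly, because on a real server you know exactly which networks sit behind the private interface. Healthy proxy traffic (the SEND lines from the public address and their replies) produces no findings.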
Troubleshooting Tools and Techniques
• Packet filtering
  – FILTCFG.NLM: see what filter exceptions are in place
  – UNLOAD IPFLT: make sure it is actually a filtering issue (and LOAD IPFLT again when done; with it unloaded nothing is filtered)
  – SET TCP IP DEBUG=1: dump the TCP/IP packets on the server console (=0 turns it off); look for the "DISCARDED" packets
  – SET FILTER DEBUG=ON (3.x only): see selected types of IP packets
Troubleshooting Tools and Techniques
• Proxy and access rules
  – Access rule logging: see what is being denied (or allowed)
  – Back up your rules (use Clipboard Viewer) before experimenting
  – Proxy Console statistics: see what the proxies are seeing
  – NWADMN32: see if licenses are being used
  – Simple notes relating when and where problems occur
Troubleshooting Tools and Techniques
• Are access rules seemingly being ignored?
  – Is Enforce Access Rules checked?
  – A rule higher in the list may be taking precedence
  – Check the effective rules: you might be inheriting rules
  – An NDS rule will be ignored (skipped) if the internal PC is not proxy-authenticated
  – Adding a rule with logging enabled can help find out what the BorderManager server is seeing
  – "Authenticate only when user attempts to access a restricted page": use with care
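The rule-reading behaviour described under "Access control list" and the checklist just above can be reproduced in a few lines, which makes it easier to see why a rule "is being ignored". The model below is an added example, not Novell's code and not how the server is implemented internally; it only follows the stated behaviour: rules are read top to bottom, the first match is the only rule used, NDS-based rules are skipped for a client that has not proxy-authenticated, and an implicit Deny All sits at the bottom. The rule names, service names and users are invented for the demo, and the list is assumed to already be in the order NWADMN32 shows under Effective Rules (server rules plus inherited ones).

```python
"""Model of how BorderManager reads access rules (added example, not Novell's
code). Rules are read top to bottom, the first match decides, NDS rules are
skipped for clients that did not proxy-authenticate, Deny All is implicit."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "deny"
    service: str                       # "*" or e.g. "http-proxy"
    source: Optional[str] = None       # source IP prefix, None = any address
    nds_subject: Optional[str] = None  # NDS user/group/container; None = IP-based rule
    log: bool = False


@dataclass
class Request:
    service: str
    source_ip: str
    nds_identity: Optional[str] = None  # None = client did not proxy-authenticate
    memberships: Tuple[str, ...] = ()   # groups/containers of the authenticated user


DEFAULT_DENY = Rule("Default Deny All", "deny", "*")


def rule_matches(rule: Rule, req: Request) -> bool:
    """Service, source prefix and (for NDS rules) identity must all match."""
    if rule.service not in ("*", req.service):
        return False
    if rule.source is not None and not req.source_ip.startswith(rule.source):
        return False
    if rule.nds_subject is not None:
        return rule.nds_subject == req.nds_identity or rule.nds_subject in req.memberships
    return True


def evaluate(rules: List[Rule], req: Request,
             log: Optional[List[str]] = None) -> Tuple[str, str]:
    """Walk the effective rule list top to bottom; the first match decides.

    `rules` must be in the order shown under Effective Rules in NWADMN32,
    since that is the order the server reads them in.
    Returns (action, name of the deciding rule)."""
    for rule in rules + [DEFAULT_DENY]:
        if rule.nds_subject is not None and req.nds_identity is None:
            if log is not None:
                log.append(f"SKIP  '{rule.name}': {req.source_ip} is not proxy-authenticated")
            continue                      # NDS rule skipped, never evaluated
        if rule_matches(rule, req):
            if rule.log and log is not None:
                log.append(f"{rule.action.upper():5} {req.source_ip} {req.service} "
                           f"by rule '{rule.name}'")
            return rule.action, rule.name
    raise AssertionError("unreachable: Default Deny All matches every request")


def why_not_applied(rules: List[Rule], req: Request, expected: str) -> str:
    """Explain why the rule called `expected` did not decide this request."""
    action, decided_by = evaluate(rules, req)
    if decided_by == expected:
        return f"'{expected}' did apply ({action})"
    target = next((r for r in rules if r.name == expected), None)
    if target is None:
        return f"'{expected}' is not in the effective rule list (check inheritance)"
    if target.nds_subject is not None and req.nds_identity is None:
        return f"'{expected}' is an NDS rule and the client did not proxy-authenticate"
    if not rule_matches(target, req):
        return f"'{expected}' does not match this request (service, source or identity)"
    return f"'{expected}' is shadowed by the earlier rule '{decided_by}' ({action})"


# Constructed effective rule list for the demo, in top-to-bottom order.
RULES = [
    Rule("Allow NTP from LAN", "allow", "generic-proxy/udp-123", source="10.1."),
    Rule("Deny Guests HTTP", "deny", "http-proxy", nds_subject="Guests", log=True),
    Rule("Allow Staff HTTP", "allow", "http-proxy", nds_subject="Staff"),
]

if __name__ == "__main__":
    anon = Request("http-proxy", "10.1.1.5")                      # no CLNTRUST / SSL login
    alice = Request("http-proxy", "10.1.1.5", "alice", ("Staff",))
    bob = Request("http-proxy", "10.1.1.5", "bob", ("Guests", "Staff"))
    for req in (anon, alice, bob):
        print(req.nds_identity, evaluate(RULES, req))
    print(why_not_applied(RULES, anon, "Allow Staff HTTP"))
    print(why_not_applied(RULES, bob, "Allow Staff HTTP"))
```

Running it shows the two failure modes from the checklist: the unauthenticated client falls through both NDS rules to Default Deny All (so "Allow Staff HTTP" never fires, however correct it is), and bob, who is in both groups, is denied by the higher "Deny Guests HTTP" rule; swapping the two rules flips his result, which is exactly the "rules in the wrong sequence" problem.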
Troubleshooting Tools and Techniques
• Johnny can't get a generic proxy for NTP to work: four symptoms, four different causes
  – TCP IP DEBUG shows no data coming to the server: the internal server sits on an internally routed segment and had no default route configured
  – Proxy Console, option 19, shows no traffic for the proxy: the internal server was not configured to point to the proxy's private IP address for NTP
  – Proxy Console, option 19, shows ACL rejects: no "Allow port 123" access rule was configured
  – TCP IP DEBUG shows inbound traffic discarded: no filter exception allowed UDP port 123 to the public IP address
Troubleshooting Tools and Techniques
• IPX/IP and IP/IP gateways
  – Read TIDs 2928290 and 2928294
  – Look at the Status in the IP gateway component under "Settings", "Control Panel", "Network" at the client
  – It is better not to specify the context of the server at all than to specify a wrong context
  – Use WINPING.EXE to check whether you can ping (do not use the DOS ping: it is not a Winsock application, so it never goes through the gateway)
  – IPXIPGW.NLM must be loaded; check the messages in the "Novell IP gateway access status" screen
Troubleshooting Tools and Techniques
• IPX/IP and IP/IP gateways (cont.)
  – To enable gateway debugging at the client, add these lines to c:\windows\novws.ini:
      [Gwtraceinfo]
      trace=4
    The output goes to C:\GWDBG32.TXT
  – To enable gateway debugging at the server:
      SET NWGATEWAY DEBUG=(0-7)
      SET NWGATEWAY LOG=ON
    The output goes to SYS:IPXIPGWx.LOG. This slows down the server, so turn it off when you are done
Common Problems and Solutions
• No default route/gateway on some host in the path: check the host and all intervening routers
• Did not install the default filters: LOAD BRDCFG and follow the prompts (secure the public IP address only)
• Access rules in the wrong sequence: change the rule order
Common Problems and Solutions
• NDS-based rule, no proxy authentication: must run CLNTRUST at the client, or use SSL authentication; remember that not all proxies use NDS-based rules
• Licensing issues: see Novell TID 10013723
• Slow shutdown of the server: unload the BorderManager services before downing the server; get the BMOFF.NCF file at http://nscsysop.hypermart.net/bmoff.html
Common Problems and Solutions
• NWADMN32 snap-in issues: rename the ACNWAUTH.DLL snap-in to ACNWAUTH.DL_; see http://nscsysop.hypermart.net/nwadmin.html
• Proxy cache not on dedicated volume(s): always put the cache on a dedicated volume, never on SYS
• BorderManager not tuned for performance: see TID 10018669
Common Problems and Solutions
• Mail proxy
  – Has had a number of issues over the years; be sure to check the latest patches
  – LOAD PROXY -M allows the mail proxy to use more than one MX record when sending SMTP
  – LOAD BRDSRV/NOLOAD prevents autoloading
• DNS proxy
  – Don't try it with NAMED loaded on the server
  – May need to clear cached data by deleting the SYS:ETC\PROXY\PXYHOSTS file
Common Problems and Solutions
• HTTP proxy is caching an unwanted site, or a site was just added as non-cacheable but the old content still comes up
  – The (entire) cache must be cleared: UNLOAD PROXY, delete SYS:ETC\PROXY\PXYHOSTS (optional), then LOAD PROXY -CC
Common Problems and Solutions
• Transparent proxy
  – Somewhat slower than the HTTP proxy
  – Doesn't do the DNS lookup for the client, so the client must be configured to do DNS itself
  – Logs web sites visited by IP address instead of URL
  – Does not support HTTPS/SSL
• Massive TCP/IP communications failure: NETDB 4.09 was manually loaded before INITSYS.NCF; load it after INITSYS, or let it autoload as needed
Common Problems and Solutions
• RADIUS
  – Dial access system: redundancy
  – Do you need a profile?
  – Attributes with attitude: RADATR3A.EXE
  – Testing: www.nttacplus.com/download/radping.cfm
Common Problems and Solutions
• IPX/IP and IP/IP gateway
  – I am using Novell Client 3.3, and the gateway status at the client is always "not connected": the IP gateway component of Client v3.3 doesn't work properly; try Client 3.1 or 3.21
  – In ZENworks all the workstations appear to have the IP address of the gateway: this is the way the gateway works; the workstations talk to the gateway, and the gateway communicates on their behalf with the other devices
Common Problems and Solutions
• IPX/IP and IP/IP gateway (cont.)
  – The browsers (IE more often) fail to connect to the gateway, and Netscape returns the "unable to open socket connection" message: make sure you are using the correct Winsock version at the client
    – For BorderManager 2.1 you must use the Novell Winsock I (the latest client version using this Winsock is 2.5)
    – For BorderManager 3.x, use the MS Winsock II
    This limitation applies only to the gateways
Common Problems and Solutions
• IPX/IP and IP/IP gateway (cont.)
  – I am using SSO authentication to the gateway, but when I try to use the HTTP proxy with authentication (to use ACLs) I get "403 Forbidden, you are not logged in": the IP gateway and the standard HTTP proxy cannot work together. If you want proxy authentication with the IP gateway you must use the Transparent HTTP proxy; SSL authentication to the HTTP proxy doesn't work either. You can use the HTTP proxy without authentication
Common Problems and Solutions
• IPX/IP and IP/IP gateway (cont.)
  – How do I enable the transparent proxy for my IP gateway clients without affecting the users on the native TCP/IP stack? To enable the transparent proxy for the IP gateway clients ONLY, use this command at the server console:
      SET NWGATEWAY CLIENT TRANSPARENT PROXY=ON
Common Problems and Solutions
• Site-to-site VPN
  – I configured the VPN between two servers; the VPN was established but I can't reach the internal LAN: make sure that the VPN tunnel IP address is in a different network from both the private and the public IP addresses of the server, e.g.
      Public IP address:      123.123.123.1
      Private IP address:     10.1.1.1
      VPN tunnel IP address:  192.168.1.1 / 255.255.255.0
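Because the tunnel is just another routed network, the addressing rule above can be checked before VPNCFG is ever run. The script below is an added example, not Novell's code; it takes the slide's three addresses with an assumed /24 mask on each interface and invents a second ("branch") server to stand for the peer. Beyond the slide's own rule (tunnel network distinct from the public and private networks), it also checks what a routed tunnel between two sites needs: both members on one tunnel subnet with distinct addresses, and private LANs that do not overlap each other or the peer's tunnel, since a static route cannot tell two identical networks apart.

```python
"""Sanity check for site-to-site VPN addressing (added example, not Novell's
code). Addresses are the slide's, with assumed /24 masks; 'branch' is invented."""
import ipaddress
from typing import Dict, List


def overlapping_interfaces(interfaces: Dict[str, str]) -> List[str]:
    """Report pairs of interfaces on one server whose networks overlap."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in interfaces.items()}
    names = sorted(nets)
    return [f"{a} ({nets[a]}) overlaps {b} ({nets[b]})"
            for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def check_vpn_addressing(servers: Dict[str, Dict[str, str]]) -> List[str]:
    """servers: name -> {"public", "private", "tunnel"} in address/prefix form.
    Returns a list of human-readable problems; empty means the plan is sound."""
    problems = []
    for name, ifs in servers.items():                 # the slide's rule, per server
        problems += [f"{name}: {p}" for p in overlapping_interfaces(ifs)]
    names = list(servers)
    for i, a in enumerate(names):                     # pairwise checks between members
        for b in names[i + 1:]:
            ta = ipaddress.ip_interface(servers[a]["tunnel"])
            tb = ipaddress.ip_interface(servers[b]["tunnel"])
            pa = ipaddress.ip_interface(servers[a]["private"]).network
            pb = ipaddress.ip_interface(servers[b]["private"]).network
            if ta.network != tb.network:
                problems.append(f"{a}/{b}: tunnel addresses {ta} and {tb} are not in one subnet")
            elif ta.ip == tb.ip:
                problems.append(f"{a}/{b}: both members use tunnel address {ta.ip}")
            if pa.overlaps(pb):
                problems.append(f"{a}/{b}: private LANs {pa} and {pb} overlap; "
                                "a static route cannot tell them apart")
            if ta.network.overlaps(pb) or tb.network.overlaps(pa):
                problems.append(f"{a}/{b}: tunnel network overlaps the peer's private LAN")
    return problems


# Constructed: the slide's addresses with /24 masks, plus an invented branch.
GOOD = {
    "hq":     {"public": "123.123.123.1/24", "private": "10.1.1.1/24", "tunnel": "192.168.1.1/24"},
    "branch": {"public": "123.123.124.1/24", "private": "10.2.2.1/24", "tunnel": "192.168.1.2/24"},
}
# Same plan, but the hq tunnel was given an address out of the private LAN.
BAD = {
    "hq":     {"public": "123.123.123.1/24", "private": "10.1.1.1/24", "tunnel": "10.1.1.200/24"},
    "branch": {"public": "123.123.124.1/24", "private": "10.2.2.1/24", "tunnel": "192.168.1.2/24"},
}

if __name__ == "__main__":
    print("good:", check_vpn_addressing(GOOD) or "no addressing problems")
    for problem in check_vpn_addressing(BAD):
        print("bad: ", problem)
```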
Common Problems and Solutions
• Site-to-site VPN (cont.)
  – In the NWADMN32 logs I see "Time synchronization error from connection XXX (SKIP) Construction of SA failed for peer <IP_address>" and the VPN stays in the "Being configured" status: check that the clocks of the servers are not more than one hour apart in UTC, and make sure your ISP is not filtering any packet type. SKIP is carried as its own IP protocol (number 57), not over TCP or UDP, so a filter that only passes TCP and UDP breaks it
Common Problems and Solutions
• Site-to-site VPN (cont.)
  – When loading VPNCFG I get a lot of undefined public symbols: the TCPIP.NLM you are using doesn't support encryption; it was probably overwritten by a service pack
  – The VPN is up and running but I cannot contact the devices in the private segment: the VPN server should be the gateway to the Internet for the LAN, otherwise the replies from the LAN go to another gateway and never enter the tunnel
Common Problems and Solutions
• Client-to-site VPN
  – I can log in to the VPN but when I try to log in to NDS I get the "Tree or server not found" error message. Three solutions:
    – Use IPX over the tunnel to log in
    – Use the IP address of the server on the private LAN instead of the server name in the NetWare login screen
    – Set up an SLP DA in your LAN and configure the client to statically query that DA for service location
Common Problems and Solutions
• Client-to-site VPN (cont.)
  – The VPN is up and running but I cannot contact the devices in the private segment; the devices in the LAN access the Internet through a device that is NOT the VPN server: use a VPN server dedicated to the client-to-site VPN and enable dynamic NAT on the PRIVATE interface only, so that the LAN hosts see the VPN server's private address as the source and their replies come back to it instead of going to the other gateway
Common Problems and Solutions
• Client-to-site VPN (cont.)
  – When I try to authenticate to the VPN I get "Unable to authenticate token password": if you aren't using ActivCard and you aren't using RADIUS, delete the Login Policy Object from NDS and delete the LPOCACHE.DAT file from the server
  – I am not able to use the VPN on Windows ME: that's right, the VPN client doesn't work on Windows ME!
For More Information
• Novell Support web site: http://support.novell.com
• Novell Documentation web site: www.novell.com/documentation
• Novell public forums (best with a news reader): support-forums.novell.com (NNTP), http://support.novell.com/forums
• Other web sites: http://nscsysop.hypermart.net, www.connectotel.com