Troubleshooting Novell BorderManager

1
Troubleshooting Novell BorderManager

• Craig Johnson
• Novell SysOp
• craigsj_at_ix.netcom.com
• http//nscsysop.hypermart.net
• Caterina Luppi
• Novell SysOp
• caterina_at_wirediguana.com
• Shaun Pond
• Novell Consulting, UK
• spond_at_novell.com

2
Session Agenda

• BorderManager components
• Troubleshooting tools and techniques
• Common problems and solutions
• Questions and answers

3
BorderManager Components

• BorderManager is modular
• Proxies (forward and reverse)
• Access control
• Gateways (IPX/IP, IP/IP, SOCKS)
• VPN
• RADIUS
• Dial services
• Routing and filtering, including stateful
  filtering (3.x)

4
BorderManager Components
Layers of OSI model BorderManager components
Application Proxies, access control
Presentation VPN
Session Gateways (IPX/IP, IP, SOCKS), VPN
Transport VPN
Network Packet filtering, Network Address Translation (NAT), VPN
Data link Packet filtering, VPN
Physical N/A
5
BorderManager Components

• It is critical to understand the layers that
  BorderManager services are built on
• Network layerfilters, and routing
• The proxies do not work on this layer, but they
  depend on it to function
• The support for the network layer is included in
  the NetWare operating system
• Application, session layersproxies, gateways and
  access control
• This layer is provided by BorderManager
• Get routing working before worrying about proxies

6
BorderManager Components

• Network layer considerations
• Default filters and exceptions provide basic
  network layer functionality for proxy, gateways
  and VPN
• The proxies do not create the filter exceptions
  as needed
• Default exceptions do not cover a secondary IP
  address
• Bypassing the proxies requires extra work to be
  done using filter exceptions and ensuring routing
  is correct

7
BorderManager Components

• Proxies
• Proxies listen on certain ports on certain IP
  addresses
• Some proxies listen on all IP addresses, others
  only on IP addresses defined as private
• Acceleration listens on IP addresses defined as
  public
• Proxies need to have filter exceptions defined in
  order to function
• Most, but not all, proxy traffic is allowed with
  the default filter exceptions

8
BorderManager Components

• Proxies
• Why doesnt proxy need routing enabled?
• It regenerates traffic on an interface, and does
  not just route traffic between interfaces
• Why does bypassing proxy need routing enabled?
• Because if you bypass proxies, the only method
  left to move packets is to route them between
  interfaces, which means routing must be enabled,
  and filter exceptions must be added

9
BorderManager Components

• Access control list (access rules)
• Access rules control the use of the proxies, IP
  gateway and VPN
• Access rules are read from top to bottom
• Access rules can be inherited
• Only one access rule is ever actually used
• There is a default access ruleDeny All

10
BorderManager Components

• Access control list (cont.)
• Only a few proxies use Novell Directory Services
  (NDS)-based access rules
• HTTP proxy, FTP proxy, transparent (HTTP) proxy
  and transparent telnet proxy can use NDS-based
  access rules
• You must enable Proxy Authentication to make use
  of an NDS-based access rule
• If the client does not proxy authenticate, it
  cannot use NDS-based access rules, and will skip
  over them

11
BorderManager Components

• How Proxy Authentication works
• Proxy Authentication is initiated by the
  BorderManager server
• The BorderManager server asks the source IP
  address for NDS information
• The source IP address responds, via CLNTRUST or
  SSL login (Must be logged in for CLNTRUST to
  work)
• The BorderManager server remembers an
  authenticated connection for some time

12
BorderManager Components

• RADIUS
• Used to link authentication request from dial-up
  system through to NDS account
• Any RADIUS-compliant access system can work with
  BorderManager RADIUS
• BorderManager NIAS dial-up is not
  RADIUS-compliant
• May need a Login Policy Object

13
BorderManager Components

• The IPX/IP and IP/IP gateways
• Necessary for the clients with ONLY the IPX
  protocol
• Alternative to the proxies and NAT for clients
  with IP
• Simple to configure (no need to configure routing
  at the client) but not flexible
• ALL traffic is directed from the workstations to
  the BorderManager server, including the local
  traffic
• Performance slower than NAT/proxies (work at the
  session layer of the model)

14
BorderManager Components

• The IPX/IP and IP/IP gateways (cont.)
• Need a dedicated component of the client
  installed on the workstations (IP gateway)
• Only for Windows workstations running the Netware
  Client 32
• The applications must be Winsock compliant(no
  native TCP/IP)
• Access rules for ANY port and protocol
• Warning mature product

15
BorderManager Components

• Virtual Private Networks (VPN)
• Two types of VPN
• Site-to-site
• Client-to-site
• Site-to-site VPN links two LANs together with an
  encrypted tunnel
• Client-to-site VPN allows a remote PC to make a
  secure connection to a LAN over the Internet

16
BorderManager Components

• The site-to-site VPN
• It is mainly based on routing
• An encrypted tunnel links two or more LANs
  connected to the same VPN
• Traffic passes through the tunnel because a
  static route makes the tunnel the lowest cost
  route
• Traffic passing through the tunnel is encrypted
  and decrypted at the VPN server
• No need of special software at the
  workstations(it supports all client OS)

17
BorderManager Components

• The client-to-site VPN
• It is established between a client, running
  special software, and a VPN server
• Both must be connected to the Internet
• It provides secure access to the LAN and WAN
  behind the VPN server
• The user must be authorized to establish the VPN
  with a username and through Access Rules
• The client workstation must use MS Windows(Win
  9x, NT, 2000)

18
BorderManager Components

• Miscellaneous components
• BorderManager stores some configuration in NDS
  attributes of the server object
• BorderManager can store access rules as user,
  group, container or BorderManager server
  attributes
• Some proxy settings are stored in
  SYS\ETC\PROXY\PROXY.CFG
• Filters are stored in SYSETC\FILTERS.CFG
• Routes are stored in SYSETC\GATEWAYS
• BorderManager can use up to five different NLS
  licenses

19
Troubleshooting Tools and Techniques

• What isnt working?
• Define the scope of the problem
• One proxy?
• An access rule?
• Inbound traffic?
• NAT?
• What changed recently?
• Simplify, simplify, simplify
• Start from the bottom of the OSI model
• Is a cable plugged in?
• Is routing, filtering or NAT involved?
• Is a proxy or access rule involved?
• Disable features to isolate the problem

20
Troubleshooting Tools and Techniques

• Techniques for isolating problems
• Uncheck Enforce Rules
• Disable filtersUnload IPFLT.NLM
• SET NAT DYNAMIC MODE TO PASS THRUON(or disable
  NAT Implicit Filtering in INETCFG)
• Reboot
• Does the problem go away?

21
Troubleshooting Tools and Techniques

• Techniques for isolating problems
• Have you applied the latest patches?
• Do you know what the latest patches are?
• http//support.novell.com/misc/patlst.htm
• Novell public forums
• http//nscsysop.hypermart.net
• Look for error messages on the server console,
  especially when BorderManager first starts
• Look for NDS issues

22
Troubleshooting Tools and Techniques

• Techniques for isolating problems
• Does the internal host see the BorderManager
  server?
• Is the internal host configured to use the
  BorderManager service?
• HTTP proxy settings, IP gateway service, SOCKS
  settings
• Is a proxy seeing the traffic?
• See Proxy Console Statistics

23
Troubleshooting Tools and Techniques
cat speaker notes present

• General connectivity and routing diagnostic tools
• PINGto verify IP connectivity between two hosts
• TRACERT/IPTRACE.NLMto check every hop between
  two hosts
• SET TCP IP DEBUG1to dump the TCP/IP packets on
  the server console (0 turns it off)
• SET FILTER DEBUGON, (followed by appropriate
  action) see only certain types of packets,
  useful on busy servers
• CONLOG.NLMthe console log, to capture the output
  of the debug to the SYSETC\CONSOLE.LOG file
• TCPCON.NLMto check the effective routing table
  of the server
• NETMON.NLMcapture trace data on the server
• Third party network analyzer

24
Troubleshooting Tools and Techniques

• Deciphering TCP IP DEBUG data
• Packets not getting to the server a routing
  problem
• Packets to the server public side and
  beingignored NAT implicit filtering
• Packets not going out a missing default route
• Packets being discarded filters are dropping
  the packets
• Packets going out the public interface, with no
  responses coming back NAT is needed
• Packets going to an internal host (via Static NAT
  or VPN) with no response missing default
  gateway on internal host

25
Troubleshooting Tools and Techniques

• Packet filtering
• FILTCFG.NLM to see what filter exceptions are in
  place
• UNLOAD IPFLT to make sure it is actually a
  filtering issue
• SET TCP IP DEBUG1 to dump the TCP/IP packets on
  the server console (0 turns it off)
• Look for the DISCARDED packets
• SET FILTER DEBUGON, for 3.x only, to see
  selected types of IP packets

26
Troubleshooting Tools and Techniques

• Proxy and access rules
• Access rule logging, see what is being denied (or
  allowed)
• Backup your rules (use Clipboard Viewer) before
  experimenting
• Proxy console statistics, see what the proxies
  are seeing
• NWADMN32, see if licenses are being used
• Simple notes relating when and where problems
  occur

27
Troubleshooting Tools and Techniques

• Are access rules seemingly being ignored
• Is Enforce Access Rules checked?
• A rule higher in the list may be taking
  precedence
• Check effective rulesyou might be inheriting
  rules
• An NDS rule will be ignored (skipped) if the
  internal PC is not proxy authenticated
• Adding a rule with logging enabled can help find
  out what is being seen by the BorderManager
  server
• Authenticate Only when user attempts to access a
  restricted pageuse with care

28
Troubleshooting Tools and Techniques

• Johnny cant get a generic proxy for NTP to work
• TCP Debug shows no data coming to server
• Internal server on internally routed segment
• Did not have a default route configured
• Proxy Console, option 19, shows no traffic for
  proxy
• Internal server not configured to point to proxy
  private IP address for NTP
• Proxy Console, option 19, shows ACL rejects
• No Allow Port 123 Access Rule configured
• TCP Debug shows inbound traffic discarded
• Did not allow UDP Port 123 to public IP address
  with filter exception

29
Troubleshooting Tools and Techniques

• IPX/IP and IP/IP gateways
• Read TID 2928290 and 2928294
• Look at the Status in the IP gateway component in
  Settings, Control Panel, Network at the
  client
• It is better not to specify the context of the
  server than rather specifying a wrong context
• Use WINPING.EXE to check if you can ping (do not
  use the DOS ping)
• IPXIPGW.NLM must be loaded
• Check messages in the Novell IP gateway access
  status screen

30
Troubleshooting Tools and Techniques

• IPX/IP and IP/IP gateways (cont.)
• To enable the gateway debug at the client in the
  c\windows\novws.ini file add the lines
• Gwtraceinfo
• trace4
• the output will be in C\GWDBG32.TXT
• To enable the gateway debug at the server use
• SET NWGATEWAY DEBUG(0-7)
• SET NWGATEWAY LOGON
• The output will be in SYS\IPXIPGWx.LOG
• it slows down the server

31
Common Problems and Solutions

• No default route/gateway on some host in the
  process
• Check host, and all intervening routers
• Did not install default filters
• Load BRDCFG, follow prompts (secure the public IP
  address only)
• Access rules in wrong sequence
• Change the rule order

32
Common Problems and Solutions

• NDS-based rule, no proxy authentication
• Must run CLNTRUST at client, or use SSL
  Authentication
• Not all proxies use NDS-based rules
• Licensing issues
• See Novell TID 10013723
• Slow shutdown of server
• Unload BorderManager services before downing
  server
• Get BMOFF.NCF file at
• http//nscsysop.hypermart.net/bmoff.html

33
Common Problems and Solutions

• NWADMN32 snapin issues
• Rename to ACNWAUTH.DLL snapin to ACNWAUTH.DL_
• See http//nscsysop.hypermart.net/nwadmin.html
• Proxy cache not on dedicated volume(s)
• Always put cache on a dedicated volume, never SYS
• BorderManager not tuned for performance
• See TID 10018669

34
Common Problems and Solutions

• Mail proxy
• Has had a number of issues over the years,be
  sure to check latest patches
• LOAD PROXY -M to allow mail proxy to use more
  than one MX record when sending SMTP
• LOAD BRDSRV/NOLOAD to prevent autoloading
• DNS proxy
• Dont try with NAMED loaded on the server
• May need to clear cached data by deleting
  SYSETC\PROXY\PXYHOSTS file

35
Common Problems and Solutions

• HTTP proxy caching unwanted site/just added site
  as non-cacheable, but old site still comes up
• Need to clear the (entire) cache as follows
• Unload proxy
• Delete SYSETC\PROXY\PXYHOSTS (optional)
• Load Proxy cc

36
Common Problems and Solutions

• Transparent proxy
• Somewhat slower than HTTP proxy
• Doesnt do DNS lookup for the client
• Client must be configured to do DNS
• Logs web sites visited by IP address instead of
  URL
• Does not support HTTPS/SSL
• Massive TCP/IP communications failure
• NETDB 4.09 manually loaded before INITSYS.NCF
  load it after INITSYS, or let it autoload as
  needed

37
Common Problems and Solutions

• RADIUS
• Dial access systemredundancy
• Do you need a profile?
• Attributes with attitude
• RADATR3A.EXE
• Testing www.nttacplus.com/download/radping.cfm

38
Common Problems and Solutions

• IPX/IP and IP/IP gateway
• I am using Novell Client 3.3, the gateway status
  at the client is always not connected
• The IP gateway component of the Client v.3.3
  doesnt work properly
• Try to use Client 3.1 or 3.21
• In ZENworks all the workstations appear to have
  the IP address of the gateway
• This is the way the gateway works
• The workstations talk to the gateway, and the
  gateway communicates on their behalf with the
  other devices

39
Common Problems and Solutions

• IPX/IP and IP/IP gateway (cont.)
• The browsers, IE more frequently, fail to
  connect to the gateway. Netscape returns the
  unable to open socket connection message
• Make sure you are using the correct Winsock
  version at the client
• For BorderManager 2.1 you must use the Novell
  Winsock I(latest client version using this
  Winsock version is 2.5)
• For BorderManager 3.x, use the MS Winsock II
• This limitation applies only to the gateways

40
Common Problems and Solutions

• IPX/IP and IP/IP gateway (cont.)
• I am using SSO authentication to the gateway,
  but when I try to use the HTTP proxy with
  authentication (to use ACL) I get the message
  403 Forbidden, you are not logged in
• The IP gateway and the standard HTTP proxy cannot
  work together
• If you want to use proxy authentication with the
  IP gateway you must use the Transparent HTTP
  proxy
• SSL authentication to the HTTP proxy doesnt work
  either
• You can use the HTTP proxy without authentication

41
Common Problems and Solutions

• IPX/IP and IP/IP gateway (cont.)
• How do I enable the transparent proxy for my IP
  gateway clients without affecting the user using
  the native TCP/IP stack?
• To enable the transparent proxy for the IP
  gateway client ONLY you can use the command line
  (at the server)
• SET NWGATEWAY CLIENT TRANSPARENT PROXYON

42
Common Problems and Solutions

• Site-to-Site VPN
• I configured the VPN between two servers. The
  VPN was established but I cant reach the
  internal LAN
• Make sure that your VPN tunnel IP address is in a
  different network from the private and the public
  IP addresses of the server
• i.e. Public IP address 123.123.123.1 Private IP
  address 10.1.1.1
• VPN TUNNEL IP address 192.168.1.1/255.255.255.0

43
Common Problems and Solutions

• Site-to-Site VPN (cont.)
• In the logs in NWadmn32 I have the message
• Time synchronization error from connection XXX
• (SKIP) Construction of SA failed for peer
  ltIP_addressgt
• The VPN stays in the Being configured status
• Check that the time (clock) in the servers is not
  more than one hour apart in UTP
• Make sure that your ISP is not filtering any
  packet type

44
Common Problems and Solutions

• Site-to-Site VPN (cont.)
• When loading VPNCFG I get a lot of undefined
  public symbols
• The TCPIP.NLM you are using doesnt support
  encryption
• It was probably overwritten by a service pack
• The VPN is up and running but I cannot contact
  the devices in the private segment
• The VPN server should be the gateway to the
  Internet for the LAN

45
Common Problems and Solutions

• Client-to-Site VPN
• I can login to the VPN but when I try to login
  to the NDS I get the Tree or server not found
  error message
• Three solutions
• Use IPX over the tunnel to login
• Use the IP address of the server on the private
  LAN instead of the server name in the NetWare
  login screen
• Set up a SLP DA in your LAN and configure the
  client to statically query that DA for service
  location

46

• Client to Site VPN (cont.)
• The VPN is up and running but I cannot contact
  the devices in the private segment. The devices
  in the LAN access the internet though a device
  that is NOT the VPN server.
• Use a VPN server dedicated to the client to site
  VPN
• Enable dynamic NAT on the PRIVATE interface only

47
Common Problems and Solutions

• Client-to-Site VPN (cont.)
• When I try to authenticate to the VPN I get the
  message Unable to authenticate token password
• If you arent using ActivCard, and you arent
  using Radius, delete the Login Policy Object from
  the NDS and delete the LPOCACHE.DAT file from the
  server
• I am not able to use the VPN on Windows ME
• Thats right, the VPN client doesnt work on
  Windows ME!

48
For More Information

• Novell Support web site
• http//support.novell.com
• Novell Documentation web site
• www.novell.com/documentation
• Novell public forums (best with news reader)
• support-forums.novell.com (NNTP)
• http//support.novell.com/forums
• Other web sites
• http//nscsysop.hypermart.net
• www.connectotel.com

49
(No Transcript)