Technical Tip

eDirectory Remote Synch Question

Problem

A Forum reader recently asked:

"I want to install eDirectory in a remote office and sync NDS over the Internet so we can add a GroupWise domain at the remote site. We don't have a VPN set up, and both sides are using static NAT addresses behind a firewall. Is this possible?"

And here are a few of the responses ...

Solution

(Massimo Rosen)

Officially, no. Technically, it is possible, but I would strongly advise against doing this in a permanent production situation. The trick to make this work is to make an additional TCP/IP binding on the servers with their public, natted address. This can create all sorts of funny routing issues and delays in both sync and client access to the servers, though.

And that's not to mention the security risk involved with syncing servers over the Internet, unencrypted.

(Edward Vandermaas)

Don't do it. Spend some money on getting a VPN and you'll save yourself lots of hassle.

Or, another option is to create a separate tree for that site and span your GroupWise over 2 trees. You'll save yourself the hassle of getting NCP to work over NAT, and the GroupWise traffic is encrypted natively.

(Akos Szechy)

As others said, don't do it. NAT will only replace the IP addresses in the TCP header, and it obviously doesn't care about what's inside the packet.

For example, suppose the eDirectory NetWare box is running on 192.168.1.1, and the Windows one is on 192.168.0.1. Clients ask where they can find the admin.novell user, and the local server will return the IP addresses of the servers. Then the client will try to connect to the boxes, but it will not be able to find these addresses. They are local addresses, and NAT does not translate them - they are in the NCP header of the packet and not on the TCP level. So, the clients will fail to locate the server.
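
The behaviour described in the last reply, as an added example that is not part of the original thread: a static NAT rewrites the source address in the packet header, while the server addresses carried inside the payload pass through unchanged. The packet layout is a simplified stand-in rather than the real NCP format, and the public addresses and function names are constructed for illustration.

```python
import ipaddress
import struct

# Constructed static NAT table (private -> public). The public addresses are
# documentation-range placeholders, not values from the thread.
STATIC_NAT = {"192.168.1.1": "203.0.113.10", "192.168.0.1": "203.0.113.11"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_packet(src, dst, referrals):
    """Toy packet: 8-byte header (src, dst) + payload (count + referral IPs)."""
    header = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    payload = struct.pack("!B", len(referrals))
    payload += b"".join(ipaddress.IPv4Address(r).packed for r in referrals)
    return header + payload


def nat_outbound(packet):
    """Static NAT: rewrite the header source address only."""
    src = str(ipaddress.IPv4Address(packet[0:4]))
    new_src = ipaddress.IPv4Address(STATIC_NAT.get(src, src)).packed
    return new_src + packet[4:]  # payload bytes pass through untouched


def parse_packet(packet):
    """Return (src, dst, [referral addresses]) from the toy packet."""
    src = str(ipaddress.IPv4Address(packet[0:4]))
    dst = str(ipaddress.IPv4Address(packet[4:8]))
    count = packet[8]
    refs = [str(ipaddress.IPv4Address(packet[9 + 4 * i:13 + 4 * i]))
            for i in range(count)]
    return src, dst, refs


def unreachable_referrals(refs):
    """Referrals that a client on the far side of the NAT cannot route to."""
    return [r for r in refs
            if any(ipaddress.ip_address(r) in net for net in RFC1918)]


if __name__ == "__main__":
    # Server at 192.168.1.1 answers a remote client (constructed address)
    # with the two server addresses used in the reply above.
    reply = build_packet("192.168.1.1", "198.51.100.7",
                         ["192.168.1.1", "192.168.0.1"])
    src, dst, refs = parse_packet(nat_outbound(reply))
    print("header source after NAT:", src)
    print("referrals in payload:   ", refs)
    print("unroutable for client:  ", unreachable_referrals(refs))
```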






© 2008 Novell, Inc. All Rights Reserved.