AppNote: Implementing iFolder Server in the DMZ with iFolder Data inside the Firewall
Novell Cool Solutions: AppNote
By Eugene Phua
Posted: 20 Jul 2004
Primary Support Engineer
The objectives of this documentation are as follows:
- To configure iFolder server in the DMZ with the iFolder data physically stored on another server inside the Firewall using two NetWare 6.5 servers.
- To cluster iFolder services via inexpensive iSCSI technology using three NetWare 6.5 servers.
Most customers want to implement iFolder but are constrained by their company's security policy. Most companies have a security policy that there is no access from the Internet directly into the internal network (if you don't have such a policy, it is time to set one up). This implies two things:
- From the Internet, users cannot directly access data in the internal network, but can access application servers in the DMZ
- To protect data, data cannot be placed in the DMZ
Most companies will do one of the following:
- Set up a VPN solution. All access to applications from the Internet must be via the VPN application.
- Set up application servers in the DMZ. All access to applications from the Internet will hit the application servers and the application servers will then access the data via the firewall. The data is stored inside the firewall and the firewall is configured to only allow the application servers to access the data. With this setup, the data is secured.
- For customers with very tight security policies, an even more secure approach can be implemented by combining the above two methods. Customers may implement two firewalls. The first firewall blocks all access from the Internet into the Customer's Network except VPN traffic. All application servers are stored in the DMZ. The 2nd firewall blocks all traffic and allows only access from the application servers. This means that users must use VPN, which gets past the 1st firewall, to access the applications in the DMZ. However, because of the 2nd firewall, users cannot access their internal network directly. The application servers fetch the data from the Internal network and pass it back to users.
iFolder stores its data on the server. This creates two problems:
- iFolder cannot be placed in the DMZ because data would then be in the DMZ
- If iFolder is in the Internal network, users cannot access iFolder because of the firewall. Security policy prevents users on the Internet from accessing applications directly in the Internal network
In the past, the only way to get around this problem was to implement VPN. However, for customers who do not have VPN, iFolder cannot be implemented. Furthermore, VPN will work only if customers allow Internet users access directly into the internal network. For customers with extremely tight security policies who do not allow VPN users to access directly into the internal network, even VPN is not a solution. Because of all these restrictions, many customers cannot implement iFolder.
NetWare 6.5 provides the solution. NetWare 6.5 allows the data to be stored remotely so that the iFolder server can be placed on the DMZ but the data can be placed in the internal network. This allows iFolder to meet most customers' security requirements. The key to implementing this is through iSCSI.
iSCSI is a standard for carrying the SCSI block storage protocol over TCP/IP networks. This means that iSCSI allows a SAN to be built over a LAN. In the past, a SAN was built using Fibre cables, Fibre cards, SAN switches and SAN storage, which was a very expensive solution. NetWare iSCSI lets you use NetWare servers to create shared storage and a NetWare cluster without purchasing expensive SAN equipment. For more on iSCSI, refer to the iSCSI Administration Guide for NetWare 6.5.
In this documentation, we are simulating the following scenarios:
- iFolder server is setup in the DMZ and the iSCSI storage server is setup inside the firewall.
- iFolder Server will be clustered and setup in the DMZ, and the iSCSI storage server is setup inside the firewall.
- Set up two NetWare 6.5 servers with iFolder and iSCSI services.
One server is placed in the internal network, and the other is in the DMZ. The NetWare 6.5 server in the internal network can join the existing tree. The NetWare 6.5 server in the DMZ, however, should be a stand-alone server in its own tree.
In this example, the server in the DMZ shall have the following configuration:
Server Context: O=NOVELL
The IFOLDERSERVER1 will be configured as the iSCSI Initiator
The server in the internal network will have the following configuration:
Server Context: .SERVER1.NOVELL
The NW65SERVER will be configured as the iSCSI Target
- On the 'NW65SERVER' server, do the following:
- LOAD NSSMU > Partitions
- Press 'Insert' to create a new partition
- Select the Free Disk space and press 'Enter'
- Select iSCSI
- Define the partition size (which will be the size of your iFolder data store) and create
- On the NW65SERVER server, type TON.NCF
In the installation, TON.NCF is already loaded by default in the AUTOEXEC.NCF. In this case, you can type TOFF.NCF and then TON.NCF to reload the iSCSI target NLMs.
(If you have not realized it by now, TON stands for Target ON and TOFF stands for Target OFF.)
- Open up ConsoleOne, browse to the location of the NW65SERVER and you will see an iSCSI Target object that has been created. This object is automatically created when an iSCSI partition is created on a server and 'TON.NCF' is loaded on that server. The object will look something like this:
- Create an iSCSI Initiator Object in the same context as the NW65SERVER object. You will get the following prompt, but click OK and key in the object name. For this example, the iSCSI Initiator Object is ifolderserver1
- Right-click on the iSCSI Target object created in Step 4 and choose 'Trustees of this object'. Select the ifolderserver1 Initiator Object as a Trustee and click OK to accept the default Trustee rights.
- On the IFOLDERSERVER1, type 'ION.NCF'
(You may have rightly guessed that ION stands for Initiator ON)
- On the IFOLDERSERVER1, type 'ISCSI LIST'
You will see the following screen
- You need to change the initiator server's IQN to correspond to the Initiator Object that you have created in the NW65SERVER-TREE. To do this, on the IFOLDERSERVER1, type the following:
iscsi set InitiatorName=iqn.1984-08.com.novell:.ifolderserver1.novell.nw65server-tree.
NOTE: Add a trailing '.' at the end of ".ifolderserver1.novell.nw65server-tree." in the command above, or you will not be able to connect.
- On the IFOLDERSERVER1 console screen, type: iscsinit connect [IP address of NW65SERVER]
This command will enable the iSCSI Initiator to connect to the iSCSI Target
- Open up a browser and browse to Remote Manager on IFOLDERSERVER1 server (https://[IP address of IFOLDERSERVER1]:8009)
- Under the MANAGE SERVER section, choose PARTITION DISK, and you will see the following screen. Click 'Initialize Partition Table'
- Once that is done, the disk is initialized and ready to be used.
- On the IFOLDERSERVER1, do the following:
- LOAD NSSMU > POOLS
- Press 'Insert' to create a new pool. Enter Pool name (e.g. IFOLDER_POOL)
- Choose the Free Disk space which has been created on the iSCSI Target
- Confirm the Partition Size
- Go to the Main Menu > VOLUMES
- Press 'Insert' to create a new volume. Enter volume name (e.g. IFOLDER)
- Select the pool (e.g. IFOLDER_POOL) and press 'Enter'
- Select your Volume properties and press 'Create'
- On IFOLDERSERVER1, type 'Edit AUTOEXEC.NCF' and add the following lines, so that the initiator loads and reconnects to the target at every boot:
ion.ncf
iscsinit connect [IP address of NW65SERVER]
As with any default installation of iFOLDER, the default location of ServerRoot and UserRoot is in SYS:\iFOLDER and the LDAP server configuration is usually pointing to itself (using DNS or IP address). The purpose of this section is to configure iFOLDER to:
- Use the LDAP server in the internal network to authenticate users
- Change the ServerRoot and UserRoot to be placed on the iSCSI volume created on the iSCSI Target located in the internal network
In this example, both the LDAP server and the iSCSI Target server in the internal network are NW65SERVER (220.127.116.11)
- On the IFOLDERSERVER1 server, edit the SYS:\APACHE2\IFOLDER\SERVER\HTTPD_IFOLDER_NW.CONF file
Modify the following parameters:
- iFolderServerRoot: Change to IFOLDER:\iFolder
- iFolderUserRoot: Change to IFOLDER:\iFolder
- From your browser, open up the iFolder management URL (i.e. https://[IP address of IFOLDERSERVER1]/iFolderServer/Admin)
- Click 'Global Settings'. Type in the admin name and password of IFOLDERSERVER1
- On the left column, choose 'USER LDAPs' and delete all existing User LDAP servers
- On the left column, choose 'USER LDAPs' and add a User LDAP server.
Under the Host DNS or IP, key in the DNS or IP of your internal eDirectory LDAP server. In this example, NW65SERVER is the internal user LDAP server.
Key in the admin name and password of NW65SERVER
- The User LDAP configuration will pop up. Check the 'Search Subcontexts' option.
- Restart your apache web services by typing the following commands on IFOLDERSERVER1:
- Map a drive to the IFOLDER volume on IFOLDERSERVER1. You will see that the IFOLDER directory has been created on the volume.
After you have completed the above configuration, the following will have been accomplished:
- The iFolder Server in the DMZ is purely an application server that does not have user information or user data
- User information will be accessed from LDAP servers inside the firewall
- iFolder user data is physically stored on an iSCSI storage inside the firewall
Installing Cluster Services over iSCSI
Some customers may consider iFolder services important enough to warrant clustering of the iFolder services. In the past, this would have been a costly endeavour because it required expensive Fibre cables, Fibre cards, SAN switches and SAN storage. Now all you need is another NetWare 6.5 server.
- Set up a NetWare 6.5 server with iFolder and iSCSI services.
This NetWare 6.5 server will join the IFOLDER_TREE.
In this example, the NetWare 6.5 server in the DMZ shall have the following configuration:
Server Context: .SERVER2.NOVELL
- On the NW65SERVER_TREE, create an iSCSI Initiator Object in the same context as the NW65SERVER object. You will get the following prompt, but click OK and key in the object name. For this example, the iSCSI Initiator Object is ifolderserver2
- Right-click on the iSCSI Target object created and choose 'Trustees of this object'. Select the ifolderserver2 Initiator Object as a Trustee and click OK to accept the default Trustee rights.
- On the IFOLDERSERVER2, type 'ION.NCF'
- On the IFOLDERSERVER2, type 'ISCSI LIST'
You need to change the initiator server's IQN to correspond to the Initiator Object that you have created in the NW65SERVER-TREE. To do this, on the IFOLDERSERVER2, type the following:
iscsi set InitiatorName=iqn.1984-08.com.novell:.ifolderserver2.novell.nw65server-tree.
NOTE: Add a trailing '.' at the end of ".ifolderserver2.novell.nw65server-tree." in the command above, or you will not be able to connect.
- On the IFOLDERSERVER2 console screen, type: iscsinit connect [IP address of NW65SERVER]
- On IFOLDERSERVER2, type 'Edit AUTOEXEC.NCF' and add the following lines:
ion.ncf
iscsinit connect [IP address of NW65SERVER]
On IFOLDERSERVER2, type the above two lines on the server console screen as well.
If you have been following the exercise through, on IFOLDERSERVER1 use NSSMU to remove the IFOLDER volume and the IFOLDER_POOL pool, and remove the lines that mount the IFOLDER volume from the AUTOEXEC.NCF file. Remember, we want to cluster the IFOLDER volume, so we don't want to mount it from AUTOEXEC.NCF.
- On both IFOLDERSERVER1 & IFOLDERSERVER2, do the following:
- NSSMU > Devices
- Choose the iSCSI device (the name contains 'NOVELL' in it)
- Press 'F6' to share the device
- The device configuration becomes 'Sharable for Clustering'
- Install Novell Cluster Services 1.7 on both IFOLDERSERVER1 & IFOLDERSERVER2 using Deployment Manager.
The details to install Novell Cluster Services can be found in NetWare 6.5 - Novell Cluster Services 1.7 Administration Guide
- After installation, type LDNCS.NCF on both server consoles, and both servers should join the Cluster. You should see both servers having Cluster Membership Monitor with the status 'UP'.
NOTE: Now you can provide better reliability by creating an iSCSI device for the SBD partition and another iSCSI device for iFOLDER partition.
If you have followed through the exercise, the SBD partition would have been created in the iSCSI device that was created in the previous exercise. It is then a simple matter of repeating the steps and then creating a larger iSCSI device for iFOLDER. Of course, you can extend this idea by creating another iSCSI device for SBD mirroring, but these are beyond the scope of this AppNote.
So for this exercise, if the SBD partition is created on the same device as the IFOLDER partition, it is fine. But you probably won't want to do this in a production environment.
- On the IFOLDERSERVER1 server, do the following:
- NSSMU > POOLS
- Press 'Insert'. Type in Pool Name (e.g. IFOLDER_POOL)
- Choose the correct device and select partition size
- The Cluster Pool Configuration Screen will appear. Type in the IFOLDER Virtual IP address
- NSSMU > VOLUMES
- Press 'Insert'. Type in Volume Name (e.g. IFOLDER)
- Select the pool that you created in step 11 (e.g. IFOLDER_POOL)
- Choose the Volume properties > Create
That's it. You have just clustered the IFOLDER volume. You can use Remote Manager or ConsoleOne to migrate the IFOLDER volume between IFOLDERSERVER1 and IFOLDERSERVER2 to test whether or not it is working.
Clustering iFolder Services
- Loading iFolder in protected memory
By default, iFolder on NetWare does not load its own instance of Apache in protected memory. Instead, it adds an include statement to the default Apache configuration file (SYS:\APACHE2\CONF\HTTPD.CONF) and loads in the kernel address space.
The problem with this is that when iFolder is not loaded, you are unable to use the other NetWare 6.5 services that run on top of Apache. To solve this, iFolder can be loaded in its own address space so that the Apache services are not affected by iFolder. iFolder will then be configured to be loaded by Cluster Services only.
Below are the steps to load iFOLDER into its own memory space. These steps have to be done on all cluster nodes.
- Make the following changes to the SYS:\APACHE2\IFOLDER\SERVER\HTTPD.CONF file:
- Change from Listen 80 to Listen [iFOLDER Virtual IP address]:80 (e.g. Listen 18.104.22.168:80)
- Change from SecureListen 443 "SSL CertificateDNS" to SecureListen [iFOLDER Virtual IP address]:443 "SSL CertificateDNS" (e.g. SecureListen 22.214.171.124:443 "SSL CertificateDNS")
- Change from DocumentRoot "sys:/apache2/htdocs" to DocumentRoot "sys:/apache2/ifolder/DocumentRoot"
- Change from <Directory "sys:/apache2/htdocs"> to <Directory "sys:/apache2/ifolder/DocumentRoot">
- Change from JkWorkersFile "conf/mod_jk/workers.properties" to JkWorkersFile "sys:/adminsrv/conf/mod_jk/workers.properties"
- Change from JkLogFile "/logs/mod_jk.log" to JkLogFile "sys:/adminsrv/logs/mod_jk.log"
- In the SYS:\APACHE2\CONF\HTTPD.CONF file, comment out the include statement that references SYS:\APACHE2\IFOLDER\SERVER\HTTPD_IFOLDER_NW.CONF.
- In the SYS:\APACHE2\IFOLDER\SERVER\HTTPD_IFOLDER_NW.CONF file, make the following changes:
- Change iFolderServerDNSorIP from [server IP address] to [cluster virtual IP address]
- Change iFolderUserServerDNSorIP from [server IP address] to [cluster virtual IP address]
- Copy SYS:\PUBLIC\ROOTCERT.DER to SYS:\APACHE2\IFOLDER\SERVER\LDAP_MASTER.DER
- Cut STARTIFOLDER.NCF and STOPIFOLDER.NCF from SYS:\SYSTEM and paste them into SYS:\APACHE2\IFOLDER\SERVER.
Make the following changes to STARTIFOLDER.NCF, so that Apache is loaded in its own address space named IFOLDER and the original load line is commented out:
LOAD ADDRESS SPACE = IFOLDER APACHE2 -f
# LOAD APACHE2 -f SYS:APACHE2\CONF\HTTPD.CONF
Comment out the 'UNLOAD APACHE' line in STOPIFOLDER.NCF.
- Edit AUTOEXEC.NCF file and add the following line:
SEARCH ADD SYS:\APACHE2\IFOLDER\SERVER
Type the above command on the server console as well.
- Open up the iFolder Management URL and, under Global Settings > iFolder Server, change the IP address to the Virtual Cluster IP address.
- Add startifolder to the Cluster Load Script and stopifolder to the Cluster Unload Script as shown below. In the Cluster Unload Script, you may like to add a delay so that iFolder unloads completely before the rest of the script proceeds.
Cluster Load Script
Cluster Unload Script
You will notice that the iFolder service has not been loaded. Load the iFolder service by loading the cluster resource through Cluster Services.
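As an added example (not the AppNote's own scripts, which were screenshots), the following shows the shape of the cluster load and unload scripts for the IFOLDER pool resource with startifolder and stopifolder added. The pool name, volume name and bracketed virtual IP placeholder are taken from this exercise; the VOLID value and the use of DELAY.NLM to pause the unload script are assumptions to adjust for your environment.

```ncf
# --- Cluster Load Script for the IFOLDER resource (added example) ---
# Activate the clustered pool on the iSCSI device and mount the volume
nss /poolactivate=IFOLDER_POOL
mount IFOLDER VOLID=254
# Bind the iFolder virtual IP address on this node (same address as the
# Listen / SecureListen lines in the iFolder HTTPD.CONF)
add secondary ipaddress [iFOLDER Virtual IP address]
# Start Apache in the IFOLDER address space; STARTIFOLDER.NCF is found
# through the SEARCH ADD SYS:\APACHE2\IFOLDER\SERVER entry added earlier
startifolder

# --- Cluster Unload Script for the IFOLDER resource (added example) ---
# Stop the iFolder Apache instance first so no handles stay open on the volume
stopifolder
# Assumption: DELAY.NLM pauses the script (seconds) so the IFOLDER address
# space unloads fully before the volume is dismounted
delay 5
# Release the virtual IP, then dismount the volume and deactivate the pool
del secondary ipaddress [iFOLDER Virtual IP address]
dismount IFOLDER /force
nss /pooldeactivate=IFOLDER_POOL /overridetype=question
```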
Ports to be opened in the Firewall
Finally, to get all of this to work, the administrator has to open up the firewall. Below is the list of ports required to be open at the firewall:
| Source IP | Destination IP | Destination Port | Description |
| | NW65SERVER | 636 | LDAP with SSL port (if configured) |
With NetWare 6.5, you are able to configure a high-availability iFolder solution that is both secure and inexpensive. It is secure because your data is protected inside the firewall. It is inexpensive because you only need three NetWare 6.5 servers, without the costly SAN equipment. The best thing about NetWare 6.5 is that since licenses are per user, you can install as many NetWare 6.5 servers as you want.
iSCSI Administration Guide for NetWare 6.5
NetWare 6.5 - Novell Cluster Services 1.7 Administration Guide
Novell iFolder 2.1 Installation and Administration Guide
TID 10082707: How to run iFolder 2.1 in Protected Memory
TID 10087321: How do I configure iSCSI when the iSCSI Target and Initiators are in different eDirectory Trees
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com