
AppNote: Filtering Exceptions

Novell Cool Solutions: AppNote
By A Babula


Posted: 29 Apr 2004
 

Cool Solutions AppNote: Configuring Exceptions on NBM 3.8 Server Firewall to Access Novell Services

A Babula, Senior Software Engineer

ababula@novell.com

Abstract: This AppNote discusses secure ways to configure filters/exceptions on Novell BorderManager 3.8 (NBM 3.8) firewall to allow internal and external users to access well known services of Novell through the BorderManager Firewall. It explains the ideal way to configure firewall to allow intranet and Internet users to access services like iFolder, iPrint, GroupWise, VPN and so on. This article is aimed at administrators charged with configuring and administering BorderManager Firewalls.

INTRODUCTION

Novell Border Manager (NBM) is Novell's premier access and security solution. Packet filtering is a fundamental component of the overall security of the BorderManager. Packet filters are designed to allow required services, at the same time preventing all undesired traffic from passing through the firewall. This AppNote enables you to configure optimized packet filters so trusted traffic can access certain Novell internal and external services with high security.

NETWORK SETUP OF FIREWALL

Filter configuration works under certain assumptions and is based on the network configuration. Sample configurations are shown in Figures 1 & 2. For all network setups, a dedicated Internet connection is provided through a WAN link to a public router, and an NBM 3.8 server is set up with three interfaces.

Figure 1: NBM 3.8 with Proxy and Reverse Proxy

In Figure 1 a public Internet router is connected to an interface of the NBM 3.8 server. On the other side, the server connects to a DMZ network 172.16.0.0, with Reverse Proxy enabled through a public interface for a web server (172.16.16.16) in the DMZ network. Another interface is connected to the Internal LAN (10.0.0.0) for which the Proxy is enabled on the NBM 3.8 server.

Figure 2: NBM 3.8 with NAT enabled

In Figure 2, an interface of the NBM 3.8 server is connected to the public router. On the other side, one public interface is connected to a DMZ network (172.16.0.0), with static NAT enabled. Another public interface is connected to an internal LAN 10.0.0.0, with Dynamic NAT enabled.

It is assumed that multiple, publicly registered IP addresses are available on the external IP segment. For DMZ and internal networks, the NBM 3.8 server is the router.

CONFIGURING FILTERS/EXCEPTIONS USING IMANAGER AND FILTCFG

Two interfaces are provided to configure filters on the NBM 3.8 server. Filters can be configured using the FILTCFG.NLM, which is a TUI (Text-based User Interface). Remote configuration is also possible using iManager 2.0. The following sections in this document tell you how to use Novell iManager for filter configuration. The Novell BorderManager Access Management role and Packet Filtering configuration tasks are automatically plugged into Novell iManager when NBM 3.8 is installed. By default, this role is assigned to the administrator only.

To use iManager for filter configuration,

  1. Bring up Novell iManager 2.0 using this URL: http://IP Address of the server/nps/iManager.html
  2. Log in to iManager to use the Packet Filtering Configuration Task.

For more details, refer to the Novell BorderManager 3.8 Installation Guide available at http://www.novell.com/documentation/lg/nbm38/index.html.

CONFIGURING BASICS OF THE PACKET FILTER

Packet filtering is the process of checking the TCP/IP packet fields and allowing or denying the packet according to the field values and the configured filters. BorderManager administrators can use two types of IP filtering: "stateless" (static) and "stateful." There are many ways to configure filters, but there is a tradeoff between performance and security, as noted below.

Advantages and Disadvantages of Static IP Filters

There are several advantages to using a static IP filter. It has a combination of low overhead and high throughput. Also, it is very good for traffic management, since it does little else.

On the other hand, static IP filters have many disadvantages, especially regarding security:

  • They allow direct connections from the external network to hosts on the internal network.
  • They can become cumbersome to maintain in complex environments.
  • They are vulnerable to IP spoofing attacks, unless they have been specifically configured to prevent this. All holes in the firewall are permanent: either a hole exists or it doesn't; there is no opening and closing of connections based on outside criteria.

So, static packet filtering does not offer enough security to be the only gateway between an internal network and the Internet. Therefore, developers came up with a more intelligent solution: stateful packet filtering.

Stateful IP Filters

Simple IP filters do not remember packets that have already passed through the filter. Each packet is handled individually, so previously forwarded packets belonging to a connection have no bearing on the filter's decision to forward or drop the packet. In contrast, a stateful firewall has a state table that keeps track of open connections. This state table is what differentiates a stateful IP filter from a static IP filter. When a packet arrives with header flags set that should not be set for the connection's current state, the firewall drops it.

However, stateful filters are still not as secure as an application gateway (or proxy server, in the case of BorderManager). An application gateway not only maintains a state table and checks the ACK bit, as a stateful packet filter does, but also inspects the packet at the application level. Because BorderManager provides application gateways for a number of protocols, you should enable static IP filters for these protocols. This way the overhead at the IP stack level is low, while the security concerns of IP filtering are handled by the application proxy. You should also enable stateful filtering for the less secure applications that have no application gateway and therefore require security at the packet filtering level.

Setting Up the Firewall

The firewall should be set up so that the main internal LAN hosts cannot be accessed via the Internet. Only extremely limited traffic between the DMZ and the main internal LAN should be allowed. This is so that if a host in the DMZ is compromised, it doesn't have direct access to the main internal LAN. Traffic to and from the DMZ segment is controlled in its access to both the Internet and main Internal LAN.

This can be accomplished by denying all incoming and outgoing packets on the public interface and the DMZ interface (considering this as a second public interface). Specific ports should be opened using the proxy or static NAT with filter exceptions. Only specific traffic should be allowed using stateful exceptions between the main internal LAN and the DMZ network.

To do this,

  1. Run the BRDCFG program against the public IP address. This will produce a set of default filters to block all traffic and a set of exceptions to allow specific traffic.
  2. Then run BRDCFG against the IP address assigned to the DMZ interface. This will again create a set of filters to block all traffic and a set of exceptions.
  3. Delete all default exceptions for the DMZ address that were added by BRDCFG. This leaves the following filters and exceptions in place:
  • Filters blocking all traffic to and from the public interface
  • Filters blocking all traffic to and from the DMZ interface
  • Default exceptions for selected services

Exception: Accessing the Web Server in the DMZ

To enable Web server access, you need to open inbound exceptions to access DMZ services from the Internet. For example, suppose a web server is available in the DMZ network and is exposed to the Internet using static NAT. To access the web server in the DMZ network from the Internet, you would open one stateful exception from the public interface to the DMZ interface on port 80. The detailed exception is given here:

Source Interface Type: Interface
Source Interface: Public Interface
Destination Interface Type: Interface
Destination Interface: DMZ Interface
Service type: www-http-st
Protocol: TCP
Source port: Any
Destination port: 80
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Web server IP address

Exception: Accessing the Web Server from the Internal LAN

To access the web server which is available in the DMZ network from the internal LAN, you need another stateful exception from the internal interface to the DMZ Interface, to open port 80. The exception is the same as the one above, except that the Source Interface is Private, not Public.
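The following model, added here as an illustration and not Novell's code, ties the "Stateful IP Filters" discussion to the web server exception above: default-deny filters on the public and DMZ interfaces, one www-http-st exception from Public to DMZ on port 80, and a state table that admits the web server's replies. The packet tuple, interface names and client address are assumptions; a static version of the same exception is run alongside it to show why a stateless filter would need a second, permanent DMZ-to-Public hole for the reply traffic.

```python
"""Added illustration for this AppNote, not Novell's code: a small model of
default-deny filters with BorderManager-style exceptions, showing why the
stateful www-http-st exception (Public -> DMZ, port 80) admits the web
server's replies without a second, permanent DMZ -> Public hole."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed addresses taken from the AppNote's Figure 1 setup.
WEB_SERVER = "172.16.16.16"       # web server in the DMZ
INTERNET_CLIENT = "203.0.113.7"   # constructed public client address


@dataclass(frozen=True)
class Packet:
    in_iface: str     # interface the packet arrives on
    out_iface: str    # interface it would be forwarded to
    proto: str        # "TCP" or "UDP"
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = True  # True for the packet that opens a TCP connection


@dataclass
class Exception_:
    """One exception with the fields listed in the AppNote (names assumed)."""
    name: str
    src_iface: str
    dst_iface: str
    proto: str
    dport: int
    dst_host: Optional[str] = None  # None means "Any address"
    stateful: bool = True

    def matches(self, p: Packet) -> bool:
        return (p.in_iface == self.src_iface and p.out_iface == self.dst_iface
                and p.proto == self.proto and p.dport == self.dport
                and (self.dst_host is None or p.dst == self.dst_host))


@dataclass
class Firewall:
    exceptions: list
    state: set = field(default_factory=set)  # open connections (5-tuples)

    def allow(self, p: Packet) -> bool:
        # Replies belonging to a connection that a stateful exception already
        # admitted are passed on the strength of the state table alone.
        if (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return True
        # Anything else must match an exception; the BRDCFG default filters
        # deny all other traffic on the public and DMZ interfaces.
        for ex in self.exceptions:
            if not ex.matches(p):
                continue
            if ex.stateful:
                # Only a connection-opening packet may create state; an
                # ACK-only packet that happens to hit port 80 is dropped.
                if p.proto == "TCP" and not p.syn:
                    return False
                self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return True
        return False


def web_exception(stateful: bool) -> Exception_:
    # The AppNote's "Accessing the Web Server" exception: Public -> DMZ, TCP,
    # any source port, destination port 80, destination host = web server.
    return Exception_("www-http-st", "Public", "DMZ", "TCP", 80,
                      WEB_SERVER, stateful)


def run_demo() -> dict:
    """Feed constructed packets through a stateful and a static firewall."""
    syn = Packet("Public", "DMZ", "TCP", INTERNET_CLIENT, WEB_SERVER, 40001, 80)
    reply = Packet("DMZ", "Public", "TCP", WEB_SERVER, INTERNET_CLIENT, 80, 40001,
                   syn=False)
    ack_only = Packet("Public", "DMZ", "TCP", INTERNET_CLIENT, WEB_SERVER,
                      40002, 80, syn=False)
    ssh = Packet("Public", "DMZ", "TCP", INTERNET_CLIENT, WEB_SERVER, 40003, 22)
    dmz_to_lan = Packet("DMZ", "Private", "TCP", WEB_SERVER, "10.0.0.5", 5000, 80)

    stateful_fw = Firewall([web_exception(stateful=True)])
    static_fw = Firewall([web_exception(stateful=False)])
    return {
        "stateful_syn": stateful_fw.allow(syn),            # True
        "stateful_reply": stateful_fw.allow(reply),        # True: state table
        "stateful_ack_only": stateful_fw.allow(ack_only),  # False: no SYN
        "stateful_ssh": stateful_fw.allow(ssh),            # False: no exception
        "dmz_to_lan": stateful_fw.allow(dmz_to_lan),       # False: no exception
        "static_syn": static_fw.allow(syn),                # True
        # A static exception keeps no state, so the reply would need its own
        # permanent DMZ -> Public exception: the kind of hole the AppNote warns about.
        "static_reply": static_fw.allow(reply),            # False
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20s} {'allow' if verdict else 'deny'}")
```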

CONFIGURING OUTBOUND FILTERS EXCEPTIONS TO ACCESS PUBLIC SERVICES

Suppose that clients from an internal LAN need to access publicly available Novell services. The connection is initiated by the internal client: the first packet is sent from inside, so it is outbound traffic. Exceptions can be configured to access Novell services from an internal LAN, as described below. Exceptions are provided for default or standard ports only. Some Novell services listen on non-standard ports, so you may need extra configuration in that case.

Note: The following configuration sections are split across the page in the same way they appear on the FILTCFG screen.

A: iFolder

Novell iFolder gives you automatic, secure, and transparent synchronization of files between your hard drive and the iFolder server, which results in easy access to personal files anywhere, anytime.

  1. For web access and web administration of iFolder, define the first exception below to open port 443.
  2. To access iFolder using the client, define the second exception below to open Port 80.

It is assumed that the LDAP server is in the internal LAN for authentication and that no exception is required for authentication.

Exception: Secure Web Access and Administration

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: www-https-st
Protocol: TCP
Source port: Any
Destination port: 443
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: iFolder Server IP address

Exception: Accessing iFolder using the iFolder Client

The exception is the same as the one above, except that the Destination Port is 80. Other exceptions may also be required, depending on the setup. If iFolder is accessed through a proxy, ports 3128, 8080, and 8088 need to be opened. If it is accessed through SOCKS, port 1080 may also be needed.

B: iMonitor

Novell iMonitor provides cross-platform monitoring and diagnostic capability to all servers in the eDirectory tree. This utility lets you monitor your servers from any location on your network where a Web browser is available. When an iMonitor executable loads, it will attempt to listen on the traditional http port 80. If that port is in use, it will revert to port 8008. For secure authentication it uses port 8009.

It is assumed that iMonitor listens on port 8008 and redirects traffic over SSL.

  1. To access iMonitor, define the exception below to open port 8008. A new service type iMonitor-st is provided to configure the exception.
  2. If iMonitor needs to redirect traffic to port 8009 for secure authentication, then open port 8009.
  3. If iMonitor listens on any other port, the exception below is not applicable. You must define new exceptions for the ports it listens on.

Exception for iMonitor Web Access:

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: iMonitor-st
Protocol: TCP
Source port: Any
Destination port: 8008-8009
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: iMonitor server IP address.

C: iPrint

iPrint is a printing solution that enables you to send documents to printers located throughout the Internet. Using Internet technologies - including the industry-standard Internet Printing Protocol (IPP) - iPrint provides you with global access to printers, customizable views of any print environment, flexible print deployment configurations, and secure printing. iPrint is based on Novell Distributed Print Services (NDPS), a time-tested print solution known for its manageability, scalability, reliability, and ease of use.

  1. To open a connection to iPrint from an internal LAN (non-secure print), define the first exception below to open port 631. A new service of the type Spooler support-st is provided to configure the exception.
  2. For secure print, open port 443 and use the second exception below instead of the first. The print data is encrypted and all communication happens over port 443.

Exception for Spooler Support

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: Spooler support-st
Protocol: TCP
Source port: Any
Destination port: 631
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: iPrint server IP address.

Exception for Secure Print Access

The exception is the same as the one above, except that the Service Type is www-https-st, and the Destination Port is 443.

D: NetWare Core Protocol

The NetWare Core Protocol listens on port 524 for both TCP and UDP packets.

  • For an internal client logging in to an external server, define the first exception below to open port 524.
  • For server-to-server NCP communication, define the second exception below to open port 524.

Exception for NCP: Client to External Server

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: NCP-TCP-ST
Protocol: TCP or UDP
Source port: Any
Destination port: 524
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: IP address of NCP server

Exception for NCP: Server-to-Server NCP

The exception is the same as the one above, except that the Source Interface is Public, and the Source Address is the IP address of the NCP server.

E: NetWare Enterprise Web Server

The NetWare Enterprise Web Server listens on port 80 and secure port 443.

  • For non-secure access, define the first exception below to access port 80.
  • For secure access, define the second exception below to access port 443.

Exception for Non-secure Web Access

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: www-http-st
Protocol: TCP
Source port: Any
Destination port: 80
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: IP address of Web server

Exception for Secure Web Access:

The exception is the same as the one above, except that the Destination Port is 443.

F: NetWare Remote Manager (NRM)

NetWare Remote Manager lets you use a Web browser to securely access NetWare servers from any workstation and perform specific server management tasks. From Remote Manager, you can monitor the health of your servers, their processes, and CPU usage.

  • To access NRM, define the exception below to open ports 8008 and 8009.
  • If other ports are configured, they must also be opened.

Exception for NRM:

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: NRM-ST
Protocol: TCP
Source port: Any
Destination port: 8008-8009
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: IP address of NRM server

G: Novell exteNd (Portal Services)

For Web access with exteNd, define the first exception below to open port 80.

Exception for Web access:

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: www-http-st
Protocol: TCP
Source port: Any
Destination port: 80
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Any address
Destination address: NA

Exception for secure access:

The exception is the same as the one above, except that the Destination Port is 443.

Exception for 8080:

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: 8080
Protocol: TCP
Source port: Any
Destination port: 8080
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Any address
Destination address: NA

H: Remote Console Java

By default, RconJ listens on port 2034 for insecure connections and on port 2036 for secure connections; both ports are configurable. If it listens on the default ports, an exception for port 2034 is enough for insecure connections, and an exception for port 2036 is required for secure connections. If other ports are configured, new exceptions must be defined for those ports to allow the traffic.

Exception for RconJ:

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: Rconj-ST
Protocol: TCP
Source port: Any
Destination port: 2034
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: IP address of Rconj server

Exception for RconJ Secure Access:

The exception is the same as the one above, except that the Destination Port is 2036.

I: iManager

iManager server listens on TCP port 443, so an exception is required to access iManager from a LAN.

Exception for iManager:

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: www-https-st
Protocol: TCP
Source port: Any
Destination port: 443
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: IP address of iManager server

J: GroupWise remote client

The GroupWise Agent listens on the default TCP port 1677, so an exception is required to access GroupWise. Because the remote port is configurable, change the exception to match the destination port on which the agent listens.

Exception for GroupWise Client:

Source Interface Type: Interface
Source Interface: Private
Destination Interface Type: Interface
Destination Interface: Public
Service type: gw-st
Protocol: TCP
Source port: Any
Destination port: 1677
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: IP address of GroupWise server

K: Proxy

If a service is accessed through the Proxy, an exception is required to allow traffic from the public interface of the Proxy to the public world on the port on which the server listens. For example, with the HTTP proxy: by default an HTTP server listens on port 80, so the following exception is required.

At times another proxy (such as the DNS or HTTPS proxy) is used implicitly for web access. If web access is made through a DNS name, another exception is needed for DNS traffic. Sometimes a web access is redirected from port 80 to port 443 for a secure connection, so another exception for HTTPS traffic is needed as well.

Exception for HTTP Proxy:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: HTTP-St
Protocol: TCP
Source port: Any
Destination port: 80
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Any address
Destination address: NA

CONFIGURING INBOUND EXCEPTIONS TO ACCESS INTRANET SERVICES

This section describes the filter exceptions designed to allow traffic to services available on the NBM 3.8 server. The exceptions could be for VPN, reverse proxy, or services available from the internal LAN and DMZ network using NAT. Figure 1 and Figure 2 (beginning of the document) describe the network setups. It is assumed that the mail server for web access and the web server are in the DMZ network, and that filter exceptions are given for accessing the above mentioned services from the DMZ network.

Here are some extra exceptions that allow the iManager server and the RconJ service in the internal LAN to be reached from the Internet. However, it is not advisable to provide this type of facility; it should be used only when clearly necessary.

A: VPN Client (SKIP Mode)

In this scenario the VPN Client (SKIP Mode) connects directly from the Internet to the NBM 3.8 server. Here it is assumed that the VPN service is available on the same server on which the NBM Firewall is running. The following exceptions are required.

  • VPN-Auth-Gw (TCP, 353, Incoming)
  • VPN-Keep Alive (UDP, 353, Incoming)
  • VPN-SKIP-ST (57, Incoming)
  • VPN-SKIP-ST (57, Outgoing)

Exception for VPN Authentication:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPN-AuthGw-st
Protocol: TCP
Source port: Any
Destination port: 353
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

Exception for SKIP Inbound:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPN-SKIP
Protocol: 57
Source port: NA
Destination port: NA
ACK bit filtering: Disabled
Stateful filtering: Disabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public address of VPN server

Exception for SKIP Outbound:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPN-SKIP
Protocol: 57
Source port: NA
Destination port: NA
ACK bit filtering: Disabled
Stateful filtering: Disabled
Source address type: Host
Source address: Public address of VPN server
Destination address type: Any address
Destination address: NA

Exception for VPN Keep Alive:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPN-Keep Alive-st
Protocol: UDP
Source port: Any
Destination port: 353
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

B: NBM Client-to-Site (SKIP Mode, Client Behind NAT)

All the exceptions of NBM (SKIP Mode) Client-to-Site connections remain the same except for incoming SKIP. A VPTUNNEL-st exception is required in place of VPN-SKIP.

Exception for VPTUNNEL_Incoming:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPTUNNEL-st
Protocol: UDP
Source port: Any
Destination port: 2010
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server.

C: NBM 3.8 Client-to-Site (IKE Mode)

To make a Client-to-Site connection using NBM 3.8 (IKE Mode), the following exceptions are required:

  • VPN-Auth-Gw (TCP, 353, Incoming)
  • VPN-Keep Alive (UDP, 353, Incoming)
  • ESP-ST (50, Incoming)
  • IKE-ST (UDP, 500, Incoming)

Exception for VPN Authentication:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPN-AuthGw-st
Protocol: TCP
Source port: Any
Destination port: 353
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

Exception for VPN Keep Alive:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPN-Keep Alive-st
Protocol: UDP
Source port: Any
Destination port: 353
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

Exception for VPN ESP_Incoming:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: ESP-st
Protocol: 50
Source port: Any
Destination port:
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

Exception for VPN IKE_Incoming:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: IKE-st
Protocol: UDP
Source port: 500
Destination port: 500
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

D: NBM 3.8 (IKE Mode) Client-to-Site (Client behind NAT)

In this scenario the client behind the NAT tries to make a Client-to-Site connection. One more exception is required to open destination port 4500 (in addition to exceptions of NBM 3.8 Client-to-Site connection).

  • VPN-Auth-Gw (TCP, 353, Incoming)
  • VPN-Keep Alive (UDP, 353, Incoming)
  • ESP-ST (50, Incoming)
  • IKE-ST (UDP, 500, Incoming)
  • IKE-ST (UDP, 4500, Incoming)

Exception for VPN Authentication:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPN-AuthGw-st
Protocol: TCP
Source port: Any
Destination port: 353
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

Exception for VPN Keep Alive:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: VPN-Keep Alive-st
Protocol: UDP
Source port: Any
Destination port: 353
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

Exception for VPN ESP_Incoming:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: ESP-st
Protocol: 50
Source port: Any
Destination port:
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

Exception for VPN IKE_Incoming (Port 500):

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: IKE-st
Protocol: UDP
Source port: Any
Destination port: 500
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

Exception for VPN IKE_Incoming (Port 4500):

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: IKE-NAT-st
Protocol: UDP
Source port: Any
Destination port: 4500
ACK bit filtering: Disabled
Stateful filtering: Enabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of VPN server

E: Reverse Proxy

Generally a reverse proxy takes an internal server in the DMZ network and accelerates it to the external world, using a secondary IP address. By default, the NBM 3.8 Firewall blocks this type of traffic. Two stateful exceptions are required to allow it: one to allow the traffic to the public interface and another to allow traffic to the DMZ interface, because all incoming and outgoing traffic is blocked by BRDCFG on both interfaces. For example, an internal web server listens on port 80. The public secondary IP address assigned to the reverse HTTP proxy is 164.xx.xxx.xx, and it listens on port 80.

The following exceptions are required to access the web server from the public interface. If an accelerator listens on a different port, the exception for that port needs to be configured.

Exception for HTTP Reverse Proxy, Web Access:

Source Interface Type: Interface
Source Interface: Public Interface
Destination Interface Type: Interface
Destination Interface: Public Interface
Service type: www-http-st
Protocol: TCP
Source port: Any
Destination port: 80
ACK bit filtering: Disabled
Stateful filtering: Disabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Secondary IP address on which Accelerator listens

Exception for Web access (at Web server location):

Source Interface Type: Interface
Source Interface: DMZ interface
Destination Interface Type: Interface
Destination Interface: DMZ interface
Service type: www-http-st
Protocol: TCP
Source port: Any
Destination port: 80
ACK bit filtering: Disabled
Stateful filtering: Disabled
Source address type: Host
Source address: IP address bound to DMZ interface
Destination address type: Host
Destination address: IP address of web server

F: GroupWise Web Access

The GroupWise Web Access Agent may use the SSL (Secure Socket Layer) protocol to enable secure connections to Post Office Agents (POAs) and the Web Access Agent Web console. In that case, one stateful exception is required to access the GroupWise server available in the DMZ network using static NAT. It allows the request from the client to the destination port 443.

Exception for GroupWise Web Access

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: DMZ Interface
Service type: www-https-st
Protocol: TCP
Source port: Any
Destination port: 443
ACK bit filtering: Disabled
Stateful filtering: Disabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Static NAT IP address of GroupWise server.

G: RconJ on Generic TCP Proxy

These exceptions allow inbound RconJ traffic to a NetWare server in the internal LAN (not in the DMZ) through the generic TCP proxy. The default destination port is TCP 2034. RconJ can also be launched in secure mode, where the default destination port is 2036. So in secure mode an exception is required for destination port 2036, and in general mode an exception is required for destination port 2034. Two new service types, Rconj-st and RconJ-Secure-st, are configured for this.

Exception for RconJ:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: RConj-st
Protocol: TCP
Source port: Any
Destination port: 2034
ACK bit filtering: Disabled
Stateful filtering: Disabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of reverse proxy server

Exception for RconJ Secure Access:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Public
Service type: RconJ-Secure-st
Protocol: TCP
Source port: Any
Destination port: 2036
ACK bit filtering: Disabled
Stateful filtering: Disabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: Public IP address of reverse proxy server

H: iManager

To access the internal iManager server in the internal LAN using static NAT, one stateful exception is required to allow port 443 traffic.

Exception for iManager:

Source Interface Type: Interface
Source Interface: Public
Destination Interface Type: Interface
Destination Interface: Private
Service type: www-https-st
Protocol: TCP
Source port: Any
Destination port: 443
ACK bit filtering: Disabled
Stateful filtering: Disabled
Source address type: Any address
Source address: NA
Destination address type: Host
Destination address: IP address of iManager server

CONCLUSION

This AppNote has described how to configure filter exceptions so that internal and external users can access some of the Novell services. The information in this AppNote is derived strictly from test scenarios. In real user scenarios, you may experience deviations from these results. Novell does not recommend deploying these configurations directly in a production network. You should always verify them on a simulated test network before you deploy anything in a production environment.




© 2014 Novell