
Setting up a Secure Internet Connection

Novell Cool Solutions: Feature


Posted: 21 Mar 2002
 

Current version NSBS 6


Control and Secure Your Internet Connection

To remain competitive in today's Net economy, it is imperative that companies both large and small are able to conduct business on the Internet with their vendors, suppliers, partners and customers.

However, when connected, businesses expose themselves to a variety of threats from the Internet including hackers and cyber criminals. In addition, businesses are opening the door to employees using the Internet for non-business purposes, such as accessing objectionable sites.

In a recent research note, Gartner Group predicts that by 2003, 50 percent of small- to medium-sized businesses that manage their own network security and use the Internet for more than e-mail, will experience a successful Internet attack. Moreover, more than 60 percent of those companies will not know that their site has been penetrated.

That's why it is imperative that the Internet connection be controlled and secure. The connection must protect against unauthorized entry from outside the organization, and it must provide effective control over outgoing Internet access from inside the organization.

Setting up a Secure Internet Connection

As a Novell® Solution Provider, you are often called upon to implement the Internet connection for your clients. With Novell Small Business Suite 6, you can implement a highly functional Internet connection, yet one that offers a high degree of security and control.

Novell Small Business Suite 6 includes Novell BorderManager® to enable you to implement a controlled and secure Internet connection. Novell BorderManager provides a variety of services that enhance and secure the Internet connection.

These services include strong firewall protection against outside intruders, Internet access control to limit outgoing access by employees and Internet caching to speed up Internet access.

As Figure 1 shows, you connect the Novell Small Business Suite 6 server to the Internet and to your internal network using two separate network interface cards (NICs). This isolates your internal network from the Internet, preventing intruders from entering your private network through the Internet.

Figure 1. Single-Server Secure Internet Connection

You install the Novell BorderManager firewall, Internet access control and Internet cache on the Novell Small Business Suite 6 server. (You may also install the Apache Web server, included with Novell Small Business Suite 6, on the server if your customer wants to take advantage of the browser-based services provided by Novell Small Business Suite 6, such as browser-based server management, Novell iFolder™ and Novell iPrint.) You then install your server applications and data on the Novell Small Business Suite 6 server behind the Novell BorderManager firewall. By placing the applications and data behind the firewall, you protect them against intruders from the Internet. In addition, the Internet access control provided by Novell BorderManager limits outgoing access to the Internet by employees.

For added protection, you can implement a two-server Novell Small Business Suite 6 configuration that further protects applications and data by running them on a second Novell Small Business Suite 6 server that is on the internal network (see Figure 2). This isolates the second server from the Internet, preventing intruders from accessing the second server through the Internet. Because Novell Small Business Suite 6 includes a two-server license, you can expand to two servers at no additional software licensing cost.

Figure 2. Two-Server Secure Internet Connection

This guide presents a step-by-step procedure for installing and configuring a secure Internet connection using the Novell BorderManager firewall, Internet access control and Internet caching. The procedure is identical for the single-server and the two-server configuration, because in the two-server configuration Novell BorderManager is installed on only one server, the server with two NICs (see Figure 2).

Estimated time to complete
The estimated time to complete Steps 2 through 8 below is about one hour. This time assumes that you have performed Step 1 correctly.

Step 1. Preinstallation

Make sure that you have correctly performed the following steps prior to installing Novell BorderManager:

  1. You have installed Novell Small Business Suite 6 on the server (on both servers in a two-server configuration).
  2. You have installed the Apache Web server (if required) on the server.
  3. You have installed two network interface cards (NICs) on the server, configured and named both NICs and bound them to your server with an IP address for each NIC. This step will enable you to implement public and private access to the server on separate NICs (see Figure 1 and Figure 2).

    NOTE: You can preconfigure the NICs by adding the following lines to the autoexec.ncf file:

    LOAD CE100B.LAN SLOT=6 FRAME=ETHERNET_II NAME=PUBLIC
    LOAD CE100B.LAN SLOT=7 FRAME=ETHERNET_II NAME=PRIVATE
    BIND IP PUBLIC ADDR=<ip address for public network> MASK=<subnet mask>
    BIND IP PRIVATE ADDR=<ip address for private network> MASK=<subnet mask>

    (You may choose a different LAN driver and Slot numbers.)

  4. You have created a 4 GB volume called Cache in addition to the SYS or Data volumes on the server. Novell BorderManager Internet Caching Services will use the Cache volume instead of the SYS volume to prevent the cache from filling the SYS volume.

Creating the Cache Volume

You create the Cache volume from ConsoleOne®, either from a workstation at the server or from a workstation that is on the same network. To create the Cache volume, perform the following steps:

  1. If you already have a Data volume that contains data, back up the data before proceeding.
  2. From ConsoleOne, log into the tree for your Novell BorderManager server and then select the Pool Disk Management icon, which is a blue diamond shaped icon that represents data pools. Click on this icon and specify the tree, context and server that you wish to manage. After doing so, you will see a screen with the properties SERVERNAME.TREENAME under the Media tab, and the listed NSS Pools with allocated space for each under the NSS Pools tab.
  3. If you have 4 GB of free space in your NSS pool, you can select New and create the Cache volume from the free space. Otherwise, you must delete the DATA NSS logical volume, create a new volume called CACHE and allocate 4 GB of space to the Cache volume. You can then use the remaining space to create a new DATA volume and other volumes as needed.

Installing Novell Small Business Suite 6 on the Second Server

In a two-server configuration, you install NSBS 6 on the second server as follows:

  1. Insert the Novell Small Business Suite 6 software CD and select Advanced Install. The install program will automatically install the NetWare® 6 baseline operating system, all Novell Small Business Suite 6 software components and Novell eDirectory™.

    NOTE: You must install the second server into the existing directory tree, that is, the tree that you created when you installed the first server. However, the first and second servers must be installed into different contexts within the directory tree.

  2. Insert the license diskette. The Advanced Install program will install the second server license. NOTE: The Advanced Install program will display a notification indicating that it has installed the second server license but has not installed any additional client licenses.
  3. Select to install the Net services that you wish to run on the second server.
  4. Install any additional products that you want to run on the second server from the Novell Small Business Suite 6 software CD. Install each product according to the installation instructions for that product included in the Novell Small Business Suite 6 documentation CD.

Step 2. Install Novell BorderManager

In this step you will install Novell BorderManager on the server. In a two-server configuration, you install Novell BorderManager on the first server, that is, the server with two NICs (see Figure 2).

To install Novell BorderManager:

  1. Insert the Novell BorderManager 3.6 CD. Be sure that it mounts. Enter the word "Volumes" at the console prompt and make sure that BMEE36 is one of the mounted volumes. You should also see a volume named CACHE, which you should have created during the Novell Small Business Suite 6 installation process.
  2. Go to the GUI interface. If it's not loaded, enter the command Startx to load it.
  3. Click on the Novell button and then select Install. A screen displays that lists the installed products. Click on the Add button. Click on the Browse icon to the right for the Novell BorderManager 3.6 CD. Click OK to begin. The message Please wait, copying files will appear.
  4. Next, the Novell BorderManager Services Installation screen displays and gives you a warning to ensure that you have the latest support packs installed for your operating system. Currently there are no support packs for Novell Small Business Suite 6, so accept the license agreement to proceed.
  5. A screen displays the three Novell BorderManager packages (Firewall Services and Caching Services, VPN Services and Authentication Services). This guide covers only Firewall and Caching services.
  6. Click on the dropdown box to view the license path. Enter the path to the License File. Typically this will be an a:\ file.
  7. Login as the Admin user or with Admin privileges.
  8. The Novell BorderManager install screen will display showing a list of interfaces. Select Public for the interface that connects you to your ISP and select Private for the interface that connects you to your LAN.
  9. Select Enable filters to secure the public interface. This step will invoke the default settings for the firewall.

    NOTE: The default firewall filter settings will filter out all incoming access from the Internet. As a result, you will not be able to use any Novell Small Business Suite 6 services that require access from the Internet. This includes such services as browser-based server management, GroupWise® Web Access, Novell iFolder, iPrint and Apache Web server. If you want to enable any Internet services, you must set the appropriate filter exceptions in the firewall. The procedures for setting the required filter exceptions are described in the Novell BorderManager documentation on the Novell Small Business Suite 6 Documentation CD. Another useful reference is "A Beginner's Guide for Novell BorderManager" by Craig Johnson, available at: www.caledonia.net

  10. Select HTTP proxy to enable the Web proxy only on the LAN interface (for your internal users). This is the proxy through which the access rules you create later block internal users from accessing objectionable Web sites. Click OK.
  11. A screen displays that asks if you want to enable access control (through the Web proxy). Access control enables you to control outgoing access to the Internet. There are two modes of operation. With Access Control disabled, anyone can access the Internet. With Access Control enabled, Novell BorderManager enforces the access control rules that you specify. The default access control rule is to deny Internet access to all users. You must then expressly grant permission for users to access the Internet. (We will do that later.) Click OK.
  12. A screen displays that prompts for your Internet domain name. Enter the domain name that you obtained from your ISP. Click OK.
  13. A screen displays that prompts you for the IP addresses of up to three domain name servers. These are the IP addresses provided by your ISP. Enter up to three addresses. Click OK.
  14. A screen displays that indicates that the product to be installed is Novell BorderManager 3.6. The installation process begins. NOTE: At various points during the installation you may be asked if you want to overwrite files with their newer versions. In this case, always select Never overwrite, then click OK to continue.
  15. When the installation program completes the file copy and has made all the necessary configurations to Novell eDirectory, select Close. Do not select Reboot.

Step 3. Install the Novell BorderManager and NIAS Support Packs

In this step, you will install the Novell BorderManager Support Pack and Novell Internet Access Server (NIAS) Support Pack.

  1. Press the Ctrl-Esc keys to return to the system console.
  2. Insert the Partner CD. (The Partner CD includes the Novell BorderManager Support Pack and the NIAS Support Pack.)
  3. At the console prompt, enter "NWCONFIG". Go to Product Options, select Install Products Not Listed and press F3.
  4. A box appears asking you to enter the path from the Partner CD. Enter the Novell BorderManager Support Pack path. The path is NSBSPartner:\sup_paks\border\bm36sp1a (At this time, you can also select the option to back up the files from the support pack.) Press the F10 key to continue.
  5. When you get notification that the installation has completed, press Enter. Do not reboot. Select Install Products Not Listed. Press Esc. Press F3. A box appears asking you to enter the path from the Partner CD. Enter the NIAS Support Pack path: NSBSPartner:\sup_paks\nias\nias_sp1
  6. When the install completes, press the Esc key twice in succession to exit the install utility.
  7. Restart the server.

Step 4. Tour the New Screens

When the server finishes rebooting, press Ctrl-Esc. You will see a display similar to that shown below. Your display may differ somewhat, depending on the applications that are running.

Current Screens

  1. System Console
  2. Logger Screen
  3. WTM.NLM
  4. PKERNEL
  5. Apache for NetWare
  6. Novell RADIUS Services
  7. X Server - Graphical Console
  8. PROXYCFG
  9. Novell BorderManager Proxy Cache Server
  10. Proxy Console

Note that there are four new screens active as the result of the Novell BorderManager installation. These are Novell RADIUS Services, Proxy Console, the PROXYCFG screen and Novell BorderManager Proxy Cache Server. (If you select the Novell RADIUS Services screen, it will prompt you to enter the Dial access system name. Do not enter any information at this time.)

We will now examine these four new screens individually.

Press the Ctrl-Esc keys. Select the PROXYCFG screen.

The following display appears:

NetWare Proxy Cache Configuration Console
  1. Display Object Cache Configuration.
  2. Display DNS/Miscellaneous Configuration.
  3. Display TCP Configuration.
  4. Display ICP Configuration.
  5. Display FTP / Gopher Configuration.
  6. Display HTTP Configuration.
  7. Display Authentication Configuration.
  8. Display Generic TCP / UDP Configuration.
  9. Display RealAudio Configuration.
  10. Display SMTP Configuration.
  11. Display POP3 Configuration.
  12. Display NNTP Configuration.
  13. Display SOCKS Configuration.
  14. Display THTTP Configuration.
  15. Display Site Download Configuration.
  16. Display TTelnet Configuration.
  17. Display RTSP Configuration.
Enter Option:

What you see is the information that we will be entering in NWADMIN. You can only display the current configuration here. You cannot make configuration changes from this screen. You must make configuration changes from NWADMIN.

Press the Ctrl-Esc keys. Select Novell BorderManager Proxy Cache Server from the list of screens. This screen shows the currently running services and on what IP addresses they are listening.

Press the Ctrl-Esc keys. Select Proxy Console from the list of screens. The following display appears. In this display, you can observe the current activity:

Proxy Console
  1. Display current activity
  2. Display memory usage
  3. Display ICP statistics
  4. Display DNS statistics
  5. Display cache statistics
  6. Display not cached statistics
  7. Display HTTP server statistics
  8. Display HTTP client statistics
  9. Display connection statistics
  10. Display FTP client statistics
  11. Display GOPHER client statistics
  12. Display DNS Cache Entry information
  13. Show hosts sorted by most DNS lookup requests
  14. Show origin hosts sorted by amount of data transmitted from the cache
  15. Show origin hosts sorted by amount of data received by the cache
  16. Show proxies and origin hosts sorted by most data directly received
  17. Display configured address and services
  18. Display SOCKS client statistics
  19. Application Proxies
  20. Transparent Proxy statistics
  21. Send splash screens - current setting DISABLED
  22. Site download options
Enter option:

Step 5. Configure the Network

In this section, you will configure the network.

  1. Enter inetcfg at the console and press Enter. You will be asked if you want to transfer LAN driver, protocol and remote access commands. Answer Yes.
  2. INETCFG will ask you whether you want to restart the server now. Answer No.
  3. INETCFG will ask you if you want to use the fast setup method. Select No. The INETCFG menu will display.

    NOTE: If you preconfigured the NICs through autoexec.ncf as described in Step 1, you do not have to perform sub-steps 4 and 5 below. Proceed to sub-step 6.

  4. Select Boards. You will see the two network cards displayed. Note the configuration settings for each board. You will need this information later to rename the boards. (The only way to rename a board is to delete the board and re-enter the configuration information with the new board name.)
  5. Rename the boards by deleting each NIC and re-entering it with its new name.

    NOTE: Novell recommends naming the NIC on the LAN side "Private" and the NIC on the ISP side "Public." This simplifies troubleshooting by making it easy to remember which board is on the Internet side. Press the ESC key. Answer Yes to Save Changes?

  6. The inetcfg menu appears. Select Protocols. Another menu appears. Select TCP/IP. The IP configuration screen displays. Make sure that IP packet forwarding is enabled, RIP is disabled and LAN static routing is enabled.
  7. Select LAN Static routing table. The TCP/IP Static Route screen displays. Press the Insert key. For Route type, Select Default route. Enter the Next Hop Router on Route: This is the next IP address on the way to your ISP.
  8. Press the Esc key twice to update the database. This will return you to the TCP/IP configuration screen. Go to the DNS resolver configuration item and make sure that it shows the IP address that you entered during the installation of Novell BorderManager.
  9. Go to the Bindings screen and bind the NICs to the IP addresses. Bind the Public NIC to the IP address provided by your ISP and bind the Private NIC to the IP address for your LAN.
  10. At this time, you can also enable Network Address Translation (NAT) on the public interface. This is done by selecting the Public binding. The Binding TCP/IP to a LAN interface screen displays. Select Expert TCP/IP bind options. Select Network Address Translation. Change Status to Dynamic only.
  11. Press the Esc key four times to return to INETCFG menu. You will be asked if you want to save the configuration. Answer Yes. This will update the information. Press the Esc key to exit inetcfg.
  12. Edit autoexec.ncf. Change the Load conlog maximum= from 100KB to 1000KB. On the line beginning RCONAG6, where it says "password," replace the word "password" with your actual password. If you are not using RADIUS, enter a semicolon ";" before the words "Load RADIUS.NLM." Press the Esc key. When asked if you want to save changes, answer YES.
  13. Remove the Partner CD, exit and then restart the server.

When the server is back up, you should verify that the configuration has loaded correctly. Enter the word "CONFIG" at the console prompt and press the Enter key. You should see both network cards with the IP addresses that you configured.
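The CONFIG check above only shows that the addresses loaded; it does not tell you whether the layout is actually the isolating one the guide describes. The script below is an added example, not part of the Novell guide: it models the Public and Private bindings, the default route and the NAT setting from Steps 1 and 5 as data and checks the properties the design depends on (disjoint subnets, the default-route next hop reachable on the public NIC, RFC 1918 addressing on the LAN side when dynamic NAT is on). All addresses are constructed sample values, not from the page.

```python
"""Sanity checks for the two-NIC layout from Steps 1 and 5.

Added example, not Novell code. The configuration dictionary mirrors the
INETCFG settings the guide asks for; the sample values are constructed
(RFC 5737 documentation range on the public side, RFC 1918 on the LAN side).
"""
import ipaddress

# Constructed sample configuration; replace with the site's real values.
SAMPLE_CONFIG = {
    "PUBLIC":  {"addr": "203.0.113.10", "mask": "255.255.255.0"},
    "PRIVATE": {"addr": "192.168.1.1",  "mask": "255.255.255.0"},
    "default_route_next_hop": "203.0.113.1",   # "next IP address on the way to your ISP"
    "nat_on_public": "Dynamic only",           # the Expert TCP/IP bind option from sub-step 10
}


def interface_network(binding):
    """Return the IP network an interface binding lives on."""
    return ipaddress.ip_interface(f"{binding['addr']}/{binding['mask']}").network


def check_config(cfg):
    """Return a list of (check_name, passed) tuples for the configuration."""
    public = ipaddress.ip_address(cfg["PUBLIC"]["addr"])
    private = ipaddress.ip_address(cfg["PRIVATE"]["addr"])
    pub_net = interface_network(cfg["PUBLIC"])
    prv_net = interface_network(cfg["PRIVATE"])
    next_hop = ipaddress.ip_address(cfg["default_route_next_hop"])

    results = []
    # The two NICs isolate the LAN from the Internet only if their subnets are distinct.
    results.append(("public and private subnets do not overlap", not pub_net.overlaps(prv_net)))
    # The default route points at the ISP, so its next hop must be reachable on the public NIC.
    results.append(("default route next hop is on the public subnet", next_hop in pub_net))
    results.append(("next hop is not the server's own public address", next_hop != public))
    # With dynamic NAT on the public side, the LAN should use private (RFC 1918) addressing.
    results.append(("private NIC uses RFC 1918 space when NAT is enabled",
                    cfg["nat_on_public"] == "Disabled" or private.is_private))
    # Both bound addresses must be usable host addresses (not the network or broadcast address).
    results.append(("public address is a host address",
                    public not in (pub_net.network_address, pub_net.broadcast_address)))
    results.append(("private address is a host address",
                    private not in (prv_net.network_address, prv_net.broadcast_address)))
    return results


def failures(cfg):
    """Names of the checks that did not pass; an empty list means the layout is consistent."""
    return [name for name, ok in check_config(cfg) if not ok]


if __name__ == "__main__":
    for name, ok in check_config(SAMPLE_CONFIG):
        print("PASS" if ok else "FAIL", name)
```

A next hop that falls on the private subnet is the mistake this catches most often: the server still boots and CONFIG still looks right, but outbound traffic for the Internet is routed into the LAN instead of toward the ISP.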

This completes the server-side configuration of Novell BorderManager. You perform the remaining steps from a Windows* 95/98/2000/ME/XP workstation. The workstation must be connected to the same network as the server.

Step 6. Install NWAdmin Snap-ins and Cyber Patrol

In this step, you will install two additional items: NWADMIN snap-ins and the CyberPatrol Internet access filter.

  1. From the Windows workstation, log in to the server. You must have a drive mapped to the sys volume to install the NWADMIN snap-ins.
  2. Go to Start, Run and enter \\server\sys\public\brdrmgr\snapins\setup.exe. A box will display asking you to enter the destination for the snap-in files. The correct path should already be displayed. If the correct path is not displayed, browse to the correct location for NWADMIN. After the file copy completes, you will be asked if you want to read the readme file and if you want to start NWADMIN. Deselect both and click Done.
  3. Select Start, Run and browse to the setup program for CyberPatrol. It's at \\server\sys\etc\cpfilter\cp_setup.exe. Enter the drive letter of the sys volume with no colon.
  4. When the file copy is complete, you will be asked for your registration information. Enter it if you have it. NOTE: CyberPatrol will update at no charge for the first 45 days. After that you will need to purchase an update subscription. Go to www.surfcontrol.com for information on purchasing the subscription.
  5. At the system console, enter sys:\etc\cpfilter\cpfilter and press the Enter key. An alert will display saying Connected to IntranetWare proxy server. Edit the autoexec.ncf file by adding the line sys:\etc\cpfilter\cpfilter at the end of the file. This will cause CyberPatrol to load automatically in the future. Press the Esc key to exit and save.

Step 7. Configure Novell BorderManager

  1. In NWADMIN, browse to your server object and double click it. You should see three new property buttons: BorderManager Alert, BorderManager Setup and BorderManager Access Rules.
  2. Select BorderManager Setup and verify the configuration. You should see the default settings that were set during installation, that is, HTTP Proxy is enabled and Enforce Access Rules is checked.
  3. Click on the IP Address button. Verify that the NIC for your ISP is set to Public and the NIC for your LAN is set to Private. Click OK.
  4. Click the Authentication context button. This forces users to authenticate to the proxy server before they are allowed out to the Internet. In this way, you can control outgoing Internet access by user identity. You can also log activity by user identity for users that are logged into Novell eDirectory.
  5. At this point, you have the option to implement the Single Sign-on feature of Novell Small Business Suite 6. Single Sign-on requires both a server and a client component. The client component is CLNTrust.exe. (The installation of the client component is described in Step 8.) With Single Sign-on, when a user logs in to the proxy server, he or she is automatically authenticated to Novell eDirectory at the same time. (Login to the proxy server is transparent when the user is authenticated to Novell eDirectory.) As a result, the user has to log in only once. To enable Single Sign-on, de-select SSL and make sure that Single Sign-on is checked. Click OK. This returns you to the Novell BorderManager setup screen.
  6. To configure the Web proxy, select it on the Application Proxy tab and click Details. The only thing you need to change is to enable Common Logging, Extended Logging and Indexed Logging. Enabling all three provides wide flexibility for real-time monitoring of users' activity on the Internet.

    To ensure that the logs don't fill the sys volume, select the Delete files older than option and specify how long you want to retain your logs. You need to do this separately for Common logs and Extended logs. Click OK to save the settings. This returns you to the Novell BorderManager setup screen.

  7. Click the Cache button to go to the Cache Location tab. Change the Default location by entering the cache volume that you created during the Novell Small Business Suite 6 installation. In the Cache volume list window, select the icon for adding a volume to the list. Enter "cache:". Click OK. Click on SYS and remove it so that the only volume that remains is Cache. Click OK twice. Changes to the Novell BorderManager configuration are automatically pushed out to the Novell BorderManager server.
  8. You can create access rules at this point. Double click the Server object. Select the Novell BorderManager Access rules property page. At this point, there will not be any rules listed. If you click Effective rules you will see a Deny any rule that is grayed out and cannot be removed. That's because the default is to deny all access to the proxy.
  9. Create an "Allow all" rule by clicking the Add rule button. The Add access rule definition screen displays. Select Enable rule hit logging. Click OK. The Novell BorderManager Access rules screen displays. Click on Effective rules and you will see the Allow any listed before the Deny any. Rules higher on the list take precedence over rules lower on the list.
  10. You can create additional rules to block objectionable sites. For each rule you wish to create:
    1. Click the Add rule button. The Access rule definition screen appears. For Action, select Deny. For Access type, select URL. For Destination, select Specified. Click the Browse button. A screen called URL specifications displays.
    2. From the drop-down box, select from the Microsystems CyberNOT* list. You will see a list of categories. From the list of categories, select those to which you want to block access.
    3. Click OK.
    4. Check Enable Rule hit logging.
    5. Click OK. New rules are added to the bottom of the list.
    6. Use the arrow keys to move the rule you just created to the top of the list so that it takes precedence over the Allow any rule. The Novell BorderManager Access rules screen displays.
  11. Click Effective rules. You will see that the rule using CyberPatrol appears first. At this point you have completed the configuration of the access rules on the proxy server.
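The ordering point in sub-steps 9 through 11 is the part of this procedure that is easiest to get wrong: the list is evaluated top down, the first matching rule wins, and a category deny rule left below "Allow any" never fires. The following added example (not Novell code) models that evaluation over the three rules the guide ends up with: the category deny rule, "Allow any", and the fixed "Deny any" at the bottom. The category list, category names and URLs are constructed stand-ins for the CyberNOT list, and the rule-hit log is a simple list rather than the server's log files.

```python
"""First-match evaluation of an ordered access rule list.

Added example, not Novell code. It reproduces the ordering behaviour described
in Step 7: rules higher on the list take precedence, and an implicit "Deny any"
that cannot be removed sits at the bottom. SAMPLE_CATEGORY_LIST is a
constructed stand-in for the CyberNOT category list.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample data: hostname -> content category.
SAMPLE_CATEGORY_LIST = {
    "gambling.example": "Gambling",
    "violence.example": "Violence",
    "news.example": "News",
}


@dataclass
class Rule:
    action: str                          # "allow" or "deny"
    categories: frozenset = frozenset()  # empty set means the rule matches any URL
    name: str = ""
    log_hits: bool = True                # "Enable rule hit logging"


@dataclass
class RuleSet:
    rules: list                          # ordered; index 0 is the top of the list
    hit_log: list = field(default_factory=list)

    def effective_rules(self):
        """The configured rules followed by the implicit, non-removable Deny any."""
        return self.rules + [Rule("deny", name="Deny any (implicit)")]

    def evaluate(self, user, url):
        """Return "allow" or "deny" for this request; the first matching rule decides."""
        host = urlparse(url).hostname or ""
        category = SAMPLE_CATEGORY_LIST.get(host)   # None for uncategorised hosts
        for rule in self.effective_rules():
            if rule.categories and category not in rule.categories:
                continue                             # category rule does not apply to this URL
            if rule.log_hits:
                self.hit_log.append((user, url, rule.name, rule.action))
            return rule.action
        return "deny"                                # not reached: the implicit rule always matches


def build_ruleset(deny_first=True):
    """Build the guide's rule list; deny_first=False shows the mistake of leaving the deny rule at the bottom."""
    block = Rule("deny", frozenset({"Gambling", "Violence"}), name="Block CyberNOT categories")
    allow = Rule("allow", name="Allow any")
    return RuleSet([block, allow] if deny_first else [allow, block])


if __name__ == "__main__":
    for ordering in (True, False):
        rs = build_ruleset(deny_first=ordering)
        print("deny rule on top" if ordering else "deny rule below Allow any")
        for url in ("http://gambling.example/", "http://news.example/", "http://unknown.example/"):
            print("  ", url, "->", rs.evaluate("alice", url))
```

With the deny rule moved to the top, the gambling request is denied and everything else passes on "Allow any"; with the rules in insertion order the same request is allowed, which is exactly why sub-step 10.6 tells you to move each new rule above "Allow any". An empty rule list denies everything, matching the grayed-out Deny any seen in sub-step 8.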

Step 8. Install the Client Trust Component on Users' Workstations (optional)

If you wish to enable users to take advantage of Novell SecureLogin, you need to install the CLNTrust.exe program or the CLNTrust shortcut on each user's workstation that is to use Novell SecureLogin. The CLNTrust.exe is located in the public directory on the Novell BorderManager server at Z:\PUBLIC\CLNTrust.exe.

There are two methods you can use to install the CLNTrust.exe or the CLNTrust shortcut on the user workstations:

  • Use Novell ZENworks® for Desktops to distribute the CLNTrust.exe or CLNTrust shortcut to all target workstations. For more information on the distribution process, refer to the Novell ZENworks for Desktops documentation on the Novell Small Business Suite 6 Documentation CD.
  • On each user's desktop, place either the CLNTrust.exe or the CLNTrust shortcut in the Windows Startup folder. Users can browse to the public directory on their Novell BorderManager server, then drag and drop the CLNTrust.exe or the CLNTrust shortcut from the public directory into their Startup folder.

Congratulations. You have successfully installed a secure Internet connection for your Novell Small Business Suite 6 customer. Now your customer can extend business to the Internet safely and in a controlled fashion.

© 2002 Novell, Inc. All rights reserved. Novell, the Novell logo, NetWare, BorderManager, ConsoleOne, GroupWise and ZENworks are registered trademarks, and eDirectory and Novell iFolder are trademarks of Novell, Inc. in the United States and other countries.

*Windows is a registered trademark of Microsoft Corporation. CyberPatrol and CyberNOT are trademarks of SurfControl, Inc. All other third-party trademarks are the property of their respective owners.

Novell Product Training and Support Services

For more information about Novell's worldwide product training, certification programs, consulting and technical support services, please visit: www.novell.com/services

For More Information

Contact your local Novell Authorized Reseller, or visit the Novell Web site at: www.novell.com

You may also call Novell at:
1 888 321 4272 US/Canada
1 801 861 4272 Worldwide
1 801 861 8473 Facsimile

Novell, Inc.
1800 South Novell Place
Provo, Utah 84606 USA
www.novell.com

Reader Comments

  • I have been looking for something like this for some time. I'd also like this written for NSBS 5.1
  • Pretty much every SB customer I see wants this, so it's a very handy guide.
  • Excellent ;}
