
Novell BorderManager 3.7 Update for N2H2 Integration: Part 2

Novell Cool Solutions: Feature


Posted: 29 Aug 2002
 

There's a new tool available to help you filter Web content, monitor the Internet access of your users, and get reports of your users' activity on the web. Novell BorderManager 3.7 is now integrated with N2H2, with support for:

  • N2H2 Sentian for Novell BorderManager/Red Hat Linux and N2H2 Sentian for Novell BorderManager/Windows
  • N2H2 Bess for Novell BorderManager/Red Hat Linux and N2H2 Bess for Novell BorderManager/Windows

Other partner solutions previously supported by Novell BorderManager continue to be supported by this update.

Don't miss Part 1 and Part 3 of this series.

Here's what's in Part 2 of this series about N2H2 Integration with BorderManager:

Novell BorderManager Access Control

Q1: How do Novell BorderManager Access Control Rules work?

If Access Control is enabled on the Novell BorderManager proxy server, all requests to the Novell BorderManager proxy are first checked for a match or no-match with the Access Control Rules in the ACL of the Novell BorderManager server. If there is a match with any one of the configured Access Control Rules, the request is processed by the Novell BorderManager proxy as per the action (deny/allow) of the Access Control Rule. If the request matches none of the configured Access Control Rules, the default rule of "deny all" will be effective and the request will be denied by the proxy.

Q2: What is the order in which Access Control Rules in an ACL (as shown in NWADMN32) are hit?

The Access Control Rules are checked in top-to-bottom order as displayed in NWADMN32. The topmost Access Control Rule is checked first. If the request matches that rule, the rest of the rules are not checked. If it does not match, the next Access Control Rule is checked. If none of the Access Control Rules returns a match, the default rule of Deny All becomes effective.

Q3: What are the typical Access Rule settings?

1. To deny a few categories and allow all others: create one or more deny rules based on categories. Make Allow All the last in the list of Access Control Rules.

2. To allow a few categories and deny all others: create one or more allow rules based on categories. Make Deny All the last in the list of Access Control Rules (default).

Q4: How should the rules be designed to get the best performance?

The rules should ideally be container or group based. The container based rules should be as high in the tree as possible (this is to get a better hit ratio in terms of caching).

Q5: When should I use exception categories?

Typically, exception categories should be used along with normal categories in a deny Access Control Rule. For example, you want to block all sites that are categorized in a violence category except those sites that talk about the violent events in history (these sites should be categorized in History Exception Category by N2H2 category server). You can achieve this by creating a deny Access Control Rule in which you select both Violence category and History Exception Category. When a site that falls in both Violence category and History Exception Category is requested, it will be allowed. This will happen even though the Access Control Rule is a deny rule.

Q6: Does only N2H2 support exception categories?

Yes.

Q7: What happens if I try to access a URL, when the N2H2 server is not available and I have an access rule to allow/block an N2H2 category server?

The ACL on any Novell BorderManager server has a default Deny All Access Control Rule. If your active third-party vendor is N2H2 and the N2H2 category server is not available, all the Access Control Rules with a third-party solution as its destination type will return a no match. If you have an Access Control Rule of Allow All in your ACL, then this Access Control Rule will return a match and all the URLs will be allowed. If you do not have an Access Control Rule of Allow All, the default rule of Deny All will return a match and all the URLs will be blocked.

Q8: What will be the status of access rules configured for N2H2 server when the N2H2 server is updating the latest category content?

The N2H2 category server does not categorize URLs while it is downloading. You will get a no-match with any Novell BorderManager Access Control Rule that has N2H2 as its third-party URL blocking solution (which is as good as the rule being ignored). If there is a URL request during that time, the requested URL is allowed or denied depending on whether the request first matches an Allow rule or a Deny rule among the remaining rules in the Novell BorderManager Access Control List.
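
The evaluation order described in Q1, Q2, Q5, Q7 and Q8 above, as a small Python model added here for illustration; it is not Novell's or N2H2's code. The `Rule` class, the function names and the "News" category are assumptions, and the exception branch follows the Q5 statement that a site in both a denied category and a selected exception category "will be allowed".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    categories: frozenset = frozenset()  # empty set = Allow All / Deny All
    exceptions: frozenset = frozenset()  # [Exception] categories (deny rules)

def evaluate(rules, url_categories):
    """Return "allow" or "deny" for one request.

    url_categories is the set reported by the category server, or None
    while that server is unreachable or downloading an update.
    """
    for rule in rules:                   # top-to-bottom, first match wins
        if not rule.categories:          # Allow All / Deny All match anything
            return rule.action
        if url_categories is None:       # category rules return "no match"
            continue
        if not rule.categories & url_categories:
            continue
        if rule.action == "deny" and rule.exceptions & url_categories:
            return "allow"               # exception category overrides the deny
        return rule.action
    return "deny"                        # implicit default Deny All

def fails_open(rules):
    """True if the ACL allows every URL when the category server is down."""
    return evaluate(rules, None) == "allow"

# Constructed sample ACLs ("News" is a made-up category name).
BLOCKLIST = [
    Rule("deny", frozenset({"Violence"}), frozenset({"History Exception"})),
    Rule("allow"),                       # Allow All as the last rule
]
ALLOWLIST = [Rule("allow", frozenset({"News"}))]   # default Deny All follows

if __name__ == "__main__":
    for name, acl in (("blocklist", BLOCKLIST), ("allowlist", ALLOWLIST)):
        print(name, "fails open:", fails_open(acl))
        for cats in ({"Violence"}, {"Violence", "History Exception"}, None):
            print("  ", cats, "->", evaluate(acl, cats))
```

The "deny a few, allow the rest" layout from Q3 fails open during a category-server outage or update window, while the "allow a few, deny the rest" layout fails closed.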

Configuration

Q1: Should I have N2H2 and the Novell BorderManager server on the same network segment?

Preferably, yes, for optimal performance of the Novell BorderManager server. Note: The two should be on the same network but on different servers.

Q2: What TCP or UDP ports should I open up if a firewall exists between my Novell BorderManager server and N2H2 server?

If a firewall exists between the Novell BorderManager and the N2H2 server, TCP port 4004 (if N2H2 server is running on Red Hat Linux platform) or port 4000 (if N2H2 server is running on Windows platform) should be opened.

These are the default N2H2 ports on each of these platforms. However, the port number is a configurable parameter on the N2H2 server. If the N2H2 server is not listening on the default port, the firewall should be opened for the configured N2H2 port. For Linux, open port 443 for N2H2 configuration.

Novell BorderManager Access Control Configuration

Q1: Where does Novell BorderManager store the configuration information for the N2H2 server?

Novell BorderManager stores the configuration information in the file
SYS:/ETC/BORDER/ENGLISH/N2H2.ACL
on the Novell BorderManager server. This file stores the N2H2 category server IPAddress/Hostname and port value as the configuration information.

Q2: What happens if I configure Novell BorderManager to use another URL blocking product when there are access rules for the currently configured product?

If this is the case, all the access control rules of the currently configured product become ineffective. A warning indicating this will appear in NWADMN32.

Q3: How do I setup access rules to work with exception categories?

To configure Access Control Rules that work with exception categories:

  1. Click Novell BorderManager Access Control Rules after launching NWADMN32 and select one of the two listed third-party URL blocking solutions, namely N2H2 Sentian or Bess and SurfControl's Web Filter.
  2. Click the add button in the tool bar. A screen titled "Access Rule Definition" will be displayed.
  3. Select "URL" as the Access Type. Exception categories should be used with a normal category in a deny Access Control Rule when you want certain sites in the blocked category to be allowed if they also fall in the Exception Category. Click "Specified" as the Destination.
  4. Click the button next to "Specified" and a screen titled "URL Specifications" will be displayed.
  5. Click the combo box and select the third-party URL blocking solution category list entry.
  6. Select the categories that you want to deny for this Access Control Rule > Select the categories marked [Exception] that you want to allow in the Deny Access Control Rule even if the same URL falls in any of the normal categories selected in this Deny Access Control Rule.

To learn when to use exception categories see Q6 in the Novell BorderManager Access Control section above.

Q4: Does the Novell BorderManager server get notified if I change the N2H2 configuration information in NWADMN32?

Yes. If ACLCHECK.NLM is loaded when this change is made, it may take up to a minute for the Novell BorderManager server to get notified of this change.

Q5: How do I set up the N2H2 configuration information for multiple Novell BorderManager servers from NWADMN32?

To set up the N2H2 Configuration information from NWADMN32 on any Novell BorderManager server, map to the server and launch NWADMN32.EXE. Follow the steps given in Q3 of Section 5.2 N2H2 Configuration.

Note: Multiple Novell BorderManager servers cannot be configured for N2H2 category server information using NWADMN32 of any one Novell BorderManager server. To configure a Novell BorderManager server, launch NWADMN32 on that server and then continue with the configuration.

Q6: How can I find the IP address and port of the N2H2 Sentian server to specify in the NWADMN32 snap in?

Do the following:

For Linux users: go to https://<n2h2categoryserveripaddress>/controlcenter or https://<n2h2categoryserverhostname>/controlcenter. Login as N2H2 server Administrator (username and password set up during N2H2 registration) and go to Configure Server option. The IPAddress/hostname and Port fields will be available here.

For Windows users: you can view the IP address and port number that N2H2 category server listens on for Web requests. To do so:

1. On the Windows Start menu, point to Programs and then point to the N2H2 Sentian or Bess category server and click the General tab.

2. The IP address information is reflected in the IP address box. If the IP address box is 0.0.0.0 or blank the N2H2 category server is listening on all addresses.

3. The port information is reflected in the Port box.

Q7: Is there a configuration that supports failover for the N2H2 server?

The Novell BorderManager 3.7 update for N2H2 does not explicitly support failover for the N2H2 server as only one N2H2 server address can be specified at a time. However, you can configure Novell BorderManager to talk to an L2 switch that can forward the requests to more than one N2H2 server and thus you can have load balancing as well as failover.

Q8: How do I create a Novell BorderManager Access Control Rule?

Novell BorderManager Access Control Rules are configured using the NWADMN32.EXE (NetWare Administrator). To do so:

1. Go to the SYS:\PUBLIC\WIN32 directory and click NWADMN32.EXE.

2. Click Server Object, then BorderManager Access Rules Tab. The screen that comes up will show a list of configured Access Control Rules on the Novell BorderManager server. To add a new Access Control Rule, click the add button on the toolbar. Double click on an already existing Access Control Rule if you want to modify it.

Q9: How do I configure Novell BorderManager Access Control Rules to work with third-party URL blocking solutions to block/allow URLs of certain categories?

To configure Access Control Rules that work with third-party URL blocking solution, do the following:

1. Click BorderManager Access Control Rules after launching NWADMN32 and select one of the two listed third-party URL blocking solutions, namely N2H2 or SurfControl. Click the add button in the tool bar.

2. On the screen titled "Access Rule Definition," select "URL" as the Access Type and "Specified" as the Destination. Click the button next to "Specified."

3. On the screen titled "URL Specifications," click the combo box and select the third-party URL blocking solution category list entry. Select the categories that you want to deny/allow for this Access Control Rule.

N2H2 Configuration

Q1: Is the N2H2 configuration merged with Novell BorderManager configuration? How do I configure N2H2?

No, the Novell BorderManager configuration can be done using NWADMN32.EXE.

For Linux users: To configure the N2H2 server on Linux, go to the site
https://<n2h2serveripaddress>/controlcenter or
https://<n2h2serverhostname>/controlcenter

For Windows users: To configure the N2H2 server on Windows do the following:

1. On the Windows Start menu, point to Programs, and then point to the N2H2 Sentian or Bess category server and click the General tab.

2. In the IP Address box, type the IP address that the Sentian or Bess category server binds to. To listen on all available addresses, type 0.0.0.0 or leave the box blank. To listen on one address only, type that address.

3. In the Port box, type the port that the Sentian or Bess category server listens on.

4. Under Set Idle Connection Time-out, choose the length of time a client connection can remain idle before Sentian category server closes the connection. For optimal performance with Novell BorderManager select this to be "Never Time Out."

5. Click OK.

Q2: Why should the value of "IdleTimeOut" on the N2H2 category server be set to "Never Time Out" for optimal performance?

For optimal performance of Novell BorderManager with the N2H2 third-party blocking solution, the Idle TimeOut on the N2H2 server should be set to "Never Time Out." This ensures that connections between Novell BorderManager and the N2H2 server are not reset after a period of inactivity. If the connections are reset, the next few requests will not be serviced until a connection is set up again between the Novell BorderManager and N2H2 servers. Moreover, the access rules may not work while the connection is being re-established.

Q3: How do I enable and configure N2H2 as the third-party URL blocking solution for Novell BorderManager?

To accomplish this, do the following:

1. Launch NWADMN32 and click BorderManager Access Control Rules.

2. Select N2H2 as the third-party URL blocking solution.

3. A dialog box for N2H2 category server configuration will pop up. Enter IPAddress/hostname of the N2H2 category server and the port on which the N2H2 category server is listening. Click OK.

4. Create one or more Access Control Rules with N2H2 as the third-party URL blocking solution.

Q4: What are the parameters that need to be configured for the N2H2 Sentian server?

The parameters to be configured are:

  • The IP address of N2H2 category server.
  • The Port that the N2H2 category server will listen on.
  • The Idle Time out: select this to be "Never Time Out."
  • The day and time for download updates.

Q5: How do I configure the N2H2 category server for enhanced performance of URL blocking in Novell BorderManager Proxy?

For enhanced performance of URL blocking, do the following:

  • Select "Never Time Out" as the Idle TimeOut of the N2H2 category server.
  • Select the download time of the N2H2 category server so the download happens when the load on proxy is minimal.

Q6: How can I change the N2H2 category server that I'm using for URL blocking?

Do the following:

1. Launch NWADMN32 and click BorderManager Access Control Rules.

2. Click the Category Server Information button. A dialog box for N2H2 category server configuration will pop up. Change the IP Address/hostname of the N2H2 category server and/or the port on which the N2H2 category server is listening. Click OK.

Q7: How long will it take to update the change in the category server Information (IP Address/Host Name and/or Port) in NWADMN32 in Proxy?

If the proxy is loaded and a category server information change is made through NWADMN32, it will take a maximum of one minute for the information to be updated.

Q8: How do I make N2H2 run on a port other than the default port?

Do the following:

For Linux users: Go to https://<n2h2categoryserveripaddress>/controlcenter or https://<n2h2categoryserverhostname>/controlcenter. Login as N2H2 server Administrator (username and password set up during N2H2 registration) and go to Configure Server option. Change the Port field.

For Windows users: On the Windows Start menu, point to Programs, and then point to the N2H2 Sentian or Bess category server and click the General tab. In the Port box, type the port that the Sentian or Bess category server listens on. Click OK.

Q9: How can I modify the N2H2 server configuration information once it is set?

Do the following:

For Linux users: Go to https://<n2h2categoryserveripaddress>/controlcenter or https://<n2h2categoryserverhostname>/controlcenter. Login as N2H2 server Administrator (username and password set up during N2H2 registration) and go to Configure Server option. Change the IP Address/Hostname and/or Port field.

For Windows users: On the Windows Start menu, point to Programs, and then point to the N2H2 Sentian or Bess category server and click the General tab. In the IP Address box, type the IP address that Sentian or Bess category server binds to. To listen on all available addresses, type 0.0.0.0 or leave the box blank. To listen on one address only, type that address. Click OK.

