Novell BorderManager 3.7 Update for N2H2 Integration: Part 3

Novell Cool Solutions: Feature

Posted: 6 Sep 2002
 

Version: BorderManager 3.7

There's a new tool available to help you filter Web content, monitor the Internet access of your users, and get reports of your users' activity on the web. Novell BorderManager 3.7 is now integrated with N2H2, with support for:

  • N2H2 Sentian for Novell BorderManager/Red Hat Linux and N2H2 Sentian for Novell BorderManager/Windows
  • N2H2 Bess for Novell BorderManager/Red Hat Linux and N2H2 Bess for Novell BorderManager/Windows

Other partner solutions previously supported by Novell BorderManager continue to be supported by this update.

In Part 3 of this series about N2H2 Integration with BorderManager, we answer some questions about troubleshooting and backward compatibility.

Troubleshooting

Q1: What happens when the N2H2 server is down or unreachable?

If the N2H2 server is down or unreachable, all connection attempts by the Novell BorderManager server to the N2H2 server will time out. Time-out error messages will be displayed on the Novell BorderManager server console (the logger screen in the case of NetWare 6). All Access Control Rules will return a "no-match" with any URL. A URL may be allowed or denied depending on the ACL of the Novell BorderManager server.

Q2: What will happen if the communication channel between my Novell BorderManager server and my N2H2 server is slow?

If the communication channel between the Novell BorderManager server and the N2H2 server is slow, connection attempts and/or requests made by the Novell BorderManager server to the N2H2 server may time out. In case of a time-out, time-out error messages will be displayed on the Novell BorderManager server console (the logger screen in the case of NetWare 6). All Access Control Rules will return a "no-match" with any URL. A URL may be allowed or denied depending on the ACL of the Novell BorderManager server.

Q3: What will happen when the DNS server is down or unreachable from the N2H2 category server?

When the N2H2 server is not able to contact the DNS server, it tries a DNS lookup for 30 seconds for each categorization request before it replies with a response of DNS Lookup failed. In the meantime, the categorization requests made by the Novell BorderManager server, which are waiting for a reply, may time out. The URLs corresponding to these requests will then return a "no-match" with that Access Control Rule. The URL may be allowed or denied depending on the ACL of the Novell BorderManager server.

Q4: What should I do if a URL, belonging to a category in an Access Control Rule, is behaving opposite to its Access Control Rule action (allow/deny)?

A URL belonging to a category in an Access Control Rule may behave opposite to its configured action due to one of the following reasons:

  • The URL also belongs to an Exception Category and that Exception Category has been selected in the Access Control Rule. If you do not want the opposite action of the access rule for URLs falling in the Exception Category, uncheck the Exception Category in the access rule.
  • The Novell BorderManager server is not able to receive categorization replies from the N2H2 server (see the server console for any error messages). If the ACL of the server has another Access Control Rule that returns a match with the request, that rule decides the outcome: the URL is allowed if an Allow All rule is matched (the case where all URLs are being allowed), or denied if the default Access Control Rule of Deny All is matched (the case where all URLs are being denied).
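
The fall-through described in Q1 to Q4 can be modelled to see which rule sets fail open when the category server stops answering. This is an added example, not Novell's or N2H2's code: it assumes rules are checked top-down with the first match winning, and the rule sets, category names and URLs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

class CategoryTimeout(Exception):
    """The category server did not answer before the request timed out."""

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    category: Optional[str] = None  # None = rule matches every URL (Allow All style)

Lookup = Callable[[str], Set[str]]

def evaluate(acl: List[Rule], url: str, lookup: Lookup) -> Tuple[str, str]:
    """First matching rule wins (assumed). A category rule whose lookup timed
    out returns no-match, so evaluation falls through to later rules and
    finally to the default Deny All."""
    cats: Optional[Set[str]] = None
    timed_out = False
    for rule in acl:
        if rule.category is None:
            return rule.action, "catch-all rule"
        if cats is None and not timed_out:
            try:
                cats = lookup(url)      # one categorization request per URL
            except CategoryTimeout:
                timed_out = True        # every category rule is now no-match
        if cats is not None and rule.category in cats:
            return rule.action, "category " + rule.category
    return "deny", "default Deny All"

# Constructed sample data: category names and URLs are invented for the example.
SAMPLE = {"http://casino.example/": {"gambling"}, "http://paper.example/": {"news"}}

def server_up(url: str) -> Set[str]:
    return SAMPLE.get(url, set())

def server_down(url: str) -> Set[str]:
    raise CategoryTimeout(url)

def drift(acl: List[Rule], urls: List[str]) -> List[Tuple[str, str, str]]:
    """URLs whose decision changes when the category server is unreachable."""
    out = []
    for u in urls:
        up, down = evaluate(acl, u, server_up)[0], evaluate(acl, u, server_down)[0]
        if up != down:
            out.append((u, up, down))
    return out

BLOCK_THEN_ALLOW = [Rule("deny", "gambling"), Rule("allow")]   # fails open
ALLOW_NEWS_ONLY = [Rule("allow", "news")]                      # fails closed
```

A deny-by-category rule followed by Allow All lets the blocked category through during an outage, while an allow-by-category rule set falls back to Deny All and blocks legitimate traffic instead.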

Q5: What do I do if the Access Control Rules on Novell BorderManager server are not working (when N2H2 is the URL blocking product) even though the Access Control is enabled?

If the Access Control Rules on the Novell BorderManager server are not working (when N2H2 is the URL blocking product) even though Access Control is enabled, then either the Novell BorderManager server is unable to establish a connection with the N2H2 server, or it is not able to receive categorization replies from the N2H2 server for the categorization requests it is sending (see the server console for any error messages). In such a case, do the following:

  • Check if the N2H2 server configuration is correct in NWADMN32.
  • Check if the N2H2 server is up and listening on the configured N2H2 port.
  • Check if the N2H2 server is able to contact a DNS server.

Q6: What do I do if I get an error message "Error writing to FILTPROD.DAT file" or "Error writing to N2H2.ACL file" in NWADMIN when I try to change the active third-party vendor or N2H2 category server specification?

Do the following:

  • Check if FILTPROD.DAT file or N2H2.ACL file is open.
  • Check if either of these two files is marked as read-only.

Q7: What should I do if I'm getting frequent server console error messages saying "Error writing to N2H2.ACL file"? Or, what do I do if I get an error message "Couldn't read category server information" preceded by an error message "Error opening n2h2.acl file" on the logger screen of the server console when I load ACLCHECK.NLM (with N2H2 as the active third-party solution) or when I change my active vendor to N2H2?

Do the following:

  • Check if N2H2.ACL file is open.
  • Also check if this file is marked as read-only.

Q8: What do I do if the N2H2.ACL file in the SYS:\ETC\BORDER\ENGLISH directory gets deleted/corrupted?

If this happens, you can get the file from the Novell BorderManager 3.7 update for N2H2 zip. After that, you need to configure the N2H2 category server again from NWADMN32.

Q9: What do I do if I'm getting frequent receive time-out errors on the server console when my active vendor is N2H2?

You could do one or both of the following:

  • Check if the N2H2 server is up and listening on the configured N2H2 port.
  • Check if the N2H2 server is able to contact a DNS server.

Q10: What do I do if the browsers are waiting for some time when a request is sent and the active vendor is N2H2?

You could do one or all of the following:

  • Check the server console for any error messages. In case of connect or receive errors, check if your N2H2 category server is configured properly.
  • Check if the configured N2H2 server is up and listening on the configured N2H2 port.

Q11: What do I do if NWADMN32 is not showing the category list while adding/modifying Access Control Rules?

If your active vendor is N2H2 and NWADMN32 is not showing the category list for N2H2, check if SYS:\ETC\BORDER\ENGLISH\N2H2.ACL file is present. If it isn't, replace it from the Novell BorderManager 3.7 update for N2H2.

Q12: How can I ensure that I can connect to the N2H2 Sentian server from the Novell BorderManager server?

You could do the following:

  • Ensure that there is connectivity between the Novell BorderManager server and the N2H2 category server. Opening a telnet session to the N2H2 Sentian server on port 4004 is a good test of connectivity.
  • Ensure that the N2H2 category server configuration done through NWADMN32 is complete and correct.
  • Ensure that the N2H2 server is listening on the configured N2H2 port (defaults: 4004 for Linux and 4000 for Windows).

Q13: How can I ensure that the N2H2 Sentian server is running?

To ensure that the N2H2 Sentian server is running, check if the N2H2 server is listening on the configured N2H2 port (defaults: 4004 for Linux and 4000 for Windows). To do this, use the "netstat" command on Windows or Linux.

Q14: If users are moved from one group or container to another, will they still have access to URLs to which the previous group or containers had access?

By default ACLCHECK maintains a cache that is refreshed every three hours. If the above changes take place and the cache is not refreshed, stale cache entries could cause the users to still have access to URLs allowed to a previous group. Whenever such a change occurs in the directory, refresh ACLCHECK. To do so, unload and reload ACLCHECK.

Miscellaneous

Q1: Are there any specific logs for N2H2 category server?

Yes, they are as follows:

  • On Microsoft Windows platforms the Application Event View is a good source of N2H2 information. Also see DOWNWIN.LOG in the N2H2 filtering directory to view database download histories and errors.
  • On Red Hat Linux see the INSTALL.LOG file in the /root/n2h2 [version] directory for installation information.

Q2: Are there any specific logs for Novell BorderManager interaction with the N2H2 category server?

Any errors and warnings are logged to the Console or to the Logger Screen. Alerts are also sent in case of fatal errors. View the console log to see these entries.

Q3: How scalable is the Novell BorderManager and N2H2 solution?

The solution is quite scalable. The N2H2 Sentian category server supports up to 1028 concurrent connections at a time; around 20 to 30 connections at a time are recommended. On the same connection, up to 256 requests can be queued at a time. Novell BorderManager uses up to 20 connections, and queues up to 256 requests to the N2H2 Sentian server at a time. This design scales well with respect to the number of requests to Novell BorderManager ACLCHECK.

Q4: Does the solution support load balancing and failover?

The N2H2 servers do not provide a request distribution mechanism (load balancing). However, you can configure Novell BorderManager to talk to an L2 switch that can forward the requests to more than one N2H2 server, which gives you load balancing as well as failover.

Backward Compatibility

Q1: Will my SurfControl access rules for Novell BorderManager continue to work with Novell BorderManager 3.7 update for N2H2?

Yes, old SurfControl access rules will work with Novell BorderManager 3.7 update for N2H2 if your selected third-party vendor is SurfControl. To select SurfControl as the third-party vendor, go to NWADMN BorderManager Access Rules Tab and click the SurfControl radio button.

Q2: Can you copy the SCONTROL.ACL file from one server to another?

It may not work. The SCONTROL.ACL file is generated every time ACLCHECK.NLM comes up (provided SurfControl is the active third-party URL blocking solution).

Q3: Is there any change in the format of SCONTROL.ACL (SurfControl categories) file?

Yes, it has changed. Earlier, the category name and the mask for the category were stored in the file. Now the category name and index are stored.
