NAT or Not - Issues with IP/IP and Transparent Proxy
Novell Cool Solutions: Feature
Posted: 25 Mar 2004
A user wrote and asked about implementing an IP/IP gateway and transparent proxy with BorderManager, instead of dynamic NAT, in order to apply user-based access rules. Here's the reply from one of our BorderManager experts:
User authentication and user-based access rules make use of the CLNTRUST (single sign-on) or SSL authentication methods. These are not dependent on using IP/IP gateway or dynamic NAT. They just require an IP stack on the client.
The preferred configuration I see at most sites these days is:
- Do not use an IP/IP gateway - it introduces an unnecessary overhead and is not supported by Novell.
- Do not use a transparent proxy - it has a major limitation that prevents you from seeing the name of the host that a user accesses in the proxy log file.
- Use dynamic NAT on the public interface to provide translation between internal addresses and a single external address (the address of the public interface).
- Use CLNTRUST.EXE for user authentication - this is loaded in the login script.
- Use ZENworks or a batch file to force the proxy settings as a registry fragment out to the users.
Using this configuration, you will be able to apply access rules based on user, group or OU membership.
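A registry fragment of the kind the last step of the reply describes, as an added example and not the expert's or Novell's own file. The proxy host name is a placeholder and port 8080 is an assumption; replace both with the address and listener of your own HTTP proxy. A login script or batch file can import it silently with `regedit /s`.

```reg
REGEDIT4

; Constructed example: forces the explicit (non-transparent) proxy setting
; for the logged-in user. "proxy.example.internal" is a placeholder host and
; 8080 is an assumed port, not values taken from the article.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

; Turn the manual proxy setting on.
"ProxyEnable"=dword:00000001

; Send browser traffic to the proxy so requests are logged and matched
; against the user, group or OU access rules.
"ProxyServer"="proxy.example.internal:8080"

; Bypass the proxy only for local (dotless) intranet host names.
"ProxyOverride"="<local>"
```

These are per-user values that a user can edit, so check that the packet filters on the public interface do not let clients reach web servers directly through dynamic NAT, which would bypass the proxy's access rules and log.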
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com