Novell Cool Solutions: Tip
Posted: 14 Dec 2001
Version: BorderManager 3.5EE
We recently heard from Michael L. from Edinburgh who posed an interesting question. He wrote:
Presently we wish to add a secondary pipe so that we can split traffic between them. One for mail and the additional pipe for web things.
Can BM 3.5EE support two public internet connections?
Our current BM setup has one public, one private and one DMZ interface. We use NAT, Packet filters, forward proxy and RADIUS authentication.
There are many things to consider in solving this problem (BorderManager is an art, not a science), so here are a few ideas to mull over. If you have other suggestions, please let us know and we'll add them to the mix.
If you want to load balance, do it with a router that terminates both public links and is designed for load balancing, rather than with BorderManager. Short of that, traffic can be split in several ways: with static routes on the server, with port forwarding on the default router pointing at the other router, or by enabling dynamic NAT on the LAN interface of the non-default router.
Here's how one consultant did it for a customer just recently.
The customer wanted a DMZ with two NetWare servers acting as internal and external firewalls. However, the outside firewall had to manage three Internet links. The first (64K) was for e-mail only, the second (64K) was for general surfing purposes, and the third (128K) was dedicated to accessing Internet banking sites for their accountants.
They installed four interfaces: one internal and three external. E-mail could go anywhere so we gave that link the default route. The general surfing link got a static route to the ISP's caching box and the cache box in the DMZ was configured to only forward through the cache hierarchy. The banking-only link was destined for a specific banking site so it got its own set of static routes to the bank's network and that traffic trundled quite neatly down that link.
Firewalling was configured for each interface for the specific traffic requested to ensure the traffic did not spill over onto the other links, and to provide security.
These guys are smiling ear to ear as they can now do everything they want without having everything glutting their one link.
You could have two dedicated networks for your public interfaces, call them "nonhttp" and "http", each with its own router to the public Internet.
Scenario A: Pumping mail over a dedicated connection
Customer requires a mail host from his service provider.
Configure the server so that the default route points to the router on the "http" network. Add a host route to the provider's mail relay via the second public interface, so that only traffic to that address uses the "nonhttp" network, and configure the e-mail system to relay through that server. A host route matches a single address, so if the provider later moves its relay, mail silently falls back to the default route and the "http" link.
Scenario B: Pumping http traffic over a dedicated connection
Customer requires an HTTP proxy, either at his service provider or a publicly reachable proxy service.
Configure the server so that the default route points to the router on the "nonhttp" network. Add a host route to the parent proxy server with the router on the "http" network as its gateway. Then add that server as a parent proxy (CERN) in the BorderManager configuration, so the forward proxy sends all web requests to it and they leave over the "http" link.
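As an added illustration that is not part of the original tip and not BorderManager or NetWare code, the following Python models the mechanism that both the consultant's three-link design and Scenarios A and B rely on: longest-prefix-match routing, where a host or static route beats the default route, plus a per-interface filter that drops anything the link is not meant to carry. Interface names, addresses (RFC 5737 documentation ranges) and port numbers are assumptions chosen for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed example: a longest-prefix-match route table plus
# per-interface egress filters. It models the static routes and packet
# filters the tip configures on the server; it is not BorderManager code.
# All addresses are RFC 5737 documentation ranges and are assumptions.

Flow = namedtuple("Flow", "dst proto dport")


class MultiLinkRouter:
    def __init__(self):
        self.routes = []      # (network, interface)
        self.filters = {}     # interface -> [(proto, dport, network)]

    def add_route(self, prefix, iface):
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def allow(self, iface, proto, dport, prefix="0.0.0.0/0"):
        self.filters.setdefault(iface, []).append(
            (proto, dport, ipaddress.ip_network(prefix)))

    def egress_interface(self, dst):
        """Longest prefix wins, so a /32 host route beats 0.0.0.0/0."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def permitted(self, iface, flow):
        dst = ipaddress.ip_address(flow.dst)
        return any(p == flow.proto and d == flow.dport and dst in net
                   for p, d, net in self.filters.get(iface, []))

    def forward(self, flow):
        """Return (interface, accepted). A flow routed onto an interface
        whose filter does not list it is dropped rather than allowed to
        spill onto a link reserved for other traffic."""
        iface = self.egress_interface(flow.dst)
        if iface is None:
            return None, False
        return iface, self.permitted(iface, flow)


def three_link_router():
    """The consultant's design: default route on the mail link, a static
    route to the ISP cache on the surfing link, a static route to the
    bank's network on the banking link. Addresses are assumptions."""
    r = MultiLinkRouter()
    r.add_route("0.0.0.0/0", "mail_link")                 # e-mail may go anywhere
    r.add_route("203.0.113.10/32", "surf_link")           # ISP caching box
    r.add_route("198.51.100.0/24", "bank_link")           # bank's network
    r.allow("mail_link", "tcp", 25)                       # SMTP only
    r.allow("surf_link", "tcp", 8080, "203.0.113.10/32")  # proxy to the cache
    r.allow("bank_link", "tcp", 443, "198.51.100.0/24")   # HTTPS to the bank
    return r


def scenario_a_router(mail_relay):
    """Scenario A: default route over the 'http' link, a host route to the
    provider's mail relay over the 'nonhttp' link."""
    r = MultiLinkRouter()
    r.add_route("0.0.0.0/0", "http")
    r.add_route(mail_relay + "/32", "nonhttp")
    r.allow("http", "tcp", 80)
    r.allow("http", "tcp", 443)
    r.allow("nonhttp", "tcp", 25, mail_relay + "/32")
    return r


def spillover(router, flows):
    """Flows that would leave on an interface whose filter rejects them:
    the traffic the per-interface firewalling exists to stop."""
    return [f for f in flows if not router.forward(f)[1]]


if __name__ == "__main__":
    r = three_link_router()
    for f in (Flow("192.0.2.25", "tcp", 25), Flow("192.0.2.80", "tcp", 80),
              Flow("203.0.113.10", "tcp", 8080), Flow("198.51.100.7", "tcp", 443)):
        print(f, "->", r.forward(f))
    a = scenario_a_router("192.0.2.25")
    # Relay moved one address: the host route no longer matches, mail takes
    # the default link and the 'http' filter drops it.
    print("relay moved:", a.forward(Flow("192.0.2.26", "tcp", 25)))
```

The `spillover` check is the test to run after any change: a flow that lands on the wrong link is either carried there (if the filter is too loose) or dropped (if it is tight), and the second case is the one to expect when a provider renumbers a relay or proxy that a host route pins. On the BorderManager side the equivalent review is the static route list against the packet filters on each public interface.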
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com