Posted: 17 Jun 1999
Secure, Fast, Site Implementation of GroupWise WebAccess
If there's one thing that proves that we at Novell believe in our products, it's the fact that we use them, way before they ship, for everything, from simple file and print, to mission critical collaboration. And Cool Solutions readers are constantly clamoring for more info about how we implement our own products. So we went to IS&T, the people whose job it is to take early version software and make it work on the networks of one of the biggest software companies in the world (Novell, of course).
Access to information anytime, from anyplace is what Novell GroupWise is about. Protecting and accelerating information to and from your network, through the internet, is what Novell BorderManager is all about. Combined, these two products offer compelling solutions for IT professionals and their need to discreetly open their GroupWise system for access from outside their local networks.
Now, all that is well and good, but what might be more important than just telling you how great the products are, would be telling you how we install and use them ourselves. Bear in mind that Novell is a large international company, and due to various international concerns, sometimes we use an older version of a product.
The first step to implementing GroupWise WebAccess was to open specific ports from the Internet to a specific IP address at the border (the area between the inner and outer firewalls). We also opened a specific port in the inner firewall for traffic between two specific IP addresses, one within the border and one inside the inner firewall. And to make this solution truly cool, we have a hole through the firewall from a specific IP to a specific IP on a specific port. We can point our remote GW client to gmail.novell.com, connect to the POA, and then the MTA passes the info through the firewall to the corporate system. In other words, Novell employees can use this system to use Remote GroupWise from anywhere (really) on the Internet. Now that's cool.
We placed a Compaq Proliant 2500 (128 Mb RAM and 2 Gigabytes disk capacity) in the border, then installed NetWare 4.11 (we've since upgraded this to NetWare 5) in a new and separate tree, along with Netscape Enterprise Server 3 and BorderManager. And to top it off, we created an entry in DNS for GMAIL.NOVELL.COM that pointed to the IP address assigned to this machine.
Inside the firewall we placed a Compaq Proliant 5000 (256 Mb of RAM and 9 Gig disk capacity) and installed NT 4.0 Server (about to be upgraded to NetWare 5), GroupWise WebAccess, and Netscape Enterprise Server. We requested a Digital ID for GMAIL.NOVELL.COM (catchy, don't you think?) from Verisign, Inc. and installed it on the machine, enabling the Secure Sockets Layer (SSL). As an additional measure of security, we created a generic user account and password in the Netscape Enterprise Server and allowed HTTP access for only that user. Unfortunately, this requires one extra hoop for users to jump through to log in (in the form of an additional user name and password dialog box), but the additional security it provides seems well worth it.
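The two-firewall layout above (Internet to one border host on specific ports, then one border IP to one inner IP on one port) is the kind of policy worth checking mechanically. This is an added example, not Novell's configuration; every address and port in it is constructed, since the article names none.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses and ports for illustration only; the article names none of them.
BORDER_NET = ip_network("192.0.2.0/24")      # segment between the outer and inner firewall
INNER_NET = ip_network("10.10.0.0/16")       # corporate network behind the inner firewall
BORDER_HOST = ip_address("192.0.2.10")       # gmail.novell.com: BorderManager + Netscape ES
INNER_WEBACCESS = ip_address("10.10.5.20")   # GroupWise WebAccess + Netscape ES with SSL
WEBACCESS_PORT = 7205                        # placeholder for the single inner pinhole port

# Each rule is (source network, destination host, TCP port).
# Anything not matched by a rule is dropped (default deny).
OUTER_FW = [
    (ip_network("0.0.0.0/0"), BORDER_HOST, 80),
    (ip_network("0.0.0.0/0"), BORDER_HOST, 443),
]
INNER_FW = [
    # only the border host may reach the inner WebAccess server, on one port
    (ip_network("192.0.2.10/32"), INNER_WEBACCESS, WEBACCESS_PORT),
]


def permitted(ruleset, src, dst, port):
    """True if any rule in the ruleset matches the flow."""
    return any(src in rsrc and dst == rdst and port == rport
               for rsrc, rdst, rport in ruleset)


def decide(src, dst, port):
    """Walk a flow through every firewall on its path; all of them must allow it."""
    src, dst = ip_address(src), ip_address(dst)
    crossings = []
    if src not in BORDER_NET and src not in INNER_NET:
        crossings.append(OUTER_FW)          # arriving from the Internet
    if dst in INNER_NET and src not in INNER_NET:
        crossings.append(INNER_FW)          # crossing the inner firewall
    if not crossings:
        return "allow"                      # same segment, no firewall in the path
    return "allow" if all(permitted(fw, src, dst, port) for fw in crossings) else "deny"
```

Running a few flows through decide() shows that the Internet can reach only the border host on 80/443, and that a direct Internet-to-inner connection is dropped at the outer firewall even though the inner pinhole exists.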
Security was our primary concern in designing our cool WebAccess e-mail system. (Warning: Shameless, yet Well-Deserved Plug Ahead!) BorderManager gave us rock-solid security without compromising flexibility. In short, BorderManager rules.
Our second concern, as is often the case for IS&T professionals, was ease of use for the end user. We didn't want to have one of those hard-to-remember passwords, but we also didn't want to force the users to go through too many steps to get to their mail.
We were able to reconcile these seemingly conflicting objectives by configuring the BorderManager machine to handle a variety of incoming HTTP requests. Regardless of how a web browser hits the BorderManager machine, the requests are redirected to the correct machine within the firewall on the proper port.
Here's an example of a Redirect Meta Tag (a zero-second refresh that sends the browser straight to the target URL):
<meta http-equiv="refresh" content="0; url=http://innerweb.novell.com/index/general.html">
WebAccess Architectural Implementation
We went with the tried and true Hub and Spoke architecture for the WebAccess design for two main reasons:
- Speed (for both internal and external access)
Our testing confirmed that the HTTP link from the browser to the gwwebus process is the slowest link in the chain of processes used to get at the GroupWise data. So we created one access point from the Internet directly off a T3 line (which we love) to maximize the potential speed of the browser-to-gwwebus link. That way we get to use the bandwidth to our myriad field sites (some of which are 56k connections) as efficiently as possible. Another speed benefit (you can't get enough speed benefits) of using a Hub and Spoke architecture is that when users are within the corporate network, they can access their site directly, bypassing the GMail infrastructure. So not only is access quicker for the user, but it also frees up the GMail system for external users. Very slick.
By maintaining one hub as the Internet access point, only one set of WebAccess HTML pages needs to be maintained, which anyone would admit is cool, security can be monitored more closely, which any propeller head would admit is cool, and field operations personnel are freed from managing links and Internet connectivity, which probably only they think is cool.
NOTE: For this system to work, the encryption key (defined in the NWAdmin GroupWise Snap-in) for the spoke machines must be identical to the encryption key on the hub machine. Without this, the interfacing processes will be unable to establish a connection and the system will not work. Which, anyone will admit, is definitely not cool.
The Bottom Line
This design currently serves approximately 7000 users dispersed among 40 sites in North and South America and 22 sites throughout the rest of the world. The links to these sites range from 56k Frame Relay to dedicated T1 lines. And it works beautifully.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com