Accessing NetWare 5.1 files from a Browser
Novell Cool Solutions: Trench
By Andreas Bach, Gary Stothers, Grey Canada
Digg This -
Posted: 28 Jun 2001
Version: NetWare 5.1
Our employees wanted access to their files on their server from other office locations or from home (don't we all?).
The requirements for the solution were:
- Low Cost
- NDS eDirectory integrated to simplify administration
- Provided access to our NetWare 5.1 file server's subdirectories
- Matched NetWare file rights if possible for viewing, deleting, etc.
- Easy to use (Browser-based, right?)
- Easy to Implement
- Secure, Encrypted access from anywhere
- Optionally allow uploading as well
- Did I mention inexpensive?
After looking around at solutions based on Virtual Private Networks (VPN), File Transfer Protocol (FTP), and Web Servers (all of which are out there, or we owned already, but don't meet the ease of implementation or cost criteria), I hit upon the idea of letting NetWare 5.1 itself provide the answer.
NetWare 5.1 comes with a web-based Management Portal. As part of that, the engineers at Novell had the brilliance to include a file-access component. To learn more about the NetWare Management Portal, check here in the manual.
To provide easy Browser access to files from inside our network, all I had to do was provide a URL for our users that pointed to the Server, Volume and Subdirectory in the following form:
This does not involve any web servers since port 8008 is the default for the HTTP stack in the NetWare 5.1 Management Portal.
This would take the users directly to the server/volume/subdirectory specified and would ask them to login using their NDS ID and password. The user would need to enter their full-context NDS ID, but could be able to get away with only their short Login ID depending on such factors as being defined in the same container as the server, bindery context etc. The NetWare Management Portal would then grant access to files as appropriate based on the usual NetWare file rights and build HTML pages listing the directory contents. The users couldn't see anything they don't normally have rights to while in the office. The portal even provides an upload button automatically if "write" rights exist in a directory, and has a feature to search text files.
This took all of about 30 minutes to set up and it was "mission accomplished!" for everything except the "Secure, Encrypted access from anywhere" part, but hey it's a great start!
The rest of this article describes how to make this easier to use, handles setting up the Secure Socket Layer (SSL) Encryption for outside access, and using our BorderManager firewall to further increase security.
Making Life Easier
Now that I had a method to provide Browser access to files on our NetWare 5.1 server, I wanted to save my users the effort of having to remember and type in long long URLs for paths users needed regularly. To do this I created a nice two-frame web "Welcome" page with links to the relevant Drive mappings..
When the user clicks on a link in the left pane, the files are listed on the right side of the screen.
(Note: You don't have to do the two-frame web-page thing if you don't want. It's just a nice addition to this solution.)
I then published this on our Intranet, and later when I set up outside access, posted it on our public web server. I also used standard html "mouseovers" to help hide the big ugly URLs, when they pointed their cursors to the links. I also set up a DNS name for the server (files.digitalairlines.com for example).
Locking the Gate
These instructions assume you are running a standard install of NetWare 5.1 with SP3 installed. If SP3 is not out yet, you need NetWare 5.1 and patches SP2/2a and wsock3a.exe
For this server to now be accessed from anywhere in the world, one needs to ensure it has a Public IP address, or be proxied behind a firewall like our BorderManager.
By default, connectivity to the NetWare Management Portal is available only at the first IP address bound to the server's LAN card as viewed in AUTOEXEC.NCF or INETCFG > View Configuration > Protocol Bind Commands. For each additional network card for which Portal access is desired (ie., if you have two NIC's then I mean the Public one), the following server command must be issued. Add this command to the AUTOEXEC.NCF file for each network card where you need SSL encryption.
HTTPBIND XXX.XXX.XXX.XXX /keyfile:"<SSL Certificate Name>"
Replace XXX.XXX.XXX.XXX with the NIC IP address and replace <SSL Server Certificate Name> with the name of a certificate created for the given IP Address. In our case the keyfile was called "SSL CertificateIP".
If the client web browser complains that the name of the site doesn't match the keyfile information, go into ConsoleOne, click on the container the server is in, and create new NDSPKI Key Material object with a name that matches the DNS name for your server (ie., files.digitalairlines.com) and use that.
You can now surf into your site with the encrypted URL:
Notice it's now using secure HTTP, and is on a new port: 8009.
...at Every Border!
So even though this worked, I didn't like the idea of having my server directly accessible from the outside world, so lastly I figured out how to put it behind my BorderManager firewall and use Network Address Translation (NAT). This serves two purposes:
- BorderManager proxies requests for the two-frame Welcome page. ,
- It proxies the NetWare Management Portal-provided file listings.
In my case, the BorderManager box has nothing else running on it. If you have file listings or web servers running there, these instructions may require some adjustment, and see the security info at the end of this article. If you have a different firewall than BorderManager, the steps below should be helpful also.
The first part was easy to implement as BorderManager reverse proxies or "accelerates" HTTP traffic in its sleep! To learn how to set it up see TID 10023055.
The second BorderManager proxy piece involved creating a Generic TCP proxy on a high port (anything from 1024-33000 is recommended), and having it fill from port 8009 on your file server's IP address.
In NWAdmin, I clicked on the Server Properties, went into the BorderManager Setup page and created a Generic TCP proxy with the following properties:
Origin server: your File Server's IP address
Origin port: 8009
Proxy IP: your BorderManager's Public IP address (what all links on the front-end web page point to)
Proxy port: an obscure high port the links point to (say 12345)
With this, the URLs on my page are now of the form:
As I mentioned above, I have few services running on my BorderManager server. If you wish to provide access to the NetWare 5.1 Management Portal on the BorderManager box, (say for file access, or server management), there are some security considerations. I spoke to BorderManager Forum Sysop Craig Johnson who said that the default filter exceptions will automatically allow you to access the NetWare 5.1 Management Portal on the BorderManager server itself, assuming it is listening on a public IP address.
He also mentioned that he runs a web site http://nscsysop.hypermart.net/, that has an article describing all the Security Issues around the NetWare 5.1 Management Portal. His book on configuring BorderManager filter exceptions, referred to on the same site, is also invaluable for all BorderManager users, although there is not a specific example for the NetWare 5.1 Management Portal.
That's all there is to it.
My users now have an clear front end web page to click on, and get or upload only their files. Everything is easy, secure, encrypted, and best of all, this was all FREE!
Pretty cool, eh?
If you have any questions you may contact Gary at email@example.com
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com