Setting Up the Novell IP Gateway

The Novell IP Gateway consists of two circuit-level gateways:

When the Novell IP Gateway is set up to act as a SOCKS server, it can also be used to authenticate SOCKS clients and determine their access to network resources using access control rules stored in the NDS or eDirectory database.

NOTE:  The IPX/IP gateway, IP/IP gateway, and SOCKS services can be enabled to run simultaneously on the same server. This permits Windows clients, as well as SOCKS clients, to access the Internet through the same Novell BorderManager 3.7 server.

All three gateway services are set up using NetWare Administrator. For detailed instructions, refer to the following procedures:


Setting Up the IPX/IP or IP/IP Gateway Service

You can set up the IPX/IP gateway service to support the use of TCP/IP applications by Windows clients that do not have an assigned IP address. You can set up the IP/IP gateway service to support NDS or eDirectory access control for networks whose clients use TCP/IP.

To set up the IPX/IP or IP/IP gateway service:

  1. In NetWare Administrator, select the Novell BorderManager 3.7 Setup page for the server.

  2. Click the Gateway tab.

  3. Under Enable Service, check the IPX/IP Gateway or IP/IP Gateway check box.

  4. (Optional) If you want to assign a different port number for gateway traffic, complete the following substeps to change the gateway service port:

    1. Under Enable Service, double-click the gateway whose service port is to be changed, or highlight the gateway and click Details.

    2. Under Service Attributes, enter a different port number in the Service Port field.

      By default, both gateways use port 8225 (decimal). Although changing the service port is not recommended, if another service is using this port, you can assign a different port number for gateway traffic.

  5. (Optional) If you want to enable single sign-on authentication for the IPX/IP gateway service, check the Single Sign On Authentication check box under Service Attributes.

    Single sign-on authentication enables the IPX/IP gateway to perform a background user authentication if the user has already logged in to NDS or eDirectory. With single sign-on, users are not required to provide a username and password to access resources through the gateway. If single sign-on is not enabled, the Novell IP Gateway software performs a secondary authentication when a user attempts to access resources using the IPX/IP gateway service, regardless of whether the user has already logged in.

    NOTE:  Single sign-on applies to the IPX/IP gateway service only. Single sign-on is ignored when the IP/IP gateway service is used.

  6. Click OK twice to close the Configure Gateway Services window and the Novell BorderManager 3.7 Setup page.

    When you close the Novell BorderManager 3.7 Setup page, the server loads IPXIPGW.NLM, the gateway NLM file, and creates a Gateway Server object in the NDS or eDirectory tree.

Refer to Setting Up Access Control for information about setting up and using access control with the Novell IP Gateway.

IMPORTANT:  Access control rules set up for the Server object using IPX/IP gateway software released before Novell BorderManager 3.7 will no longer operate after you upgrade your server to Novell BorderManager 3.7 and enable the Novell IP Gateway. To take effect, these rules must be set up again for the Server object.


Setting Up the SOCKS 4 or SOCKS 5 Service

If you have SOCKS 4 or SOCKS 5 clients on your network and want to control their access to the Internet through the Novell IP Gateway, you must set up the SOCKS service.

As part of the configuration procedure, you must specify SOCKS 5 authentication parameters, enable SOCKS 4 user verification, or do both if your network has a combination of SOCKS 4 and SOCKS 5 clients.

To set up the SOCKS service on the Novell IP Gateway:

  1. In NetWare Administrator, select the Novell BorderManager 3.7 Setup page for the server.

  2. Select the Gateway tab.

  3. Under Enable Service, check the SOCKS V4 and V5 check box.

  4. (Optional) If you want to assign a different port number for SOCKS traffic, complete the following substeps to change the gateway service port:

    1. Under Enable Service, double-click SOCKS V4 and V5, or highlight SOCKS V4 and V5 and click Details.

    2. In the Service Port field, enter a different port number.

      By default, the SOCKS service uses port 1080 (decimal). Although changing the service port number is not recommended, if another service is using this port, you can assign a different port number for SOCKS traffic.

      IMPORTANT:  If you change the service port number, you must modify the setup of all SOCKS clients to use the new port number.

    3. Click OK to close the Configure SOCKS V4 and V5 window.

  5. Set SOCKS 5 authentication parameters by completing the following substeps:

    1. Under Enable Service, double-click SOCKS V4 and V5, or highlight SOCKS V4 and V5 > click Details.

    2. Under SOCKS V5 Authentication, select any or all of the following authentication schemes (listed in order of lowest to highest priority):

      • None---This option is equivalent to the null authentication option for SOCKS 5 clients. No authentication is required by the Novell IP Gateway.
      • Clear Text User/Password---When the Novell IP Gateway authenticates a user, the user's password is transmitted across the wire in clear text without any encryption. The password is checked against the user's password stored in NDS or eDirectory, but this is not the same as NDS or eDirectory authentication. Because a password transmitted in clear text is insecure, this option should be used only if SSL is also selected to encrypt the password before it is transmitted.
      • NDS or eDirectory User/Password---When the Novell IP Gateway authenticates a user, the user's password is never transmitted across the wire. Instead, similar to the authentication of a Novell client, the password is used to generate a secure key pair. Successive challenge handshakes between the client and the server complete the authentication. An NDS or eDirectory authentication option must be available in the SOCKS client for this authentication scheme to work.
      • SSL---This option requires that an SSL connection be established between the client and the server before the Novell IP Gateway can authenticate a user with any of the other authentication schemes. SSL uses a public key/private key encryption system. Enabling this option also ensures the encryption of all data transmitted between the client and the server.

      IMPORTANT:  If multiple authentication schemes are selected, the Novell IP Gateway uses the highest priority scheme that the client is capable of performing.

      An additional method of authentication is available for SOCKS 5 client users. SOCKS 5 client users can use security devices such as hardware tokens in addition to their NDS or eDirectory password. Login policies defining the authentication rules and access methods required for remote users to authenticate are stored in the NDS or eDirectory Login Policy object. See the Authentication Services online documentation for more information.

      IMPORTANT:  If SSL and access control are both enabled for the Novell IP Gateway, you must also select NDS or eDirectory User/Password or Clear Text User/Password, because the SSL protocol does not perform user authentication for NDS or eDirectory access control.

    3. (Optional) If you selected Clear Text User/Password as an authentication scheme, click Authentication Context > Context > Add > enter the user's default NDS or eDirectory context and tree > click OK.

      Enter a fully distinguished NDS or eDirectory container name (sales.my.org, for example). The NDS or eDirectory container name can have up to 256 characters. This entry is optional and makes logging in easier for users. Users in the specified container can log in by typing only their login names without the complete context string.

    4. (Optional) If you selected SSL as an authentication scheme, use the Key ID pull-down menu to select from a list of available files.

      NOTE:  A key ID file is available only after you create a KMO in NDS or eDirectory for the server using NetWare Administrator. For more information about how to create a KMO, refer to the PKI online help in NetWare Administrator or the PKI information located in the NetWare online documentation.

    5. (Optional) Enable single sign-on for SOCKS 5 clients by checking the Single Sign On check box under SOCKS V5 Authentication.

      This option is provided for clients that use both the Novell Client for Windows and a third-party SOCKS 5 client on the same workstation. If a user has already authenticated to NDS or eDirectory by logging in from a Novell client and attempts to use a SOCKS 5 client to access the Internet through the Novell IP Gateway, the gateway does not authenticate the user again.

      For single sign-on to occur, the client machine must be running CLNTRUST.EXE and DWNTRUST.EXE. For more information about these files, refer to Setting Up Gateway Clients.

      NOTE:  If single sign-on is enabled but the user has not logged in to NDS or eDirectory or is limited to the use of a SOCKS 5 client, the gateway will authenticate the user with one of the authentication schemes. If single sign-on fails and no authentication scheme has been selected, the user's connection is dropped.

    6. Click OK to close the Configure SOCKS V4 and V5 window.

  6. Enable SOCKS 4 user verification by completing the following substeps:

    1. Under Enable Service, double-click SOCKS V4 and V5, or highlight SOCKS V4 and V5 > click Details.

    2. Check the check box for SOCKS V4 User Verification.

      SOCKS 4 user verification requires the Novell IP Gateway to verify that the user exists in NDS or eDirectory, but the gateway does not authenticate the user. The user does not need to provide a password to gain access to the Internet through the gateway.

    3. Click OK to close the Configure SOCKS V4 and V5 window.

  7. Click OK to close the Novell BorderManager 3.7 Setup page.
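The scheme priority rule in step 5 (the gateway uses the highest-priority scheme the client can perform, and drops the connection when nothing acceptable remains) is the SOCKS 5 method negotiation of RFC 1928 applied to the four check boxes. The following Python is an added illustration written for this page, not Novell's gateway code: it parses a client greeting, picks the method by the page's priority order, and flags the two configuration mistakes the notes warn about (clear text without SSL; SSL without a user-identifying scheme when access control is on). Method numbers 0x00, 0x02 and 0xFF are from RFC 1928/1929; the values used here for SSL (0x06) and NDS authentication (0x07) are assumed to be the IANA-registered numbers and are not taken from this documentation.

```python
"""SOCKS 5 method negotiation with the scheme priority described above.
Added example for this page; not Novell BorderManager code."""
from __future__ import annotations

# SOCKS 5 method numbers. 0x00, 0x02 and 0xFF are defined by RFC 1928 / RFC 1929;
# 0x06 (SSL) and 0x07 (NDS authentication) are assumed IANA-registered values,
# not numbers taken from the BorderManager documentation.
METHOD_NONE = 0x00
METHOD_USERPASS = 0x02
METHOD_SSL = 0x06
METHOD_NDS = 0x07
METHOD_NO_ACCEPTABLE = 0xFF

# Scheme names as shown in the Configure SOCKS V4 and V5 window,
# in the order the page lists them: lowest to highest priority.
SCHEME_PRIORITY = [
    "None",
    "Clear Text User/Password",
    "NDS or eDirectory User/Password",
    "SSL",
]
SCHEME_TO_METHOD = {
    "None": METHOD_NONE,
    "Clear Text User/Password": METHOD_USERPASS,
    "NDS or eDirectory User/Password": METHOD_NDS,
    "SSL": METHOD_SSL,
}


def validate_config(enabled: set[str], access_control: bool) -> list[str]:
    """Return the configuration warnings implied by the notes in step 5."""
    warnings: list[str] = []
    if "Clear Text User/Password" in enabled and "SSL" not in enabled:
        warnings.append("Clear Text User/Password without SSL: password crosses the wire unencrypted")
    user_schemes = {"NDS or eDirectory User/Password", "Clear Text User/Password"}
    if access_control and "SSL" in enabled and not (enabled & user_schemes):
        warnings.append("SSL alone does not identify the user; add NDS or Clear Text User/Password for access control")
    return warnings


def parse_greeting(data: bytes) -> list[int]:
    """Parse the client greeting: VER, NMETHODS, then NMETHODS method bytes."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError("not a SOCKS 5 greeting")
    nmethods = data[1]
    if len(data) != 2 + nmethods:
        raise ValueError("NMETHODS does not match the number of method bytes")
    return list(data[2:])


def select_method(enabled: set[str], offered: list[int]) -> int:
    """Highest-priority enabled scheme the client offered, else 0xFF (no acceptable method)."""
    for scheme in reversed(SCHEME_PRIORITY):
        method = SCHEME_TO_METHOD[scheme]
        if scheme in enabled and method in offered:
            return method
    return METHOD_NO_ACCEPTABLE


def negotiate(enabled: set[str], greeting: bytes) -> bytes:
    """Two-byte server reply (VER, METHOD). A 0xFF reply means the client is dropped."""
    return bytes([0x05, select_method(enabled, parse_greeting(greeting))])


if __name__ == "__main__":
    # Constructed greeting: a client offering only no-auth (0x00) and user/password (0x02).
    greeting = b"\x05\x02\x00\x02"
    print(negotiate({"None", "Clear Text User/Password", "SSL"}, greeting).hex())  # 0502
    print(negotiate(set(), greeting).hex())  # 05ff: no scheme selected, connection dropped
    for w in validate_config({"Clear Text User/Password"}, access_control=False):
        print("warning:", w)
```

With no scheme checked, every greeting yields 0xFF, which is the "connection is dropped" outcome the single sign-on note describes; with the SSL box checked alone, a client that cannot do SSL gets the same answer even if it offers user/password, because only enabled schemes are considered.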

Refer to Setting Up Access Control for information about setting up and using access control with the Novell IP Gateway.

NOTE:  NDS or eDirectory-based access rules for SOCKS clients can restrict access to sites only, not to specific URLs. For content filtering, use SurfControl* installed on the Novell BorderManager 3.7 server.
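SOCKS 4 user verification (step 6) differs from the SOCKS 5 schemes in that the client request carries only a user ID and no password, so the gateway can at most confirm that the named user exists. The following Python is an added illustration for this page, not Novell code: it parses a SOCKS 4 CONNECT request (VN, CD, DSTPORT, DSTIP, NUL-terminated USERID), looks the user ID up in a constructed stand-in for the directory, and builds the 8-byte reply. Reply codes 90 (granted) and 91 (rejected) are the standard SOCKS 4 values; the user set is constructed sample data.

```python
"""SOCKS 4 request parsing with existence-only user verification.
Added example for this page; not Novell BorderManager code."""
from __future__ import annotations
import struct
from dataclasses import dataclass

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90    # request granted
REPLY_REJECTED = 91   # request rejected or failed

# Constructed sample data standing in for the user objects the gateway
# would look up in NDS or eDirectory.
KNOWN_USERS = {"jsmith", "admin"}


@dataclass
class Socks4Request:
    command: int
    dst_port: int
    dst_ip: str
    userid: str


def parse_socks4_request(data: bytes) -> Socks4Request:
    """Parse VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID(...) NUL."""
    if len(data) < 9:
        raise ValueError("SOCKS 4 request too short")
    vn, cd, port = struct.unpack("!BBH", data[:4])
    if vn != SOCKS4_VERSION:
        raise ValueError(f"unexpected version byte {vn}")
    ip = ".".join(str(b) for b in data[4:8])
    end = data.find(b"\x00", 8)
    if end == -1:
        raise ValueError("USERID is not NUL-terminated")
    userid = data[8:end].decode("ascii")
    return Socks4Request(cd, port, ip, userid)


def verify_user(req: Socks4Request, known_users: set[str] = KNOWN_USERS) -> int:
    """Existence check only: no password is presented or checked, as the page states."""
    return REPLY_GRANTED if req.userid in known_users else REPLY_REJECTED


def socks4_reply(code: int, req: Socks4Request) -> bytes:
    """Reply: VN(0) CD(code) DSTPORT DSTIP, echoing the requested destination."""
    ip_bytes = bytes(int(octet) for octet in req.dst_ip.split("."))
    return struct.pack("!BBH", 0, code, req.dst_port) + ip_bytes


def handle(data: bytes, known_users: set[str] = KNOWN_USERS) -> bytes:
    req = parse_socks4_request(data)
    return socks4_reply(verify_user(req, known_users), req)


if __name__ == "__main__":
    # Constructed request: CONNECT to 192.168.1.10:80 as user "jsmith".
    sample = b"\x04\x01\x00\x50\xc0\xa8\x01\x0a" + b"jsmith\x00"
    print(handle(sample).hex())  # 005a0050c0a8010a (90 = granted)
    print(handle(sample.replace(b"jsmith", b"mallory")).hex())  # 005b0050c0a8010a (91 = rejected)
```

Because the user ID is asserted by the client and never proven, a granted SOCKS 4 reply says only that the name is known; any access rule keyed to that name is only as strong as the client's honesty, which is why the page pairs SOCKS 4 verification with the authenticated SOCKS 5 schemes where clients support them.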
