Overview of Circuit-Level Address Translation

The Novell IP Gateway and NAT are explained in the following sections:

To access the Internet, each host must use a globally unique (registered) IP address obtained from an Internet Service Provider (ISP) or from an Internet address registry, such as the Internet Assigned Numbers Authority (IANA). Unless you are requesting a large range of addresses, an ISP should be able to accommodate your addressing needs.

Nevertheless, because obtaining registered IP addresses for every host on your network can be costly or impractical, you can avoid assigning a registered address to each host on your private network by using either of the two circuit-level solutions provided with the Novell BorderManager® 3.7 software: the Novell IP Gateway and NAT.

The Novell IP Gateway and NAT are considered circuit-level solutions because they can establish connections to the Internet using registered IP addresses on behalf of multiple hosts on your private network that have not been assigned registered IP addresses. The original circuit (or connection) from a host is terminated at the gateway or NAT interface, and the gateway or NAT interface establishes the actual connection to the Internet for that host. Therefore, multiple hosts can share the same registered IP address if it is assigned to the Novell IP Gateway or NAT interface, and the IP addresses of your private network are essentially hidden from the Internet.


Novell IP Gateway

This section describes how the Novell IP Gateway functions and the clients that are supported. Additional information is also provided about

The Novell IP Gateway forwards requests from private Windows* clients to various Internet resources. In the process, the gateway uses a registered IP address in place of the client's private Internetwork Packet Exchange™ (IPX™) address or IP address to communicate with the Internet resource. This address substitution enables clients to access the Internet without changing their private addresses and effectively hides the addresses of your private network from the Internet.

NOTE:  Windows clients that are supported by the Novell IP Gateway include Windows 98, 2000, NT, XP and Me.

SOCKS 4 and SOCKS 5 clients are also supported by the Novell IP Gateway. This service enables any SOCKS client to use the Novell IP Gateway as a default gateway to the Internet.

The Novell IP Gateway implements user access control by leveraging the information stored in the NDS® or Novell eDirectory™ database to manage connectivity to the Internet. Access control based on NDS or eDirectory can be used to prevent specified users from accessing the Internet, or it can be used to prevent users from accessing specified sites or services on the Internet. You can create eDirectory User objects for users of SOCKS applications so the Novell IP Gateway can control the destinations or services that SOCKS users access through the gateway at any given time.

Using NetWare Administrator to configure and monitor the Novell IP Gateway, you can restrict TCP or UDP traffic to specified ports and IP addresses, change the gateway service port, monitor gateway use, examine the gateway server log, and gather statistics related to gateway usage over a specific period of time.

Both Windows-based Novell clients using IPX or IP and SOCKS clients can access the Internet (or other TCP/IP networks) through the Novell IP Gateway. The reason is that the Novell IP Gateway can provide any or all of the following three services:

Which service you enable depends on whether your network supports Windows IPX clients, Windows IP clients, Windows or non-Windows SOCKS clients, or some combination of these clients. The specific requirements of your security policy should also be considered.


Selective Use of the Novell IP Gateway by Clients

A Novell IP Gateway that has been enabled for a network does not have to be used by all clients on that network. The Windows client interface allows a user to enable and disable the client's ability to use the Novell IP Gateway. Each client's use of the gateway can be enabled independent from other clients on the network. However, when the client's setting is changed, the workstation must be restarted for the change to take effect. SOCKS client configuration typically requires the IP address or DNS hostname of the Novell IP Gateway server to direct the client to use the Novell IP Gateway. The SOCKS client's ability to use the Novell IP Gateway is disabled by removing that information from its configuration parameters.

For the procedure to enable and disable Novell IP Gateway use from a client, refer to the Novell IP Gateway and NAT online documentation.


Transparent Proxy for Novell IP Gateway Clients

Novell IP Gateway clients have a gateway client transparent proxy feature enabled by default. After a user logs in to eDirectory, the gateway client immediately locates all proxy servers the user has permission to access. During a subsequent browser session, the gateway client intercepts the HTTP packets using TCP/IP port 80 and sends them directly to the first HTTP proxy it found in eDirectory instead of to the Novell IP Gateway. Because this feature is built into the Novell Client's gateway component, no additional configuration is required by an administrator.

NOTE:  Do not confuse the gateway client transparent proxy feature with the transparent proxy feature for HTTP proxy. The transparent proxy feature for HTTP proxy requires an administrator to enable this feature from NetWare Administrator. When the transparent proxy is enabled for HTTP proxy, TCPIP.NLM running on the Novell BorderManager 3.7 server intercepts HTTP packets sent from a workstation's browser and directs them to the HTTP proxy running on the same server. The browser does not have to be configured to use a manual proxy. However, the proxy server must be in the workstation's IP routing path.

For more information about HTTP Transparent proxy, refer to Proxy Services Overview and Planning.


Single Sign-On for Novell IP Gateway Clients

Clients using the IPX/IP gateway or SOCKS 5 services can take advantage of single sign-on authentication. The IP/IP gateway service does not support single sign-on authentication.

Single sign-on authentication enables clients to log in to eDirectory only once to use the IPX/IP gateway or SOCKS 5 service. If a user is already logged in to eDirectory and attempts to access resources through the Novell IP Gateway, eDirectory authentication by the gateway is performed in the background. Without single sign-on, users are presented with a username and password dialog box each time they establish a new gateway connection.

For single sign-on to work, the following conditions must be met:

Single sign-on occurs on port 3024 on the server. If single sign-on has been enabled on the same Novell BorderManager 3.7 server for both the Novell IP Gateway and Proxy Services, only one background authentication is required for a user to use both services. The reason is that port 3024 is a shared port.

IMPORTANT:  For single sign-on to work, packet filtering firewalls in the routing path between a gateway or proxy client and a Novell BorderManager 3.7 server must allow packets designated for port 3024 to pass through.

For the procedure to enable single sign-on for Novell IP Gateway clients, refer to the Novell IP Gateway and NAT online documentation. For the procedure to enable single sign-on for proxy authentication, refer to the Proxy Services online documentation.


NAT

NAT translates private IP addresses to registered IP addresses. This address translation has benefits similar to those of the Novell IP Gateway. NAT enables private clients to access the Internet without the reconfiguration of their private addresses while it hides the addresses of the private network from the Internet.

However, NAT does not require Windows or a Novell Client for Windows. Because NAT operates on a network router interface, the interface's address translation capability can be used by network hosts running any platform, including Windows, Macintosh, UNIX, and OS/2. If these hosts send their TCP/IP packets through the NAT interface, their private source IP addresses do not appear in the packet headers that are forwarded to the Internet.

In addition to address translation, NAT can be used to provide other benefits, such as packet filtering based on IP address for enhanced network security. When a network interface is configured to use NAT in any of the three modes of operation, as described in Selecting a NAT Mode of Operation, each TCP/IP packet that reaches the interface is examined for its source or destination IP address. For more information about how NAT filters packets based on source and destination addresses, refer to Filtering Rules.
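The many-to-one behaviour described in this section and in the circuit-level overview above, modelled as a small translation table. This is an added illustration, not Novell code, and it does not model BorderManager's own NAT modes or filtering rules; the registered address, private addresses and ports are constructed sample values.

```python
# Added illustration (not Novell code): a minimal many-to-one NAT table.
# Several private hosts share one registered address on the NAT interface;
# replies are mapped back by the port the NAT interface allocated, and
# inbound packets with no matching entry are dropped, so private hosts
# stay hidden from the Internet. All addresses here are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, registered_ip, first_port=40000):
        self.registered_ip = registered_ip   # assumed registered address on the NAT interface
        self.next_port = first_port          # next free port on the registered address
        self.out = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> allocated port
        self.back = {}  # (allocated port, dst_ip, dst_port) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Private -> Internet: replace the private source with the registered address."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.out.get(key)
        if port is None:
            # First packet of this flow: allocate a port and record both directions.
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.registered_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Internet -> private: only replies to an existing translation get through."""
        if pkt.dst_ip != self.registered_ip:
            return None
        priv = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if priv is None:
            return None   # unsolicited packet: no table entry, nothing is forwarded
        return Packet(pkt.src_ip, pkt.src_port, priv[0], priv[1])
```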


Whether to Use the Novell IP Gateway or NAT

Because the Novell IP Gateway and NAT have similar functionality, you must determine whether to use one solution or the other.

The Novell IP Gateway might be a better choice if the following conditions exist:

NAT might be a better choice if the following conditions exist:

NOTE:  Although you might have additional reasons to use one solution instead of the other, you might also experience situations in which you would want to implement both solutions on your network.


