Novell Documentation: Novell BorderManager 3.7 - Novell IP Gateway Configuration Options and Limitations

Novell IP Gateway Configuration Options and Limitations

The Novell IP Gateway configuration options and limitations are described in the following sections:

Specifying the Preferred Gateway Server for Clients

Specifying DNS Servers

As part of the gateway server's configuration, you must provide a valid Domain Name System (DNS) domain name and the IP address of at least one DNS name server. The gateway server uses DNS to resolve IP hostnames on behalf of gateway clients on your private network.

NOTE: If a DNS name server was specified during Novell BorderManager 3.7 product installation, this requirement has already been satisfied.

Specifying the Preferred Gateway Server for Clients

The gateway client, which maintains a control connection between the client and the gateway server, attempts to connect to a preferred gateway server if one is configured. If the specified gateway server is not available, the gateway client searches for the following:

A Novell BorderManager 3.7 server running the IP/IP gateway service--- Starting in both the preferred gateway server's context and the user's context, the gateway client software searches downward in the eDirectory tree for a gateway Server object.

A Novell BorderManager 3.7 server running the IPX/IP gateway service---Starting in both the preferred gateway server's context and the user's context, the gateway client software searches downward in the eDirectory tree for a gateway Server object.

A Novell BorderManager 3.7 server running the IPX/IP gateway service---To locate the gateway server, the gateway client searches the bindery of the server to which the client is attached.

A Novell BorderManager 3.7 server in any NDS or eDirectory context running the IPX/IP gateway service---To locate the gateway server, the gateway client uses the Service Advertising Protocol (SAP).

Configuring a preferred gateway server usually reduces the amount of time required for the client to connect to the gateway server.

NOTE: If a preferred gateway server is specified for a client and a user who is not logged in to eDirectory attempts to run WinSock applications, the gateway client does not send the client's WinSock requests to the Novell IP Gateway until the user logs in.

Supporting SOCKS Clients

The Novell IP Gateway supports both SOCKS 4 and SOCKS 5 clients. Before you configure the gateway's SOCKS service, you should determine the versions of SOCKS clients that need access to the Internet through the gateway.

The SOCKS 4 protocol was created to allow users of TCP/IP applications transparent access to the Internet through a SOCKS 4 firewall. However, SOCKS 4 does not support authentication, which is a required security component for a firewall solution. SOCKS 5 enhances SOCKS 4 by providing strong authentication methods.

SOCKS 4 Clients

If you need to support SOCKS 4 clients but not SOCKS 5 clients, you do not need to configure an authentication scheme for the Novell IP Gateway because SOCKS 4 does not support user authentication. You can allow SOCKS 4 users on your network to access to the Internet through the gateway by doing the following:

Enabling the SOCKS 4 and SOCKS 5 service

Creating a User object in eDirectory for each SOCKS 4 user

Adding the User objects to the gateway server's users list

Enabling SOCKS 4 user verification

For the configuration procedures for these tasks, refer to the Novell IP Gateway and NAT online documentation.

SOCKS 5 Clients

If your network has SOCKS 5 clients, you can configure the gateway to authenticate these users before they can access the Internet through the gateway. If some SOCKS 5 users also use a Novell Client^TM, you can also enable single sign-on. This allows the gateway to perform SOCKS 5 authentication in the background if the user is already logged in to NDS or eDirectory with the Novell Client software. With single sign-on, the user is not aware that the authentication is occurring in the background because a prompt for a username and password does not appear. An option for no authentication is also available, allowing SOCKS 5 users to use the gateway without restriction.

You can allow SOCKS 5 users on your network to access the Internet through the gateway by doing the following:

Enabling the SOCKS 4 and SOCKS 5 service

Selecting an authentication scheme

Creating a User object in eDirectory for each SOCKS 5 user (not required when authentication is disabled)

Adding the User objects to the gateway server's users list (not required when authentication is disabled)

(Optional) Enabling single sign-on

For the configuration procedures for these tasks, refer to the Novell IP Gateway and NAT online documentation.

The following SOCKS 5 authentication options are supported:

NDS or eDirectory User/Password---A component within the SOCKS 5 client enables the client to authenticate the user in NDS or eDirectory without sending the password across the wire.

Clear Text User/Password---The user password is sent across the wire in plain, unencrypted text.

None---No user authentication is required.

IMPORTANT: If multiple authentication methods are selected, the client uses the strongest authentication method it is capable of using. NDS or eDirectory User/Password is the strongest method, followed by Clear Text User/Password and None. If you plan to implement access control for SOCKS 5 clients, you cannot select None.

Additional authentication options are available, but they do not constitute valid eDirectory authentication options by themselves. These options are as follows:

Secure Sockets Layer (SSL)---Requires that a secure connection be established between the client and the server before Novell IP Gateway eDirectory authentication can occur and encrypts all data exchanged between the client and the server.

Single Sign On---Enables the Novell IP Gateway to perform user authentication in the background if a user is already authenticated in eDirectory with the Novell Client software.

You should select authentication options that are consistent with your organization's security policy. Refer to the following table for a few configuration examples of SOCKS 5 authentication.

Authentication Schemes Selected	Result
eDirectory User/Password Single Sign On	Because single sign-on has been selected, all users already logged in to eDirectory with a Novell Client are not required to provide a username and password to have access through the gateway using a SOCKS 5 client. If a user is not already authenticated and the SOCKS 5 client supports eDirectory authentication, the challenge/response method is used to authenticate the user in eDirectory. The user password is never sent across the wire.
Clear Text User/Password SSL Single Sign On	Because single sign-on has been selected, all users already logged in to eDirectory with a Novell Client have automatic access through the gateway with a SOCKS 5 client. However, because SSL has been selected, an SSL connection must be established before data can be exchanged. If a user is not already authenticated, the Novell Client establishes an SSL connection to the server. The user's clear text password is encrypted at the client workstation using the SSL public and private key pairs before being sent to the server. After authentication, all data is also encrypted before being sent.
None	No authentication is required to use the gateway. Any SOCKS 5 client can access the Internet through the gateway.

Authentication Schemes Selected

Result

eDirectory User/Password

Single Sign On

Because single sign-on has been selected, all users already logged in to eDirectory with a Novell Client are not required to provide a username and password to have access through the gateway using a SOCKS 5 client.

If a user is not already authenticated and the SOCKS 5 client supports eDirectory authentication, the challenge/response method is used to authenticate the user in eDirectory. The user password is never sent across the wire.

Clear Text User/Password

SSL

Single Sign On

Because single sign-on has been selected, all users already logged in to eDirectory with a Novell Client have automatic access through the gateway with a SOCKS 5 client. However, because SSL has been selected, an SSL connection must be established before data can be exchanged.

If a user is not already authenticated, the Novell Client establishes an SSL connection to the server. The user's clear text password is encrypted at the client workstation using the SSL public and private key pairs before being sent to the server. After authentication, all data is also encrypted before being sent.

None

No authentication is required to use the gateway. Any SOCKS 5 client can access the Internet through the gateway.

Proxy as a SOCKS Client

You can also configure the Novell BorderManager 3.7 proxy server as a SOCKS client to the Novell IP Gateway. In this scenario, the proxy server does not connect directly to the Internet to contact an origin server; instead, it sends requests to the Novell IP Gateway which serves as a firewall to the Internet. The proxy server and Novell IP Gateway can be configured on the same physical server.

For more information about configuring the proxy as a SOCKS client, refer to the Proxy Services online documentation.

Using Access Control

When you use the Novell IP Gateway, all TCP and UDP traffic is funneled through one or more gateway servers. Novell IP Gateways can have complete control over user access to Internet resources. Access control information is stored in eDirectory and can be configured only by the administrator (or a user with administrative rights) using the NetWare Administrator utility. You can restrict access by TCP port (Web, FTP, Telnet, and so on), UDP port, or IP host address. You can also limit access to certain ports and IP addresses to a specific time of day. Note that access control restricts access to TCP/IP networks and services, not to directories or files on the Novell BorderManager 3.7 server running the Novell IP Gateway software.

You can specify the access control information for the Novell IP Gateway at different object levels in eDirectory: Server, Organizational Unit, Organization, or Country.

Novell IP Gateway Limitations

The Novell IP Gateway has the following limitations:

Only Windows 98, 2000, NT, XP and Me clients are supported.

Virtual Loadable Module^TM (VLM^TM) clients are not supported. Secure Sockets Layer (SSL) sessions are not supported by the IP/IP or IPX/IP gateway services. Not all WinSock applications work with all Windows clients that the Novell IP Gateway supports.