Novell BorderManager 3.9 Readme

April 5, 2007

1.0 Introduction

Novell® BorderManager® is a premier firewall and VPN technology to enable secure identity management solutions. With its powerful directory-integrated features, you can control, accelerate, and monitor your users' Internet activities. Because Novell BorderManager leverages identity-based access control and forward proxies, you can safeguard your network against undesirable Internet content while maintaining exceptional performance levels.

Novell BorderManager also integrates IPSec-based VPN services and an ICSA Labs-certified firewall to ensure that your network is protected and your users are productive.

This document provides a brief overview of the new components and features for Novell BorderManager 3.9. It also lists the known issues and limitations with this release.

2.0 What’s New

Following is the list of new features for the Novell BorderManager 3.9 release:

2.1 New Administration Interface for the Proxy

With the Novell BorderManager 3.9 release, Proxy configuration can be done through iManager.

2.2 FTP Proxy Configuration in Active Mode

With this release, the Novell BorderManager FTP proxy can connect to the origin FTP server in active mode.

2.3 Terminal Server and Session Failover Configuration Through iManager

The terminal server and session failover configuration is no longer done in the proxy.cfg file. You can now configure them using iManager.

2.4 Backup and Restore Functionality for Proxy and Access Rules Configuration

With this release, the proxy and Access Rules configuration files can be backed up and later restored from the backed-up copy. To back up the proxy or Access Rules configuration, click Back Up on the Proxy Services page or the Access Rules page respectively. To restore a backed-up configuration, click Restore on the BorderManager proxy selection page, then browse to and select the backed-up file.

2.5 Rule Hit Logs Accessible Through Novell Audit

When configuring the access control rules, you can enable the Rule Hit Logging option. When selected, this option logs access attempts associated with the rule. These logs can be accessed through the Secure Logging server of Novell Audit.

2.6 New Look and Feel for VPN Administration Interface

The Novell BorderManager 3.9 VPN Administration interface comes with a new look and feel.

2.7 Pre-shared Key Support for VPN Site-to-Site Between Novell BorderManager Servers

Novell BorderManager 3.9 supports pre-shared key as a mode of establishing the VPN tunnels between two site-to-site members.

2.8 VPN Client for Linux

With this release, Novell BorderManager provides a VPN client for the Linux* platform. The VPN client runs on SUSE Linux Enterprise Desktop (SLED) 10 with the NDS NMAS method of authentication.

3.0 System Requirements

  • NetWare 6.5 SP 6.

4.0 Components and Features

This release provides the following components and features:

4.1 Install

The install for this release includes the following:

  • The VPN schema extension is done using NWCONFIG.

  • Auto-installation of the Proxy, Access Control List, Firewall, and VPN Configuration plug-ins for iManager 2.6 on NetWare® 6.5 SP 6.

  • A facility is included for creating traditional volumes to use for caching on NetWare 6.5.

  • Support for Proxy, Access Control List, Firewall, and VPN migration is included to enable upgrading from Novell BorderManager 3.8.

  • Option to recover from a failed install.

  • VPN packet filters have been added for upgrades.

  • An Install Summary describing major steps of the installation is output to the following file: sys:ni\data\NBM_Instlog.csv

4.2 Configuration Using iManager

You can configure the following services through iManager:

  • Proxy

  • Access Control List

  • Firewall services

  • VPN server

  • Client-to-Site service

  • Site-to-Site service

iManager 2.6 is supported for this release. The servers can be configured from any workstation with Internet Explorer 5.5, 6.0, or later. This provides ease of use and a much greater ability to set traffic and authentication rules.

The following features are implemented for this release:

4.3 Enhancements to the Proxy

A number of changes have been made to the Novell BorderManager proxy.

  • Session Failover

  • FTP proxy configuration in active mode

4.4 Client-to-Site Service

The client-to-site service supports granular policies to access private resources. The features supported are:

  • IKE and PSK for key management.

  • The NMAS LDAP method is used by Novell BorderManager 3.9 to authenticate the user to the remote authoritative (LDAP) directory.

  • X.509 Certificate mode of authentication.

  • Novell BorderManager 3.9 VPN supports Novell Modular Authentication Services (NMAS) for the client-to-site service. In addition to the certificate mode of authentication with IKE, the VPN client and server can authenticate using NMAS methods. The eDirectory (NDS®) sequence enables a user to authenticate to the VPN authentication gateway with the eDirectory password. Novell BorderManager 3.9 requires NMAS 3.1.2 to be installed on the server and NMAS 2.2.4 or later on the client. The required NMAS methods must be installed and configured on both the client and the server.

  • You can perform VPN authentication using a pre-shared key configured in the VPN server. In this mode, the default encrypt rule is pushed to the client.

  • Aggressive mode is supported for the IKE SA/Phase 1 negotiation.

  • Changes to traffic rules include the following:

    • UDP Traffic: The UDP port number is no longer needed. The user needs to specify only the TCP port number.

    • Third-Party Connectivity: Different kinds of clients can now connect to the VPN server in PSS and Certificate mode. The clients can run on operating systems such as Macintosh* or Linux, or can be SSH workstations.

    • DNS/SLP Configuration: This configuration provides the address list of the DNS servers and directory agents applied to the client during a VPN session. The directory agent list (SLP) is applicable if Novell authentication is taking place during a VPN session. When a connection ends, the client returns to its original DNS information.

  • The user can select either Certificate Authentication or NMAS Authentication, or select both. If Certificate Authentication is selected, you need to configure one or more trusted roots. For NMAS Authentication, configure the clearance level (minimum allowed authentication grade).

  • The IP Address Assignment feature is available on the General tab of the client-to-site configuration to help you maintain a unique connection on the server for each client. It also solves client IP address conflicts behind NAT. When IP address assignment is in use, the intermediate routers in the internal network should route the assigned addresses to the VPN server.

  • Instead of a certificate subject name, an alternative subject name can be used by users or VPN members.

4.5 Site-to-Site Service

The VPN server supports site-to-site services between two Novell BorderManager 3.9 VPN servers and between a Novell BorderManager 3.8 and a Novell BorderManager 3.9 server. This service supports granular policies. In iManager, the Novell BorderManager 3.9 server can be configured as a master or a slave. The site-to-site features supported are:

  • IKE and PSK for key management.

  • X.509 certificate mode of authentication.

  • Mesh and star topology support.

  • VPN server behind NAT.

  • Third-Party connectivity support enables different kinds of servers to connect to the server in the PSS mode.

4.6 Web-Based Monitoring

The Web-based VPN and Proxy monitoring mechanism provides a view of the activities of the VPN and proxy server. This component is available through the NetWare Remote Management framework. The view is read-only, but it provides the ability to reset the connections. It provides data on a per-session and per-server basis. It also provides the status of the site-to-site service. The monitoring component is available at the administrator, user, and developer levels.

VPN

To launch the monitoring utility, go to https://<ipaddress>:8009. In the left pane, select NBM Monitoring > VPN Monitoring.

An important feature of VPN monitoring is the Synchronize button. For site-to-site services, synchronization can be done in two ways:

  • Synchronize selected servers: Click the check box to select certain servers, then click the Synchronize Selected Servers button.

  • Synchronize all servers: Click the Synchronize All Servers button to synchronize all members together.

Proxy

To launch the monitoring utility, go to https://<ipaddress>:8009. In the left pane, select NBM Monitoring > Proxy Monitoring.

You can view site statistics and cache statistics for all the proxy services, and the server statistics are refreshed at fixed intervals.

4.7 Migration

VPN

The VPN migration component can also run as a standalone utility.

The VPN install reads BorderManager 3.8 VPN configurations from their respective locations (configuration files or Novell eDirectory) and converts them to a configuration compatible with Novell BorderManager 3.9.

Stop all VPN services before installing the product if the server on which you are installing is a master server.

Related to this, on public interfaces where packet filtering is enabled, the install automatically adds filters for Novell BorderManager 3.8 VPN services during an upgrade.

4.8 ICSA Labs Certification

The VPN and Firewall are ICSA Labs Firewall certified.

These components include the following:

  • Brdcfg.nlm can now be used to add exceptions for VPN services running on the Novell BorderManager 3.9 server. These exceptions will allow VPN traffic through the firewall.

  • Configuring packet forwarding filters through iManager has been simplified.

5.0 Known Issues and Limitations

This section contains the known issues and limitations of Novell BorderManager 3.9.

5.1 Install

  • During the server upgrade to NetWare 6.5, vptunnel.lan is deleted from the server.

  • An uninstall removes only the Novell BorderManager 3.8 files and not the configuration.

  • The filtsrv.nlm file is downgraded if you use the NetWare 6.5 SP6 overlay CDs or DVD to upgrade the server that already has Novell BorderManager 3.8 installed. To resolve this, copy the filtsrv.nlm file manually to the sys:\system directory. The correct file is filtsrv.nlm version 1.61.13 dated Thursday, November 24, 2005.

  • Authentication might fail during Novell BorderManager 3.8 installation if the password contains special characters such as % and #.

  • The iManager plug-in is not available after upgrading the iManager from 2.5 to 2.6 during the NetWare OS upgrade, if Novell BorderManager 3.8.x is already installed. Copy bm.npm and vpn.npm located at sys:\public\brdmgr\snapins\ folder to the plugins module of iManager and install them. Restart the iManager service.

5.2 Client-to-Site Service

  • Clients might be disconnected because of the short inactivity time-out period. Change the inactivity time-out default to a larger value if the users stay in idle mode for a long time.

  • In a VPN session, if the system falls into the idle state it might lose the IP address. Disconnect the VPN and disable the adapter. Enable it again to get the IP address.

5.3 Site-to-Site Service

  • If the vptunnel is not loaded on the slave after the initial configuration is done, run the reinitialize system command on the slave.

  • Ring topology is not supported for this release.

5.4 Proxy Migration

  • When migrating from Novell BorderManager 3.8 SP 5 to Novell BorderManager 3.9, the bitmask in the Alerts configuration is not migrated.

5.5 VPN Migration

After migrating from Novell BorderManager 3.8 SP 5 to Novell BorderManager 3.9, Site-to-Site members fail to form tunnels. To work around this problem:

  1. Do one of the following:

    a. If the 3.8 master is migrated to a 3.9 master, select Site-to-Site Configuration > Member List, then change the member version of the master to 3.9.

    b. If the 3.8 slaves are not migrated to 3.9, select Site-to-Site Configuration > Member List, then change the member version to 3.8.

    c. If the 3.8 slaves are migrated to 3.9, select Site-to-Site Configuration > Member List, then change the member version to 3.9.

  2. Restart all the servers.

5.6 VPN Monitoring

  • It is not possible to monitor a slave server in the member list behind NAT. To monitor this kind of a slave, you must establish a NetWare Remote Manager connection directly with the slave.

5.7 Proxy

  • Terminal server authentication does not work for Java applet-based authentication or for Novell BorderManager Proxy single sign-on using clntrust.exe.

  • Mac OS SSL authentication to the Proxy does not support Java applet authentication.

  • Master and slave AuthAgents running on the same machine use the same log file.

  • NSS volumes are not supported for proxy caching. Traditional NetWare volumes are strongly recommended.

  • In clusters, the contents of a proxy cache are not available to other nodes for a failover.

5.8 Filter

  • Self pings are filtered but not logged.

  • Easy Filter Configuration lists only the Public interfaces configured on the server. This interface list is not updated immediately when an interface's status is changed from Public to Private (NetWare filtcfg > Configure Interface Options > Tag to toggle between Public and Private); it is refreshed every 30 seconds. To see the change immediately, reinitialize the system (NetWare inetcfg > Reinitialize System).

  • The stateful ping filter allows ping from only one side of the firewall at a time; it does not allow simultaneous pings between a pair of hosts across the firewall. To allow simultaneous pings, create a static ICMP filter, and, for security reasons, disable it immediately after use.

5.9 Firewall

  • The full distinguished eDirectory name of the Novell BorderManager server should be limited to 64 characters. For example, cn=fw-server.o=novell.

  • A Firewall with logging enabled might not work properly after it has been stressed for a long time.

6.0 Documentation

The following sources provide information about Novell BorderManager 3.9:

  • Novell BorderManager 3.9 Installation Guide

  • Novell BorderManager 3.9 Administration Guide

  • Novell BorderManager 3.9 VPN Client Installation Guide

  • Novell BorderManager 3.9 Troubleshooting Guide

  • Online Help

7.0 Documentation Conventions

In this documentation, a greater-than symbol (>) is used to separate actions within a step and items in a cross-reference path.

A trademark symbol (®, TM, etc.) denotes a Novell trademark; an asterisk (*) denotes a third-party trademark.

8.0 Document Updates

For the latest documentation and Readme on Novell BorderManager 3.9, see the Novell Documentation site.

9.0 Legal Notices

Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. Please refer to the Novell International Trade Services Web page for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright ©1997-2007 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.

Novell, Inc. has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page and one or more additional patents or pending patent applications in the U.S. and in other countries.

For a list of Novell Trademarks, see http://www.novell.com/company/legal/trademarks/tmlist.html

All third-party trademarks are the property of their respective owners.