
Novell BorderManager 3.7 Filter Configuration Frequently Asked Questions

(Last modified: 16Sep2003)

This document (10070403) is provided subject to the disclaimer at the end of this document.

goal

Novell BorderManager 3.7 Filter Configuration Frequently Asked Questions

fact

Novell BorderManager 3.7

note

Novell BorderManager 3.7 comes with a Packet Filtering Configuration Task based on Novell iManager for configuring TCP/IP filters. The Novell BorderManager Access Management Role and Packet Filtering Configuration Task is automatically plugged into Novell iManager during Novell BorderManager 3.7 installation. This FAQ helps you resolve some frequent queries on the Packet Filtering Configuration Task.

===================
TABLE OF CONTENTS
General:
Upgrade:
Configuration:
Browser Version:
Filters:
Troubleshooting:
===================

======
General:
======

Q 1. How is packet filtering configuration different in NBM 3.7?
Ans. In earlier versions, up to BorderManager Enterprise Edition 3.6, filter configuration was done through FILTCFG, a text-based (TUI) utility that runs on the server console. The configuration information was stored in ASCII text files.

In Novell BorderManager (NBM) 3.7, filters can be configured from the server console (FILTCFG) as well as from a web browser. All configuration information is stored in eDirectory. This requires the NBM server to hold a read/write replica of the partition in which its server object resides, with NDS 8.78 (or later) on NetWare 5.1 SP4 or eDirectory 8.6.2 on NetWare 6.0 SP1.

Q 2. Why should I go for the iManager-based filter configuration utility?
Ans. Filter configuration through Novell iManager is browser based and role based: only users who have been assigned the role can configure filters. The utility is streamlined and considerably more intuitive than FILTCFG. It shares a common look and feel with the other iManager plugins, so once you know how to use any iManager plugin it is easy to navigate BorderManager packet filtering as well. It also comes with context-sensitive help for the packet filtering operations.

Q 3. What Novell operating system platforms allow me to configure the Filter Configuration through the browser?
Ans: NetWare 6 ships with an iManager management framework - NetWare 5.1 doesn't. If there is no NetWare 6 server in your tree, you will have to configure the filters through FILTCFG. If there is a NetWare 6 server with NBM 3.7 in the same tree, use the iManager interface to select the NetWare 5.1 server in the 'BorderManager server selection' screen and proceed with the configuration.

Q 4. What are the files, directories that constitute the iManager plugin for Filter Configuration?
Ans. The files and directories on the NetWare 6 server that constitute the iManager plugin for Filter Configuration are:

- sys:\webapps\eMFrame\WEB-INF\install\bm\bm.xml
- sys:\webapps\eMFrame\WEB-INF\plugins\bm\bmtasks.xml
- sys:\webapps\eMFrame\WEB-INF\lib\bm.jar
- sys:\webapps\eMFrame\WEB-INF\classes\templates\BMResources*.properties
- sys:\webapps\eMFrame\WEB-INF\classes\templates\browser\bm\*.*
- sys:\webapps\eMFrame\help\en\bm\*.*
- sys:\webapps\eMFrame\images\bm\*.*


Q 5. What are the NLMs responsible for packet filtering?
Ans. FILTSRV.NLM reads the rules from eDirectory (from FILTERS.CFG in the case of IPX and AppleTalk filters) and passes them to the IPFLT module. The IPFLT module consists of two NLMs, IPFLT.NLM and IPFLT31.NLM.

IPFLT.NLM checks the version of FILTERS.CFG and loads IPFLT31.NLM. IPFLT31.NLM does the actual packet filtering.

Q 6. Will filtering in NBM 3.7 work if I remove the file FILTERS.CFG?
Ans. No. If FILTERS.CFG is removed, filtering in NBM 3.7 stops working: NBM 3.7 still depends on FILTERS.CFG even though it reads the IP filters from eDirectory.

Q 7. Does storing information in eDirectory pose any new requirements?
Ans. Yes. The main requirement is that the NBM 3.7 server must hold a read/write replica of the eDirectory partition in which its server object resides. The directory versions are 8.0.9 for NetWare 5.1 SP4 and eDirectory 8.6.2 for NetWare 6.0 SP1.

Q 8. What happens to my filter configuration setup when problems in communication with eDirectory occur on my NBM 3.7 server?
Ans: When FILTSRV loads, it tries to read the filtering information (the object details) from eDirectory. If FILTSRV cannot read this information, all packets are allowed through the firewall; in other words, the firewall fails open. An updated FILTSRV that instead denies all packets while eDirectory is unreachable is available from support.novell.com as BM37FLT.EXE. Apply it on any server that protects a public interface, because with the original module an eDirectory outage or replica problem leaves the public interface unfiltered.

Q 9. How do the actual filtering modules (FILTSRV and IPFLT) learn of the changes made through iManager?
Ans. FILTSRV.NLM registers with eDirectory for event notification. Whenever a filter object changes in eDirectory, eDirectory notifies FILTSRV, which reads the latest list of filters from eDirectory and passes it to the IPFLT module. There can be a delay of up to 30 seconds between making a configuration change and the filtering taking effect.

=======
Upgrade:
=======

Q 1. How do I move/migrate existing filters on my BorderManager server from file (FILTERS.CFG) to eDirectory in an upgrade scenario?
Ans. If you are upgrading from BorderManager 3.5 or BorderManager Enterprise Edition 3.6 to Novell BorderManager 3.7, ensure that all filters have been migrated to Novell eDirectory.

To migrate existing BM filters from files to eDirectory follow these steps:

- After the NBM 3.7 installation has finished, restart the server.
- If FILTSRV is already loaded, unload it first.
- Load FILTSRV with the migrate option, that is, run FILTSRV MIGRATE from the system console.
- After the migration, unload FILTSRV and load it again in normal mode (plain FILTSRV, without options).

All existing filters are then stored in eDirectory. Migration does not remove filters already in eDirectory; it only adds the filters from FILTERS.CFG.

- FILTSRV MIGRATE can be run at any time you want to move filters from FILTERS.CFG to eDirectory.

- FILTSRV MIGRATE must be run AFTER unloading FILTSRV. FILTSRV cannot be loaded re-entrantly.

- If you forget to run FILTSRV MIGRATE, the configured filters are not displayed in the FILTCFG menu and SYS:\ETC\FILTERS.CFG is empty. To recover, copy a backed-up FILTERS.CFG to the server. If no backup is available, run BRDCFG (to put the BorderManager 3.6 default filters back in place), unload FILTSRV and then run FILTSRV MIGRATE.

==========
Configuration:
==========

Q 8. How do I configure packet forwarding filters using iManager?
Ans. The screen shown after you choose the BorderManager server for filter configuration lists the available operations. Select "Configure Packet Forwarding Filter" and click Next. For further details refer to http://www.novell.com/documentation/lg/bmee37/index.html > Administration Guide > Filters > Packet Filtering based on Novell iManager > Configuring the Packet Forwarding Filter.

Q 9. Can I configure an interface (toggle its status between private and public) through iManager?
Ans. No, this functionality is not provided in iManager. It has to be done with FILTCFG.NLM.

Q 10. Can I configure filters on BMEE 3.6 server using the NBM 3.7 iManager plug in?
Ans. No, you can't.

Q 11. How can I use iManager to configure filters on the server on which iManager is running, or on another server?
Ans. To configure filters on the same or another server, follow these steps:

- From a web browser, open the URL https://<IP address>:2200/eMFrame/iManager.html, where <IP address> is the IP address of a NetWare 6 server with NBM 3.7 installed.

- At the login screen, log in to the eDirectory tree that contains the server on which you want to configure the filters.

- After a successful login you will see the role NBM Access Management on the left panel.

- Click the role to see the Filter Configuration task.

- Click the task to bring up the BorderManager Server Selection screen on the right panel.

- Use the object selector to browse the eDirectory tree and select the server on which you want to configure filters. This server must have NBM 3.7 installed.

============
Browser Version:
============

Q 1. What are the recommended browser versions for Filter Configuration using iManager?
Ans. The recommended browser versions are Internet Explorer 5.5 and above.

Q 2. Is it possible to browse iManager pages using Netscape?
Ans. Yes, it is possible, but the NBM filter configuration task is currently not supported through Netscape.

=====
Filters:
=====

Q 1. Are filters in eDirectory and FILTERS.CFG synchronized?
Ans. No, they are not fully synchronized.

When you configure filters with the FILTCFG utility, FILTERS.CFG is updated with the latest information from eDirectory. When you configure filters through iManager, the changes are not reflected in FILTERS.CFG until the next time you use FILTCFG. Do not treat FILTERS.CFG as a current copy of the filter set; back it up with FILTSRV_BACKUP_FILTERS (see Q 2 below) instead.

Q 2. How does backup and restore work in NBM 3.7?
Ans. NBM 3.7 stores its filters in eDirectory. All stored filters are created under the container NBMRuleContainer, which is created at the same level as the NCP Server object of the server on which Novell BorderManager 3.7 is installed.

- To back up the IP filters in eDirectory, enter the following command at the console prompt:

FILTSRV_BACKUP_FILTERS <FILE NAME>

This backs up the filters to the specified file in the SYS:\ETC directory. If you do not specify a file name, the filters are backed up to SYS:\ETC\FILTERS.BAK. FILTERS.BAK has essentially the same format as FILTERS.CFG.

- To restore IP filters to eDirectory, copy the backed-up file (FILTERS.BAK) to SYS:\ETC\FILTERS.CFG on the server where you want to restore the filters, then enter the following command at the console prompt:

FILTSRV MIGRATE

If FILTSRV is already loaded, unload it first and then run FILTSRV MIGRATE. Because the migration only adds filters (see Upgrade Q 1), restoring onto a server that still holds filters in eDirectory merges the two sets rather than replacing the current one.

Q 3. How do I force FILTSRV to read latest filter information from eDirectory?
Ans. As described in General Q 9, FILTSRV.NLM registers with eDirectory for event notification and re-reads the filter list whenever eDirectory reports a change, so a change can take up to 30 seconds to come into effect.

To force FILTSRV to read the latest information from eDirectory immediately, enter the following command at the console prompt:

REINITIALIZE SYSTEM

Q 4. How does filtering work when the eDirectory is not available?
Ans. FILTSRV.NLM tries to read the filters from eDirectory every thirty seconds until it succeeds. Until then, temporary DENY ALL filters are added to protect all public interfaces of the system. Note that this is the behaviour of the updated FILTSRV from BM37FLT.EXE; the FILTSRV originally shipped with NBM 3.7 allows all packets through while eDirectory cannot be read (see General Q 8).

Q 5. What specific eDirectory objects are created by the NBM 3.7 install for filter configuration?
Ans: The objects created in eDirectory by the install are:

- Individual objects:

  - An NBMRuleContainer object, created at the same level as the NCP Server object of the BorderManager server.
  - Role, Module and Task objects, created under the Role Based Service object for the iManager management tasks.

- Extension of the NCP Server object:

  - The fwsAuxFiltServer auxiliary class is attached to the NCP Server object, with the fwsAction and fwsStatus attributes initialized to zero.

============
Troubleshooting:
============

Q 1. I configured the filters using iManager or FILTCFG.NLM, but the filters are not working. Why?
Ans. Check the following, in order:

a. Check that filter support is enabled in INETCFG.NLM. Configured filters are not active until it is. Go to INETCFG > Protocols > TCP/IP > Filter Support and enable Filter Support.

b. Verify that the IPFLT31 module is loaded. You can do this with the MODULES command (M is its short form) at the console prompt:

m ipflt

c. Verify that FILTERS.CFG exists in SYS:\ETC.

d. Check the filters actually in place to make sure no rule allows or blocks access to the service that is misbehaving. A document on troubleshooting packet filtering issues is available at http://support.novell.com/cgi-bin/search/searchtid.cgi?/10018659.htm

Q 2. iManager is not coming up after changing the IP Address of the NetWare 6 server.
Ans. If this is the case please follow the TID mentioned here:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10067789.htm

Q 3. Why do IP filters not show up in the FILTCFG utility immediately after reboot?
Ans. If the eDirectory database has not been initialized by the time FILTSRV/IPFLT loads, you will not see the filters. FILTSRV.NLM retries reading the filters from eDirectory every thirty seconds until it succeeds. Until then, temporary DENY ALL filters are added to protect all public interfaces of the system (with the updated FILTSRV from BM37FLT.EXE; the original module allows all traffic through in the meantime, see General Q 8).

Q 4. After install, when I log in to iManager, I do not see the role NBM Access Management on the left panel. Why?
Ans. Log in to iManager as the user who installed NBM 3.7 on the server, or as a user who has been assigned the NBM Access Management role.

If you still do not see the NBM Access Management role on the left panel, follow these steps:

- Click the iManager Configure button.

- Click Modify Role under Role Management on the left panel.

- Check whether the role NBM Access Management is visible in the list of roles on the right panel.

- If the role is visible, the jar file (sys:\webapps\eMFrame\WEB-INF\lib\bm.jar) or the plugin folders are probably not named correctly: bm.jar and all the plugin folder names must be in lower case.

- If the role is not visible, run the Install Plugin task (iManager Configure button > Role Based Services Setup > Install Plugin).

- Select bm as the plugin to install.

- Using the Object Selector browse the eDirectory and select Role Based Service as the Collection Container.

- Click OK to install plugin.
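The two symptoms above (plugin files absent, or present under a wrong-case name such as BM.JAR) can be checked from a workstation before touching iManager. The following script is an added example for this TID, not Novell code. It assumes the server's sys:\webapps\eMFrame directory is reachable as a local path (for example through a mapped drive) and walks the file list from General Q 4, reporting entries that are missing and entries whose plugin folder or jar exists only in the wrong case. The sample directory tree it builds when run without an argument is constructed for demonstration and contains placeholder files only.

```python
"""Check that the NBM 3.7 iManager packet-filter plugin files are in place.

Added example for this TID, not Novell code. It assumes sys:\\webapps\\eMFrame is
reachable from the workstation as a local path; pass that path to check_plugin_files().
"""
import fnmatch
import os
import sys
import tempfile

# Files and directories listed in General Q 4, relative to sys:\webapps\eMFrame.
# A leaf containing a wildcard is satisfied by at least one matching file.
PLUGIN_PATHS = [
    "WEB-INF/install/bm/bm.xml",
    "WEB-INF/plugins/bm/bmtasks.xml",
    "WEB-INF/lib/bm.jar",
    "WEB-INF/classes/templates/BMResources*.properties",
    "WEB-INF/classes/templates/browser/bm/*.*",
    "help/en/bm/*.*",
    "images/bm/*.*",
]

# Names that Troubleshooting Q 4 says must be lower case: the plugin folders and the jar.
CASE_SENSITIVE = {"bm", "bm.jar"}


def _find(dirpath, name):
    """Return the entry in dirpath matching name (exact match preferred, otherwise a
    case-insensitive match), or None. os.listdir is used rather than os.path.exists so
    that a wrong-case name is detected even on a case-insensitive file system."""
    try:
        entries = os.listdir(dirpath)
    except OSError:
        return None
    if name in entries:
        return name
    return next((e for e in entries if e.lower() == name.lower()), None)


def check_plugin_files(emframe_root):
    """Walk PLUGIN_PATHS under emframe_root.
    Returns (missing, wrong_case): entries that are absent, and entries whose plugin
    folder or jar exists only under a wrong-case name (the symptom of Troubleshooting Q 4)."""
    missing, wrong_case = [], []
    for rel in PLUGIN_PATHS:
        *dirs, leaf = rel.split("/")
        dirpath, problem = emframe_root, None
        for part in dirs:
            actual = _find(dirpath, part)
            if actual is None:
                problem = "missing"
                break
            if actual != part and part in CASE_SENSITIVE:
                problem = "case"
                break
            dirpath = os.path.join(dirpath, actual)
        if problem is None:
            if "*" in leaf:  # wildcard leaf: at least one file must match, any case
                if not any(fnmatch.fnmatch(e.lower(), leaf.lower()) for e in os.listdir(dirpath)):
                    problem = "missing"
            else:
                actual = _find(dirpath, leaf)
                if actual is None:
                    problem = "missing"
                elif actual != leaf and leaf in CASE_SENSITIVE:
                    problem = "case"
        if problem == "missing":
            missing.append(rel)
        elif problem == "case":
            wrong_case.append(rel)
    return missing, wrong_case


def build_sample_tree(jar_name="bm.jar", with_help=True):
    """Create a constructed eMFrame layout in a temp directory (placeholder files, not
    real plugin contents) for trying the check offline. jar_name="BM.JAR" reproduces the
    wrong-case symptom; with_help=False reproduces a missing help directory."""
    root = tempfile.mkdtemp()
    files = [
        "WEB-INF/install/bm/bm.xml",
        "WEB-INF/plugins/bm/bmtasks.xml",
        "WEB-INF/lib/" + jar_name,
        "WEB-INF/classes/templates/BMResources.properties",
        "WEB-INF/classes/templates/browser/bm/list.html",
        "images/bm/bm.gif",
    ] + (["help/en/bm/index.html"] if with_help else [])
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed placeholder\n")
    return root


if __name__ == "__main__":
    # Usage: python check_bm_plugin.py S:\webapps\eMFrame   (no argument: run on the sample tree)
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(jar_name="BM.JAR")
    missing, wrong_case = check_plugin_files(root)
    for rel in missing:
        print("missing:    " + rel)
    for rel in wrong_case:
        print("wrong case: " + rel)
    if not (missing or wrong_case):
        print("all plugin files present with lower-case names")
```

Only the plugin folders and bm.jar are held to an exact lower-case name, because those are the names the TID constrains; other entries such as BMResources*.properties are matched case-insensitively. A "wrong case" result is what to fix before re-running the Install Plugin task; a "missing" result means the plugin was never (or only partially) installed.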

Q 5. iManager does not come up, and nothing is listening on port 2200.
Ans. If this is the case, see the TID at the link below:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10065902.htm

Q 6. I configured filters through iManager, but I cannot see them in FILTCFG. Why?
Ans. Probably because FILTCFG.NLM was already loaded on the server when the change was made. Unload and reload FILTCFG.NLM.

Q 7. How do I manually extend the schema for filtering?
Ans. The schema is normally extended during NBM 3.7 installation. If you still need to extend it, run SCHEXT.NLM at the console prompt with the following mandatory parameters:

SCHEXT <USER FDN> <PASSWD>

The user must have Supervisor rights at the [Root] of the tree. Note that the password is entered in clear text on the console command line.

Example: SCHEXT .CN=ADMIN.O=NOVELL PASSWORD

Q 8. Are the filters added by running BRDCFG and those added by installing NBM 3.7 the same?
Ans. No, they are different. BRDCFG adds the BMEE 3.6 default filters, whereas the NBM 3.7 install adds the full set of stateful filters.

BRDCFG will be modified to add the NBM 3.7 filters; this will be made available as a patch with NBM 3.7 SP1.

Q 9. General issues with iManager?
Ans. If you are facing general issues with Novell iManager please look at the following doc http://www.novell.com/documentation/lg/imanage10/index.html?imanage/data/ac1jn64.html.

Q 10. Proxies listening on non-standard ports (other than 8080) do not work after upgrading to NBM 3.7.
Ans. NBM 3.7 adds filters that protect the public interfaces and opens only the standard ports used by the proxies (such as 8080, 21 and so on). If you configure a proxy to listen on another port, you must create a filter exception that allows traffic to that port. This can be done with FILTCFG or iManager.


disclaimer

The origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Document ID: 10070403
Solution ID: NOVL78024
Creation Date: 26Apr2002
Modified Date: 16Sep2003
Categories: Novell NetWare; BorderManager Services