1
Novell BorderManager® VPN: No Secrets
Novell BrainShare 2002
Caterina Luppi, Novell SysOp, Novell Support Connection
Craig Johnson
TUT341—Novell BorderManager VPN: No Secrets
2
Vision…one Net
- A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries
Mission
- To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world
4
VPN=Virtual Private Network
What Is the VPN? If you’re here you should know this already, but…
- VPN=Virtual Private Network
- A network that uses the Internet as the medium for transporting data
- By using encryption and other security mechanisms, this system ensures that only authorized users can access the network and that data cannot be read or altered if it is intercepted in transit
5
The BorderManager® VPN
- The VPN is one of the modules included in the BorderManager (BM) product suite
- There are two types of VPN in BorderManager: site-to-site and client-to-site
- Site-to-site VPN links two LANs together with an “encrypted tunnel” over the Internet
- Client-to-site VPN allows a remote PC to make a secure connection to a LAN over the Internet
6
Important Things to Remember
About the site-to-site VPN
- It is established between two or more BM/VPN servers (one master, one or more slaves)
- An encrypted tunnel links two or more LANs connected to the same VPN
- It is mainly based on routing: traffic passes through the tunnel because a static route makes the tunnel the lowest-cost route
- Traffic passing through the tunnel is encrypted and decrypted at the VPN server
- No need for special software at the workstations
7
Important Things to Remember (cont.)
About the client-to-site VPN
- It is established between a client, running special software, and a VPN server configured as “master”
- It provides secure access to the LAN and WAN behind the VPN server
- The user must be authorized to establish the VPN with a username and through “Access Rules”
- The client workstation must run MS Windows (Win 9x, NT, 2000; XP and ME soon)
- The VPN client and the NetWare® client are distinct and independent
8
The “Must Know”
You should be familiar with
- The terminology (VPTUNNEL IP address, public IP address, private IP address)
- How to configure a “standard” VPN by using VPNCFG.NLM and NWADMN32.EXE
- Exchange of the VPN information and digest
- Basic routing concepts (default gateway, IP routing protocols used in your LAN)
- The details of the Internet connectivity for your LAN
- The emergency phone number of your ISP
9
The Secrets of Your Success
- Make sure you are not doing anything against your company policy
- List your needs and know what you want to do
  - What kind of VPN do you want to set up (client-to-site, site-to-site, or both)?
  - Will your users log into Novell eDirectory™ or only use IP services (HTTP, FTP, mail, etc.)?
  - Which version(s) of Windows are your users using?
- Pick a good ISP
  - Bad ISPs (incompetent, not helpful, not flexible) are the “public enemy number one” of your VPN
10
“Intense” material ahead!
WARNING: “Intense” material ahead! Concentration is required
11
The Guiding Flowcharts
Instructions for the flowcharts
- Choose the map that suits your environment
- Start from “start here” and follow the flowchart by answering the questions
- When both of the following conditions apply, you will need two separate VPN servers; apply the recommendations of flowcharts 4 and 5:
  - Your LAN has a different “gateway” to the Internet (NOT the VPN server)
  - You need both client-to-site and site-to-site
12-16
The Guiding Flowcharts 1 to 5 (diagrams, not reproduced in the text)
Footnotes on flowchart 1: * Novell Directory Service®  ** Novell NetWare®
17
Tips for Partitioning the eDirectory
- We don’t recommend spanning your eDirectory tree across multiple sites connected through the VPN
- The eDirectory health depends on the reliability of the connection between the servers, and the connection between the servers is as reliable as the least reliable of all the links
- If you really, really, really need it….
18
Tips for Partitioning the eDirectory (cont.)
- Partition your tree sensibly
- Very little, if any, eDirectory traffic should travel across the VPN for standard office operations
- Store a copy of all the needed licenses locally
- The BorderManager server needs to hold a replica of the partition where its container resides
- The master replica of the partition associated with each remote site must be stored at the remote site
19
Case Study: VPN within a Corporate LAN
- Your LAN is part of a larger corporate LAN, using an existing default gateway to the Internet
- What do you want to do?
  - Establish site-to-site and client-to-site VPN
  - eDirectory access only for VPN clients
  - IP-only (HTTP, FTP, mail, database) access for sites
  - Need access to certain corporate servers but can’t change the routing tables of these servers, or these servers are across routers whose routing tables can’t be changed
20
Case Study: VPN within a Corporate LAN (cont.)
Diagram: S_master (site-to-site) and C_master (client-to-site, with dynamic NAT) in the master LAN, each with a private IP and a VPTUNNEL address; S_slave, with its private IP and VPTUNNEL address, in front of the slave LAN, whose hosts point at their default gateway; the Internet in between.
21
Case Study: VPN within a Corporate LAN (cont.)
- For BOTH site-to-site and client-to-site VPN, you need TWO separate VPN servers (S_master and C_master)
- The VPN server for the client-to-site (C_master) must have DYNAMIC NAT enabled on its PRIVATE interface only
  - No NAT on the public interface
- Before anything else, fix the routing (ROUTING, ROUTING, ROUTING)
22
Case Study: VPN within a Corporate LAN (cont.)
- Configure the “protected networks” in S_master: in NWADMN32, BM set-up, VPN, site-to-site, details, double-click on each server name
- The protected network for each server is the private network behind that VPN server
  - Ex. Protected network for S_master: the private /24 behind S_master; protected network for S_slave: the private /24 behind S_slave; etc.
- Make sure that “Enable IP RIP” is checked
23
Case Study: VPN within a Corporate LAN (cont.)
- Select “encrypt only the listed networks” in C_master: in NWADMN32, BM set-up, VPN, client-to-site, details
- You should add the private IP network behind the C_master server to the list of networks to encrypt
  - Ex. The list of networks to encrypt should show the public IP address of C_master with its mask and the private network behind C_master with its mask
24
Case Study: VPN within a Corporate LAN (cont.)
- The servers in your master LAN (only the ones that you want to reach through the VPN) must have static routing entries for the slave LANs
- Ex: routing table of SRV1 (in the master LAN)

    Destination                  Next hop
    Default gateway              corporate firewall
    Network (slave LAN)          S_master (its private IP)
    Network (VPTUNNEL network)   S_master (its private IP)

  The last entry is the VPTUNNEL network itself
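To make the routing point concrete, here is an added example (not part of the deck and not Novell code) of how a host such as SRV1 chooses a next hop: the most specific route wins, so a static /24 entry via S_master beats the default route to the corporate firewall, and a remote network that has no such entry silently goes to the firewall instead of into the tunnel. The addresses (master LAN 10.1.0.0/24, S_master 10.1.0.1, corporate firewall 10.1.0.254, slave LAN 10.2.0.0/24, VPTUNNEL network 10.255.0.0/24) are assumed values chosen for illustration.

```python
import ipaddress

# Assumed addresses for illustration (not from the presentation):
#   master LAN 10.1.0.0/24 with SRV1 in it, S_master private IP 10.1.0.1,
#   corporate firewall 10.1.0.254, slave LAN 10.2.0.0/24,
#   VPTUNNEL network 10.255.0.0/24.
SRV1_ROUTES = [
    ("0.0.0.0/0",     "10.1.0.254"),  # default gateway: the corporate firewall
    ("10.1.0.0/24",   "direct"),      # master LAN, directly connected
    ("10.2.0.0/24",   "10.1.0.1"),    # slave LAN, via the private IP of S_master
    ("10.255.0.0/24", "10.1.0.1"),    # VPTUNNEL network, via S_master as well
]


def build_table(routes):
    """Turn (prefix, next_hop) pairs into a table ordered most-specific first,
    which is the order a longest-prefix-match lookup needs."""
    table = [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup(table, destination):
    """Return (matched_network, next_hop) for destination.
    The /0 default route matches everything, so it only wins when no
    more specific static route covers the destination."""
    addr = ipaddress.ip_address(destination)
    for network, hop in table:
        if addr in network:
            return network, hop
    raise LookupError(f"no route to {destination}")


def next_hop(table, destination):
    return lookup(table, destination)[1]


def networks_using_default_route(table, remote_networks):
    """Remote networks that SRV1 would reach only through its default route.
    Replies to hosts in such a network leave through the corporate firewall
    rather than through S_master, so the VPN looks 'half working': the slave
    side can send, but nothing comes back through the tunnel."""
    lost = []
    for prefix in remote_networks:
        probe = ipaddress.ip_network(prefix)[1]   # first host address in the range
        matched, _ = lookup(table, str(probe))
        if matched.prefixlen == 0:
            lost.append(prefix)
    return lost


if __name__ == "__main__":
    table = build_table(SRV1_ROUTES)
    for dst in ("10.2.0.25", "10.255.0.2", "198.51.100.7"):
        print(dst, "->", next_hop(table, dst))
    print("not routed via the tunnel:",
          networks_using_default_route(table, ["10.2.0.0/24", "10.3.0.0/24"]))
```

Run `networks_using_default_route` against the list of slave LANs before blaming the VPN: a slave site that shows up there is exactly the case the deck's "fix the routing first" warning is about.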
25
Case Study: VPN within a Corporate LAN (cont.)
Problem
- There are servers or services within your corporate LAN that need to be accessible through the VPN, but you can’t change their routing table
Solution
- You can configure generic proxies on the private IP address of your VPN server
- Ex: SQL server at some IP address in your LAN. Create a generic TCP proxy on the S_master private IP address for port 1433 (SQL) with the SQL server as origin server
- The users in the slave LANs will access the SQL server at the private IP of S_master, port 1433
- This works because the proxy opens its own connection to the SQL server from the private IP of S_master, so the SQL server only ever replies to a host on its own LAN and never needs a route back to the slave LANs
26
Case Study: VPN within a Corporate LAN (cont.)
Diagram: generic TCP proxy on port 1433 on the private IP of S_master, origin = the SQL server in the master LAN; C_master (with dynamic NAT) and its VPTUNNEL address; the Internet.
27
Case Study: VPN within a Corporate LAN (cont.)
Problem
- You want to hide the structure of your slave LANs from the master LAN
Solution
- Enable dynamic NAT on the VPTUNNEL interface of each slave
- This trick can also be used to simplify the routing in your LAN if you don’t need to reach the remote LANs individually from the master LAN
- WARNING: if you do this and something goes wrong, expect to have to reconfigure the networking part of your slave server (including the VPN)
28
Case Study: VPN within a Corporate LAN (cont.)
To enable dynamic NAT on the VPTUNNEL interface, edit the Interface section for VPTUNNEL in sys:\etc\tcpip.cfg of the slave server so that it reads as follows (NATStatus is the line that changes):

    <snip>
    Interface {
        Address <VPTUNNEL address of the slave>
        Port VPTUNNEL
        Type nbma
        RouterDiscovery no
        SolicitationAddress multicast
        NATStatus Enabled
        HeaderCompression no
    }
29
Case Study: VPN within a Corporate LAN (cont.)
Problem
- You want only certain services/servers from the slave LANs to be available to the master
Solution
- Enable generic proxies for specific services on the VPTUNNEL interface of the slave server
- Ex: SQL server at some IP address in the slave LAN. Create a generic TCP proxy on the VPTUNNEL address of S_slave for port 1433 (SQL) with the SQL server as origin server
- The users in the master LAN will access the SQL server at the VPTUNNEL address of S_slave, port 1433
30
Case Study: VPN within a Corporate LAN (cont.)
Diagram: slave LAN whose hosts use S_slave as default gateway; generic TCP proxy on port 1433 on the VPTUNNEL address of S_slave, origin = the SQL server in the slave LAN; the Internet.
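Both proxy tricks above (slide 25, proxy on the private IP of S_master; slide 29, proxy on the VPTUNNEL address of S_slave) rely on the same mechanism: a generic TCP proxy accepts a connection on one address, opens its own connection to the origin, and relays bytes in both directions, so the origin only ever talks to the proxy's address and the LAN behind it stays hidden. The following is an added example of that mechanism in plain Python sockets; it is not BorderManager's proxy and not code from the deck. A local echo server is constructed to stand in for the SQL server, and both sockets bind to 127.0.0.1 on ephemeral ports so it runs offline; in production the listening address would be the private IP of S_master or the VPTUNNEL address of S_slave, port 1433.

```python
import socket
import threading

BUFFER = 4096


def _relay(src, dst):
    """Copy bytes from src to dst until src signals end-of-stream, then
    half-close dst so the peer sees the same EOF. Only the write side is
    shut down: the opposite direction keeps flowing until it drains too."""
    try:
        while True:
            chunk = src.recv(BUFFER)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class GenericTcpProxy:
    """Listen on (listen_host, listen_port); splice every accepted client to a
    fresh connection to (origin_host, origin_port). The origin only ever sees
    connections from the proxy's own address, which is why the origin needs no
    route back to the networks on the far side of the tunnel."""

    def __init__(self, listen_host, listen_port, origin_host, origin_port):
        self.origin = (origin_host, origin_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((listen_host, listen_port))
        self.listener.listen(16)
        self.address = self.listener.getsockname()  # real port even if 0 was requested
        self._thread = threading.Thread(target=self._accept_loop, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def close(self):
        self.listener.close()  # makes accept() fail, which ends the accept loop

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:
                return
            threading.Thread(target=self._splice, args=(client,), daemon=True).start()

    def _splice(self, client):
        try:
            upstream = socket.create_connection(self.origin, timeout=5)
        except OSError:
            client.close()  # origin unreachable: the client just sees a closed connection
            return
        upstream.settimeout(None)
        back = threading.Thread(target=_relay, args=(upstream, client), daemon=True)
        back.start()
        _relay(client, upstream)   # client -> origin in this thread
        back.join()                # wait for origin -> client to drain
        client.close()
        upstream.close()


def echo_server():
    """Constructed stand-in for the SQL server: returns every byte it receives.
    Returns the listening socket; its address is where the proxy forwards to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn):
        _relay(conn, conn)
        conn.close()

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip(payload):
    """Send payload through the proxy to the origin and return the reply."""
    origin = echo_server()
    proxy = GenericTcpProxy("127.0.0.1", 0, *origin.getsockname()).start()
    try:
        with socket.create_connection(proxy.address, timeout=5) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)  # done sending; now wait for the echo
            received = b""
            while True:
                chunk = client.recv(BUFFER)
                if not chunk:
                    break
                received += chunk
        return received
    finally:
        proxy.close()
        origin.close()
```

The half-close handling in `_relay` is the part that usually goes wrong in home-grown relays: tearing down both directions as soon as one side sends EOF loses whatever the origin was still sending. A relay meant for production also needs idle timeouts and a limit on concurrent connections, neither of which this demonstration has.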
31
Case Study: VPN within a Corporate LAN—The Client Configuration
- If possible, choose only one protocol for the VPN tunnel (IPX or IP); see the flowcharts
- Note that IPX is not required if you don’t need eDirectory access
- SCMD (the IPX Compatibility Mode driver) doesn’t work over the VPN
- If login to eDirectory is required, install the NetWare client in addition to the VPN client
- When installing the NetWare client, choose only the protocol you decided to encrypt in the VPN configuration (IPX or IP)
32
Case Study: VPN within a Corporate LAN—The Client Configuration (cont.)
- If you have both IPX and IP over the VPN, only IPX will be used for eDirectory communication (in most cases)
- If you have only IPX over the VPN
  - Make sure IPX is NOT bound to the physical NIC of the VPN client, but only to the VPN interface
  - If necessary, use hardware profiles
  - Check that you don’t have more than four IPX bindings in your network components at the workstation
  - Doesn’t work with Win2000 (or XP)
33
Case Study: VPN within a Corporate LAN—The Client Configuration (cont.)
- If you have only IP over the VPN, the VPN client will be able to log in to eDirectory only if it properly receives the SLP information
- The SLP information, even if properly configured, takes about 10 minutes to propagate to the VPN client, starting from the moment the VPN is established
- Not very convenient
- Solution...
34
Case Study: VPN within a Corporate LAN—The Client Configuration (cont.)
- Complement the SLP information with static HOSTS information
  - Configure SLP at the client with a static SLP DA
  - Populate the HOSTS file of your VPN client with the names and IP addresses of the NetWare servers you want to log into
  - Use the server name instead of the eDirectory tree in the NetWare login window
35
Case Study: VPN within a Corporate LAN—The Client Configuration
You have two ways to perform name resolution for the internal servers
- Populate the HOSTS file of your VPN client with the names and IP addresses of the services that the client has to reach through the VPN
  - Ex: one line per host (IP address followed by the name) for SQL_Server and SRV1
- Set your internal DNS server (reachable only through the VPN) as second DNS server in the VPN client
36
Case Study: VPN within a Corporate LAN (cont.)
You are done!
37
Case Study: VPN within a Corporate LAN (cont.)
Let’s troubleshoot now...
38
Common Problems and Solutions: Site-to-Site VPN
Symptom
- I configured the VPN between two servers; the VPN was established but I can’t reach the internal LAN
Check
- Make sure that your VPN tunnel IP address is in a different network from the private and the public IP addresses of the server
  - Public IP address: one network
  - Private IP address: a different /24
  - VPN TUNNEL IP address: yet another /24
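The address-plan rules scattered across the deck (slide 22: the protected network of each server is the private LAN behind it; slide 38: the VPTUNNEL network must be separate from every public and private network, and all members share it) can be checked before anything is typed into VPNCFG. The following is an added example of such a pre-flight check, not Novell tooling and not from the presentation. It goes one step beyond the slides by also flagging protected networks that overlap between sites, because the static routes of slide 24 cannot distinguish two sites that use the same private range. The two sample plans are constructed for illustration.

```python
import ipaddress


def check_address_plan(servers):
    """servers: list of dicts with keys name, public, private, vptunnel (each
    'address/prefix') and protected (list of 'network/prefix').
    Returns a list of human-readable problems; an empty list means the plan
    passes every rule below."""
    problems = []
    tunnel_networks = {}
    for s in servers:
        name = s["name"]
        pub = ipaddress.ip_interface(s["public"])
        priv = ipaddress.ip_interface(s["private"])
        tun = ipaddress.ip_interface(s["vptunnel"])
        protected = [ipaddress.ip_network(p) for p in s["protected"]]
        # Rule 1 (slide 38): the tunnel must be a network of its own.
        for label, iface in (("public", pub), ("private", priv)):
            if tun.network.overlaps(iface.network):
                problems.append(
                    f"{name}: VPTUNNEL {tun} overlaps the {label} network {iface.network}")
        # Rule 2 (slide 22): the protected network is the LAN behind the private interface.
        if priv.network not in protected:
            problems.append(
                f"{name}: private network {priv.network} is not listed as a protected network")
        tunnel_networks[name] = tun.network
    # Rule 3 (slide 38): every member's VPTUNNEL address sits in the same tunnel network.
    if len(set(tunnel_networks.values())) > 1:
        listing = ", ".join(f"{n} {net}" for n, net in tunnel_networks.items())
        problems.append(f"VPTUNNEL addresses are not in one network: {listing}")
    # Rule 4 (beyond the slides): protected networks must not overlap between sites,
    # otherwise a static route for that range cannot say which site it leads to.
    for i, a in enumerate(servers):
        for b in servers[i + 1:]:
            for pa in a["protected"]:
                for pb in b["protected"]:
                    na, nb = ipaddress.ip_network(pa), ipaddress.ip_network(pb)
                    if na.overlaps(nb):
                        problems.append(
                            f"protected network {na} of {a['name']} overlaps {nb} of {b['name']}")
    return problems


# Constructed sample plan that follows the deck's rules (addresses are assumed).
SAMPLE_PLAN = [
    {"name": "S_master", "public": "198.51.100.10/24", "private": "10.1.0.1/24",
     "vptunnel": "10.255.0.1/24", "protected": ["10.1.0.0/24"]},
    {"name": "S_slave1", "public": "203.0.113.5/24", "private": "10.2.0.1/24",
     "vptunnel": "10.255.0.2/24", "protected": ["10.2.0.0/24"]},
    {"name": "S_slave2", "public": "192.0.2.20/24", "private": "10.3.0.1/24",
     "vptunnel": "10.255.0.3/24", "protected": ["10.3.0.0/24"]},
]

# Constructed plan with the classic mistakes: the master's VPTUNNEL address
# lies inside its own private LAN, the slave's tunnel address is in a different
# network, and both sites use the same private range.
BROKEN_PLAN = [
    {"name": "S_master", "public": "198.51.100.10/24", "private": "192.168.1.1/24",
     "vptunnel": "192.168.1.250/24", "protected": ["192.168.1.0/24"]},
    {"name": "S_slave", "public": "203.0.113.5/24", "private": "192.168.1.1/24",
     "vptunnel": "10.255.0.2/24", "protected": ["192.168.1.0/24"]},
]

if __name__ == "__main__":
    for label, plan in (("sample", SAMPLE_PLAN), ("broken", BROKEN_PLAN)):
        print(label, "->", check_address_plan(plan) or "OK")
```

The broken plan produces three findings: the master's tunnel overlapping its private LAN (the slide 38 symptom), the two VPTUNNEL addresses not sharing a network, and the duplicated 192.168.1.0/24 between the sites.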
39
Common Problems and Solutions: Site-to-Site VPN (cont.)
Symptom
- In the logs in NWADMN32 I have the message “Time synchronization error from connection XXX (SKIP) Construction of SA failed for peer <IP_address>”
- The VPN stays in the “Being configured” status
Check
- That the time (clock) in the servers is not more than one hour apart in UTC
- That your ISP is not filtering any packet type (especially SKIP and UDP); note that SKIP is IP protocol 57, not a TCP or UDP port, so a filter that only passes TCP and UDP will drop it
40
Common Problems and Solutions: Site-to-Site VPN (cont.)
Symptom
- Proxies and VPN seem OK, I can ping the VPTUNNEL from the slave server, but I cannot ping anything in the master site from the clients in the slave site
Check
- The default gateway of the clients in the slave LAN
- NAT should be enabled on the public interface of the BM server ONLY (not on the private one); this is the standard set-up where the BM server is the LAN’s Internet gateway, and the corporate-LAN case study (slide 21) is the exception, with dynamic NAT on the private interface of C_master only
41
Common Problems and Solutions: Site-to-Site VPN (cont.)
Symptom
- The VPN seems okay, I can read the logs and connect to the slave site, but ping to the VPTUNNEL address doesn’t respond
Check
- The VPN licenses: the slave server might not be able to read its VPN licenses, and even if the VPN is established, it is not activated
42
Common Problems and Solutions: Client-to-Site VPN
Symptom
- When I try to authenticate to the VPN I get the message “Unable to authenticate token password”
Check
- If you aren’t using ActivCard or RADIUS, delete the Login Policy Object from eDirectory and delete the LPOCACHE.DAT file from the server
- Or, configure VPN and Proxy rules in the Login Policy Object (this keeps the object in place for any other service that relies on it)
43
Common Problems and Solutions: Client-to-Site VPN (cont.)
Symptom
- I am not able to use the VPN client from Windows ME; other VPN clients, running different OS versions, are fine
Answer
- Correct: the VPN client doesn’t work for Windows ME; support is announced for BorderManager v3.7
44
Common Problems and Solutions: Client-to-Site VPN (cont.)
Symptom
- When trying to connect to the VPN, the IPX negotiation fails (if IPX is enabled) and I can see that the client receives only unencrypted packets
Check
- That the return traffic is actually routed through the VPN server
- That the public IP address associated with the VPN (in VPNCFG) is NOT a secondary IP address lower than the primary IP address bound to the NIC