Before you start to set up the VPN component of the Novell BorderManager 3.7 software, you must meet the prerequisites described in this section. This section contains the following topics:
Before you set up a site-to-site VPN, your network must meet the following requirements:
The NetWare® routing software must be installed and configured on each VPN server. Configuring the routing software includes, but is not limited to, setting up the LAN or WAN links to the other VPN members, and configuring static or dynamic routing for Internet Packet Exchange (IPX) and IP packets. Verify connectivity between your VPN servers as required by your selected VPN topology. Any associated firewall software should be configured and connectivity should be verified before the VPN software is installed and before each VPN server is attached to the private networks it will protect.
If your VPN sites are not on the same intranet, each VPN server must have a connection to the Internet, either directly or indirectly. If your VPN server is connected directly to the Internet, obtain the public IP address provided by your Internet Service Provider (ISP) to use when connecting to the Internet. Each VPN server uses the public IP address to exchange encrypted information with other VPN servers. Obtain the public IP address before you set up the VPN. The ISP connection should also be tested before the VPN software is installed and before the VPN server is attached to any private networks. In the case of an intranet VPN, an ISP connection is not required.
If your VPN server is connected directly to the Internet, you must obtain a permanent IP address for the ISP connection. The IP address cannot be dynamically assigned by the ISP.
The VPN server must have only one connection to the Internet. Otherwise, you risk sending and receiving your confidential data unencrypted if your data is routed to the other connection.
If you are configuring a VPN server for the first time in an NDS® or Novell eDirectory tree, you must be able to log in to the server's NDS or eDirectory tree with administrative rights in order to extend the Server object schema.
If the VPN server is also the firewall machine that protects your private network from the Internet, select the Setup Novell BorderManager 3.7 for Secure Access to the Public Interface option during the initial Novell BorderManager 3.7 installation and configuration. Otherwise, load BDRCFG to configure the required filters.
If your VPN server is behind a firewall, be sure to configure the firewall with the proper packet forwarding filters, as determined by your security policy. If the firewall is also running the Novell BorderManager 3.7 software, select the Setup Novell BorderManager 3.7 for Secure Access to the Public Interface option during the initial Novell BorderManager 3.7 installation and configuration to automatically configure firewall filters. These firewall filters must then be altered as determined by your security policy. In general, the filters must be altered to allow VPN members to communicate with each other and to allow encrypted packets to pass through. The filters listed in Table 2 can be used as a guideline for how the firewall filters should be altered for VPN. The filters might also have to be altered to allow communication with other Novell BorderManager 3.7 services.
The firewall filters can also be configured after installation by loading BDRCFG. If the firewall is not running the Novell BorderManager 3.7 software, you must configure these filters manually as described in the documentation provided with the third-party firewall product.
Table 2. VPN Filters

Exception filters for the VPN master server to allow incoming traffic:

  Protocol       Source Address       Source Port   Destination Address   Destination Port
  TCP (ID=6)     Any                  213           VPN public address    Any
  SKIP (ID=57)   Any                  Any           Any                   Any
  UDP (ID=17)    Any                  2010          VPN public address    2010

Exception filters for the VPN master server to allow outgoing traffic:

  Protocol       Source Address       Source Port   Destination Address   Destination Port
  TCP (ID=6)     VPN public address   Any           Any                   213
  SKIP (ID=57)   Any                  Any           Any                   Any
  UDP (ID=17)    VPN public address   2010          Any                   2010

Exception filters for the VPN slave server to allow incoming traffic:

  Protocol       Source Address       Source Port   Destination Address   Destination Port
  TCP (ID=6)     Any                  Any           VPN public address    213
  SKIP (ID=57)   Any                  Any           Any                   Any
  UDP (ID=17)    Any                  2010          VPN public address    2010

Exception filters for the VPN slave server to allow outgoing traffic:

  Protocol       Source Address       Source Port   Destination Address   Destination Port
  TCP (ID=6)     VPN public address   213           Any                   Any
  SKIP (ID=57)   Any                  Any           Any                   Any
  UDP (ID=17)    VPN public address   2010          Any                   2010
If you have set up two VPN servers on the same network, or the hop count between the two VPN servers is one, you must use FILTCFG to prevent all private network routes from being advertised through the public interfaces. Complete this process for both IPX and IP as described in the packet filtering online documentation.
If your network uses Open Shortest Path First (OSPF) dynamic routing, your VPN server must be located on a pure OSPF backbone area.
Client-to-Site VPN Prerequisites
Before you install the VPN client software, verify that the following prerequisites have been met:
The workstation must be running Windows 98, Windows 2000, Windows XP, Windows Me, or Windows NT.
If the VPN client will be using a dial-up connection, Microsoft Dial-Up Networking must be installed before installing the VPN client software.
If you are using the VPN client with the Novell Client software, Novell Client version 3.3 or later is recommended.
If you are using the VPN LAN client, you must have an Ethernet adapter.
If you are using Windows NT, you must use an Intel-based workstation. The VPN client does not support Alpha workstations.
If you are using Windows NT, the Windows NT Service Pack 3 (SP3) or later version must be installed before installing the VPN client software. Note that the SP3 must be reinstalled whenever you install a feature from the Windows NT CD-ROM, such as Networking or Remote Access Services, that was not already on the system when you installed SP3.
If you are using Windows NT, you must log in to Windows NT as a user with administrative rights in order to install the VPN client.
The VPN server must have only one connection to the Internet. Otherwise, you risk sending and receiving your confidential data unencrypted if your data is routed to the other connection.
If your VPN server is behind a firewall, be sure to configure the firewall with the proper packet forwarding filters, as determined by your security policy. If the firewall is also running the Novell BorderManager 3.7 software, select the Setup Novell BorderManager 3.7 for Secure Access to the Public Interface option during the initial installation and configuration to automatically configure firewall filters. These firewall filters must then be altered as determined by your security policy. In general, the filters must be altered to allow VPN clients to communicate with the server and to allow encrypted packets to pass through. The filters listed in Table 3 can be used as a guideline for how the firewall filters should be altered. The filters might also have to be altered to allow communication with other Novell BorderManager 3.7 services.
The firewall filters can also be configured after installation by loading BDRCFG. If the firewall is not running the Novell BorderManager 3.7 software, you must configure these filters manually as described in the documentation provided with the third-party firewall product.
Table 3. Filters Required for Client-to-Site VPNs

Exception filters for the VPN master or slave server to allow incoming traffic:

  Protocol       Source Address       Source Port   Destination Address   Destination Port
  TCP (ID=6)     Any                  Any           VPN public address    353
  SKIP (ID=57)   Any                  Any           Any                   Any
  UDP (ID=17)    Any                  353           Any                   353

Exception filters for the VPN master or slave server to allow outgoing traffic
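As an added example (not code from the Novell documentation or the BorderManager product), the exception filters of Table 2 and the incoming rows of Table 3 encoded as match rules and evaluated against constructed sample packets, so the effect of each table entry on a given packet can be checked before the filters are entered in BDRCFG or a third-party firewall. The server's public address, the sample packets, and a default-deny policy on the public interface are assumptions of the example.

```python
# Added example, not Novell's code: Table 2 and the incoming rows of Table 3 as match rules.
ANY = None                  # "Any" in the tables
TCP, UDP, SKIP = 6, 17, 57  # protocol IDs as quoted in the tables
PUB = "VPN public address"  # placeholder, replaced by the real address when matching

# (table, role, direction, protocol, src_addr, src_port, dst_addr, dst_port)
RULES = [
    # Table 2: site-to-site, master server
    ("site", "master", "in",  TCP,  ANY, 213,  PUB, ANY),
    ("site", "master", "in",  SKIP, ANY, ANY,  ANY, ANY),
    ("site", "master", "in",  UDP,  ANY, 2010, PUB, 2010),
    ("site", "master", "out", TCP,  PUB, ANY,  ANY, 213),
    ("site", "master", "out", SKIP, ANY, ANY,  ANY, ANY),
    ("site", "master", "out", UDP,  PUB, 2010, ANY, 2010),
    # Table 2: site-to-site, slave server
    ("site", "slave", "in",  TCP,  ANY, ANY,  PUB, 213),
    ("site", "slave", "in",  SKIP, ANY, ANY,  ANY, ANY),
    ("site", "slave", "in",  UDP,  ANY, 2010, PUB, 2010),
    ("site", "slave", "out", TCP,  PUB, 213,  ANY, ANY),
    ("site", "slave", "out", SKIP, ANY, ANY,  ANY, ANY),
    ("site", "slave", "out", UDP,  PUB, 2010, ANY, 2010),
    # Table 3: client-to-site, master or slave; incoming rows only (outgoing rows are not on the page)
    ("client", ANY, "in", TCP,  ANY, ANY, PUB, 353),
    ("client", ANY, "in", SKIP, ANY, ANY, ANY, ANY),
    ("client", ANY, "in", UDP,  ANY, 353, ANY, 353),
]

def _match(rule_value, packet_value):
    return rule_value is ANY or rule_value == packet_value

def allowed(table, role, direction, proto, src_addr, src_port, dst_addr, dst_port, public_addr):
    """True if an exception filter permits the packet; anything unmatched is treated as dropped
    (the firewall's default-deny on the public interface is an assumption of this example)."""
    for t, r, d, p, rs, rsp, rd, rdp in RULES:
        if t != table or not _match(r, role) or d != direction or p != proto:
            continue
        rs = public_addr if rs == PUB else rs   # substitute the server's real public address
        rd = public_addr if rd == PUB else rd
        if (_match(rs, src_addr) and _match(rsp, src_port)
                and _match(rd, dst_addr) and _match(rdp, dst_port)):
            return True
    return False

if __name__ == "__main__":
    server = "203.0.113.5"  # constructed public address of a slave server
    # a peer opening TCP 213 to the slave is allowed; the same packet to port 214 is dropped
    print(allowed("site", "slave", "in", TCP, "198.51.100.7", 40000, server, 213, server))
    print(allowed("site", "slave", "in", TCP, "198.51.100.7", 40000, server, 214, server))
```

Note that the SKIP (ID=57) rows match on addresses and ports only as "Any", so the evaluator passes SKIP traffic for every role and direction, exactly as the tables state; tighten those rows in the real filters according to your security policy.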