The Novell IP Gateway configuration options and limitations are described in the following sections:
As part of the gateway server's configuration, you must provide a valid Domain Name System (DNS) domain name and the IP address of at least one DNS name server. The gateway server uses DNS to resolve IP hostnames on behalf of gateway clients on your private network.
NOTE: If a DNS name server was specified during Novell BorderManager 3.7 product installation, this requirement has already been satisfied.
The gateway client, which maintains a control connection between the client and the gateway server, attempts to connect to a preferred gateway server if one is configured. If the specified gateway server is not available, the gateway client searches for the following:
Configuring a preferred gateway server usually reduces the amount of time required for the client to connect to the gateway server.
NOTE: If a preferred gateway server is specified for a client and a user who is not logged in to eDirectory attempts to run WinSock applications, the gateway client does not send the client's WinSock requests to the Novell IP Gateway until the user logs in.
The Novell IP Gateway supports both SOCKS 4 and SOCKS 5 clients. Before you configure the gateway's SOCKS service, you should determine the versions of SOCKS clients that need access to the Internet through the gateway.
The SOCKS 4 protocol was created to allow users of TCP/IP applications transparent access to the Internet through a SOCKS 4 firewall. However, SOCKS 4 does not support authentication, which is a required security component for a firewall solution. SOCKS 5 enhances SOCKS 4 by providing strong authentication methods.
If you need to support SOCKS 4 clients but not SOCKS 5 clients, you do not need to configure an authentication scheme for the Novell IP Gateway because SOCKS 4 does not support user authentication. You can allow SOCKS 4 users on your network to access to the Internet through the gateway by doing the following:
For the configuration procedures for these tasks, refer to the Novell IP Gateway and NAT online documentation.
If your network has SOCKS 5 clients, you can configure the gateway to authenticate these users before they can access the Internet through the gateway. If some SOCKS 5 users also use a Novell ClientTM, you can also enable single sign-on. This allows the gateway to perform SOCKS 5 authentication in the background if the user is already logged in to NDS or eDirectory with the Novell Client software. With single sign-on, the user is not aware that the authentication is occurring in the background because a prompt for a username and password does not appear. An option for no authentication is also available, allowing SOCKS 5 users to use the gateway without restriction.
You can allow SOCKS 5 users on your network to access the Internet through the gateway by doing the following:
For the configuration procedures for these tasks, refer to the Novell IP Gateway and NAT online documentation.
The following SOCKS 5 authentication options are supported:
IMPORTANT: If multiple authentication methods are selected, the client uses the strongest authentication method it is capable of using. NDS or eDirectory User/Password is the strongest method, followed by Clear Text User/Password and None. If you plan to implement access control for SOCKS 5 clients, you cannot select None.
Additional authentication options are available, but they do not constitute valid eDirectory authentication options by themselves. These options are as follows:
You should select authentication options that are consistent with your organization's security policy. Refer to the following table for a few configuration examples of SOCKS 5 authentication.
You can also configure the Novell BorderManager 3.7 proxy server as a SOCKS client to the Novell IP Gateway. In this scenario, the proxy server does not connect directly to the Internet to contact an origin server; instead, it sends requests to the Novell IP Gateway which serves as a firewall to the Internet. The proxy server and Novell IP Gateway can be configured on the same physical server.
For more information about configuring the proxy as a SOCKS client, refer to the Proxy Services online documentation.
When you use the Novell IP Gateway, all TCP and UDP traffic is funneled through one or more gateway servers. Novell IP Gateways can have complete control over user access to Internet resources. Access control information is stored in eDirectory and can be configured only by the administrator (or a user with administrative rights) using the NetWare Administrator utility. You can restrict access by TCP port (Web, FTP, Telnet, and so on), UDP port, or IP host address. You can also limit access to certain ports and IP addresses to a specific time of day. Note that access control restricts access to TCP/IP networks and services, not to directories or files on the Novell BorderManager 3.7 server running the Novell IP Gateway software.
You can specify the access control information for the Novell IP Gateway at different object levels in eDirectory: Server, Organizational Unit, Organization, or Country.
The Novell IP Gateway has the following limitations: