
Bypassing Login because of gateway


happygolucky

Nov 22, 2000
I have set up BM 3.5 on a 4.2 server. Everything is running fine except
one thing. If you install a client and with it also install the IP
gateway, users can access the gateway without hitting a proxy
authorization (disable proxy and port in browser). I would like to
deny access to the gateway ONLY by allowing proxy authorization. Is
there a way to prevent this?




CSL

Nov 23, 2000
hi,

you can enforce the usage of the proxy and the gateway only if you
enable the transparent proxy.
Do you have SSO authentication enabled for the gateway?
Frankly, I would get rid completely of the IPX/IP gateway, and just
install IP on every client.

--
Cat
Novell Support Connection Volunteer

happygolucky

Nov 29, 2000
In article <3A1D11D9...@not-here.com>, CSL <c...@not-here.com>
wrote:

If you enable transparent proxy with the ipx/ip gateway, will they get
a proxy logon? In the transparent config in nwadmin, I have the
private address configured on the right and on the left is the service
port of 8080. Is this not correct?
I am running the SSL configuration with the certificates and keys and
people can not get out without going through the proxy. They CAN get
out if the ip gateway service is installed in the network configuration
on the client p.c. The client running the gateway services is not
forced to use an authentication mechanism, however, I can see them on
the server as listed as using the gateway.

If I go to a IP/IP gateway, when people vpn into the network, will they
still be able to get to an IPX server?? I would think that the gateway
would need to run the IPX services to know how to route the IPX
packets. The 4.2 servers are running IP but not the Netware domain
tcp/ip services that allow your client to connect to a server with the
tcp/ip over ipx protocol or what ever it is called.

One last thing. The logging for the proxy services does not seem to
work like B.M. 2.1 Sometimes it will and most of the time it will not.
I can see the logs being generated in the etc\proxy\logs directory but
the B.M. snap-in will not let me view the logs. When you give a date,
it says that the record does not exist..?

Thanks for the reply..

CSL

Nov 30, 2000
Hi

>
> If you enable transparent proxy with the ipx/ip gateway, will they get
> a proxy logon?

no, you can only use SSO (clntrust.exe) when you use the IPX/IP gateway.

> In the transparent config in nwadmin, i have the
> private address configured on the right and on the left is the service
> port of 8080. Is this not correct?

So, you have two IP addresses on your server? One private and one public? Are you running IP on your
network?
The transparent proxy config in NWadmn32 is practically irrelevant when you use the gateway. You can
just check the checkbox to enable it. Anyway, you should have 80, not 8080.

> I am running the SSL configuration with the certificates and keys and
> people can not get out without going through the proxy. They CAN get
> out if the ip gateway service is installed in the network configuration
> on the client p.c. The client running the gateway services is not
> forced to use an authentication mechanism, however, I can see them on
> the server as listed as using the gateway.

that's right. You can't really enforce the IPX client to use the proxy if they are using the gateway,
unless you use the transparent proxy.
You will have to enable SSO authentication in the IP gateway page in NWadmn32, as well.

> If I go to a IP/IP gateway, when people vpn into the network, will they
> still be able to get to an IPX server??

yes. The gateway and the VPN are two separate products.
I feel though that you should drop the gateway completely. Why do you want to use the IP/IP gateway?
It is unstable and slow. You can just have your clients use a standard IP stack for browsing and
internet access while you still use IPX for client/server communication. You don't need the gateways
at all.

> I would think that the gateway
> would need to run the IPX services to know how to route the IPX
> packets.

no, actually the gateway can only complicate your setup.

> One last thing. The logging for the proxy services does not seem to
> work like B.M. 2.1 Sometimes it will and most of the time it will not.
> I can see the logs being generated in the etc\proxy\logs directory but
> the B.M. snap-in will not let me view the logs. When you give a date,
> it says that the record does not exist..?

The logging for BM3.x does NOT work as in BM2.1, indeed.
Did you enable indexed logging for the proxy in NWadmn32, BM setup, HTTP proxy details, in the
logging page?
BTW, if you use the transparent proxy you will not be able to see the URL of the sites, just the IP
addresses.

happygolucky

Nov 30, 2000
In article <3A262A45...@not-here.com>, CSL <c...@not-here.com>
wrote:

Hi Cat.

> I feel though that you should drop the gateway completely. Why do
> you want to use the IP/IP gateway?
> It is unstable and slow. You can just have your clients use a
> standard IP stack for browsing and internet access while you still
> use IPX for client/server communication. You don't need the gateways
> at all.

If I run a PRIVATE VPN between servers at corporate sites, would I not
need to use a ipx/ip or ip/ip gateway? If that is the case, what is
the gateway for?

If I drop the gateways, I am guessing that ALL of the client p.c.s,
regardless if they had the gateway installed, would be FORCED to use
the SSL certificates that I have set up now and hit a proxy
authentication screen. Is this correct?

I am going to go to a total VPN solution next year with B.M. at each
site serving each private LAN. I will be dropping the PVCs that we are
using now. When I get the servers talking to each other over the ipsec
tunnel, if a client p.c. accesses a server in a remote location over
the tunnel, please tell me that I will not have to set up the vpn
client for remote access on every p.c. I mean, when you do a browse
network neighborhood, you should be able to see the remote servers over
the ipsec tunnel without doing any kind of dial up. Is this correct?

happygolucky

Nov 30, 2000
> I feel though that you should drop the gateway completely. Why do
> you want to use the IP/IP gateway?
> It is unstable and slow. You can just have your clients use a
> standard IP stack for browsing and internet access while you still
> use IPX for client/server communication. You don't need the gateways
> at all.

If I run a PRIVATE VPN between servers at corporate sites, would I not
need to use a ipx/ip or ip/ip gateway? If that is the case, what is
the gateway for?

If I drop the gateways, I am guessing that ALL of the client p.c.s,
regardless if they had the gateway installed, would be FORCED to use
the SSL certificates that I have set up now and hit a proxy
authentication screen. Is this correct?

I am going to go to a total VPN solution next year with B.M. at each
site serving each private LAN. I will be dropping the PVCs that we are
using now. When I get the servers talking to each other over the ipsec
tunnel, if a client p.c. accesses a server in a remote location over
the tunnel, please tell me that I will not have to set up the vpn
client for remote access on every p.c. I mean, when you do a browse
network neighborhood, you should be able to see the remote servers over
the ipsec tunnel without doing any kind of dial up. Is this correct?

And yes we will be using a frame relay internet connection (local loop).

CSL

Nov 30, 2000
Is this a duplicate? I don't see differences between this and your
previous message. If there are differences, please point them out to me!
Thanks.

CSL

Nov 30, 2000
Hi,

> If I run a PRIVATE VPN between servers at corprate sites, would I not
> need to use a ipx/ip or ip/ip gateway?

absolutely not. You don't need the gateways at all.

> If that is the case, what is
> the gateway for?

good question. The IPX/IP gateway was used when the clients had IPX only, and allowed them to access
the internet. The IP/IP gateway allows access to the internet without having to configure a default
gateway and DNS resolver in the client, and gives a bit higher level of control than the
proxies, but this is it.

> If I drop the gateways, I am guessing that ALL of the client p.c.s,
> regardless if they had the gateway installed, would be FORCED to use
> the SSL certificates that I have set up now and hit a proxy
> authentication screen. Is this correct?

no, you can use SSO authentication. This would be completely transparent to the users logged into the
NDS provided that they are running the clntrust.exe program in the login script.

> I am going to go to a total VPN solution next year with B.M. at each
> site serving each private LAN. I will be droping p.v.c's that we are
> using now. When I get the servers talking to each other over the ipsec
> tunnel, if a client p.c. accesses a server in a remote location over
> the tunnel, please tell me that I will not have to set up the vpn
> client for remote access on every p.c. I mean, when you do a browse
> network neighborhood, you should be able to see the remote servers over
> the ipsec tunnel without doing any kind of dial up. Is this correct?

yes, it's correct. If you use the site to site VPN you don't need any extra software (other than the
netware client) on the workstations.

happygolucky

Nov 30, 2000
In article <3A268C40...@not-here.com>, CSL <c...@not-here.com>
wrote:

Man, all this time I have been running the gateway using up
resources... geez!

> > If I drop the gateways, I am guessing that ALL of the client p.c.s,
> > regardless if they had the gateway installed, would be FORCED to use
> > the SSL certificates that I have set up now and hit a proxy
> > authentication screen. Is this correct?
>
> no, you can use SSO authentication. This would be completely
> transparent to the users logged into the NDS provided that they are
> running the clntrust.exe program in the login script.

But I want to have ALL of the clients hit the authentication proxy so
that people have to enter their login credentials every time they go to
the internet. Not have them login in the background. I had to put a
time limit on the proxy so that if people forget to logout in the
evening, the proxy and certificate would expire. Also for keeping up
with whom went where in the proxy logs. I guess what I am looking for
is if I disable the gateways AND the transparent login so that EVEN if
the clients have the gateway installed in network config, they would
not be able to hit the internet WITHOUT being prompted for a proxy
login. I have set up NOW the SSL and certificates that will prompt
people to login when they hit the internet. That is what I WANT to
happen. I do not want them to hit the internet WITHOUT a login.

One last thing. Right now, all of our corp. sites are coming to one
gateway and DNS to go out to the internet. When I go TOTAL private vpn
and set up BM 3.5 at each private LAN, I know the gateway address for
each site will change respectively. The thing that I am thinking about
is that when they go out to the internet, they will ALL have to come
into the existing site set up NOW with DNS to resolve. Do you think
that this will be ok? I know that each B.M. server will eventually get
the cache filled with DNS entries so that it would not hit the existing
DNS EVERYTIME. This would save me from having a DNS server at each
location. Do you think that this would work efficiently?

Thanks Cat, you have been a big help!

P.s. I accidently sent the post twice last time. Sorry..

CSL

Dec 1, 2000
hi,

> But I want to have ALL of the clients hit the authentication proxy so
> that people have to enter their log in credentials everytime they go to
> the internet. Not have them login in the background.

Ah, ok. In this case you can use SSL as well, no problem. I thought you didn't want to use SSL. *My*
clients would hate to have to type in username and Pwd every time!

> I had to put a
> time limit on the proxy so that if people forget to logout in the
> evening, the proxy and certificate would expire. Also for keeping up
> with whom went where in the proxy logs.

This would be possible with SSO as well....

> I guess what I am looking for
> is if I disable the gateways AND the transparent login so that EVEN if
> the clients have the gateway installed in network config, they would
> not be able to hit the internet WITHOUT being prompted for a proxy
> login.

If the IP gateway is installed on the client this will not work because the client will try to
contact the IP gateway component on the server, which will not respond. You must disable the IP
gateway on the server and remove it from the clients.

> I have set up NOW the SSL and certificates that will prompt
> people to login when they hit the internet. That is what I WANT to
> happen. I do not want them to hit the internet WITHOUT a login.

SSO doesn't mean that they get to the internet without the login. It just means that their ID is
transferred to the server, but the level of control is the same. Anyway, if you want to use SSL, it's
fine, as well.

> One last thing. Right now, all of our corp. sites are coming to one
> gateway and DNS to go out to the internet. When I go TOTAL private vpn
> and set up BM 3.5 at each private LAN, I know the gateway address for
> each site will change respectively. The thing that I am thinking about
> is that when they go out to the internet, they will ALL have to come
> into the existing site set up NOW with DNS to resolve. Do you think
> that this will be ok? I know that each B.M. server will eventually get
> the cache filled with DNS entries so that it would not hit the existing
> DNS EVERYTIME. This would save me from having a DNS server at each
> location. Do you think that this would work efficently?

It will work, but not efficiently. The DNS response will be quite slow (it has to travel every time
through the VPN) and if by any chance the VPN is down your clients will not be able to access the
internet.

>
> Thanks Cat, you have been a big help!

you are welcome.

> P.s. I accidently sent the post twice last time. Sorry..

no problem, I just thought you wanted to add something, but I couldn't find what!

happygolucky

Dec 1, 2000

> Ah, ok. In this case you can use SSL as well, no problem. I
> thought you didn't want to use SSL. *My*
> clients would hate to have to type in username and Pwd every time!

Yea, mine do also but the CEOs want this because of legal issues.
People try to go to sites that are not suitable. We have people that
clean the buildings and if the person does not log out then the
cleaning people can access the internet as whoever is already logged in.
This would make you think that the employee hit the site. I do have
Cyber Patrol but the C.P. people can not block EVERY site.

> > I had to put a time limit on the proxy so that if people forget to
> > logout in the evening, the proxy and certificate would expire. Also for
> > keeping up with whom went where in the proxy logs.
>
> This would be possible with SSO as well....

How can SSO check to see if a person is or is not a trusted client
accessing the internet? I mean you are logged in as the client and the
login to the internet is transparent, does it not check the existing
NDS login credentials of the client that is logged in at that time and
then grant him or her access?

> > I guess what I am looking for is if I disable the gateways AND the
> > transparent login so that EVEN if the clients have the gateway installed
> > in network config, they would not be able to hit the internet WITHOUT
> > being prompted for a proxy login.
>
> If the IP gateway is installed on the client this will not work because
> the client will try to contact the IP gateway component on the server,
> which will not respond. You must disable the IP gateway on the server
> and remove it from the clients.

Alas! That is what I set up yesterday and it works. If the IP
gateway client is installed it will prompt the gateway for credentials.
IF the gateway is not installed, it will NOT let someone through
because it is not there. So in turn, that person WILL have to go to
the PROXY authentication or not get out at ALL. Having the gateway
installed has been what was messing me up, Cat, in trying to force
clients to the PROXY.

> > I have set up NOW the SSL and certificates that will prompt people to
> > login when they hit the internet. That is what I WANT to happen. I do
> > not want them to hit the internet WITHOUT a login.
>
> SSO doesn't mean that they get to the internet without the login. It
> just means that their ID is transferred to the server, but the level of
> control is the same. Anyway, if you want to use SSL, it's fine, as well.

This is what I want..

> > One last thing. Right now, all of our corp. sites are coming to one
> > gateway and DNS to go out to the internet. When I go TOTAL private vpn
> > and set up BM 3.5 at each private LAN, I know the gateway address for
> > each site will change respectively. The thing that I am thinking about
> > is that when they go out to the internet, they will ALL have to come
> > into the existing site set up NOW with DNS to resolve. Do you think
> > that this will be ok? I know that each B.M. server will eventually get
> > the cache filled with DNS entries so that it would not hit the existing
> > DNS EVERYTIME. This would save me from having a DNS server at each
> > location. Do you think that this would work efficiently?
>
> It will work, but not efficiently. The DNS response will be quite slow
> (it has to travel every time through the VPN) and if by any chance the
> VPN is down your clients will not be able to access the internet.

Yea, that is what I thought you would say. Ok. I am registered on
InterNIC, duh, for the main entry point to the DNS saying the mail server
is bla bla etc. The thing is that all requests from the outside are
going to come to the EXISTING DNS IP. Like mail for instance. We are
using G.W. 5.5 and the mail server is bla bla IP address. The main DNS
IP is registered with InterNIC and all requests come to that IP which in
turn looks to find the MX record for G.W. I am confused with the DNS
and the MULTIPLE gateways for DNS resolution both IN and OUT of the
network.


The proxy is working just as planned now!

CSL

Dec 4, 2000
hi,

> Yea, mine do also but the CEOs want this because of legal issues.
> People try to go to sites that are not suitable. We have people that
> clean the buildings and if the person does not log out then the
> cleaning people can access the internet as whoever is already logged in.
> This would make you think that the employee hit the site. I do have
> Cyber Patrol but the C.P. people can not block EVERY site.

I see. We have the same problem here, and we solved it by enforcing the screensaver with the password.
Once people realize that if someone uses their workstation and ID to do something "illegal" *they*
are responsible, they stop complaining about the screensaver.

> How can SSO check to see if a person is or is not a trusted client
> accessing the internet? I mean you are logged in as the client and the
> login to the internet is transparent, does it not check the existing
> NDS login credentials of the client that is logged in at that time and
> then grant him or her access?

sure, that's exactly what SSO does.


> Alas! That is what I have set up yesterday and it works. If the IP
> gateway client is installed it will prompt the gateway for credentials.
> IF the gateway is not installed, it will NOT let someone through
> because it is not there. So in turn, that person WILL have to go to
> the PROXY authentication or not get out at ALL. Having the gateway
> installed has been what was messing me up, CAT, in trying to force
> clients to the PROXY.

that's right. The gateway and the proxy authentication don't work together.

> Yea, that is what I thought you would say. Ok. I am registered on
> InterNIC, duh, for the main entry point to the DNS saying the mail server
> is bla bla etc. The thing is that all requests from the outside are
> going to come to the EXISTING DNS IP. Like mail for instance. We are
> using G.W. 5.5 and the mail server is bla bla IP address. The main DNS
> IP is registered with InterNIC and all requests come to that IP which in
> turn looks to find the MX record for G.W. I am confused with the DNS
> and the MULTIPLE gateways for DNS resolution both IN and OUT of the
> network.

I am not sure I understand.
Once your sites are connected in one single VPN they will be able to reach the devices in the
different locations through their private IP addresses. The public IP addresses will be used only
from and to the internet.

> The proxy is working just as planned now!

excellent!
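The two risks discussed above (an employee's unattended, still-logged-in workstation being used by someone else after hours, and a proxy idle timeout that forces a fresh login so the log attribution holds) can be checked against the proxy logs after the fact. The following is an added example, not code from this thread, from Novell or from BorderManager: the log layout (ISO timestamp, authenticated user, client address, URL), the users, addresses and working hours are all constructed for the example. It splits each user's requests into sessions using the proxy's idle timeout, so the first request of every session is one the proxy must have re-prompted for, then flags sessions with activity outside working hours, which is exactly the case where either the employee was present or someone else had their password or unlocked workstation.

```python
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample proxy log. The field layout is an assumption for this
# example, not BorderManager's on-disk log format: ISO timestamp,
# authenticated user, client address, URL.
SAMPLE_LOG = """\
2000-12-01T08:55:10 jdoe 10.1.2.33 http://www.novell.com/
2000-12-01T09:10:42 jdoe 10.1.2.33 http://support.novell.com/
2000-12-01T17:02:05 jdoe 10.1.2.33 http://www.novell.com/
2000-12-01T21:40:17 jdoe 10.1.2.33 http://example.org/
2000-12-01T21:41:03 jdoe 10.1.2.33 http://example.org/games
2000-12-01T09:30:00 asmith 10.1.2.40 http://www.novell.com/
"""


def parse_log(text):
    """Return (timestamp, user, client_ip, url) tuples, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, client, url = line.split(maxsplit=3)
        records.append((datetime.fromisoformat(ts), user, client, url))
    records.sort(key=lambda r: r[0])
    return records


def split_sessions(records, idle_timeout):
    """Group requests per (user, client) into sessions.

    A gap longer than idle_timeout between consecutive requests starts a new
    session: with a proxy that expires credentials after that long, the first
    request of each session is the one that had to be authenticated again.
    """
    by_key = defaultdict(list)
    for rec in records:
        by_key[(rec[1], rec[2])].append(rec)
    sessions = []
    for (user, client), recs in by_key.items():
        current = [recs[0]]
        for prev, cur in zip(recs, recs[1:]):
            if cur[0] - prev[0] > idle_timeout:
                sessions.append((user, client, current))
                current = []
            current.append(cur)
        sessions.append((user, client, current))
    return sessions


def after_hours_sessions(sessions, work_start=time(7, 0), work_end=time(19, 0)):
    """Sessions with at least one request outside working hours, as
    (user, client, first_seen, last_seen, request_count)."""
    flagged = []
    for user, client, recs in sessions:
        if any(not (work_start <= r[0].time() < work_end) for r in recs):
            flagged.append((user, client, recs[0][0], recs[-1][0], len(recs)))
    return flagged


def count_sessions(text, idle_minutes):
    """Number of distinct authenticated sessions per user under a timeout."""
    counts = {}
    for user, _client, _recs in split_sessions(parse_log(text), timedelta(minutes=idle_minutes)):
        counts[user] = counts.get(user, 0) + 1
    return counts


def audit(text, idle_minutes):
    """Full pass: parse, sessionise with the given idle timeout, flag after-hours use."""
    sessions = split_sessions(parse_log(text), timedelta(minutes=idle_minutes))
    return after_hours_sessions(sessions)


if __name__ == "__main__":
    for user, client, first, last, n in audit(SAMPLE_LOG, idle_minutes=60):
        print(f"{user}@{client}: {n} request(s) {first:%H:%M}-{last:%H:%M} outside working hours")
```

With a 60-minute timeout jdoe's 21:40 activity is its own session, so the log says that someone re-entered jdoe's credentials at 21:40 and the question is who; with an 8-hour timeout the same requests merge into the day's session and the log can no longer distinguish the employee from whoever used the unlocked PC, which is the reason for the short timeout and the password-protected screensaver.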

happygolucky

Dec 4, 2000
> > Yea, that is what I thought you would say. Ok. I am registered on
> > InterNIC, duh, for the main entry point to the DNS saying the mail server
> > is bla bla etc. The thing is that all requests from the outside are
> > going to come to the EXISTING DNS IP. Like mail for instance. We are
> > using G.W. 5.5 and the mail server is bla bla IP address. The main DNS
> > IP is registered with InterNIC and all requests come to that IP which in
> > turn looks to find the MX record for G.W. I am confused with the DNS
> > and the MULTIPLE gateways for DNS resolution both IN and OUT of the
> > network.
>
> I am not sure I understand.
> Once your sites are connected in one single VPN they will be able to
> reach the devices in the different locations through their private IP
> addresses. The public IP addresses will be used only

O.K. Bear with me. What I am going to try to explain will be just
for the client connections at EACH location going out through EACH
location's local internet connection (T1). Each of these will be tied
together with B.M. 3.5.

I know that each location will be tied together via VPN and that all
B.M. servers will allow all clients to see each others LAN's resources
because of the IPSEC tunnel.

What I am thinking about is when the clients at each location hits the
internet. Not the tunnel. When they hit the internet, they will need
a resolver for DNS. I had talked about using the EXISTING DNS server
for resolution. Because of high dns traffic from ALL locations having
to go to ONE point for resolution, we had thought that this would not
be good. NOW I need to put a DNS server at each LAN's gateway for just
internet traffic and resolution. This is how I am a little confused..

Each location will have a DNS server now. I am thinking that I just
copy the EXISTING DNS records to each respective location's DNS server.
Now, all of the local clients will be pointed to their respective DNS
I.P. that has the records from the PRIMARY EXISTING DNS, i.e. MX
records, host names, etc., that I have set up now (the records that I
have set up as of NOW I was going to point everyone to but will not
because of the traffic.).. I guess this would be considered as backup
DNS servers of the MAIN that is set up as of NOW. Would this not be
the correct way to set this up?

CSL

Dec 4, 2000
Hi,

> What I am thinking about is when the clients at each location hits the
> internet. Not the tunnel. When they hit the internet, they will need
> a resolver for DNS. I had talked about using the EXISTING DNS server
> for resolution. Because of high dns traffic from ALL locations having
> to go to ONE point for resolution, we had thought that this would not
> be good. NOW I need to put a DNS server at each LAN's gateway for just
> internet traffic and resolution. This is how I am a little confused..

Ok. I will try to explain this.
When you get an internet connection in each location your ISP will provide also the IP addresses of
the DNS servers that you can refer to.
This will allow you to resolve IP addresses and access the internet in each location without routing
the traffic through the main office (unless this is what you want to do).
In other words, the VPN servers will know when a packet is directed to the LANs protected by the VPN
or when it is directed to the internet. If it is directed to the VPN it will encrypt it, otherwise it
will send it in clear. This is the most efficient solution.
Alternatively, you can have all the traffic directed to the Internet going through the main office
and VPN server, but in this case you will have to realize that the internet traffic in your main
office will be increased enormously.

> Each location will have a DNS server now. I am thinking that I just
> copy the EXISTING DNS records to each respective location's DNS server.

you don't need a DNS server in each location unless you have specific *internal* (i.e. not publicly
available) entries that need to be resolved. For normal browsing you can just configure each BM
server to query your ISP's DNS server.

> Now, all of the local clients will be pointed to their respective DNS
> I.P. that has the records from the PRIMARY EXISTING DNS, i.e. MX
> records, host names, etc., that I have set up now (the records that I
> have set up as of NOW I was going to point everyone to but will not
> because of the traffic.).. I guess this would be considered as backup
> DNS servers of the MAIN that is set up as of NOW. Would this not be
> the correct way to set this up?

Not really. You can't have multiple DNS servers configured as the primary servers for the same
domain. If this is a public domain you don't need to do this at all. Just refer to your ISP's DNS
server, and it will query your public DNS server through the Internet, not over the VPN.
On the other hand, if you are talking about INTERNAL DNS entries, you can just add your private DNS
server to the list of DNS resolvers for each site, followed by your ISP's DNS servers.
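The routing rule described above (a destination inside one of the site LANs goes into the tunnel, anything else leaves in clear through the local ISP link) and the resolver order (private DNS first, then the ISP's resolvers) can be modelled and checked together. The following is an added example, not code from this thread, from Novell or from BorderManager; the site names, LAN prefixes, ISP resolver addresses and the internal DNS address are all constructed. It classifies destinations the way the VPN server would and then verifies, per site, that the internal resolver is reached over a protected path (so private-name queries never leave the site in clear) while every ISP resolver is reached over the internet path (so lookups keep working when the tunnel is down).

```python
import ipaddress

# Constructed addressing for a three-site deployment. Site names, LAN
# prefixes, the ISP resolver addresses and the internal DNS address are all
# assumptions for this example.
SITES = {
    "hq":   {"lan": "10.1.0.0/16", "isp_dns": ["198.51.100.53"]},
    "east": {"lan": "10.2.0.0/16", "isp_dns": ["203.0.113.53"]},
    "west": {"lan": "10.3.0.0/16", "isp_dns": ["192.0.2.53"]},
}
INTERNAL_DNS = "10.1.0.10"  # the existing internal name server, located at HQ


def protected_prefixes(sites):
    """All site LANs: traffic between them stays private (local LAN or tunnel)."""
    return [ipaddress.ip_network(site["lan"]) for site in sites.values()]


def path_for(dst, sites):
    """'protected' if dst lies in a site LAN (served locally or encrypted into
    the site-to-site tunnel), 'internet' if it leaves through the local ISP
    link in clear. This is the split the VPN server makes per packet."""
    addr = ipaddress.ip_address(dst)
    return "protected" if any(addr in p for p in protected_prefixes(sites)) else "internet"


def resolver_list(site, sites, internal_dns=INTERNAL_DNS):
    """Resolver order for one site: internal server first (private names),
    then that site's own ISP resolvers (everything public)."""
    return [internal_dns] + list(sites[site]["isp_dns"])


def check_resolvers(site, sites, internal_dns=INTERNAL_DNS):
    """Return a list of misconfigurations in one site's resolver order.

    The internal server must take the protected path, otherwise queries for
    private names leave the site unencrypted; every ISP resolver must take
    the internet path, otherwise all lookups depend on the tunnel and fail
    with it, which is the failure mode of pointing every site at HQ's DNS.
    """
    problems = []
    for i, dns in enumerate(resolver_list(site, sites, internal_dns)):
        expected = "protected" if i == 0 else "internet"
        actual = path_for(dns, sites)
        if actual != expected:
            problems.append(f"{site}: resolver {dns} takes the {actual} path, expected {expected}")
    return problems


def check_all(sites, internal_dns=INTERNAL_DNS):
    """Resolver check for every site, keyed by site name."""
    return {site: check_resolvers(site, sites, internal_dns) for site in sites}


if __name__ == "__main__":
    for site, problems in check_all(SITES).items():
        print(site, "ok" if not problems else problems)
```

Two misconfigurations worth catching with this: an internal resolver address that is not inside any protected prefix (its queries would go out the ISP link in clear), and an ISP resolver entry that, through a typo, lands inside a site LAN (every public lookup would then be forced through the tunnel).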

happygolucky

Dec 4, 2000
> Not really. You can't have multiple DNS servers configured as the
> primary servers for the same domain. If this is a public domain you
> don't need to do this at all. Just refer to your ISP's DNS server, and
> it will query your public DNS server through the Internet, not over the
> VPN.
> On the other hand, if you are talking about INTERNAL DNS entries, you
> can just add your private DNS server to the list of DNS resolvers for
> each site, followed by your ISP's DNS servers.

That was the answer I was looking for! I had forgotten about the I.S.P.'s
DNS servers! I DO want each location to go out to the internet via
their OWN T1 and it was not my intention for ALL internet traffic to
come to one location and then out of one gateway. I was just worried
about DNS resolution for each location and using the I.S.P's DNS will
resolve all of this. We do have private host entries on our DNS but I
can add that to the B.M. server's resolve list to look at our private
DNS like you stated. There should not be that much traffic across the
link coming to one location for the private entries as it would be ONLY
for private resolution.

CAT, you have been a great help! Hope you have a Merry Christmas and a
Happy New Year!

CSL

Dec 5, 2000
hi,

> That was the answer I was looking for!

well, it took me a while, but I am glad I managed to provide it!! :-)

> I had forgotten about the I.S.P.'s
> DNS servers! I DO want each location to go out to the internet via
> their OWN T1 and it was not my intention for ALL internet traffic to
> come to one location and then out of one gateway. I was just worried
> about DNS resolution for each location and using the I.S.P's DNS will
> resolve all of this. We do have private host entries on our DNS but I
> can add that to the B.M. server's resolve list to look at our private
> DNS like you stated.

yes, this is the best solution.

> There should not be that much traffic across the
> link coming to one location for the private entries as it would be ONLY
> for private resolution.

that's right.

> CAT, you have been a great help! Hope you have a Merry Christmas and a
> Happy New Year!

thanks! Best wishes to you, too!
