Jules2003 wrote:
>
> Hi
>
> I hope you can help - now I think I know the answer to this (No!), but
> I really need some functionality within ZCM10 working OK for patches.
> See :- 'here'
> (http://www.novell.com/support/php/search.do?cmd=displayKC&docType=kc&externalId=3865256&sliceId=1&docTypeID=DT_TID_1_1&dialogID=102527748&stateId=0%200%20102529537)
>
> But as we use BM3.9 which does not allow DNS filtering am I to
> understand it's not possible to follow this particular Novell TID with
> the only Novell product that does this job!
>
> Or am I being dim.
Maybe *I* am, but I have absolutely no idea what you're talking about,
and reading that TID which doesn't even contain the word "DNS" doesn't
help shedding some light I'm afraid. Apart from the fact that *of course*
BM allows DNS filtering (or not), I'm afraid I'm totally confused now.
CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de
Jules2003 wrote:
>
> Hi
>
> The TID does not mention it but it is implied here :-
>
> # From the ZCM server where patch download has been enabled, ensure
> that the firewall/proxy is open to ping, traceroute, and a browser
> response on http, https from:
>
> 1. http://cdn.patchlink.com/novell
> 2. http://content.patchlink.com/novell
> 3. https://novell.patchlink.com/
> 4. http://novell.cdn.lumension.com/novell/baretta.xml
Yes, and? There's no relation to DNS here, right?
> How is this possible through BorderManager without proxy
> authentication? Our ZCM server is Linux, so no client trust
> authentication to use the proxy rules.
Then you either allow by source IP of your ZCM server (you can do that
through filtering or in proxy authentication rules). Or you allow
unauthenticated access to the targets by their DNS name (proxy access
rules only).
> So then I'm guessing we need to go
> down to the filters which in our case do not allow DNS based filtering
> which aside from the above has been a problem with Windows updates
> also.
Windows updates are an entirely different matter. I strongly suggest a
WSUS server, and again allow that to go through the proxy based on its
IP. Automatic Windows updates using the proxy have never worked through
BorderManager's proxy. I know there are some odd reports that it works,
but that doesn't match my experience.
> So the question I'm asking is: can I use DNS based filtering, as that TID
> implies that I need it.
No you can't, and no, that TID does not imply that. You *can* of course
configure the necessary access rules by target DNS name or even allow
filter exceptions based on source IP of your ZCM servers.
1. Set up selective proxy authentication by using the 'authenticate
only when user attempts to access a restricted page' option in the
authentication context menu in BMgr. Then add an allow URL rule,
destination any, source=ZCM server IP address. Also add a port 443
rule with source IP=ZCM server IP address. Then configure the ZCM
server to use proxy. This will allow it to go through proxy without
needing CLNTRUST.
2. Look up the IP addresses of the above URLs. Add filter exceptions
(www-http-st and www-https-st) from private to public interfaces, with
destination IP address = the addresses for the above. One exception
per address. You will need dynamic NAT enabled as well. The ZCM
server will also need DNS access.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***
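An added check script (not from this thread or from Novell) to run on the Linux ZCM server after setting up either approach above: it resolves each of the four patch URLs to the per-address list step 2 needs for its filter exceptions, and reports the HTTP status each URL returns when fetched through the proxy with no credentials (step 1). It assumes the proxy is given in the BM_PROXY environment variable, e.g. BM_PROXY=http://192.0.2.1:8080 (placeholder address).

```shell
#!/bin/sh
# Added example: verify the ZCM patch-download path through BorderManager.
# BM_PROXY (assumed, e.g. http://192.0.2.1:8080 - placeholder) selects the proxy.

# The four download sources listed in the thread.
PATCH_URLS='http://cdn.patchlink.com/novell
http://content.patchlink.com/novell
https://novell.patchlink.com/
http://novell.cdn.lumension.com/novell/baretta.xml'

# host_of URL -> bare hostname (scheme, port and path stripped).
host_of() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|[/:].*$||'
}

# scheme_of URL -> http or https; picks www-http-st or www-https-st
# for the step 2 filter exception of that address.
scheme_of() {
    printf '%s\n' "$1" | sed -e 's|://.*$||'
}

# resolve HOST -> one IPv4 address per line (one filter exception each).
resolve() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# proxy_status URL -> HTTP status code when fetching URL through
# $BM_PROXY without credentials (000 = no response from the proxy).
proxy_status() {
    curl -s -o /dev/null --max-time 15 --proxy "$BM_PROXY" \
         -w '%{http_code}' "$1" || true
}

main() {
    printf '%s\n' "$PATCH_URLS" | while read -r url; do
        host=$(host_of "$url")
        echo "== $url"
        echo "   filter exception www-$(scheme_of "$url")-st -> $(resolve "$host" | tr '\n' ' ')"
        echo "   via proxy, no auth: HTTP $(proxy_status "$url")"
    done
}

# Only touch the network when a proxy has actually been given.
if [ -n "${BM_PROXY:-}" ]; then
    main
fi
```

A 200 (or a redirect) through the proxy means the unauthenticated rule for the ZCM server's source IP is working; 407 means the proxy is still demanding CLNTRUST authentication for that source.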