How to: Set up a VPN with Private IP addresses [limited knowledge]

Excelerate2004

Programmer
Mar 8, 2004
Hello all,

I'll try to be very brief as my knowledge on this subject is somewhat limited and I've never attempted this before.

I've been instructed to set up a VPN for a client who will be using our Internet service through our router, but they will not have direct access to our Network as we use Novell Client to login.

I think the problem will come from the fact that our IP addresses are private and not public. All internet workstations are protected from the internet with the usage of NAT (Network address translation). No public addresses are used inside on the LAN.

Where do I start in trying to configure this?

Where is a useful resource for someone with very limited knowledge regarding setting up a VPN??

Is this as complicated as it seems?

Thanks for any help I can get, I feel somewhat bewildered right now.

Some additional useful Information:

Server Operating system Netware 5.1
Workstations use WIN2K and WINXP
 
I'm not clear: your client wants to use your "Internet service" via VPN? They must already have an Internet connection or they wouldn't be able to connect a VPN.

Or, do you mean that they will connect to a private server on your LAN?

Also, is this a single user with a PC or are you connecting a remote office?

In any case, I'd probably start by looking at the manufacturer's web site for my existing firewall to see if and how it can support a VPN. If you're connecting two offices, then my only tip thus far is that life will be simpler if you get two of the same device (Cisco, Watchguard, whatever) than if you try to mix & match.
 
To answer your questions:

The client(s) will connect to a private server on our LAN that will allow them access to the internet.

In turn if the client(s) was at home or at a remote office, they would also like access to the VPN.

Client = 1 or more users

We use BorderManager as our Firewall service.

Again I'm still sort of lost as to what to do next.

Thanks for the info though, maybe it's a push in the right direction.
 
Also worth noting:

As I "inherited" this network, there's still a lot I'm learning about it.

However, there is a Netware (common) > BorderManager VPN Client application on my desktop computer, but when I navigate to this folder it is empty. I believe the VPN had already been set up before, now I just have to find a way to access it.

Not sure if this is useful, but it might shed a little more light on the situation.

Thanks
 
OK. Since you're using BorderManager as your firewall, so that it is the default gateway for your network, it can easily serve as your VPN server. It's been a few years since I used BM, so you'll want to consult the documentation. My information applies to versions up to 3.6; the current version is 3.8.

Each client needs the BorderManager VPN software installed. It can be downloaded from
In the normal configuration, your client computers will not be assigned private addresses. They'll appear to your LAN devices as having their public IP addresses. They will be able to connect to any of your private addresses, subject to packet filters.

One of the Novell forum sysops has a website with lots of tips at He also has a book out which I haven't read, but about which I've heard good things.
 
We have BorderManager 3.5 and I can see some of the setup files in the SYS:PUBLIC\BRDRMGR\VPN directory on the server.

My question is: Is there anything that I need to configure on the SERVER for the Client to "link" in to?

We use Netware as our Server's OS and I don't see any visible command console for Border Manager, how can I gain access to it?

I know these are difficult questions to answer as "how can you really know what's installed on my SERVER or not?" But as I have said I haven't done this before and so any info I can get as to what to look for is a bonus at this point.

Thanks again.
 
BM configuration is through the NWADMN32 utility located in sys:public/win32. If you don't know whether it's installed, there's no harm in installing it again. If the BM snapins are loaded with NWADMN32, then it's already installed. Also check autoexec.ncf for the load lines for BRDSVR and VPMASTER (I think they are the main ones).

I only found documentation at Novell for 3.7, but I think most everything is the same. There have been advances in the client since 3.5; notably, the 3.6 version and later will work through a NAT firewall.

Check
 
I checked to see if I had the snapins in NWADMIN32 but they don't appear to be there. I tried installing them from a border manager snapin folder but didn't have any luck, as I get a message telling me that the directory where it wants to install the snapins to (Z:SYS:public/win32) is read only. I checked the properties on that folder to make sure it wasn't read only and it isn't. Not sure how to bypass that?

The other thing worth noting is that: within the NWADMIN32 utility I can see listings of objects for BorderManager, see below:

Novell+BorderManager Client VPN +350
Novell+BorderManager Access Control +350
Novell+BorderManager Authentication Services +350
Novell+BorderManager Proxy +350
Novell+BorderManager Site to Site VPN + 350
Novell+BorderManager Gateways + 350...

Are these the licenses for BorderManager and the VPN?

Slowly but surely with your help I'm figuring more out about all of this.

I'll need to start going thru that documentation now.

Thanks
 
First, I assume that you have supervisor privileges for the tree. The folder isn't read-only to you in that case.

Did you really mean "Z:SYS:public/win32"? That's not a valid directory; it could be interpreted as read-only since you can't write to it.

The actual directory is \public\win32 on volume SYS:. SYS: is typically mapped as drive Z for DOS. You would then use "z:\public\win32", or any letter that you have mapped to SYS:.

Yes, those are the licenses. They indicate that the product is installed and the directory schema is extended, but you won't know for sure until you get the snapins loaded and can see the BM attributes for users & servers.
 
I have to add one thing: In your original post, you said "they will not have direct access to our Network as we use Novell Client to login." Well, guess what. These users will have NDS login accounts. Although the VPN client doesn't, by itself, allow connections to internal servers, they would only need to install the NW client to have that access, at least to "public" directories. If your server directories are properly secured, this isn't a big issue, but it's something that you need to be aware of.
 
One obvious question that I still don't really have a grasp on yet is:

When I do eventually get this VPN set up, just what features does a Virtual Private Network actually allow for?

Is it similar to FTP, where there is an FTP server where a user logs into a secure site and can download or upload files, or is it like terminal services, where a user can use programs off of another server?

Or is it more like a user dials in and can see all the other users and any shared folders within their private network? Do they actually login separately to their own unique accounts, hence the NDS accounts?

Thanks for your postings
 
To refer back to your previous posting...

You are correct, this is the actual drive path:

z:\public\win32

However, I am still unable to get the snapins installed as I continue to get the message that this directory is read only.

I've checked the rights to this directory simply by right clicking on it and adding myself to it with FULL access rights logged in as Admin.

Presumably, when I inherited this network all network access was transferred to me as the user "bam".

Is there some overriding setting I can change to ensure that I can get access to this directory via NWADMIN32?
 
The VPN is like dialup. It creates a connection with your internal network. Think of walking into an office and plugging in your laptop. Assuming that you get a dynamic IP address, you'll then have access to network devices. You may not be able to sign onto their servers, but you'll have the connection.

Since Novell's VPN authentication (like some others) is integrated with their main authentication directory (NDS), your remote users will use the same userids & passwords as they would if they were logging in at your office. They won't necessarily be able to see server volumes without installing the NetWare client, but they could do that. If someone is sharing a Windows PC directory without protection, the VPN user can see that, also.

Back to my analogy about plugging into the network... From a security perspective, you need to consider what steps you would take if some external person were to plug into your LAN, and they had a Novell user account.

As for the admin issue: There's nothing special about "admin" except that it has supervisory privileges at "[Root]". I recommend not giving yourself those rights, but create a separate user and explicitly grant it "S" to the root of your NDS tree. This protects you if Admin should somehow be deleted (remember, it's not a special account). Also, it's generally not a good idea to log in with admin privileges on a regular basis.

To continue the NetWare administration issues, I'd suggest that you visit Forum75 (NW 5) or Forum871 (NW 6). There are other helpful people there who might not frequent this forum.
 
Unfortunately, I'm still unable to change my directory from being read only. So I'm stuck at this point.

I've tried posting in the other forum that you listed, no response yet....

If I ever get past this issue of being unable to install the snapins due to Read Only, then I'll post again and go from there.

Thanks
 
Ex2004,

You would need to set up the VPN on your BMGR server and install the VPN client on each workstation that needs to connect to your VPN server (BMGR).

You would need a public IP address, administrator rights to set up the BMGR VPN configuration in NWADMIN, and an internal DNS and DHCP server.

Buy Craig Johnson's Beginners Guide to BMGR and it will walk you through how to set up your VPN server. You may want to get his guide for configuring filter exceptions.

You can also post your message to Novell's forum for BMGR. That is the best place to get answers to all your questions regarding BMGR.

I used BMGR 3.5-3.8 and it is a great product. It is just too complex from the start but with CJ's book it will ease your journey on setting up your BMGR. If you need an easy solution, get a sonicwall tz170 appliance (expensive but it is a great product too).

Enjoy.

Zorex
 