
An Introduction to Novell's IntranetWare IPX/IP Gateway


HENRY J. SPRAFKIN
Product Marketing Engineer
Information Access Division

TIM HUNTLEY
Software Engineer
Information Access Division

01 Sep 1996


Discusses how to connect a NetWare LAN to the Internet or to a corporate intranet using the IntranetWare IPX/IP Gateway.

Introduction

The number of networks connected to the Internet is growing exponentially. Far greater growth is predicted for the use of Internet technology in private local area networks, or "intranets." An estimated two-thirds of existing LANs use Novell NetWare and an increasing number of these LANs will be connected to the Internet or to corporate intranets. To help customers capitalize on Internet/intranet technology while preserving their investment in NetWare, Novell is introducing IntranetWare. This product combines NetWare 4.11 with wide area routing using leased line, ISDN, or Frame Relay; Novell's Web Server; Netscape's Navigator web browser; and an IPX/IP gateway that is integrated with Novell Directory Services (NDS). This gateway allows a NetWare network to connect transparently to an intranet or to the Internet without deploying IP at each desktop.

This Application Note introduces the Novell IPX/IP Gateway and covers the following points:

  • An overview of Internet-related concepts

  • A discussion of the need for the Novell IPX/IP gateway, describing how the use of such a gateway alleviates the difficulties involved in administering Internet connectivity

  • A description of the product components and configuration options

This information is intended for NetWare administrators who want to add Internet connectivity to their LAN but may not have experience with Internet technology. A follow-up AppNote will go into more detail on specific aspects of configuring the IntranetWare gateway for connectivity with an Internet service provider.

The Novell IntranetWare IPX/IP gateway supports NDS clients on existing NetWare 4.1 and NetWare 4.11 networks and can be configured to support bindery clients. To use the Novell IPX/IP gateway, clients must be upgraded to the version of NetWare Client 32 included with IntranetWare. IntranetWare will be available in October 1996.

Internet-Related Concepts

To understand our discussion of the IntranetWare IPX/IP gateway, it is helpful to have a basic familiarity with concepts such as IP addressing, Domain Name System (DNS), and UNIX sockets. This section provides a quick overview of these concepts. If you are already familiar with these concepts, skip to the section "Why Use the IntranetWare IPX/IP Gateway?".

IP Addressing

Computers connected to the Internet communicate using the TCP/IP protocol suite. This is a collection of protocols, the most prominent of which are TCP and IP. A connection to a TCP/IP network is identified by an IP address and a port number.

An IP address is expressed in the form of four numbers separated by dots, such as 130.65.2.6. A packet sent between computers is marked with a source and destination IP address in the IP header.

In addition to an IP address, packets are directed to a specific port number on the destination machine. This number doesn't correspond to anything physical, but instead serves to identify the type of packet. For example, web browsers send messages to port number 80 (HTTP), whereas news readers use port number 119 (NNTP).

To use a postal analogy, think of the IP address as the street address (such as 1234 Main Street). As letters are marked with the street addresses of both the sender and the intended recipient, so do TCP/IP packets contain both source and destination IP addresses. To continue this analogy, a TCP port number might correspond to a department within a corporation at that address. Thus the postal equivalent of initiating a web browser session might be a letter addressed to:

Novell, Inc. Dept. 80 (Web browsing) 130.65.2.6 Internet St.

Domain Name System

The IP address is the basic identifier of a system on the Internet. However, humans find strings of numbers difficult to remember. We much prefer an identifier such as "www.novell.com" over "130.57.2.6". The Domain Name System (DNS) acts as a translator between the familiar names that humans prefer and the numeric addresses that IP requires.

A small intranet with few IP sites (or "hosts") can use a statically configured list associating host names with their IP addresses. For example, such a list is contained in the SYS:ETC\HOSTS file. However, since Internet sites are numerous and change rapidly, it is not practical to maintain a static list of these sites. Instead, Internet Service Providers offer Domain Name System (DNS) service (see Figure 1).

Figure 1: Internet/intranet clients query a DNS server to obtain the IP address associated with a site name such as "www.novell.com".

Sockets and WinSock

Sockets is a UNIX specification that provides a standard application programming interface to TCP/IP. Windows Sockets, or WinSock, is a version of this standard for Windows clients. The purpose of WinSock is to allow applications such as web browsers to run with any vendor's TCP/IP stack, so long as that stack is compliant with the WinSock standard.

Why Use the IntranetWare IPX/IP Gateway?

With the growing number of NetWare LANs that are being connected to the Internet and to corporate intranets, there is a need for products to make such connections easier. This section looks at some of the difficulties involved with administering a TCP/IP environment and how the Novell IPX/IP Gateway can alleviate those difficulties.

The Management Burden of Internet Technology

Computers attached to the Internet use the TCP/IP protocol suite to communicate. NetWare users have long had the ability to access the Internet by using products such as LAN WorkPlace. However, there is still a significant burden associated with managing TCP/IP at each desktop. Unlike IPX (the protocol used in NetWare LANs), TCP/IP requires that a number of items be configured individually for each workstation:

  • IP address

  • Subnet mask

  • IP address of default router

  • Domain name

  • IP address of domain name server(s)

Since each workstation must have a unique IP address, administrators must keep accurate lists to avoid address duplication. If duplication does occur, it can have catastrophic effects on a network and is difficult to diagnose and resolve. Administrators must request registered network addresses before connecting to the Internet, and IP addresses themselves are in short supply. Finally, each IP address is specific to a particular network, which requires users to get different IP addresses when they move to another network.

The use of Dynamic Host Control Protocol (DHCP) alleviates these problems to some extent. However, it still requires IP to be implemented at each desktop.

Lack of Protection Against "Hackers"

As networks and the information they store become more important to business performance, so does protecting those networks from damage and intrusion. A network connected to the Internet is subject to attack by any of thousands of talented hackers whose knowledge and experience may far exceed that of the local administrator. Devices known as "firewalls" are employed to protect against network intruders, but they are often expensive and usually require a high level of expertise to configure properly.

Lack of Control Over Internet Access

Since most NetWare LANs are installed in business environments, network administrators are naturally interested in seeing network resources used to further the success of the enterprise. However, because Internet connections are expensive and much slower than LAN connections, many administrators attempt to restrict the use of the Internet to business purposes. In most cases this means filtering out certain types of traffic or excluding traffic to particular locations. But packet filtering tools are complex and maintenance-intensive.

Advantages of Using an IPX/IP Gateway

As noted above, NetWare networks and the Internet use different communication protocols. NetWare uses the IPX protocol, while the Internet uses TCP/IP. However, IPX and IP actually perform similar functions in a network. While TCP is known as an "end-to-end" or "transport layer" protocol because it concerns itself with maintaining the connection between the two endpoints of a link, both IP and IPX are "network layer" protocols that communicate between two directly-connected systems.

An IPX/IP gateway exploits the similarity between IP and IPX by replacing IP with IPX on the internal network, while using IP to communicate with the outside world. The LAN is running, in effect, over "TCP/IPX" (see Figure 2).

Figure 2: When the IntranetWare IPX/IP gateway is operating, the gateway server uses the TCP/IP protocol to communicate with the remote host, but each client uses IPX instead of IP to communicate with the gateway server.

The IntranetWare server, which hosts the gateway, runs IPX to communicate with the NetWare LAN, and TCP/IP so that it can communicate with the Internet. From the viewpoint of a remote host on the Internet, all traffic through the gateway seems to originate from the IP address assigned to the gateway server. Because the IPX/IP gateway uses only a single IP address, the private network is safe from outside interference.

Using the Novell IPX/IP Gateway alleviates the difficulties of administering a TCP/IP environment by providing ease of management and centralized control over Internet access.

Ease of Management. By using Novell's IPX/IP gateway, you can run only IPX on the network workstations. Compared to IP, IPX is simple to manage. It assigns user connections dynamically, obviating the need for a registered address to be configured at each desktop. Since IPX addresses are assigned dynamically, workstation address conflicts do not occur. Users can move transparently between IPX networks, and travelling IPX users can roam between multiple networks within an enterprise.

Each Novell IPX/IP Gateway server requires only a single IP address regardless of the number of users it supports. This removes the management burden of maintaining IP on each desktop.

Centralized Control over Internet Access. The Novell IPX/IP Gateway allows you to limit access to Internet services by type of traffic (for example, web browsing or FTP) and/or by remote host. Either type of restriction can be limited to specific times during the day to reduce "rush hour" traffic on an Internet connection. Access control configuration is performed using the familiar NetWare Administrator (NWAdmin) utility. Integration with Novell Directory Services (NDS) means that access control need not be configured separately on each gateway. Restrictions are active on all gateways regardless of whether they are applied to an entire organization or created individually for each user.

How the Novell IPX/IP Gateway Works

To understand how the Novell IPX/IP Gateway works, let's look at the difference between client operation in a native TCP/IP environment versus a gateway environment.

Native TCP/IP Connectivity. Consider the events that take place when a client running the LAN WorkPlace TCP/IP stack loads Netscape Navigator to browse the Novell web site "www.novell.com". Figure 3 shows a generic depiction of this scenario.

Figure 3: A web browser application interacts with WinSock, DNS, and TCP/IP to access a site on the Internet.

  1. The web browser (Netscape) asks WINSOCK.DLL to resolve the name "www.novell.com".

  2. WINSOCK uses TCP/IP to resolve the name by directly contacting the nearest DNS Server.

  3. Netscape receives the IP address 130.57.2.6 from WINSOCK.

  4. Netscape asks WINSOCK to open a connection to port number 80 (HTTP) at IP address 130.57.2.6 (the web server at www.novell.com).

  5. WINSOCK uses TCP/IP to open a connection to the remote host.

A send/receive channel has now been established between the web browser application and the web server at www.novell.com. This connection remains open until the file transfer of the initial web page is complete. The process is repeated when the user clicks on a hot link or requests another URL.

Novell IPX/IP Gateway Connectivity. Compare the events described above with the operation of the client in a gateway environment. The gateway client works with an augmented WINSOCK.DLL that supports both TCP/IP and "TCP/IPX" and works in concert with a gateway server (see Figure 4).

Figure 4: The Novell IPX/IP Gateway intervenes between the web browser application on the "TCP/IPX" LAN and the TCP/IP services on the Internet.

  1. The web browser (Netscape) asks the Novell WINSOCK.DLL to resolve the name "www.novell.com".

  2. The Novell WINSOCK passes the name resolution request to the Novell IPX/IP Gateway server.

  3. The Novell IPX/IP Gateway server resolves the name by directly contacting the nearest DNS Server.

  4. The client receives the IP address 130.57.2.6 from the gateway server and returns it to Netscape.

  5. Netscape asks WINSOCK.DLL to open a connection to port number 80 (HTTP) at IP address 130.57.2.6 (the web server at www.novell.com).

  6. The Novell WINSOCK opens a TCP/IPX connection to the gateway server and requests that the IPX/IP gateway server open a connection to port 80 at IP address 130.57.2.6.

  7. The IPX/IP gateway server opens a TCP/IP connection to the remote host on behalf of the client.

A send/receive channel is now established between the web browser application and the web server at www.novell.com. In this case, however, the channel is switched through the gateway server. Note that for TCP/IP applications that use the standard WinSock API, gateway operation is transparent.
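The seven steps above can be followed in code. The following is an added illustration written for this article, not code from the AppNote or from Novell's client: the AppNote does not document the wire protocol between WINSOCK.DLL and the gateway server, so the relay is modelled as method calls, and the gateway address, the IPX address, the socket numbers and the host table entries other than www.novell.com are constructed. The point it makes visible is the one stated earlier: the remote host only ever sees the gateway's own IP address, and the gateway keeps a table that maps each outbound connection back to the IPX circuit that owns it.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Iterator, Optional, Tuple

# Constructed: the gateway server's single registered IP address.
GATEWAY_IP = "198.51.100.1"

# Static host table in the style of SYS:ETC\HOSTS (address, name, aliases).
# Entries are constructed except www.novell.com, which the AppNote uses.
HOSTS_TEXT = """
# address       name               aliases
130.57.2.6      www.novell.com     novell
192.0.2.80      intranet.example   intranet
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse a hosts-style table: comments and blank lines are ignored,
    names are case-insensitive and the first entry for a name wins."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


Circuit = Tuple[str, int]  # (client IPX address, client socket number)


@dataclass
class GatewayServer:
    ip: str
    hosts: Dict[str, str]
    # Ephemeral source ports handed out for outbound TCP/IP connections.
    _ports: Iterator[int] = field(default_factory=lambda: count(49152))
    # IPX circuit -> (destination IP, destination port, outbound source port)
    circuits: Dict[Circuit, Tuple[str, int, int]] = field(default_factory=dict)

    def resolve(self, name: str) -> Optional[str]:
        """Step 3: the gateway server, not the client, performs name resolution."""
        return self.hosts.get(name.lower())

    def open_connection(self, circuit: Circuit, dest_ip: str, dest_port: int) -> Tuple[str, int]:
        """Step 7: connect to the remote host on the client's behalf and remember
        which IPX circuit owns the outbound port. Returns the source address the
        remote host sees, which is always the gateway's own IP."""
        src_port = next(self._ports)
        self.circuits[circuit] = (dest_ip, dest_port, src_port)
        return (self.ip, src_port)

    def circuit_for_reply(self, src_port: int) -> Optional[Circuit]:
        """Route data arriving on an outbound port back to the owning IPX circuit."""
        for circuit, (_, _, port) in self.circuits.items():
            if port == src_port:
                return circuit
        return None


class GatewayWinsock:
    """Stand-in for the Novell WINSOCK.DLL: the browser makes ordinary WinSock
    calls, and each one is relayed to the gateway server over TCP/IPX."""

    def __init__(self, gateway: GatewayServer, ipx_address: str):
        self.gateway = gateway
        self.ipx_address = ipx_address
        self._sockets = count(1)

    def gethostbyname(self, name: str) -> Optional[str]:
        # Steps 1, 2 and 4: hand the request to the gateway and return its answer.
        return self.gateway.resolve(name)

    def connect(self, dest_ip: str, dest_port: int) -> Tuple[Circuit, Tuple[str, int]]:
        # Steps 5 and 6: open a TCP/IPX circuit to the gateway, ask it to connect onward.
        circuit = (self.ipx_address, next(self._sockets))
        seen_by_remote = self.gateway.open_connection(circuit, dest_ip, dest_port)
        return circuit, seen_by_remote


def browse(winsock: GatewayWinsock, name: str, port: int = 80) -> Optional[dict]:
    """The whole sequence for one page fetch; None if the name does not resolve."""
    ip = winsock.gethostbyname(name)
    if ip is None:
        return None
    circuit, seen_by_remote = winsock.connect(ip, port)
    return {"resolved_ip": ip, "circuit": circuit, "seen_by_remote": seen_by_remote}


if __name__ == "__main__":
    gw = GatewayServer(GATEWAY_IP, parse_hosts(HOSTS_TEXT))
    ws = GatewayWinsock(gw, ipx_address="00000001:0000C0A80001")
    print(browse(ws, "www.novell.com"))
```

Running the block prints the resolved address 130.57.2.6, the IPX circuit that was opened, and the (gateway IP, port) pair the remote web server sees; the client's IPX address never leaves the gateway.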

Managed Access Using Novell Directory Services

As the point of connection between a NetWare network and a TCP/IP network, an IPX/IP gateway is in an ideal position to enforce restrictions on traffic between the two networks. These access restrictions are stored in Novell Directory Services (NDS) objects, thus providing a single database of restrictions that all gateway servers share.

As mentioned previously, computers in a TCP/IP network communicate using two pieces of addressing information: the IP address and the port number. Access control configuration is divided into two matching parts: host restrictions (based on IP address) and service restrictions (based on port number). To restrict access to a specific Internet site, a host restriction can be created for that site. To prevent certain types of traffic from being forwarded by the server, a service restriction can be created for the appropriate port number (see Figure 5).

Figure 5: The IPX/IP Gateway Service Restrictions page in NWAdmin allows access to be controlled by application and/or by time of day.

You can configure Internet access control for User, Group, Organization and Organizational Unit objects using the standard NetWare Administrator utility. For example, a service restriction on FTP traffic might be applied to an entire organization, or a group might be granted web browser access only between 1:00 p.m. and 5:00 p.m.

Note that with this user-centric approach, access control does not need to be configured on each server separately. Since all gateway servers enforce access restrictions from the same database (NDS), users' access rights are the same regardless of which gateway their traffic passes through.
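The access-control model just described can be written down precisely. The following is an added example for this article, not code from the AppNote or from Novell's gateway: the two restriction kinds (host by destination IP address, service by destination port), the optional time-of-day limit, the Access Control enable/disable switch, and the rule that restrictions on User, Group, O and OU objects apply on every gateway come from the text; the NDS object names, the membership table, the data layout and the function names are assumptions. The time window is handled as an edge case: a window whose start is later than its end wraps past midnight, which is how "web browsing only between 1:00 p.m. and 5:00 p.m." is expressed as a single port-80 restriction active from 17:00 round to 13:00.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


def clock(hhmm: str) -> time:
    """Parse "HH:MM" into a time of day (helper for this example)."""
    hours, minutes = hhmm.split(":")
    return time(int(hours), int(minutes))


@dataclass(frozen=True)
class Restriction:
    kind: str                           # "host" (by IP address) or "service" (by port)
    value: str                          # dotted-quad address or decimal port number
    active_from: Optional[time] = None  # window during which the restriction is enforced;
    active_to: Optional[time] = None    # None on both means "always". A window whose
                                        # start is later than its end wraps past midnight.

    def in_window(self, now: time) -> bool:
        if self.active_from is None or self.active_to is None:
            return True
        if self.active_from <= self.active_to:
            return self.active_from <= now < self.active_to
        return now >= self.active_from or now < self.active_to  # wraps midnight

    def matches(self, dest_ip: str, dest_port: int, now: time) -> bool:
        if not self.in_window(now):
            return False
        if self.kind == "host":
            return ip_address(self.value) == ip_address(dest_ip)
        if self.kind == "service":
            return int(self.value) == dest_port
        raise ValueError(f"unknown restriction kind {self.kind!r}")


# Constructed NDS fragment: each object lists the objects whose restrictions it
# inherits (its container and any groups it belongs to).
MEMBERSHIP: Dict[str, List[str]] = {
    "CN=alice.OU=Sales.O=Acme": ["CN=WebUsers.OU=Sales.O=Acme", "OU=Sales.O=Acme"],
    "CN=bob.OU=Eng.O=Acme": ["OU=Eng.O=Acme"],
    "CN=WebUsers.OU=Sales.O=Acme": [],
    "OU=Sales.O=Acme": ["O=Acme"],
    "OU=Eng.O=Acme": ["O=Acme"],
    "O=Acme": [],
}

# Constructed restrictions attached to those objects.
RESTRICTIONS: Dict[str, List[Restriction]] = {
    # Whole organization: FTP control connections (port 21) are never forwarded.
    "O=Acme": [Restriction("service", "21")],
    # Sales web group: browsing only between 1:00 p.m. and 5:00 p.m.
    "CN=WebUsers.OU=Sales.O=Acme": [Restriction("service", "80", time(17, 0), time(13, 0))],
    # Engineering OU: one particular remote host is off limits at all times.
    "OU=Eng.O=Acme": [Restriction("host", "192.0.2.44")],
}


def effective_restrictions(user_dn: str) -> List[Restriction]:
    """Collect the restrictions on the user and on everything it inherits from."""
    seen, stack, found = set(), [user_dn], []
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        found.extend(RESTRICTIONS.get(dn, []))
        stack.extend(MEMBERSHIP.get(dn, []))
    return found


def gateway_decision(user_dn: str, dest_ip: str, dest_port: int, now: time,
                     access_control: bool = True) -> Tuple[bool, str]:
    """Decide whether the gateway forwards this connection. access_control=False
    mirrors the INETCFG "Access Control: Disabled" setting, where everything passes.
    One matching restriction is enough to refuse the connection."""
    if not access_control:
        return True, "access control disabled on this gateway"
    for r in effective_restrictions(user_dn):
        if r.matches(dest_ip, dest_port, now):
            return False, f"{r.kind} restriction on {r.value}"
    return True, "no matching restriction"


if __name__ == "__main__":
    for who, ip, port, at in [
        ("CN=alice.OU=Sales.O=Acme", "130.57.2.6", 80, clock("14:00")),
        ("CN=alice.OU=Sales.O=Acme", "130.57.2.6", 80, clock("09:00")),
        ("CN=bob.OU=Eng.O=Acme", "192.0.2.44", 80, clock("14:00")),
    ]:
        print(who, ip, port, at.strftime("%H:%M"), gateway_decision(who, ip, port, at))
```

Because every gateway consults the same restriction set, the decision for a given user is identical whichever gateway server the traffic passes through, which is exactly the property the NDS-based design is meant to give.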

Configuring IntranetWare for Internet Access

IntranetWare includes the following features:

  • Novell IPX/IP Gateway. Novell's solution for providing transparent access to TCP/IP services to NetWare IPX clients.

  • MultiProtocol Wide Area Routing. Novell's routing solution for corporate-wide networks, which offers the following features:

    • WAN connectivity including support for leased-line, Frame Relay, and ISDN

    • Backup support, which ensures that permanent connections are maintained even if a primary link goes down

    • Guided configuration, which ensures that the software is easy to install

  • Netscape's Navigator. The most popular browser for the World Wide Web. Versions for both Windows 3.1 and Windows 95 are included.


Note: If you are using the WAN capabilities of this product, refer to the hardware and software requirements for MultiProtocol Router at www.remote.novell.com. For a list of approved WAN adapters see www.labs.novell.com.

Server Configuration

The Novell IPX/IP Gateway requires minimal configuration on the server. Since gateway configuration is a subset of MultiProtocol Router (MPR) configuration, a very brief overview of MPR configuration is given here. Refer to the MPR documentation for additional details.

MPR Configuration Summary. The NetWare MultiProtocol Router is configured using INETCFG.NLM, a menu-based utility that automatically creates LOAD and BIND commands for the drivers and protocols you select.

Before configuring the Novell IPX/IP Gateway, use the following checklist to confirm that you have set up the IPX and IP connectivity necessary for the gateway to function.

IPX connectivity:

  • Defined LAN board(s)

  • Configured IPX protocol parameters (optional)

  • Created IPX to LAN board binding(s)

  • Tested NetWare clients' ability to login to server

IP connectivity:

  • Defined LAN (or WAN) board(s)

  • Configured WAN interfaces (if using a WAN board)

  • Configured WAN call directory (if using a WAN board)

  • Configured IP protocol

  • Created binding of IP to LAN (or WAN) board(s)

  • Set up an IP default static route to the Internet Service Provider

  • Tested IP connection by PINGing Internet Service Provider

  • Enable the Novell IPX/IP Gateway and define DNS client information

Novell IPX/IP Gateway Configuration. The Novell IPX/IP Gateway configuration options are presented as part of the TCP/IP protocol configuration in INETCFG (see Figure 6).

Figure 6: The IPX/IP Gateway Configuration screen is displayed in two sections: Gateway Configuration and DNS Client Configuration. To access this screen, from the INETCFG main menu select Protocols --> TCP/IP --> IPX/IP Configuration.

The Gateway Configuration section contains the following options:


Option: IPX/IP Gateway
Valid values: Enabled, Disabled
Description: Enable this option to activate the IPX/IP gateway.

Option: Client Logging
Valid values: Enabled, Disabled
Description: Enable this option to record client access in a log file. The log identifies the client, the service, and the time period over which the service was accessed. The log is stored in SYS:\GW_AUDIT.LOG.

Option: Console Messages
Valid values: Informational, warnings and errors; Warnings and errors only; Errors only
Description: This option controls the type of messages that are logged to the gateway logging screen and the gateway status log file. The status log file is SYS:\GW_INFO.LOG.

Option: Access Control
Valid values: Enabled, Disabled
Description: Enable this option to cause the gateway server to enforce access restrictions. (Configuration of user access restrictions is done through the client utility NWADMIN.) Disable this option to allow all users unrestricted access to services through the gateway.

The DNS Client Configuration section consists of the following options:


Option: Domain Name
Valid values: Any valid domain name (no default)
Description: Allows you to indicate the name of the domain in which the gateway resides, for example, "Novell.com". Your Internet Service Provider often supplies this value.

Option: Name Server #1-3
Valid values: IP address of any active name server (no default)
Description: Allows you to specify the IP addresses of domain name servers. Your Internet Service Provider often supplies domain name resolution services.

After the IPX/IP gateway is enabled, you will be prompted to log in as Admin from the server console. After you log in, a gateway server object is automatically created in the same context as the file server. The name of the gateway server is the file server name with "-GW" appended to it (see Figure 7). An access control attribute is also added to the User, Group, O and OU classes of objects.

Figure 7: The IPX/IP Gateway Configuration process creates a gateway server object in the same context as the host file server.

The Novell IPX/IP Gateway Client

The Novell IPX/IP Gateway client is based on the NIOS architecture and is supported through an updated version of NetWare Client 32 supplied on the IntranetWare CD-ROM. IPX/IP gateway client support is not provided in earlier versions of Client 32.

During IntranetWare installation, any existing Client 32 files under the \WIN95 and \WIN31 subdirectories of SYS:\PUBLIC\CLIENT are updated. There are thus three options available to update the client:

  • Install the updated client directly from the product CD-ROM.

  • Install the client from SYS:\PUBLIC\CLIENT on a server that has IntranetWare installed.

  • Run the Automatic Client Update from a user login script or profile. (For more information, refer to "ACU - Automatic Client Update DOS/WIN Summary" and "ACU - Automatic Client Update Win95 Summary" at http://support.novell.com.)

Figure 8 shows the architecture of the Novell IPX/IP Gateway client for Windows 95 machines.

Figure 8: The Novell IPX/IP Gateway client architecture for Windows 95.

Gateway Client Components. Novell IPX/IP Gateway client support is provided through the following components:


Each entry below lists the Windows 95 module, the Windows 3.1 module, and the module description.

WINSOCK.DLL (Windows 95) / WINSOCK.DLL (Windows 3.1)
  Novell Gateway Client version of the standard WinSock API for 16-bit applications.

WSOCK32.DLL (Windows 95) / Not present (Windows 3.1)
  Novell Gateway Client version of the standard WinSock API for 32-bit applications.

WLIBSOCK.DLL (Windows 95) / WLIBSOCK.DLL (Windows 3.1)
  WINSOCK support library. Note: This DLL performs name resolution when using native TCP/IP in the Windows 3.1 environment. Although this function is not used in Windows 95, the file must be present.

NOVGWP16.EXE (Windows 95) / NOVGWP16.EXE (Windows 3.1)
  Gateway task for 16-bit WINSOCK applications, used to maintain the control connection between the client and gateway server.

NOVGWPRC.EXE (Windows 95) / Not present (Windows 3.1)
  Gateway task for 32-bit WINSOCK applications, used to maintain the control connection between the client and gateway server.

GWSWITCH.EXE (Windows 95) / Not present (Windows 3.1)
  Used to switch the client between the Windows 95 TCP/IP stack (if installed) and the gateway client using TCP over IPX.

Not present (Windows 95) / GWSW16.EXE (Windows 3.1)
  Used to switch the client between Novell TCP/IP and TCP over IPX for use with the gateway server. This program is also used to define the preferred gateway server.

WINPING.EXE (Windows 95) / WINPING.EXE (Windows 3.1)
  Provides ping functionality through the gateway. (This application is included as a substitute for Ping, a very useful utility for testing connectivity to IP hosts and doing name resolution. Ping uses the Internet Control Message Protocol (ICMP), which is not supported by the gateway client.)

IPXGW3X.DLL (Windows 95) / IPXGW3X.DLL (Windows 3.1)
  Extends the NetWare 4.11 and IntranetWare NetWare Administrator utility (NWADMN3X.EXE) to allow access control configuration.

IPXGW.DLL (Windows 95) / IPXGW.DLL (Windows 3.1)
  Extends the NetWare 4.1 NetWare Administrator utility (NWADMIN.EXE) to allow access control configuration.

NOVWS.INI (Windows 95) / NOVWS.INI (Windows 3.1)
  Windows initialization file for the gateway client.

Gateway Client Operation

To provide TCP applications with transparent access to Internet services, the gateway client uses an enhanced version of WINSOCK.DLL that uses TCP/IPX in addition to TCP/IP. The Novell IPX/IP Gateway client task (NOVGWP16.EXE or NOVGWPRC.EXE) supports WINSOCK by establishing and maintaining a connection with a Novell IPX/IP Gateway server. UDP applications will be supported in the next release, and will be available early 1997.

Multiple Novell IPX/IP Gateway servers may be installed on a network to support large numbers of gateway users or to provide fault tolerance. The gateway client also supports the concept of a "preferred" gateway server. This is configured as part of the IPX/IP gateway properties (see Figure 9).

Figure 9: Users can configure a preferred IPX/IP gateway server if there are multiple gateways installed on the network. The Windows 95 method is shown here.

If a preferred gateway server is configured, the gateway task will attempt to attach to that gateway server. If the specified gateway server is not available (down or all licensed connections used), the gateway client will search for other gateway servers using the following logic:

  1. Starting with the current NDS context, search downwards in the tree for a Novell IPX/IP Gateway server object.

  2. Search the bindery of the attached file server.

  3. Query for Service Advertising Protocol (SAP) broadcasts of the nearest gateway server.

Note that there is no linkage between the preferred file server and the preferred gateway server. A user may be attached to file server A while using a gateway server that resides on file server B.

Gateway Switcher Operation

The gateway client includes a switcher program for Windows 95 and Windows 3.1. The purpose of this program is to switch the client between TCP/IP and TCP/IPX. The two implementations operate differently.

Switcher for Windows 95. This Switcher (GWSWITCH.EXE) renames the WinSock DLLs in \WINDOWS and \NOVELL\CLIENT32. When the IPX/IP Gateway client is enabled, the filenames are as follows:

\novell\client32\winsock.dll

\novell\client32\wsock32.dll

\windows\winsock.n01

\windows\system\wsock32.n01

When the IPX/IP Gateway client is disabled, the filenames are:

\novell\client32\winsock.nov

\novell\client32\wsock32.nov

\windows\winsock.dll

\windows\system\wsock32.dll

The NOVWS.INI file keeps track of the extensions used in renaming the files. For Windows 95 the gateway parameter is always set to one. The following is a sample NOVWS.INI file for Windows 95:

[stack]

gateway=x

ipxGateway=y

extension=n01

Switcher for Windows 3.1. This Switcher (GWSW16.EXE) uses the NOVWS.INI file by changing the gateway parameter under the [STACK] heading. To enable TCP/IP the gateway parameter must be set to zero. This instructs the WINSOCK.DLL to use IP. If the gateway parameter is set to one, WINSOCK.DLL will launch the gateway task to establish a control connection using TCP/IPX. The following is a sample of the NOVWS.INI file for Windows 3.1:

[stack]

gateway=x

ipxGateway=y
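The two NOVWS.INI samples above, and the Windows 95 rename scheme, can be checked mechanically. The following is an added example written for this article, not code from the AppNote or from Novell's switcher: it parses the [stack] section, applies the documented meaning of the gateway parameter (zero selects native IP, one launches the gateway task over TCP/IPX, anything else is rejected), and reproduces the filename mapping listed for GWSWITCH.EXE. The sample values filled in for x and y, the default extension and the function names are assumptions; only the keys and the file paths come from the text.

```python
import configparser
from typing import Dict, List

# Constructed sample INI files; the AppNote shows the keys with placeholder values.
SAMPLE_WIN95_INI = """\
[stack]
gateway=1
ipxGateway=1
extension=n01
"""

SAMPLE_WIN31_IP_INI = """\
[STACK]
gateway=0
ipxGateway=1
"""


def stack_section(ini_text: str) -> Dict[str, str]:
    """Return the [stack] section as a dict. The heading is matched without
    regard to case because the AppNote writes it both as [stack] and [STACK]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key spelling (ipxGateway) exactly as written
    cp.read_string(ini_text)
    for name in cp.sections():
        if name.lower() == "stack":
            return dict(cp[name])
    raise ValueError("NOVWS.INI has no [stack] section")


def winsock_uses_gateway(stack: Dict[str, str]) -> bool:
    """gateway=0: WINSOCK.DLL uses native TCP/IP. gateway=1: WINSOCK.DLL launches
    the gateway task and runs TCP/IPX. Any other value is a configuration error."""
    value = stack.get("gateway", "").strip()
    if value not in ("0", "1"):
        raise ValueError(f"gateway must be 0 or 1, got {value!r}")
    return value == "1"


# File stems that GWSWITCH.EXE renames, taken from the two filename lists above.
GATEWAY_STEMS = ("\\novell\\client32\\winsock", "\\novell\\client32\\wsock32")
NATIVE_STEMS = ("\\windows\\winsock", "\\windows\\system\\wsock32")


def win95_filenames(gateway_enabled: bool, extension: str) -> Dict[str, str]:
    """Map each stem to the name it carries in the given state: the Novell DLLs are
    live (.dll) or parked (.nov); the native DLLs are live (.dll) or parked under
    the extension recorded in NOVWS.INI."""
    names: Dict[str, str] = {}
    for stem in GATEWAY_STEMS:
        names[stem] = stem + (".dll" if gateway_enabled else ".nov")
    for stem in NATIVE_STEMS:
        names[stem] = stem + ("." + extension if gateway_enabled else ".dll")
    return names


def live_winsock_dlls(ini_text: str) -> List[str]:
    """The WinSock DLLs a Windows 95 client is actually loading, given its NOVWS.INI."""
    stack = stack_section(ini_text)
    enabled = winsock_uses_gateway(stack)
    extension = stack.get("extension", "n01")  # assumed default for this example
    return sorted(p for p in win95_filenames(enabled, extension).values() if p.endswith(".dll"))


if __name__ == "__main__":
    print("Windows 95 sample, gateway enabled:", winsock_uses_gateway(stack_section(SAMPLE_WIN95_INI)))
    print("Live DLLs:", live_winsock_dlls(SAMPLE_WIN95_INI))
```

A practical use of the check is spotting a client whose NOVWS.INI says one thing while the files on disk say another, since the switcher relies on both agreeing.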

Conclusion

IntranetWare provides transparent, secure, managed access to the Internet and corporate intranets. In this AppNote, we have explained the operation of various Internet protocols and the management burdens that are associated with them, then discussed the advantages of using a Novell IPX/IP Gateway. We also provided a road map for configuring the Novell IPX/IP Gateway and preparing the IntranetWare Server for connectivity with an Internet Service Provider. More information about Internet connectivity and access control will be provided in future AppNotes.

* Originally published in Novell AppNotes
