Connecting to the Internet from a Novell Network
Product Marketing Engineer
Novell Internet Access Division
01 Dec 1996
Outlines a basic procedure for choosing the right Novell product, WAN hardware, and Internet Service Provider to plug your network into the Internet.
The most common application for Novell's IntranetWare is building private company intranets. However, the wide-area routing software included with IntranetWare can also be used to connect to an Internet Service Provider (ISP) to provide LAN users access to the Internet. By taking advantage of the IPX/IP Gateway in IntranetWare, you won't have to go through the hassle of loading a TCP/IP stack and configuring an IP address on each workstation.
This AppNote describes a basic procedure for connecting a Novell network to the Internet. It covers the following eight steps:
Decide which Novell product to use for Internet connectivity.
Decide what type of WAN suits your needs.
Choose an Internet Service Provider.
Select a WAN card.
Configure IntranetWare or the NetWare MultiProtocol Router.
Configure the workstations.
Decide how many IPX/IP gateways you need, and assign users.
Implement the necessary security.
The AppNote discusses each step in detail, providing the information you'll need to make good decisions.
For a discussion of capacity planning for the IPX/IP Gateway, see "Capacity Planning for the Novell IPX/IP Gateway" on page XX in this issue.
For an overview of IPX/IP Gateway features, components, and configuration options, see "An Introduction to Novell's IntranetWare IPX/IP Gateway," Novell Application Notes, September 1996, p. 29.
Step 1: Decide Which Novell Product to Use for Internet Connectivity
Novell offers several products that can be used to connect LAN users to the Internet. This section discusses the differences between these products and provides information to help you decide which one is best for your network.
The Novell Internet Product Lineup
Following is a brief description of the various products Novell offers for connecting to the Internet.
IntranetWare. IntranetWare combines all of the components needed to connect your company's IPX or IP NetWare network to the Internet:
NetWare 4.11 network operating system
Novell IPX/IP Gateway
NetWare MultiProtocol Router 3.1
NetWare Web Server
IntranetWare is generally the best choice for Internet connectivity because it includes the latest version of NetWare and the Novell IPX/IP Gateway. This gateway allows IPX workstations on the LAN to access the Internet without having to have a TCP/IP stack on each workstation. It also provides a natural firewall to your IPX LAN from the Internet, providing protection against hackers. The access control features in the IPX/IP Gateway give you control over who can access the Internet and when. User access control can be configured by TCP port number, by IP address of the target host, and/or by time of day. You can use IntranetWare to connect to an Internet Service Provider via leased lines, Frame Relay, or ISDN.
NetWare MultiProtocol Router. The NetWare MultiProtocol Router 3.1 is a wide area router that routes the IP, IPX, and AppleTalk protocols. It supports Point-to-Point Protocol (PPP), Frame Relay, X.25, and ISDN as wide area media, and also performs source route bridging. The NetWare MultiProtocol Router allows outbound access to an Internet Service Provider, and will route packets destined to the Internet to the ISP over the WAN connection.
The NetWare MultiProtocol Router 3.1 is included in IntranetWare. All of the WAN routing functions and routing capabilities in IntranetWare are resident in the MPR 3.1, and vice-versa.
NetWare Connect. NetWare Connect 2.0 is a product that enables remote dial-in connectivity to your Novell network, or dial-out connectivity to an ISP. It allows modems to be pooled to minimize your hardware investment. NetWare Connect supports only asynchronous dialing via the dialer on the LAN workstation. It does not provide any access control, so users will be able to access any site on the Internet as often as they like.
Factors to Consider When Choosing a Product
Here are the questions you need to ask in order to make the right choice of Novell product for connecting to the Internet.
Will you use IPX or TCP/IP on your workstations?
IPX. If you run IPX on your workstations, the IPX/IP Gateway in IntranetWare will translate the TCP/IPX packets created by Winsock 1.1-compliant applications on the LAN workstation into TCP/IP packets on the Internet. If you use the IPX/IP Gateway, you do not have to load and configure a TCP/IP stack on each workstation, or manage IP address assignments and changes.
The IPX/IP Gateway in IntranetWare currently supports only Windows 3.1 and Windows 95 workstations. If you have DOS, OS/2, Macintosh, or Windows NT workstations on your network, you will have to run IP on these workstations in order for them to access the Internet.
TCP/IP. If you choose to run TCP/IP on the workstations, you will have to install and configure a TCP/IP protocol stack for each workstation. You will also have to manage IP address assignments and changes for the entire IP network. IP addresses assigned by an ISP will probably have to be returned whenever you change to another ISP.
Caution: If you use TCP/IP on your network and the ISP has a static route to your network or is performing IP routing over the link, you create a security hole for network hackers. With this setup, you need a proper firewall to deter hackers. Running only IPX on your workstations in combination with the IntranetWare IPX/IP Gateway creates a natural firewall. Since there are no IP addresses on the workstations and no IP routing across the WAN link, there is no way for a hacker's packets to access your LAN.
Will you upgrade to IntranetWare?
You can use the NetWare MultiProtocol Router or NetWare Connect for Internet access on any NetWare 3.12 or higher server. If you are not upgrading to IntranetWare and need an add-on product that will provide access to the Internet on an existing NetWare 3.12 or NetWare 4.10 server, you can use NetWare Connect or the NetWare MultiProtocol Router. The access control in IntranetWare's IPX/IP Gateway is controlled via the NDS login. If you have access control enabled, only users with NDS logins can use the IPX/IP Gateway to get access to the Internet. Users without NDS logins will have no access to the Internet via the IPX/IP Gateway if access control is enabled. Disabling access control allows both NDS and non-NDS users access to the Internet via the IPX/IP gateway, but they can get anywhere on the Internet at any time.
Therefore, if you install a 5-user version of IntranetWare (to use the 250-user version of the IPX/IP Gateway) in a non-NDS environment, and these five IntranetWare logins are the only NDS logins available in your network, only these five users can use the IPX/IP gateway to access the Internet. Users without NDS logins would be denied use of the IPX/IP Gateway in this scenario.
Do you already have NetWare Connect?
If you already have NetWare Connect set up on your network, you can use it to gain inexpensive access with asynchronous dial-up accounts to the Internet, provided you also have:
Windows 95 or Windows 3.1 LAN workstations running TCP/IP
Modems and phone lines
Refer to the NetWare Connect documentation for instructions on how to configure NetWare Connect.
Do you already have a NetWare MultiProtocol Router?
If you already have NetWare MultiProtocol Router 3.1 and already have (or are willing to implement) TCP/IP running on LAN workstations that need access to the Internet, but you are not yet planning to upgrade to IntranetWare, the MPR is a good choice to connect to the Internet. Compared to NetWare Connect, the MPR supports higher capacity media such as Frame Relay, ISDN, or PPP leased line. With NetWare Connect 2.0, you can only use asynchronous dial from the workstation.
Earlier versions of the NetWare MultiProtocol Router can be used, but some functionality is lacking. For example, in the NetWare MultiProtocol Router 3.0 there is no login script support. In the NetWare MultiProtocol Router 2.x there is no support for login scripts, on-demand calls, or asynchronous PPP dial-out.
So Which Novell Product Should You Choose?
You can use either MPR or NetWare Connect if:
You already have MPR or NetWare Connect, and
You will run TCP/IP at LAN workstations.
You must use the MPR or NetWare Connect if:
You are not upgrading to IntranetWare.
You must use IntranetWare if:
You will run IPX at the LAN workstations, and
You do not have an IPX/IP Gateway, or
You want access control for intranet and Internet usage.
If you choose the MPR 3.1, download the mpr31b.exe patch. If you choose IntranetWare, download the IntranetWare Support Pack v1.0. These patches contain important changes to how login scripts are handled.
Figure 1 is a flowchart that summarizes the questions to ask in deciding which Novell product will be best for your Internet connection.
Figure 1: Deciding between IntranetWare, MultiProtocol Router, and NetWare Connect.
Step 2: Decide What Type of WAN Suits Your Needs
Many different types of wide area network connections can be made to Internet Service Providers. To decide what type is best for your network, you must examine issues such as how you will use the Internet, the number of users who will concurrently use the link, bandwidth needs, the availability of different WAN services and lead times, the costs involved, and the flexibility that the different choices offer.
This section briefly discusses these issues and provides information to help you make a decision about what kind of WAN link to choose. For more information on the different types of WAN technology see:
How will you use the Internet?
If you will be using an ISP only for retrieving e-mail, a low-speed link might be appropriate. For surfing the World Wide Web (WWW) or for full Internet access, a higher speed link would better suit your needs.
How many concurrent users will be on the WAN link?
You also need to consider the number of concurrent users that will be using the WAN link. Some types of WAN links allow for easy growth, while others do not. If growth is in your future, a flexible choice might be better. Keep in mind that once you install an Internet link, user demand will probably increase, and it might be more difficult to limit use after users have become accustomed to frequent access to the Internet.
Should the WAN link be permanent or on-demand?
Both IntranetWare and the NetWare MultiProtocol Router 3.x support both permanent and on-demand connections. A permanent link is always kept up, and is retried if the connection fails. An on-demand link is only brought up when there is data to send. When the data transfer has finished, the line goes down. This keeps costs lower than for permanent links. If you expect only a limited amount of traffic or have a limited budget for Internet connectivity, an on-demand link might be appropriate for your network. ISDN or asynchronous dial-up WAN links are best used with on-demand calls when there are per-packet or per-minute charges. If you expect to have many users frequently accessing the Internet, a permanent connection might be more appropriate. A leased line offers permanent connectivity, but is also more expensive. Moreover, the monthly cost is the same regardless of the amount of data transferred. Fractional T1 services allow the bandwidth to grow with your needs. With Frame Relay, the connection is permanent, and you pay a flat rate for service. Some ISPs offer Frame Relay in a range of speeds, allowing you to adjust the speed as your needs change.
Is the WAN type you want available in your area?
Not all types of WAN connections are available in every part of the world. For example, ISDN is not as widely deployed in the U.S. as it is in Europe. It often takes several weeks to get an ISDN line, a Frame Relay connection, or a leased line installed at your premises. Installation time for an asynchronous line is typically much faster. You should consider both availability and lead time in your planning and in your choice of WAN media.
What are the fixed costs?
There will be one-time installation charges from the telephone company for installation of a WAN line. These charges vary both by the type of the line and by geographic location. In addition, you will need to purchase a WAN card to install in the NetWare server for whatever WAN media you choose. See Step 4, "Select a WAN card", for hints on how to choose a WAN card.
What are the recurring costs?
For any type of WAN connection, you will have monthly charges for the line both from the line service provider and the Internet Service Provider. Typically, an asynchronous dial-up line has the lowest cost, whereas a leased line has the highest cost. ISDN is tariffed differently by country, or by RBOC in the U.S. If you support sites in multiple locations, check the line charges in each location before making a decision.
Do you need flexibility to adjust bandwidth as needed?
You should also consider growth needs when choosing a WAN media. Some Frame Relay providers allow expansion from 56 Kbps to 512 Kbps in 56 Kbps increments. Fractional T1 also allows you to increase or decrease the bandwidth as needed. If you plan to do this, be sure that the ISP you choose supports this option.
So Which WAN Type is Best for My Network?
Leased lines offer permanent connectivity and high bandwidth, but they are also the most expensive option. Fractional T1 lines offer flexibility in pricing and bandwidth. Frame Relay is a good compromise between speed and cost, but it is not always offered by ISPs. ISDN offers high bandwidth, but at a higher usage cost compared to asynchronous dial-up connections. An ISDN line is useful for on-demand connectivity, but costs must be closely monitored. Charges for ISDN access vary by region, but generally ISDN lines are more costly than analog lines. Ordering and installing an ISDN line will take some time. Many ISPs can help with this complex procedure. Asynchronous dial-up connectivity can be done with a modem on an analog phone line. You can use either a WAN card inside the server or the COM port of the PC running the MPR 3.1 software. In either case, the usage cost of an analog line can be very low, depending on the destination of the call. A connection via the COM port can offer only the rates supported by the UART chip in the PC. The following table summarizes these considerations for the various WAN types:
Must order in advance
Must order in advance
Must order in advance
Modem + WAN Card
Use existing phone lines
Modem + COM Port
Use existing phone line
Step 3: Choose an Internet Service Provider
Given the current competitiveness in the Internet access market, finding the best Internet Service Provider to fit your needs can be time consuming. Below are some factors you should consider when choosing an ISP.
Different Types of Internet Service Providers
ISPs generally fall into three categories:
Carrier-level ISPs (AT&T, MCI, Sprint). These ISPs can offer guaranteed bandwidth between Internet sites on their respective networks.
National ISPs (UUNET, PSI, Netcom). These offer high levels of service and more favorable pricing if you have multiple ISP accounts in different locations.
Regional ISPs (Earthlink, Internex). These are often cheaper than the national ISPs, but may not offer the latest services or the highest level of service.
Novell has tested IntranetWare connecting to an ISP as described in this AppNote with the following ISPs: UUNET, PSI, Netcom, Sprint, Earthlink, and Internex. In addition to choosing the type of ISP, there are some further issues to consider.
WAN Media Type and Availability. Not all types of WAN media are available in all areas, and not all ISPs in an area will support all WAN types. Make sure that the ISP you select supports the WAN media type you have chosen.
Lead Time. Inquire about the lead time until the WAN line and ISP account are active. Installation of ISDN, Frame Relay, and leased lines can have long lead times, depending on services available in your area. The ISP may also require lead time to enable a new account.
IP Addresses. If you use IPX at the workstations and will use the IPX/IP Gateway in IntranetWare to provide connectivity to the Internet, you need only one IP address from the ISP. The IPX/IP gateway in IntranetWare will provide protocol translation from the IPX workstations on the LAN to IP on the connection to the ISP.
If you use TCP/IP at the workstations, you have two options:
If the IP addresses already on your network are legal, inquire whether the ISP will include a static route to your IP networks or exchange a routing protocol with routers on your network.
If the IP addresses already on your LAN are illegal, or if the ISP will not set a static route to your network, you must reassign the IP addresses on the NetWare MultiProtocol Router and any LAN workstations that will be using the Internet via this connection with ones that the ISP assigns.
If you use the IP addresses from the ISP on your network, you will probably have to return the IP addresses if you cancel your account with that ISP. This means that you cannot change ISPs without also changing all of the IP addresses on your LAN workstations. Accounts in which blocks of IP addresses are assigned are often called "business" or "dedicated" accounts. This kind of account will be more expensive than the low-priced, single-user accounts targeted at the home user. This additional cost for IP addresses should be considered when you decide to use IP or IPX at the LAN workstation.
DNS Service. The Domain Name Service (DNS) on the Internet provides a mapping between a host name (such as www.novell.com) and an IP address (such as 18.104.22.168). You can maintain your own DNS server(s) on your network by using either the DNS server in IntranetWare or by using any other DNS server. You might choose to use the DNS server provided by the ISP. The ISP will probably charge you an additional fee to use their DNS service, but this will save you the effort and expense of maintaining your own DNS server. If you have a very limited intranet, you can choose not to use DNS and maintain the sys:etc\hosts file to allow mapping of user-configured host names into IP addresses.
Other Services. Inquire about other services from the ISP, such as Web site hosting or NNTP news feeds. Paying the ISP to host your Web site on their server would reduce the bandwidth necessary to your site, and decrease capital and support costs for a Web server machine.
Price. Inquire also about prices and discounts available from each ISP. This is a very competitive market, and prices change frequently, so beware of long-term contracts.
Support Issues. The quality and level of support offered by Internet Service Providers varies. Smaller operations may not have support available 24 hours a day, 7 days a week. Typically, ISPs that have been operating for many years have more experienced support staffs. However, it is hard to prejudge the usefulness of a support staff before problems occur. Inquire now about the availability of support, and what the target time is from when a problem is called in until it is closed. If the connection to the ISP is mission-critical, the frequency of outages and resolution times are probably very important to your organization.
For a more in-depth discussion on choosing an ISP, BBN has a good tutorial on the different issues to consider. It is located at this address:
Step 4: Select a WAN Board
For any solution other than the low end choice of an asynchronous dial-up via the COM port, you will need a WAN board in the server from which the connection to the Internet Service Provider will be made. This section discusses issues to consider when selecting a WAN board.
Novell Labs Certification
The WAN board you use should be certified for use with Novell software. Novell Labs publishes a list of tested, certified WAN and LAN boards for IntranetWare, NetWare Connect, and the NetWare MultiProtocol Router. A list of certified LAN and WAN drivers can be found at the following address:
For WAN boards, click WAN Adapters & Communications Drivers. For LAN boards, click LAN Adapters & Drivers. The bulletins are also available from the Novell Labs Faxback at 801-861-2776, 800-414-LABS, or +441344-724444 for Europe and the Middle East. For your convenience, we have reproduced an online document from Novell Labs describing how to select WAN hardware (see "How to Select WAN Hardware for Your Novell Product" in this issue). The online version is available at the following address:
Choosing a WAN card that supports both asynchronous and synchronous WAN connections provides more flexibility for the future. You can then easily change from an asynchronous connection to a synchronous connection and still use the same WAN card. Here are some general guidelines:
An AIO-compliant card such as a DigiBoard supports only asynchronous dial-up lines, and cannot be used for any other kind of WAN media.
An ODI-compliant board, such as the Eicon PacketBlaster or the Digi Sync/570, can support either asynchronous dial-up, leased line, Frame Relay, or X.25 connections. This would allow you to change WAN media without having to purchase another WAN card.
ISDN cards are typically useful only for ISDN connections.
Several third-party companies build routing solutions that use MPR technology, and remote access solutions that use NetWare Connect technology. These solutions sometimes provide additional functionality, and are usually tightly integrated with the hardware to provide easier installation. If you choose to use the NetWare MultiProtocol Router or NetWare Connect, these types of solutions might save you time and money.
Step 5: Configure IntranetWare or the MPR
After you have chosen your ISP and WAN hardware and have your phone line installed, you must next install the WAN hardware and configure IntranetWare or the NetWare MultiProtocol Router software accordingly. To install the WAN board in the server or router, follow the instructions in the documentation that comes with the WAN board. To configure IntranetWare or the MPR 3.1 software, follow the instructions in the Novell documentation. There is an example of this configuration later in this AppNote. The general procedure for configuring a new WAN board and interface is as follows:
Configure the WAN board and network interface.
Create a call to an Internet Service Provider and supply a login script if necessary.
Bind IP to the WAN interface.
Establish a default static route, and disable IP routing on this connection. If you disable routing on the WAN interface, the ISP must configure a static route for all of the IP networks on your LAN that will connect to the Internet.
The following considerations apply to IntranetWare or MPR configurations in general.
IP Addresses. If you are using IP at the workstations, and the ISP requires a numbered IP WAN connection, bind one of the IP addresses assigned by the Internet Service Provider to the WAN interface which will be placing the call to the ISP.
Login Scripts. Some ISPs require the calling system to provide a user name and password before sending PPP to establish a connection. This is typically true only on low-speed connections. If you use IntranetWare or the NetWare MultiProtocol Router 3.1 to make a PPP dial-up connection, a login script will provide this information.
Login scripts are defined in two stages: creating the script, and supplying the information for the login script. Creating the script is done in an ASCII editor. The script is then compiled on the server. The parameters are substituted with information defined in the WAN Call Directory screen of inetcfg.nlm. Here is a sample login script named PPPCHAT.SCR:
SCRIPT = "pppchat"
;;PARMS ="login name" ="login password"
;Wait 2 sec, send Carriage Return, wait 1 sec, send another CR
CHAT = "P20O''M'J'"
CHAT = "P10O''M'J'"
;Wait for login prompt, pause 2 sec, and send login name
;and a carriage return
CHAT = "I'login:'P20O''M'"
; Wait for password prompt, pause 2 sec, and send password
; and a carriage return
CHAT = "I'password:'P20O''M'"
Note: Be careful of the zeros (0) and Os (O), and the front quote (') and back quote (').
This script waits two seconds, sends a carriage return, waits another second, and then sends another carriage return. It then looks for the "login" prompt from the ISP's device. When this string is recognized, it pauses two seconds, and then sends the login name specified in the WAN Call Destination. It then waits for the "password" prompt, pauses two seconds once the prompt is received, and then sends the password specified in the WAN Call Destination. The two devices then establish a PPP connection. You can compile the text version of the script into a machine-readable version with the following example command:
load mdmcvt sys:system\pppchat.scr sys:system\pppchat.lsc
The parameters for the login script are then supplied in the INETCFG utility in the WAN Call Directory menu. For the WAN Call Destination that you will use to call an Internet Service Provider, press <Enter> twice on the field titled "Login Script Name". Choose your login script from the listing of login scripts that is displayed. Fill in the fields you defined with the appropriate information. Then continue with the configuration as normal. For a more detailed description of login scripts, refer to Appendix A of the NetWare MultiProtocol Router 3.1 Configuration Guide.
WAN Call Destination: Permanent or On-Demand? This choice depends on the WAN media you are using. If you have permanent connectivity via a leased line or Frame Relay, select permanent for this WAN Call Destination. If you have a WAN type which charges by the connection or by the packet, select on-demand for this WAN Call Destination.
Example of Configuring IntranetWare's Novell Internet Access Server 4 or the MPR 3.1 for ISDN
The following is an example of how to configure an outbound WAN call on an ISDN line using an Eicon ISDN card. Configuration procedures for other boards vary. If you have chosen a different WAN card or media, modify these instructions as needed, or refer to the IntranetWare or MPR manuals. For an on-demand outbound call using ISDN, complete the following steps:
Answer Yes if you receive the following prompt:
Transfer LAN driver, protocol and remote access commands?
Under Boards, press <Ins> to add a new board, then select WHSMCAPI.
Enter a name for the new board (for example, ISDNBOARD).
Select CAPI Board Options, then select Yes in response to the following prompt:
Should INETCFG automatically load the CAPI driver?
Select the appropriate driver from the displayed list.
From the CAPI Board Configuration screen, configure any displayed parameters, if necessary, then press <Esc>.
Select Driver Specific Configuration, press <Ins> to add a new adapter, then configure the following parameters:
Parameter  Value
Name of the board from Step 4 (for example, ISDNBOARD)
Vendor-specific information (options are Quadro, S2M, SX, and SCOM)
I/O address of the ISDN adapter (for example, D0000)
Interrupt request level (IRQ) used by the board
ISDN protocol required for your ISDN switch
Terminal end-point identifier (usually Automatic)
Enabled if your ISDN switch expects the ISDN adapter to respond as NT2
Service Profile ID
Select to modify
Select Service Profile ID and press <Enter> to specify the service profile ID and organization address provided by your ISDN service provider, then configure the following parameters.
Parameter  Value
Service profile ID
From the main INETCFG menu under Network Interfaces, select the desired interface (for example, ISDNBOARD_1), press <Enter>, then select PPP from the Select a Medium menu and configure the following parameters, if applicable:
Parameter  Value
Telephone number of this ISDN interface
ISDN subaddress from the provider
ISDN (AT controlled)
From the main INETCFG menu under WAN Call Directory, press <Ins> to configure a new WAN call destination, then configure the following parameters:
Parameter  Value
New WAN Call Destination Name
Name consisting of up to 37 alphanumeric characters (for example, CALLOUT)
Supported Wide Area Medium
Under PPP Call Destination Configuration, configure the following parameters:
Parameter  Value
Name of the interface you configured previously (for example, ISDNBOARD_1)
Telephone number of your ISP used for outbound calls
As required by your ISP
As provided by your ISP
Your local system ID
Name you choose to identify the ISP connection
From the main INETCFG menu under Bindings, press <Ins> to add a new binding, then select TCP/IP from the list of configured protocols.
Select a Network Interface from the "Bind to?" menu, then choose the network interface you configured previously (for example, ISDNBOARD_1).
Under Binding TCP/IP to a WAN Interface, configure WAN Network Mode to unnumbered point-to-point. To use unnumbered mode, at least one LAN or WAN interface on your router must have an IP address. (Numbered mode is not supported for ISDN in this release of IntranetWare.)
Select WAN Call Destinations, press <Ins>, press <Enter>, select the WAN call destination created previously (for example, CALLOUT), then set Type to Static On Demand.
Select Static Routing Table, press <Ins> to add a new entry, then set the IP Address of the Network/Host to 0.0.0.0.
Choose Reinitialize system from the INETCFG main menu.
Step 6: Configure the Workstations
If you will be using IPX on the workstations and IntranetWare to connect to the Internet, load NetWare Client 32 from the IntranetWare CD-ROM on the Windows 3.1 or Windows 95 workstations. Follow the instructions on the Novell Internet Access Server Quick Reference Card to properly configure the Windows 95 and Windows 3.1 workstations.
If you will be using TCP/IP on the workstations, you will need to install and configure a TCP/IP stack on each workstation. Use the IP addresses assigned by the Internet Service Provider for the workstations.
Using the Dynamic Host Configuration Protocol (DHCP) to administer IP addresses can greatly simplify the administration of IP addresses. NetWare/IP 2.2, which is included in IntranetWare, has support for DHCP. With DHCP, you can manage short term "leases" of IP addresses or assign addresses permanently. You can also download NetWare/IP 2.2 from the following location:
The files you need are nip22b.exe for the server software, nipw22.exe for the workstation software, and tcp16.exe for the 4/30/96 update to tcpip.exe.
Step 7: Decide How Many IPX/IP Gateways, and Assign Users
Every stratification of IntranetWare includes a 250-user version of the Novell IPX/IP gateway and a one-WAN-port version of the NetWare MultiProtocol Router. Additional MPR licenses can be purchased to increase the number of WAN ports. If you need more capacity to access the Internet, look first at the type of WAN media you are using to connect to the Internet. If users complain of slow performance, upgrading to a higher capacity line may be the best solution. If the WAN line is of sufficient capacity, monitor the performance of the IPX/IP Gateway. If the Utilization is too high (viewed through the MONITOR.NLM), consider moving the IPX/IP gateway to a lightly loaded file server. You should regularly monitor the CPU utilization on the IntranetWare server, and adjust the number of IPX/IP Gateway users or other processes as needed. If a gateway is overloaded, you can configure users to prefer specific gateways as follows.
For Windows 3.1 workstations, set the preferred gateway by double-clicking on the IPX/IP Gateway Switcher icon in the NetWare Tools program group. Enter the name of your preferred gateway in the "Preferred Server" box.
For Windows 95 workstations, click Start, Settings, Control Panel. Click Network, highlight Novell NetWare IPX/IP Gateway in the box and click Properties. Click the tab titled "IPX/IP Gateway," and enter the name of your preferred gateway server in the "Preferred gateway server" box.
Note: If you are mixing intranet and Internet access, be sure to specify the preferred gateway which has Internet access for users that will access the Internet.
Will you have both an intranet and access to the Internet?
If you have multiple IPX/IP Gateways on the same network, you must specify the IPX/IP Gateway with outbound access to the Internet as the preferred gateway for any workstations needing outbound access. If one of these workstations needs intranet access, IntranetWare will know to route the traffic to the TCP/IP service on the intranet.
Step 8: Establish the Necessary Security
If you chose to run IPX on your workstations, the IPX/IP Gateway in IntranetWare will act as a natural firewall for your LAN. Hackers cannot send packets into your LAN because there are no IP addresses on your LAN other than those on the Novell Internet Access Server. If you chose to run IP on the workstations, and you have legal IP addresses on your network, and the ISP has a static route to your network or is performing IP routing over the link, there is a security hole. With this setup, it is essential that you install a proper firewall to deter hackers.
Authentication and Access Control
Users must authenticate through the NDS login process before using the IPX/IP gateway if access control is enabled. This helps to keep unauthorized LAN users from using your company's Internet access resources. Access control for the Novell Internet Access Server is made possible through the NDS login; it is tree-wide and not tied to a specific gateway. This means a user has the same access control restrictions regardless of which IPX/IP gateway is being used.
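The access-control behaviour described above, modelled as an added example (not Novell's code or configuration format). The rule layout, user names, and addresses are hypothetical, and default-deny for a logged-in user with no matching rule is an assumption of this model.

```python
"""Model of the IPX/IP Gateway access-control decision described in this AppNote.

Added illustration only: the rule layout and every name below are hypothetical,
not Novell's configuration format or API.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule; a field left as None matches anything."""
    ports: Optional[frozenset] = None   # TCP destination port numbers
    networks: Optional[tuple] = None    # target hosts, as CIDR strings
    start: Optional[time] = None        # time-of-day window start (inclusive)
    end: Optional[time] = None          # window end (exclusive, may wrap midnight)

    def matches(self, port, dest, when):
        if self.ports is not None and port not in self.ports:
            return False
        if self.networks is not None:
            addr = ip_address(dest)
            if not any(addr in ip_network(n) for n in self.networks):
                return False
        if self.start is not None and self.end is not None:
            if self.start <= self.end:
                in_window = self.start <= when < self.end
            else:  # window wraps midnight, e.g. 22:00 to 06:00
                in_window = when >= self.start or when < self.end
            if not in_window:
                return False
        return True


@dataclass
class TreePolicy:
    """Tree-wide policy: one rule set per NDS user, shared by every gateway."""
    access_control_enabled: bool
    rules: dict = field(default_factory=dict)  # NDS user name -> [Rule, ...]


def decide(policy, nds_user, port, dest, when, gateway="GW1"):
    """Return (allowed, reason).

    `gateway` is accepted but never consulted, mirroring the tree-wide
    behaviour the text describes. `nds_user` is None for a workstation
    that has not logged in to NDS.
    """
    if not policy.access_control_enabled:
        # Disabling access control opens the gateway to everyone, everywhere.
        return True, "access control disabled: any user, any site, any time"
    if nds_user is None:
        return False, "no NDS login"
    for rule in policy.rules.get(nds_user, []):
        if rule.matches(port, dest, when):
            return True, "matched allow rule"
    return False, "no matching rule (default deny in this model)"


# Constructed sample policy (user names and addresses are made up).
POLICY = TreePolicy(
    access_control_enabled=True,
    rules={
        # Web access to any host during business hours.
        "alice.sales.acme": [
            Rule(ports=frozenset({80, 443}), start=time(8, 0), end=time(18, 0)),
        ],
        # Telnet to one partner network during the overnight window.
        "ops.it.acme": [
            Rule(ports=frozenset({23}), networks=("192.0.2.0/24",),
                 start=time(22, 0), end=time(6, 0)),
        ],
    },
)

# The same rules with the switch turned off.
OPEN_POLICY = TreePolicy(access_control_enabled=False, rules=POLICY.rules)

if __name__ == "__main__":
    checks = [
        ("alice.sales.acme", 80, "198.51.100.7", time(9, 0)),
        ("alice.sales.acme", 80, "198.51.100.7", time(19, 0)),
        ("ops.it.acme", 23, "192.0.2.10", time(23, 30)),
        (None, 80, "198.51.100.7", time(9, 0)),
    ]
    for user, port, dest, when in checks:
        print(user, port, dest, when, "->", decide(POLICY, user, port, dest, when))
    print("disabled ->", decide(OPEN_POLICY, None, 6667, "203.0.113.9", time(3, 0)))
```
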
It's easier than you think to connect directly to the Internet from your Novell network. This AppNote has described a simple, eight-step procedure you can follow. The first step is to decide which product to use: IntranetWare, NetWare MultiProtocol Router 3.1, or NetWare Connect 2. If you use the IPX/IP Gateway in IntranetWare, you won't even have to load a TCP/IP stack at each workstation. Once you've decided on the product, you just select the appropriate WAN media type and WAN hardware, choose an Internet Service Provider, install your WAN card in the server, get your WAN line installed to your premises, configure the IntranetWare server and workstations, establish the necessary security, and voilà! Your NetWare network is connected to the Internet.
* Originally published in Novell AppNotes