Question : vpn-client with security-tokens and BM3.8 with or without rsa-e server?
Hello,
We are planning the purchase of a complete new network setup: new Novell NetWare 6.5 servers, BorderManager 3.8, GroupWise ....
We want to give some (max 25) users the possibility to work from home via broadband as though they were on the network. This must be secure: VPN client with RSA token authentication and NDS verification.
Besides BM3.8, what do we need? Do we need an RSA-E server, or can BM handle the tokens on its own? What do we need on the BM side? Is there a special VPN client for this?
The planned setup is:
home <--> internet <--> Cisco PIX <--> BM <--> LAN
RSA and Novell don't give us consistent answers. Both give different answers on different occasions: when it's yes on one occasion, it's no on another.
Who has the hands-on experience and can tell me what we will need in the end?
Thanks in advance ...
John Destreel
Answer : vpn-client with security-tokens and BM3.8 with or without rsa-e server?
All VPNs use a client of some sort. Novell's VPN client is actually pretty slick.
Here are some properties of the client and the different authentication methods it can use (from TID# 2967770). The X509 certificate mode can use a service or the certificate server that comes with NetWare. NMAS authentication mode requires you to use NMAS (Novell Modular Authentication Services), which might require you to purchase additional NMAS products if you want to use smart cards, biometrics or the like. NICI is Novell International Cryptographic Infrastructure. PKIS has been part of NetWare for years. Hope this helps you to understand.
======== The following features are available in the VPN client software.
2.1 X509 Certificate Authentication Mode
The NBM 3.8 VPN Client has to provide the user's X.509 certificate and the server's trusted root to perform IKE main mode authentication. These two should be copied to the local workstation (:\novell\vpnc\certificates\users and :\novell\vpnc\certificates\trustedroot, respectively) from which the VPN is to be executed.
2.1.1 Certificate Retrieval
The VPN Client provides a feature to retrieve the user certificate from Novell eDirectory. It requires the Novell Client as a dependency. If the Novell Client is installed, this option will be enabled so the user can retrieve his/her certificate. To retrieve the user certificate you have to provide username, password, context, tree, IP address (optional) and the user certificate name (only the name, for example adminCert). This will retrieve the user certificate and store it under :\novell\vpnc\certificates\users as AdminCert.pfx. If the user has more than one certificate, they will be stored as AdminCert(n).pfx (n = 1..n).
2.1.2 Local Policy
In IKE mode of authentication the user can provide IKE and IPsec parameters by clicking the policy editor on the VPN tab. This policy is mandated to the VPN server if the server is not imposing any policy.
2.2 NMAS Authentication Mode
The Novell VPN client is integrated with Novell Modular Authentication Service (NMAS). NMAS works with the Novell Client; install the Novell Client to benefit from the NMAS functionality.
Select the NMAS option in the Configuration tab and provide NMAS user information and credentials in the eDirectory tab. In the VPN tab provide the VPN server IP address and the NMAS sequence (for example, NDS/eDirectory, Universal Smart Card, Simple Password and so on). For credentials, the method will pop up a dialog box if they are not already entered.
2.3 NMAS LDAP Authentication Mode
Select NMAS and check the LDAP box in the Configuration tab. Go to the VPN tab and enter the VPN server IP address and the LDAP user DN (for example, CN=Admin,O=Novell). The LDAP method will pop up a dialog box for the credentials.
2.4 Backward Compatibility Mode
Select Backward Compatibility mode in the Configuration tab. Provide eDirectory credentials in the eDirectory tab. In this mode the NBM 3.8 Client will talk to the NBM server (BMEE 3.6, NBM 3.7, NBM 3.8) in SKIP mode. ActiveCard token authentication will be enabled if NMAS is installed on the client. The ActiveCard token authentication method will work if the ActiveCard token method is configured for the user in eDirectory. The VPN tab requires credentials for the ActiveCard token method.
2.5 Pre-shared Authentication Mode
Select Pre-shared Authentication mode in the Configuration tab. Go to the VPN tab and provide the password for the pre-shared key configured on the VPN server.
2.6 VPN Client Integrated with Novell Client
This version of the Novell VPN Client will integrate into the Novell Client for Windows 98, Windows NT, Windows 2000, or Windows XP Home. Restart the machine after installing the new VPN client. During the restart the VPN client will integrate with the Novell Client. Once the system comes up, the Novell Login screen will have a Location drop-down list. The list will contain the default entry as well as an entry for the VPN capabilities. You can select any of the locations, depending on the operation to be performed.
Four new tabs are available that can be configured in a Service Instance by selecting Novell Client32 Properties. The four tabs do the following:
- Configuration: To provide the authentication mechanism for the VPN client as well as dial-up, Novell login, the IPX option and a launcher to launch an application after the VPN connection.
- VPN: To provide credentials for the authentication type mentioned in the Configuration tab.
- Dial-Up: To perform the dial-up operation. This tab will appear in the Configuration tab if dial-up is enabled.
- VPN Status: Displays the status of the VPN dial-up and/or authentication.
2.7 All VPN Clients for Windows Platforms use NICI for Encryption
This version of the VPN client for Windows 98, Windows Me, Windows NT, Windows 2000 and Windows XP uses NICI (128-bit) encryption because there are no export restrictions with NICI.
2.7.1 NICI Versions
If NICI 1.7.0 (128-bit version) is not installed, the VPN Setup program installs it. This version of NICI overwrites NICI 1.5.7 (56-bit) or NICI 1.5.3 (56/128-bit), but not NICI 2.6.0. If NICI 2.6.0 is installed, NICI 1.5.7 and 2.6.0 will coexist.
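Added example, not part of the post above and not Novell's tooling or the TID's text: section 2.1 says the client needs two things for certificate mode, the user's certificate as a .pfx under certificates\users and the server's trusted root under certificates\trustedroot, and IKE main mode fails at the server if the two do not match. The script below builds a throwaway PKI in that shape with the openssl command line (assumed to be installed) and checks, before anything is copied to a workstation, that the user certificate inside the .pfx is currently valid and chains to the intended trusted root. It also shows the failure case of a certificate issued by some other root. The subject names, the export password and the directory layout are assumptions for the demo, not Novell defaults.

```shell
#!/bin/sh
# Added example (not Novell's code): verify a user .pfx against a trusted root
# the way the NBM 3.8 VPN client's X.509 mode will need them to relate.
# Requires the openssl CLI. All names, passwords and paths are demo assumptions.

PFX_PASS="demo-export-password"   # assumed export password for the .pfx

# make_demo_pki DIR: creates DIR/trustedroot/root.pem (stands in for the VPN
# server's trusted root), DIR/users/AdminCert.pfx (the user certificate and key,
# as the client stores it) and DIR/work/wrongroot.pem (an unrelated root).
make_demo_pki() {
    dir="$1"
    mkdir -p "$dir/trustedroot" "$dir/users" "$dir/work"
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Example/CN=VPN Trusted Root" \
        -keyout "$dir/work/root.key" -out "$dir/trustedroot/root.pem" 2>/dev/null
    # User key and CSR, then a certificate signed by the root (the role the
    # eDirectory certificate server plays on the page).
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=adminCert" \
        -keyout "$dir/work/user.key" -out "$dir/work/user.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/work/user.csr" \
        -CA "$dir/trustedroot/root.pem" -CAkey "$dir/work/root.key" -CAcreateserial \
        -out "$dir/work/user.pem" 2>/dev/null
    # Package certificate + key as PKCS#12, the form kept under certificates\users.
    openssl pkcs12 -export -in "$dir/work/user.pem" -inkey "$dir/work/user.key" \
        -name "adminCert" -out "$dir/users/AdminCert.pfx" -passout "pass:$PFX_PASS"
    # A second, unrelated root to demonstrate a mismatched trusted root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/O=Other/CN=Some Other Root" \
        -keyout "$dir/work/wrong.key" -out "$dir/work/wrongroot.pem" 2>/dev/null
}

# check_vpn_client_certs PFX PASSWORD ROOT: returns 0 if the end-entity
# certificate inside PFX opens, is within its validity period and chains to
# ROOT; returns 1 (with a reason on stderr) otherwise.
check_vpn_client_certs() {
    pfx="$1"; pass="$2"; root="$3"
    tmp=$(mktemp)
    # Extract only the client certificate, not the private key.
    if ! openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
            -out "$tmp" 2>/dev/null; then
        echo "cannot open $pfx (bad password or corrupt file)" >&2
        rm -f "$tmp"; return 1
    fi
    # Reject expired or not-yet-valid certificates.
    if ! openssl x509 -in "$tmp" -noout -checkend 0 >/dev/null 2>&1; then
        echo "user certificate is expired or not yet valid" >&2
        rm -f "$tmp"; return 1
    fi
    # Require a chain to the root that will live under certificates\trustedroot.
    if ! openssl verify -CAfile "$root" "$tmp" >/dev/null 2>&1; then
        echo "user certificate does not chain to $root" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    return 0
}

# Stand-alone run: positive check against the right root, negative against the wrong one.
if [ "${DEMO_RUN:-1}" = "1" ]; then
    d=$(mktemp -d)
    make_demo_pki "$d"
    check_vpn_client_certs "$d/users/AdminCert.pfx" "$PFX_PASS" "$d/trustedroot/root.pem" \
        && echo "OK: AdminCert.pfx chains to the trusted root"
    check_vpn_client_certs "$d/users/AdminCert.pfx" "$PFX_PASS" "$d/work/wrongroot.pem" \
        || echo "Rejected: wrong trusted root (expected)"
    rm -rf "$d"
fi
```

The check deliberately pulls only the certificate out of the .pfx (-clcerts -nokeys) so the private key never lands in a temp file; with 25 home users, running it over each exported .pfx before distribution catches the two things the page's certificate mode depends on, a wrong trusted root and an expired user certificate, without touching the VPN server.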