Novell ZENWORKS NETWORK ACCESS CONTROL Installation Guide

Novell®
www.novell.com
Installation Guide
ZENworks® Network Access Control
novdocx (en) 24 March 2009
AUTHORIZED DOCUMENTATION
5.0
September 22, 2008


Legal Notices
Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc., makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classification to export, re-export or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in the U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical biological weaponry end uses. See the Novell International Trade Services Web page (http://www.novell.com/info/exports/) for more information on exporting Novell software. Novell assumes no responsibility for your failure to obtain any necessary export approvals.
Copyright © 2008 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell, Inc., has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed on the Novell Legal Patents Web page (http://www.novell.com/company/legal/patents/) and one or more additional patents or pending patent applications in the U.S. and in other countries.
Novell, Inc. 404 Wyman Street, Suite 500 Waltham, MA 02451 U.S.A. www.novell.com
Online Documentation: To access the latest online documentation for this and other Novell products, see the Novell Documentation Web page (http://www.novell.com/documentation).
Novell Trademarks
For Novell trademarks, see the Novell Trademark and Service Mark list (http://www.novell.com/company/legal/trademarks/tmlist.html).
Third-Party Materials
All third-party trademarks are the property of their respective owners.
This Novell software product includes open-source software components. Novell conforms to the terms and conditions that govern the use of the open source components included in this product. Users of this product have the right to access the open source code and view all applicable terms and conditions governing open source component usage. Visit http://www.novell.com/products/zenworks/networkaccesscontrol/opensource to access open source code, applicable terms and conditions, and related information.
Contents
What You Need to Get Started 7
1 Deployment Flexibility 9
1.1 Deploying Novell ZENworks Network Access Control Inline . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.2 Deploying Novell ZENworks Network Access Control Using DHCP . . . . . . . . . . . . . . . . . . . . 12
1.3 Deploying Novell ZENworks Network Access Control Using 802.1X. . . . . . . . . . . . . . . . . . . . 15
1.4 Installing the Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.1 Inline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.2 DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1.4.3 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.4.4 Determining eth0 and eth1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
1.5 Deploying Novell ZENworks Network Access Control in VPN Mode on a Different Network . 19
2 System Requirements 23
novdocx (en) 24 March 2009
2.1 General System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2 Important Browser Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.1 Pop-up Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.2 Active Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
2.2.3 Minimum Font Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
2.2.4 Page Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
2.2.5 Temporary Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
3 Installing Novell ZENworks Network Access Control 31
3.1 Installing Novell ZENworks Network Access Control for the First Time . . . . . . . . . . . . . . . . . . 31
3.1.1 Downloading the New Install ISO Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
3.1.2 Creating the Installation CD from the Novell ZENworks Network Access Control Download . . . . . . . . 32
3.1.3 Installing Novell ZENworks Network Access Control. . . . . . . . . . . . . . . . . . . . . . . . . 33
4 Configuring Novell ZENworks Network Access Control 53
A Installation and Configuration Check List 55
A.1 Minimum System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
A.2 Installation Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
A.3 Installation Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
A.4 IP Addresses, Hostname, Logins, and Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
A.4.1 Single-server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
A.4.2 Multiple-server Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
A.4.3 Proxy Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
A.5 Agentless Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
A.6 Quarantine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
A.6.1 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
A.6.2 802.1X Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
A.6.3 DHCP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
A.6.4 Accessible services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
A.7 Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
A.8 Test Exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

What You Need to Get Started

You need the following prior to installing and running Novell® ZENworks® Network Access Control:
Minimum system (hardware and software) requirements – See Chapter 2, “System Requirements,” on page 23
IP addresses you will enter during the setup process – See Appendix A, “Installation and Configuration Check List,” on page 55
Install CD – See Chapter 3, “Installing Novell ZENworks Network Access Control,” on page 31
This Installation Guide helps you install and set up Novell ZENworks Network Access Control. The Novell ZENworks Network Access Control Users Guide (available on the CD in the /docs directory and through the online help links in Novell ZENworks Network Access Control) provides Novell ZENworks Network Access Control configuration information and task-based instructions.
1 Deployment Flexibility

Novell® ZENworks® Network Access Control v5.0 allows you to deploy multiple Enforcement servers (ESs) across a network and manage them from one central Management server (MS). You create logical groups of ESs by joining them to an Enforcement cluster.
The Novell ZENworks Network Access Control MS specifies many aspects of the Enforcement clusters; for example, the MS specifies the enforcement method (inline, DHCP, or 802.1X), how often the endpoints are retested, the tests run on the endpoints, and how to control the endpoints’ access.
The Novell ZENworks Network Access Control ESs detect and test endpoints on the network for compliance.
You can deploy each Novell ZENworks Network Access Control cluster in one of the following configurations:
Inline — When deploying Novell ZENworks Network Access Control inline, Novell ZENworks Network Access Control monitors and enforces all endpoint traffic. When Novell ZENworks Network Access Control is deployed as a single-server installation, Novell ZENworks Network Access Control becomes a Layer 2 bridge that requires no changes to the network configuration settings. When Novell ZENworks Network Access Control is installed in a multiple-server installation, you might have to configure the switch that connects the Novell ZENworks Network Access Control Enforcement servers to use Spanning Tree Protocol (STP) if STP is not already configured. Novell ZENworks Network Access Control allows endpoints to access the network or blocks endpoints from accessing the network based on their Internet Protocol (IP) address with a built-in firewall (iptables).
DHCP — When deploying Novell ZENworks Network Access Control inline with a Dynamic Host Configuration Protocol (DHCP) server, all DHCP requests pass through the Novell ZENworks Network Access Control server Layer 2 bridge. For a quarantined endpoint, Novell ZENworks Network Access Control distributes the quarantined IP address for the endpoint. If Novell ZENworks Network Access Control allows the endpoint to have access, Novell ZENworks Network Access Control allows your real DHCP server to distribute a non-quarantined IP address. Novell ZENworks Network Access Control assigns a DHCP IP address based on the quarantine area parameters you define during configuration. You can place restrictions on network access either at the gateway for the endpoint using Access Control Lists (ACLs), or on the endpoint by removing the endpoint’s gateway and adding static routes for accessible networks.
802.1X — When deploying Novell ZENworks Network Access Control in an 802.1X environment, you must install it where it can communicate with the Remote Authentication Dial-In User Service (RADIUS) server (or, Novell ZENworks Network Access Control has a built-in RADIUS server that you can use). The RADIUS server communicates with the switch, which performs the quarantining by moving ports or MAC addresses in and out of virtual local area networks (VLANs).
The following figures illustrate various deployment methods:
Figure 1-1 Single-server Installation, Quarantine Method, Inline
Figure 1-2 Multiple-server Installation, Quarantine Method, Inline
Figure 1-3 Single-server Installation, Quarantine Method, DHCP, Flat Network
Figure 1-4 Multiple-server Installation, Quarantine Method, DHCP

1.1 Deploying Novell ZENworks Network Access Control Inline

The ES’s position in the network is between the endpoints and the rest of the network, acting as a gateway and allowing only endpoints that have met the necessary security requirements to access network resources. Novell ZENworks Network Access Control uses two network interfaces to bridge traffic between endpoints and the rest of the network. Novell ZENworks Network Access Control uses a high-speed, Layer 2 bridge; network IP address changes are not required. Since Novell ZENworks Network Access Control itself denies endpoints access to the network, policy enforcement using internal routers, switches, or other endpoints is not required.
Novell ZENworks Network Access Control utilizes a pass-through authentication feature that allows it to work with any virtual private network (VPN), remote access server (RAS), and network authentication protocol or directory.
By default, an onboard firewall blocks all traffic from endpoints. Novell ZENworks Network Access Control allows network access to only successfully tested endpoints (or when there is a grace period for failed tests). When a test or tests pass, Novell ZENworks Network Access Control inserts rules into the onboard firewall to allow all traffic from the endpoint. Novell ZENworks Network Access Control uses a proprietary method to uniquely identify each endpoint as it connects to the network, and does not install cookies or software on the end-user’s endpoint.
NOTE: When the MS and ES are installed on the same server (single-server Installation), that server’s position in the network must be between the endpoints and the rest of the network.

1.2 Deploying Novell ZENworks Network Access Control Using DHCP

When you configure Novell ZENworks Network Access Control with a DHCP quarantine area, the Novell ZENworks Network Access Control ES must sit inline with your DHCP server. If this is not possible, you must configure a remote host for Device Activity Capture (DAC) as described in the User’s Guide, Remote Device Activity Capture. With a quarantined endpoint, the ES responds to the DHCP request and blocks the request from getting to the main DHCP server. When the endpoint is allowed access, Novell ZENworks Network Access Control does not respond to the DHCP request and lets the request through to the main DHCP server, which responds with normal DHCP settings. The Novell ZENworks Network Access Control DHCP server can respond to quarantined endpoints with one of these two types of DHCP settings:
DHCP settings for a separate quarantine subnetwork — In this case, network access is restricted by adding ACLs to your router between the quarantine subnetwork and all other networks. You must also add an IP helper address for the Novell ZENworks Network Access Control ES, and a secondary IP address for the quarantined subnetwork’s gateway, to the router.
DHCP settings using static routes — In this case, network access is restricted by giving the endpoint a normal IP address but not assigning a gateway. The advantage of this method is that it requires only one router change: adding an IP helper address for the Novell ZENworks Network Access Control ES. Also, some routers do not handle multi-netting well; multi-netting is required by the first method but not by this method of DHCP enforcement. The Novell ZENworks Network Access Control ES uses the following DHCP settings:
Gateway — None
Netmask — 255.255.255.255
DNS — Novell ZENworks Network Access Control ES IP address
Static routes — Configurable list of accessible IP addresses and networks
These DHCP settings effectively restrict all network access except to the IP addresses and networks specified as static routes in the accessible endpoints and services area. A list of Web sites can also be configured as accessible. You can access these Web sites through a proxy server, which is built into the Novell ZENworks Network Access Control ES. The Novell ZENworks Network Access Control ES responds to DHCPINFORM requests to automatically configure the proxy server in the browser.
Once the endpoint is allowed access, the IP address is automatically renewed and the main DHCP server assigns an IP address in the main LAN.
NOTE: When the MS and ES are installed on the same server (single-server Installation), that server’s position in the network must be inline with your DHCP server. It is the ES that responds to the DHCP request and blocks the request from getting to the main DHCP server.
TIP: When using DHCP mode and connecting directly to the DHCP server's network interface, be sure to use a crossover cable.
The following figure shows an example installation scenario for a simple (one LAN) setup with enforcement using ACLs on a router:
Figure 1-5 Single-server Installation, DHCP Mode, Simple Example
The following figure shows an example installation scenario for a complex (multiple LAN) setup with enforcement using ACLs on a router:
Figure 1-6 Single-server Installation, DHCP Mode, Complex Example
The following figure shows an example installation scenario for a setup with enforcement with static routes on the endpoint:
Figure 1-7 Single-server Installation, Endpoint Static Route Enforcement

1.3 Deploying Novell ZENworks Network Access Control Using 802.1X

To configure Novell ZENworks Network Access Control as 802.1X-enabled, install it with one of three different configurations, depending on your network environment (see Figure 1-8 on page 16):
1 Use the built-in Novell ZENworks Network Access Control RADIUS server to proxy to any other RADIUS server. In this configuration, the switch performs the 802.1X authentication against the Novell ZENworks Network Access Control RADIUS server, which proxies the request to another RADIUS server. During the return proxy of the authentication request, the Novell ZENworks Network Access Control ES instructs the switch in which VLAN to place the endpoint, based on its test status.
2 Use the built-in Novell ZENworks Network Access Control RADIUS server and user accounts. In this configuration, the switch performs the 802.1X authentication against the Novell ZENworks Network Access Control RADIUS server. The Novell ZENworks Network Access Control ES instructs the switch in which VLAN to place the endpoint, based on its test status.
3 Use the IAS plug-in to integrate with your existing RADIUS server. In this configuration, the switch performs the 802.1X authentication against the Microsoft Internet Authentication Service (IAS) RADIUS server. A Novell ZENworks Network Access Control plug-in to the IAS RADIUS server is available that instructs the switch in which VLAN to place the endpoint, based on its test status.
NOTE: With a single-server Installation, the ES instructs the switch in which VLAN to place the endpoint.
TIP: If the ES cannot see traffic on a mirrored port on a switch, you must configure a remote host for Device Activity Capture (DAC) as described in the User’s Guide, Remote Device Activity Capture.
A sample deployment is shown in the following figure:
Figure 1-8 802.1X Enforcement

1.4 Installing the Network Interface Cards

The number of network interface cards (NICs) required depends on the installation method selected as described in this section.

1.4.1 Inline

The inline installation of Novell ZENworks Network Access Control, where the MS and ES are installed on a single server, requires two network interface cards (NICs) installed for Novell ZENworks Network Access Control to operate properly.
The inline installation of Novell ZENworks Network Access Control where the MS and ES are installed on different servers requires at least three NICs; one for the MS and two for each ES.
The inline installation interfaces form a bridge from one part of your network to another as shown in the following figure. The Linux® operating system assigns each interface a name (for example, eth0, eth1, and so on). It is very important that you connect the eth0 interface to your local area network (LAN) side, and eth1 to the Virtual Private Network (VPN) side (for inline mode or for the main DHCP server in DHCP mode).
Figure 1-9 Single-server Installation, Ethernet Card Installation, Inline

1.4.2 DHCP

A DHCP installation requires two NICs where the MS and ES are installed on the same server (see Figure 1-10), and at least three NICs where the MS and ES are installed on different servers; one for the MS and two for each ES.
Figure 1-10 Single-server Installation, Ethernet Card Installation, DHCP

1.4.3 802.1X

802.1X-enabled Novell ZENworks Network Access Control installations require one NIC where the MS and ES are installed on the same server (see Figure 1-11), and two NICs where the MS and ES are installed on different servers. In 802.1X mode, eth1 on Novell ZENworks Network Access Control is used to discover endpoints on the network. To discover endpoints on the local network, eth1 can simply be plugged into a port on that subnet because it receives broadcast traffic. To discover endpoints on other networks, eth1 must be connected to a mirrored port or a port that is part of a tagged VLAN trunk to detect traffic from endpoints on these other networks. Usually, mirroring the ports on which the DNS and DHCP servers reside detects new endpoints sufficiently.
Figure 1-11 Single-server Installation, Ethernet Card Installation, 802.1X
TIP: It is strongly recommended that you use Intel NICs. If you use a different NIC, you might be unable to connect, or experience unpredictable results and availability.

1.4.4 Determining eth0 and eth1

To determine which interface is eth0 and which is eth1 using ethtool:
1 After installing Novell ZENworks Network Access Control, plug an Ethernet cable into only one of the interfaces.
2 Log into the Novell ZENworks Network Access Control MS as root and enter one of the following commands:
2a ethtool eth0
2b ethtool -p ethn x
Where:
n is the number of the Ethernet interface, for example 0
x is the number of seconds to allow the lights to blink
3 The return values are similar to the following, which also indicates (by the Link detected line) that the connected interface is eth0:
    # ethtool eth0
    Settings for eth0:
        Supported ports: [ MII ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Half 1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Half 1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 100Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: g
        Wake-on: d
        Current message level: 0x000000ff (255)
        Link detected: yes
TIP: In normal operation, Novell ZENworks Network Access Control does not respond to Internet Control Message Protocol (ICMP or ping) echo requests.

1.5 Deploying Novell ZENworks Network Access Control in VPN Mode on a Different Network

When Novell ZENworks Network Access Control is deployed in VPN mode, the eth1 interface on Novell ZENworks Network Access Control is usually connected directly (either by way of a crossover cable, isolated switch, or VLAN) to the LAN-facing side of the VPN concentrator. If the same logical subnet (such as 10.10.0.0/16) is used for Novell ZENworks Network Access Control, the concentrator, and the VPN clients, no modifications need to be made.
However, problems can arise if the following conditions are all true:
Novell ZENworks Network Access Control is in a different logical subnet than that used by the VPN concentrator or the VPN client endpoints.
The router on the LAN (eth0) side of Novell ZENworks Network Access Control is configured for best-practices egress filtering, and will not route packets that have a source IP address outside the network segment from which they appear to originate.
See the SANS Egress Filtering FAQ (http://www.sans.org/reading_room/whitepapers/firewalls/1059.php) for a more thorough discussion of egress filtering.
The most obvious symptom of this situation is that Novell ZENworks Network Access Control will not be able to redirect endpoint clients (they will get a blank browser page that appears to take forever to load) but the endpoint browser is able to browse directly to https://<Novell ZENworks Network Access Control_IP_Address>:89/ and get tested.
For example, for the following IP addresses:
Router IP — 10.1.90.254, on a /24
Novell ZENworks Network Access Control IP — 10.1.90.130, on a /24
VPN concentrator IP — 10.1.90.131, on a /24
VPN client IP range — 10.1.105.0/24
The VPN concentrator is configured to hand out IP addresses on the 10.1.105.0/24 subnet, while Novell ZENworks Network Access Control and the VPN concentrator itself are on the 10.1.90.0/24 subnet. Both Novell ZENworks Network Access Control and the VPN concentrator have a default route set through 10.1.90.254 which is a router or Layer 3 switch on the LAN (eth0) side of Novell ZENworks Network Access Control.
Because a connecting VPN endpoint is not on the same subnet as Novell ZENworks Network Access Control, all of the packets that Novell ZENworks Network Access Control sends (in response to HTTP requests from the endpoint) go to the router at 10.1.90.254, which knows to send them (back through the Novell ZENworks Network Access Control bridge) to the VPN concentrator for a next hop. For normal communication (such as testing traffic) between Novell ZENworks Network Access Control and an endpoint, this works fine, even if it seems a bit inefficient.
However, when Novell ZENworks Network Access Control redirects an HTTP connection, it first constructs an HTTP redirect with a source IP address corresponding to the original destination of the connection.
For example:
1. The endpoint connects to the VPN, and the browser requests www.google.com.
2. Novell ZENworks Network Access Control intercepts the packets addressed to google.com.
3. Novell ZENworks Network Access Control constructs an HTTP redirection to the Novell ZENworks Network Access Control IP, using packets which have a source IP address of www.google.com.
4. Novell ZENworks Network Access Control sends the constructed redirect to the VPN endpoint using the Novell ZENworks Network Access Control default route.
Those packets go to the LAN-side router, which in our scenario is configured with best-practices egress filtering. The router treats those packets as errors (because they are marked with a source IP address that should not emanate from that network segment) and drops them. This is why testing works when the endpoint connects directly to Novell ZENworks Network Access Control: the response packets still go to the LAN-side router, but it routes them appropriately because they have a valid source address.
The solution is to add a static route to Novell ZENworks Network Access Control so that it knows to send packets addressed to the 10.1.105.0/24 subnet via the VPN concentrator instead of the LAN-side router; it will then redirect correctly.
You also want to make the static route addition permanent across reboots.
To add a permanent static route to the Novell ZENworks Network Access Control server:
1 Log in as root to the Novell ZENworks Network Access Control server using SSH or directly with a keyboard.