Updated June 26, 2006
"Quick Guide to Configuring NetWare RADIUS (NMAS Version)"
Corrections to the First Edition, Beta 1 (September 7, 2005)
"A Beginner's Guide to BorderManager 3.x"
Corrections to the Third Edition, Beta 1 (June 6, 2006)
- On page 425, in the Cons section for FTP Reverse Acceleration, the book says that you
cannot post data to an internal FTP server. This is incorrect - you can indeed upload data to
internal FTP servers through the FTP Accelerator (Reverse FTP Proxy).
- On page 732, in regard to configuring an NMAS authentication rule, you should use 'Logged', not 'Password' as shown in the example and text. If you use 'Password', you may get the
infamous 'Failed receiving server DH public value' error when attempting to connect with the VPN client. A curious set of circumstances happened that hid this fact from me in my testing. I had a
workaround for this error, which involved moving the authentication rule order around with another rule. While that worked, it apparently worked because when moving the rule around, 'Password'
changed back to 'Logged' as a result!
Corrections to the Second Edition (January 15, 2003)
- On page 40, the graphic for Scenario 3 shows the Internet router's LAN subnet mask as 255.255.255.252. The subnet mask should be 255.255.255.248, matching the BorderManager
- On page 66, I state that you cannot put two BorderManager 3.7 servers into the same container as each 3.7 server needs its own NBMRuleContainer. This is partially incorrect (and depends
on patch level), but was based on personal experience where I was unable to get the second server in the container to work with filtering. You can share one NBMRuleContainer between multiple
BorderManager 3.7 servers, and I am not sure why my (repeated) attempts were unsuccessful. (I do NOT recommend that you put two 3.7 or 3.8 servers in the same OU!)
- On page 276, it says that you do not need a Read access rule to use NNTP Proxy when not using an internal NNTP server. This is incorrect. If you are using the NNTP Proxy to go to a public
NNTP server (Novell's public forums for instance), you need a Read access rule simply to read any of the forums. You need a Write access rule to post to the forums.
- On page 542, the crontab example is incorrect. The example shown will launch CSP_LIST at midnight, but also once per minute after that during the hour from midnight to 1:00am. The correct
syntax should be:
0 0 * * * SYS:\ETC\CPFILTER\CSP_LIST.NLM (note the leading zero).
- On page 566, the registration file should be called LINKWALL.KEY, not LINKWALL.REG.
****** older version errata listed below ****
Significant Errors or Corrections for Beta 1.0 (First Edition)
- Page 399 - The Access Rule example screenshot to Deny Any for SMTP Mail Proxy traffic is incorrect. That figure should match the one on page 200. The text description is correct.
Significant Errors or Corrections for Beta 2.0
- Page 194 - The public IP address in the text should be 188.8.131.52, not 192.168.10.254. The graphic is correct.
- Page 207 - The graphic for RealPlayer G2 setup for the RealAudio/RTSP Proxy incorrectly shows port 1092 for the HTTP Proxy port. It should show port 8080. (It should match the port used on
your BorderManager HTTP Proxy settings.)
Significant Errors or Corrections, and Additions for Beta 3.0 (final beta release)
- Updated descriptive text for Generic TCP and UDP proxy examples for pcANYWHERE.
- Added example for WS_FTP in FTP Proxy section
- Numerous small wording changes and several corrections to typographical errors.
- Added mention of BorderManager 3.6 throughout.
- Added sections for Client-to-Site VPN using pure IP login and VPN over NAT.
- Corrected mention of Portal where Web Manager was meant.
- Updated section on patches to reflect more recent patches.
- Updated BMON.NCF and BMOFF.NCF examples
- Updated troubleshooting section with additional information.
Corrections to the Beta 3.0 release, changes for First Edition
- Page 35, “TCP port 8080 traffic will come to the BorderManager server HTTP proxy, and the BorderManager server will then use standard HTTP (TCP port 80) to access web browser.”
should be “TCP port 8080 traffic will come to the BorderManager server HTTP proxy, and the BorderManager server will then use standard HTTP (TCP port 80) to access web servers.” (Change
browsers to servers).
- Page 39, Figure, lower right corner. “Site A BorderManager server protects network 192.168.11.0…” should have been “Site B BorderManager server protects network
- Several changes were made to both the Site-to-Site and Client-to-Site VPN chapters to clarify meaning.
- Notice about the ability for BorderManager 3.6 to handle NAT on the client side of Client-Site VPN was added to a few pages in the Client-to-Site VPN chapter.
- Some duplicate wording was removed in the Client-to-Site VPN chapter.
- Added mention of the use of the HOSTS file in addition to the NWHOST file for replacing SLP information with Client-to-Site VPN.
- Chapter 19, added VPN debug options.
- The headers were changed to include the chapter / section titles, and the book title was moved to the footer.
Corrections to the First Edition - to be included in First Edition, Revision 1.01
- Page 260, paragraph two, sentence three reads “You will have to specific source and destination values to limit inbound and outbound traffic as desired.”. It should have read
“You will have to specify source and destination values to limit inbound and outbound traffic as desired.”
- Page 427, the first sentence of the paragraph titled “Deny All Ports for Troubleshooting Purposes” reads “In the same way that the last rule logged URL denials, this
rule logs Port denials to the Access Control Log”, and it should have read “In the same way that the next rule logs URL denials, this rule logs Port denials to the Access Control
"Novell BorderManager: A Beginner's Guide to Configuring Filter Exceptions"
Significant Errors or Corrections for the Third Edition, Revision 2 (November 27, 2002)
- Page 147, I show a new dns-st filter exception that specifies source ports 1024-65535. I don't know how this got by my testing, but the source ports listed will not generally work.
Either use the built-in dns/udp-st definition, or build a custom definition specifying UDP source port 53. (In the second edition, this figure is on page 110).
- Page 238. The Lotus Notes client port number on the page and in Figure 7-14 is incorrect. It says port 1325, but the port number should really be 1352.
Significant Errors or Corrections for the Third Edition, Beta 1
- Corrected several small typos
- Figure 3-9 called out a static NAT address that did not match figure 2-1
- Figure 3-11 text changed from '...blocks all traffic to the public IP address' to '...blocks all traffic to the public interface'.
- Figure 7-14 screenshot showed port 110 when it should have shown port 25. Descriptive text was correct.
- Figures 10-5 and 10-6 had the source and destination ports reversed. Descriptive text was correct.
- Chapter 5 had the header for Chapter 6.
****** older version errata listed below ****
Significant Errors or Corrections for the Second Edition, Beta 1
- Corrected several small typos and misspellings (nothing major)
- Removed extra PDF bookmarks
- Added notes regarding issue with TCP IP DEBUG logging in NetWare 6.0. (This is the main update from beta 1 to the released version of the Second Edition).
Significant Errors or Corrections for the First Edition
- Page 3 - The Novell public forums have been changed to support-forums.novell.com (was forums.novell.com) for NNTP access.
- Page 90 - The RDATE example shows a screenshot of a non-stateful filter exception, and it should show stateful being enabled. The text is correct.