Novell's CNE Study Set -- IntranetWare/NetWare 4.11

IPX/IP Gateway

A supplement to Novell's CNE Study Set -- IntranetWare/NetWare 4.11
by David James Clarke, IV

The IPX/IP Gateway is the first of three global village products built into IntranetWare. The IPX/IP Gateway acts as a transition point between local IntranetWare IPX LAN traffic and Internet IP WAN traffic. This allows your IPX-based clients to access the Internet and other IP-based resources without having to install TCP/IP on the workstations themselves. As shown in Figure 540-5, this functionality is provided at the IntranetWare server using IPXGW.NLM. 

Figure 540-5: The IPX/IP Gateway 

With the IPX/IP Gateway, outside Web servers view all requests coming through the Gateway as having originated from the IntranetWare server's IP address. Then, all TCP/IP traffic returning to the Gateway can be forwarded to the appropriate Novell client using IPX rather than IP. This second phase of Figure 540-5 is accomplished using a special version of WINSOCK.DLL installed on the client. 

For example, suppose a Novell client using Netscape Navigator requests a host name such as www.cyberstateu.com. The Navigator requests WINSOCK.DLL to resolve and open a connection to the host name. The IPX/IP Gateway uses DNS to convert www.cyberstateu.com to the appropriate IP address (206.127.205.131). The Gateway then exchanges data between Novell's Web server and the requesting client, adding and stripping IPX headers as necessary to ensure reliable IP communications. Because the IPX/IP Gateway uses only a single IP address, the private network is safe from outside interference. This creates a natural "firewall." 
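
The exchange described above can be modelled as a session table. This is an added example, not Novell's code: the Gateway class, the gateway address 192.0.2.10, the port range and the IPX client addresses are constructed, and the internals of IPXGW.NLM are not described on this page.

```python
from dataclasses import dataclass, field
from itertools import count

GATEWAY_IP = "192.0.2.10"  # constructed: the gateway's single public IP


@dataclass
class Gateway:
    # Toy model only; not how IPXGW.NLM is implemented.
    hosts: dict                      # name -> IP, standing in for DNS
    sessions: dict = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(40000))

    def open(self, ipx_client, hostname, port):
        """Client asks (over IPX) for a TCP connection to hostname:port."""
        remote_ip = self.hosts[hostname]      # gateway resolves, not the client
        local_port = next(self._ports)        # gateway-side source port
        self.sessions[(local_port, remote_ip, port)] = ipx_client
        # What the outside server sees: only the gateway's address.
        return (GATEWAY_IP, local_port, remote_ip, port)

    def inbound(self, dst_port, src_ip, src_port):
        """Return the IPX client a returning segment belongs to, or None."""
        return self.sessions.get((dst_port, src_ip, src_port))

    def close(self, dst_port, src_ip, src_port):
        self.sessions.pop((dst_port, src_ip, src_port), None)


def demo():
    gw = Gateway(hosts={"www.cyberstateu.com": "206.127.205.131"})
    # Two constructed IPX clients (network:node) browse the same site.
    a = gw.open("0000A1B2:00001B2C3D4E", "www.cyberstateu.com", 80)
    b = gw.open("0000A1B2:00001B2C3D4F", "www.cyberstateu.com", 80)
    results = {
        "seen_source_a": a[0],
        "seen_source_b": b[0],
        # Replies are matched on the full tuple and handed back over IPX.
        "reply_a": gw.inbound(a[1], "206.127.205.131", 80),
        "reply_b": gw.inbound(b[1], "206.127.205.131", 80),
        # Unsolicited traffic matches no session, so nothing is forwarded.
        "unsolicited": gw.inbound(80, "198.51.100.7", 51515),
        # Right port, wrong remote host: still no match.
        "other_host": gw.inbound(a[1], "198.51.100.7", 80),
    }
    gw.close(a[1], "206.127.205.131", 80)
    results["after_close"] = gw.inbound(a[1], "206.127.205.131", 80)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model covers only unsolicited inbound traffic toward clients. The server running the gateway is still directly reachable at its own IP address, and whatever a client requests is still delivered to it.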

WINSOCK is an interface between Microsoft Windows and the TCP/IP protocol stack. It isn't actually part of TCP/IP, although we've been using it for so long that it seems as though it is. 

IP connectivity provided by Novell's IPX/IP Gateway offers many benefits. First and foremost, it avoids the need to install and manage IP addresses on each user's workstation. This removes many of the individual management hassles that occur when maintaining TCP/IP workstations -- for example, unique IP addresses, subnet mask data, default router addresses, and Domain Name Servers. 

Second, the IPX/IP Gateway avoids using additional memory on workstations for each TCP/IP stack. Third, it integrates seamlessly with the existing IPX and NDS WAN infrastructure. And finally, the IPX/IP Gateway provides simplified security by "fire-walling" all incoming and outgoing IP communications through a single gateway address. 

In this section, we're going to explore a variety of IPX/IP Gateway installation and management tasks. Here's a quick preview: 

  • Installing the IPX/IP Gateway 
  • Configuring the IPX/IP Gateway 
  • Adding IPX/IP Gateway Tools to NWADMIN 
  • Controlling Access to the IPX/IP Gateway 
  • Using the IPX/IP Gateway Client 
  • Troubleshooting the IPX/IP Gateway

Let's learn more about how to use Novell's IPX/IP Gateway as a bridge from our small IPX-based village to the high-speed information superhighway. 

Installing the IPX/IP Gateway

The IPX/IP Gateway is part of Novell's Internet Access Server (NIAS). NIAS is the foundation of our global electronic village. In addition to IPXGW.NLM, NIAS includes two related IP connectivity solutions: NetWare MultiProtocol Router 3.1 (MPR) and WAN Extensions 3.1. With these products, your IPX/IP Gateway can communicate with the outside world using Frame Relay, Integrated Services Digital Network (ISDN), Leased Lines, and/or X.25. 

If you plan to use the IPX/IP Gateway as part of an outbound WAN connection to an ISP, you must have a WAN interface board and Customer Premise Equipment (CPE). Of course, the faster your WAN connection, the faster you'll speed along the Internet superhighway. 

 
REAL WORLD
You can install driver support for any of the above WAN options by selecting the WAN Extensions option during the NIAS installation. For more information regarding WAN connectivity options, check out Novell Education Course 740 -- Internetworking with NetWare MultiProtocol Router. 

As I mentioned earlier, the IPX/IP Gateway is installed automatically as part of Novell's Internet Access Server (NIAS). For detailed installation instructions, consult Novell's CNE Study Guide for IntranetWare/NetWare 4.11, pages 1147-1150. 

TIP
Novell recommends that in addition to the standard IntranetWare server requirements, you add 4MB of memory for NIAS and an additional 500KB for each set of 100 additional TCP/IP connections using the IPX/IP Gateway. 

Once you've installed NIAS and the IPX/IP Gateway, you're ready to hop onto the information superhighway. This is accomplished by configuring the Gateway for your specific needs. Let's take a closer look. 

Configuring the IPX/IP Gateway

The IPX/IP Gateway is initially disabled by default. You can enable the Gateway by using the INETCFG.NLM utility at the IntranetWare console. Check out Figure 540-6 for a peek at the IPX/IP Gateway Configuration screen within INETCFG.NLM. Keep in mind, this screen is available only after you've installed Novell's Internet Access Server (NIAS). 

Figure 540-6: IPX/IP Gateway Configuration in INETCFG.NLM 

For detailed steps on configuring the IPX/IP Gateway, read Novell's CNE Study Guide for IntranetWare/NetWare 4.11, pages 1151-1153. 

Adding IPX/IP Gateway Tools to NWADMIN

Once you've enabled and configured the IPX/IP Gateway, an NDS Gateway Server object appears in the NDS tree. By default, it is created in the same context as the server on which it was installed. The Gateway object's name is the same as the server's name, with a "-gw" appendage. For example, ACME's Gateway object in the LABS container is called "LABS-SRV1-GW". 

From a user's standpoint, the IPX/IP Gateway object allows clients to easily find and use active IP tunneling servers. More importantly, from a CNE perspective, it allows you to manage the Gateway Server from within NDS. However, first you'll need to add the Gateway's Snap-In utility to NetWare Administrator (NWADMIN). 

The IPX/IP Gateway Snap-In utility only works with the 16-bit version of NetWare Administrator -- NWADMN3X.EXE. This utility is designed for Windows 3.1x workstations and stored in the SYS:PUBLIC subdirectory. Windows 95 users can still use the utility, but they are limited to 16-bit functions. To add IPX/IP Gateway support to the 16-bit NWADMIN utility, complete the steps in Novell's CNE Study Guide for IntranetWare/NetWare 4.11, pages 1153-1154. 

Once NWADMN3X.EXE has been configured for IPX/IP Gateway services, the "Unknown" Gateway object will appear as an Internet Server icon. You can view details about the object by double-clicking on the icon or by selecting Object and Details from the main menu. 

The Snap-In utility also adds two new user attributes to NDS: IPX/IP Gateway Service Restrictions and IPX/IP Gateway Host Restrictions. These attributes can be used by CNEs to designate which Internet services or hosts are available through the IPX/IP Gateway. 

 
REAL WORLD
Once you install and configure the IPX/IP Gateway, you actually extend the NDS Schema. This extended schema allows you to manage the Gateway icon and create custom user properties. This is an example of the management flexibility inherent in IntranetWare NDS. 

Controlling Access to the IPX/IP Gateway 

Once the IPX/IP Gateway server has been fully installed and configured, you can use NetWare Administrator to restrict Internet access to appropriate NDS objects only -- such as users, groups, and/or containers. As a protocol translator, the IPX/IP Gateway is perfectly suited to enforce restrictions on traffic between the local IPX network and the IP-based Internet. 

For more information on controlling access to the IPX/IP Gateway, check out Novell's CNE Study Guide for IntranetWare/NetWare 4.11, pages 1154-1155. 

Of the two IPX/IP Gateway access restrictions, Service Restrictions are by far more powerful. They instruct the Gateway object as to which applications may be used and when. IntranetWare supports four different types of Service Restrictions: 

  • Inherited default access 
  • Unlimited access to all services 
  • No access to any service 
  • Access to specified service only during certain times of the day 

Additionally, the IPX/IP Gateway restricts services according to ten different port numbers. Refer to Table 540SG-3 for a list of these Internet services and their corresponding port numbers. This is your blueprint for a cool Internet roadster. 

Table 540SG-3: IPX/IP Gateway Service Restrictions 

Service                  Port Number
HTTP (World Wide Web)    80
FTP                      21
Telnet                   23
NNTP (News)              119
SMTP (E-Mail)            25
POP3                     110
Finger                   79
SNMP                     161
SNMP-Trap                162
Printer                  515
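
The four Service Restriction types and the ports in Table 540SG-3 can be worked through as a small policy check. This is an added example, not Novell's code: the object names, hours and policy layout are constructed, and walking up the tree to resolve "inherited default access" (denying when nothing is set) is an assumption, since the page does not give the Gateway's evaluation order.

```python
from datetime import time

# Service names and ports copied from Table 540SG-3.
SERVICES = {"HTTP": 80, "FTP": 21, "Telnet": 23, "NNTP": 119, "SMTP": 25,
            "POP3": 110, "Finger": 79, "SNMP": 161, "SNMP-Trap": 162,
            "Printer": 515}
INHERIT, ALL, NONE, SPECIFIED = "inherit", "all", "none", "specified"

# Constructed policy: object names, modes and hours are hypothetical.
POLICY = {
    "O=ACME": {"mode": SPECIFIED,
               "rules": {"HTTP": (time(8), time(18))}},
    "OU=LABS.O=ACME": {"mode": INHERIT},
    "CN=AEinstein.OU=LABS.O=ACME": {"mode": INHERIT},
    "CN=NightOps.OU=LABS.O=ACME": {"mode": SPECIFIED,
                                   "rules": {"Telnet": (time(22), time(6))}},
    "CN=Guest.OU=LABS.O=ACME": {"mode": NONE},
}


def in_window(now, start, end):
    """True if now is in [start, end); handles windows that wrap midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def effective(obj):
    """Walk up the tree until an object has a non-inherited restriction."""
    while obj:
        entry = POLICY.get(obj, {"mode": INHERIT})
        if entry["mode"] != INHERIT:
            return obj, entry
        obj = obj.partition(".")[2]   # parent container, "" at the root
    return None, {"mode": NONE}       # assumption: nothing set means deny


def check(obj, port, now):
    """Return (allowed, deciding_object) for a connection attempt."""
    source, entry = effective(obj)
    if entry["mode"] == ALL:
        return True, source
    if entry["mode"] == NONE:
        return False, source
    for name, (start, end) in entry["rules"].items():
        if SERVICES[name] == port and in_window(now, start, end):
            return True, source
    return False, source


if __name__ == "__main__":
    user = "CN=AEinstein.OU=LABS.O=ACME"
    print(check(user, 80, time(9, 30)), check(user, 21, time(9, 30)))
```

Returning the deciding object alongside the verdict shows which user or container an unexpected denial comes from.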

Using the IPX/IP Gateway Client

Users can take full advantage of the IPX/IP Gateway by using an updated version of Client 32. You can install this special Gateway version of Client 32 from the NIAS CD-ROM or directly from an IntranetWare server. Although the Client 32 software only requires about 6MB of hard disk space, the software installation process requires 14MB because temporary files are copied during installation. 

The IPX/IP Gateway version of Client 32 adds two important features: 

  • The Gateway Switcher program -- allows you to enable and disable the IPX/IP Gateway client from within a GUI Windows interface. In Windows 95, the Switcher is GWSWITCH.EXE and in Windows 3.1, it's GWSW16.EXE. Keep in mind, the default status of the Gateway client is disabled; therefore, you must use the Switcher to enable the workstation once Client 32 has been installed. 
  • The WinPing application -- allows you to "ping" a local or remote host through the IPX/IP Gateway. Simply type the IP address or host name of the Internet machine and click Ping. This is a maintenance tool that allows you to test the reliability of any Internet/intranet connection. 

The special IPX/IP Gateway Client 32 supports both Windows 3.1 and Windows 95. Let's explore how it works. 

REAL WORLD
Enabling or disabling the IPX/IP Gateway causes Client 32 to automatically update the NOVWS.INI file. This file is normally found in the C:\WINDOWS subdirectory. It also stores the name of the preferred Gateway server. 

In addition, here's a quick note about Microsoft protocol support. If Microsoft TCP/IP is an installed and configured protocol, you must disable the IPX/IP Gateway before using TCP/IP for WINSOCK applications. Also, make sure you close all WINSOCK applications before using the Switcher to disable the IPX/IP Gateway. 

Installing the IPX/IP Gateway Client for Windows 3.1

IPX/IP Gateway support is installed as an option during the Client 32 workstation installation. Begin with a "Normal" Client 32 installation for Windows 3.1, as explained in Novell's CNE Study Guide for IntranetWare/NetWare 4.11, pages 1182-1185. 

During the Client 32 installation process, an Additional Options screen will appear. To customize the client for IPX/IP Gateway services, complete the steps in Novell's CNE Study Guide for IntranetWare/NetWare 4.11, pages 1155-1156. 

 
TIP
The updated Client 32 installation software for Windows 3.1 can be found in the SYS:PUBLIC\CLIENT\WIN31 subdirectory. 

Installing the IPX/IP Gateway Client for Windows 95

IPX/IP Gateway support is activated as an option during the Client 32 workstation installation. Begin by installing the "Normal" Client 32 for Windows 95 software, as shown in Novell's CNE Study Guide for IntranetWare/NetWare 4.11, pages 1179-1182. 

To activate the IPX/IP Gateway Client for Windows 95, you'll need to use the Customize button during Client 32 workstation installation. Complete the steps detailed in Novell's CNE Study Guide for IntranetWare/NetWare 4.11, pages 1156-1157. 

When the IPX/IP Gateway client is enabled, a Gateway Support Task is automatically run. The Gateway client uses NOVGWP16.EXE for Windows 3.1 and NOVGWPRC.EXE for Windows 95. The Gateway Support Task runs minimized in Windows 3.1 and appears in the task bar in Windows 95. This application should never be closed, as it provides valuable information about the status of the Gateway. 

TIP
The updated Client 32 installation software for Windows 95 can be found in the SYS:PUBLIC\CLIENT\WIN95 subdirectory. 

Speaking of Gateway status, now seems like a good time to explore some valuable troubleshooting tips . . . (in the rare event something should go wrong). Believe me, there's nothing virtual about a flat tire on the information superhighway. It hurts just as much in cyberspace as in the real world. 

Troubleshooting the IPX/IP Gateway

Even if you lead a charmed cyber-life, you're bound to have a few problems with the IPX/IP Gateway. That is the nature of our global electronic village. Get used to it! Fortunately, the IPX/IP Gateway records valuable troubleshooting information in two automated log files: 

  • GW_INFO.LOG -- records informational messages, warnings, and errors regarding the IPX/IP Gateway's daily operation. 
  • GW_AUDIT.LOG -- records information regarding which clients are using the IPX/IP Gateway, when they access the Internet/intranet, which ports and services they use, and detailed information about destination IP addresses and DNS name servers. 

Both of these files are created automatically and stored in the root of the Gateway Server's SYS: volume. 

If (or when) you run across any problems using the IPX/IP Gateway, it would help to have access to a virtual cyberspace toolbelt. As an IntranetWare CNE, you'll be on the hot seat should the global electronic villagers have any problems accessing the outside world. To help out, here's a list of common Gateway problems and solutions: 

IPX/IP Gateway does not respond to clients attempting to use it. 
If users attempt to use an Internet service through the IPX/IP Gateway, but it doesn't respond, consider checking the status of the Gateway Server. Check the server modules and make sure IPXGW.NLM is running properly. Next, make sure that users have appropriate access rights. Use NWADMIN to check Host and Service Restrictions. Finally, verify that they are using the correct Gateway client and that the Switcher has been enabled. 

IPX/IP Gateway fails to connect to or locate a given IP address. 
If the IPX/IP Gateway fails to locate a requested IP address, make sure it is listed properly in the Host Table. Also, check DNS services. As you recall from our earlier discussion, DNS tracks logical host names according to their appropriate IP address. If there are problems with DNS, you may want to verify the reliability of your ISP. 

One of the most obvious problems is the validity of the IP address itself. You can use WinPing to test the address and reliability of Internet connectivity. This includes cabling, routers, filtering, and the existence of intermediate firewalls. Finally, if the IPX/IP Gateway tries to connect but times out, it may be due to a high level of traffic congestion to and from the Gateway. Or it's quite possible that the Internet itself is "clogged." It happens! 

IPX/IP Gateway connects to a host but fails to support an application or service. 
If the IPX/IP Gateway connects to the appropriate host but fails to support the application or service, you may want to check the application's TCP compatibility. Some applications expect to use a UDP connection, and our Gateway uses only TCP. If that's not the problem, you may want to check the Gateway client to make sure it has the appropriate supporting software including plug-ins. In this case, the Gateway is not the cause of the problem. 

Finally, a lack of Gateway application support may be a symptom of a larger problem. In many cases, too much data traffic can cause bandwidth bottlenecks between the client and the Internet host. 

IPX/IP Gateway provides unreasonably slow service. 
If the IPX/IP Gateway seems to act unreasonably slow, it could be caused by one of three bottlenecks: 

  • Local IPX-based LAN traffic 
  • Remote IP-based Internet traffic 
  • IPX/IP Gateway utilization 

In the first two cases, you'll have to make architectural changes to the way users communicate locally and remotely. For example, if ten or more users are simultaneously accessing the Internet over a single 56KB link, you may want to upgrade the Internet connection. 

The final problem, however, is your responsibility. If the IPX/IP Gateway is not performing optimally, you may want to consider increasing its internal resources. For example, the quality of the server CPU can have a dramatic impact on the performance of IPX/IP translation. More commonly, a lack of memory causes users' requests to be queued. Remember, the NIAS server requires an additional 4 MB of memory and 500 KB for each set of 100 TCP/IP connections. 

Finally, you may want to set the users' expectations appropriately. They may not be aware that the Gateway's translation of IPX/IP packets causes a slight performance penalty. This penalty is more noticeable when the Gateway is heavily used. 

This completes our discussion of IntranetWare's IPX/IP Gateway. Hopefully, you've gained an appreciation for the immense value of a single translation point between you and the global electronic village. Most importantly, all your villagers can access the information superhighway without the added overhead of TCP/IP workstation software. This provides you with security, centralized management, and general peace of mind. 

So far, we've installed Novell's Internet Access Server, learned all about the architecture of TCP/IP, and created an on-ramp to the information superhighway -- in the form of Novell's IPX/IP Gateway. 

Of course, once you're cruising down the information superhighway, you need a place to go. That's the purpose of Novell's Web server. Check it out . . . 
