Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 6 replies
  • Subscribers 2 subscribers
  • Views 2373 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

eDirectory, NAT and RED

lvandijk
Hello,
Just got our first RED. To test if it is useful in our organization.
We are using a ASG 220 in a Novell Netware 6.5 network. eDirectory SSO is used to authenticate the users.
I've configured the RED. When I connect a pc from behind the RED, I am able to log in into the network. I can access the network, use Groupwise, etc.
When I try to access the internet, a loginscreen appears.

I've set up NAT between the remote network (10.140.0.0/16) and the office network (10.120.0.0/16). The remote traffic is NAT-ed to the address 10.120.240.81. 
In the authentication log this address is shown when the remote user logs in.

But the remote pc has address 10.140.252.254. And that address is used when the internet browser is started (as is shown in the http log when the users logs in with the authentication login screen).

Seems to me not really a RED issue, but anyway: can anyone tell me what I'm doing wrong?


This thread was automatically locked due to age.
Parents
  • 0
    Since I don't user eDir, I'm spitballing here, but here are the first couple of things that come to mind:
     
    Have you added a packetfilter rule on your ASG allowing traffic from the virtual RED interface network to the internet?
    Did you add this same network to the Allowed Networks list for the HTTP proxy?
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • 0 in reply to Scott_Klassen
    I'm pretty sure this has to do with how e-directory SSO works ... my understanding is that e-directory stores the IP of the logged in user; when you NAT the remote IPs to one single IP, it's going to get confused, as e-directory will be returning an IP that the proxy doesn't see.

    This is something I'd start an official astaro support case on; I suggest you take this path for a swifter resolution.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    question, why using NAT?

    Astaro user since 2001 - Astaro/Sophos Partner since 2008

  • 0 in reply to maygyver
    Maygyver's question is a good one... why use NAT?  You should only need to setup packet filters... not using NAT may fix the problem.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    Thank you for your response and hints.
    The solutions was SLP. The Directory Agent had no route to the new network 10.140.0.0. That's why there was no tree visible with only packet filters active. Using NAT, the remote pc got a local ip-address. So the DA could be reached, and logging in to the Netware tree was possible. But then the described problem occured. 
    @may_gyver: you were right. NAT is not needed. A packet filter (and good routing [;)] ) will do!
Reply
  • 0 in reply to BrucekConvergent
    Thank you for your response and hints.
    The solutions was SLP. The Directory Agent had no route to the new network 10.140.0.0. That's why there was no tree visible with only packet filters active. Using NAT, the remote pc got a local ip-address. So the DA could be reached, and logging in to the Netware tree was possible. But then the described problem occured. 
    @may_gyver: you were right. NAT is not needed. A packet filter (and good routing [;)] ) will do!
Children
No Data
Unfiltered HTML