"Craig Johnson" <craigsj@ix.netcom.com> wrote in message
news:<VA.000030b4.15648ff0@ix.netcom.com>...

> In article <ti1db.87$681.83@prv-forum3.provo.novell.com>, John Rice wrote:

> > This network is behind both a Pix and a Router.

> OK.

> > All desktops printers and servers are running class C public addresses.

> Odd, these days.

Yes but that's the way it is

This is a large network all public that is school and government. Of course I am working on the government and hence they wish to create this border even though they are behind a Pix and a Cisco Router. They of course do not own that equipment which is why they want their network protected.

> > The current servers are Novell server running groupwise, webaccess, apache, imanage, netscape enterprise server, windows 2000 running nothing funky, and a second novell server on the same network different location but in the same tree as the first novell server.

> OK. One network, two locations, one tree


> > Of course there are approx 100 desktops 20 or more printers all with public IP addresses.

> Odd, again.

See first comment. They have been using an entire class C address

> > To secure this network from the other 2 networks what would be the recommended border manager setup?

> What 'other 2 networks'?

The two schools. They also share the same fibre optic highspeed connection to the internet which is protected by the PIX and the cisco router



> If you want to put a firewall between networks, you need one nic per network and filters. That might cause you to have to implement an addressing change if you are thereby introducing another network hop.

> Filtering traffic within the same tree would cause an NDS issue, while allowing NDS traffic sort of defeats the purpose of firewalling between the networks.



The border manager will have two NICs. One will be their public (new subnet created on router for this purpose). The other NIC will be their private; however, their private is also a public address which I will need to secure with Border Manager. It was decided this was the easiest approach as this network has been set up for a few years and trying to change Novell, apache, groupwise etc. to use private IP addresses could have issues. The other two networks are not my concern. I am only interested in ensuring that all traffic destined to this network will arrive. This traffic would include http traffic for their website, Groupwise, ftp, possible VPN to windows server and Novell server. I also need to ensure that this subnet can use the internet, and of course get email. At the present time there is a route created on the router for this network. Once the border manager is set up this route will be removed and all traffic must arrive via the new route created for Border Manager. I am also concerned about the PIX and the router configuration due to the fact that they are serviced by other tech and I have to make sure that my Border Manager is configured correctly from the get go and does not have routing issues with the current Pix and router configuration as it will be hard to convince other tech that there is an issue.

There will be no routing in the same tree.

Thanks John Rice

PS Craig I am reading your book. It was a good buy with lots of useful info

> Craig Johnson
> Novell Support Connection SysOp
> *** For a current patch list, tips, handy files, books and consulting
> services for BorderManager, go to http://nscsysop.hypermart.net ***