Fact:

3 Compaq Servers 2GB RAM RAID 5
All have onboard Compaq NIC + Compaq fibre card installed
3 Sites (hub and spoke linked via ISDN with PIX firewall at hub)
Netware 5.1 with SP6e
Border Manager 3.7 with SP2


        INTERNET
           |
          PIX
           |
        Server1
         /   \
        /     \
  SERVER2     SERVER3

How they were built (in order)
-Compaq Smart Start 5.0
-Joined Tree
-Installed Proliant Service Pack 6.41a
-Installed Novell SP6e (Did not replace LAN drivers)
-Created Read/Write Replica for partition on server
-Installed Border Manager 3.7
-Installed Border Manager 3.7 SP2
-Installed SurfControl 5.0 SP1 for BM
-Configured Border Manager Servers with Hierarchical Caching
-Configured basic rule (allow port any any)

Problem.

When the 2 spoke servers were configured as hierarchical clients and
forced to go through parent for internet access there was no internet
connectivity for one of the spoke offices.

Server1
Enable Cache Hierarchy Server - enabled
Enable ICP Port 3130 - enabled
Access Control List - Spoke server IP addresses added

Server2/Server3
Configured as Cache Hierarchy Clients

When viewing information on hub and spoke servers ICP connectivity
seemed fine and reported the correct addresses for their respective
connections but still no internet access for the clients at the spoke
office. I opened the firewall for the spoke server and disabled ICP.
Internet connectivity now was working, so now I know it is ICP.

Enabled server as hierarchy client and lost internet connectivity again.

Installed updated tcp drivers (tcp583jrev2.exe) - no luck
Tried new version of clttrust - no luck
Installed Border Manager Field Service Pack (bm37fp3c.exe) - no luck
Kicked side of server with size 10. No luck, but made me feel better.

Then I remembered I had problems when installing Netware. During the
early part of the install when you are asked for the server name, after
entering the name and hitting next the server would hang (left in for
1.5 hours - no luck. This happened on all servers). The only way I got
around this was to disconnect the NIC cable before hitting next and when
the next screen appeared plug the NIC cable back in, and no problems
after that. Joins tree no worries.

All servers were built initially on the copper card (N100.LAN) and moved
into the rack, which was then configured to work on fibre (N1000.LAN).
There was only one server that couldn't be moved onto fibre at this
point, and this was the server not working as a hierarchy client. Moved
the server to fibre when the rack was installed and what do you know, it
now works. The copper LAN drivers were working in all aspects except for
ICP. Even worked when BM was given internet access.

Version of N100.LAN is what came in the PSP6.41a Compaq Proliant Service
Pack.

Cool, we have hierarchical caching working now. Now to SurfControl, what
a pain.

Now you would think that this should be easy.

Created a rule - Allow URL "NDS Object" "3rd Party Rule" "Select some categories"

No matter what I did it would not work correctly. Tried back-revving
AClCheck to SP1 - no luck.
After 4 days server starts soft abending in Cpfilter.nlm (cpu hog timer).
Short Term Memory Allocator messages on server.

This was with
"CPFILTER.NLM v5.00a Mar. 20, 2002 SurfControl Content Database"

Now it is interesting that on
http://nscsysop.hypermart.net/surfctrl.html
Craig says that SP1 of SurfControl is April 12, 2002 (ver. 5.00d). I
don't know how you can have the same service pack with different
versions of the nlm. I love consistency.

So anyway I took the advice of the above web site and deleted the files.
Installed SurfControl SP2 and re-registered it. The rules now work
better and surprisingly the DB size has reduced after the updates were
downloaded. SP2 also provides better logging.

My 2c: I think the SurfControl product is good but only when used
standalone. Not on a BM server.

What I had to do is reverse ruling as I found it inconsistent.

So instead of
Allow URL "NDS Object" "surf C" "category news"
Default deny any any

I had to do this
Deny URL "NDS Object" "surf C" "category porn"
Allow URL "NDS Object" ANY
Default deny any any

Found this to work much easier and less maintenance

After all this rambling I hope my 2 weeks of pain will help someone else.

Bye.

PS: And yes the servers were booted to make sure certain changes would
be in effect.
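
The fault above came down to ICP traffic between spoke and hub even though the status screens looked fine, so the following is an added example (not part of the original post) that builds an ICP v2 query and decodes a reply per RFC 2186, letting the exchange on UDP port 3130 be checked independently of the proxy. The function names, the sample URL and the constructed reply bytes are assumptions for illustration.

```python
import socket
import struct

# ICP v2 opcodes as defined in RFC 2186.
OPCODES = {1: "QUERY", 2: "HIT", 3: "MISS", 4: "ERR", 10: "SECHO",
           11: "DECHO", 21: "MISS_NOFETCH", 22: "DENIED", 23: "HIT_OBJ"}
# opcode, version, message length, request number, options, option data, sender address
HEADER = struct.Struct("!BBHIIII")

def build_query(url, reqnum):
    """Build an ICP_OP_QUERY datagram (requester address field left as zero)."""
    payload = struct.pack("!I", 0) + url.encode("ascii") + b"\x00"
    return HEADER.pack(1, 2, HEADER.size + len(payload), reqnum, 0, 0, 0) + payload

def parse_message(data):
    """Decode an ICP datagram, rejecting truncated or inconsistent ones."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 20-byte ICP header")
    opcode, version, length, reqnum, _, _, _ = HEADER.unpack_from(data)
    if version != 2:
        raise ValueError("unexpected ICP version %d" % version)
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    body = data[HEADER.size:]
    if opcode == 1:
        body = body[4:]  # a query carries a 4-byte requester address before the URL
    url = body.split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"opcode": OPCODES.get(opcode, "UNKNOWN(%d)" % opcode),
            "reqnum": reqnum, "url": url}

def probe(parent_ip, url, port=3130, timeout=3.0):
    """Send one query to the parent; return the decoded reply or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(url, 1), (parent_ip, port))
        try:
            reply, _ = sock.recvfrom(16384)
        except socket.timeout:
            return None  # no reply arrived within the timeout
        return parse_message(reply)

# Constructed sample reply (not captured from a real server): ICP_OP_DENIED.
SAMPLE_URL = "http://example.com/"
SAMPLE_DENIED = HEADER.pack(22, 2, HEADER.size + len(SAMPLE_URL) + 1, 1, 0, 0, 0) \
    + SAMPLE_URL.encode("ascii") + b"\x00"

if __name__ == "__main__":
    print(parse_message(build_query(SAMPLE_URL, 1)))
    print(parse_message(SAMPLE_DENIED))
```

Calling `probe()` with the hub server's address from a spoke separates the cases: a decoded HIT or MISS means ICP is passing in both directions, DENIED is the peer refusing the query, and `None` means the query or its reply never arrived.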