Nov. 10, 2004: - Added example for BorderManager 3.8 server. (A 3.7 server would be the same.).
This example is from a NetWare 5.1 (SP7) BorderManager 3.8 server which is a site-to-site VPN master, has both LinkWall and SurfControl loaded, and is used for proxy services.
This server has eDirectory 8.7.3.3 installed. This example should be usable on BorderManager 3.7 as well. A BorderManager 3.0-3.6 example is shown below.
#The Support Pack install has moved timesync configuration to sys:\system\timesync.cfg
SET TCP DEFEND SYN ATTACKS = ON
SET TIME ZONE = PNT7
#
TUNEUP.NCF
#
# Note: The Time zone information mentioned above
# should always precede the SERVER name.
FILE SERVER NAME BORDER1
# If you change the name of this server, you must update
# all the licenses that are assigned to this server. Using
# NWAdmin, double-click on a license object and click on
# the Assignments button. If the old name of
# this server appears, you must delete it and then add the
# new server name. Do this for all license objects.
SERVERID 33C7850
#
Load NLSTRAP
Load NLSFLAIM
Load NLSLSP
#
# Load BTRIEVE options before INITSYS so defaults are not used.
?bstart
#
MOUNT ALL
#
SYS:\SYSTEM\NMA\NMA5.NCF
load conlog maximum=100
; Network driver LOADs and BINDs are initiated via
; INITSYS.NCF. The actual LOAD and BIND commands
; are contained in INITSYS.NCF and NETINFO.CFG.
; These files are in SYS:ETC.
sys:etc\initsys.ncf
#secondary IP addresses
second.ncf
#
SEARCH ADD SYS:\JAVA\BIN
load nile.nlm
load httpstk.nlm /SSL /keyfile:"SSL CertificateIP"
load portal.nlm
LOAD NICISDI.XLM s
LOAD SASDFM.XLM
LOAD SAS.NLM
LOAD PKI.NLM
#
LOAD NLDAP.NLM
#
load ndsimon.nlm
#
#RCONAG6.NLM is required by RConsoleJ
#LOAD SPXS
#LOAD RCONAG6 xxxxxxxx 2034 16800
#
Load AFREECON
#
Monitor
#
load embox.nlm
#
# Load BorderManager Services
SYS:\ETC\CPFILTER\CPFILTER
?STARTBRD
?rem
LINKWALL
CRON
1. TUNEUP.NCF - This NCF file (from tip #23 on the main page here) runs many SET commands to tune the server for better proxy performance.
2. LOAD NLSPTRAP, LOAD NLSPFLAIM, LOAD NLSLSP - These commands are put in here in an attempt to get licensing services to initialize more quickly,
so that proxy can eventually load without a licensing error.
3. ?BSTART - BTRIEVE, with any optional custom command line options, is loaded with this NCF file. The ? in front of the file adds a 10-second
delay before the command runs, to give licensing services more time to finish initializing. performance.
4. SECOND.NCF - This NCF file adds secondary IP addresses. I like to add them this way because it is more flexible to call them all out in a
single NCF file. I can run the NCF file itself manually when I need to. I also put in a DISPLAY SECONDARY IPADDRESS command in that file to show what addresses are present.
5. SYS:\ETC\CPFILTER\CPFILTER - This command launches SurfControl. SurfControl engineering told me it was better to launch it before proxy was
launched.
6. ?STARTBRD - This NCF file launches BorderManager, including VPN services (if VPN is configured), and RADIUS (if RADIUS is configured). Note
that there is a corresponding STOPBRD file. In my STOPBRD file, I put in commands to unload LINKWALL and SurfControl.
7. ?rem - This line is put in to add another 10-second delay before LINKWALL launches.
8. LINKWALL - This NCF file launches Connectotel's LINKWALL product.
8. CRON - The CRON file starts CRON, which looks for SYS:\ETC\CRONTAB for commands to execute on a schedule. I have a CRONTAB entry to start the
SurfControl update process each night at midnight. (Examples for SurfControl and LinkWall are shown in my book on BorderManager 3.x).
See the Mail Proxy note later on this page if you are having problems with delivering mail to a second MX record.
This example is from a NetWare 4.11, BorderManager 3.0 server which is a site-to-site VPN master, and is used for proxy services. This example should be usable on BorderManager 3.5 and 3.6 as
well. A BorderManager 3.8 example is shown above.
There are a number of modules that can be loaded in special ways for best effects when starting BorderManager 3.x services. I have listed part of my BorderManager 3.0 test server's autoexec.ncf file
here, and I explain the reasons for certain Load statements and command line options below. I have listed the pertinent statements in bold red color..
FILE SERVER NAME BORDER1
IPX INTERNAL NET 1234
#
load conlog MAXIMUM=100
; Network driver LOADs and BINDs are initiated via
; INITSYS.NCF. The actual LOAD and BIND commands
; are contained in INITSYS.NCF and NETINFO.CFG.
; These files are in SYS:ETC.
sys:etc\initsys.ncf
LOAD NETDB /N <--- This is where it should be. Try to load it before CONLOG
load conlog MAXIMUM=100
SET NAT DYNAMIC MODE TO PASS THRU=ON <--Use DISABLE NAT IMPLICIT FILTERING in INETCFG instead
# STATIC NAT FOR PCANYWHERE, FTP SERVER, CITRIX
ADD SECONDARY IPADDRESS 4.3.2.253
# REVERSE PROXY ACCELERATION FOR BJHOME WEB SERVER
ADD SECONDARY IPADDRESS 4.3.2.252
# STATIC NAT TO MAIL SERVER
ADD SECONDARY IPADDRESS 4.3.2.251
#
Search Add SYS:\JAVA\BIN
Load NLSLSP
Mount All
Load CSAUDIT
#
# BEGIN SAS/PKI (ADDED BY SASI)
Load CCS
Load PKI
# END SAS/PKI (ADDED BY SASI)
#
? Load MONITOR
#
? Load RDATE /P 240 /V 2 /U /M 999999999 192.168.10.254
#
# Load BorderManager Services
? Load BRDSRV.NLM /noload <--WARNING, this option may cause ABENDs!
? Load ACLCHECK /S
Load IPXF <-- Load this before proxy.nlm to prevent an ABEND
? Load Proxy -M
Load SYS:ETC\CPFILTER\CPFILTER
Load AUTHGW
Load VPMASTER
1. Load NETDB /N - This command, which needs to be early in the autoexec.ncf file (before CONLOG loads at least), uses the /N option to speed
up a number of things, and is supposed to make ACLCHECK read the rules from NDS faster. The command line option /N tells NETDB not to check for the UNIX services handler. See TID 10018669 for more
information.
Note: Feb 22, 2001: The version of NETDB that is implicated in serious TCP/IP communications problems if loaded manually before INITSYS in AUTOEXEC.NCF is 4.09. That version is apparently
contained in (at least) NW51SP1 and NW4SP9. There is also a version 4.10a in some support packs (NW51SP2a for instance), but I do not know if it causes problems. The problem may also be interrelated
to the version of TCPIP.NLM being used. I have heard from Novell on Feb. 22 that loading it manually after INITSYS should work fine.
2. ? Load MONITOR - The ? tells NetWare to stop for 10 seconds and ask (on the server console) if the module should be loaded. After 10 seconds, the module
is loaded if you do nothing. I simply use the ? to introduce a 10-second delay in the load sequence to give NLS licensing services a chance to complete so BorderManager Proxy will load without an
error. This is also explained on my web page about licensing issues.
3. ? Load RDATE /P 240 /V 2 /U /M 999999999 192.168.10.254 - Once again, I introduce a 10-second delay to give NLS services time to
complete the startup sequence so that Proxy.nlm will load without an error later. RDATE is used to set the clock on the server to an internet time source. In this case, 192.168.10.254 is another
proxy server connected to the internet directing RDATE (UDP port 37) traffic to the IP address 171.64.7.77, a time server at Stanford. The RDATE options are: /P 240 (check time every 240
minutes), /V 2 (allow up to 2 second variance on the clock before time is changed), /U (use UDP protocol), /M 9999999999 (a large number of seconds, the time the clock can be off and still be reset
by RDATE), and the IP address of the target server. You can get RDATE.NLM for free from http://www.murkworks.com.
Note: RDATE should not be used on NW 6.x servers - use Timesync set up for NTP, or XNTP instead. Also, the server address given in the example here is no longer functioning. For alternatives, see tip #65 here.
4. ? Load BRDSRV.NLM /NOLOAD - Once again, I introduce another 10-second delay with the ? command. (Did I mention that this test server is
quite slow? It needs a lot of time for NLS services to start completely!). With all the delays I put in, proxy.nlm now loads without giving me a licensing error message. You may need to introduce
more, or fewer, delays than I have shown for my server.
Note: Feb 22, 2001: The /NOLOAD option loads BRDSRV without autoloading any other modules. This is necessary in order to make sure that you can manually load other modules with command line
options as needed without having them autoloaded first.
Note: June 29, 2001: I have found that using this option in AUTOEXEC.NCF is causing several ABENDs on my BorderManager 3.6 server when it starts up now. It did
not use to do that, so I think one of the later BorderManager Proxy/ACL patches may be related to the issue, as may be the Site-Site VPN. I have seen this problem on BorderManager 3.6 with the
BM3XC01 and PXY017 patches, at least. My BMOFF.NCF and BMON.NCF files do not cause a problem if used after BorderManager has been started up without using the /NOLOAD option. This problem seems to
occur only when LOAD BRDSRV /NOLOAD is the first BorderManager module loaded in AUTOEXEC.NCF.
Note: July 8, 2001: A forum user reports that you need to LOAD IPXF after LOAD BRDSRV /NOLOAD and before LOAD PROXY -M to keep the server from ABENDing, in AUTOEXEC.NCF.
5. ? Load ACLCHECK /S - This command loads ACLCHECK with an option (introduced in one of the later proxy/ACL patches) to suppress display of IP addresses which
can't be resolved. See TID 2956486 for more information.
6. Load IPXF - You need to manually load this NLM if the /NOLOAD option is used for BRDSRV, or you will probably get an ABEND when PROXY loads.
7. ? Load PROXY -M - This command line option should allow the Mail Proxy to try additional MX records if the first mail server in a domain does not respond. At this
point, other necessary modules should autoload, except AUTHGW (used in Client-Site VPN) and IPXF (used for fragmenting IPX packets).
Note: Feb. 22, 2001 If you are having Mail Proxy problems not forwarding mail proxy properly to any but the first MX record for a domain using BorderManager 3.5, you need to LOAD PROXY -M. To
be honest, I don't know if this switch a) is needed with BorderManager 3.0, or b) does anything at all with BorderManager 3.0. But it doesn't seem to be hurting anything on my 3.0 test server. Be
sure to see the warning about using the BRDSRV /NOLOAD statement in AUTOEXEC.NCF.
Have a look at my BMOFF and BMON NCF files, described at this link. If you are experimenting with getting the delays introduced so that you can get past 'sufficient units of
license not installed' issues, you may want to stop and restart BorderManager services several times. These files can be used to stop/restart BorderManager 3.0 - 3.6 without having to reboot the
server. 3.7 and 3.8 servers come with a STARTBRD.NCF and STOPBRD.NCF file to do the same thing.
Feb. 6, 2004: - Small note here. If you apply NW51SP7, NW6SP4, or NW65SP2 and you use a ? in front of your load commands in autoexec.ncf to delay start of a command, the command
will fail if there is a space after the ?. You must now remove the space. In addition, if the first letter of the command is a 'n', the ? will assume that to be a 'No' response when you hit that
command, so be sure you use ?LOAD Nxxxx instead of ?Nxxx for your command.
Mar. 27, 2002 - Removed some old options that can cause problems. For BorderManager 3.5 and 3.6, it is probably best to simply put a ? LOAD BRDSRV command at the bottom of AUTOEXEC.NCF,
followed by LOAD SYS:ETC\CPFILTER\CPFILTER and the LOAD VPMASTER (or VPSLAVE) and leave it at that.
July 7, 2001: - corrected several typographical errors where I had mistakenly said LOAD PROXY /NOLOAD instead of LOAD BRDSRV /NOLOAD.
WARNING! June 29, 2001 - Using the LOAD BRDSRV /NOLOAD option in AUTOEXEC.NCF may cause ABENDs. See the note below explaining the LOAD BRDSRV /NOLOAD option for more
information.
July 8 - Added a new note below that the ABEND should be prevented by loading IPXF before PROXY.NLM loads.
WARNING! Feb 8, 2001 - A recent change to NETDB.NLM, version 4.09, dated 4/13/2000, introduced in a later NetWare Support pack, is resulting in various serious TCPIP
communications issues if you manually load NETDB before INITSYS. The symptoms include loss of communications on one or more interfaces. The solution, load NETDB after INITSYS, or let NETDB
autoload instead of calling it out manually as was recommended here, and in Novell TID's 10018669, "BorderManager Cache Performance and Tuning," and 2937176, "Netdb Library Loaded Without Logging
into NDS."