Implementing iFolder Server in the DMZ with iFolder Data inside the Firewall
Novell Cool Solutions AppNote
www.novell.com/coolsolutions
JULY 2004
OBJECTIVES
The objectives of this documentation are as follows:
• To configure iFolder server in the DMZ with the iFolder data physically stored on another server inside the firewall, using two NetWare 6.5 servers.
• To cluster iFolder services via inexpensive iSCSI technology, using three NetWare 6.5 servers.
Background
Most customers want to implement iFolder but are constrained by their company's security policy. Most companies have a security policy that there is no access from the Internet directly into the internal network (if you don't have such a policy, it is time to set one up). This implies two things:
• From the Internet, users cannot directly access data in the internal network, but can access application servers in the DMZ
• To protect data, data cannot be placed in the DMZ
Most companies will do one of the following:
• Set up a VPN solution. All access to applications from the Internet must be via the VPN application.
• Set up application servers in the DMZ. All access to applications from the Internet will hit the application servers, and the application servers will then access the data via the firewall. The data is stored inside the firewall and the firewall is configured to only allow the application servers to access the data. With this setup, the data is secured.
• For customers with very tight security policies, an even more secure approach can be implemented by combining the above two methods. Customers may implement two firewalls. The first firewall blocks all access from the Internet into the customer's network except VPN traffic. All application servers are placed in the DMZ. The second firewall blocks all traffic and allows only access from the application servers. This means that users must use VPN, which gets past the first firewall, to access the applications in the DMZ. However, because of the second firewall, users cannot access their internal network directly. The application servers fetch the data from the internal network and pass it back to users.
THE PROBLEM
iFolder stores its data on the server. This creates two problems:
• iFolder cannot be placed in the DMZ because the data would then be in the DMZ
• If iFolder is in the internal network, users cannot access iFolder because of the firewall. Security policy prevents users from accessing applications directly in the internal network from the Internet
In the past, the only way to get around this problem was to implement VPN. However, for customers who do not have VPN, iFolder cannot be implemented. Furthermore, VPN will work only if customers allow Internet users access directly into the internal network. For customers with extremely tight security policies who do not allow VPN users to access the internal network directly, even VPN is not a solution. Because of all these restrictions, many customers cannot implement iFolder.
THE SOLUTION
NetWare 6.5 provides the solution. NetWare 6.5 allows the data to be stored remotely, so that the iFolder server can be placed in the DMZ while the data is placed in the internal network. This allows iFolder to meet most customers' security requirements. The key to implementing this is iSCSI.
iSCSI is a standard for carrying SCSI block storage protocols over TCP/IP networks. This means that iSCSI allows a SAN to be built over a LAN. In the past, a SAN was built using Fibre cables, Fibre cards, SAN switches and SAN storage, which was a very expensive solution. NetWare iSCSI lets you use NetWare servers to create shared storage and a NetWare cluster without purchasing expensive SAN equipment.
For more on iSCSI, refer to the iSCSI Administration Guide for NetWare 6.5.
Setup Overview
In this documentation, we are simulating the following scenarios:
1. The iFolder server is set up in the DMZ and the iSCSI storage server is set up inside the firewall.
2. The iFolder server is clustered and set up in the DMZ, and the iSCSI storage server is set up inside the firewall.
ISCSI IMPLEMENTATION
1. Set up two NetWare 6.5 servers with iFolder and iSCSI services.
   One server is placed in the internal network, and the other is in the DMZ. The NetWare 6.5 server in the internal network can join the existing tree. The NetWare 6.5 server in the DMZ, however, should be a stand-alone server in its own tree.
   In this example, the server in the DMZ shall have the following configuration:
   Tree: IFOLDER-TREE
   ServerName: IFOLDERSERVER1
   Server Context: O=NOVELL
   IFOLDERSERVER1 will be configured as the iSCSI Initiator.
   The server in the internal network will have the following configuration:
   Tree: NW65SERVER_TREE
   ServerName: NW65SERVER
   Server Context: .SERVER1.NOVELL
   NW65SERVER will be configured as the iSCSI Target.
2. On the NW65SERVER server, do the following:
   o LOAD NSSMU > Partitions
   o Press 'Insert' to create a new partition
   o Select the free disk space and press 'Enter'
   o Select iSCSI
   o Define the partition size (which will be the size of your iFolder data store) and create it
3. On the NW65SERVER server, type TON.NCF.
   In the installation, TON.NCF is already loaded by default in AUTOEXEC.NCF. In this case, you can type TOFF.NCF and then TON.NCF to reload the iSCSI target NLMs.
   (If you have not realized it by now, TON stands for Target ON and TOFF stands for Target OFF.)
4. Open up ConsoleOne, browse to the location of NW65SERVER and you will see an iSCSI Target object that has been created. This object is automatically created when an iSCSI partition is created on a server and TON.NCF is loaded on that server. The object will look something like this: (screenshot not reproduced)
5. Create an iSCSI Initiator Object in the same context as the NW65SERVER object. You will get the following prompt, but click OK and key in the object name. For this example, the iSCSI Initiator Object is ifolderserver1.
6. Right-click on the iSCSI Target object created in step 4 and choose 'Trustees of this object'. Select the ifolderserver1 Initiator Object as a Trustee and click OK to select the default Trustee rights.
7. On IFOLDERSERVER1, type 'ION.NCF'
   (You may have rightly guessed that ION stands for Initiator ON.)
8. On IFOLDERSERVER1, type 'ISCSI LIST'
   You will see the following screen (screenshot not reproduced)
9. You need to change the initiator server's IQN to correspond to the Initiator Object that you have created in the NW65SERVER-TREE. To do this, on IFOLDERSERVER1, type the following:
   iscsi set InitiatorName=iqn.1984-08.com.novell:.ifolderserver1.novell.nw65server-tree.
   NOTE: ADD a trailing '.' at the end of the ".ifolderserver1.novell.nw65server-tree." command, or you will not be able to connect.
10. On the console screen, type => iscsinit Connect [IP address of NW65SERVER]
    This command will enable the iSCSI Initiator to connect to the iSCSI Target.
11. Open up a browser and browse to Remote Manager on the IFOLDERSERVER1 server (https://[IP address of IFOLDERSERVER1]:8009)
12. Under the MANAGE SERVER section, choose PARTITION DISK, and you will see the following screen. Click 'Initialize Partition Table'
13. Once that is done, the disk is initialized and ready to be used.
14. On IFOLDERSERVER1, do the following:
    o LOAD NSSMU > POOLS
    o Press 'Insert' to create a new pool. Enter the pool name (e.g. IFOLDER_POOL)
    o Choose the free disk space which has been created on the iSCSI Target
    o Confirm the partition size
    o Go to the Main Menu > VOLUMES
    o Press 'Insert' to create a new volume. Enter the volume name (e.g. IFOLDER)
    o Select the pool (e.g. IFOLDER_POOL) and press 'Enter'
    o Select your volume properties and press 'Create'
15. On IFOLDERSERVER1, type 'Edit AUTOEXEC.NCF' and add the following lines:
    ion.ncf
    iscsinit connect [IP address of NW65SERVER]
    Delay 5
    mount ifolder
IFOLDER IMPLEMENTATION
As with any default installation of iFolder, the default location of ServerRoot and UserRoot is SYS:\iFOLDER, and the LDAP server configuration usually points to the iFolder server itself (using DNS or IP address). The purpose of this section is to configure iFolder to:
• Use the LDAP server in the internal network to authenticate users
• Change the ServerRoot and UserRoot to be placed on the iSCSI volume created on the iSCSI Target located in the internal network
In this example, both the LDAP server and the iSCSI Target server in the internal network are NW65SERVER (147.2.198.67).
1. On the IFOLDERSERVER1 server, edit the SYS:\APACHE2\IFOLDER\SERVER\HTTPD_IFOLDER_NW.CONF file and modify the following parameters:
   o iFolderServerRoot: change to IFOLDER:\iFolder
   o iFolderUserRoot: change to IFOLDER:\iFolder
2. From your browser, open up the iFolder management URL (i.e. https://[IP address of IFOLDERSERVER1]/iFolderServer/Admin)
3. Click 'Global Settings'. Type in the admin name and password of IFOLDERSERVER1
4. On the left column, choose 'USER LDAPs' and delete all existing User LDAP servers
5. On the left column, choose 'USER LDAPs' and add a User LDAP server.
   Under Host DNS or IP, key in the DNS name or IP address of your internal eDirectory LDAP server. In this example, NW65SERVER is the internal user LDAP server.
   Key in the admin name and password of NW65SERVER
6. The User LDAP configuration will pop up. Check the 'Search Subcontexts' option.
7. Restart your Apache web services by typing the following commands on IFOLDERSERVER1:
   ap2webdn
   ap2webup
8. Map a drive to the IFOLDER volume on IFOLDERSERVER1. You will see that the IFOLDER directory has been created on the volume.
After you have completed the above configuration, the following will have been accomplished:
o The iFolder server in the DMZ is purely an application server that holds no user information or user data
o User information will be accessed from LDAP servers inside the firewall
o iFolder user data is physically stored on iSCSI storage inside the firewall
INSTALLING CLUSTERING SERVICES OVER ISCSI
Some customers may consider iFolder services important enough to warrant clustering of the iFolder services. In the past, this would be a costly endeavour because it requires expensive Fibre cables, Fibre cards, SAN switches and SAN storage. Now all you need is another NetWare 6.5 server.
1. Set up a NetWare 6.5 server with iFolder and iSCSI services.
   This NetWare 6.5 server will join the IFOLDER-TREE.
   In this example, the NetWare 6.5 server in the DMZ shall have the following configuration:
   Tree: IFOLDER-TREE
   ServerName: IFOLDERSERVER2
   Server Context: .SERVER2.NOVELL
2. On the NW65SERVER_TREE, create an iSCSI Initiator Object in the same context as the NW65SERVER object. You will get the following prompt, but click OK and key in the object name. For this example, the iSCSI Initiator Object is ifolderserver2.
3. Right-click on the iSCSI Target object created earlier and choose 'Trustees of this object'. Select the ifolderserver2 Initiator Object as a Trustee and click OK to select the default Trustee rights.
4. On IFOLDERSERVER2, type 'ION.NCF'
5. On IFOLDERSERVER2, type 'ISCSI LIST'
   You need to change the initiator server's IQN to correspond to the Initiator Object that you have created in the NW65SERVER-TREE. To do this, on IFOLDERSERVER2, type the following:
   iscsi set InitiatorName=iqn.1984-08.com.novell:.ifolderserver2.novell.nw65server-tree.
   NOTE: ADD a trailing '.' at the end of the ".ifolderserver2.novell.nw65server-tree." command, or you will not be able to connect.
6. On the IFOLDERSERVER2 console screen, type => iscsinit Connect [IP address of NW65SERVER]
7. On IFOLDERSERVER2, type 'Edit AUTOEXEC.NCF' and add the following lines:
   ion.ncf
   iscsinit connect [IP address of NW65SERVER]
   On IFOLDERSERVER2, type the above two lines on the server console screen as well.
   If you have been following the exercise through, on IFOLDERSERVER1 use NSSMU to remove the IFOLDER volume and the IFOLDER_POOL pool, and remove the following lines from the AUTOEXEC.NCF file. Remember, we want to cluster the IFOLDER volume and we don't want to mount the volume in the AUTOEXEC.NCF file.
   delay 5
   mount ifolder
8. On both IFOLDERSERVER1 & IFOLDERSERVER2, do the following:
   o NSSMU > Devices
   o Choose the iSCSI device (the name contains 'NOVELL' in it)
   o Press 'F6' to share the device
   o The device configuration becomes 'Sharable for Clustering'
9. Install Novell Cluster Services 1.7 on both IFOLDERSERVER1 & IFOLDERSERVER2 using Deployment Manager.
   The details to install Novell Cluster Services can be found in NetWare 6.5 - Novell Cluster Services 1.7 Administration Guide.
10. After installation, type LDNCS.NCF on both server consoles, and both servers should join the cluster. You should see both servers in the Cluster Membership Monitor with the status 'UP'.
    NOTE: You can provide better reliability by creating one iSCSI device for the SBD partition and another iSCSI device for the iFolder partition.
    If you have followed through the exercise, the SBD partition would have been created on the iSCSI device that was created in the previous exercise. It is then a simple matter of repeating the steps and creating a larger iSCSI device for iFolder. Of course, you can extend this idea by creating another iSCSI device for SBD mirroring, but these are beyond the scope of this AppNote.
    So for this exercise, if the SBD partition is created on the same device as the IFOLDER partition, it is fine. But you probably won't want to do this in a production environment.
11. On the IFOLDERSERVER1 server, do the following:
    o NSSMU > POOLS
    o Press 'Insert'. Type in the pool name (e.g. IFOLDER_POOL)
    o Choose the correct device and select the partition size
    o The Cluster Pool Configuration screen will appear. Type in the IFOLDER virtual IP address
12. On the IFOLDERSERVER1 server, do the following:
    o NSSMU > VOLUMES
    o Press 'Insert'. Type in the volume name (e.g. IFOLDER)
    o Select the pool that you created in step 11 (e.g. IFOLDER_POOL)
    o Choose the volume properties > Create
That's it. You have just clustered the IFOLDER volume. You can use Remote Manager or ConsoleOne to migrate the IFOLDER volume between IFOLDERSERVER1 and IFOLDERSERVER2 to test whether or not it is working.
CLUSTERING IFOLDER SERVICES
1. Loading iFolder in protected memory
   iFolder does not by default load its own instance of Apache in protected memory on NetWare. It will instead create an include statement in the default Apache configuration file (SYS:\APACHE2\CONF\HTTPD.CONF) and load in the kernel address space.
   The problem with this is that when iFolder is not loaded, you are unable to use all the NetWare 6.5 services that load on top of Apache. To solve this problem, iFolder can be loaded in its own address space so that the Apache services are not affected by iFolder. iFolder will be configured to be loaded by cluster services only.
   Below are the steps to load iFolder into its own memory space. These steps have to be done on all cluster nodes.
   a. Make the following changes to the SYS:\APACHE2\IFOLDER\SERVER\HTTPD.CONF file:
      o Change from Listen 80 to Listen [iFolder virtual IP address]:80 (e.g. Listen 147.2.198.77:80)
      o Change from SecureListen 443 "SSL CertificateDNS" to SecureListen [iFolder virtual IP address]:443 "SSL CertificateDNS" (e.g. SecureListen 147.2.198.77:443 "SSL CertificateDNS")
      o Change from DocumentRoot "sys:/apache2/htdocs" to DocumentRoot "sys:/apache2/ifolder/DocumentRoot"
      o Change from <Directory "sys:/apache2/htdocs"> to <Directory "sys:/apache2/ifolder/DocumentRoot">
      o Change from JkWorkersFile "conf/mod_jk/workers.properties" to JkWorkersFile "sys:/adminsrv/conf/mod_jk/workers.properties"
      o Change from JkLogFile "/logs/mod_jk.log" to JkLogFile "sys:/adminsrv/logs/mod_jk.log"
   b. In the SYS:\APACHE2\CONF\HTTPD.CONF file, remark out the include statement containing SYS:\APACHE2\IFOLDER\SERVER\HTTPD_IFOLDER_NW.CONF, so that it reads as follows:
      #include sys:\apache2\ifolder\server\httpd_ifolder_nw.conf
   c. In the SYS:\APACHE2\IFOLDER\SERVER\HTTPD_IFOLDER_NW.CONF file:
      o Change iFolderServerDNSorIP from [server IP address] to [cluster virtual IP address]
      o Change iFolderUserServerDNSorIP from [server IP address] to [cluster virtual IP address]
   d. Copy SYS:\PUBLIC\ROOTCERT.DER to SYS:\APACHE2\IFOLDER\SERVER\LDAP\_MASTER.DER
   e. Cut STARTIFOLDER.NCF and STOPIFOLDER.NCF from SYS:\SYSTEM and paste them into SYS:\APACHE2\IFOLDER\SERVER.
      Make the following changes to STARTIFOLDER.NCF:
      LOAD ADDRESS SPACE = IFOLDER APACHE2 -f SYS:\APACHE2\IFOLDER\SERVER\HTTPD.CONF
      # LOAD APACHE2 -f SYS:\APACHE2\CONF\HTTPD.CONF
      Remark out 'UNLOAD APACHE' in STOPIFOLDER.NCF.
   f. Edit the AUTOEXEC.NCF file and add the following line:
      SEARCH ADD SYS:\APACHE2\IFOLDER\SERVER
      Type the above command on the server console as well.
2. Modify the iFolder configuration
   Open up the iFolder Management URL; under Global Settings > iFolder Server, change the IP address to the virtual cluster IP address.
3. Modify the cluster script configuration
   Add startifolder to the Cluster Load Script and stopifolder to the Cluster Unload Script as shown below. In the Cluster Unload Script, you may like to add a delay for iFolder to completely unload before proceeding with the rest of the script.
   Cluster Load Script (screenshot not reproduced)
   Cluster Unload Script (screenshot not reproduced)
4. Restart your Apache web services by typing the following commands:
   ap2webdn
   ap2webup
   You will notice that the iFolder service has not been loaded. Load the iFolder service by loading the cluster service.
Ports to be open in the firewall
Finally, to get all this to work, the administrator has to open up the firewall. Below is the list of ports required to be open at the firewall:

Source IP                        Destination IP   Destination Port   Description
IFOLDERSERVER1, IFOLDERSERVER2   NW65SERVER       3260               iSCSI port
IFOLDERSERVER1, IFOLDERSERVER2   NW65SERVER       389                LDAP port
IFOLDERSERVER1, IFOLDERSERVER2   NW65SERVER       636                LDAP with SSL port (if configured)
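As an added example that is not part of the AppNote, the port table above can be turned into a deny-by-default forwarding policy on the firewall between the DMZ and the internal network, so that only the two iFolder servers can reach NW65SERVER, and only on the iSCSI and LDAP ports. The AppNote does not name a firewall product; the script assumes a Linux packet filter managed with iptables. The interface names and the IFOLDERSERVER1/2 addresses are placeholders, NW65SERVER's address (147.2.198.67) is the one the AppNote uses, and the LDAP_SSL switch reflects the table's "if configured" note on port 636.

```shell
#!/bin/sh
# Added example (not from the AppNote): deny-by-default DMZ -> internal policy
# derived from the AppNote's port table. Assumes a Linux firewall with iptables;
# interface names and IFOLDERSERVER1/2 addresses are placeholders, NW65SERVER's
# address is the one used in the AppNote.

DMZ_IF="${DMZ_IF:-eth1}"                  # interface facing the DMZ (assumed)
INT_IF="${INT_IF:-eth2}"                  # interface facing the internal LAN (assumed)
NW65SERVER="${NW65SERVER:-147.2.198.67}"  # iSCSI target and LDAP server inside the firewall
IFOLDER_NODES="${IFOLDER_NODES:-192.0.2.11 192.0.2.12}"  # placeholders for IFOLDERSERVER1/2
LDAP_SSL="${LDAP_SSL:-yes}"               # "no" if LDAP over SSL (636) is not configured

# Ports from the AppNote's table: iSCSI, LDAP and, if configured, LDAP over SSL.
allowed_ports() {
    ports="3260 389"
    if [ "$LDAP_SSL" = "yes" ]; then
        ports="$ports 636"
    fi
    echo "$ports"
}

# Emit the rules rather than apply them, so the policy can be reviewed first.
gen_rules() {
    # Nothing is forwarded unless a rule below explicitly allows it.
    echo "iptables -P FORWARD DROP"
    # Replies to connections the application servers opened are allowed back.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # One allow rule per (iFolder node, port) pair, pinned to NW65SERVER as destination.
    for node in $IFOLDER_NODES; do
        for port in $(allowed_ports); do
            echo "iptables -A FORWARD -i $DMZ_IF -o $INT_IF -p tcp -s $node -d $NW65SERVER --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
    done
    # Everything else coming from the DMZ is logged, then dropped.
    echo "iptables -A FORWARD -i $DMZ_IF -o $INT_IF -j LOG --log-prefix 'DMZ-DENY: '"
    echo "iptables -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP"
}

# Number of explicit allow rules: nodes x ports (2 x 3 = 6 with LDAP over SSL).
count_allow_rules() {
    gen_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

# Apply the generated policy; invoke the script with "apply" as its first argument.
apply_rules() {
    gen_rules | sh
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_rules
fi
```

Run without arguments to print the rule set for review, or with `apply` to load it. Two points worth keeping in mind when adapting it: the allow rules are keyed on source address, so the DMZ hosts' addresses must be static; and a simple bind on port 389 carries the NW65SERVER admin credentials that step 5 of the iFolder configuration asks for in clear text across the DMZ link, so where the LDAP server is configured for SSL, prefer 636 and drop the 389 rule.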
CONCLUSION
With NetWare 6.5, you are able to configure a high-availability iFolder solution that is both secure and inexpensive. It is secure because your data is protected inside the firewall. It is inexpensive because you only need three NetWare 6.5 servers, without the costly SAN equipment. The best thing about NetWare 6.5 is that since licenses are per user, you can install as many NetWare 6.5 servers as you want.
References
iSCSI Administration Guide for NetWare 6.5
NetWare 6.5 - Novell Cluster Services 1.7 Administration Guide
Novell iFolder 2.1 Installation and Administration Guide
TID 10082707: How to run iFolder 2.1 in Protected Memory
TID 10087321: How do I configure iSCSI when the iSCSI Target and Initiators are in different eDirectory Trees