Current BorderManager Patches – Mar. 5, 2010

If you want to skip all the notes, you can skip directly to the patch lists below with these links.

LATEST UPDATE:

Mar. 5, 2010 - Updated BorderManager 3.8 and 3.9 patches with the post-NetWare 6.5 sp8 patch for TCPIP: TCPIP--NW65SP8_Patch.zip.

See any recent warnings I have listed here

See recent update notices I have listed here

Click here for BorderManager 3.9 patches

Click here for BorderManager 3.8 patches

Click here for BorderManager 3.7 patches

Click here for BorderManager 3.6 patches

Click here for BorderManager 3.5 patches

Click here for BorderManager 3.0 patches

Click here for BorderManager 2.1 patches

Click here to jump to the General Notes section

*** CHECK THE PATCH README FILE BEFORE INSTALLING ANY OF THESE PATCHES! ***

Lots of people wonder what the current patches are for BorderManager, and in what order they should be installed. Here is what the Novell Sysops consider the best combination of NetWare and BorderManager patches. Not all of these patches are listed on the Minimum Patch List, and you may have to use FileFinder to get them, or even pull some of them from links at this website.

These are NOT the only patches out there for NetWare and a BorderManager server! There are many other patches which might be a good idea to have on your server, depending on version of NDS, other installed products, etc. I am trying to list the ones specific to BorderManager here.

Finally, I list the latest available patches that I know of here, including some that are beta and field test versions. (This is one reason you will often see patches listed here that are not on the Minimum Patch List.) I typically do not list patches available only internally within Novell, as a) it is hard for you to get them, b) those patches are quite risky, and c) those patches are sometimes changing by the day. The versions I list here should be available through a download, although some older patches may no longer be on Novell's site.

Recent Warnings: (Updates - not warnings - are listed below)


Oct 25, 2007 - Warning 1. A number of people have complained of multiple abends with BorderManager proxy after installing NW65SP7. The issue *might* be related mostly to the TCPIP stack, and also to SSL Proxy Authentication. It appears that NW65SP7 has older TCPIP files than in the TCP680B.EXE.ZIP patch. If you are seeing abends after applying NW65SP7, please try manually installing the TCP680B.EXE.ZIP patch, and also the latest Winsock patch for NetWare (WSOCK6M.EXE or later).

Oct 25, 2007 - Warning 2. A vulnerability has been found with CLNTRUST.EXE. Download and install the CLNTRUST.EXE patch from Oct 24, 2007 (or any later version). Check the readme.

Feb 3, 2007 - Warning. A number of people have had some issues with the NW65SP6 patch, and there are post-SP6 winsock and clib updates that should be added after NW65SP6. The winsock patch may not fix all the issues though, so if you want to hold steady at NW65SP5 for a while, it will be fine. There is a known bug in NW65SP6 that breaks iPrint, and you should read tid 3233501. For a list of NW65SP6 issues, see the Novell wiki entry at http://wiki.novell.com/index.php/Nw65sp6.

Sept. 12, 2006 - Warning. There are currently two available post-SP4 BorderManager 3.8 beta patches: BM38SP4_IR3 and BM38SP4_IR5. A number of people have reported problems with the IR5 version and have back-revved to IR3. The most common symptom seems to be that certain web sites become unavailable through proxy, but start working again for some period of time if you unload proxy and clear cache by reloading proxy with the -cc option. You can choose to install either one. If you do back-rev from IR5, it seems sufficient to only backrev the proxy.nlm module.

June 26, 2006 - Warning. The BM38SP4_IR4.EXE patch for BorderManager 3.8 has been pulled due to an issue with PROXY.NLM. A replacement patch is expected soon.

The problem symptom is that you start to be unable to access certain web sites, unless you unload and reload proxy. At the same time, every time you access a problem site, the 'requests in progress' statistic in the proxy console Current Activities screen increases, but never reduces. I have seen servers with 3000 requests in progress (while only 10-12 fills were in progress) as a result of this issue. The problem can occur with both forward and reverse proxy.


July 20, 2005 - Warning. The edir8736.exe patch has been pulled by Novell due to a potential issue that can result in corruption in NDS and loss of data. See this TID: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098331.htm


July 5, 2004 - Warning. Nothing definite yet, but there have been several Novell public forum users reporting ABENDs after applying BorderManager 3.8 SP2. Some reports say that the problem exists if you install SP2 before installing NW65SP2. One user reported that the problem went away after re-applying BM38SP2 after NW65SP2 and telling the patch to overwrite newer files. The problem seems to be related to ACLCHECK. Another report says the problem may appear if the beta SP2 was installed first. Finally, another report has the problem happening when a user browses to an HTTPS site. Personally, I have installed beta 1, and beta 2, and then BM38SP2 and still have not seen any abends. If you have problems after installing BM38SP2, backrev to BM38SP1, or try backrevving just ACLCHECK to BM38SP1. If you do not have access to BM38SP1, I suggest you might want to wait a few days before installing SP2 and check back here.


April 28, 2004 - If you are using Mail Proxy, and have suddenly started seeing ABENDs, it may be related to a new spam or virus issue. Apparently certain emails with many addresses in the header can cause a problem with Mail Proxy. Novell is aware of the problem and a patch has been developed. You need to contact Novell with BorderManager version and valid email address. Ask Gonzalo (nicely) at morera@globalxs.nl for the patch. I suspect the patch will be publicly available soon, if it solves the problem without creating new issues.

Jan 11, 2003 - I added a note for some bugs below this section. I also wanted to finally tell people what the NW6RCONJ2A.EXE patch was all about. I had avoided telling about the bug until now to give people enough time to go about patching their servers before making it obvious what the bug was about. However, I keep getting new clients who have read my patch list here and just skipped that patch because they didn't think it was applicable to them. They are quite surprised when I connect to their BorderManager server over the Internet using RCONAG6 without a password! The version of RCONAG6 shipped with NW6SP2.EXE included a flawed version of RCONAG6. The bad version does not look at the password entry for the 'secure' (encrypted) port (2036 by default). Consequently, you can connect to a server without a password if that version of RCONAG6 is loaded, and the usual Novell default filter exceptions are in place. The NW6RCONJ2A patch fixes this problem. Also, if you want to know how to tighten up the default filter exceptions considerably, to avoid this issue in the first place as well as to prevent most spam relay issues, I urge you to get my book on BorderManager filtering, and read the advanced chapter.

WARNING - Your BorderManager 3.7 licenses may have expired! Please check the policy on your BorderManager license files (using NWADMN32) and see if you have licenses set to expire on December 8, 2002. If you purchased an English Red Box copy of BorderManager, you may have this situation, and you need to read this tip (#67) for a way to get your free replacement license.

********* RECENT UPDATE NOTES (There are more notes below the patch lists) *********

Dec. 18, 2009 - Updated BorderManager 3.9 patches with the post-BM39SP2 patch BM39SP2_IR1.zip.

2, 2009 - Updated BorderManager 3.9 patches with IKE_20090302.zip patch. See Novell TID 7000778

Feb 28, 2009 - Updated BorderManager 3.9 patches with BM39SP2 patch.

Jan 24, 2009 - Updated BorderManager 3.8 & 3.9 patch lists for NetWare 6.5 with service pack 8.

Aug. 8, 2008 - Updated security services patch from SS205_NW.TGZ to SS206_NW.TGZ. Updated NetWare 6.5 patch list with new NAMED.NLM to fix security vulnerability, in case you are running NAMED on your server.

Apr. 24, 2008 - Updated winsock patch from wsock6n.zip to wsock6o.zip. Updated NWLIB patch to nwlib6l.zip. Updated BM 3.9 patch list with released version of BM39SP1.ZIP. Note that 'soon' an ISO image of 3.9 with the SP1 patch included is supposed to be released from Novell. Also, the non-Vista VPN client 3.8.16 is supposed to be included in the ISO image, instead of the 3.8.15 version in SP1. (You can download the 3.8.16 VPN client - it's listed under BorderManager 3.8 patches.)

Mar. 23, 2008 - Updated BM 3.9 patch list with released version of BM39SP1.EXE. Note that in a couple weeks an ISO image of 3.9 with the SP1 patch included is supposed to be released from Novell. Also, the non-Vista VPN client 3.8.16 is supposed to be included in the ISO image, instead of the 3.8.15 version in SP1.

Mar. 5, 2008 - Posted link to beta copy of BM39SP1 patch. This patch has bug fixes, and includes iManager 2.7 snapins. It does not yet include the SurfControl-slow-rule-reading issue fix, but the non-beta final release will. For now, if you are on the Novell newsgroups (support-forums.novell.com) you should see a message from Mysterious in the BorderManager install-setup group telling you to email him for a beta copy of a new aclcheck.nlm to fix that problem.

Feb. 29, 2008 - Updated TCP version for NetWare 6.5 from TCP681J to TCP681K.

Special Note! BorderManager 3.9sp1 (beta) is due for release today (Feb 29). I have updated my proxy.cfg file in tip #63 with new parameters for this patch. The beta version of this patch does not include a fix for certain SurfControl issues yet, but the final version is supposed to include fixes.

Jan. 15, 2008 - Updated Winsock patches for NetWare 6.5, 6.0 and 5.1; changed from wsock6m.exe to wsock6n.exe.

Dec. 9, 2007 - Updated BorderManager 3.8 patches with post-SP5 patch BM38SP5_IR1.ZIP. Apply this patch after installing BM38SP5.

Oct 30, 2007 - Updated NetWare 6.5 patches with TCP681J.EXE replacing TCP680B.EXE.ZIP.

Oct 25, 2007 - Added warning about abends with NW65SP7 and proxy. Added warning about CLNTRUST.EXE vulnerability. Added mention of applying TCP680B.EXE.ZIP after NW65SP7. Updated NetWare patches with WSOCK6M.EXE. Updated Security Services patch 2.04 to 2.05. Added NW65SP7.ZIP. Added CLNTRUST.EXE patch.

Sep 12, 2007 - Updated BorderManager 3.9 patch list. Updated NetWare 6.5 patches with wsock6k.exe replacing wsock6l.exe.

Aug 15, 2007 - Added new TCPIP patch tcp680b for NetWare 6.5.

Apr 28, 2007 - General clean up of patch lists for all versions, including removing patches no longer available from Novell for older versions of NetWare. Updated BorderManager 3.9 patches.

Feb. 6, 2007 - Updated 6.5 patch lists with reference to Novell WIKI for patch NW65SP6. Added patch section on 3.9 (beta).

Feb. 5, 2007 - Updated NetWare 5.1, 6.0 and 6.5 patch lists with patch NWLIB6J.EXE.

Feb. 3, 2007 - Updated NetWare 5.1 and 6.0 patch lists with updated information on downloading eDirectory 8.7.3. Added wsock6k.exe patch to NetWare 5.1, 6.0 and 6.5 patch lists. Added a warning on potential NW65SP6 issues.

Nov. 11, 2006 - Updated BorderManager 3.8 patches with released version of BM38SP5. Updated BorderManager patches with VPN client 3.8.15. Updated NetWare 6.5 patches with NW65SP6. Updated NW 6.5, 6.0 and 5.1 patches with eDirectory 8.7.3.9 patch.

Oct. 23, 2006 - Updated BorderManager 3.8 patches with beta 2 version of BM38SP5.

Sept. 12, 2006 - Updated NetWare 6.5 post-SP5 patches with the beta patch nw65sp5upd1.exe (contains a winsock fix, a memory management fix, etc.).

June 29, 2006 - Updated BorderManager 3.8 post-SP4 interim patches - BM38SP4_IR5 (beta) has been released.

June 26, 2006 - Updated BorderManager 3.8 post-SP4 interim patches - BM38SP4_IR4 has been pulled due to a problem with the PROXY.NLM version included. Use BM38SP4_IR3 for now. If you have installed BM38SP4_IR4 already, simply backrev the PROXY.NLM to the BM38SP4_IR3 version and reload proxy. The IR4 version has a problem that results in being unable to access certain web sites while the 'requests in progress' statistic in the proxy console current activity screen shows an increase each time you try to access the problem sites. The statistic never reduces until you reload proxy.

Also updated the VPN client from BM3XVPN11.EXE to BM3XVPN12.EXE.

May 24, 2006 - Updated BorderManager 3.8 post-SP4 interim patch, from BM38SP4_IR3.EXE to BM38SP4_IR4.EXE. Added NetWare 6.5 patch NW65OS5A.EXE.

Apr. 17, 2006 - Added note about copying scm.jar file in regard to bm38sp4_ir3.exe patch.

Apr. 16, 2006 - Replaced BorderManager VPN client with BM3XVPN11.EXE. Updated eDirectory patch from edir8737.exe to edir8738.exe.

Mar. 3, 2006 - Replaced BorderManager 3.8 patch BM38SP4_IR2A.EXE with BM38SP4_IR3.EXE.

Feb. 2, 2006 - Updated the NetWare 6.5 patches with NW65SP5.EXE. I have put it on all my NW 6.5 servers without incident, and have not heard much of anything bad about it, except that one of my clients reported an SMS problem backing up GroupWise with Veritas software. He backrevved some SMS modules to get around that one. For now, I will post both the SP5 and the SP4a patch sequences until I have a good comfort level with SP5.

Feb. 3, 2006 - Update in regard to NW65SP5 issues. I know this is not a particularly good way/place to try to post defects in the latest service pack, but it's what is easily available to me! There have been reports, apparently duplicated by Novell, that downloading large files over SSL through Apache will eat up RAM in NILE and cause an abend. The easiest workaround is to backrev WSPSSL.NLM to the NW65SP4a version. A patch is in the works.

Jan. 17, 2006 - Updated the BM38SP4_IR2.EXE patch to BM38SP4_IR2A.EXE.

Note: I know that NW65SP5 is out, and I am still evaluating it before updating my patch list here. (I've been a bit behind on my updates since Christmas.)

------- THERE ARE ADDITIONAL COMMENTS BELOW THE LIST OF PATCHES! -----


BorderManager 3.9 (public beta) Installation / Patch Sequence

On OES NetWare (NetWare 6.5sp6)

Get BorderManager 3.9.

BorderManager 3.9 available since May 1, 2007.

Install OES (Netware) SP3 or NetWare 6.5 sp6 or later

I recommend installing no additional products other than iManager 2.6/2.7 and Apache2 (required for iManager). OES NetWare SP3 is the equivalent of NetWare 6.5 with service pack 6. You *must* use iManager 2.5, 2.6 or 2.7 to configure BorderManager 3.9, though you do not have to run iManager from the BorderManager server. If you started with an earlier version of NetWare 6.5 that has iManager 2.5 installed, you should be able to apply NW65SP6 to get iManager automatically upgraded to 2.6. NW65SP7 should upgrade iManager to version 2.7, and the BorderManager plugins for iManager 2.7 are in the BorderManager 3.9 SP1 patch. NW65SP8 should update iManager 2.7 to 2.7.2, and iManager should then find updates to itself to take it to 2.7.3.

BorderManager 3.9

Install BorderManager 3.9. Novell has been working on an ISO image (out since April 2008 for customers with maintenance) that includes 3.9SP1, and you definitely want to use that instead of the non-patched 3.9 version, as it fixes some installation issues. If you can't wait, try installing 3.9 and immediately install the 3.9SP1 patch. If you installed eDir 8.8.x before installing NBM 3.9, then you also need to hack the products.dat file to pretend you have an earlier eDir version installed - fortunately that is quite easy if you follow Novell TID 7002279.

BM39SP1.zip

Service Pack 1 for BorderManager 3.9, with bug fixes and both iManager 2.6 and 2.7 snapins. The snapins will also work for BM 3.8 VPN. Also includes Vista VPN client. Slightly older 3.8.15 non-Vista VPN client included by mistake, instead of the 3.8.16 version. Install this if you did not use the SP1 ISO image to start at 3.9sp1. You must install this before patching to SP2.

BM39SP2.zip

Service Pack 2 for BorderManager 3.9, with bug fixes and new features. Must have 3.9sp1 installed first.

BM39SP2_IR1.zip

Set of patches to fix various problems and abends after Service Pack 2 for BorderManager 3.9. Must have 3.9sp2 installed first.

OPTIONAL (recommended) - NW65SP8

The latest support pack for NetWare 6.5. Note that if you had iManager 2.5-2.6 installed on your server, it will be upgraded to 2.7, and you may then need to install new plugins. SP8 will also then put a tomcat5 statement in AUTOEXEC.NCF even if you have one in there already.

TCPIP--NW65SP8_Patch.zip

If you have installed NetWare 6.5sp8, and BorderManager 3.9sp2 IR1, then you should also install this TCPIP patch.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches. NOT NEEDED IF NW65SP8 IS INSTALLED.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches. NOT NEEDED IF NW65SP8 IS INSTALLED.

OPTIONAL - NW65SP7

An earlier support pack for NetWare 6.5. If you install this patch, be sure to reinstall the TCP 681k (or later) patch, and the NWLIB6l and WSOCK6O patches, to address an abend issue.

Security Services 2.0.6.

There is a patch available for download that should update the server to NICI 2.7.3, NMAS 3.2.1 and NTSL 2.0.2 called ss206_NW.tgz. You can use WinRAR to open it. This patch can be installed after NW65SP6 or NW65SP7. If you cannot configure VPN ("PKI libraries are not available" error message in iManager), you probably need to install this patch. NOT NEEDED IF NW65SP8 IS INSTALLED.

TCP681K.EXE

Post-NW65SP6 and post-NW65SP7 patch for TCPIP. Fixes a number of abends and issues with BorderManager. If your transparent proxy is not working, you probably need to update TCPIP with this patch. NOT NEEDED IF NW65SP8 IS INSTALLED.

RECOMMENDED - NAMED.NLM

To fix a serious vulnerability in DNS servers, download the latest NAMED.NLM for NetWare 6.5 server. This is a *must* if you happen to be providing DNS services to the Internet, and recommended if you are just running NAMED internally. It's an easy patch - just download NAMED.NLM, copy it to sys:system, and UNLOAD NAMED, then LOAD NAMED. I do not think this patch can be used on a NetWare 6.0 or 5.1 server, but I haven't tried it.

INETCFG

LOAD INETCFG at least once to transfer settings from autoexec.ncf. Reboot.

iManager note

If you have issues seeing the new Proxy Services and Access Rules menu entries for BorderManager 3.9, you need to be sure that a) you have the BorderManager.npm module installed, b) you have role-based services installed, and c) you have installed the BorderManager module into Role Based Services 2. If something went wrong in the installation, it is possible you may have to run the FILLATTR.NCF utility to set up the needed schema extensions for the new iManager options for Access Control and Proxy Services to work. Be aware that iManager 2.7 needs BorderManager plugins from BM39SP1 or later to work.

BorderManager installation problems

There are some known issues with iManager and BorderManager 3.9.
- First, if you get a warning about FILLATTR in both Access Rules and Proxy tasks, you need to rerun FILLATTR.NCF (with proper settings). FILLATTR needs LDAP working to function.
- Second, if you have more than 9 SSL Authentication contexts defined, the installation may fail. Novell has some updated java files to fix this issue, and you may have to contact Novell to get them, but they should be in the ISO image of 3.9 with 3.9sp1 included.
- Third, if you ran FILLATTR and it fixed a problem with access rules not working, but you still get FILLATTR messages in the Proxy task in iManager, try reinstalling NBM 3.9 (in-place upgrade option).
- Fourth, there are some issues with 3rd-party filtering products (SurfControl, LinkWall, N2H2/SmartFilter) in the Access Rules task. If you cannot get the rules to 'stick', be sure you have installed BM39SP1 and later.
- Fifth, NBM 3.9 didn't take into account eDir version 8.8.x in the installation routine. It will tell you that the eDir version doesn't meet requirements. See Novell TID 7002279 for an easy way to change the products.dat entry to call out eDir 8.7.3, install NBM 3.9, and then change the entry back.

BorderManager 3.8 Installation / Patch Sequence

On NetWare 6.5 or OES NetWare

Get BorderManager 3.8 CD. Optional: Get BorderManager Companion CD if you want.

You will need BorderManager 3.8 CD (or downloaded image, about 170MB). The companion CD (about 450MB) is not needed with NetWare 6.5. A little note here - the shipping license for BorderManager 3.8 is ON THE PRODUCT CD in the LICENSES directory. If you have an EVAL COPY, you will NOT have the regular license, but will have only a trial license.

Install NetWare 6.5

I recommend installing no additional products other than iManager and Apache2 (required for iManager). Warning! If you are in-place upgrading an existing BorderManager 3.8 server, from NW 6.0 for instance, the NW65 install will back-rev your filtering modules. In this scenario, you want to repeat the BorderManager patch installation after you get NetWare installed. You normally should install 3.8 before the NetWare upgrade, since older versions of BorderManager are not supported on NetWare 6.5. Once you have installed NetWare 6.5, reinstall the latest BorderManager patch to be sure the filtering modules have been updated. For example, NetWare 6.5 puts FILTSRV.NLM dated 1998, while BorderManager 3.8SP4 installs one from 2005. The older version of FILTSRV.NLM does not support NDS-based filtering, and you can get abends on the server trying to manipulate filters in FILTCFG with the wrong version of FILTSRV.NLM installed.

INETCFG

LOAD INETCFG at least once to transfer settings from autoexec.ncf. Reboot.

OPTIONAL - NW65SP8

The latest support pack for NetWare 6.5. Note that if you had iManager 2.5-2.6 installed on your server, it will be upgraded to 2.7, and you may then need to install new plugins. SP8 will also then put a tomcat5 statement in AUTOEXEC.NCF even if you have one in there already.

TCPIP--NW65SP8_Patch.zip

If you have installed NetWare 6.5sp8, then you should also install this TCPIP patch.

NW65SP6.EXE

If you are nervous about installing NW65SP7 or SP8, you can still install the older NW65SP5.EXE and the post-SP5 patch NW65SP5UPD1.EXE patches. For a list of NW65SP6 issues, see the Novell wiki entry at http://wiki.novell.com/index.php/Nw65sp6.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches.

OPTIONAL - NW65SP7

An earlier support pack for NetWare 6.5. If you install this patch, be sure to reinstall the TCP 681k (or later) patch, and the NWLIB6l and WSOCK6O patches, to address an abend issue.

NW65SP5.EXE

Only if you did not install NW65SP6 or NW65SP7!

NW65SP5UPD1.exe

Only if you did not install NW65SP6 or NW65SP7, and did install NW65SP5! This patch contains several Post-SP5 beta patches rolled into one. Includes the former stand-alone patches nw65os5a.exe, n65nss5a.exe, nwlib6h.exe, and wsock6i.exe.

EDIR8739.EXE

Only if you did not install NW65SP6 or NW65SP7, which contains this patch already. Latest eDirectory patch. Requires eDirectory 8.7.3 to be installed first. Should be able to install on NW 5.1 (I haven't tried it, but the 8.7.3.8 patch worked), or NW 6.0.

RECOMMENDED - NAMED.NLM

To fix a serious vulnerability in DNS servers, download the latest NAMED.NLM for NetWare 6.5 server. This is a *must* if you happen to be providing DNS services to the Internet, and recommended if you are just running NAMED internally. It's an easy patch - just download NAMED.NLM, copy it to sys:system, and UNLOAD NAMED, then LOAD NAMED. I do not think this patch can be used on a NetWare 6.0 or 5.1 server, but I haven't tried it.

Install BorderManager 3.8

GUI installation routine in STARTX. Point to the root of the BorderManager CD files. By the way, I have seen two issues recently that caused me problems installing 3.8, though only (so far) on NW 6.0. The first was a failure to launch the GUI (STARTX). That problem was fixed with the GUIFIX patch from Novell. The other problem was a fatal error early in the install process. There is a TID on that, but the problem was fixed with the latest NICI patch.

BM38SP5.EXE

BorderManager 3.8 Service Pack 5. Does not require previous BorderManager 3.8 service packs to be installed first.

BM38SP5_IR1.ZIP

This interim patch contains updates to apply after installing BM38SP5.EXE. The updates include a new CLNTRUST.EXE, new AUTHCHK, ACLCHECK, PROXY and PROXYCFG modules. Some new options to PROXY.CFG are included, which I have added to my version in tip #63.

TCP681K.EXE

Post-NW65SP6 and post-NW65SP7 patch for TCPIP. Fixes a number of abends and issues with BorderManager.

Security Services 2.0.6.

There is a patch available for download that should update the server to NICI 2.7.3, NMAS 3.2.1 and NTSL 2.0.2 called ss206_NW.tgz. You can use WinRAR to open it. This patch can be installed after NW65SP6 or NW65SP7. If you cannot configure VPN ("PKI libraries are not available" error message in iManager), you probably need to install this patch.

Configure Proxies, etc.

Configure all legacy settings as before. Not much there has changed, but you can use multi-domain support with Mail Proxy now, using PROXY.CFG settings.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

Configure legacy VPN (optional)

The legacy VPN is unchanged, and is set in the same manner as before. The new VPN requires iManager support.

Configure new VPN

The new VPN capabilities can only be configured using iManager 2.01 or later. You can run iManager from a NetWare 6.5 server or from a Windows PC. All you need are the new VPN snapins.

TUNEUP.NCF

Run my TUNEUP.NCF file, or use your own settings. This file puts in settings as recommended in the proxy tuning tid for dedicated BorderManager servers.

SurfControl v6.1

If you are using SurfControl, I recommend you get the latest version from www.surfcontrol.com. See tip #68 at this website for my experiences with it (all positive), and how to reconfigure your memory settings if you were using the older version.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32. Note that there are other, later Client32 patches, but I leave it to you to figure them out!

On NetWare 6.0

Get BorderManager 3.8 and the BorderManager Companion CD

You will need both the BorderManager 3.8 CD (or downloaded image, about 170MB), AND the Companion CD (or downloaded image, about 450MB).

Install NetWare 6.0

I recommend installing no additional products.

NW6SP5.EXE

Note: After installing this patch, you may have to remove a space after any ? commands in your autoexec.ncf. See tip #19. You may also need to manually load NCPL in autoexec.ncf to start certain Apache/Tomcat services.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches.

eDirectory 8.6 or 8.7 (required)

Most current recommended eDirectory on June 22, 2005 is 8.7.3. Download from http://download.novell.com. This file seems to have changed a bit over time, and can be a bit difficult to find. The file for NetWare is called eDir_873_nw_full.exe and is 194MB in size. There is also a CD ISO image available (eDir_873_nw_win.iso, 631MB, includes NetWare and Windows versions). BorderManager 3.8 requires at least eDirectory 8.6.2 installed on the server. (This does not mean DS version 8.82, it means DS versions in the 10,000 range. eDir 8.7.1 is DS version 10510.64). eDir 8.7.1 is supplied on the 3.8 Companion CD.

EDIR8739.EXE

Latest eDirectory 8.7.3.x patch. Requires eDirectory 8.7.3 to be installed first. Should be able to install on NW 5.1 (I haven't tried it, but the 8.7.3.8 patch worked), or NW 6.0, though there is no support for either 6.0 or 5.1. I recommend running DSREPAIR after every eDirectory patch.

NICI 2.6.8

This NICI update is a prerequisite for the later Security and NMAS patches. This patch is no longer listed at Novell's web site, but can still be found on the Internet. The file you want is nici_u0.exe.

Security Update 9

Included within the eDir 8.7.3.7 patch directory. (Look in the Security subdirectory structure of the patch). Requires NICI 2.6.7 or later to be installed first. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is SECUPD8.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

NMAS 2.3.8 or 2.3.9

Requires NICI 2.6.7 or later and Security Update 8 or 9 to be installed first. The NMAS 2.3.9 installation files are in the Security section of the eDir 8.7.3.7 patch. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is NMSRV238.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

INETCFG

LOAD INETCFG at least once to transfer settings from autoexec.ncf. Reboot.

Install BorderManager 3.8

GUI installation routine in STARTX. Point to the root of the BorderManager CD files. By the way, I have seen two issues recently that caused me problems installing 3.8, though only (so far) on NW 6.0. The first was a failure to launch the GUI (STARTX). That problem was fixed with the GUIFIX patch from Novell. The other problem was a fatal error early in the install process. There is a TID on that, but the problem was fixed with the latest NICI patch.

BM38SP5.EXE

BorderManager 3.8 Service Pack 5. Does not require previous BorderManager 3.8 service packs to be installed first.

BM38SP5_IR1.ZIP

This interim patch contains updates to apply after installing BM38SP5.EXE. The updates include a new CLNTRUST.EXE, new AUTHCHK, ACLCHECK, PROXY and PROXYCFG modules. Some new options to PROXY.CFG are included, which I have added to my version in tip #63.

TCP610M.EXE

Latest TCP patch (post-NW6SP5).

Configure Proxies, etc.

Configure all legacy settings as before. Not much there has changed, but you can use multi-domain support with Mail Proxy now, using PROXY.CFG settings.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

Configure legacy VPN (optional)

The legacy VPN is unchanged, and is set in the same manner as before. The new VPN requires iManager 2 support.

iManager 2.0

Although Novell has iManager 2.0 for NW 6.0, on the companion CD, there may or may not be compatibility issues with older products. Best to install iManager 2.0 from the Companion CD to a Windows PC, unless the BorderManager PC is running only BorderManager. Note that the BM38SP1 patch has some iManager snapin updates for Windows iManager. If installing iManager 2.0.1 from the Companion CD to NetWare 6.0, be sure to read tip #74 (iManager tips). My Beginner's Guide to BorderManager 3.x (both the full and the Lite version on the 3.8 product CD) has a chapter on installing iManager 2.0 on Windows.

Configure new VPN

The new VPN capabilities can only be configured using iManager 2.0. You can run iManager from a NetWare 6.5 server or from a Windows PC. All you need are the new VPN snapins.

TUNEUP.NCF

Run my TUNEUP.NCF file, or use your own settings. This file puts in settings as recommended in the proxy tuning TID for dedicated BorderManager servers.

SurfControl v6.1

If you are using SurfControl, I recommend you get the latest version from www.surfcontrol.com. See tip #68 at this website for my experiences with it (all positive), and how to reconfigure your memory settings if you were using the older version.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

On NetWare 5.1

Get BorderManager 3.8 and the BorderManager Companion CD

You will need both the BorderManager 3.8 CD (or downloaded image, about 170MB), AND the Companion CD (or downloaded image, about 450MB).

Install NetWare 5.1

I recommend installing no additional products. Make at least a 4GB legacy (not NSS) cache volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

NW51SP8.EXE

Note: After installing this patch, you may have to remove a space after any ? commands in your autoexec.ncf. See tip #19.

NW51OS8A.EXE

Warning! Do NOT install this on Small Business (SBS) servers, or your SBS licenses will not be usable. Should you have installed this patch on a SBS 5.1 server, you will need to copy back the SERVER.OLD file in C:\NWSERVER to SERVER.EXE there, and reboot. Once you install NetWare 5.1 SP8, you need to install this patch to fix various issues, including memory problems.

NW51SP8NCP.EXE

Once you install NetWare 5.1 SP8, you need to install this patch to fix a possible abend issue.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches.

TCP587I.EXE

Latest TCP patch for NetWare 5.1.

eDirectory 8.6 or 8.7 (required)

Most current eDirectory on June 22, 2005 is 8.7.3. Download from http://download.novell.com. This file seems to have changed a bit over time, and can be a bit difficult to find. The file for NetWare is called eDir_873_nw_full.exe and is 194MB in size. There is also a CD ISO image available (eDir_873_nw_win.iso, 631MB, includes NetWare and Windows versions). BorderManager 3.8 requires at least eDirectory 8.6.2 installed on the server. (This does not mean DS version 8.82, it means DS versions in the 10,000 range. eDir 8.7.1 is DS version 10510.64). eDir 8.7.1 is supplied on the 3.8 Companion CD.

EDIR8739.EXE

Latest eDirectory 8.7.3.x patch. Requires eDirectory 8.7.3 to be installed first. Should be able to install on NW 5.1 (I haven't tried it, but the 8.7.3.8 patch worked), or NW 6.0, though there is no support for either 6.0 or 5.1. I recommend running DSREPAIR after every eDirectory patch.

NICI 2.6.8

This NICI update is a prerequisite for the later Security and NMAS patches. This patch is no longer listed at Novell's web site, but can still be found on the Internet. The file you want is nici_u0.exe.

Security Update 9

Included within the eDir 8.7.3.7 patch directory. (Look in the Security subdirectory structure of the patch). Requires NICI 2.6.7 or later to be installed first. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is SECUPD8.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

NMAS 2.3.8 or 2.3.9

Requires NICI 2.6.7 or later and Security Update 8 or 9 to be installed first. The NMAS 2.3.9 installation files are in the Security section of the eDir 8.7.3.7 patch. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is NMSRV238.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

INETCFG

LOAD INETCFG at least once to transfer settings from autoexec.ncf. Reboot.

Install BorderManager 3.8

GUI installation routine in STARTX. Point to the root of the BorderManager CD files. By the way, I have seen two issues recently that caused me problems installing 3.8, though only (so far) on NW 6.0. The first was a failure to launch the GUI (STARTX). That problem was fixed with the GUIFIX patch from Novell. The other problem was a fatal error early in the install process. There is a TID on that, but the problem was fixed with the latest NICI patch.

BM38SP5.EXE

BorderManager 3.8 Service Pack 5. Does not require previous BorderManager 3.8 service packs to be installed first.

BM38SP5_IR1.ZIP

This interim patch contains updates to apply after installing BM38SP5.EXE. The updates include a new CLNTRUST.EXE, new AUTHCHK, ACLCHECK, PROXY and PROXYCFG modules. Some new options to PROXY.CFG are included, which I have added to my version in tip #63.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

Configure Proxies, etc.

Configure all legacy settings as before. Not much there has changed, but you can use multi-domain support with Mail Proxy now, using PROXY.CFG settings.

Configure legacy VPN (optional)

The legacy VPN is unchanged, and is set in the same manner as before, except that iManager rules are needed. The new VPN requires iManager 2 support.

iManager 2 (on Windows)

Unless you have a NetWare 6.5 server, which comes with iManager 2, or have installed iManager 2.0 on NetWare 6, you will have to install iManager 2.0 from the Companion CD to a Windows PC, and add the VPN snapins (vpn.npm file from the VPN directory on the BorderManager CD). Note that the BM38SP1 patch has some iManager snapin updates for Windows iManager. If installing iManager 2.0.1 from the Companion CD to NetWare 6.0, be sure to read tip #74 (iManager tips). My Beginner's Guide to BorderManager 3.x (both the full and the Lite version on the 3.8 product CD) has a chapter on installing iManager 2.0 on Windows.

Configure new VPN

The new VPN capabilities can only be configured using iManager 2.0.x. You can run iManager 2.0.x from a NetWare 6.5 or 6.0 server or from a Windows PC. All you need are the new VPN snapins.

TUNEUP.NCF

Run my TUNEUP.NCF file, or use your own settings. This file puts in settings as recommended in the proxy tuning TID for dedicated BorderManager servers.

SurfControl v6.1

If you are using SurfControl, I recommend you get the latest version from www.surfcontrol.com. See tip #68 at this website for my experiences with it (all positive), and how to reconfigure your memory settings if you were using the older version.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.


BorderManager 3.7 Installation / Patch Sequence

BorderManager 3.7 was officially released on April 17, 2002. There were some critical updates available by that date (or soon thereafter), which have now been included in the patches listed below. However, the first sets of CDs released included licenses that expired in December, 2002. After the licenses expired, unloading a licensed NLM (such as PROXY.NLM) or rebooting will cause that service to fail, since there will not be a valid license available when you restart the NLM. See tip #67 at this web site for instructions on how to get a replacement license from Novell.

BorderManager 3.7 is not supported and will not install on versions of NetWare prior to NetWare 5.1, or later than 6.0. This means you may need to upgrade NetWare before upgrading BorderManager. It also means you cannot install 3.7 on NetWare 6.5. Novell also recommends having the latest patches applied for older versions of BorderManager before upgrading. BorderManager 3.7 requires at least NW51SP4 or NW6SP1 to be installed first.

Note: BorderManager 3.7 has higher minimum RAM requirements than previous versions, ESPECIALLY if using SurfControl. Minimum recommended RAM for BorderManager 3.7 is 512MB. Add an additional 512 MB (1GB total RAM) if SurfControl is to be used. I will document some RAM-reducing options available when using SurfControl in my BorderManager 3.x book (Second Edition).

On NetWare 6.0

Install NetWare 6.0

Do NOT configure all disk space as NSS! Make at least a 4GB legacy CACHE volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

NW6SP5.EXE

Note: After installing this patch, you may have to remove a space after any ? commands in your autoexec.ncf. See tip #19. You may also need to manually load NCPL in autoexec.ncf to start certain Apache/Tomcat services.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches.

TCP610M.EXE

TCPIP modules. Use the version in the NICI folder for all servers once NW6SP4 is installed. (Otherwise use Domestic version for BM 3.7 or earlier servers with VPN). Latest TCP patch (post-NW6SP5).

eDirectory 8.6 or 8.7 (required)

Most current eDirectory on June 22, 2005 is 8.7.3. Download from http://download.novell.com. This file seems to have changed a bit over time, and can be a bit difficult to find. The file for NetWare is called eDir_873_nw_full.exe and is 194MB in size. There is also a CD ISO image available (eDir_873_nw_win.iso, 631MB, includes NetWare and Windows versions). BorderManager 3.8 requires at least eDirectory 8.6.2 installed on the server. (This does not mean DS version 8.82, it means DS versions in the 10,000 range. eDir 8.7.1 is DS version 10510.64). eDir 8.7.1 is supplied on the 3.8 Companion CD.

EDIR8739.EXE

Latest eDirectory 8.7.3.x patch. Requires eDirectory 8.7.3 to be installed first. Should be able to install on NW 5.1 (I haven't tried it, but the 8.7.3.8 patch worked), or NW 6.0, though there is no support for either 6.0 or 5.1. I recommend running DSREPAIR after every eDirectory patch.

NICI 2.6.8

This NICI update is a prerequisite for the later Security and NMAS patches. This patch is no longer listed at Novell's web site, but can still be found on the Internet. The file you want is nici_u0.exe.

Security Update 9

Included within the eDir 8.7.3.7 patch directory. (Look in the Security subdirectory structure of the patch). Requires NICI 2.6.7 or later to be installed first. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is SECUPD8.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

NMAS 2.3.8 or 2.3.9

Requires NICI 2.6.7 or later and Security Update 8 or 9 to be installed first. The NMAS 2.3.9 installation files are in the Security section of the eDir 8.7.3.7 patch. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is NMSRV238.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

BorderManager 3.7

Note licensing issue with English-only CDs.

BM37SP3.EXE

Service Pack 3 for BorderManager 3.7.

BM37FP4E.EXE

Post-BM37SP3 patch. Be sure to update proxy.cfg as well. See tip #63 here. If you make much use of stateful filters, and the server drops packets or seems slow, backrev IPFLT31.NLM to the version in BM37SP3.EXE.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

SurfControl v6.1

If you are using SurfControl, I recommend you get the latest version from www.surfcontrol.com. See tip #68 at this website for my experiences with it (all positive), and how to reconfigure your memory settings if you were using the older version.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

NW6RCONJ2A.EXE

(Only applies to NW6SP2.EXE). This patch addressed a serious security issue in RCONAG6 from NW6SP2.EXE. DO NOT SKIP THIS PATCH! WITH NW6SP2, YOU CAN CONNECT TO RCONAG6 ON THE 'SECURE' PORT WITHOUT A PASSWORD!

TUNEUP.NCF

Run my TUNEUP.NCF file, or use your own settings. This file puts in settings as recommended in the proxy tuning TID for dedicated BorderManager servers.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

Configure Proxy

Configure all legacy settings as before. Not much there has changed, but you can use multi-domain support with Mail Proxy now, using PROXY.CFG settings.

On NetWare 5.1

Install NetWare 5.1

Make at least a 4GB legacy (not NSS) cache volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

NW51SP8.EXE

Note: After installing this patch, you may have to remove a space after any ? commands in your autoexec.ncf. See tip #19.

NW51OS8A.EXE

Warning! Do NOT install this on Small Business (SBS) servers, or your SBS licenses will not be usable. Should you have installed this patch on a SBS 5.1 server, you will need to copy back the SERVER.OLD file in C:\NWSERVER to SERVER.EXE there, and reboot. Once you install NetWare 5.1 SP8, you need to install this patch to fix various issues, including memory problems.

NW51SP8NCP.EXE

Once you install NetWare 5.1 SP8, you need to install this patch to fix a possible abend issue.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches.

TCP587I.EXE

Latest TCP patch for NetWare 5.1.

eDirectory 8.6 or 8.7 (required)

Most current eDirectory on June 22, 2005 is 8.7.3. Download from http://download.novell.com. This file seems to have changed a bit over time, and can be a bit difficult to find. The file for NetWare is called eDir_873_nw_full.exe and is 194MB in size. There is also a CD ISO image available (eDir_873_nw_win.iso, 631MB, includes NetWare and Windows versions). BorderManager 3.8 requires at least eDirectory 8.6.2 installed on the server. (This does not mean DS version 8.82, it means DS versions in the 10,000 range. eDir 8.7.1 is DS version 10510.64). eDir 8.7.1 is supplied on the 3.8 Companion CD.

EDIR8739.EXE

Latest eDirectory 8.7.3.x patch. Requires eDirectory 8.7.3 to be installed first. Should be able to install on NW 5.1 (I haven't tried it, but the 8.7.3.8 patch worked), or NW 6.0, though there is no support for either 6.0 or 5.1. I recommend running DSREPAIR after every eDirectory patch.

NICI 2.6.8

This NICI update is a prerequisite for the later Security and NMAS patches. This patch is found at downloads.novell.com, not support.novell.com. Limit the search category at the web page to NICI and you will get a link to NICI 2.6.8 files. The file you want is nici_u0.exe.

Security Update 9

Included within the eDir 8.7.3.7 patch directory. (Look in the Security subdirectory structure of the patch). Requires NICI 2.6.7 or later to be installed first. If you did not install eDir 8.7.3.7 you can download the Security Update 8 patch (SECUPD8.TGZ) separately from support.novell.com/filefinder. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file.

NMAS 2.3.8 or 2.3.9

Requires NICI 2.6.7 or later and Security Update 8 or 9 to be installed first. The NMAS 2.3.9 installation files are in the Security section of the eDir 8.7.3.7 patch. (You can download the previous version - NMAS 2.3.8, from support.novell.com in the NMSRV238.TGZ file if you do not have the eDir 8.7.3.7 patch. Use WinRAR from www.rarlabs.com to explode the .tgz file).

BorderManager 3.7

Note licensing issue with English-only CDs.

BM37SP3.EXE

Service Pack 3 for BorderManager 3.7.

BM37FP4E.EXE

Post-BM37SP3 patch. Be sure to update proxy.cfg as well. See tip #63 here. If you make much use of stateful filters, and the server drops packets or seems slow, backrev IPFLT31.NLM to the version in BM37SP3.EXE.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

TCP587I.EXE

Latest TCP patch (post-NW51SP8).

SurfControl v6.1

If you are using SurfControl, I recommend you get the latest version from www.surfcontrol.com. See tip #68 at this website for my experiences with it (all positive), and how to reconfigure your memory settings if you were using the older version.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

TUNEUP.NCF

Run my TUNEUP.NCF file, or use your own settings. This file puts in settings as recommended in the proxy tuning TID for dedicated BorderManager servers.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

Configure Proxy

Configure all legacy settings as before. Not much there has changed, but you can use multi-domain support with Mail Proxy now, using PROXY.CFG settings.


BorderManager 3.6 Installation / Patch Sequence

Note: BorderManager 3.6 is now considered end-of-life by Novell, with support ending at the end of May 2003, and no further updates or patches are being written for it.

Note: BorderManager 3.6 will not install on NetWare 6.5. The only version of BorderManager that is supported on NetWare 6.5 is BorderManager 3.8.

Mar 9, 2001 - Installation of Older Files Problem: The BorderManager 3.6 installation has a problem in the install script that causes it to copy all the files in the NIAS directory from the CD on the server, even if they are older than the versions on the server! You MUST reapply the latest service pack for NetWare after installing BorderManager 3.6 to correct this issue. (This is regardless of whether you plan on using NIAS features or not).

On NetWare 6.0 (if upgrading from NW 5.x, see the BM36SP1A.EXE readme)

Install NetWare 6.0

Do NOT configure all disk space as NSS! Make at least a 4GB legacy CACHE volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

NW6SP5.EXE

Note: After installing this patch, you may have to remove a space after any ? commands in your autoexec.ncf. See tip #19. You may also need to manually load NCPL in autoexec.ncf to start certain Apache/Tomcat services.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches.

ADMATTRS.EXE

This patch creates NDS attributes for BorderManager relating to a Login Policy Object. NMAS may be installed by default, and installing BorderManager after NMAS can create problems! Before proceeding, see http://support.novell.com/servlet/tidfinder/2959071

BorderManager 3.6

When prompted to reboot do NOT reboot. Go on to the next step. If you cannot install BorderManager at all, see this note.

BM36SP2A.EXE

(Note: If running a small business server, you should also install the NIASSP1.EXE patch from the partner CD). See the Jan. 24, 2003 note at the top of this page.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

eDirectory 8.6 or 8.7 (optional)

The latest version of eDirectory I tested with BorderManager 3.6 was 8.7.3.x. Download from http://download.novell.com. This file seems to have changed a bit over time, and can be a bit difficult to find. The file for NetWare is called eDir_873_nw_full.exe and is 194MB in size. There is also a CD ISO image available (eDir_873_nw_win.iso, 631MB, includes NetWare and Windows versions).

EDIR8739.EXE

Latest eDirectory 8.7.3.x patch. Requires eDirectory 8.7.3 to be installed first. Should be able to install on NW 5.1 (I haven't tried it, but the 8.7.3.8 patch worked), or NW 6.0, though there is no support for either 6.0 or 5.1. I recommend running DSREPAIR after every eDirectory patch.

NICI 2.6.8

This NICI update is a prerequisite for the later Security and NMAS patches. This patch is no longer listed at Novell's web site, but can still be found on the Internet. The file you want is nici_u0.exe.

Security Update 9

Included within the eDir 8.7.3.7 patch directory. (Look in the Security subdirectory structure of the patch). Requires NICI 2.6.7 or later to be installed first. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is SECUPD8.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

NMAS 2.3.8 or 2.3.9

Requires NICI 2.6.7 or later and Security Update 8 or 9 to be installed first. The NMAS 2.3.9 installation files are in the Security section of the eDir 8.7.3.7 patch. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is NMSRV238.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

NW6SP5.EXE

Reinstall NW6SP5 to fix problems from the BorderManager 3.6 installation routine (where it overwrites certain newer files).

TCP610M.EXE

TCPIP modules. Use the version in the NICI folder for all servers once NW6SP4 is installed. (Otherwise use Domestic version for BM 3.7 or earlier servers with VPN). Latest TCP patch (post-NW6SP5).

CSATPXY.NLM

Get the CSATPXY.NLM from BM37SP2.EXE and use it on your 3.6 server to fix a logging bug.

PROXY.NLM

Note: You can use the PROXY.NLM from BM37FP4A.EXE or BM37SP3.EXE. Be sure to update proxy.cfg as well to avoid an abend. See tip #63 here. Use only the PROXY.NLM file from this patch. You can use PROXY.NLM from BM37FP4E.EXE if you also replace AUTHCHK.NLM from that patch.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

NW6RCONJ2A.EXE

(Only applies to NW6SP2). This patch addressed a serious security issue in RCONAG6 from NW6SP2.EXE. DO NOT SKIP THIS PATCH! WITH NW6SP2, YOU CAN CONNECT TO RCONAG6 ON THE 'SECURE' PORT WITHOUT A PASSWORD! (This is fixed in NW6SP3.EXE)

TUNEUP.NCF

Run my TUNEUP.NCF file, or use your own settings. This file puts in settings as recommended in the proxy tuning TID for dedicated BorderManager servers.

On NetWare 5.1

Install NetWare 5.1

Make at least a 4GB legacy (not NSS) cache volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

NW51NI1.EXE

Only needed if you installed NW51SP3 or later before installing BorderManager. See TID 2960217.

ADMATTRS.EXE

Should only be needed if you have NMAS installed in your NDS tree. This patch creates NDS attributes for BorderManager relating to a Login Policy Object. Before proceeding, see http://support.novell.com/servlet/tidfinder/2959071

BorderManager 3.6

Don't install NW51SP3 first! If you installed NW51SP3 first, and have trouble here, see this tip. If you cannot install BorderManager at all, see this note. (I am not sure if this problem occurs with NW51SP4 or later).

NW51SP8.EXE

Note: After installing this patch, you may have to remove a space after any ? commands in your autoexec.ncf. See tip #19.

NW51OS8A.EXE

Warning! Do NOT install this on Small Business (SBS) servers, or your SBS licenses will not be usable. Should you have installed this patch on a SBS 5.1 server, you will need to copy back the SERVER.OLD file in C:\NWSERVER to SERVER.EXE there, and reboot. Once you install NetWare 5.1 SP8, you need to install this patch to fix various issues, including memory problems.

NW51SP8NCP.EXE

Once you install NetWare 5.1 SP8, you need to install this patch to fix a possible abend issue.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches.

TCP587I.EXE

Latest TCP patch for NetWare 5.1.

BM36SP2A.EXE

(Note: If running a small business server, you should also install the NIASSP1.EXE patch from the partner CD). See the Jan. 24, 2003 note on this page.

PROXY.NLM

Note: You can use the PROXY.NLM from BM37FP4A.EXE or BM37SP3.EXE. Be sure to update proxy.cfg as well to avoid an abend. See tip #63 here. Use only the PROXY.NLM file from this patch. You can use PROXY.NLM from BM37FP4E.EXE if you also replace AUTHCHK.NLM from that patch.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE.

eDirectory 8.6 or 8.7

The latest version of eDirectory I tested with BorderManager 3.6 was 8.7.3.x. Download from http://download.novell.com. This file seems to have changed a bit over time, and can be a bit difficult to find. The file for NetWare is called eDir_873_nw_full.exe and is 194MB in size. There is also a CD ISO image available (eDir_873_nw_win.iso, 631MB, includes NetWare and Windows versions).

EDIR8739.EXE

Latest eDirectory 8.7.3.x patch. Requires eDirectory 8.7.3 to be installed first. Should be able to install on NW 5.1 (I haven't tried it, but the 8.7.3.8 patch worked), or NW 6.0, though there is no support for either 6.0 or 5.1. I recommend running DSREPAIR after every eDirectory patch.

NICI 2.6.8

This NICI update is a prerequisite for the later Security and NMAS patches. This patch is no longer listed at Novell's web site, but can still be found on the Internet. The file you want is nici_u0.exe.

Security Update 9

Included within the eDir 8.7.3.7 patch directory. (Look in the Security subdirectory structure of the patch). Requires NICI 2.6.7 or later to be installed first. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is SECUPD8.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

NMAS 2.3.8 or 2.3.9

Requires NICI 2.6.7 or later and Security Update 8 or 9 to be installed first. The NMAS 2.3.9 installation files are in the Security section of the eDir 8.7.3.7 patch. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is NMSRV238.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

CSATPXY.NLM

Get the CSATPXY.NLM from BM37SP2.EXE and use it on your 3.6 server to fix a logging bug.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

TUNEUP.NCF

Remove the Minimum and Maximum Packet Receive buffer limits that NW51SP3 (possibly others) puts in AUTOEXEC.NCF, and run the TUNEUP.NCF file, or use your own settings. The limits from NW51SP3 are too low.

On NetWare 5.0

Install NetWare 5.0

Make at least a 4GB legacy (not NSS) cache volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

NW50SP6A.EXE

Install the previous support pack, then NW50SP6A.EXE (Installing NW50SP6A, with DS 8 running on NetWare, can cause a serious problem IF a previous NetWare support pack has not been installed).

BorderManager 3.6

If you cannot install BorderManager at all, see this note.

NW50SP6A.EXE

Reinstall this patch due to the older NIAS files being installed by BorderManager 3.6. See the note above about the installation of older files problem.

NICIE157.EXE

This patch is no longer available from Novell but can be found on the Internet. Install the NICI 1.5.7 update, and reboot. See service pack issues.

BM36SP2A.EXE

BM36SP2A is not supported on NetWare 5.0, and the .IPS setup script prevents it from installing on NetWare 5.0. If you want to install this patch, use the modified install script HERE.

NIASSP1.EXE

(Note: If running a small business server, you should also install the NIASSP1.EXE patch from the partner CD). See the Jan. 24, 2003 note on this page.

PROXY.NLM

Note: You can use the PROXY.NLM from BM37FP4E.EXE or BM37SP3.EXE. Be sure to update proxy.cfg as well to avoid an abend. See tip #63 here. Use only the PROXY.NLM and AUTHCHK.NLM files.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

CSATPXY.NLM

Get the CSATPXY.NLM from BM37SP2.EXE and use it on your 3.6 server to fix a logging bug.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

TCP553V.EXE

Not tested, but the patch reports no compatibility issues. You may have to do an Internet search to find this patch. Do not install later versions of TCPIP on NetWare 5.0. See tip #6.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

TUNEUP.NCF

Run my TUNEUP.NCF file, or use your own settings. This file puts in settings as recommended in the proxy tuning tid for dedicated BorderManager servers.

On NetWare 4.11/4.2

Install NetWare 4.11/4.2

Make at least a 4GB legacy cache volume, with no suballocation, no compression and 8k or 16k block size. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space.

NW4SP9.EXE

Install the latest NetWare 4.11/4.2 support pack.

BorderManager 3.6

(Install it from the root of the CD!!!)

NIASSP1.EXE

(Note: If running a small business server, you should also install the patch from the partner CD). See the Jan. 24, 2003 note at the top of this page.

BM36SP2A.EXE

Last patch for BorderManager 3.6.

PROXY.NLM

Note: You can use the PROXY.NLM from BM37FP4A.EXE or BM37SP3.EXE. Be sure to update proxy.cfg as well to avoid an abend. See tip #63 here. Use only the PROXY.NLM file from this patch. You can use PROXY.NLM from BM37FP4E.EXE if you also replace AUTHCHK.NLM from that patch.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

NW4SP9.EXE

Reinstall this patch due to the older NIAS files being installed by BorderManager 3.6. See the note above about the installation of older files problem.

CSATPXY.NLM

Get the CSATPXY.NLM from BM37SP2.EXE and use it on your 3.6 server to fix a logging bug.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

TUNEUP.NCF

Run my TUNEUP.NCF file, or use your own settings. This file puts in settings as recommended in the proxy tuning tid for dedicated BorderManager servers. Add TUNEUP.NCF to AUTOEXEC.NCF.


BorderManager 3.5 Installation / Patch Sequence

Note: It is possible that you could manually apply the BM37SP2 or BMMACSSL1.EXE proxy.nlm file to your 3.5 server, and gain those advantages. As an example of how close BorderManager 3.5 is to 3.7, you could use the PROXY.NLM from the latest BorderManager 3.7 patch (BM37FP4D when I wrote this) on 3.5, 3.6 or 3.7, if you also use the AUTHCHK.NLM from that patch, which gives all three versions the same proxy.nlm version.

Note: BorderManager 3.5 will not install on NetWare 6.5. The only version of BorderManager that is supported on NetWare 6.5 is BorderManager 3.8.

On NetWare 5.1

Install NetWare 5.1

Make at least a 4GB legacy (not NSS) cache volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

BorderManager 3.5

(Install it from the root of the CD!!!) If you cannot install BorderManager at all, see this note.

NW51SP8.EXE

Note: After installing this patch, you may have to remove a space after any ? commands in your autoexec.ncf. See tip #19.

NW51OS8A.EXE

Warning! Do NOT install this on Small Business (SBS) servers, or your SBS licenses will not be usable. Should you have installed this patch on a SBS 5.1 server, you will need to copy back the SERVER.OLD file in C:\NWSERVER to SERVER.EXE there, and reboot. Once you install NetWare 5.1 SP8, you need to install this patch to fix various issues, including memory problems.

NW51SP8NCP.EXE

Once you install NetWare 5.1 SP8, you need to install this patch to fix a possible abend issue.

WSOCK6O.EXE

A winsock patch intended to be applied after NW65SP6 or NW65SP7. Also can be (probably) applied after NW6SP5 or NW51SP8 patches.

NWLIB6L.ZIP

A CLIB patch intended to be applied after NW65SP6. (Included in NW65SP7). Also can be applied after NW6SP5 or NW51SP8 patches.

TCPIP.NLM Note

NW51SP8 puts on TCP 5.87g/97g. Do NOT try to run TCPIP.NLM 5.5x or earlier versions after installing NW51SP4 or later. SP4 puts on TCPIP 5.80/5.90j. If you feel that you need 5.53 (any version) for some reason, you need to uninstall SP4/SP5/SP6 and stay at SP3. You can use TCP553V.EXE for NW 5.1 SP3 servers.

TCP587H.EXE

Latest TCP patch for NetWare 5.1. Read the note above!

BM35SP3.EXE

Requires at least NW51SP2. If you install the NW51 service pack after this patch, reinstall this patch. (See also a discussion of BorderManager filtering modules!) Has Code Red and RealAudio/RTSP fixes.

BM36C02.EXE

Will not install, and is not supported, but should run if you copy the files manually.... Your call if you want to try this. Should address the issue of NMAS / Login Policy Object incompatibilities with BorderManager. Also fixes an issue with abends relating to eDir 8.6.2. If you have a Site-to-Site VPN that enables IPX, and you lose IPX after this patch, see this tip.

PROXY.NLM

Note: You can use the PROXY.NLM from BM37FP4A.EXE or BM37SP3.EXE. Be sure to update proxy.cfg as well to avoid an abend. See tip #63 here. Use only the PROXY.NLM file from this patch. (It is possible the pxyauth.exe file may be usable as well, but I have not tested it nor heard any feedback). You can use PROXY.NLM from BM37FP4E.EXE if you also replace AUTHCHK.NLM from that patch.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

BM35ADM7.EXE

Addresses interoperability issues between the Login Policy Object created by NMAS / NetWare 6 install when BorderManager or RADIUS already exists in the tree.

RADATR4.EXE

If you are using RADIUS, install this update.

eDirectory 8.6 or 8.7 (required)

Most current eDirectory on June 22, 2005 is 8.7.3. Download from http://download.novell.com. This file seems to have changed a bit over time, and can be a bit difficult to find. The file for NetWare is called eDir_873_nw_full.exe and is 194MB in size. There is also a CD ISO image available (eDir_873_nw_win.iso, 631MB, includes NetWare and Windows versions). BorderManager 3.8 requires at least eDirectory 8.6.2 installed on the server. (This does not mean DS version 8.82, it means DS versions in the 10,000 range. eDir 8.7.1 is DS version 10510.64). eDir 8.7.1 is supplied on the 3.8 Companion CD.

EDIR8739.EXE

Latest eDirectory 8.7.3.x patch. Requires eDirectory 8.7.3 to be installed first. Should be able to install on NW 5.1 (I haven't tried it, but the 8.7.3.8 patch worked), or NW 6.0, though there is no support for either 6.0 or 5.1.

NICI 2.6.8

This NICI update is a prerequisite for the later Security and NMAS patches. This patch is no longer listed at Novell's web site, but can still be found on the Internet. The file you want is nici_u0.exe.

Security Update 9

Included within the eDir 8.7.3.7 patch directory. (Look in the Security subdirectory structure of the patch). Requires NICI 2.6.7 or later to be installed first. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is SECUPD8.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

NMAS 2.3.8 or 2.3.9

Requires NICI 2.6.7 or later and Security Update 8 or 9 to be installed first. The NMAS 2.3.9 installation files are in the Security section of the eDir 8.7.3.7 patch. This patch is no longer listed at Novell's web site, but can still be found on the Internet if you did not install eDir 8.7.3.7. The file you want is NMSRV238.TGZ. You can use WinRAR (from www.rarlabs.com) to extract the .tgz file contents.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

TUNEUP.NCF

Remove the Minimum and Maximum Packet Receive buffer limits that NW51SP3 (possibly others) puts in AUTOEXEC.NCF, and run the TUNEUP.NCF file, or use your own settings. The limits from NW51SP3 are too low.

Caution!

Running the SYS:PUBLIC\BRDRMGR\SNAPINS\SETUP.EXE program to update the NWADMN32 snapin files after installing the BM35SP2 patch does NOT help to copy snapins to another server, because the patch doesn't update that directory. (The BorderManager server itself is correctly updated by installing the patch.) Instead, manually copy the updated snapins from the BM35SP2 \public\win32\snapins directory to the BM server's \public\brdrmgr\snapins\data\border\win32\snapins directory. Then rerun the snapin setup against the desired servers.

CP_SETUP.EXE

Run the CyberPatrol CP_SETUP.EXE program to extract the new files and apply them, if you are using CyberPatrol.

On NetWare 5.0

Install NetWare 5.0

Make at least a 4GB legacy (not NSS) cache volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

NW5SP2A.EXE

(This patch is present on the BorderManager installation CD under the CSP directory. Installing NW50SP6A.EXE, with DS 8 running on NetWare, can cause a serious problem IF a previous NetWare support pack has not been installed).

BorderManager 3.5

(Install it from the root of the CD!!!) If you cannot install BorderManager at all, see this note.

NW50SP6A.EXE

(Includes newer BorderManager filtering modules - Do NOT reboot yet!)

NICIE157.EXE

This patch is no longer available from Novell but can be found on the Internet. Install the NICI 1.5.7 update, and reboot. See service pack issues.

BM35SP3.EXE

(Requires NW50SP6 or later. If you install the NW5 service pack after this patch, reinstall this patch. You REALLY NEED TO read the discussion of BorderManager filtering modules if you choose to apply NW5SP5 and have not applied BM35SP1 before!) Has Code Red and RealAudio/RTSP fixes.

BM36C02.EXE

Will not install, and is not supported, but should run if you copy the files manually.... Your call if you want to try this. Should address the issue of NMAS / Login Policy Object incompatibilities with BorderManager. Also fixes an issue with abends relating to eDir 8.6.2. If you have a Site-to-Site VPN that enables IPX, and you lose IPX after this patch, see this tip.

BM35ADM7.EXE

Addresses interoperability issues between the Login Policy Object created by NMAS / NetWare 6 install when BorderManager or RADIUS already exists in the tree.

RADATR4.EXE

If you are using RADIUS, install this update.

PROXY.NLM

Note: You can use the PROXY.NLM from BM37FP4A.EXE or BM37SP3.EXE. Be sure to update proxy.cfg as well to avoid an abend. See tip #63 here. Use only the PROXY.NLM file from this patch. (It is possible the pxyauth.exe file may be usable as well, but I have not tested it nor heard any feedback). You can use PROXY.NLM from BM37FP4E.EXE if you also replace AUTHCHK.NLM from that patch.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

49psp1a_netwin32.exe

This is a patch for Client32 4.9sp1a that is supposed to fix the issue where you get a -601 error when accessing the BorderManager tabs in NWADMN32.

TCP553V.EXE

Not tested, but the patch reports no compatibility issues. Do not install later versions of TCPIP on NetWare 5.0. See tip #6.

NAT600D.EXE

Newer version of NAT which (usually) fixes an issue with Client-Site VPN pinging private IP address of the BorderManager Server.

SECUPD8.TGZ

This file is no longer available from Novell but can be found on the Internet. This is a security update for various eDirectory versions to fix a potential problem. (Winzip or WinRar can decompress this file). Check the readme carefully before applying it.

ADMN519F.EXE

(NWADMN32 update that helps with snapin issues somewhat.)

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

TUNEUP.NCF

Remove the Minimum and Maximum Packet Receive buffer limits if the support pack puts that in AUTOEXEC.NCF, and run the TUNEUP.NCF file, or use your own settings. (The limits from NW51SP3 are too low. I am not sure if NW51SP4 or later puts those settings in.)

Caution!

Running the SYS:PUBLIC\BRDRMGR\SNAPINS\SETUP.EXE program to update the NWADMN32 snapin files after installing the BM35SP2 patch does NOT help to copy snapins to another server, because the patch doesn't update that directory. (The BorderManager server itself is correctly updated by installing the patch.) Instead, manually copy the updated snapins from the BM35SP2 \public\win32\snapins directory to the BM server's \public\brdrmgr\snapins\data\border\win32\snapins directory. Then rerun the snapin setup against the desired servers.

CP_SETUP.EXE

Run the CyberPatrol CP_SETUP.EXE program to extract the new files and apply them, if using CyberPatrol.

On NetWare 4.11

Install NetWare 4.11

Make at least a 4GB legacy cache volume, with no suballocation, no compression and 8k or 16k block size. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space.

IWSP6A

(Minimum, can also install NW4SP9. This patch is provided on the BorderManager 3.5 CD under the CSP directory. If you start with NW4SP9, you should re-install it after BorderManager 3.5 is installed.)

BorderManager 3.5

(Install it from the root of the CD!!!)

NW4SP9.EXE

(Includes newer BorderManager filtering modules.)

BM35SP3.EXE

(Requires NW4SP9. If you install the NW4 service pack after this patch, reinstall this patch. You REALLY NEED TO read the discussion of BorderManager filtering modules if you choose to apply NW4SP8A and have not applied BM35SP1 before!). Has Code Red and RealAudio/RTSP fixes.

BM36C01B.EXE

Will not install, and is not supported, but should run if you copy the files manually.... Your call if you want to try this. Should address the issue of NMAS / Login Policy Object incompatibilities with BorderManager. Also fixes an issue with abends relating to eDir 8.6.2. If you have a Site-to-Site VPN that enables IPX, and you lose IPX after this patch, see this tip.

BM35ADM7.EXE

Addresses interoperability issues between the Login Policy Object created by NMAS / NetWare 6 install when BorderManager or RADIUS already exists in the tree.

PROXY.NLM

Note: You can use the PROXY.NLM from BM37FP4A.EXE or BM37SP3.EXE. Be sure to update proxy.cfg as well to avoid an abend. See tip #63 here. Use only the PROXY.NLM file from this patch. (It is possible the pxyauth.exe file may be usable as well, but I have not tested it nor heard any feedback). You can use PROXY.NLM from BM37FP4E.EXE if you also replace AUTHCHK.NLM from that patch.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

RADATR4.EXE

If you are using RADIUS, install this update.

NAT600D.EXE

Newer version of NAT which (usually) fixes an issue with Client-Site VPN pinging private IP address of the BorderManager Server.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

Caution!

Running the SYS:PUBLIC\BRDRMGR\SNAPINS\SETUP.EXE program to update the NWADMN32 snapin files after installing the BM35SP2 patch does NOT help to copy snapins to another server, because the patch doesn't update that directory. (The BorderManager server itself is correctly updated by installing the patch.) Instead, manually copy the updated snapins from the BM35SP2 \public\win32\snapins directory to the BM server's \public\brdrmgr\snapins\data\border\win32\snapins directory. Then rerun the snapin setup against the desired servers.

CP_SETUP.EXE

Run the CyberPatrol CP_SETUP.EXE program to extract the new files and apply them.

TUNEUP.NCF

Remove the Minimum and Maximum Packet Receive buffer limits if the support pack puts that in AUTOEXEC.NCF, and run the TUNEUP.NCF file, or use your own settings. Add TUNEUP.NCF to AUTOEXEC.NCF.


BorderManager 3.0 Installation / Patch Sequence

Note: BorderManager 3.0 is not supported on NetWare 5.1, 6.0 or 6.5. BorderManager 3.0 is also EOL (End Of Life), and no new patches are being created for it. If you have abends with BorderManager 3.0 and you have the patches listed below, upgrade to the latest released version of BorderManager.

On NetWare 5.0

NetWare 5.0

Make at least a 4GB legacy (not NSS) cache volume, with no suballocation, no compression and 8k or 16k block size. BorderManager proxy will NOT work well with NSS cache volumes. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space. See this TID first: http://support.novell.com/cgi-bin/search/searchtid.cgi?/10082486.htm

BorderManager 3.0

If you cannot install BorderManager at all, see this note.

NW50SP6A.EXE

Do NOT reboot yet! -OR, install an earlier NetWare support pack BEFORE trying to install NW50SP6A.

NICIE157.EXE

This patch is no longer available from Novell but can be found on the Internet. Install the NICI 1.5.7 update, and reboot. See service pack issues.

BM30SP3.EXE

Requires at least NW 5.0 Support Pack 4 to be installed. This is a 56-bit version patch. It also includes a newer VPN client.

BM3LICFX.EXE

A licensing-related patch.

BM3CP3.EXE

This is a CyberPatrol 6/16/2000 update.

ADMN519F.EXE

NWADMN32 update that helps with snapin issues somewhat.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

RADATR4.EXE

If you are using RADIUS, install this update.

TCP553V.EXE

Not tested, but the patch reports no compatibility issues. Do not install later versions of TCPIP on NetWare 5.0. See tip #6.

NAT600D.EXE

Newer version of NAT which (usually) fixes an issue with Client-Site VPN pinging private IP address of the BorderManager Server.

CLNTRUST patch

Get the CLNTRUST.EXE file from newer BorderManager 3.x patches. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

SECUPD5.TGZ

This is a security update for various eDirectory versions to fix a potential problem. (Winzip or WinRar can decompress this file). Check the readme carefully before applying it.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

TUNEUP.NCF

Remove the Minimum and Maximum Packet Receive buffer limits if the support pack puts that in AUTOEXEC.NCF, and run the TUNEUP.NCF file, or use your own settings. Add TUNEUP.NCF to AUTOEXEC.NCF.

On NetWare 4.11 / 4.20

NetWare 4.11

Make at least a 4GB legacy cache volume, with no suballocation, no compression and 8k or 16k block size. Proxy MUST have a dedicated volume for cache data (don't leave it on SYS). 4GB is typically about right for 100-250 users. Be wary of using more than 10-12GB of cache space.

BorderManager 3.0

Install BorderManager 3.0 now.

NW4SP9.EXE

Install the latest NetWare 4.11/4.2 support pack.

BM30SP3.EXE

Requires NW 4.11/4.2 Support Pack 8A to be installed. This is a 56-bit version patch. It also includes a newer VPN client.

BM3CP3.EXE

This is a CyberPatrol 6/16/2000 update.

CLNTRUST.EXE

A security-related patch to CLNTRUST which prevents a certain vulnerability. Also contains earlier bug fixes. This is newer than BM38SP5 or raw BorderManager 3.9 versions of CLNTRUST.EXE. The latest version of this file is found in the BM38SP5_IR1.ZIP patch.

RADATR5.EXE

If you are using RADIUS, install this update.

NAT600D.EXE

Newer version of NAT which (usually) fixes an issue with Client-Site VPN pinging private IP address of the BorderManager Server.

CLNTRUST patch

Get the CLNTRUST.EXE file from newer BorderManager 3.x patches.

VPN client 3.8.16

Available for download. Latest version of the BorderManager 3.x VPN client.

(Note: earlier versions of the BorderManager VPN client support Win95, but later versions do not. If you need a Win95 VPN client, use the one from the BorderManager CD or BorderManager server.) You should also look for the Intel patch described at http://support.intel.com/support/network/wireless/pro2100/vpn.htm.

TUNEUP.NCF

Remove the Minimum and Maximum Packet Receive buffer limits if the support pack puts that in AUTOEXEC.NCF, and run the TUNEUP.NCF file, or use your own settings. Add TUNEUP.NCF to AUTOEXEC.NCF.


BorderManager 2.1 Installation / Patch Sequence

Note: BorderManager 2.1 is not supported on NetWare 5.0 or 5.1! BorderManager 2.1 (also called 1.0 for some time) was EOL (End Of Life) quite some time ago, and no new patches have been produced for years. You will very likely experience problems with BorderManager 2.1 if you apply a NetWare service pack later than NW4SP6A.

Note: IPX/IP and IP/IP Gateway on BorderManager 2.1 are only supported for Novell Client32 versions 2.12 and 2.5 due to winsock issues. See TID 2918355 for IPX/IP troubleshooting regarding winsock issues.

There is also a BMADM2C.EXE patch which updates snapins for BorderManager 2.1. See TID 2950351.

On NetWare 4.2

NetWare 4.2

Install NetWare 4.2

BorderManager 2.1

Install BorderManager 2.1.

NW4SP6A.EXE

Do not install any later service packs than this for best results.

BMSP2D.EXE

BorderManager 2.1 support pack.

BACL105.EXE

BorderManager 2.1 Access Rule patch.

BMP114.EXE

BorderManager 2.1 proxy patch.

IPGSB06.EXE

IPX/IP Gateway patch, works only with Client32 versions 2.2 and 2.5

IPGC07A.EXE

This patch goes on the client side, for Novell Client32 versions 2.12 and 2.2. Not sure about later versions.

BMTCPE4.EXE

and SET TCP IP MAXIMUM SMALL ECBS=65534

BM3CP3.EXE

This is a CyberPatrol update, and I assume it will work with BorderManager 2.1, though I have not tried it.

NAT600D.EXE

Newer version of NAT

ADMN519F.EXE

Best version of NWADMN32 to use, if you also follow TID 10057834.

TUNEUP.NCF

Remove the Minimum and Maximum Packet Receive buffer limits if the support pack puts that in AUTOEXEC.NCF, and run the TUNEUP.NCF file, or use your own settings. Add TUNEUP.NCF to AUTOEXEC.NCF.

On NetWare 4.11

NetWare 4.11

Install NetWare 4.11.

BorderManager 2.1

Install BorderManager 2.1.

NW4SP6A.EXE

Do not install any later service packs than this for best results.

BMSP2D.EXE

Includes the Sep 23, 1997 CyberPatrol - don't use that

BACL105.EXE

A BorderManager 2.1 access rules patch.

BMP114.EXE

A BorderManager 2.1 proxy patch.

IPGSB06.EXE

IPX/IP Gateway patch, works only with Client32 versions 2.2 and 2.5

IPGC07A.EXE

This patch goes on the client side, for Novell Client32 versions 2.12 and 2.2. Not sure about later versions.

BMTCPE4.EXE

and SET TCP IP MAXIMUM SMALL ECBS=65534

BM3CP3.EXE

This is a CyberPatrol 6/16/2000 update, and I assume it will work with BorderManager 2.1, though I have not tried it.

NAT600D.EXE

Newer version of NAT

ADMN519F.EXE

Best version of NWADMN32 to use, if you also follow TID 10057834.

TUNEUP.NCF

Remove the Minimum and Maximum Packet Receive buffer limits if the support pack puts that in AUTOEXEC.NCF, and run the TUNEUP.NCF file, or use your own settings. Add TUNEUP.NCF to AUTOEXEC.NCF.



*************************** OLD NOTES, For Reference *******************************************

Dec. 8, 2005 – Added a link to a warning (tip #81) about a new feature of the FILTSRV.NLM module in the BM38SP4_IR2.EXE patch.

Dec. 7, 2005 – Replaced post-BM38SP4 patch BM38SP4_IR1 with BM38SP4_IR2.EXE.

Dec. 6, 2005 – Added warning on NW51OS8A.EXE patch not to use it on Small Business Servers, or you will have user license issues and have to put back the old SERVER.EXE file in c:\nwserver.

Oct. 31, 2005 – Added new post-BM38SP4 patch BM38SP4_IR1.EXE to BorderManager 3.8 patch lists. This patch fixes a number of abends, and addresses a problem where proxy quits working with some PCs when proxy authentication is enabled.

Oct. 29, 2005 – Updated patch lists to note that NMAS 2.3.9 is installed from the eDir 8.7.3.7 patch directories, and updated instructions about installing Security Update 9 in the same manner.

Oct. 26, 2005 – Updated BM 3.8 patch lists with requirement to install BM38SP3.EXE before installing BM38SP4.EXE.

Oct. 14, 2005 – Updated patch lists with new versions of TCPIP for NetWare 6.5. Replaced NW65SP4.EXE with NW65SP4A.EXE. Added note about in-place upgrade to NetWare 6.5 after installing BorderManager 3.8. (You need to reinstall BM 3.8 patches to update filtering modules).

Sep. 28, 2005 – Updated BorderManager 3.8 patches with newly-released BM38SP4.EXE, replacing BM38SP3.EXE and BM38SP3_IR2.EXE. Updated VPN client (3.8.10). Updated NetWare 6.5 patch list with the (required!) post-sp4 N65NSS4A.EXE patch. Also added a note about getting portal.nlm updated manually.

Sep. 20, 2005 – Updated NetWare 6.5 patches to include NW65SP4. Updated TCP patches (NW 6.0, TCP610M replaces TCP610L; NW 5.1, TCP587I replaces TCP587H). Updated NW 6.0 and 5.1 patch lists to include EDIR8737.EXE, NICI 2.6.8, and related security patches. Updated BorderManager 3.8 SP4 (beta) patch.

Aug. 12, 2005 – Updated NetWare 6.5 post-SP3 patch NW65OS3A.EXE to NW65OS3B.EXE.

Aug. 10, 2005 – Updated the note about backrevving TCP.NLM on NW 6.5 servers. Backrevving to the TCP.NLM version from NW65SP2 (which I think is the same version as in the TCP610HA.EXE patch) causes IKE not to load on my BorderManager 3.8 server and has caused other problems on my ZENworks server. Also - updated NetWare 5.1 patch lists to include post-SP8 memory leak fix patch 51SP8SRV.EXE.

Aug. 7, 2005 – 1. More in the 8736 patch saga (read the July 20 & 24 updates below) - While Novell reissued the edir8734a.exe patch, that patch does not contain an updated Security patch 8 or NMAS 2.3.8, which was included in the edir8736.exe patch. Novell has since released stand-alone versions of these patches in the files secupd8.tgz and nmsrv238.tgz.

2. I have updated the BorderManager 3.8 patch lists with the new beta service pack 4 patch. You can download it from www.novell.com/beta.

3. Performance problems have been seen in later TCPIP patches. I have added a note in the NetWare 6.5 section about backrevving part of the TCPIP stack, which seems to fix the problem.

July 24, 2005 – More in the 8736 patch saga - Novell reissued the edir8734a.exe patch, until a later version than 8736 is ready. The edir8734a patch contains Security Update 7 and NMAS version 2.3.6, which I think are the same versions in NW65SP3. I have updated my patch lists accordingly.

July 20, 2005 – Updated all patch lists which called out eDir 8.7.3.6 patch (edir8763.exe) due to Novell pulling that patch and issuing a warning about it in this TID.

July 2, 2005 – Updated BorderManager 3.8 patches, replacing interim patch BM38SP3_IR1.EXE with interim patch BM38SP3_IR2.EXE. Added NetWare 6.5 patch NW65OS3A.EXE, which is designed to address memory fragmentation issues. Updated TCP659I.EXE to TCP659J.EXE.

June 22, 2005 – Updated eDirectory patches (8.7.3.6) for NetWare 5.1, 6.0 and 6.5. Updated NICI, NMAS and Security patches for servers running eDirectory 8.7.3.6.

May 19, 2005 – Updated TCP patches for NetWare 6.0 and 5.1. Changed from TCP610JB.EXE to TCP610L.EXE for NetWare 6.0. Added TCP587H.EXE for NetWare 5.1.

May 2, 2005 – Correction! I misread the file name on a TCPIP patch, and am now correcting it. I have changed references from TCP659J to TCP659I.

Apr. 28, 2005 – Added TCP659J.EXE to NetWare 6.5 patches. Added BM38SP3_IR1.EXE (post-BM38SP3 patch). Added EDIR8736.EXE patch.

Apr. 11, 2005 – Added TCP659F.EXE to NetWare 6.5 patches. This patch has the same TCPIP.NLM as NW65SP3, but it has a newer BSDSOCK.NLM that is supposed to fix a memory leak and an abend condition.

Mar. 10, 2005 – This is really more of a followup to last night's changes. Removed the following files from NW 5.1 sections, as they are not needed after NW51SP8: TCP586v.EXE, JVM 1.3.1. Removed EDIR8734.EXE from NW 6.5 section as NW65SP3 updates 8.7.3 to 8.7.3.5. Removed NICI 2.6.5 patch from NW 6.5 section as NW65SP3 updates to NICI 2.6.6.

Mar. 9, 2005 – Replaced B3NBM38SP3.EXE with BM38SP3.EXE. Removed BM38SP2A and BM38FP3E patches. Changed B2NW65SP3.EXE to NW65SP3.EXE. Changed B3NW51SP8.EXE to NW51SP8.EXE. Removed TCP657JB.EXE (post-NW65SP2 patch). Removed NMSRV236.TGZ from NetWare 6.5 section (post-NW65SP2 patch). Added BM3XVPN9.EXE VPN client standalone download.

Feb. 21, 2005 – Replaced BM38FP3D.EXE with BM38FP3E.EXE. Replaced BM37FP4D.EXE with BM37FP4E.EXE. There is a corresponding update to my PROXY.CFG file (version 17 now, in tip #63 here).

Feb. 4, 2004 – Replaced B2BM38SP3.EXE with B3NBM38SP3.EXE. Replaced VPN client 3.8.8 with 3.8.9. Replaced NICI 2.6.0 with 2.6.5. Replaced B2NW65SP3.EXE with B3NW65SP3.EXE. Replaced NW51SP7.EXE with B3NW51SP8.EXE. Note: I have not yet tested the Beta 3 patches for NW 6.5 or NW 5.1, though I plan to soon.

Feb. 3, 2005 – Added EDIR8734.EXE patch for eDirectory version 8.7.3 servers. Replaced SECUPD6A.TGZ patch with SECUPD7.TGZ. Replaced NMSRV2352.TGZ patch with NMSRV236.TGZ. Clarified some notes about latest BorderManager 3.8 patch sequence with B2BM38SP3.

Jan. 18, 2005 – Note: Read yesterday's update also. Today I found out that BM38FP3C was replaced with BM38FP3D, so I updated the BorderManager 3.8 patch lists.

Jan. 17, 2005 – Noted that Beta 2 NW65SP3 patch was available. Replaced latest VPN client (3.8.7) with version 3.8.8, currently available only inside the b2bm38sp3.exe patch. Replaced B1BM38SP3 patch with B2BM38SP3 patch.

Dec. 22, 2004 – Replaced TCP610JA.EXE patch with new TCP610JB.EXE patch. Replaced TCP657J.EXE with TCP657JB.EXE patch. (Sorry, the TCP657JA patch was out for so short a period of time that I missed it!)

Dec. 16, 2004 – Replaced NMAS NMSRV2351.TGZ patch with new NMSRV2352.TGZ patch.

Dec. 6, 2004 – Added BM38FP3C.EXE patch. Changed TCP610HA.EXE to TCP610J.EXE. Changed TCP657HA.EXE to TCP657J.EXE.

Nov. 18, 2004 – Replaced NMAS NMSRV235.TGZ patch with new NMSRV2351.TGZ patch.

Nov. 9, 2004 – Updated BorderManager 3.8 patches, with beta 1 patch for BorderManager 3.8 support pack 3 (b1bm38sp3.exe). This patch still contains the IPFLT31.NLM with the stateful filtering bug, so get the newer version out of the BM37FP4D.EXE patch for now.

Nov. 4, 2004 – Updated BorderManager 3.7 patch BM37FP4C.EXE to BM37FP4D.EXE. This patch includes updated filtering modules that may fix the stateful filtering bug.

Oct. 25, 2004 – Updated NMAS patch from NMSRV2342.TGZ to NMS235.TGZ. Updated security-related patch SECUPD5.TGZ to SECUPD6A.EXE.

Oct. 2, 2004 – Updated TCPIP versions for NetWare 6.5 and 6.0. (TCP657H to TCP657HA, and TCP610H to TCP610HA).

Sept. 13, 2004 - BorderManager 3.8 field patch 3a (BM38FP3A.EXE) moved from beta to released status. BM38FP3B.EXE released as beta.

Aug. 31, 2004 - Updated NMAS server patch from NMSRV233.TGZ to NMSRV2342.TGZ.

Aug. 24, 2004 - Updated TCPIP patches: TCP657H.EXE for NetWare 6.5, TCP610H.EXE for NetWare 6.0.

Aug. 9, 2004 - Added note about TCP609A.EXE possibly causing problems with GroupWise GWIA. Added BM38FP3A.EXE patch for BorderManager 3.8.

July 26, 2004 - Updated Security-related patch SECUPD5.TGZ, replacing SECUPD4.TGZ. Also updated from NW6SP4 to NW6SP5 - kind of forgot to update that earlier.

July 20, 2004 - New VPN client BM3XVPN7.EXE added to lists, replacing older versions.

July 19, 2004 - Replaced BM37FP4B with BM37FP4C in the BorderManager 3.7 patch section. Note - the IPFLT31.NLM filtering module in the BM37FP4C and BM38SP2A patches (and several earlier patches) has problems with stateful filtering under load after several hours or days. If you see slowing performance, and unloading/reloading IPFLT31 fixes the issue, you need to back-rev to a version that does not have the problem. Novell is working on a new version.

July 14, 2004 - Replaced NW65SP1A with NW65SP2. Added note about possible problems with stateful filtering module from BM37FP4B (use the IPFLT31 from BM37SP3.EXE instead).

July 7, 2004 - BM38SP2A.EXE has been released, replacing BM38SP2.EXE, which had a bad ACLCHECK.NLM.

July 6, 2004 - Warning. BM38SP2.EXE has been pulled by Novell due to ABENDs caused by ACLCHECK. Novell thinks they have found the problem, and are testing a new patch. The new patch will be available soon. In the meantime, if you have applied BM38SP2 and have an ABEND, try either backrevving ACLCHECK to the previous version you have, or uninstall BM38SP2.

July 5, 2004 - Nothing definite yet, but there have been several Novell public forum users reporting ABENDs after applying BorderManager 3.8 SP2. Some reports say that the problem exists if you install SP2 before installing NW65SP2. One user reported that the problem went away after re-applying BM38SP2 after NW65SP2 and telling the patch to overwrite newer files. The problem seems to be related to ACLCHECK. Another report says the problem may appear if the beta SP2 was installed first. Finally, another report has the problem happening when a user browses to an HTTPS site. Personally, I have installed beta 1, and beta 2, and then BM38SP2 and still have not seen any abends. If you have problems after installing BM38SP2, backrev to BM38SP, or try backrevving just ACLCHECK to BM38SP1. If you do not have access to BM38SP1, I suggest you might want to wait a few days before installing SP2 and check back here.

A similar situation may exist for BM37FP4D - if you have abends in ACLCHECK there, try backrevving it.

July 3, 2004 - Removed BM3XVPN5.EXE (VPN client version 3.8.5) from the BorderManager 3.8 patches, because version 3.8.6 is contained in the BM38SP2.EXE patch. Changed description of BM3XVPN5 patch in other BorderManager sections to note that 3.8.6 is available.

July 1, 2004 - Changed B2BM38SP2.EXE (beta SP2) to BM38SP2.EXE (non-beta BorderManager 3.8SP2). NW65SP2 is also out, but I have not listed it yet because I am not sure yet how many other patches it replaces.

June 29, 2004 - Added NMSRV233.TGZ, to address NMAS issues.

June 26, 2004 - Added SECUDP4.TGZ or updated from SECUPD4.TGZ. Changed B1BM38SP2.EXE (beta 1, SP2) to B2BM38SP2.EXE (beta2 SP2).

June 17, 2004 - BM3XVPN5.EXE released. VPN client that replaces BM3XVPN4.EXE, which was pulled for having a dependency on having Client32 installed first.

June 10, 2004 - BM3XVPN4.EXE was pulled from Novell's web site because it had a Client32 dependency and would not install if Client32 was not also installed. Use BM3XVPN3.EXE instead, but expect a BM3XVPN5.EXE patch soon.

June 9, 2004 - New versions of TCPIP have just been released for NetWare 5.1 (TCP586A.EXE), 6.0 (TCP609A.EXE) and 6.5 (TCP654J.EXE). Updated appropriate sections below.

June 8, 2004 - I have found that a BorderManager 3.6 server, and presumably a 3.5 server, can be updated with the PROXY.NLM from BM37FP4B.EXE, but you must also update the AUTHCHK.NLM file at the same time.

June 2, 2004 - Updated BorderManager 3.5 and 3.6 sections with latest proxy.nlm information. Apparently, the newest BorderManager 3.7 proxy.nlm will no longer work with 3.5 and 3.6 servers. The last version I have seen to work (PXY050, Ver. 3.72L, Feb. 19, 2004) was from the BM37FP4A.EXE patch (not the 4B patch). The version from BM37SP3.EXE also works.

May 27, 2004 - Replaced VPN client file BM3XVPN3.EXE with BM3XVPN4.EXE.

May 21, 2004 - Updated BorderManager 3.7 patches with BM37FP4B.EXE (post-BM37SP3 patch). Added mention of VPNREGCLEAN.EXE utility for helping install new VPN client after old VPN client was installed.

May 18, 2004 - Updated 3.8 patches with (beta) patch B1BM38SP2.EXE. This is a beta version of BorderManager 3.8 service pack 2. (98MB)

May 5, 2004 - Updated 3.7 patches with BM37SP3.EXE in addition to BM37FP4A.EXE. (I had omitted BM37SP3, which is a prerequisite to BM37FP4A on BorderManager 3.7). Updated 3.5 and 3.6 patches with proxy.nlm from BM37FP4A instead of BM37SP3.

Apr. 19, 2004 - Replaced bm3xvpn2.exe (VPN client) with bm3xvpn3.exe

Apr. 8, 2004 - Replaced bm3xvpn1.exe (VPN client) with bm3xvpn2.exe

Apr. 1, 2004 - Added tcp585vrev2.exe, tcp608vrev2.exe, and tcp654frev2.exe.

Mar. 19, 2004 - Added BM38SP1A.EXE, TCP585V.EXE, TCP608V.EXE and TCP654F.EXE patches. Also mentioned the Client32 post-4.9sp1a patch, which should fix the -601 issue accessing NWADMN32, BorderManager tabs.

Mar. 8, 2004 - BM38SP1.EXE has been taken offline, at least temporarily. I suspect it was pulled due to an issue with IKE.NLM. If you installed this patch, and your Site-Site VPN would not work, giving you 'unknown errors' in the IKE screen, try backrevving IKE.NLM and IKE.MSG to the version on the NBM 3.8 CD.

Updated references about BM37FP3.EXE and BM37SP3.EXE to BM37FP4A.EXE.

Replaced VPN client BM38VPN1.EXE, BM38VPN1_UP1.EXE and BM37VPN4.EXE patches with the BM3XVPN1.EXE (for both BorderManager 3.7 and 3.8 VPN, but should work fine for Client-Site VPN with BorderManager 3.0 through 3.6 as well).

Mar. 4, 2004 - Re-ordered patch sequence for BorderManager 3.8. Eliminated some redundant patches (included in BM38SP1 or in latest NetWare support packs).

Mar. 2, 2004 - Removed NICI 2.6 installation from NetWare 6.5 server install since it is already included with 6.5.

Feb. 28, 2004 - Added Novell JVM 1.3.1 for NetWare (SP7) as an optional component for NetWare 5.1 servers dedicated to BorderManager 3.8. This update to Java should cure the problem where stopping VPN services abends the server when jvmlib unloads. As I do not know if it will break non-BorderManager components, I am not recommending it to be installed except on dedicated BorderManager servers.

Feb. 27, 2004 - Changed B1BM38SP1 to BM38SP1. Changed mention of BM37FP3F to BM37SP3. Note – I expect BM38SP1.EXE to be available any time now. Changed BM36C01B to BM36C02. Removed mention of PXY031.EXE patch (no longer available). Removed mention of IPFLT1.EXE patch (no longer available).

Feb. 23, 2004 - Really removed TCP654D.EXE from NetWare 6.5 section, as well as SECUPD3.EXE as it is included in NW65SP1.EXE. Added note in NW 6.0 section about TCP608T.EXE

Feb. 18, 2004 - Removed TCP654D.EXE from NetWare 6.5 section, removed NW65SP1 as a patch needed before installing BorderManager 3.8.

Feb. 12, 2004 - Added B1BM38SP1.EXE (beta 1, BorderManager 3.8 support pack 1).

Feb. 11, 2004 - Added NMAS client update, NMCLNT232.EXE, as a post-3.8 VPN client patch.

Feb. 8, 2004 - Clarified/changed TCPIP versioning required after NW6SP4.

Feb. 5, 2004 - Removed SECUPD3.TGZ patch from NetWare 6.0 patch lists, as it is not needed after installing NW6SP4.EXE.

Feb. 3, 2004 - Updated with NW51SP7.EXE, NW6SP4.EXE, BM37SP3.EXE, SECUPD3.TGZ, TCP585T.EXE, TCP608T.EXE and TCP594D.EXE patches.

Jan. 19, 2004 - Updated B3BM37SP3.EXE to B3BM37SP3.EXE.

Jan. 14, 2004 - Changed patch sequence and comments for TCPIP patch and NW65SP1 for BorderManager 3.8. Added the secupd2.tgz patch.

Jan. 7, 2004 - Updated BorderManager 3.7 and earlier patches with TCP583L and TCP607L for NW 5.1 and NW 6.0. These patches will break BorderManager 3.8 VPN.

Dec. 24, 2003 - Updated BorderManager 3.8 patches with BM38VPN1_UP1.EXE.

Dec. 23, 2003 - Updated BorderManager 3.8 patches with NW65SP1.EXE and BM38VPN1.EXE.

Dec. 18, 2003 - Updated BorderManager 3.7 patches with BM37FP3F.EXE and BorderManager 3.8 patches with BM38FP1.EXE.

Dec. 16, 2003 - Updated BorderManager 3.7 patches with Beta 3 of BM37SP3.EXE

Nov. 19, 2003 - Updated BorderManager 3.7 patches with B2BM37SP3.EXE and BM37FP3E.EXE.

Nov. 14, 2003 - Updated BorderManager 3.8 patch listing to reflect that it is no longer a beta product. Note: The new Third Edition of my Beginner's Guide to BorderManager 3.x book covers installation and configuration of 3.8.

Oct 29, 2003 - New BorderManager 3.7 VPN client BM37VPN4.EXE released that has a fix for the Intel Centrino chipset used in new laptops. (Will work with 3.6, 3.5 and 3.0 VPN also.) Also - there is a beta BorderManager 3.7 service pack 3 out (B1BM37SP3.EXE).

Oct 20, 2003 - Updated BM37FP3C.EXE patch to BM37FP3D.EXE

Oct 10, 2003 - Added an install.bat file for the BM37FP3C.EXE patch to make it easier to copy the files in that patch.

September 24, 2003 - Added SurfControl Service Pack 2 to the BorderManager 3.7 patch lists. Removed BMAS patch from 3.7 patch lists because the latest RADIUS is included in the BM37FP3C.EXE patch.

September 22, 2003 - Changed patch sequence for BorderManager 3.6 on NetWare 6.0, in regard to the TCP607K.EXE patch. Moved the TCP patch to after NW6SP3 as NW6SP3 will overwrite the TCPIP modules from the patch with an older version.

September 19, 2003 - Replaced TCP607JREV2.EXE patch with TCP607K.EXE patch. Replaced TCP583JREV2.EXE patch with TCP583K.EXE patch.

September 18, 2003 - Replaced BM37FP3B.EXE patch with BM37FP3C.EXE patch.

September 8, 2003 - Added a section for BorderManager 3.8 beta. Added more notes to BorderManager 3.7 and other sections that it is not supported and will not install on NetWare 6.5. The only version of BorderManager that will install on NW 6.5 will be BorderManager 3.8.

August 17, 2003 - Added in the NW56UP3.EXE patch for NetWare 5.1 and 6.0. This patch addresses memory fragmentation issues, and may be particularly relevant if you are using SurfControl.

August 15, 2003 - The TCP607J.EXE patch was replaced by TCP607JREV2.EXE. This patch version has a fix for a vulnerability in regard to Transparent Proxy that was present in the previous patch. Added NLS603FT for NetWare 5.1 and 6.0.

July 10, 2003 - The BM37FP3A patch has been replaced by the BM37FP3B.EXE patch. The 'B' patch has a new version of AUTHCHK.NLM which should not have the issue I found with the version in the 'A' patch.

July 9, 2003 - I experienced a problem after applying the BM37FP3A patch. I was being denied access to all sites which were supposed to be allowed based on user ID. (Access rules requiring proxy authentication were failing). SSL Proxy Authentication worked fine, but CLNTRUST authentication was not OK. In troubleshooting the issue, I found that the access rule logs were showing the wrong user ID when I was proxy authenticating using CLNTRUST. Some random character was being added on to the end of the user ID. For instance, I log in as ADMIN.DD. My access rules showed a denial for user ADMIN.DD| (note the vertical bar after 'DD'). I backrevved various modules from the patch, and finally found that backrevving AUTHCHK.NLM to the version from BM37SP2 fixed my problem. So I am recommending that BM37FP3A be tried, but backrev that module if you have any proxy authentication issues.

July 8, 2003 - Replaced BM37FP3.EXE patch with BM37FP3A.EXE patch.

July 4, 2003 - The TCP581J / TCP607J have been re-released, with a change to the readme file that you should NOT use these versions with Transparent Proxy.

July 3, 2003 - Updated tip sequence slightly in regard to the PURGE_NW.EXE patch which should be used after installing NW51SP6 or NW6SP3, if you did not use the modified install scripts. Also added note about TCP581J / TCP607J patches being pulled to fix an issue with transparent proxy.

June 30, 2003 - Updated tip sequence for 3.7, 3.6 and 3.5 in regard to BM37FP3.EXE. I also moved several of the old update notices (like this line) toward the end of the page so you would not have to scroll through them if you didn't want to.

Also finally got around to formatting the tips into a table, for easier readability. Feel free to tell me in the Novell Public Forums if the table properties do not work well with a particular screen resolution or browser. (I use Mozilla here, and a screen resolution of 1152 x 864).

June 28, 2003 - Added link to TID 2966373 for fixed install scripts for the NW51SP6 and NW6SP3 patches, and the PURGE_NW.NLM utility, which fixes a problem caused by the original install scripts. (If you have installed the patches, you need to run PURGE_NW.NLM once on each server patched.)

June 27, 2003 - Added PURGE_NW.NLM to the patch lists, in case you installed NW6SP3 or NW51SP6 without using a revised installation script. (This utility from Novell will fix an issue created by the NW6SP3/NW51SP6 install scripts.)

June 22/23, 2003 - Added a revised install script for NW6SP3 and NW51SP6 patches. If I were you, I would use these scripts instead of the ones that come with those patches. (I cannot talk about the issue.) Note: June 23 - the links in the individual BorderManager patch sections below were broken, and I have just fixed those.

June 16, 2003 - Added new BM37VPN3.EXE file (VPN client), replacing BM37VPN2.EXE and 37VPNUP1.EXE files.

June 9, 2003 - Added TCP patches TCP583J.EXE and TCP607J.EXE. (Fixed a couple of broken links on this page as well).

May 31, 2003 - added note about back-revving ACLCHECK.NLM after installing BM37FP3.

May 13, 2003 - Updated BorderManager 3.6 patch lists with note that BorderManager 3.6 is now considered end-of-life by Novell, with support ending at the end of May, and no further updates/patches being done for it.

Apr. 25, 2003 - Updated BorderManager 3.7 patch lists with BM37FP3.EXE patch. This patch includes the BMMACSSL1.EXE proxy fixes, a new setting for proxy.cfg (see tip #63), the browser plug-in for the Terminal Services cookie-based authentication feature, a fix for an N2H2 issue, and some other bug fixes.

Apr. 23, 2003 - Updated NW51SP5.EXE to NW51SP6.EXE. Added BMAS37_01.EXE patch. Because of the addition of the NW6SP3 and NW51SP6 patches, I have removed the following patches from the NetWare 5.1 and 6.0 sections: Removed TCP518P.EXE patch. Removed TCP605P.EXE patch. Removed VPTFIX.EXE patch. Removed FLSYSFT7.EXE patch. Removed NW6NSS2D.EXE patch. Removed NAT600D.EXE patch.

Mar 26, 2003 - If you put in the BMMACSSL1.EXE patch, you may experience abends. At least one known abend is fixed by using a setting in the proxy.cfg file. I have added that setting (with a comment) in revision 6 and later of my proxy.cfg file in tip #63 at this web site.

Apr. 22, 2003 - Updated NW6SP2.EXE to NW6SP3.EXE.

Apr. 21, 2003 - Updated B3BM37SP2 to BM37SP2.EXE.

Apr. 3, 2003 - Updated B2BM37SP2.EXE to B3BM37SP2.EXE.

Mar. 26, 2003 - Added note about proxy.cfg in conjunction with BMMACSSL1 patch.

Mar. 24, 2003 - Added note about BM37SP2 patch being OK

Mar. 13, 2003 - TCP581P.EXE and TCP605P.EXE available (beta), replacing TCP581O and TCP605O.

Mar. 12, 2003 - B2BM37SP2.EXE patch released.

Mar 5, 2003 - New proxy patch BMMACSSL1.EXE patch released. Fixes problems with Macintosh and SSL Proxy Authentication, fixes Mac tunneling issue, and allows HTTPS through Transparent Proxy. Supported for BorderManager 3.6 and 3.7, and I suspect will work with 3.5.

Feb. 26, 2003 - A beta version of the BM37SP2 patch is available by going to http://beta.novell.com, selecting Public Beta, and then selecting the Consolidated Support Pack 9. Next, select View Downloads / Updates, and finally you should be at a list that allows you to select BM.ZIP, a beta version of BM37SP2.

Feb 4, 2003 - The patch lists below have not changed, but I wanted to provide this link to a discussion of B57 / Q57 driver issues, and a beta driver file to try.

Feb 3, 2003 - Changed NW6NSS2C.EXE to NW6NSS2D.EXE for NetWare 6 servers. Moved most of the recent update notes here to below the patch lists.

Jan 30, 2003 - Small update. There is a logging bug in BorderManager 3.7 (incomplete logging information) that was fixed in BM37SP1. The same bug exists in BorderManager 3.6, but you can fix it by using the CSATPXY.NLM from the BM37SP1 patch on the 3.6 server. Might work for 3.5 servers as well, but I don't know.

Jan 24, 2003 - A bug has been found with the BM37SP1.EXE version of PROXY.NLM. If you have a reverse proxy accelerator configured with SSL passthrough, the proxy may abend. Novell is aware of the issue and working on a patch. Workarounds include backrevving PROXY.NLM, uninstalling BM37SP1, and using Generic TCP proxy instead of reverse proxy acceleration.

Jan. 11, 2003 - A bug has been found in the BM36SP2A.EXE patch, causing an abend if you try to unload PROXY under certain circumstances. A new patch is in work. Also, a bug was recently discovered in snapins giving the ability to manage N2H2 (is present in BM37SP1.EXE). See tip #18.

Dec. 20, 2002 - BM37SP1.EXE released, replaces B3BM37SP1.EXE for BorderManager 3.7

Dec. 9, 2002 - B3BM37SP1.EXE released for BorderManager 3.7.

Dec. 2, 2002 - Changed NW6NSS2B to NW6NSS2C for NetWare 6.0 servers.

Nov 22, 2002 - Replaced B1BM37SP1.EXE with B2BM37SP1.EXE.

Nov 21, 2002 - Corrected typo in the patch list for BorderManager 3.7 on NetWare 6. A patch that should have been listed as BM35ADM7.EXE was mistakenly listed as BM36ADM7.EXE. Note: When the B1BM37SP1 patch comes out of beta release (should be called just BM37SP1 then), it should have the updated files from BM35ADM7 patch included.
Also - B2BM37SP1.EXE will be out soon, and will have an updated ADM.NLM (includes BM35ADM7 patch), an updated RADIUS file, additional language support for access rules menu, and will expand to directory BM37SP1, so that it will install from NWCONFIG without having to shorten the directory name. (NWCONFIG will not 'see' an installation script if it is contained in a directory that does not follow 8.3 naming convention).

Nov 16, 2002 - Added B1BM37SP1.EXE patch.

Nov 14, 2002 - Removed IPFLT1.EXE, NAT600D.EXE, BM36NSP1.EXE, BM36SP1A.EXE, BM36C02.EXE, PXY031.EXE, BM35ADM7.EXE and RADATR4.EXE, all of which have been replaced by BM36SP2A.EXE or a service pack. Also updated TCP518K and TCP605K patches to TCP518O and TCP605O patches.

Nov 13, 2002 - Tidied up the BorderManager 3.6 patch list a bit, noting more clearly what patches are replaced by BM36SP2A. (BM36SP2A seems to be a good patch. I recommend it). Note: I expect the B1BM37SP1.EXE patch (beta version of BM37SP1) to be available next week. It's close to being done.

Nov 5, 2002 - Removed NLSLSP6.EXE from NetWare 5.1 patch list for BorderManager 3.6 because NW51SP5.EXE already has that version of NLS services.

Oct 31, 2002 - BM36SP2A.EXE patch released.

Oct 27, 2002 - Added back the IPFLT1.EXE patch to BorderManager 3.6 patch list. I had forgotten to put that back when I backed off BM36SP2.EXE. Also, I have been told that it is still necessary to reinstall the NetWare support pack after installing BM36NSP1.EXE. (The BM36NSP1 patch is supposed to make that not necessary).

Oct 24, 2002 - Once again, Novell has blind-revved a patch. This time the TCP605K.EXE patch has been re-released, and it now includes the BSDSOCK.NLM that I told them was missing yesterday... See the Oct. 23 note below. Novell still did not fix the readme, which tells you to select either the 5.91k (encrypted) or 5.81k (null) version of the files. Oh yes - this time the patch did not kill my server!

Oct 23, 2002 - A personal warning about TCP605K.EXE. I haven't put it on a BorderManager server yet, but it killed my main runs-everything-but-BorderManager server. Back-revving to TCP605H.EXE brought everything back. The 'K' patch doesn't have a BSDSOCK.NLM, although the 'H' version did, so maybe there was a file missing, just like TCP581K, before Novell blind-revved it and added back in a BSDSOCK.NLM there.

Oct 22, 2002 - Added TCP581K.EXE patch. Note: Novell blind-revved the TCP605K patch and added an updated BSDSOCK.NLM to it.

Oct 19, 2002 - Added TCP605K.EXE patch

Oct 18, 2002 - Updated patch list in case you did not install BM36SP2, which was pulled by Novell. Just an FYI. There will be a new BM36SP2A patch out at some point, hopefully soon, which fixes the issues noted above. I don't know if you will have to modify the installation script to make it run on a NetWare 5.0 server or not, but you can use the one from this web site if it isn't included in the patch.

Oct 11, 2002 - Due to issues with the IPFLT31.NLM contained in the BM36SP2 patch, the patch has been pulled. It will be reissued as BM36SP2A when the filtering issue is fixed. If you already downloaded and installed the patch, you can either back-rev the filtering modules to those in the IPFLT1.EXE patch, or you can try SET FILTER DEFEND PUSH ATTACKS = OFF.

The Warning on the BM36SP2.EXE patch: One of the sysops reports that stateful filtering broke on his server after installing the BM36SP2 patch. I have also experienced problems with some of my stateful filter exceptions when using the IPFLT31.NLM from the SP2 patch. Those problems disappeared when I back-revved the filtering modules to the IPFLT1.EXE versions. As an aside, the BM36SP2 patch does not install on a NetWare 5.0 server, and that is by design, but I have a modified install script HERE you can use.

Oct 11, 2002 - Added additional warnings about the IPFLT31 module in the BM36SP2.EXE patch, and provided a modified, unsupported install script to allow the patch to be installed on NetWare 5.0.

Oct 10, 2002 - Added BM36SP2.EXE. Removed other patches obsoleted by this patch.

Sep 24, 2002 - Added the NW6NSS2A.EXE patch, and the warning below.

Sep 24, 2002 - Heads Up! There is an issue involving SAS errors on a BorderManager server. If you should see "Error: SAS Initialization: Waiting for NDS" on your BorderManager proxy console screen (and SSL Proxy authentication doesn't work), you may need to download the NICI 2.4.0 patch again. Novell blind-revved the nici_uo.exe patch on or about September 23, 2002, fixing an issue with BorderManager. The patch is found by going to download.novell.com, searching all products, and selecting the option "Novell International Cryptographic Infrastructure", "2.4 on NetWare".

Sep 24, 2002 - Heads Up! (warning note): There is an issue I want to mention with the TCP605H (and possibly TCP581H) patch. With these patches, you may see issues if running a DHCP server on the same server, and you might see problems with stateful UDP filter exceptions. As an example, should you find that workstations are not getting IP addresses from a DHCP server running NW6SP2 and patched to the TCP605H version of TCPIP, you may need to back-rev TCPIP. And if internal hosts, especially GWIA servers, are suddenly having issues with DNS lookups after you put TCP605H on a BorderManager server (with a stateful DNS/UDP exception), you may need to back-rev TCPIP. See http://support.novell.com/servlet/tidfinder/10074067. (You might be better off simply pointing internal hosts to DNS Proxy running on BorderManager). A new TCP patch is expected to be released within a couple of weeks.

Sep 17, 2002 - Added BM37N2H2.EXE patch for N2H2 content filtering capability.

Sep 16, 2002 - Added TCP605H.EXE patch

Sep 15, 2002 - Added TCP581H.EXE patch.

Sep 7, 2002 - Added IPFLT1.EXE patch. Sorry I missed this one earlier as it has been out a month!

Sep 3, 2002 - Added note about back-revving IPXIPGW.NLM from the BM36C02.EXE patch for BorderManager 3.6.

Aug 26, 2002 - Added TCP581E.EXE and TCP605E.EXE patches.

Aug 20, 2002 - Added NW6RCONJ2A.EXE patch, to address a serious security issue in RCONAG6 from NW6SP2.EXE.

Aug 19, 2002 - Added backrev of RCONAG6 if NW6SP2 is applied due to a serious security issue that has been found. Added provisional OK to use TCP580T after NW51SP5.

Aug 15, 2002 - Pending some additional experience, or clarification from Novell, I'm pulling back on recommending using the TCP580T.EXE patch after installing NW51SP5, or the TCP604T.EXE patch after installing NW6SP2. I've gotten conflicting information. I do know one person who had some TCPIP issues after NW51SP5 that solved those issues by using the TCP580T patch. Anyway, I'm told that Novell is working on a new TCP patch that should make the T patches obsolete. If you have TCPIP issues after using the SP5/SP2 patches, you can try the 'T' TCPIP patch at your risk. Should be easy enough to backrev if you need to.

Aug 14, 2002 - Added TCP580T.EXE patch, to be installed after NW51SP4 or NW51SP5. Added TCP604T.EXE patch, to be installed after NW6SP1 or NW6SP2.

Aug 12, 2002 - Updated list for NetWare 6.0, regarding NAT, as I thought NAT 6.00d was included in NW6SP2, but it is not. I am also looking into a number of TCPIP issues with the patches, and suspect I will make another update later today or tomorrow. It appears there are newer versions than included in the support packs, but revision numbers and dates are not as expected.

Note: I removed NAT 6.00d from the BorderManager 3.7 patch list. NAT 6.00e is contained on the BorderManager 3.7 CD (in the FILTSERV\SYSTEM directory), and it should not need to be updated. I am looking into why that version is not available for download, and trying to get it to be downloadable, and trying to get it added to the NetWare support packs in the future.

Aug. 11, 2002 - Updated for NW51SP5 and NW6SP2 patches.

Aug. 7, 2002 - Added BM35ADM7.EXE. The patch is for BorderManager 3.5, 3.6 and 3.7.

Aug. 6, 2002 - Patch for the VPN client available.

June 24, 2002 - Added BM37VPN2.EXE.

June 20, 2002 - Updated most versions of NetWare with NAT600D.EXE patch (which I had forgotten on 6.0 and 5.1 servers), and added the VPTFIX.EXE patch for NetWare 5.1 SP4 and NetWare 6.0 SP1 servers.

June 5, 2002 - Updated patch FLSYSFT5.EXE to FLSYSFT7.EXE

May 31, 2002 - Added PXY031.EXE (3.5) and BM36C02.EXE (3.6) patches. The PXY031 patch includes an updated CLNTRUST.EXE which can be used with BorderManager 3.0.

May 12, 2002 - Added TCP604S and TCP590S patches.

Mar 7, 2002 - Problem with eDir 8.6: There seems to be a problem with ABENDS occurring if you install eDirectory 8.6 and have BorderManager patches at or later than about BM35SP2. For now, do not install eDirectory 8.6 on BorderManager 3.5 or 3.6 servers. The problem seems to be related to invalid NICI handles, and a new proxy patch is under development to fix this. The new patch should be available quite soon.

May 5, 2002 - New BM36C01B patch replaces old 'A' version. Only change is a back-revved IPFLT31.NLM to address a couple of problems until a new version is created.

Apr. 18, 2002 - Problem with IPX disappearing from Site-Site VPN is now pinned down to INETLIB.NLM in NW5SP4.EXE and NW6SP1.EXE. Changed note to that effect. (See tip #66 here for more information and a fix).

Apr. 17, 2002 - Updated patch list for NW5.1 and NW 5.0 with TCP553V.EXE patch. Added new BorderManager 3.7 VPN client with WindowsME and XP support. Added FILTSRV patch for BorderManager 3.7.

Apr. 13, 2002 - I have temporarily made a field test version of CLNTRUST available that should fix issues with Windows XP. See tip #15 here. Note: This version is replaced with an official release in PXY031.EXE or BM36C02.EXE.

Apr. 8, 2002 - Added note about possible bug in NW51SP4 and NW6SP1 patches, and link to a workaround. Also added TCPCFG.NLM note for NetWare 6.0 servers. (Note: This bug was fixed with the VPTFIX.EXE patch.)

Mar. 25, 2002 - Added TCP 5.90N patch for NW 5.1 servers, and 5.53R for NW 5.1 SP3 or NW 5.0 SP6a servers. Added FLSYSFT5.EXE beta patch for NW 6.0 and 5.1 servers. Added note on NWASPI.CDM.

Mar. 7, 2002 - Added warning about TCP 5.5x and NW51SP4. Also added a warning about eDir 8.6 and later versions of proxy.

Mar. 5, 2002 - RADATR4.EXE patch (updated RADIUS files) added.

Mar. 1, 2002 - Bug in TCPCFG.NLM in NW51SP4.EXE. Result is that NAT Implicit Filtering gets enabled every time you start INETCFG. This will cause inbound traffic to reverse proxies, and (probably) to static NAT to fail. Until a patch/fix is available, be sure to SET NAT DYNAMIC MODE TO PASS THRU=ON, and you should probably do that after any Reinitialize System command.

Feb. 17, 2002 - IMPORTANT! If you are installing BorderManager on a NetWare 6 server, or NetWare 5.1 with NMAS installed, see this TID first: http://support.novell.com/servlet/tidfinder/2959071

Feb. 13, 2002 - Install Problem after ZFD 3.2?

There might be a bug in the installation routine for ZENworks for Desktops 3.2. If you installed ZFD 3.2 before BorderManager, and the BorderManager GUI installation routine will not run, look in the SYS:\NI\UPDATE\LIB directory for any 0-byte files, and delete them. It appears that the ZFD 3.2 installation leaves them there, which causes the BorderManager installation to abort.

Sep. 24, 2001 - WARNING: Do not install TCP542Y.EXE on a BorderManager server. It will break PROXY.NLM. If you have installed it, go back to a previous version, such as the one in the TCP542U.EXE patch.

Aug 27, Nov 8, 2001 - TCPIP 5.52r (from NW51SP3) has dead gateway detection built in, but the needed support modules for it are missing from SP3. If you have the WEBREL1.EXE version of TCPIP.NLM (available for some time from www.novell.com/download), and copy over TCPCFG.NLM and TCPCON.NLM to SYS:SYSTEM, you should be able to configure dead gateway detection afterwards. You can also get the two files from tip #1A here. The latest version of tcpip for NetWare 5 and later *should* have the correct version of tcpip.cfg included.

May 1, 2001, updated June 1, 2001.
VPN Denial of Service attack - patch available

A denial of service attack against the Client-Site VPN authentication NLM has recently been published. It is possible to launch an attack against BorderManager that can result in preventing VPN client connections. Novell has revised the AUTHGW.NLM for BorderManager 3.5 and 3.6, and made it available for download. See this TID:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/2959062.htm

You can download the patch from that URL.

While the attack may or may not work against BorderManager 3.0, Novell is not developing or testing any more BorderManager 3.0 patches. I have no idea if the new AUTHGW.NLM works on BorderManager 3.0 or not.

Updated Dec. 10, 2001 - VPN Client-Site Software Update

For client-to-site VPN, the newest VPN client software seems to work best. Get the VPN36D.EXE (128-bit) or VPN36E.EXE (56-bit).

Also, there is a patch 260268.EXE which contains a newer SRVLOC.DLL for Novell Client32 which can help with pure IP client connections in a Client-Site VPN connection. See the readme for this file HERE. My book on BorderManager 3.x has a fair amount of detail on working with pure IP logins over Client-Site VPN.

Install Problem after ZFD 3.2 (Feb. 13)

There seems to be a bug in the installation routine for ZENworks for Desktops 3.2. If you installed ZFD 3.2 before BorderManager, and the BorderManager GUI installation routine will not run, look in the SYS:\NI\UPDATE\LIB directory for any 0-byte files, and delete them. It appears that the ZFD 3.2 installation leaves them there, which causes the BorderManager installation to abort.

Newer TCPIP.NLM Available - (Jan. 25, 2001)

You can download a newer version of TCPIP.NLM (128-bit or 56-bit) from WWW.NOVELL.COM/DOWNLOAD in the TCPIP Enhancement Pack.

*********** General Notes ********************

Options for Loading BorderManager Modules

Several BorderManager NLM's have command line options that may be of use to you, particularly ACLCHECK. Have a look at this example.

Tuning BorderManager for Performance

Also documented in my book "A Beginner's Guide to BorderManager 3.x" (with some tips and comments added), you should definitely read through Novell TID 10018669 to get your BorderManager server performance up where it should be. The default NetWare settings do not tune a BorderManager server for good performance. You can download my TUNEUP.NCF file to change the settings easily, but be sure to review it and make any changes appropriate for your environment.

Licensing and TCPIP Issues

No discussion of BorderManager patches can be quite complete without mentioning licensing issues and tcpip issues. Be sure you have checked out the other pages on this web site that discuss those issues.

Dial-Up Users - COMX update

If you are running a (test) server using a dial-up connection with a standard modem, get the COMX218.EXE patch, which allows for more reliable communications at speeds above 19,200 baud.

Service Pack Issues - August 4, 2001

There often seem to be a number of new issues that pop up after each NetWare support pack installation. For now, I will add some comments below regarding particularly prevalent issues with service packs. Thanks to SysOp Marcel Cox for most of these tips.

1. See TID 10057717, "NetWare 5.1 Support Pack 2 Addendum", for additional information applying to servers patched to NW51SP2A.
2. High utilization / applications receive "There has been a network or file permission error. The network connection may be lost." This problem occurs on NetWare 5.0 and 5.1 servers and has a workaround: SET CLIENT FILE CACHING ENABLED=OFF. Various patches update the version of filesys.nlm built into server.exe, but most of the versions are broken, including NW5SP6a and NW51SP2a. I believe NW51SP3 now sets this option (in AUTOEXEC.NCF by default).
3. NW50SP6a has an installation bug when trying to update NICI, at least for world-wide versions (56-bit). "The problem: the initial NW 5.0 did not put the NICIW0 key in the product database. The result is that if you have a server with NICI 1.0.0 and you install NW50SP6a, it will update the NICI product record to 1.5.3 *without* actually copying any NICI file. The work-around: a) first install NW50SP6a, b) then *before* restarting your server, install the latest NICI update (1.5.7), and c) only now reboot your server." You need to go to http://www.novell.com/download/#NDS and download the NetWare Server NICI 1.5.7 (strong encryption) patch. (Later patches may be available when you read this.)
4. Before installing a NetWare support pack, flag ALL the files on the SYS: volume as normal, to remove any Read Only attributes. Several Novell patches will not write over Read Only files, and you will not get an error message about it. Also, if you ever copied any files from CD to the DOS partition (server.exe is a particular concern), they will probably be marked as Read Only, and you will need to drop to DOS and remove the Read Only attributes from all the files in the NWSERVER directories.
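A pre-patch audit for the two silent failure modes described on this page (Read Only files that a support pack skips without an error, and 0-byte leftovers such as those in SYS:\NI\UPDATE\LIB), as an added example that is not from Novell or the author. It assumes the volume, or a copy of it, is reachable as a directory from a workstation and that the Read Only attribute shows up as a cleared write bit; the sample tree and its file names are constructed.

```python
import os
import stat
import tempfile

def audit_tree(root):
    """Return (read_only, zero_byte): sorted paths relative to root."""
    read_only, zero_byte = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            # Assumption: a cleared owner-write bit stands in for the
            # Read Only attribute (this is how Windows reports it).
            if not st.st_mode & stat.S_IWRITE:
                read_only.append(rel)
            if st.st_size == 0:
                zero_byte.append(rel)
    return sorted(read_only), sorted(zero_byte)

def clear_read_only(root, rel_paths):
    """Restore the write bit on the listed files before patching."""
    for rel in rel_paths:
        path = os.path.join(root, *rel.split("/"))
        os.chmod(path, os.stat(path).st_mode | stat.S_IWRITE)

def build_sample_tree(root):
    """Constructed sample layout standing in for a copy of SYS:."""
    layout = {
        "SYSTEM/TCPIP.NLM": b"module bytes",
        "SYSTEM/PROXY.NLM": b"module bytes",
        "NI/UPDATE/LIB/LEFTOVER.DAT": b"",      # 0-byte leftover
        "NI/UPDATE/LIB/GOOD.DAT": b"payload",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    # Simulate a file copied from CD: it arrives read-only.
    os.chmod(os.path.join(root, "SYSTEM", "TCPIP.NLM"), stat.S_IREAD)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        ro, empty = audit_tree(tmp)
        print("read-only (patch would skip):", ro)
        print("zero-byte (review before install):", empty)
        clear_read_only(tmp, ro)
        print("read-only after clearing:", audit_tree(tmp)[0])
```

Running the same audit again after the support pack finishes shows whether any file was left Read Only and therefore never replaced.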


NetWare for Small Business 5.1 Issue - January 16, 2001

If you install NetWare for Small Business (SBE) 5.1, it ships with a less-than-optimal IDEATA.HAM driver. If you are using an IDE drive in your server (best to use SCSI!), you may run into all sorts of issues trying to get the server installed. For instance, the seemingly unrelated "SLP UA Warning: Unable to contact directory agent." error coming up at install is related, and may be because some files did not copy properly. The fix is to get a better version of IDEATA.HAM (as in the IDEATA5A.EXE patch from support.novell.com, or a version from a new support pack for NetWare), and use it. To install an updated driver like this to be used during the installation process, create a C:\NWUPDATE directory and put the new drivers in there. When NetWare installs, it should look for files in that directory and use them.

Note: Mar 13, 2001 - The best version of IDEATA so far seems to be version 3.10g, and is currently available at http://developer.novell.com/devres/sas/driver/ideata.exe

4/22/01: Encryption levels on your server

There are a number of files related to encryption levels available on your server. A VPN connection basically uses the version of TCPIP.NLM installed when the VPN is configured, and does not use certificates. Certificates (used for SSL connections, in SSL Proxy Authentication, or HTTPS to the web manager or an installed Novonyx web server, LDAP server, etc.) use other files. I have found that I could upgrade my 56-bit version of NetWare 5.0 (running BorderManager 3.5 at the time) to 128-bit by installing the NICID157.EXE patch, and using the 128-bit ('domestic') version of TCPIP.NLM from the latest NetWare support pack or TCPIP patch. Following the installation of NICID157.EXE, I could create 128-bit certificates in ConsoleOne. In order to get 128-bit VPN encryption, I had to wipe out the VPN configuration and redo it with VPNCFG.NLM with the new TCPIP.NLM in use.

4/22/01: Finding Older Patches On-line

If someone knows where the older NetWare patches can be found on-line, please let me know in the public forums, and I will see about putting up a link to that site here.

Feedback to the Author of this Web Site

If you think this patch sequence is in error or obsolete, please let one of the sysops know in the BorderManager public forums (NNTP: support-forums.novell.com, HTTP: http://support.novell.com/forums/). EACH PATCH SEQUENCE IS ONLY ONE POSSIBLE WAY TO PROCEED - THERE MAY BE OTHER SEQUENCES THAT WORK JUST AS WELL.

Craig Johnson
Novell Support Connection SysOp
(and available for hire!)

