Novell ZENworks Network Access Control 5.0 - Installation Guide (09-22-2008), page 20


For example, with the following IP addresses:
Router IP — 10.1.90.254, on a /24
Novell ZENworks Network Access Control IP — 10.1.90.130, on a /24
VPN concentrator IP — 10.1.90.131, on a /24
VPN client IP range — 10.1.105.0/24
The VPN concentrator is configured to hand out IP addresses on the 10.1.105.0/24 subnet, while
Novell ZENworks Network Access Control and the VPN concentrator itself are on the 10.1.90.0/24
subnet. Both Novell ZENworks Network Access Control and the VPN concentrator have a default
route set through 10.1.90.254, which is a router or Layer 3 switch on the LAN (eth0) side of Novell
ZENworks Network Access Control.
Because a connecting VPN endpoint is not on the same subnet as Novell ZENworks Network
Access Control, all of the packets that Novell ZENworks Network Access Control sends (in
response to HTTP requests from the endpoint) go to the router at 10.1.90.254, which knows to send
them (back through the Novell ZENworks Network Access Control bridge) to the VPN concentrator
for a next hop. For normal communication (such as testing traffic) between Novell ZENworks
Network Access Control and an endpoint, this works fine, even if it seems a bit inefficient.
However, when Novell ZENworks Network Access Control redirects an HTTP connection, it first
constructs an HTTP redirect whose source IP address is the original destination of the
connection, so that the browser accepts it as the reply to the request it sent.
For example:
1. The endpoint connects to the VPN, and the browser requests www.google.com.
2. Novell ZENworks Network Access Control intercepts the packets addressed to www.google.com.
3. Novell ZENworks Network Access Control constructs an HTTP redirection to the Novell
ZENworks Network Access Control IP, using packets which have a source IP address of
www.google.com.
4. Novell ZENworks Network Access Control sends the constructed redirect to the VPN endpoint
using the Novell ZENworks Network Access Control default route.
Those packets go to the LAN-side router, which in our scenario is configured with best-practice
egress filtering. The router treats those packets as errors (because they carry a source IP
address that should not emanate from that network segment) and drops them. This is why testing
works when the endpoint connects directly to Novell ZENworks Network Access Control: the
response packets still go to the LAN-side router, but it routes them appropriately because they
have a valid source address (the Novell ZENworks Network Access Control IP).
The solution is to add a static route to Novell ZENworks Network Access Control so that it sends
packets addressed to 10.1.105.0/24 via the VPN concentrator (10.1.90.131) instead of the LAN-side
router. The constructed redirect then reaches the VPN endpoint and the redirection works correctly.
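To make the routing decision concrete, the following is an added Python model; it is not code from the guide or from Novell. It performs a longest-prefix-match lookup against the two routing tables discussed above (default route only, and default route plus the recommended static route), then applies the LAN-side router's egress filter to the packet. The addresses are the guide's example values; 203.0.113.10 is a constructed stand-in for the resolved address of www.google.com, and the egress-filter policy on 10.1.90.254 (forward only packets whose source lies in 10.1.90.0/24 or 10.1.105.0/24) is an assumption made for illustration.

```python
import ipaddress

# Addresses from the guide's example.
NAC = "10.1.90.130"              # Novell ZENworks Network Access Control
VPN_CONCENTRATOR = "10.1.90.131"
ROUTER = "10.1.90.254"           # LAN-side router / Layer 3 switch
VPN_CLIENTS = "10.1.105.0/24"
# Constructed stand-in for the resolved address of www.google.com.
ORIGINAL_DEST = "203.0.113.10"

# Routing table of the NAC server as the guide describes it: the LAN segment
# is on-link (gateway None) and everything else follows the default route
# through the LAN-side router.
NAC_ROUTES_DEFAULT = [
    ("10.1.90.0/24", None),
    ("0.0.0.0/0", ROUTER),
]

# The same table with the static route the guide recommends.
STATIC_ROUTE = (VPN_CLIENTS, VPN_CONCENTRATOR)
NAC_ROUTES_FIXED = [STATIC_ROUTE] + NAC_ROUTES_DEFAULT

# Assumed egress-filter policy on the LAN-side router: a packet received from
# the NAC/VPN segment is forwarded only if its source address belongs to a
# prefix that legitimately lives behind that interface.
ROUTER_EGRESS_ALLOWED = ["10.1.90.0/24", VPN_CLIENTS]


def next_hop(routes, dst):
    """Longest-prefix-match lookup. Returns the gateway address, None for an
    on-link destination, and raises if nothing matches."""
    d = ipaddress.ip_address(dst)
    best_net, best_gw = None, None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if d in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_gw = net, gw
    if best_net is None:
        raise ValueError(f"no route to {dst}")
    return best_gw


def router_forwards(src):
    """Egress filter at the LAN-side router: True if src is an allowed source."""
    s = ipaddress.ip_address(src)
    return any(s in ipaddress.ip_network(p) for p in ROUTER_EGRESS_ALLOWED)


def deliver(routes, src, dst):
    """Follow one packet leaving the NAC server and report its fate."""
    hop = next_hop(routes, dst)
    if hop == ROUTER:
        return "delivered" if router_forwards(src) else "dropped by egress filter"
    # Via the VPN concentrator (into the tunnel) or on-link: no filter modelled.
    return "delivered"


def scenarios(client="10.1.105.7"):
    """The three cases the guide walks through, for one VPN client address."""
    return {
        "test traffic, default route": deliver(NAC_ROUTES_DEFAULT, NAC, client),
        "spoofed redirect, default route": deliver(NAC_ROUTES_DEFAULT, ORIGINAL_DEST, client),
        "spoofed redirect, static route": deliver(NAC_ROUTES_FIXED, ORIGINAL_DEST, client),
    }


if __name__ == "__main__":
    for name, fate in scenarios().items():
        print(f"{name:34} -> {fate}")
```

The model shows why test traffic passes while the redirect is dropped: both take the same path through 10.1.90.254, and only the source address differs. On a Linux host the equivalent of the recommended route is `ip route add 10.1.105.0/24 via 10.1.90.131` (an iproute2 command, not the guide's own wording); how it is made to survive a reboot depends on the distribution. `ip route get 10.1.105.7` reports the next hop the kernel actually selects, which is the check worth running before and after the change.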
You also want to make the static route addition permanent across reboots.
To add a permanent static route to the Novell ZENworks Network Access Control
server:
1 Log in as root to the Novell ZENworks Network Access Control server using SSH or directly
with a keyboard.