Blocking off-segment NCP traffic causes NetWare authentication to slow to 60 seconds
Posted on 2005-02-24
We have a NetWare 6.0 server with 4 NICs (192.168.1.5, 192.168.2.5, 192.168.3.5 and 192.168.4.5).
There are a few 4-NIC Windows 2000 Server boxes running SQL and other jobs, but we do not have any Windows DNS (on all 4 segments for speed reasons).
All inter-segment routing is done through our firewall (internet access as well).
NCP traffic is blocked segment to segment by the firewall to prevent clients from authenticating on a different segment and therefore losing connection if the firewall is taken offline.
Before we blocked the NCP traffic, users authenticated quickly (albeit off segment).
Once the firewall rule blocked port 524 between the 4 segments, it takes almost EXACTLY 60 seconds to log in (using different NW client versions).
The firewall logs show that NCP traffic was blocked from Client WS to the NW Server's OTHER 3 segments (for a total of about 55 seconds).
It appears that the client somehow knows about the other 3 NICs on the NetWare server, but, since NCP is blocked, it cannot authenticate.
My questions:
How can the client know about the other segments of the NetWare server if I have blocked NCP?
Is it possible that one of the other 4 NIC server boxes is passing some traffic but not the NCP?
Is there some other port I need to block on the firewall to prevent discovery of the other segments?
How can I block this knowledge or force the client only to look at its own segment's NetWare NIC?
Note: SLP had no effect on this problem. It seems to be that the knowledge of other segments on the server causes the client to try them first... No idea why!
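The following is an added diagnostic example, not code from the original post or from Novell. It models what the post describes: a client that holds all four server addresses tries them in turn on TCP/524, and every address the firewall silently drops costs a full connect timeout before the next one is tried, so three blocked addresses add up to roughly a minute. The per-attempt timeout of 20 seconds, the /24 subnet masks, the client address and the fake "drop" connector used in the test are all assumptions; `probe_login_path` uses a real socket connect by default and can be run from a workstation to measure how long each server address takes to answer from that segment. `same_segment_first` shows the mitigation the poster is after: order the candidates so the address on the client's own subnet is tried first.

```python
"""Diagnostic model of sequential NCP (TCP/524) connection attempts.

Added example, not from the original post. Assumptions:
- the client tries each server address in turn and only moves on after the
  connect attempt fails, so a silently dropped attempt costs the full timeout;
- the 20 s per-attempt timeout is a placeholder, not the NetWare client's value;
- the server addresses come from the post, the /24 masks are assumed.
"""
import ipaddress
import socket
import time
from typing import Callable, Iterable, List, Optional, Tuple

NCP_PORT = 524

# Server addresses as given in the post (one NIC per segment).
SERVER_ADDRS = ["192.168.1.5", "192.168.2.5", "192.168.3.5", "192.168.4.5"]

Result = Tuple[str, str, float]  # (address, outcome, measured seconds)


def same_segment_first(client_ip: str, candidates: Iterable[str],
                       prefix_len: int = 24) -> List[str]:
    """Order candidates so addresses on the client's own subnet come first.

    Keeps the relative order otherwise, so the off-segment addresses are only
    reached if the local one fails.
    """
    client_net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    cands = list(candidates)
    local = [a for a in cands if ipaddress.ip_address(a) in client_net]
    remote = [a for a in cands if ipaddress.ip_address(a) not in client_net]
    return local + remote


def tcp_connect(addr: str, port: int, timeout: float) -> None:
    """Real TCP connect; raises socket.timeout / OSError on failure."""
    with socket.create_connection((addr, port), timeout=timeout):
        pass


def probe_login_path(candidates: Iterable[str], timeout: float = 20.0,
                     connect: Callable[[str, int, float], None] = tcp_connect
                     ) -> Tuple[Optional[str], List[Result]]:
    """Try each address in order until one accepts a TCP connection on 524.

    Returns (first address that answered or None, per-attempt results).
    Outcomes: 'ok', 'timeout' (packets dropped), 'refused' (RST received),
    'error' (anything else, e.g. no route).
    """
    results: List[Result] = []
    for addr in candidates:
        start = time.monotonic()
        try:
            connect(addr, NCP_PORT, timeout)
            outcome = "ok"
        except socket.timeout:
            outcome = "timeout"
        except ConnectionRefusedError:
            outcome = "refused"
        except OSError:
            outcome = "error"
        results.append((addr, outcome, time.monotonic() - start))
        if outcome == "ok":
            return addr, results
    return None, results


def modelled_delay(results: List[Result], timeout: float) -> float:
    """Seconds the client would have spent if every 'timeout' attempt cost
    the full timeout and every other outcome returned immediately."""
    return sum(timeout for _, outcome, _ in results if outcome == "timeout")


if __name__ == "__main__":
    # Live run from a workstation: use a short timeout so the probe finishes quickly.
    chosen, attempts = probe_login_path(SERVER_ADDRS, timeout=3.0)
    for addr, outcome, secs in attempts:
        print(f"{addr:>14}  {outcome:<8} {secs:6.2f}s")
    print("answered on:", chosen)
```

Run from a workstation on one segment, the measured column shows whether off-segment addresses are being dropped (full timeout) or rejected (near-zero, 'refused'); a firewall that rejects rather than drops port 524 would shorten the delay even without changing the client's address ordering.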