Q&A for Secure Access
Novell Cool Solutions: Feature
Posted: 8 Feb 2006
Q1 Is it possible to divide the proxy functionality? Let's say I use the http proxy from the internal interface, so the destination host will see the primary IP of the external interface on the NSM box. At the same time I want to use the socks proxy from the internal interface, so the destination host will see a secondary IP of the external interface on the NSM box.
A1 You could try an outbound NAT policy that modifies the source IP.
Q2 I have added a secondary ip and can ping it fine from both sides. I cannot get to the private address I have associated with it. Is there a good way to test what is going on? It is probably something simple but it has me baffled.
A2 1. Routing must be enabled. 2. Static NAT must be configured. 3. The internal host must have a proper default gateway configured. 4. Filter exceptions must allow/not block the traffic. If you can ping the public address even with the internal host turned off, you haven't got static NAT configured (or it's not working correctly), and you are just getting a response from the server.
Q3 What is the Proxy.pac, and where can I get info to read up on how it works and configure it?
A3 See http://www.craigjconsulting.com/proxypac.html and http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html You might also take a look at http://en.wikipedia.org/wiki/Wpad
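For orientation, an added example that is not from the original Q&A or from Novell: a proxy.pac is a JavaScript file defining FindProxyForURL(url, host), which the browser calls for each request and whose return string ("DIRECT", "PROXY host:port", "SOCKS host:port") selects the route. The proxy host names, ports and internal DNS suffix below are assumed placeholders.

```javascript
// Added example proxy.pac; every name and port here is an assumed placeholder.
var INTERNAL_SUFFIX = ".corp.example";               // assumed internal DNS suffix
var HTTP_PROXY = "PROXY proxy.corp.example:8080";    // assumed HTTP proxy listener
var SOCKS_PROXY = "SOCKS proxy.corp.example:1080";   // assumed SOCKS listener

// Internal names are reached directly, never through the proxy.
function isInternal(host) {
  host = host.toLowerCase();
  // Single-label names (no dot) resolve on the LAN.
  if (host.indexOf(".") === -1) return true;
  // The leading dot in the suffix keeps "notcorp.example" from matching.
  return host.slice(-INTERNAL_SUFFIX.length) === INTERNAL_SUFFIX;
}

// Entry point the browser calls for each request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https") {
    // No ";DIRECT" fallback: if the proxy is down the request fails
    // instead of silently bypassing the proxy's filtering and logging.
    return HTTP_PROXY;
  }
  // Everything else (for example ftp) goes out through the SOCKS listener.
  return SOCKS_PROXY;
}
```

Browsers also provide helper functions such as shExpMatch() and dnsDomainIs() inside a PAC file; this sketch uses only core JavaScript so it can be checked outside a browser.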
Q4 I have been trying to set up NBM 3.8 on Netware 6.5. It's a fresh load of Netware on a new Server. I have met all the requirements but right before it gets to the interfaces step of the install it displays a critical error and says to refer to the NI log for info.
A4 The solution is here:
Q5 We had problems opening the site www.globo.com, passing through the proxy. We got a 504 gateway time-out error.
Q1 We've just upgraded a 100 User BM 3.x Installation to NSM 6.102. Is it possible to change the NSM error pages (e.g., Proxy) to fulfill the customer's corporate identity?
A1 It's not currently supported, but it's on the feature request list for version 7.
Q2 Is there a way to check the current traffic on the external interface and the current top traffic from/to internal IP devices?
A2 You can enable Traffic accounting in the network menu for your interfaces. In the reporting menu under accounting you can generate a daily/monthly traffic report for any network with a top 20 host list.
Q1 A customer has an intranet site where clicking the Logoff link returns you to the logon page. It's the same URL as before, and there is no intervening page that I can pick up to tell the script to end. Is there any way to prevent NSL from re-SSO-ing to the site once the logoff link is clicked?
A1 Usually you can check the text on the URL using If -Text. That way you should be able to capture something unique on the logout page. When that happens you redirect the URL with the GoToURL command.
Q2 Once NSL is installed, can we avoid using SecretStore after everything is already setup?
A2 Very simple, really. First you need to roll out the non-secretstore version of the client. You could do this by changing a registry key:
This can be set to NDS. You need to watch out for this - if it's set this way, then a new update will set it back to SecretStore. Once you have done that and all of the workstations are set to NDS mode, then you only need to turn off the SecretStore on the servers. The secrets will not be deleted - they will all be fine. NSL uses the attribute store AND SecretStore in the SS implementation. You should not lose any data.
Q3 I can't get SecureLogin 3.5.1 to click the Next button on the app login screen. I tried syntax Click #1, instead of syntax Click #12324 (window finder found the # 12324 for me); I also tried syntax Type /N #1 instead of syntax Click #12324. If I run the app, then 4036, 4037, and 4039 fill correctly, and all I have to do is manually click Next. It won't do it for me.
A3 The issue is probably that the "Next" button is not in the same portion of the window as the other dialog Ctrl numbers. Use WindowFinder and make sure that you note the Parent of the relative buttons. You may find that the Next button is in the parent of the other fields. If so, you should be able to use Parent Click #12324 EndParent.
Q4 I installed SecureLogin 3.51 and get an error message "Broker_Security_Alert (-145)" on reboot.
A4 In ConsoleOne, use the Advanced tab in SecureLogin and choose to Clear the Object Data. Or, see:
Q1 Can I install the iManager modules for nSure Audit on another server and be able to manage the nSure Audit system? I have an OES SP1a, iManager 2.5, and the Audit starter pack that is included in OES.
A1 You should be able to administer the Nsure Audit environment from any server running iManager. You just need to add the db info under Auditing and Logging -> Query Options -> Databases.
Q2 I am unable to get e-mail notifications working from Audit 1.0.3 on NetWare 6.5/OES. I have created the SMTP notification channel, specified an SMTP server, etc., per the documentation. I configured an event-based notification for whenever a volume is dismounted or directories are deleted. I can query the database and find these events when they are performed, but they are not getting e-mailed at all.
A2 You may have to use a DNS name rather than an IP address for the SMTP host server.
Q3 Do you know of another way to get reports for Audit? Pre-built reports for mysql would help.
A3 The only pre-built reports Novell provides require either a full NSure Audit license or Crystal Reports. If you install the MySQL ODBC client, you can use something like MS Access or Crystal Reports to build your own reports.
Q4 I'm running nsure-audit on Windows 2003; the MySQL db is on the same machine. I've set up a MySQL logging channel but cannot connect to the MySQL db. In my file log I'm seeing the following error: [14:05:08] Nsure Audit\Configuration: Driver lgdmsql.dll (Path: \Program Files\Novell\Nsure Audit/lgdmsql.dll) failed to load, Error Code: -6
A4 By following this TID, you can get Audit working with MySQL 4.1:
The TID is written for NetWare, but the situation is the same on Windows.
Q1 Is it possible to have two multi-homed accelerators (i.e., the same iChain IP address) - one providing content that is http and the other providing content that is SSL?
A1 For Host-based Multi-homing you need an SSL Certificate for each Accelerator. You also need a unique IP/port for each Accelerator.
For Domain-based Multi-homing you need a "wild-card"/"star" SSL certificate that allows "*.mydomain.com". Domain-based Multi-Homing has trouble with some browsers not supporting a wild-card certificate.
For more info see:
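To make the certificate requirement above concrete, here is an added example (not from the original answer and not iChain code) that checks which accelerator host names a "*.mydomain.com" certificate covers. It assumes the usual browser matching rule that a wildcard stands for exactly one left-most label; the accelerator names are constructed samples.

```javascript
// Added example: which accelerator names does a wildcard certificate cover?
// Assumption: "*" is valid only as the whole left-most label and matches
// exactly one label, which is the rule current browsers apply.
function certNameMatches(pattern, host) {
  var p = pattern.toLowerCase().split(".");
  var h = host.toLowerCase().replace(/\.$/, "").split(".");
  if (p.length !== h.length) return false;       // wildcard never spans dots
  for (var i = 0; i < p.length; i++) {
    if (i === 0 && p[0] === "*") {
      if (h[0] === "") return false;             // must match a real label
      continue;
    }
    if (p[i] !== h[i]) return false;
  }
  return true;
}

// Split accelerator DNS names into those the shared certificate covers
// (domain-based multi-homing) and those that need their own certificate
// and their own IP/port (host-based multi-homing).
function planCertificates(certName, acceleratorHosts) {
  var plan = { covered: [], needOwnCert: [] };
  acceleratorHosts.forEach(function (host) {
    (certNameMatches(certName, host) ? plan.covered : plan.needOwnCert).push(host);
  });
  return plan;
}

// Constructed sample accelerator names.
var ACCELERATORS = [
  "www.mydomain.com",
  "mail.mydomain.com",
  "mydomain.com",               // bare domain: not matched by *.mydomain.com
  "app.intranet.mydomain.com",  // two labels deep: not matched
  "www.otherdomain.com"         // different domain
];

console.log(planCertificates("*.mydomain.com", ACCELERATORS));
```

The bare domain and any name more than one label below it fall outside the wildcard, so those accelerators cannot share it.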
Q2 I am having problems getting formfill/OLAC working.
A2 You can troubleshoot formfill by putting the sso.nlm in debug mode. There are some switches for it - see: http://support.novell.com/cgi-bin/search/searchtid.cgi?10095590.htm
Same thing for olac. Put the iChain proxy server in debug mode (unlock the console, type in debugm, and use "proxydebug" for the password). Type "oacint /d2" and the olac service gives you some more information on what is being passed onto the web server.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com