Bug Fixes included in BorderManager 3.7

Novell Cool Solutions: Feature

Posted: 24 May 2002
 

Version: BorderManager 3.7

Fixes Containing Configurable Switches

1. The following proxy configuration switches are enabled by default:

[Extra Configuration]
DoNotCacheWhenCookieFound=1
DoNotSaveMemoryCacheDuringUnload=0
EnableICSPassThruFix=1
RestartTimeoutAfterEverySend=1
DoNotResolveNamesBeforeGoingThruHierarchy=1

[Proxy-Authorization]
AlwaysSendAuthorizationToCERNParent=1

2. There is no option to block HTTP CONNECT requests to the proxy modules. Some of these requests can be configured to bypass important security checks.

To block HTTP CONNECT requests, the following changes must be implemented in the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
DisableConnectRequest=1

(This stops all types of HTTP CONNECT requests, including SSL tunnels.)
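An added example (not Novell's code) of auditing a PROXY.CFG for the switch above: it reports CONNECT as blocked only when DisableConnectRequest=1 appears under [Extra Configuration] with no conflicting repeat, and flags "(Default = n)" notes copied from this page into the file. How PROXY.NLM treats repeated sections, misplaced keys or trailing notes is not stated here, so the check assumes the conservative reading; the sample files are constructed.

```python
import re

# "(Default = 0)" notes are printed after some values on this page; they are
# documentation, and a copy-paste would carry them into the file.
NOTE = re.compile(r"\s*\(Default\s*=\s*\d+\)\s*$", re.IGNORECASE)
SECTION, KEY = "Extra Configuration", "DisableConnectRequest"  # names from the page


def parse_proxy_cfg(text):
    """Return ({(section, key): [values in file order]}, [problems])."""
    settings, problems, section = {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section is None or "=" not in line:
            problems.append(f"line {n}: not key=value inside a section")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if NOTE.search(value):
            problems.append(f"line {n}: documentation note pasted after {key}")
            value = NOTE.sub("", value)
        settings.setdefault((section, key), []).append(value)
    return settings, problems


def connect_status(text):
    """'blocked' only when every occurrence of the switch is 1 in the right section."""
    settings, problems = parse_proxy_cfg(text)
    values = settings.get((SECTION, KEY), [])
    # Exact-case match is an assumption: a differently spelled key counts as absent.
    misplaced = [s for (s, k) in settings if k == KEY and s != SECTION]
    if misplaced:
        problems.append(f"{KEY} found under [{misplaced[0]}], expected [{SECTION}]")
    if not values:
        return "not-blocked", problems
    if set(values) != {"1"}:
        problems.append(f"{KEY} has values {values}")
        return ("ambiguous" if "1" in values else "not-blocked"), problems
    return "blocked", problems


# Constructed sample files (not taken from a real server).
HARDENED = "[Extra Configuration]\nDoNotCacheWhenCookieFound=1\nDisableConnectRequest=1\n"
MISPLACED = "[HTTP Streaming]\nDisableConnectRequest=1\n"
CONFLICT = ("[Extra Configuration]\nDisableConnectRequest=1\n"
            "DiscardAcceptRanges=1 (Default = 0)\n"
            "[Extra Configuration]\nDisableConnectRequest=0\n")

if __name__ == "__main__":
    for name, cfg in [("hardened", HARDENED), ("misplaced", MISPLACED), ("conflict", CONFLICT)]:
        print(name, *connect_status(cfg))
```
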

3. Because the HTTP proxy does not support HTTP range headers, it is difficult to view PDF files through the Netscape browser. This issue requires the user to use the reload button frequently, but only occurs with version 4.05c of the Acrobat plug-in.

To enable viewing of PDF files through the Netscape browser, implement the following changes to the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
DiscardAcceptRanges=1 (Default = 0)

4. When one of the DNS servers in use by the proxy goes into the down state, a request to resolve certain hosts may periodically be made to the DNS server in the down state. This periodic request causes issues such as invoking an on-demand ISDN line, which will increase telecom costs.

To disable the persistent DNS checks that are made when a DNS server is down, implement the following changes to the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
DisableDNSCheckup=1

5. When using the Real Audio Internet from the Winamp application, the radio stream does not stop when it should. This issue is caused by the proxy continuing to hold on to a disabled connection until the cache is full.

To configure the proxy module to release a disabled connection to allow streaming, the following changes must be implemented in the ETC/PROXY/PROXY.CFG file:

[HTTP Streaming]
ResetOriginServerConnAfterClientReset=1

6. The HTTP Transparent proxy does not fetch the correct page when accessing pages on virtual servers.

To enable the proxy module to correctly access pages on virtual servers, the following changes must be implemented in the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
TransparentProxySupportsVirtualServers=1

7. Microsoft Internet Explorer (IE) 5.x is unable to open PDF (Adobe Acrobat) files.

To enable IE to open PDF files, implement the following change in the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
PassContentLength=1 (Default = 1)

8. When the SMTP proxy encounters two SMTP 220 commands in succession, it attempts to quit. Therefore, you cannot access sites that have not fixed this problem.

To enable the SMTP proxy to encounter two SMTP 220 commands, the following changes must be implemented in the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
AllowSecond220Respond=1 (Default = 0)

9. In many cases, when an application or web site has problems, BorderManager displays an error page implying that BorderManager is causing the problem. This occurs in many cases where the problem is in a different product.

To selectively turn off error pages, implement the following changes to the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
DoNotSendBadGatewayErrorPageToClients=1
DoNotSendAnyErrorPagesToClients=1

10. The forward proxy fails to reconnect to pages provided with a content-length. When initiating a non-persistent connection BorderManager should ignore a wrong content-length and continue to maintain a persistent connection to the Origin Web Server.

To enable a forward proxy to reconnect to a page provided with a content-length, implement the following changes to the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
IgnoreContentLengthCheck=1 (Default=0)

11. Internet Explorer 5.x failed to display a 403 error when accessing a blocked protocol.

To enable Internet Explorer 5.x to display 403 errors when accessing blocked protocols, implement the following changes to the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
UseSimplifiedErrorPage=1

(By default, it is = 0.)

12. To improve performance, there is a configuration switch that enables persistent connection pass-through.

To enable persistent connection pass-through, implement the following changes to the ETC/PROXY/PROXY.CFG file:

[Extra Configuration]
TurnOffPersistantPassThru=1

13. There is now a switch to change the delimiter within the common logging format.

To change the delimiter within the common logging format, implement the following in the ETC/PROXY/PROXY.CFG file:

[Log Format]
Delimiter-Character=space

The word "space" can be changed to "tab" or any single character.

Additional Software Fixes

1. If the VPN master is renamed after the initial configuration and you attempt to import a slave server, NWADMN32 may cause an invalid page fault in the VPN.DLL module.

2. When using the Client-to-Site VPN from certain client addresses, the VPN server reports a format error. The VPN Client32 plug-in causes this by sending the IP address in the wrong packet. When the client fails, the VPN server reports a "GetCH: Parse failed" error message in the log file.

3. Because the HTTP Proxy doesn't log user-agent information, WebTrends is unable to analyze the log file from the HTTP Proxy. For example, reports list "Other" for platform and browser because there is no valid information available. If necessary, the Netscape Enterprise web server can be configured to log user-agent information, which can be analyzed correctly by WebTrends. Therefore, the logging done by the HTTP Proxy is limited to common, extended, and indexed (audit) format logging for a proxy service.

Common format logs the following:

* remote host name
* user's remote log name
* authenticated user name
* date
* request line from client
* status
* length of data in bytes

Extended format logs the following:

* cached status
* date
* time
* client IP address
* URL method
* URL

Indexed format logging is presented in Novell audit-log format.

4. In some cases, the Proxy module abends with a hot node issue.

5. Accessing certain sites is extremely slow with Internet Explorer.

6. A performance monitoring capability should be added to the Proxy module to better estimate the maximum number of client connections.

7. When adding, deleting, or modifying rules in NWADMIN, the following error appears: Unable to update server [- 3].

This problem results when the ACLCHECK.NLM module is loaded prior to the BRDSRV.NLM module.

8. In some cases, an ICP setup will produce continuous inconsistency errors on the server.

9. The "Search Again" feature is extremely slow at familysearch.org.

10. In some cases, when a NetWare 5 server is connecting using NAT, the server abends after several hours.

11. There is no persistent connection to the origin server when the client uses a pragma: no-cache parameter. This means that BorderManager must be able to support persistent connections for requests that are missing the keep alive.

12. Some customers who set up their access control rules with wildcards often need to generate huge numbers of DNS PTR requests when ACLCHECK is processing URLs passed in by the proxy, IPXGW, VPN, and so on. Many such requests cannot be resolved, and the delay required to time out the requests is often so high that it impacts performance. The proxy module needs an option that allows you to disable these DNS PTR requests in ACLCHECK.

13. BorderManager fails to display the full forbidden error when accessing blocked protocols.

14. In some cases, the proxy module abends with a double-linked node issue that causes a CPU Hog condition.

15. The /R load switch should be removed from the PROXYCFG file because it is causing errors with other modules such as VPN.

16. An internal inconsistency error causes the proxy module to reload every hour.

17. The IIS server should accelerate on port 80 and 443. Currently, accelerated 443 traffic can cause a proxy module abend with the following error:

Novell Proxy encountered a fatal error: TCPGetSendCallBack cannot locate send fragment

18. BorderManager addresses the CERN proxy for configured domain restrictions, but does not chain the DNS requests to the parent. Instead, BorderManager attempts to resolve the DNS queries. This fails because only the CERN parent can address the DNS server to resolve hosts in two private domains. Therefore, users fail to contact (private) servers behind the CERN Proxy.

19. When using the Client-to-Site VPN, the VPN Login displays the fully distinguished name in the Dial-Up tab when the "Use NetWare Name" box is checked. However, when calling the RAS code to initiate the dialup, the VPN client only passes the common name to the Radius authenticator.

20. In some cases, the proxy module abends in the following routine: RFtpPTServerDataAbort

21. When attempting to access web sites using an alias hostname, the request may fail because the proxy attempts to create a fully-qualified host name using the RESOLV.CFG file. This is done without taking alias names into account.

22. Extra requests are included in certain routines thereby causing a Page abend to occur in the proxy module.

23. In some cases, the proxy module abends with CPU hog error associated with a DNS lookup issue.

24. In some cases, the proxy module abends when downing NetWare.

25. In some cases, the proxy module abends when run on the latest version of NetWare.

26. In some cases, the DNS Proxy displays a memory leak that uses up all the resources.

27. An OutputToScreen call must be removed from the proxy module.

28. When HTTP authentication through SSL is attempted, the server abends.

29. The Code Red Virus is impacting proxy server performance.

30. The proxy server goes into debug mode at Int 3 because of a breakpoint.

31. In some cases, the proxy module abends in the following routine: FormatBadRequestLineForLogging

32. In some cases, reverse proxy authentication fails when users attempt to go through the proxy using an ISP that only forwards HTTP:80 requests.

33. In some cases, the proxy module abends in the following routine: ProcessHTTPReplyHeader

34. The proxy module requests data from origin server after moving from hot to cold node status. In addition, some HTTP GET requests are resent to the origin server despite not having a cache control header stating that the object should not be cached.

35. Some Telnet sessions close after 20 minutes.

36. When BorderManager attempts to pass credentials when authenticating to an upstream, parent CERN proxy, a generateChecksum abend occurs in the proxy module.

37. In some cases, there are memory allocation issues because the proxy module is not releasing cache buffers.

38. In some cases, an unknown address issue causes a Page Fault Processor Exception abend in the proxy module.

39. In some cases, an unknown issue causes a WriteEntityDataToCache abend in the proxy module.

40. When accessing a site requiring authentication through BorderManager, the Single Sign-On authentication does not function properly when cookies are enabled.

41. Because the ACLCHECK.NLM is loaded by the AUTOEXEC file before the BRDSRV.NLM, the following proxy module error appears on the server console:

HTTP Proxy at TCP/IPX address 10010063: 000000000001:1F90 ** Error ** Register error 42 (possible fix: load ipxf.nlm)

This issue does not cause any loss of functionality.

42. If you access an empty directory during an FTP session through the proxy, the proxy resets the TCP connections to the client and browser after receiving a POST command from the browser.

43. In some cases, the proxy module abends with an INT 3 Breakpoint Processor Exception. This issue may be related to a CPU memory issue.

44. In some cases, the proxy module abends with a TCPGetSendCallBack 397 error.

45. An InternalConsistencyError is triggered when using the Telnet Transparent proxy.

46. When BRDSRV.NLM is loaded with the /NOLOAD option and ACLCHECK.NLM is then loaded with /S before loading the proxy, the server eventually abends with a CPU hog. ACLCHECK must relinquish the thread so that other modules do not wait indefinitely before the abend.

47. In some cases, the proxy module abends with an InternalConsistencyError : GetAmountUntilECBEnd error when the connection is in an invalid state.

48. In some cases, the proxy module abends with a TCPGetSendCallBack error.

49. The proxy module should check ICP status before checking DNS name resolution.

50. In order to better track Maximum Concurrent Usage, the proxy module needs additional logging statistics on current usage.

51. In some cases, the proxy module abends with an RFtpCacheError InternalConsistencyError : GetAmountUntilECBEnd error.

52. When accessing some search engines, the proxy displays an error message and is unable to display the correct page. This issue is caused by a problem with persistent connections through the proxy.

53. When attempting to send mail to subdomains of the primary domain, the mail proxy fails if the subdomains match the primary domain name up to a certain number of characters.

54. RealPlayer 8 does not work with the Real Audio and RTSP proxy.

55. In some cases, the proxy module abends with the following error: Novell Proxy encountered a fatal error: Ran out of file extensions in FileCreate.

56. In some cases, the proxy module abends with the following error: Internal Consistency Error: AbortConnectionCanDelay was waiting for data.

57. The delayed ACK functionality should not be automatically enabled by the proxy module unless the Telnet proxy is being used.

58. In some cases, the proxy module displays the following error message when unloading:

Novell Proxy encountered a fatal error: Request 0x10106004 won't finish.
State = DNS Waiting For UDP Send Complete on a DNS Name Server Status Check

59. All compile-time debug flags should be disabled in the shipping product.

60. In some cases, the proxy module abends in the following routine: RAClientFinishedDNSLookup

61. The mail proxy abends when a mail message contains a single quote.

62. In some cases, the proxy module abends when the mail proxy is enabled. If this occurs, ensure that you do not load PROXY.NLM with the -m switch, which enables SMTP retries when multiple MX entries exist. If this does not stop the abend, load PROXY.NLM with the -cc switch. The last solution is to delete the SYS:ETC\PXYHOSTS and SYS:ETC\PXYHOSTS.SAV files and then reload PROXY.NLM.

If none of these solutions correct the problem, you can configure the SMTP server and BorderManager server to use NAT and disable the mail proxy.

63. When the proxy requests authentication via SSL and the first page being requested is an HTTPS page, the proxy does not display the correct page.

64. SSL authentication always redirects to an IP address instead of hostname, but should be able to redirect to a hostname also.

65. During the initial attempt to log in using the VPN LAN client, the server abends.

66. In some cases, the proxy module abends in the following routine: FinishPassThruThenReset

67. In some cases, when unloading, the proxy module abends in the following routine: CloseConnections 1B1

68. In some cases, the proxy module abends in the following routine: SendUDPMessage +5D

69. In some cases, the proxy module abends in the following routine: IPQueryUDPTimerCallOut DC

70. In some cases, the proxy module abends in the following routine: CReGetCache 42

71. In some cases, the proxy module abends in the following routine: oc_requestStart

This issue seems to cause a CPU Hog condition.

72. In some cases, the proxy module abends in the following routine: RsStateNotImplemented

73. In some cases, the proxy module abends in the following routine: PROXY.NLM|DNSProxyGetARecord A2

74. To ensure that the proxy hosts file has the latest information, the PROXY -CC command should clear the file and recreate it using the most recent information.

75. In some cases, the proxy module abends with the following error: RftpCacheError.

76. When new users are added to a BorderManager group, the access control module does not recognize the new users. Therefore, new users receive a -403 error on the browser when trying to access web sites through the proxy module.

77. In some cases, the proxy module abends in the following routine: RftpDetermineReplyAgeAndExpiration.

78. In the most common configuration, BorderManager will not work if installed in a tree with NMAS. Additional attributes are required for the BorderManager Login Policy Object.

79. Proxy authentication using Java applet fails when no default context is configured.

80. In some cases, the proxy module fails to release ECBs.

81. In the most common configuration, BorderManager will not work if installed in a tree with NMAS. Additional attributes are required for the BorderManager Login Policy Object.

82. In some cases the proxy module abends in the following routine: TCPGetSendCallBack

83. In some cases, there is a CPU Hog abend in the proxy module that is related to DNS Lookup issues.

84. There is an internal consistency error in the proxy module.

85. A denial of service attack should not be possible on TCP port 353.

86. There is DNS name support for the proxy authentication page.

87. SSL authentication supports Netscape 6.

88. There is a Code Red and Nimda virus request blocking facility available.

89. The response to the RFTP proxy for the SITE command has been fixed to work with Microsoft Internet Explorer.

90. The failure in authentication to Proxy and VPN on NetWare 6 has been fixed. Mandatory configuration of login policies for user objects is no longer required.

91. The abend in SSL during authentication after upgrading to eDirectory 8.61 has been fixed.

