Terminal Server Authentication
Novell Cool Solutions: Feature
By Jerry Brower
Posted: 5 Feb 2003
Introduction
The Novell BorderManager EE 3.6 proxy solved the problem of authenticating users from same-address clients with "Cookie Based Authentication". Same-address clients include:
- Clients behind NAT
- Clients from a Citrix server
- Clients from any other Terminal server
However, that solution was incomplete and could not work with HTTPS sites. Since then, customers have often requested this feature. As the first step in solving this problem, Novell BorderManager 3.7 SP1 includes the capability to differentiate between users from same-address clients and those from different addresses. Users coming from same-address clients will be shown a different authentication scheme.
Configurations in Proxy.cfg
The following switches have been added to facilitate the enabling and disabling of the feature.
| Switch | Section | Values (Integer) |
|---|---|---|
| EnableTerminalServerAuthentication | Extra Configuration | 1 -- Enable this feature; 0 -- Disable the feature; Default: Disabled |
| RedirectHTTPSRequest | Extra Configuration | 1 -- Enable redirect through JavaScript for redirecting HTTPS sites; 0 -- Disable redirect through JavaScript; Default: Enabled |

    [Extra Configuration]
    EnableTerminalServerAuthentication=1
    RedirectHTTPSRequest=1
The switches are used to configure the source subnets, IP address ranges and IP addresses.
Here are the configuration parameters:

    [Authentication Subnets]
    PrivateSubnet1=10.0.0.0/255.0.0.0
    PrivateSubnet2=10.4.5.100/255.255.252.0
    PrivateSubnet3=164.99.145.98/255.255.252.0
    ...
    [Authentication Ranges]
    PrivateRange1=100.25.4.5-100.25.4.60
    PrivateRange2=20.1.1.1-20.4.5.25
    ......
    [Authentication Addresses]
    PrivateAddr1=24.0.4.5
    PrivateAddr2=45.3.45.6
    PrivateAddr3=44.5.6.8
    ......
All clients identified from the above subnets, address ranges and addresses must undergo a separate authentication scheme, described in the following section. Keep this configuration as small as possible to avoid performance overhead. Optimum performance is gained if each entry in the above sections falls in a separate network ID of classful Internet addresses.
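An audit of the sample configuration above, as an added example that is not Novell's code: it reports which entries would place a client under the same-address scheme, and which entries are already covered by another entry and so add lookup overhead for no gain. The function names are hypothetical, and masking off host bits in subnet entries is an assumption about how the proxy reads them.

```python
import configparser
import ipaddress

# Constructed sample: the article's entries, without the "..." elisions.
SAMPLE_CFG = """
[Authentication Subnets]
PrivateSubnet1=10.0.0.0/255.0.0.0
PrivateSubnet2=10.4.5.100/255.255.252.0
PrivateSubnet3=164.99.145.98/255.255.252.0
[Authentication Ranges]
PrivateRange1=100.25.4.5-100.25.4.60
PrivateRange2=20.1.1.1-20.4.5.25
[Authentication Addresses]
PrivateAddr1=24.0.4.5
PrivateAddr2=45.3.45.6
PrivateAddr3=44.5.6.8
"""

def load_entries(text):
    """Return {switch name: (first address, last address)} for every entry."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep switch names in their original case
    cfg.read_string(text)
    entries = {}
    for name, value in cfg["Authentication Subnets"].items():
        # Assumption: host bits in a subnet entry are masked off.
        net = ipaddress.ip_network(value, strict=False)
        entries[name] = (net[0], net[-1])
    for name, value in cfg["Authentication Ranges"].items():
        low, high = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        entries[name] = (low, high)
    for name, value in cfg["Authentication Addresses"].items():
        entries[name] = (ipaddress.ip_address(value),) * 2
    return entries

def matching_entries(entries, client_ip):
    """Names of the entries that put client_ip under the same-address scheme."""
    ip = ipaddress.ip_address(client_ip)
    return [name for name, (low, high) in entries.items() if low <= ip <= high]

def redundant_entries(entries):
    """(inner, outer) pairs where one entry is fully covered by another."""
    return [(a, b)
            for a, (a_low, a_high) in entries.items()
            for b, (b_low, b_high) in entries.items()
            if a != b and b_low <= a_low and a_high <= b_high]

if __name__ == "__main__":
    table = load_entries(SAMPLE_CFG)
    print(matching_entries(table, "10.4.6.1"), redundant_entries(table))
```

On the sample, PrivateSubnet2 lies entirely inside PrivateSubnet1, so it can be dropped without changing which clients are matched.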
Proxy Authentication Scheme for Same-Address Clients
The authentication steps are as shown in the following screen shots:
1. Log in at the BorderManager proxy dialog.
2. On successful login, a script prompt appears. The number displayed in the script prompt must be copied to the clipboard, and OK must be clicked.
3. The copied number must be pasted in the username or the password field of the browser's proxy authentication dialog.
4. This completes the login to the BorderManager proxy. Any web access from the same window, or from a window launched using Ctrl-N, will not require you to authenticate again.
Future
The next support pack of Novell BorderManager 3.7, SP2, will have a client plug-in that will automate the double login for Citrix clients using Netscape or Internet Explorer.
Reader Comments
- Awesome! About time!
- A step in the right direction. Still waiting for the functionality in SP2...
- Step 4 is incorrect. It will make you log in again as soon as the idle timeout takes effect.

