Doing Reverse Proxy with BorderManager
Novell Cool Solutions: Question & Answer
Warren M. wrote: I am at a secondary school. Our school LAN is within a statewide network. I have BorderManager at the boundary with the statewide network and NAT across to this. The statewide network also does plenty of NATing out to the internet. We can only access the internet through an upstream proxy at the border with the internet. BorderManager connects to this upstream CERN proxy OK.
I am endeavouring to provide internet access to our onsite intranet WEB server and to student and staff folders. It is starting to happen and BorderManager seems to have the necessary tools if it wasn't for all of the caveats that come with it - I have not tested these but am worried by the documentation in the support pack 1a for 3.6. I have been able to provide access to a secure and an unsecure WEB server using reverse proxy or proxy acceleration (the managers of the statewide WAN NAT a path through to the school from the internet). The unsecure WEB server (Enterprise) is the intranet server for disseminating curriculum materials around the school. I only want this available from the internet after authentication.
Now we seem to have problems: because of the NATing we will need to use the cookie method, but we use single sign on on the LAN side. The single sign on for the BorderManager has been great, but the documentation says that if I turn on cookie based authentication it will not work with single sign on. What are the workarounds? Two BorderManagers, some other form of authentication? I tried using the secure web server but if it is pointed to the public folders it doesn't ask for authentication. I suppose all folders could be removed from 'public' but then we would lose the benefits of single sign on within the school LAN. I like the benefit of BorderManager now handling authentication to the upstream proxy (asked for this about 1 year ago - this had been a negative after moving from Microsoft Proxy).
We also have some Terminal Server Clients - so would need cookie authentication for this to work fully as well. My current solution (not really cool) is that I have set up Microsoft Proxy on the Terminal Server and point this to the BorderManager. They are then not asked for authentication by BorderManager. The BorderManager access control lists only allow users from the Terminal Server IP address very restricted access to the internet, selected educational sites. I get no log of this for individuals, though.
I would like to charge students who exceed certain download limits. Is this sort of accounting possible?
The access control lists on BorderManager have worked very well. Students have not yet been able to download MP3s, Zips, EXEs or AVIs, certainly allowing more bandwidth for educational pursuits. Caching though does not work as well as might perhaps be possible - it would be great if we could stop in many cases the checking of the currency of web pages so often. Could possibly be more work on what can be done with HTTP headers.
You should check out Novell iChain, Warren. It can do what you're looking for. BorderManager's reverse proxy has very limited functionality compared to iChain, and as a matter of fact iChain is Novell's robust, versatile reverse proxy solution, not Border. BorderManager is best for the core competency you describe: management of private users' activity on the public Internet, as well as VPN and firewall services.
For more info, see iChain Cool Solutions
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com