Bypassing Authentication for Remote Users in BorderManager
Novell Cool Solutions: Tip
By Craig Johnson
Posted: 3 Oct 2007
A Forum reader recently asked:
"I have Client Trust set up for all my users for BorderManager. Is there any way to exclude certain users? I want all users in-house to have to login to Novell and download the keys, but for my remote users it is not necessary. Is there any way I can accomplish this?
Currently, if they connect to the VPN and do not login to Novell, then they launch IE, it will prompt them for a BorderManager authentication dialog box. How do I make it so when they connect to the VPN they can launch IE and go straight to the Internet without having to authenticate? Is there a setting for BorderManager that needs to be set?"
And here's the response from Craig Johnson ...
Yes. You will need to have an if/then in the login script to branch away when you see a client coming from a non-local address.
Have a look at tip #44 at http://www.craigjconsulting.com
There are two parts to this project.
The first is to avoid pushing CLNTRUST to the VPN users from the login script by using if/then logic to skip parts of the login script you don't need for VPN users.
Once you are connected, it is entirely up to the browser whether or not it uses the proxy. If it is configured to use a proxy, it will try to, regardless of whether or not CLNTRUST is running, proxy authentication is enabled, etc.
If these are laptops that go between your network and home, and so need to have the proxy configured at some times and not others, you have a couple of choices.
1. Have users manually enable/disable proxy settings in the browsers. This is usually not acceptable.
2. Have users use a different browser (Firefox, IE, Opera, Safari, etc.) when connected to the network. One browser is configured for the proxy, the other is not. Again, this is usually not acceptable.
3. Put a local proxy.pac file on the laptops and point the browsers to it. The proxy.pac file tests the network address and tells the browsers to use a proxy only when connected to the corporate LAN. This works well and is recommended, as long as you have a good LAN subnet address that isn't duplicated in everyone's home network. (This is a big reason to avoid 192.168.0.0 and 192.168.1.0 for corporate network addresses.) I have sample proxy.pac files at tip #64 at my web site (see the URL above).
In any case, the VPN traffic rules have to be configured to allow users to connect directly to non-corporate network addresses when the VPN is connected, or all traffic will be sent into the tunnel (or denied).
I have examples of setting all of this up in my BMgr 3.x book - see the URL above.
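As an added illustration of option 3 in the reply above (this is example code written for this page, not one of Craig Johnson's sample proxy.pac files and not taken from BorderManager), here is a proxy.pac that routes browser traffic through the BorderManager proxy only when the laptop's own address is on the corporate LAN, and goes direct from home or over the VPN. The corporate subnet 10.50.0.0/16, the proxy address 10.50.1.10:8080 and the helper names (`ipToInt`, `inNet`, `chooseProxy`) are assumptions made for the example; `FindProxyForURL` and `myIpAddress` are the standard PAC entry point and built-in.

```javascript
// proxy.pac (added example): use the BorderManager proxy only on the corporate LAN.
// Assumed values for illustration: corporate subnet 10.50.0.0/16 and proxy 10.50.1.10:8080.
var CORP_NET  = "10.50.0.0";
var CORP_MASK = "255.255.0.0";
var BM_PROXY  = "PROXY 10.50.1.10:8080";   // BorderManager HTTP proxy (assumed address)

// Dotted-quad IPv4 string -> unsigned 32-bit integer; -1 for anything malformed.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = parseInt(parts[i], 10);
    if (isNaN(octet) || octet < 0 || octet > 255 || String(octet) !== parts[i]) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// Same contract as the PAC built-in isInNet(), but limited to literal IPv4
// addresses so it needs no DNS lookups and runs outside a browser as well.
function inNet(ip, net, mask) {
  var a = ipToInt(ip), b = ipToInt(net), m = ipToInt(mask);
  if (a < 0 || b < 0 || m < 0) return false;
  // ">>> 0" keeps the result unsigned after the signed 32-bit AND.
  return ((a & m) >>> 0) === ((b & m) >>> 0);
}

// The routing decision, factored out so it can be exercised with any client address.
function chooseProxy(clientIp, host) {
  // Unqualified names and hosts on the corporate network never need the proxy.
  if (host.indexOf(".") === -1 || inNet(host, CORP_NET, CORP_MASK)) return "DIRECT";
  // On the corporate LAN: use BorderManager, fall back to direct if it is unreachable.
  if (inNet(clientIp, CORP_NET, CORP_MASK)) return BM_PROXY + "; DIRECT";
  // At home or over the VPN: straight out to the Internet.
  return "DIRECT";
}

// Entry point the browser calls for every request; myIpAddress() is the PAC built-in.
function FindProxyForURL(url, host) {
  return chooseProxy(myIpAddress(), host);
}
```

The check is only as good as the subnet it tests: if CORP_NET were 192.168.1.0/24, a user on a typical home router would also match it, the browser would try the unreachable proxy first, and every page load would stall until the "; DIRECT" fallback kicked in. That is the practical reason behind the advice above to keep the corporate address range out of the common home ranges.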
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com