Authentication

This section covers the following:

  MAC OS SSL Authentication
  MAC Block HTTP Tunnel Requests
  HTTPS Transparent Proxy
  Terminal Server Authentication
  Proxy Authentication for Clients with the Same Address

MAC OS SSL Authentication

The MAC OS SSL authentication feature makes the first redirect to the login page small enough to fit in a single packet, so that the MAC browser handles it correctly. Previously, the first redirect to the login page was large and did not fit in one packet, which caused the MAC IE browser to fail to respond to the HTTP 302 redirect.

The function used is now SendHTMLRedirect(). To enable this, set the following parameter in proxy.cfg:

[Extra Configuration]
new302Redirect=1

The default value is 0. Setting it to 1 causes the Novell BorderManager 3.8 proxy to send a simplified 302 redirect page. You must set the value to 1 for it to work properly with the MAC IE browser.


MAC Block HTTP Tunnel Requests

MAC Block HTTP Tunnel Requests prevents the MAC IE browser from using tunneling mode, so it cannot bypass the access control checks. Tunneling is disabled by default. The AllowHTTPTunneling flag has been added to the proxy.cfg file:

[Extra Configuration]
AllowHTTPTunneling=1

The default value is 0. A value of 1 allows HTTP tunneling.


HTTPS Transparent Proxy

The HTTPS transparent proxy feature allows transparent proxying of secure HTTP sites.

The ports in the Transparent HTTP monitored list can now be used for either plain HTTP or HTTPS access. For transparent HTTPS access, specify the ports in the proxy.cfg file:

[TransparentHTTPS]
HTTPSPort1=<value>
HTTPSPort2=<value>
HTTPSPortn=<value>

If the proxy.cfg file is changed, ensure that proxy.nlm is unloaded and reloaded for the changes to take effect.


Terminal Server Authentication

The terminal server authentication feature solves the problem of authenticating users from clients that share the same address, such as clients behind a NAT, users of a Citrix server, or users of any other terminal server. This solution now also covers HTTPS sites. The feature can differentiate users coming from clients with the same address, as well as from different addresses. Users coming from clients with the same address are shown a different authentication scheme.

To enable the feature, set the following parameters in the proxy.cfg file on the server:

[Extra Configuration]
EnableTerminalServerAuthentication=1
RedirectHTTPSRequest=1

For terminal server authentication, 1 enables the feature and 0 disables the feature. The default is Disabled.

For redirecting HTTPS requests, 1 enables a redirect through JavaScript* and 0 disables the redirect through JavaScript. The default is Enabled.

The authentication address sections shown below limit the addresses to which the new authentication scheme applies.

[Authentication Subnets]
PrivateSubnet1=10.0.0.0/255.0.0.0
PrivateSubnet2=10.4.5.100/255.255.252.0
PrivateSubnet3=164.99.145.98/255.255.252.0
...

[Authentication Ranges]
PrivateRange1=100.25.4.5-100.25.4.60
PrivateRange2=20.1.1.1-20.4.5.25
...

[Authentication Addresses]
PrivateAddr1=24.0.4.5
PrivateAddr2=45.3.45.6
PrivateAddr3=44.5.6.8

All clients identified by the listed subnets, address ranges, and addresses are authenticated with the new scheme. Keep the configuration as small as possible to avoid performance overhead. Optimum performance is gained if each entry in the above sections falls in a separate network ID of classful Internet addresses.
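As an added illustration (not part of the Novell documentation or the proxy's own code), the following Python routine parses the three address sections and the EnableTerminalServerAuthentication flag from proxy.cfg-style text and decides whether a given client address falls inside the configured scope. It uses a constructed sample configuration, honours the documented default of 0 for the flag, and assumes that a subnet entry such as 164.99.145.98/255.255.252.0 is matched after masking off the host bits.

```python
import ipaddress
from configparser import ConfigParser

# Constructed sample of the proxy.cfg sections described above; not a real server's file.
SAMPLE_PROXY_CFG = """
[Extra Configuration]
EnableTerminalServerAuthentication=1
RedirectHTTPSRequest=1

[Authentication Subnets]
PrivateSubnet1=10.0.0.0/255.0.0.0
PrivateSubnet2=164.99.145.98/255.255.252.0

[Authentication Ranges]
PrivateRange1=100.25.4.5-100.25.4.60

[Authentication Addresses]
PrivateAddr1=24.0.4.5
"""


def _values(cfg, section):
    """All values of a section, in file order, or [] if the section is absent."""
    return [v.strip() for _, v in cfg.items(section)] if cfg.has_section(section) else []


def load_auth_scope(cfg_text):
    """Parse the flag and the three address sections into (enabled, subnets, ranges, addresses).

    Subnets are address/netmask (host bits masked off, an assumption of this example),
    ranges are first-last (inclusive), addresses are single IPv4 addresses.
    """
    cfg = ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep PrivateSubnet1 etc. exactly as written
    cfg.read_string(cfg_text)
    # Documented default: terminal server authentication is disabled (0).
    enabled = cfg.get("Extra Configuration", "EnableTerminalServerAuthentication", fallback="0") == "1"
    subnets = [ipaddress.ip_network(v, strict=False) for v in _values(cfg, "Authentication Subnets")]
    ranges = []
    for v in _values(cfg, "Authentication Ranges"):
        first, last = (ipaddress.ip_address(p.strip()) for p in v.split("-", 1))
        if first > last:
            raise ValueError(f"range {v!r} runs backwards")
        ranges.append((first, last))
    addresses = [ipaddress.ip_address(v) for v in _values(cfg, "Authentication Addresses")]
    return enabled, subnets, ranges, addresses


def uses_terminal_server_auth(cfg_text, client_ip):
    """True if the feature is enabled and client_ip is in a configured subnet, range or address."""
    enabled, subnets, ranges, addresses = load_auth_scope(cfg_text)
    ip = ipaddress.ip_address(client_ip)
    if not enabled:
        return False
    return (any(ip in net for net in subnets)
            or any(first <= ip <= last for first, last in ranges)
            or ip in addresses)
```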


Proxy Authentication for Clients with the Same Address

  1. Log in to the Novell BorderManager 3.8 proxy.

  2. On logging in successfully, a prompt is displayed. Copy the number displayed in the script prompt to the Clipboard, then click OK.

  3. Paste the number in the username or the password field of the browser's proxy authentication dialog box.

    From now on, any Web access from the same window or from a window launched using Ctrl-N does not require you to authenticate again.

  4. Set the browser configuration to use the proxy server IP address. Use port 8080 for all protocols.

  5. Disable the Bypass Proxy Server for Local Addresses option in the browser. If needed, specify the local Web server IP addresses in the Exception List under the Advanced button.

  6. To make the second login automatic, run pxyauth.exe (located at border/public on the product CD) on the Citrix server or on the clients behind the NAT. This installs browser plug-ins on the system.

    Browser plug-ins are available only for IE on Windows XP/2000 and Netscape 6 on Windows.