Setting Up Proxy Authentication

IMPORTANT:  An additional method of authentication is available for proxy server users. Proxy server users can use security devices such as hardware tokens in addition to using an NDS or eDirectory password. Login policies defining the authentication rules and access methods required for remote users to authenticate are stored in the NDS or eDirectory Login Policy object.


Setting Up HTTP Proxy Authentication

Proxy authentication for HTTP proxy and HTTP acceleration (reverse and forward HTTP proxy) is set up as follows:

You can enable HTTP proxy NDS or eDirectory authentication and require all users to authenticate with their browsers before they access the proxy server and the Internet.

Proxy authentication consists of a username and a password. The proxy authentication password is the same as a user's NDS or eDirectory authentication password. Any type of browser client can be authenticated: Windows 98, Windows 2000, Windows XP, Windows Me, Windows NT, UNIX, OS/2*, or Macintosh*.

If proxy authentication is enabled and both single sign-on and SSL are enabled, the proxy server will first try to authenticate the user through single sign-on. If the single sign-on attempt fails or is not enabled, the proxy server will attempt authentication using SSL.

Single sign-on is successful only when the client machine is running the Novell Client 32 software and has logged in to NDS or eDirectory. The client machine must also be running dwntrust.exe and clntrust.exe. These files are located in the sys:public directory on the server.

To set up HTTP proxy authentication:

  1. In NetWare Administrator, select the Novell BorderManager 3.8 Setup page for the server.

  2. Click Authentication Context.

  3. From the Authentication tab, select the Enable HTTP Proxy Authentication check box.

  4. Select an authentication scheme: single sign-on or SSL.

  5. For single sign-on, specify the time to wait for a single sign-on reply.

  6. For SSL:

    • SSL Listening Port: Specify the port used for authentication. You might need to change the port number to prevent reverse proxy traffic from conflicting with SSL authentication traffic, because both reverse proxy and SSL traffic default to port 443.

    • Key ID: Specify the key ID exchanged between the client and server for authentication.

      Use the NetWare Administrator PKI Services to change and create key IDs in an NDS or eDirectory tree.

    • Notification Method: Specify whether to send authentication notification in HTML form or as a Java applet.

    • Idle Time: Specify the length of time a connection can remain idle before a new login is required.

  7. Specify whether to authenticate only when the user attempts to access a restricted page.

  8. Click the Context tab.

  9. Click Add, then specify the user's default NDS or eDirectory context and tree name.

    Specify a fully distinguished NDS or eDirectory container name (sales.my_org, for example). The NDS or eDirectory container name can have up to 256 characters. This entry is optional and makes logging in easier for users. Users in the specified container can log in by typing only their login names without the complete context string.

  10. Click OK from the Novell BorderManager 3.8 Setup page.
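Two of the settings above have behaviour that is easier to see in code than in the dialog: the optional default context (step 9), which lets a user in that container log in with a bare login name, and Idle Time (step 6), after which a connection must log in again. The following Python is an added illustrative model written for this page; it is not Novell BorderManager code and makes no claim about how the product stores sessions internally. The function and class names, the 600-second idle limit and the user names in the demo are assumptions; the 256-character limit on the container name is the one stated in the procedure.

```python
"""Illustrative model (not Novell BorderManager code) of two HTTP proxy
authentication settings: the default NDS/eDirectory context that lets users
type only their login name, and the Idle Time after which a proxy session
must re-authenticate. Function and class names are assumptions for this
example; the 256-character context limit is the one stated in the setup steps."""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_CONTEXT_LEN = 256  # container-name limit given in the procedure


def resolve_login_name(typed: str, default_context: str | None) -> str:
    """Return the fully distinguished name for what the user typed.

    A bare login name (no '.') is appended to the configured default context,
    so a user in that container need not type the full context string. A name
    that already carries a context is used exactly as typed. Because the
    default context is optional, a bare name with no context configured stays
    bare and the directory lookup decides whether it exists.
    """
    typed = typed.strip()
    if not typed:
        raise ValueError("empty login name")
    if "." in typed or not default_context:
        return typed
    if len(default_context) > MAX_CONTEXT_LEN:
        raise ValueError(f"default context exceeds {MAX_CONTEXT_LEN} characters")
    return f"{typed}.{default_context}"


@dataclass
class SessionTable:
    """Authenticated proxy sessions with an idle-time cutoff in seconds."""
    idle_limit: float
    _last_seen: dict[str, float] = field(default_factory=dict)

    def login(self, user_dn: str, now: float) -> None:
        """Record a successful authentication at time `now`."""
        self._last_seen[user_dn] = now

    def touch(self, user_dn: str, now: float) -> bool:
        """Record activity for a request at time `now`.

        Returns True if the session is still valid. Returns False, and drops
        the session so the next request must log in again, when the gap since
        the last activity exceeds the idle limit or no session exists.
        """
        last = self._last_seen.get(user_dn)
        if last is None:
            return False
        if now - last > self.idle_limit:
            del self._last_seen[user_dn]
            return False
        self._last_seen[user_dn] = now
        return True


if __name__ == "__main__":
    # Constructed demo values: a default context of sales.my_org (the example
    # container from the procedure) and a 10-minute idle limit.
    dn = resolve_login_name("jsmith", "sales.my_org")
    print(dn)  # jsmith.sales.my_org
    table = SessionTable(idle_limit=600)
    table.login(dn, now=0)
    print(table.touch(dn, now=300))   # True: active within the idle limit
    print(table.touch(dn, now=1500))  # False: idle for more than 600 s
```

The idle clock restarts on every accepted request, so a user who keeps browsing never sees a re-login prompt; only a pause longer than the configured Idle Time forces a new login.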


Session Failover

This new feature allows multiple proxies to share the user's authentication information, so the user does not need to log in again when switching from one proxy to another.

When multiple NBM 3.8 proxies were deployed under load balancing using L4 switches, clusters, DNS round robin and so on, authenticated sessions were not shared. If authentication was enabled, switching between proxies required the user to re-authenticate with the new proxy server.

This problem is solved in the Novell BorderManager 3.8.4 release, in which the proxy provides session failover support for SSL authentication. For session failover, all the proxies must be in a single tree, or in identical trees with a common username for proxy authentication.

For configuration details of the agent components, refer to Configuring Session Failover.


Setting Up HTTP Transparent Proxy Authentication

  1. In NetWare Administrator, select the Novell BorderManager 3.8 Setup page for the server.

  2. Click Authentication Context.

  3. From the Authentication tab, select the Enable HTTP Proxy Authentication check box.

  4. Click the Context tab.

  5. Click Add and specify the user's default NDS or eDirectory context and tree name.

    Specify a fully distinguished NDS or eDirectory container name (sales.my_org, for example). The NDS or eDirectory container name can have up to 256 characters. This entry is optional and makes logging in easier for users. Users in the specified container can log in by typing only their login names without the complete context string.

  6. Click OK from the Novell BorderManager 3.8 Setup page.


Setting Up Telnet Transparent Proxy Authentication

  1. In NetWare Administrator, select the Novell BorderManager 3.8 Setup page for the server.

  2. Click Authentication Context.

  3. From the Authentication tab, select the Enable Transparent Telnet Proxy Authentication check box.

  4. Click the Context tab.

  5. Click Add, then specify the user's default NDS context and tree name.

    Specify a fully distinguished NDS or eDirectory container name (sales.my_org, for example). The NDS or eDirectory container name can have up to 256 characters.

    This entry is optional and makes logging in easier for users. Users in the specified container can log in by typing only their login names without the complete context string.

  6. Click OK from the Novell BorderManager 3.8 Setup page.