How to Configure Terminal Server Authentication for BorderManager

  • 3559419
  • 20-Dec-2007
  • 16-Mar-2012

Environment

Novell BorderManager 3.7
Novell BorderManager 3.8
Novell NetWare 6.0
Novell NetWare 5.1

Situation

How to Configure Terminal Server Authentication for BorderManager

Resolution

Novell BorderManager EE 3.6 proxy solved the problem of authenticating users from same-address clients with "Cookie Based Authentication", including clients such as these:

  • Clients behind NAT
  • Clients from a Citrix server
  • Clients from any other Terminal server

However, the solution was not complete and could not work with HTTPS sites. Since then, this feature has often been requested by customers. As the first step in solving this problem, Novell BorderManager 3.7 SP1 will include the capability to differentiate between users from same-address clients and those from different addresses. Users coming from same-address clients will be shown a different authentication scheme.

Configurations in Proxy.cfg

The following switches have been added to facilitate the enabling and disabling of the feature.

Switch                              Section              Values (Integer)
EnableTerminalServerAuthentication  Extra Configuration  1 = Enable this feature
                                                         0 = Disable this feature
                                                         Default: Disabled
RedirectHTTPSRequest                Extra Configuration  1 = Enable redirect through JavaScript for redirecting HTTPS sites
                                                         0 = Disable redirect through JavaScript
                                                         Default: Disabled

For example, the PROXY.CFG would look like:

[Extra Configuration]
EnableTerminalServerAuthentication=1
RedirectHTTPSRequest=1

The following switches are used to configure the source subnets, IP address ranges and IP addresses of the BorderManager clients. Here are the configuration parameters:

[Authentication Subnets]
PrivateSubnet1=10.0.0.0/255.0.0.0
PrivateSubnet2=10.4.5.100/255.255.252.0
PrivateSubnet3=164.99.145.98/255.255.252.0
...

[Authentication Ranges]
PrivateRange1=100.25.4.5-100.25.4.60
PrivateRange2=20.1.1.1-20.4.5.25
...

[Authentication Addresses]
PrivateAddr1=24.0.4.5
PrivateAddr2=45.3.45.6
PrivateAddr3=44.5.6.8

All clients identified from the above subnets/addresses/address ranges will need to undergo a separate authentication scheme, described in the following section. This configuration needs to be kept as small as possible to avoid performance overhead. Optimum performance is gained if each entry in the above sections falls in a separate network ID of classful internet addresses. Do NOT overlap the configuration, i.e. if an address is already included in the [Authentication Subnets] section, do not define it again in [Authentication Addresses]. Nor are all three Authentication sections necessary in the PROXY.CFG file: if "Subnets" covers all the BorderManager clients, just use it.
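To check a PROXY.CFG against the rules above (which clients fall under the separate scheme, and whether any entries overlap), here is an added Python example; it is not Novell code, and the interval match rule and the way a subnet's host bits are masked off are assumptions about how the proxy interprets these sections.

```python
import ipaddress
from configparser import ConfigParser

# Constructed PROXY.CFG excerpt using the sections described in this article.
# PrivateAddr2 deliberately overlaps PrivateSubnet1 to show the overlap check.
PROXY_CFG = """
[Extra Configuration]
EnableTerminalServerAuthentication=1
RedirectHTTPSRequest=1

[Authentication Subnets]
PrivateSubnet1=10.0.0.0/255.0.0.0
PrivateSubnet2=164.99.145.98/255.255.252.0

[Authentication Ranges]
PrivateRange1=100.25.4.5-100.25.4.60

[Authentication Addresses]
PrivateAddr1=24.0.4.5
PrivateAddr2=10.4.5.100
"""

AUTH_SECTIONS = ("Authentication Subnets", "Authentication Ranges", "Authentication Addresses")

def _interval(section, val):
    """Map one entry to an inclusive (first, last) pair of integer addresses."""
    if section == "Authentication Subnets":
        net = ipaddress.IPv4Network(val, strict=False)  # host bits masked off (assumed)
        return int(net.network_address), int(net.broadcast_address)
    if section == "Authentication Ranges":
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in val.split("-"))
        return lo, hi
    a = int(ipaddress.IPv4Address(val))
    return a, a

def parse_auth_entries(text):
    """Return [(section, key, first, last)] for whichever Authentication sections exist."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case such as PrivateSubnet1
    cp.read_string(text)
    entries = []
    for section in AUTH_SECTIONS:
        if not cp.has_section(section):
            continue  # the article says not all three sections are required
        for key, val in cp.items(section):
            entries.append((section, key) + _interval(section, val))
    return entries

def needs_terminal_server_auth(entries, client_ip):
    """True when the client falls in any entry, i.e. gets the separate scheme."""
    a = int(ipaddress.IPv4Address(client_ip))
    return any(lo <= a <= hi for _, _, lo, hi in entries)

def find_overlaps(entries):
    """Pairs of entry keys whose intervals overlap, which the article says to avoid."""
    return [(k1, k2) for i, (_, k1, lo1, hi1) in enumerate(entries)
            for _, k2, lo2, hi2 in entries[i + 1:] if lo1 <= hi2 and lo2 <= hi1]
```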

Finish the configuration:

1. Download and apply PXYAUTH.EXE plugin from BM37FP3b.exe (from support.novell.com). The .dll within can be installed to the Workstation or Terminal server. (Without this .dll, the user will get a second prompt for information). The typical configuration would be to install the .dll to the Windows Terminal/CITRIX server. If CITRIX is not installed to the C: drive you may need to manually copy them to the correct location. Installing the .EXE only works to C:.

2. Enable/configure Proxy SSL Authentication under NwAdmin | BorderManager Setup | Authentication Context | Authentication

3. Make sure the browser is configured to use the Proxy Server IP address, with the same port 8080 for all protocols. Transparent Proxy is NOT supported with this configuration.

4. Make sure the browser has "Bypass proxy server for local addresses" disabled. If needed, enter local web server IP addresses in the Exception List under the Advanced button.

Using the configuration above, the user will be prompted for a normal BorderManager SSL Authentication. If PXYAUTH.EXE is NOT used the user will receive another prompt to cut-and-paste information that is presented. If PXYAUTH.EXE has been installed and the user is still receiving the additional prompt, check the following:

1. Make sure that the PXYAUTH.EXE files are in the Windows | System32 directory. If CITRIX did not install to C:, they will not be there and must be manually copied to the install directory.

2. If there is a NAT device between the Client and the Citrix/Terminal server, PXYAUTH.EXE must be installed on each client.

3. Make sure that the client's IP address is specified in the PROXY.CFG file in the "Authentication" section of choice.

4. Some anti-virus software (such as McAfee) can stop PXYAUTH.EXE/IPHELPER.DLL from working. Set up an exception policy so that it can work.

Additional Information

Also see the Terminal Server Authentication document on the Cool Solutions web page, which includes detailed screen shots.

Formerly known as TID# 10078047