How to Configure Terminal Server Authentication for BorderManager

  • 3559419
  • 20-Dec-2007
  • 16-Mar-2012

Environment

Novell BorderManager 3.7
Novell BorderManager 3.8
Novell NetWare 6.0
Novell NetWare 5.1

Situation

xecHow to Configure Terminal Server Authentication for BorderManager

Resolution

Novell BorderManager EE 3.6 proxy solved the problem of authenticating users from the same-address clients "Cookie Based Authentication" including clients such as these:

Clients behind NAT
Clients from a Citrix server
Clients from any other Terminal server
However the solution was not complete and could not work with HTTPS sites. Since then, this feature has often been requested from customers. As the first step in solving this problem, Novell BorderManager 3.7 SP1 will include the capability to differentiate between users from same-address clients and those from different addresses. Users coming from same-address clients will be shown a different authentication scheme.

Configurations in Proxy.cfg

The following switches have been added to facilitate the enabling and disabling of the feature.

Switch

Section

Values Integer

EnableTerminalServerAuthentication

Extra Configuration

1 Enable this feature

0 Disable the feature

Default Disabled

RedirectHTTPSRequest

Extra Configuration

1 Enable redirect through Javascript for redirecting HTTPS site

0 Disable redirect through javascript

Default Disabled



For example, the PROXY.CFG would look like:

[Extra Configuration]
EnableTerminalServerAuthentication=1
RedirectHTTPSRequest=1

The following switches are used to configure the source subnets, IP address ranges and IP addresses of the BorderManager clients.
Here are the configuration parameters:


[Authentication Subnets]
PrivateSubnet1=10.0.0.0/255.0.0.0
PrivateSubnet2=10.4.5.100/255.255.252.0
PrivateSubnet3=164.99.145.98/255.255.252.0
...

[Authentication Ranges]
PrivateRange1=100.25.4.5-100.25.4.60
PrivateRange2=20.1.1.1-20.4.5.25
...


[Authentication Addresses]
PrivateAddr1=24.0.4.5
PrivateAddr2=45.3.45.6
PrivateAddr3=44.5.6.8


All clients identified from the above subnets/addresses/address ranges will need to undergo a separate authentication scheme, described in the following section. This configuration needs to be kept as small as possible to avoid performance overhead. Optimum performance is gained if each entry in the above section occurs in a separate Network ID of CLASSed internet addresses. Do NOT overlap configuration i.e. if you have a addresses already included in the [Authentication Subnets] section you do not define it again in [Authentication Addresses]. Nor are all three Authentication sections necessary in the PROXY.CFG file. If "Subnets" covers all the BorderManager clients then just use it.

Finish the configuration:

1. Download and apply PXYAUTH.EXE plugin from BM37FP3b.exe (from support.novell.com). The .dll within can be installed to the Workstation or Terminal server. (Without this .dll, the user will get a second prompt for information). The typical configuration would be to install the .dll to the Windows Terminal/CITRIX server. If CITRIX is not installed to the C: drive you may need to manually copy them to the correct location. Installing the .EXE only works to C:.

2. Enable/configure Proxy SSL Authentication under NwAdmin | BorderManager Setup | Authentication Context | Authentication

3. Make sure to set Browser config to use Proxy Server IP address, use same port 8080 for all Protocols. Transparent Proxy is NOT supported with this configuration.

4.Make sure to set Browser Disable the"Bypass proxy server for local addresses". If needed, enter local web server IP addresses in the Exception List in Advance button.

Using the configuration above, the user will be prompted for a normal BorderManager SSL Authentication. If PXYAUTH.EXE is NOT used the user will receive another prompt to cut-and-paste information that is presented. If PXYAUTH.EXE has been installed and the user is still receiving the additional prompt, check the following:

1. Make sure that the PXYAUTH.EXE are in the Windows | System32 directory. If CITRIX did not install to C: they will not be...and must be manually copied to the install directory.

2. If there is a NAT device between the Client and the Citrix/Terminal server, PXYAUTH.EXE must be installed on each client.

3. Make sure that the Clients IP Address is specified in the PROXY.CFG file in the "Authentication" section of choice.

4, Some Anti-Virus protection software(such as McAfee ) can stop PXYAUTH.EXE/IPHELPER.DLL working. Ensure to setup a exception policy for it to work.


.

Additional Information

Also see the Terminal Server Authentication document on the Cool Solutions web page that includes detailed screen shots

Formerly known as TID# 10078047

Feedback service temporarily unavailable. For content questions or problems, please contact Support.