BorderManager PROXY.CFG and PROXY.NLM Options

  • 3988333
  • 05-Dec-2007
  • 26-Apr-2012

Environment

Novell BorderManager 3.5
Novell BorderManager 3.6
Novell BorderManager 3.7
Novell BorderManager 3.8
Novell BorderManager 3.9

Situation

BorderManager PROXY.CFG and PROXY.NLM Options

Resolution

Proxy Command Line options:

LOAD PROXY -? - Gives available options for production build
LOAD PROXY -cc - Clears Cache
LOAD PROXY -m - Enables SMTP Retries when multiple MX entries exist
LOAD PROXY -el[xxxx] - Sets The Event Log Size - Only available in debug builds with special flag set
LOAD PROXY -nl - No license check performed - again, only available on debug builds


PROXY.CFG File and explanation of options:

[Buffer Tracking] (Debugging stuff from Engineering. Do not enable unless instructed to do so)
Enable=0
Hot_Cache_Size_in_K=8192
Pool_32_Size_in_K=0
Pool_64_Size_in_K=8192
Pool_96_Size_in_K=0
Pool_128_Size_in_K=0
Pool_160_Size_in_K=0
Pool_192_Size_in_K=0
Pool_224_Size_in_K=0
Pool_256_Size_in_K=0
Pool_288_Size_in_K=0
Pool_320_Size_in_K=0
Pool_352_Size_in_K=0
Pool_384_Size_in_K=0
Pool_416_Size_in_K=0
Pool_448_Size_in_K=0
Pool_480_Size_in_K=0
Pool_512_Size_in_K=0

************************************************************************

[Internal Error]
EnterDebugger=1 (0 to disable)
// Any time proxy detects an internal error, the server is put straight into the debugger rather than continuing with normal processing. This parameter should only be applied at the request of NTS engineers. A typical symptom of when to turn this on would be a fatal error message after which PROXY.NLM unloads and re-loads. Turn this parameter on, then get a coredump when the server enters the debugger.

CheckHotNodeLists=1
//enables hot node list checking. Works with PXY012_***SBS***_Debug_2 (PROXY.NLM dated 3/15/01 and later). Use with discretion as it is CPU intensive. Whenever the lists are checked and an error condition is detected, the function will call InternalConsistencyError, which is why the EnterDebugger needs to be set to 1. A new '61' screen counter has been added: Check Lists complete.

************************************************************************

[Extra Configuration]

SendHTTP11Request=1 (0 to disable) (Default=0)
//Will pass through HTTP 1.1 content without touching it. Because BorderManager is not fully HTTP 1.1 compatible, this switch may fix issues you are having with HTTP 1.1 sites.
After bm38sp5 support pack, it is recommended to have this switch set to 1.

TransparentProxySupportsVirtualServers=1 (0 to disable) (Default=0)
//Allows access to virtual servers / hosts when using transparent proxy, without using the IP address; works better with SurfControl. Requires PXY014 build or later.

DoNotCacheWhenCookieFound=1 (0 to disable) (Default=1)
// Proxy would split replies if two incoming requests, going to the same site, contained a cookie and the requests were processed at the same time by the proxy. Enabled by default in PXY012 build and later.

DoNotSaveMemoryCacheDuringUnload=1 (0 to disable) (Default=0)
// Proxy does not write nodes in memory to disk at unload time thereby speeding up unload time. Requires PXY015 or later.

SCacheDestroyYieldInterval=200
//In some cases proxy causes an abend while unloading. The issue was with proxy not yielding the CPU for a long interval while the cache destroy function is clearing up the cache at proxy unload time. Increase this value in the proxy.cfg file if proxy takes a long time to unload. Unload and reload proxy for the change to take effect.

ResBadAddressLoopBreak=1 (0 to disable) (Default=0)
//Unload proxy.nlm hang or ABEND @ PROXY.NLM|RES_BadAddressListCleanUp

IgnoreDuplicateChill=1 (0 to disable) (Default=1)
//Prevents many abends. Enabled by default in PXY012 build and later.

EnableNoCachePassThru=1 (0 to disable) (Default=0)
// Certain Web sites e.g. www.streamer.com not working through our HTTP Proxy because requested pages are not applying the content length header on non-cachable pages. Requires PXY015 or later.

SaveProxyPerformanceData=1 (0 to disable) (Default=0)
// For development information gathering only.

TurnOffPersistantPassThru=1 (0 to disable) (Default=1)
// Predecessor to EnableICSPassThruFix=1. Enabled by default in PXY012 build and later.

EnableICSPassThruFix=1 (0 to disable) (Default=1)
// Major performance enhancement that allows persistent connections to origin servers when pass through mode enabled.
Enabled by default in PXY012 build and later.

UseSimplifiedErrorPage=1 (0 to disable) (Default=0)
// IE 5.x fails to display Proxy error correctly when the error page contains more than 1kB of data. With this parameter enabled the proxy will return a separate proxy error page with less than 1kb of data. Requires PXY023 or later.

RestartTimeoutAfterEverySend=1 (0 to disable) (Default=0)
// The keep alive parameter is not being processed correctly and proxy applications are being reset prematurely. This parameter will make sure that these connection resets will not occur prematurely. Enabled by default in PXY012 build and later.

DisableConnectRequest=1 (0 to disable) (Default=0)
// Proxy will deny any HTTP CONNECT request or HTTPS connect request that is enabled by selecting the tunnel option in a MAC browser. Without this enabled a MAC browser can bypass CyberPatrol Access Control Rules by checking the "Tunnel" option. Requires PXY014 or later.

DoNotResolveNamesBeforeGoingThruHierarchy=1 (0 to disable) (Default=1)
//Allows the parent to do all DNS resolution. Requires PXY023 or later.

IcpBypassOrigin=1 (0 to disable) (Default=0)
//If an ICP hierarchy with "Must Forward Thru Hierarchy" is not enabled, the proxy does not forward CONNECT requests. To change this behaviour set to 1. Requires Bm36SP2a or BM37SP2 or later.

DiscardAcceptRanges=1 (0 to disable) (Default=0)
//enables viewing of PDF files through the Netscape browser if running AcrobatReader 4.X. ( 5.X does not have this problem.) Requires PXY023 or later.

DisableDNSCheckup=1 (0 to disable) (Default=0)
//disables the persistent DNS checks that are made when a DNS server is down. Requires PXY014 or later.

DoNotCreateFullyQualifiedHostNames=1 (0 to disable) (Default=0)
//fixes an issue where fully distinguished names are not added to the DNS cache by default. If an HTML page being accessed thru the proxy has an href to a host (not in the FQN format), it will not get redirected correctly. To get around the problem, one needs to enable the above command, and add an entry to the local etc/hosts file mapping it to a valid IP address. Requires PXY023 or later.

EnableTCPDNSProxy=1 (0 to disable) (Default=0)
//0 = Drop all DNS requests which come in via TCP.
1 = Occasionally ABEND when processing a DNS request that came in via TCP. Requires PXY023 or later.

ResolveProxyIPAddress = 1 (0 to disable) (Default=1)
//Default behaviour is to send an SSL authentication redirect to a host name instead of an IP address. Set to 0 to disable this.
Requires PXY023 or later.

PassContentLength=1 (0 to disable) (Default=1)
//allows Microsoft Internet Explorer (IE) 5.x to open .PDF files. Requires PXY015 or later.

AllowSecond220Respond=1 (0 to disable) (Default=0)
//enable the SMTP proxy to encounter two SMTP 220 commands. Requires PXY015 or later.
//This does not have to be added, as it is auto-detected and enforced after BM37FP3a.exe.

DoNotSendBadGatewayErrorPageToClients=1 (0 to disable) (Default=0)
DoNotSendAnyErrorPagesToClients=1 (0 to disable) (Default=0)
//To selectively turn off error pages. Requires PXY017 or later.

IgnoreContentLengthCheck=1 (0 to disable) (Default=0)
//enable a forward proxy to reconnect to a page provided with a content-length. Requires PXY017 or later.

UseSimplifiedErrorPage=1 (0 to disable) (Default=0)
//enables Internet Explorer 5.x to display 403 errors when accessing blocked protocols. Requires PXY023 or later.

HTTPSAuthenticationSwitch=1 (0 to disable) (Default=0)
//To enable PROXY to try and redirect the browser to the domain name of the web server after SSL authentication. Using HTTPS Authentication, the original uri (complete path) is not available as a "GET" request and is not sent by the browser. By default the Proxy will force the user to re-enter the URI. Requires PXY026 or later.

CodeRedWorkAround=1 (0 to disable) (Default=0)
//Proxy will drop invalid Code Red requests when enabled. Requires PXY018 or later.

ScanVirusPatterns=1 (0 to disable) (Default=0)
//Allows PROXY to scan for pre-defined, specific patterns in a request and drop those requests. Requires PXY026 or later. Works in conjunction with the [Virus Pattern Configuration] section.

AllowGTCPProxyToUsePort25=1
// To allow generic TCP proxy to use port 25 as a replacement for mail proxy.
// Set value to 1 to allow generic TCP Proxy to use port 25. 0 to disable.

BM_SMTP_Banner = "Test BM SMTP Banner. Any unauthorized use of this software would lead to legal action against the user"
// To allow Custom SMTP Banner

new302Redirect = 0
// MAC SSL authentication
// 302 redirects exceeding one packet are now understood by MAC IE browsers. Set the switch to 1 to resolve this issue.

AllowHTTPTunneling = 0
// MAC IE HTTP tunneling
// Proxy blocks tunneling of HTTP and FTP traffic, but HTTPS tunneling goes through. In case of an attempted HTTP or FTP tunneling, the software no longer sends back an error page asking the browser settings for HTTP proxy to be changed from tunneling to normal mode.
// Set the switch to 1 to allow HTTP tunneling.

DonotCache4ContEncoding=0
// Accept-encoding header improperly handled
// Proxy caches requests with accept-encoding headers when different browsers make the same request.
// switch prevents the proxy from caching such requests.
//Set the switch to 1 to prevent caching.

noRetryIfPragmaNoCacheHeaderPresent=0
// Prevent Proxy retry to contact origin Web server after 504 timeout.
// Proxy retries to contact origin web server when it gets a 504 error.
// Set the switch to 1 to prevent retry.

TreatLeftArrowAsHeaderBodySeparator=0 (default=0)
// Error: "Page cannot be displayed" when accessing certain web sites through HTTP Proxy, because the response from the proxy server to the browser loses the Location header in a 302 redirect.
// Set the switch to 1 to prevent the error.

noDummySlashUpStream=1
// Malformed CONNECT request sent to back end web server

DonotSendIPToACL =1
// 403 forbidden errors randomly generated after installing bm37sp3.

AckWithNoDataOnSYN=1
// Browser gets a 504 gateway timeout error accessing a web server through proxy, because the proxy's TCP connections to the origin server piggyback the HTTP GET request on the final ACK of the 3-way TCP handshake, which is denied by some types of origin web server.
//Set to 1 to prevent the problem. Also apply the updated TCPIP stack. (default=0)

Line_Terminator=CR/LF
//A switch is provided in the proxy.cfg to specify the line terminator in FTP Proxy. This can be configured as either
Line_Terminator=CR
or
Line_Terminator=LF
(CR for \r termination and LF for \n termination)

OC_IgnoreContentLengthFlag=1 (0 to disable)( Default=0)
//The proxy used to validate the content length header value against the actual value. If any mismatch was found, the proxy did not send this field to the clients. This caused some applications that expect content length to be present (for example, RiverDeep Logal Express) to hang. This switch makes the proxy send the content length header received from the origin server, without any validation.

EnableIncomplete302ResponseFix =1(0 to disable)(Default=0)
//Proxy does not handle incomplete 302 responses. Set this switch to 0 to resolve this issue.

DoNotSendExtraCRLF =1(0 to disable)(Default=0)
//Gateway timeout errors are seen while browsing certain sites. Set the switch to 1 to resolve this issue.

EnableHTTPSLogging=1(0 to disable)(Default=0)
//Enables logging of https requests

EnableTerminalServerAuthentication=1
//The terminal server authentication feature solves the problem of authenticating users from clients with the same address, such as clients behind a NAT, from a Citrix server, or from any other terminal server. Now this solution also includes HTTPS sites. The feature provides the capability to differentiate users from client with the same address, and also from different addresses. Users coming from clients with the same address are shown a different authentication scheme.

For more information about how to configure Terminal Server Authentication, refer to tid10078047


RedirectHTTPSRequest=1(0 to disable)(Default=0)
//Enable redirect through Javascript for redirecting HTTPS sites

Mailproxysupportstransparency=1(0 to disable)(Default=0)
//Mail Proxy Transparency. This feature of Mail proxy works for outgoing mails. Enable the feature when the internal mail domain is public and should not be overwritten by the public domain of the proxy.

ProcessMultipleMXRecordsOfDomain=1(0 to disable)(Default=0)
//Mail proxy can now process multiple MX records. If there is a list of MX records in the DNS requests for the mail domain, proxy can now go to the next record in case of a failover at the first instance using the following parameter in proxy.cfg.
The previous proxy -m has been replaced by this switch in the proxy.cfg file.

SkipHttpReplyHeaderCaseChange=1 (0 to disable)(Default=1)
//The PeopleSoft back end sends back custom HTTP headers that have names in upper case. When proxy sends these headers back to the client, they are sent back in lower case, with the exception of the first character, which is in upper case. This is how Proxy behaves. The end result is that the application is broken, as it is case sensitive and does not recognize these headers. The RFC defines the headers as being case sensitive so theoretically PeopleSoft should change their apps. However, a proxy.cfg option has been created to allow the propagation of the headers through BorderManager to be case sensitive.

SupportLargePostRequest=1 (0 to disable)(Default=0)
//To avoid data read Timeout errors (HTTP 504 Gateway Timeout), when you post large files to remote WebAccess server, set it to 1

EnableAntispamFeature=1 (0 to disable)(Default=0)
//Anti-Spam Support for Mail Proxy
It works in conjunction with the new section [Antispam Domain List].

LogUserNameInExtendedLog=1 (0 to disable)(Default=0)
//The extended log does not show the user name. To show it, enable this switch.

CustomErrorPages=1 (0 to disable)(Default=0)
//To get the Custom Logout page, when you logout through http://x.x.x.x:1959/cmd/BM-Logout.

IncomingMultiDomainSupport=1
//Enable Mail proxy to proxy multiple domains

noIcpParentDownAlert=1 (0 to disable)(Default=0)
//To disable ICP parent down alert, in the system console set the following parameters to 1. The frequency of ICP parent down alert is now displayed in the ICP statistics screen.

EnableSendListBeforeData =1 (0 to disable)(Default=0)
//Accessing a remote WinFTP server using BorderManager. If FTP to a remote WinFTP server using BorderManager fails, change this setting to 1.

skipAuthForViaHeader=1 (0 to disable)(Default=0)
// Authentication to proxy is bypassed when coming through another proxy. This setting must be configured in the proxy.cfg file to enable proxy to skip authentication when the request is coming through another proxy. By default, proxy will request authentication.

fixSecondTimeScheduling=1 (0 to disable)(Default=0)
//Increase in ECB used by proxy. Set it to 1 to prevent it.

enableCacheInVersionDowngrade=1 (0 to disable)(Default=0)
//Proxy caching is not done when the browser sends requests with HTTP version 1.1 and the web server responds with HTTP version 1.0. To enable caching, set it to 1.


Note:

If you are not sure the result is correct and want to verify whether settings are enabled or disabled, go to the proxy console, where you'll see a screen with 24 options. Type 63 and you'll get a new screen where all the proxy.cfg settings are reflected. You can then verify whether the setting has the correct value.

************************************************************************

Customizing Grace Login dialog box

With proxy.nlm 5.10.4 ( bm38sp5_ir1), a new grace login feature is present.

[Extra Configuration]

GraceLoginNotification =1

GraceLoginText="Enter a customization grace login text here"

PwdChangeURL="Enter the URL for changing the password"

NOTE: The URL is a redirect link to the software used for changing the password in eDirectory. BorderManager lacks the capability to change the password in eDirectory. For example, the software can be Novell IDM or any similar 3rd party software.

**************************************************************************************************************

[Virus Pattern Configuration]
***Add patterns under here*** (See ReadMe for Proxy Update Patch PXY026.EXE --or later -- for details.)

************************************************************************

Transparent HTTPS proxy

Proxy provides HTTPS access to clients in
a transparent proxy setup. The ports in
Transparent HTTP monitored list can now
be either used for plain HTTP or HTTPS
access.

A new switch has been added to resolve this issue.

[TransparentHTTPS]

HTTPSPort1=

HTTPSPort2=

...

HTTPSPortn=

**************************************************************************

X-Authenticated-User header authentication with webwasher is failing

[X-Authenticated-User]
EnableXAuthenticatedUserHTTPHeader=1
LDAPServer=X.X.X.X
LdapTypeUserName=1

**************************************************************************
[Log Format]
Delimiter-Character=space
//To change the delimiter within the common logging format. The word "space" can be changed to "tab" or any single character.

**************************************************************************

[HTTP Streaming]
ResetOriginServerConnAfterClientReset=1
//Allows the RealAudio & RTSP Proxy module to release a disabled "streaming" WinAmp connection. Requires PXY014 or later.

**************************************************************************
[BM Mail Proxy]
BM_Domain=xyz.com
BM_Incoming_Relay=1
BM_Proxy_Domain=mail-proxy.acctg.xyz.com

BM_Domain: The value for this keyword should be the primary domain of the BM proxy (i.e. if your primary registered domain name is xyz.com, this value should be set to xyz.com). This keyword is used by the proxy to check incoming mail for spam relay, i.e. if the domain name in the TO: field of the message does not match the primary domain of the proxy, the proxy will reject the message. NOTE: If "Primary Domain Name" is not specified through NetWare Administrator, then this keyword and a value are required in SYS:ETC\PROXY.CFG or outbound email will not get sent. If "Primary Domain Name" *is* specified, then the BM_Domain field is not necessary.

BM_Proxy_Domain: This field should contain the fully qualified DNS name of the BM proxy. This field is used by the proxy to advertise its correct host name when it sends the HELO command to an SMTP server. This is useful in cases when the target SMTP server is doing a DNS lookup on the advertised hostname in order to avoid spam relay. Though this keyword is optional, if it is not specified, outbound email from the mail proxy may be rejected by the destination SMTP servers. The reason for this is that some SMTP servers do a reverse DNS lookup on the SMTP origin during SMTP session establishment as an anti-spam measure. The recommendation is to specify this keyword with a value.

BM_Incoming_Relay: This field takes integer values of 0 and 1. If this field is set to 1, then the mail proxy will relay email containing a % sign. For example, if it receives a message with TO ADDRESS: johndoe%abc.com@xyz.com, it will relay the message to johndoe@abc.com. If the BM_Incoming_Relay is set to 0, then the proxy will reject all incoming relay requests. By default, it is set to 0 to avoid a spam relay attack.

*************************************************************************

Additional POP3 Server
With this feature, the proxy's secondary IP address is added as a secondary IP address (automatically bound) to the server and the POP3 servers listen in all the mentioned addresses at port 110. This means that multiple POP3 servers can be proxied at the same time. To enable this feature, add the following to proxy.cfg.

[POP3 Additional Servers]
server1=31.0.0.2/164.99.146.124
server2=31.0.0.3/10.0.0.2
server3=31.0.0.4/10.0.0.3
server4=31.0.0.5/10.0.0.4
server5=31.0.0.6/10.0.0.5
server6=31.0.0.7/10.0.0.6
server7=31.0.0.8/10.0.0.7
server8=31.0.0.9/10.0.0.8
server9=31.0.0.10/10.0.0.9

*************************************************************************
The following are the trusted domains when using EnableAntispamFeature=1

[Antispam Domain List]
AntispamDomain1=domain1.com
For Example:
AntispamDomain1=www.cnn.com
AntispamDomain2=www.bbc.com
*************************************************************************
This feature enables the Novell BorderManager 3.8 Mail proxy to proxy multiple domains when IncomingMultiDomainSupport=1. Enabling this feature of mail proxy protects networks with multiple mail domains. The feature works for both incoming and outgoing e-mails. For incoming e-mail you can have multiple internal mail servers proxied by the mail proxy retaining their respective public domains, while outgoing e-mail from private internal domains is proxied with the respective public domains.
For mail proxy multi-domain support the first primary domain is taken from the NWAdmn Mail proxy primary domain. Other primary domain names and corresponding mail server names are added in the sys:\etc\proxy\proxy.cfg file under the section.

[Multiple Domain Support]
MultiDomain1=InternalMailServerName1/PrimaryDomain1
MultiDomain2=InternalMailServerName2/PrimaryDomain2
MultiDomainN=InternalMailServerNameN/PrimaryDomainN
*************************************************************************
[Proxy-Authorization]
UserName=administrator
Password=admin
ProxyReAuthorization=1 (0 to disable)
AlwaysSendAuthorizationToCERNParent=1 (0 to disable)
// PROXY will always send the Proxy-Authorization header when it forwards a request to a CERN parent.
*************************************************************************

[Object Cache]
cut thru no CLH length=0
This setting tells the proxy not to wait for a FIN from the origin server on a non-persistent connection.

*************************************************************************

Restrict HTTP Proxy Tunneling

By default, HTTP proxy allows CONNECT
requests to all ports. This could be a
security threat. The following switch
controls the ports on which tunneling is
allowed.
[Tunneling]
EnableTunnelingControl=1
EnableTunnelingControlLog=1

[HttpTunnelingAllowed]
Port1=
Port2=
...
Portx=

Set switch EnableTunnelingControl=1 to
allow CONNECT requests to listed ports and
port 443. CONNECT requests on all unlisted
ports will be denied.

Set switch EnableTunnelingControlLog=1 to
log all denied ports in
sys:\etc\proxy\tunnel.log.

When EnableTunnelingControl=0 all CONNECT
requests to all ports are allowed. This
could be a security threat.
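
The following Python script is an added example, not part of the original TID or of BorderManager. It parses a PROXY.CFG, computes the CONNECT port allow-list described in this section, and reports the switches documented on this page that widen tunneling, mail relay (BM_Incoming_Relay) or authentication bypass (skipAuthForViaHeader). The sample file is constructed; treating `//` and `;` lines as comments and treating a missing switch as 0 are assumptions.

```python
import re

# Constructed sample PROXY.CFG (not taken from a real server). Section and key
# names are the ones documented on this page; the port numbers are made up.
SAMPLE_CFG = """\
[Extra Configuration]
skipAuthForViaHeader=1
AllowHTTPTunneling = 0

[BM Mail Proxy]
BM_Domain=xyz.com
BM_Incoming_Relay=1

[Tunneling]
EnableTunnelingControl=1
EnableTunnelingControlLog=0

[HttpTunnelingAllowed]
Port1=8443
Port2=563
"""

# (section, key, what the page says happens when the switch is 1)
RISKY_WHEN_SET = [
    ("BM Mail Proxy", "BM_Incoming_Relay", "user%domain@... recipients are relayed"),
    ("Extra Configuration", "skipAuthForViaHeader",
     "requests arriving through another proxy skip authentication"),
    ("Extra Configuration", "AllowHTTPTunneling", "HTTP tunneling is allowed"),
]

def parse_cfg(text):
    """Parse PROXY.CFG text into {section: {key: value}} with lower-cased names."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("//", ";")):  # assumption: comment lines
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = cfg.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section[key.strip().lower()] = value.strip()
    return cfg

def flag(cfg, section, key):
    """Integer value of a switch; a missing or non-numeric switch counts as 0."""
    m = re.match(r"\d+", cfg.get(section.lower(), {}).get(key.lower(), ""))
    return int(m.group()) if m else 0

def allowed_connect_ports(cfg):
    """Set of ports CONNECT may reach, or None when every port is allowed."""
    if not flag(cfg, "Tunneling", "EnableTunnelingControl"):
        return None
    ports = {443}  # always allowed once tunneling control is on
    for key, value in cfg.get("httptunnelingallowed", {}).items():
        if re.fullmatch(r"port\d+", key) and value.isdigit():
            ports.add(int(value))
    return ports

def audit(cfg):
    """Return findings for switches that widen relay, tunneling or auth bypass."""
    findings = []
    if allowed_connect_ports(cfg) is None:
        findings.append("EnableTunnelingControl=0: CONNECT is allowed to all ports")
    elif not flag(cfg, "Tunneling", "EnableTunnelingControlLog"):
        findings.append("EnableTunnelingControlLog=0: denied CONNECT ports are not logged")
    for section, key, effect in RISKY_WHEN_SET:
        if flag(cfg, section, key):
            findings.append(f"{key}=1: {effect}")
    return findings

if __name__ == "__main__":
    cfg = parse_cfg(SAMPLE_CFG)
    print(sorted(allowed_connect_ports(cfg)))
    print("\n".join(audit(cfg)))
```

Settings can also be confirmed on the live server through the proxy console screen 63 mentioned in the Note above.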

*************************************************************************

HTTP Proxy logging on NsureAudit server

To enable HTTP Proxy logging on Nsure Audit
Server, set the following configuration in the
proxy.cfg file

[Nsure Audit]

Enable=1
EnableUserAgentLogging=1
EnableErrorMessageDisplay=1

Description of the above flags:

Enable=1: Enables the Nsure Audit logging

EnableUserAgentLogging=1: Logs the UserAgent
information.

EnableErrorMessageDisplay=1: Displays Nsure Audit
initialization error messages on the server console.




Additional Information


Formerly known as TID# 10059667
