Under the heading of "No good deed goes unpunished"...

I upgraded one of our BorderManager proxy servers last night to NW 6.5 SP7 and NBM 3.9 SP1. I also put a modified version of Craig's proxy.cfg file in that I thought had all the right parameters. Included was 'DisableConnectRequest' which I got from TID 3988333. If you look at that TID, it says the following:

DisableConnectRequest=1 (0 to disable) (Default=0)
// Proxy will deny any HTTP CONNECT request or HTTPS connect request that is enabled by selecting the tunnel option in a MAC browser. Without this enabled a MAC browser can bypass CyberPatrol Access Control Rules by checking the "Tunnel" option. Requires PXY014 or later.

OK, says I, I don't want those pesky MAC clients trying to bypass my CyberPatrol, so I set it to '1'. (First Mistake.) Well, this kills ANY LOGIN to an https web site!!! I could not even log in to the Novell forums site! I would immediately get:

"Novell Border Manager Alert: status 503 Status Unavailable. Requested method is not supported on this scheme type".

The TID 3988333 should be re-written so it is clear that this prevents ANY http or https connect request regardless of whether it is a MAC browser or not!!!

I searched for the error in the knowledgebase and there is TID 10065841, which says that "Disable connect request = 1" will do it. So since some of the proxy commands have spaces in them, I searched through proxy.cfg for that string and of course didn't find a match. (Second Mistake.) This is NOT a valid parameter (with the spaces); the TID should be re-written.

Finally by comparing old and new proxies and trying to figure out what changed, I came across DisableConnectRequest and changed its value to '0'. Problem solved!

I've got a trace of the problem taken with pktscan on the NBM server but in this case it appears it is NBM itself that rejects the request when the client tries to log in. I was looking for some error back from the Web Server the client is trying to log into but there isn't any. I guess as soon as the client tries to make the request, NBM returns the 503.

BTW, it is not listed in Craig's proxy and the default value is 0 so that is why it worked before.

So WHEN in the world would you want to set 'DisableConnectRequest = 1'? It looks like it would kill most if not all logins to any web site, regardless of whether you are using a MAC browser or NOT.
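
An added example, not part of the original post and not Novell code: a small audit helper that finds DisableConnectRequest in a proxy.cfg even when searching with the spaced spelling from the TID, and shows which URLs reach a forward proxy as CONNECT and are therefore refused when the setting is 1. The sample file contents, the `SomeOtherSetting` key, the `forums.example` host and the key=value parsing with `;` and `//` comments are assumptions made for illustration.

```python
import re

# Constructed sample, not a real proxy.cfg. SomeOtherSetting is hypothetical.
SAMPLE_CFG = """\
[Extra Configuration]
; constructed sample for illustration
SomeOtherSetting=0
DisableConnectRequest = 1   // copied from a TID
"""

def normalize(name):
    """Fold case and drop whitespace so 'Disable connect request'
    and 'DisableConnectRequest' compare equal."""
    return re.sub(r"\s+", "", name).lower()

def find_setting(cfg_text, wanted):
    """Return (line_no, name_as_written, value) for each line that sets `wanted`."""
    target, hits = normalize(wanted), []
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        line = raw.split("//", 1)[0].strip()      # drop trailing // comment
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue                              # blank, comment or section header
        name, value = line.split("=", 1)
        if normalize(name) == target:
            hits.append((no, name.strip(), value.strip()))
    return hits

def connect_blocked(cfg_text):
    """True if any line sets DisableConnectRequest to 1 (absent means default 0)."""
    return any(v == "1" for _, _, v in find_setting(cfg_text, "DisableConnectRequest"))

def proxied_request_line(url):
    """First line a browser sends to a forward proxy for `url`.
    HTTPS is tunnelled with CONNECT host:port by every browser, not only Mac ones."""
    m = re.match(r"(https?)://([^/:]+)(?::(\d+))?", url)
    scheme, host, port = m.groups()
    if scheme == "https":
        return f"CONNECT {host}:{port or 443} HTTP/1.1"
    return f"GET {url} HTTP/1.1"

def affected(url, cfg_text):
    """Would this URL be refused by a proxy that denies CONNECT?"""
    return connect_blocked(cfg_text) and proxied_request_line(url).startswith("CONNECT ")

if __name__ == "__main__":
    print(find_setting(SAMPLE_CFG, "Disable connect request"))
    for u in ("https://forums.example/login", "http://forums.example/"):
        print(u, "->", proxied_request_line(u), "| refused:", affected(u, SAMPLE_CFG))
```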