Hi,

(Caution - this is being written under extreme duress caused by BM, Transparent Proxy, Proxy.cfg, lack of sleep and lack of time...)

(To any Novell engineers lurking: AAAARRRGGGGHH! Please get Transparent Proxy working, please..)

There, I feel a little bit better now.

Okay now maybe you, gentle reader, can help me - even if it is only to tell me that the situation is truly beyond hope. I am trying to get Transparent Proxy to work with SSO and SSL and a couple of basic rules.

First the specifics of our setup (hardware, software, wetware), then the symptoms/behaviour with this setup, and finally I'll paste in the proxy.cfg as it currently exists in case there is something(s) wrong with the settings.

I. The Setup
A. Software
NetWare 6sp3 (overlay CD install) + BM3.7 + BM3.7sp2 + BM3.7fp3 +
TCP607jBeta (using Domestic stack). IE 5.5 and 6.0

B. LAN Layout
3 NICs, 3 subnets as follows: Public subnet 142.x.x.x connects to a Cisco router and thus to the internet; Private subnet 206.x.x.x for staff/admin logging into the network with Client32 and running clntrust.exe; Private subnet 10.x.x.x for clientless workstations/laptops.

C. BM Configuration
1. Effective Access Control Rules
What I am trying to accomplish is to allow anyone, without authenticating, full access to the websites at OUC. These websites are all on the Public side of the BorderManager server. The second goal is to require authentication, either via SSO (i.e. clntrust.exe) or SSL, to access any other page, which is currently limited to www.novell.com.

Allow, Any, Specified URL List
http://*.ouc.bc.ca/*
http://*.ouc.bc.ca:443/*
https://*.ouc.bc.ca/*
https://*.ouc.bc.ca:443/*
Allow, admin.ouc, URL http://www.novell.com/*
Deny, Subnet 10.0.0.1/255.0.0.0, URL Any
Deny, Any, any, Any (default rule)

2. Sys:\etc\hosts (hostname file is identical)
206.x.x.x bm-test bm-test.ouc.bc.ca
10.0.0.1 bm-test

3. BorderManager Setup Pages from NWAdmin32
DNS Proxy - Enabled, DNS servers on the Public network
Transparent HTTP Proxy - Enabled, Port Monitored 80, 443
Authentication Settings
SSO Enabled
Time to Wait : 5 Seconds
SSL Enabled
Listening Port : 444
Key ID : SSL CertificateIP (created during NW6 install)
Notification Page : HTML
Authenticate Only When Restricted Page Accessed Enabled
Enforce Access Rules Enabled

4. Proxy.cfg Settings
[TransparentHTTPS]
HTTPSPort1=443

[BM Cookie]
BM_Forward_Cookie=0

[HTTP Streaming]
ResetOrginServerConnAfterClientReset=1

[Extra Configuration]
HTTPSAuthenticationSwitch=0
ResolveProxyIPAddress=0
new302Redirect=1
AllowHTTPTunneling=0
SCacheDestroyYieldInterval=200
DoNotSendExtraCRLF=1
EnableIncomplete302ResponseFix=1
DoNotCacheWhenCookieFound=1
PassContentLength=0
IgnoreContentLength=1
IgnoreContentLengthCheck=1
OC_IgnoreContentLengthFlag=1
AckWithNoDataOnSYN=1
IgnoreDuplicateChill=1
RestartTimeoutAfterEverySend=1
TurnOffPersistantPassThru=1
EnableNoCachePassThru=1
TransparentProxySupportsVirtualServers=1
DiscardAcceptRanges=1
ResetOrginServerConnAfterClientReset=1
CodeRedWorkAround=1
DoNotCreateFullyQualifiedHostNames=1
DoNotSaveMemoryCacheDuringUnload=1
UseSimplifiedErrorPage=1
TreatLeftArrowAsHeaderBodySeparator=0
II. The Symptoms/Problems
A. Clientless, not Authenticated
WORKING
- Permitted HTTP sites, eg www.ouc.bc.ca
- Permitted HTTPS sites, eg https://mail.ouc.bc.ca/exchange

BROKEN
- Restricted HTTP sites, eg www.novell.com, yield a "Page Not Found" after a long timeout.

I've determined that this is due to a problem with the TransparentHTTP Proxy using the Public IP in the redirect. If I disable filters then the Authentication page comes up fine. However, using the regular HTTP Proxy (on port 8080) with Filters enabled, the Authentication page comes up just fine - even though it is pulling it from the Public 142.x IP address....

- ONE PERMITTED HTTP site, http://pipeline.ouc.bc.ca. This site uses a javascript function via an https url (SRC="https://pipeline.ouc.bc.ca/js/emptySecure.js"). The end result is that the proxy then attempts to perform authentication, which should not be needed if I got my rules right - right?

- Denied HTTPS sites, eg solutions.sirsi.com, yield the Authentication page with the private 206.x address in the browser's Address field and the infamous 206.x:1959/data/bmaok.html address in the html form Destination field.

I understand from my copious reading of Novell TIDs (must be about 200) that this is standard behaviour for the HTTP and TransparentHTTP Proxies - to not supply the real URL for the Destination when the initial site requiring Authentication is an HTTPS site. But I'd be really happy if I was wrong and there is a fix/workaround.

B. CLIENT32, Authenticated via SSO/clntrust.exe - logged in as admin
WORKING
- Everything that is working and broken in the clientless setup.

BROKEN
- Allowing access to Denied HTTPS sites, eg solutions.sirsi.com. This should be denied by the default deny any rule.

So anyone have any explanation as to why this is happening - or better yet, how to get it to work. I'd really like to get the TransparentHTTP working.

Thanks for your help, and for reading all the way through this long dry post (151 lines!).

Ron Neilly
Okanagan University College