I have a changing usage scenario for BM Proxy on my network. Previously I could identify all proxy users by NDS object name using Client32 + clntrust.exe. Now I have unmanaged Mac OS X clients needing to access the proxy. My options are to use SSL Proxy Authentication to prompt them for their eDir credentials, which is not that eloquent of a solution. All of these new users will be in dedicated IP subnets.

So, is it possible for BM 3.9 SP1 IR2 to do what I want:

- An ALLOW Access Rule at Order #1. Source: IP Subnet, Access: HTTP, Destination: Any URL.
- An ALLOW Access Rule at Order #2. Source NDSObject List: Any, Access: HTTP, Destination: URL List.
- A DENY Access Rule at Order #3. Source: ANY, Access: HTTP, Destination: ANY URL.

In my testing, adding this access rule at #1 does not work as I intended. I would expect that any clients from that subnet should not be subject to user-based authentication. However, anything accessing the proxy from that subnet gets a 403 Forbidden NOT LOGGED IN error. If I enable the SSL Authentication page, then it prompts for user credentials.

My theory was that adding the Allow Rule for that user subnet at order #1 would mean that it would hit that rule first and then not attempt any of the user-based rules?

TIA for any advice; it could be saving me from banging my head against the wall wondering why it isn't doing something that it apparently can't do.