transparent proxy times out; manual proxy gives 403

Hello all,

I'm on BM39SP1, NW65SP7 although the problem started much earlier ... 
<g>. I *think* it began with 3.9 upgrade, but it is just inconvenient, 
not a disaster, so I put off doing anything about it and kept on doing 
that until now!

Some time ago, we switched over to Moz FF browser and transparent proxy. 
In doing so, some stations wound up with IE still set up for manual proxy.

What happens is that if one then tries to use IE, it returns 403 
forbidden on all pages, including those on the LAN.

The second issue is that even when authenticated and running CLNTRUST, 
the proxy times out and one has to log in again through the BM login 
page. (Actually, the login page only appears for an HTTPS page, 
otherwise it returns certificate errors and otherwise won't load the 
page, depending on which browser one uses.)

I'd appreciate any help anyone could give me on these two issues.

-- Ken
Ken
8/27/2008 2:28:06 PM
novell.bordermanager.proxies


In article <Wvdtk.1731$gS5.88@kovat.provo.novell.com>, Ken McLeod wrote:
> Some time ago, we switched over to Moz FF browser and transparent proxy. 
> In doing so, some stations wound up with IE still set up for manual proxy.

OK.
> 
> What happens is that if one then tries to use IE, it returns 403 
> forbidden on all pages, including those on the LAN.

The forbidden message has to be coming from access rules.  Should NOT be 
coming if you allow URL's (as opposed to port 80).  But the message should 
give a bit more information as to WHY it was forbidden.  (Access rule, user 
not logged in?)
> 
> The second issue is that even when authenticated and running CLNTRUST, 
> the proxy times out and one has to log in again through the BM login 
> page. 

This sounds like something is misconfigured or there is a serious 
communication error.

> (Actually, the login page only appears for an HTTPS page, 
> otherwise it returns certificate errors and otherwise won't load the 
> page, depending on which browser one uses.)

Certificate errors can be bypassed, or fixed, but should not stop you from 
actually getting authenticated.
> 
> I'd appreciate any help anyone could give me on these two issues.
>
Need more info.

Note: A couple of months ago I found a pretty serious bug in BM 3.9 (I think 
SP1) with Transparent Proxy on port 443.  Soon as you sent it 443 traffic, 
the server abended.  Ended up using a stateful exception for that port for 
the time being (and 3.8 on the backup cluster node).

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***


Craig
8/29/2008 6:03:18 AM
Hi Craig,

Thanks. Sorry about the delay replying ...

>> What happens is that if one then tries to use IE, it returns 403 
>> forbidden on all pages, including those on the LAN.
> 
> The forbidden message has to be coming from access rules.  Should NOT be 
> coming if you allow URL's (as opposed to port 80).  But the message should 
> give a bit more information as to WHY it was forbidden.  (Access rule, user 
> not logged in?)

Our message just says "403 Forbidden" but we do have custom pages so I 
could probably add what is missing to the page, but I thought I had 
included everything from the default error page ... ?

>> The second issue is that even when authenticated and running CLNTRUST, 
>> the proxy times out and one has to log in again through the BM login 
>> page. 
> 
> This sounds like something is misconfigured or there is a serious 
> communication error.
> 
>> (Actually, the login page only appears for an HTTPS page, 

Yes. In fact, when I start getting the certificate errors, I simply 
invoke the BM login page and log in; the certificate errors go away.

> Certificate errors can be bypassed, or fixed, but should not stop you from 
> actually getting authenticated.

It seems that when the timeout occurs, the browser thinks that the proxy 
is delivering the certificate and can't match the internal BM server 
details with the actual host that presented the certificate. Once you're 
authenticated, this problem goes away.

So it is probably, as you say, a misconfiguration - but what? There's 
not really a lot of setting in the iMgr interface.

> Need more info.
> 
> Note: A couple of months ago I found a pretty serious bug in BM 3.9 (I think 
> SP1) with Transparent Proxy on port 443.  Soon as you sent it 443 traffic, 
> the server abended.  Ended up using a stateful exception for that port for 
> the time being (and 3.8 on the backup cluster node).
> 
We're not seeing any abends on the server - in fact NW65SP7/BM39SP1 
might just be the most stable BM server I've ever had! Nothing much 
seems to go wrong - except this, which is fortunately more inconvenience 
than life-threatening! <g>

Cheers,
Ken
Ken
9/1/2008 5:38:41 PM
As an additional note, I have the manual proxy working to the extent 
that it allows http traffic, but all https is blocked.

No rules apply for https except the final "deny any any." Does this mean 
I have to make a rule to allow ALL https traffic in order to get any 
https traffic?

This seems to be a change in behavior - it seems to me that earlier 
versions to 3.7 (?) treated https pretty much the same as http. In fact, 
I used to be able to add rules using the NWAdmin if like:

*://*someurl*/*

but 3.9 forces me to add the same rule as

http://*someurl*/*

so it would seem that the rules do not apply to https except the initial 
default to deny everything.

If so, how is this addressed to provide filtering on https as well?

Tia,
Ken

Ken McLeod wrote:
> Hi Craig,
> 
> Thanks. Sorry about the delay replying ...
> 
>>> What happens is that if one then tries to use IE, it returns 403 
>>> forbidden on all pages, including those on the LAN.
>>
>> The forbidden message has to be coming from access rules.  Should NOT 
>> be coming if you allow URL's (as opposed to port 80).  But the message 
>> should give a bit more information as to WHY it was forbidden.  
>> (Access rule, user not logged in?)
> 
> Our message just says "403 Forbidden" but we do have custom pages so I 
> could probably add what is missing to the page, but I thought I had 
> included everything from the default error page ... ?
> 
>>> The second issue is that even when authenticated and running 
>>> CLNTRUST, the proxy times out and one has to log in again through the 
>>> BM login page. 
>>
>> This sounds like something is misconfigured or there is a serious 
>> communication error.
>>
>>> (Actually, the login page only appears for an HTTPS page, 
> 
> Yes. In fact, when I start getting the certificate errors, I simply 
> invoke the BM login page and log in; the certificate errors go away.
> 
>> Certificate errors can be bypassed, or fixed, but should not stop you 
>> from actually getting authenticated.
> 
> It seems that when the timeout occurs, the browser thinks that the proxy 
> is delivering the certificate and can't match the internal BM server 
> details with the actual host that presented the certificate. Once you're 
> authenticated, this problem goes away.
> 
> So it is probably, as you say, a misconfiguration - but what? There's 
> not really a lot of setting in the iMgr interface.
> 
>> Need more info.
>>
>> Note: A couple of months ago I found a pretty serious bug in BM 3.9 (I 
>> think SP1) with Transparent Proxy on port 443.  Soon as you sent it 
>> 443 traffic, the server abended.  Ended up using a stateful exception 
>> for that port for the time being (and 3.8 on the backup cluster node).
>>
> We're not seeing any abends on the server - in fact NW65SP7/BM39SP1 
> might just be the most stable BM server I've ever had! Nothing much 
> seems to go wrong - except this, which is fortunately more inconvenience 
> than life-threatening! <g>
> 
> Cheers,
> Ken

-- 
Ken McLeod
The Delphian School
http://www.delphian.org
Ken
9/3/2008 4:01:28 PM
Sorry for the slow response.

BMgr should not have changed in how it handles http or https from 
earlier versions.  If you have an allow URL, the URL match should be 
flexible to handle more than port 80.

Specifically blocking or allow https sites has to be done with a 
port-based rule (443) though - you cannot make a URL rule with https in 
it and get it to work.   Tunneling control also comes into play here, 
if https is used on ports other than 443.



Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on 
BorderManager, go to http://www.craigjconsulting.com ***

Craig
9/22/2008 7:38:39 PM
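As an added illustration (not BorderManager's own code, and not something posted in this thread), here is a small Python model of a top-down, first-match access-rule list. It shows why Ken's `http://*someurl*/*` rule lets plain HTTP through but leaves every HTTPS request to the final "deny any any": a browser sends HTTPS through a proxy as a `CONNECT host:port` request, so there is no URL for a URL pattern to match, and only a port-based rule for 443 (as Craig describes) can allow it. The rule and request representations, the reason strings and the sample rule sets are constructed assumptions for the example, not BorderManager syntax.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Rule:
    action: str             # "allow" or "deny"
    kind: str               # "url" (glob on the request URL), "port", or "any"
    pattern: str = ""       # URL glob, e.g. "http://*someurl*/*" (kind == "url")
    port: Optional[int] = None  # TCP port to match (kind == "port")


@dataclass
class Request:
    method: str   # "GET" for plain HTTP, "CONNECT" for an HTTPS tunnel
    target: str   # absolute URL for GET, "host:port" for CONNECT


def request_port(req: Request) -> int:
    """Destination port the proxy would open for this request."""
    if req.method == "CONNECT":
        _, _, port = req.target.rpartition(":")
        return int(port)
    parts = urlsplit(req.target)
    if parts.port:
        return parts.port
    return 443 if parts.scheme == "https" else 80


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.kind == "any":
        return True
    if rule.kind == "port":
        return request_port(req) == rule.port
    if rule.kind == "url":
        # A CONNECT tunnel exposes only host:port to the proxy; the URL inside
        # the encrypted session is never seen, so a URL rule cannot match it.
        if req.method == "CONNECT":
            return False
        return fnmatch.fnmatchcase(req.target, rule.pattern)
    return False


def evaluate(rules: List[Rule], req: Request) -> Tuple[int, str]:
    """First matching rule wins; return (HTTP status, reason for the error page)."""
    for index, rule in enumerate(rules, start=1):
        if rule_matches(rule, req):
            status = 200 if rule.action == "allow" else 403
            return status, f"rule {index}: {rule.action} {rule.kind} {rule.pattern or rule.port or 'any'}"
    # Nothing matched at all: behave like an implicit "deny any any".
    return 403, "no rule matched (default deny)"


# Constructed rule sets. The first mirrors the thread: one URL allow, then deny-all.
RULES_URL_ONLY = [
    Rule("allow", "url", pattern="http://*someurl*/*"),
    Rule("deny", "any"),
]
# The second adds the port-based rule Craig mentions, ahead of the deny-all.
RULES_WITH_443 = [
    Rule("allow", "url", pattern="http://*someurl*/*"),
    Rule("allow", "port", port=443),
    Rule("deny", "any"),
]

if __name__ == "__main__":
    samples = [
        Request("GET", "http://www.someurl.com/index.html"),
        Request("CONNECT", "www.someurl.com:443"),
        Request("GET", "http://www.example.org/"),
    ]
    for name, rules in (("url-only", RULES_URL_ONLY), ("with 443", RULES_WITH_443)):
        for req in samples:
            status, reason = evaluate(rules, req)
            print(f"[{name}] {req.method} {req.target} -> {status} ({reason})")
```

The `reason` string is what a custom 403 page would need to carry so the user can tell an access-rule denial from a missing login, which is the missing detail Craig asks about. Note that the port rule allows 443 to any host, which is exactly why Ken's question ("do I have to allow ALL https traffic?") is the right one to ask before adding it.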