Setting Up Proxy Authentication

IMPORTANT:  An additional method of authentication is available for proxy server users. Proxy server users can use security devices such as hardware tokens in addition to using an NDS or eDirectory password. Login policies defining the authentication rules and access methods required for remote users to authenticate are stored in the NDS or eDirectory Login Policy object.

The following sections provide information about setting up proxy authentication:

  • Setting Up HTTP Proxy Authentication
  • Setting Up HTTP Transparent Proxy Authentication
  • Setting Up Telnet Transparent Proxy Authentication

Setting Up HTTP Proxy Authentication

Proxy authentication for HTTP proxy and HTTP accelerator (reverse and forward HTTP proxy) can be accomplished in the following ways:

You can enable HTTP proxy NDS or eDirectory authentication and require all users to authenticate with their browsers before they access the proxy server and the Internet. Proxy authentication consists of a username and a password. The proxy authentication password is the same as a user's NDS or eDirectory authentication password. Any type of browser client can be authenticated: Windows 98, Windows 2000, Windows XP, Windows Me, Windows NT, UNIX, OS/2, or Macintosh.

If proxy authentication is enabled and both single sign-on and SSL are enabled, the proxy server will first try to authenticate the user through single sign-on. If the single sign-on attempt fails or is not enabled, the proxy server will attempt authentication using SSL.

Single sign-on is successful only when the client machine is running the Novell Client 32 software and has logged in to NDS or eDirectory. The client machine must also be running DWNTRUST.EXE and CLNTRUST.EXE. These files are located in the SYS:PUBLIC directory on the server. For more information about these files and creating login scripts for users to be authenticated using the single sign-on feature, refer to Setting Up the Novell IP Gateway.

To set up HTTP proxy authentication:

  1. In NetWare Administrator, select the Novell BorderManager 3.7 Setup page for the server.

  2. Click Authentication Context.

  3. From the Authentication tab, check the Enable HTTP Proxy Authentication check box.

  4. Select an authentication scheme: single sign-on or SSL.

  5. For single sign-on, enter the time to wait for a single sign-on reply.

  6. For SSL, specify the following parameters:

    • SSL Listening Port---Specify the port used for authentication. You might need to change the port number to prevent reverse proxy traffic from running into SSL traffic. Both reverse proxy and SSL traffic default to port 443.
    • Key ID---Specify the key ID exchanged between the client and server for authentication.

      NOTE:  Use the NetWare Administrator PKI Services to change and create key IDs in an NDS or eDirectory tree.

    • Notification method---Specify whether to send authentication notification in HTML form or as a Java applet.
    • Idle time---Specify the length of time a connection can remain idle before a new login is required.

  7. Specify whether to authenticate only when the user attempts to access a restricted page.

  8. Click the Context tab.

  9. Click Add > enter the user's default NDS or eDirectory context and tree name.

    Enter a fully distinguished NDS or eDirectory container name (sales.my_org, for example). The NDS or eDirectory container name can have up to 256 characters. This entry is optional and makes logging in easier for users. Users in the specified container can log in by typing only their login names without the complete context string.

  10. Click OK > click OK from the Novell BorderManager 3.7 Setup page.
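The rules stated above (single sign-on is tried before SSL; single sign-on needs Novell Client 32, an NDS or eDirectory login, DWNTRUST.EXE and CLNTRUST.EXE on the workstation; SSL authentication and reverse proxy both default to port 443; a default context is a fully distinguished container name of at most 256 characters that lets users log in with a bare login name) can be checked before the settings are applied. The following Python script is an added example written for this page, not Novell's code and not part of BorderManager; the class and function names, the port 444 used as an alternate SSL listening port, and the sample configuration are all constructed for illustration.

```python
"""Consistency checks for an HTTP proxy authentication setup.

Constructed model of the rules on this page; not BorderManager code.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_CONTEXT_LEN = 256      # documented limit for an NDS/eDirectory container name
DEFAULT_SSL_PORT = 443     # SSL authentication and reverse proxy both default to 443


@dataclass
class ProxyAuthConfig:
    """Settings from the Authentication and Context tabs (hypothetical model)."""
    enabled: bool = True
    single_sign_on: bool = False
    ssl: bool = False
    ssl_listening_port: int = DEFAULT_SSL_PORT
    reverse_proxy_enabled: bool = False
    reverse_proxy_port: int = DEFAULT_SSL_PORT
    default_contexts: List[Tuple[str, str]] = field(default_factory=list)  # (container, tree)


@dataclass
class ClientState:
    """What the page says a workstation needs for single sign-on to succeed."""
    novell_client32: bool = False
    logged_in_to_nds: bool = False
    dwntrust_running: bool = False
    clntrust_running: bool = False

    def sso_capable(self) -> bool:
        return (self.novell_client32 and self.logged_in_to_nds
                and self.dwntrust_running and self.clntrust_running)


def validate_config(cfg: ProxyAuthConfig) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if cfg.enabled and not (cfg.single_sign_on or cfg.ssl):
        problems.append("authentication enabled but no scheme (single sign-on or SSL) selected")
    # The page warns that reverse proxy and SSL traffic collide when both keep port 443.
    if (cfg.ssl and cfg.reverse_proxy_enabled
            and cfg.ssl_listening_port == cfg.reverse_proxy_port):
        problems.append(
            f"SSL listening port {cfg.ssl_listening_port} collides with the reverse proxy port")
    for container, tree in cfg.default_contexts:
        if (not container or container.startswith(".")
                or container.endswith(".") or ".." in container):
            problems.append(f"context {container!r} is not a fully distinguished container name")
        if len(container) > MAX_CONTEXT_LEN:
            problems.append(f"context {container!r} exceeds {MAX_CONTEXT_LEN} characters")
        if not tree:
            problems.append(f"context {container!r} has no tree name")
    return problems


def choose_scheme(cfg: ProxyAuthConfig, client: ClientState) -> Optional[str]:
    """Order stated on the page: single sign-on first, SSL if that fails or is off."""
    if not cfg.enabled:
        return "not-required"
    if cfg.single_sign_on and client.sso_capable():
        return "single-sign-on"
    if cfg.ssl:
        return "ssl"
    return None   # no usable scheme: the browser request cannot be authenticated


def resolve_login_name(login: str, cfg: ProxyAuthConfig) -> List[str]:
    """Expand a bare login name against each configured default context.

    A name that already contains a dot is treated as fully distinguished.
    """
    if "." in login:
        return [login]
    return [f"{login}.{container}" for container, _tree in cfg.default_contexts]


if __name__ == "__main__":
    # Constructed sample: SSL authentication plus a reverse proxy, both left on 443.
    cfg = ProxyAuthConfig(single_sign_on=True, ssl=True, reverse_proxy_enabled=True,
                          default_contexts=[("sales.my_org", "MY_TREE")])
    for p in validate_config(cfg):
        print("problem:", p)
    cfg.ssl_listening_port = 444   # hypothetical alternate port
    print("after moving SSL port:", validate_config(cfg))
    workstation = ClientState(novell_client32=True, logged_in_to_nds=True,
                              dwntrust_running=True, clntrust_running=True)
    print(choose_scheme(cfg, workstation), choose_scheme(cfg, ClientState()))
    print(resolve_login_name("jsmith", cfg))
```

The same context checks apply to the HTTP Transparent and Telnet Transparent procedures below, which configure the Context tab in the same way; `choose_scheme` returning `None` is the case to watch for, since it means single sign-on is the only scheme enabled and a workstation without the client pieces listed above has no way to authenticate.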


Setting Up HTTP Transparent Proxy Authentication

To set up HTTP Transparent proxy authentication:

  1. In NetWare Administrator, select the Novell BorderManager 3.7 Setup page for the server.

  2. Click Authentication Context.

  3. From the Authentication tab, check the Enable HTTP Proxy Authentication check box.

  4. Click the Context tab.

  5. Click Add and enter the user's default NDS or eDirectory context and tree name.

    Enter a fully distinguished NDS or eDirectory container name (sales.my_org, for example). The NDS or eDirectory container name can have up to 256 characters. This entry is optional and makes logging in easier for users. Users in the specified container can log in by typing only their login names without the complete context string.

  6. Click OK > click OK from the Novell BorderManager 3.7 Setup page.


Setting Up Telnet Transparent Proxy Authentication

To enable Telnet Transparent proxy authentication:

  1. In NetWare Administrator, select the Novell BorderManager 3.7 Setup page for the server.

  2. Click Authentication Context.

  3. From the Authentication tab, check the Enable Transparent Telnet Proxy Authentication check box.

  4. Click the Context tab.

  5. Click Add > enter the user's default NDS or eDirectory context and tree name.

    Enter a fully distinguished NDS or eDirectory container name (sales.my_org, for example). The NDS or eDirectory container name can have up to 256 characters. This entry is optional and makes logging in easier for users. Users in the specified container can log in by typing only their login names without the complete context string.

  6. Click OK > click OK from the Novell BorderManager 3.7 Setup page.