Novell BorderManager 3.8 SP2 Issues
July 07, 2004
1.0 Known Problems and Limitations
Novell BorderManager 3.8 Support Pack 2 has the following known problems and limitations:
- The stateful ping filter allows ping from only one side of the firewall at a time; it does not allow simultaneous ping between a pair of hosts across the firewall. To make ping work in both directions at once, create a static ICMP filter and disable the filters immediately after use. This is for security reasons.
- Firewall with logging enabled may not work properly after it has been stressed for a long time.
- During installation filtsrv is unloaded and reloaded, which may leave the system without packet filtering for 10-15 seconds. If you consider this window to make the system vulnerable, do not expose the system during install.
- Authentication may fail during NBM 3.8 installation if the password contains special characters.
- If you downgrade Novell BorderManager 3.8 SP2 to an earlier version (NBM 3.8 or NBM 3.8 SP1) and iManager is running on the server, reinstall the iManager snap-in for VPN configuration from the respective version: NBM 3.8 or NBM 3.8 SP1.
- Self pings are filtered but not logged.
2.0 Software Changes
This NBM 3.8 SP2 release contains software changes that are described in the following sections.
2.1 Software Defect Fixes with switches
Novell BorderManager 3.8 SP1 contains software changes that fix the issues described in the following sections.
2.1.1 Custom SMTP Banner
The following switch allows configuring the SMTP banner:
[Extra Configuration]
BM_SMTP_Banner = "Test BM SMTP Banner. Any unauthorized use of this software would lead to legal action against the user"
2.1.2 Replacing Mail Proxy
To allow the generic TCP proxy to use port 25 as a replacement for the mail proxy:
[Extra Configuration]
AllowGTCPProxyToUsePort25=1
Set value to 1 to allow generic TCP proxy to use port 25.
2.1.3 Restrict HTTP Proxy Tunnelling
By default, HTTP proxy allows CONNECT requests to all ports. This could be a security threat. The following switch controls the ports on which tunneling is allowed.
[Tunneling]
EnableTunnelingControl=1
EnableTunnelingControlLog=1
[HttpTunnelingAllowed]
port=<port-1>
...
port=<port-N>
Set switch EnableTunnelingControl=1 to allow CONNECT requests only to the listed ports and port 443. CONNECT requests on all unlisted ports will be denied.
Set switch EnableTunnelingControlLog=1 to log all denied ports in sys:\etc\proxy\tunnel.log.
When EnableTunnelingControl=0, CONNECT requests to all ports are allowed. This could be a security threat.
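To make the effect of the two switches concrete, here is an added example (not BorderManager code, and not shipped by Novell) that reads the [Tunneling] and [HttpTunnelingAllowed] sections in the format shown above and decides sample CONNECT requests the way the notes describe. The port list, host names, client address and log-line layout are constructed for the example; the page only states that denied ports are logged to sys:\etc\proxy\tunnel.log.

```python
"""Added example: evaluate CONNECT requests against the [Tunneling] switches.

Not BorderManager code. The config text, sample requests, client address
and the log line layout are constructed for this example; the notes only
say that denied ports are logged to sys:\\etc\\proxy\\tunnel.log.
"""

IMPLICIT_PORT = 443  # always permitted when EnableTunnelingControl=1 (per the notes)

# Constructed config in the format shown in the notes: the hardened setting.
ENFORCED_CONFIG = """\
[Tunneling]
EnableTunnelingControl=1
EnableTunnelingControlLog=1
[HttpTunnelingAllowed]
port=22
port=993
"""

# Constructed config with the weak setting: every port may be tunnelled.
OPEN_CONFIG = """\
[Tunneling]
EnableTunnelingControl=0
"""


def parse_ini(text):
    """Minimal INI reader returning {section: [(key, value), ...]}.
    Values are kept as a list because [HttpTunnelingAllowed] repeats 'port'."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a section or without '='
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def tunneling_policy(text):
    """Return (control_enabled, log_enabled, allowed_ports) for a config text."""
    sections = parse_ini(text)
    tunneling = dict(sections.get("Tunneling", []))
    control = tunneling.get("EnableTunnelingControl", "0") == "1"
    log = tunneling.get("EnableTunnelingControlLog", "0") == "1"
    allowed = {int(v) for k, v in sections.get("HttpTunnelingAllowed", []) if k == "port"}
    if control:
        allowed.add(IMPLICIT_PORT)
    return control, log, frozenset(allowed)


def evaluate_connect(request_line, policy, client_ip="198.51.100.7"):
    """Decide one 'CONNECT host:port HTTP/1.x' request line.
    Returns (allowed, log_entry); log_entry is None unless the request was
    denied and logging is on. The default client_ip is a constructed value."""
    control, log, allowed = policy
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "CONNECT":
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    host, _, port_text = parts[1].rpartition(":")
    if not host or not port_text.isdigit():
        raise ValueError(f"malformed CONNECT target: {parts[1]!r}")
    port = int(port_text)
    if not control or port in allowed:
        return True, None
    entry = None
    if log:
        # Constructed log line layout (the notes only name the log file).
        entry = f"DENY CONNECT {host}:{port} from {client_ip}"
    return False, entry


if __name__ == "__main__":
    requests = [
        "CONNECT mail.example.net:993 HTTP/1.1",   # listed port
        "CONNECT www.example.net:443 HTTP/1.1",    # implicit 443
        "CONNECT relay.example.net:25 HTTP/1.1",   # unlisted: denied and logged
    ]
    for label, cfg in (("enforced", ENFORCED_CONFIG), ("open", OPEN_CONFIG)):
        policy = tunneling_policy(cfg)
        for req in requests:
            print(label, req, evaluate_connect(req, policy))
```

Running the script shows the two settings side by side: under ENFORCED_CONFIG only ports 22, 993 and the implicit 443 pass, and the denied port 25 request produces a log entry; under OPEN_CONFIG the same port 25 request is allowed silently. The practical review points are to keep the [HttpTunnelingAllowed] list as short as the clients actually need and to watch tunnel.log for repeated denials, which indicate clients (or malware) trying to tunnel other protocols through the proxy.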
2.1.4 X-Authenticated User
This enhancement enables Web Washer to be used as an upstream proxy. To effect the change, modify proxy.nlm.
[X-Authenticated-User]
EnableXAuthenticatedUserHTTPHeader=1
LDAPServe=x.x.x.x
The HTTP header generated for user admin.novell will be: X-Authenticated-User: base64encode( LDAP://x.x.x.x/CN=admin.O=novell )
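As an added illustration (not Novell's code), the following Python builds the header described above for a given user and LDAP server and decodes it again as an upstream proxy would. The server address 192.0.2.10 is constructed; the page's only worked case is admin.novell becoming CN=admin.O=novell, so the handling of deeper names (OU= for intermediate containers) is an assumption made here.

```python
import base64

LDAP_SCHEME = "LDAP://"


def nds_to_ldap_name(user):
    """Map a dotted NDS user name to the name form shown in the notes:
    'admin.novell' -> 'CN=admin.O=novell' (the page's own example).
    Assumption for deeper names (not on the page): the last component is O
    and anything between the leaf and the O is an OU, so
    'jdoe.sales.novell' -> 'CN=jdoe.OU=sales.O=novell'."""
    parts = user.split(".")
    if len(parts) < 2 or not all(parts):
        raise ValueError(f"expected 'user.container[.container...]', got {user!r}")
    leaf, *containers = parts
    ous = containers[:-1]
    org = containers[-1]
    return ".".join([f"CN={leaf}", *[f"OU={ou}" for ou in ous], f"O={org}"])


def x_authenticated_user_header(user, ldap_server):
    """Build the (name, value) pair the proxy emits when
    EnableXAuthenticatedUserHTTPHeader=1: base64 of LDAP://<server>/<name>."""
    url = f"{LDAP_SCHEME}{ldap_server}/{nds_to_ldap_name(user)}"
    return "X-Authenticated-User", base64.b64encode(url.encode("ascii")).decode("ascii")


def decode_x_authenticated_user(value):
    """Reverse the header as an upstream proxy would: returns (server, name).
    validate=True rejects values that are not clean base64."""
    url = base64.b64decode(value, validate=True).decode("ascii")
    if not url.startswith(LDAP_SCHEME):
        raise ValueError("not an LDAP:// reference")
    server, _, name = url[len(LDAP_SCHEME):].partition("/")
    if not server or not name:
        raise ValueError("malformed LDAP reference")
    return server, name


if __name__ == "__main__":
    # 192.0.2.10 is a constructed documentation address, not a real server.
    name, value = x_authenticated_user_header("admin.novell", "192.0.2.10")
    print(f"{name}: {value}")
    print(decode_x_authenticated_user(value))
```

Note that base64 is an encoding, not protection: the authenticated identity travels in clear to the upstream proxy, so the link between BorderManager and Web Washer should run over a trusted network, and the upstream side should accept the header only from the BorderManager address.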
2.1.5 Loading clntrust.exe from Batch File
Clntrust.exe works only if you add it to the login script. If you try to run clntrust.exe from a batch file, prefix it with <start>.
3.0 Software Fixes
The following software fixes are available with Novell BorderManager 3.8 SP2:
3.1 Proxy
- Proxy abends when HTTPS logging is enabled.
- Authentication redirect doesn't work properly when transparent and forward HTTP proxies are simultaneously enabled.
- Memory leaks when single sign-on is enabled for FTP proxy
- Slashdot.org bans BorderManager proxy if read ahead is enabled
- Proxy.nlm abends after BorderManager is upgraded from 3.7 to 3.8
- Proxy access succeeds even if dwntrust is run
- RTSP proxy abends while processing the transport header
- FTP password is limited to 32
- SSL authentication works even when no username or password is specified
- Novell BorderManager HTTP error page shows up invalid characters if the server language is non-English
- The SMTP console warning "Primary mail domain is not configured..." appears even with multidomain support for incoming mail.
- IPXIPGW.NLM fails to load with public symbol errors
- ICP multicast server fails to start
- Clntrust fails to load when Chinese language is enabled on the desktop
- Transparent Telnet proxy not working
- Stopbrd hangs the server when ACL licenses are not installed
- While installing the browser plugins that automate terminal server authentication, PXYAUTH.EXE only looks in drive C for Citrix
- Mail proxy abends while sending a response to an undelivered mail
- Nessus scan causes proxy to abend if FTP proxy is enabled
- FTP uploads are not logged in log file
- Sometimes while brdsrv.nlm is being loaded proxy abends
- SSL authentication points to wrong IP address
- Buffer overflow causes mail proxy to abend
3.2 Access Control
- N2H2 categorization does not work for secure sites
- Packet filter LOG files get corrupted if the roll method has been set to hours
- Aclcheck.nlm abends while processing complex access rule
- Performance goes down with large ACL lists
- There is a random server abend when you visit an HTTPS site that is set to allow in the access control rules.
3.3 Firewall and NAT
- Error is seen while parsing file sys:etc\builtins.cfg when server is rebooted
- Filtsrv.nlm abends during NBM 3.8 installation
- Login to the NetWare server fails when VPN and NAT are running simultaneously
- Sometimes while FLTCFG is being modified filtsrv.nlm abends
- Stateful filters fail with ipflt31 module
3.4 VPN
- For user certificates issued by the Novell Organizational CA and stored in eDirectory, VPN certificate-based authentication with the exported certificate fails if:
  - The corresponding user is deleted or disabled
  - The user certificate is deleted from the user object in eDirectory.
- VPN client stays alive if the user chooses to stay connected in the "disconnect time out pop-up dialog box" that appears when there is no data transmission for the configured time.
- Connection using the NMAS-NDS method fails if the username is not in a replica on the local server.
- Installation of NetWare 6.5 SP1 on top of NBM3.8
- Incorrect debuglog.nlm packaged for loading of IPXIPGW.NLM4
- No list of commonly used methods/choices for NMAS authentication provided in the VPN client login page.
- When the VPTUNNEL address of any VPN server is changed, site-to-site communication breaks.
- VPN client-to-site authentication does not work using NMAS LDAP method when there are multiple replicas for the server. This issue is fixed in NMAS 2.3 which has to be downloaded and applied on the server. More information is available from Novell TID 2967711.
- If a member being deleted is down or not contactable, the master does not delete it from its member list until it becomes contactable.
- When a PSS mode-enabled third party VPN server is modified the changes are reflected in the NBM VPN server list and the VPN master server will initiate a remote call to the VPN slave server.
- Error messages are not displayed for client behind NAT.
- When authenticated in a SKIP mode, file transfer to servers results in memory leak in xmgr.nlm (in the server).
- Login using certificate results in 2 KB memory leak in xmgr.nlm (in the server).
- Server sends dh attribute even if PFS is disabled.
- Server does not provide error message if there is a mismatch in traffic rules.
- Server doesn't send INITIAL_CONTACT notify message.
- When the server receives a NO_PROPOSAL_CHOSEN notify, it does not print the exact reason for the failure.
- Server doesn't print the 8 bytes of cookies in error messages.
- The client-to-site connection might not be established when multiple protected networks are configured for a client-to-site traffic rule.
- Certificate-based login takes place even if the user object is expired.
4.0 Technical Support Information
To contact Novell or a Novell service partner for technical support, access the appropriate Novell Support Connection Web site:
- http://support.novell.com (Americas)
- http://support.novell.de (Europe and the Middle East)
- http://support.novell.com.au (Asia Pacific)
The Novell Support Connection Web site provides the most current known issues, patches, and other important details about the product you are installing. You can use the KnowledgeBase to search for technical information documents (TIDs) that pertain to this product. Furthermore, you can access support forums to obtain technical support information and to exchange and discuss this information with volunteer moderators, as well as other Novell customers.
5.0 Legal Notices
Novell, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.
Further, Novell, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc. reserves the right to make changes to any and all parts of Novell software, at any time, without any obligation to notify any person or entity of such changes.
You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside.
Copyright © 1999-2003, 2004 Novell, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher.
Novell is a registered trademark of Novell, Inc. in the United States and other countries.
Client32, eDirectory, Internetwork Packet Exchange, and IPX, NetWare Loadable Module and NLM, and Novell Client are trademarks of Novell, Inc.
All third-party products are the property of their respective owners.