10-22-2008, 07:47 PM
#1
Guest
allow rule. URL, "from: ip-address, to: <any>" seems not to work?
Hi.
BM3.8.5 on NW6.5.6.
for some Vista64 machines I want to allow Internet Access by creating
this allow rule. Shall go below the surfcontrol deny rules, as this
didn't work it's now placed as the topmost rule in the list:
Type: URL - allow
Source, Host-IP: 10.27.4.200-10.27.4.200
To : <any>
The http proxy log shows lines like this one for such requests:
10.27.4.200 - - [22/Oct/2008:16:15:46 +0200] "GET http://www.google.de/ HTTP/1.0" 302 1839
also tried with http/1.1, from a different WS (XPSP2 without
CLNTRUST.EXE started: The BM Login Page finally is returned), didn't
change.
Same for adding the full network (10.0.0.0/8), or even for allowing
type: URL - allow
Source: <any>
Destination: <any>
Rules are updated up to BM's server screen.
Looks like I've missed something really basic?
Regards, Rudi.

10-22-2008, 08:15 PM
#2
Guest
Re: allow rule. URL, "from: ip-address, to: <any>" seems not to work?
Hi,
Rudolf Thilo wrote:
>
> Hi.
>
> BM3.8.5 on NW6.5.6.
>
> for some Vista64 machines I want to allow Internet Access by creating
> this allow rule. Shall go below the surfcontrol deny rules, as this
> didn't work it's now placed as the topmost rule in the list:
You need to have "authenticate only when accessing a restricted page"
enabled. Otherwise BM *always* asks for authentication.
CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de

10-23-2008, 09:00 AM
#3
Guest
Re: allow rule. URL, "from: ip-address, to: <any>" seems not to work?
Hi.
>> BM3.8.5 on NW6.5.6.
>>
>> for some Vista64 machines I want to allow Internet Access by
>>creating this allow rule. Shall go below the surfcontrol deny
>>rules, as this didn't work it's now placed as the topmost rule in
>>the list:
>
>You need to have "authenticate only when accessing a restricted page"
>enabled. Otherwise BM always asks for authentication.
Hm. At very first: Up to now I've only worked with CLNTRUST driven
authenticated proxying.
The option you mentioned is global. So this means, that I would lose
the user information for all those HTTP requests, that point to any non
restricted page -- right?
That's *NOT*, where I want to end up. I also don't want to (ab)use a
filter exception for the few Vista CAD PCs. Really not too nice, that a
CLNTRUST-64bit will still take quite a time to be shipped.
Can you see any approach to
1.) allow the vista boxes to use the proxy without authentication, they
have fixed IP addresses.
2.) force all other machines to use Auth.ed proxy access (CLNTRUST)
3.) to log user specific for 2.), and IP-Address-specific for 1.) in
the http logs of Bordermanager?
Regards, Rudi.

10-23-2008, 10:13 AM
#4
Guest
Re: allow rule. URL, "from: ip-address, to: <any>" seems not to work?
In article <fHZLk.3597$Fg1.2444@kovat.provo.novell.com>, Rudolf Thilo
wrote:
> The option you mentioned is global. So this means, that I would lose
> the user information for all those HTTP requests, that point to any non
> restricted page -- right?
>
The Allow rule or rules you put in for the Vista hosts should have source
IP addresses = Vista host addresses. In this way, those rules will only
apply to those hosts, and all other hosts will still have to authenticate
for the other rules to work.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

10-27-2008, 08:13 AM
#5
Guest
Re: allow rule. URL, "from: ip-address, to: <any>" seems not to work?
Hi.
>> The option you mentioned is global. So this means, that I would
>>lose the user information for all those HTTP requests, that point
>>to any non restricted page -- right?
>>
>The Allow rule or rules you put in for the Vista hosts should have
>source IP addresses = Vista host addresses. In this way, those rules
>will only apply to those hosts, and all other hosts will still have
>to authenticate for the other rules to work.
I think I've got it: I'll need to add these IPs to all rules touched in
the order they are arranged for the Vista boxes, so that *ALL* of them
will hold the Vista boxes' IP addresses... (?)
regards, rudi
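
Added example, not part of any post in this thread: a small audit of the HTTP proxy log against the three goals listed in post #3 (exempt fixed-IP hosts pass without authentication, every other host is authenticated, and each request is attributable to a user or to an exempt IP). It assumes the log is in Common Log Format as in the line quoted in post #1, and that an authenticated user name appears in the third field; the sample lines, the user name `alice` and the function names are constructed for illustration.

```python
import ipaddress
import re

# Common Log Format, the layout of the proxy log line quoted in post #1:
# host ident authuser [timestamp] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?:\d+|-)$'
)

def classify(line, exempt_networks):
    """Return one label for a log line, following the three goals in post #3."""
    m = CLF.match(line.strip())
    if not m:
        return "unparsed"
    try:
        host = ipaddress.ip_address(m["host"])
    except ValueError:
        return "unparsed"
    exempt = any(host in ipaddress.ip_network(n) for n in exempt_networks)
    has_user = m["user"] != "-"   # assumption: "-" means no authenticated user
    if exempt:
        # Assumption: a 302 here can be the proxy's redirect to its login page
        # (it can also be an ordinary redirect from the origin server).
        return "exempt-check-redirect" if m["status"] == "302" else "exempt-by-ip"
    return "authenticated" if has_user else "unauthenticated-non-exempt"

def audit(lines, exempt_networks):
    """Count labels and collect the lines that need a look."""
    counts, review = {}, []
    for line in lines:
        label = classify(line, exempt_networks)
        counts[label] = counts.get(label, 0) + 1
        if label not in ("exempt-by-ip", "authenticated"):
            review.append((label, line.strip()))
    return counts, review

# Constructed sample log; only the first line's shape comes from the thread.
SAMPLE_LOG = [
    '10.27.4.200 - - [22/Oct/2008:16:15:46 +0200] "GET http://www.google.de/ HTTP/1.0" 302 1839',
    '10.27.4.200 - - [22/Oct/2008:16:20:01 +0200] "GET http://www.example.com/ HTTP/1.1" 200 5120',
    '10.27.4.17 - alice [22/Oct/2008:16:21:10 +0200] "GET http://www.example.com/ HTTP/1.1" 200 5120',
    '10.27.4.18 - - [22/Oct/2008:16:22:30 +0200] "GET http://www.example.org/ HTTP/1.1" 200 900',
]
EXEMPT = ["10.27.4.200/32"]   # the fixed-IP host named in post #1

if __name__ == "__main__":
    counts, review = audit(SAMPLE_LOG, EXEMPT)
    print(counts)
    for label, line in review:
        print(label, "|", line)
```

Lines labelled `unauthenticated-non-exempt` are the ones that would show an IP-based exception applying more widely than intended.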