
BorderManager 3.9 Support Pack1

This document (5022120) is provided subject to the disclaimer at the end of this document.

patches this patch supersedes

This patch does not supersede any other patches.

patches that supersede this patch

This patch is not superseded by any other patches.

patch attributes

Security patch: No
Priority: Mandatory
Distribution Type: Public

document

Revision: 2
Document ID: 5022120
Creation Date: 2008-03-14 19:51:41
Modified Date: 2008-03-20 13:22:27

abstract

The BorderManager 3.9 Support Pack1 contains updates for services contained in the BorderManager 3.9 release.

details

Novell BorderManager 3.9 SP1

1.0 System Requirements

2.0 New Features

3.0 Defect Fixes
3.1 VPN
3.2 Proxy

4.0 Install

5.0 Uninstall

6.0 New Configuration Settings
6.1 Customizing Grace Login dialog box
6.2 Authentication to proxy bypassed when coming
through another proxy
6.3 Increase in ECB used by proxy
6.4 Memory leak in proxy.nlm
6.5 Enabling Cache for version downgrading
6.6 Enabling Accept-Encoding

7.0 Known Problems and Limitations

8.0 Technical Support Information

9.0 Legal Notices


1.0 System Requirements

Make sure that NetWare 6.5 SP6 or SP7 with Novell
BorderManager 3.9 is installed on your system before
you install Novell BorderManager 3.9 SP1.

The Support Pack and patch files are available at
Novell support (http://support.novell.com).

For more information on the latest Support Pack and
patches, see Novell products
(http://support.novell.com/produpdate/patchlist.html).


2.0 New Features

- iManager 2.7 plug-ins are supported in Novell
BorderManager 3.9 SP1.
- Novell BorderManager 3.9 SP1 is supported on XEN
Virtualized NetWare on OES.
- VPN client 3.9.1 is supported on 32-bit Windows
Vista.
- 128 categories are supported for third-party URL
filters.


3.0 Defect Fixes

3.1 VPN

A defect resolved for Site-to-Site in this
release is given below:


Site-to-Site

- Site-to-Site connection with CheckPoint
firewall.


3.2 Proxy

A list of defects which have been resolved for
proxy is given below:


Enhancements

- Customizing Grace Login popup:
  The advantages are:
  - Administrators can customize the existing
    grace login notification alert.
  - Administrators can configure a change
    password link and allow users to decide
    whether to continue using the proxy or
    change their password.
  - The user is forced to change the password
    when only one grace login is remaining.

- Login page for FTP over HTTP


Security Vulnerability Fixes

- Novell Client Trust Vulnerability: Remote
attackers could execute vulnerable code on
Novell software with Novell Client Trust.
- Proxy authentication bypassed: Proxy
authentication and access controls to Novell
BorderManager are bypassed when requests come
through another proxy.
- Bypass %uff encoded data in HTTP POST method:
Attackers could bypass security controls of
Novell BorderManager using %uff (full-width
and half-width Unicode) encoded data with the
HTTP POST method.


Defect Fixes

- Migration from Novell BorderManager 3.8 to
Novell BorderManager 3.9 might fail.
- Object selector window might not pop up when
NDS object is selected for configuring a port
rule.
- Linkwall rules might not work for category
mode when Connectotel is selected for
third-party filters.
- Creation of Access Rules at OU level might
fail.
- Server might abend in aclcheck.nlm.
- Adding new rules might fail with ~ character
in URL.
- Transparent Proxy does not work after update
to tcp680b.exe.zip on NetWare 6.5 SP6 or SP7.
Please refer to TID3784870 for resolution.
- Proxy might abend in one of these functions:
  - oc_requestStart()
  - LogServerConnection()
  - ProcessRequest()

- Server might abend in aclcheck.nlm when rules
are modified in a cluster setup.
- News Proxy cannot be disabled if it was
enabled while migrating Novell BorderManager
3.8 to Novell BorderManager 3.9.
- Novell BorderManager proxy might lock hard
with 200 or more connections, if Terminal
Server Authentication is enabled.
- Server might see an increase in ECBs used by
proxy due to the rescheduling of scheduled
WorkToDo's.
- Server might see memory leak when proxy
receives streaming packets.
- Novell BorderManager will abend when mail
proxy has lost communication with a POP3
server.
- SSL authentication randomly fails with the
Safari 2.0 browser.
- Option 17 in Proxy Console screen displays a
blank screen.
- Proxy might abend when PRTG tool is used for
SNMP monitoring.
- DNS proxy continues to listen on TCP port 53
even though DNS over TCP is disabled in
iManager.
- Proxy server takes a long time to read ACL
rules when Surfcontrol 6.1 is selected for
third-party filters.
- When the browser sends Accept-Encoding in the
HTTP header to the proxy, the proxy does not
forward this Accept-Encoding to the web
server, and bandwidth usage goes high.


4.0 Install

The following sections provide the steps necessary to
install this version:

BorderManager 3.9 SP1 is an English-only release. If
you run the server in a different language, refer to
item 1 of 7.0 Known Problems and Limitations.


On NetWare 6.5 SP6 or SP7

1. Download the BorderManager 3.9 SP1 build from
Novell support (http://support.novell.com), copy it
to the server, and extract it to a directory.
2. Enter NWCONFIG at the server console.
3. Select Product Options > Install A Product not
Listed.
4. Specify the path where the spack.ips file is
extracted from the BorderManager 3.9 SP1 build
file.
5. Select Installation Options, then press F10 to
accept.
6. Press Enter after the installation is complete.
7. Restart the Server after installation.


Install VPN Client 3.9.1 on Windows Vista

1. Turn off UAC before installing the VPN client on
Windows Vista.
2. Copy the
sys:\public\brdrmgr\vpn\Vista_clinst\setup.exe
file to the client machine.
3. Disable NetBIOS from the Network Properties
before using the VPN client.


Install VPN Client 3.9.1 on non-Vista Windows machine

Copy the
sys:\public\brdrmgr\vpn\windows\exes\setupexe.exe file
to the Windows client and run it.


5.0 Uninstall

You can select the backup option to back up your
system while installing Novell BorderManager 3.9 SP1.
The backed up files are saved to the following
location: sys:\system\BM39SP1.BAK.

If you want to uninstall Novell BorderManager 3.9 SP1
and to restore your system to its previous state, do
the following:

1. Enter NWCONFIG at the server console.
2. Select Product Options > Install A Product not
Listed.
3. Specify the file path \sp\backup\backout.ics from
the root directory where the extracted files are
located.
4. Press Enter, then press Yes to uninstall.
5. After uninstallation restart the server.

The BorderManager 3.9 SP1 entry will then be removed
from the products database.


6.0 New Configuration Settings

6.1 Customizing Grace Login dialog box

The Grace Login feature must be configured in the
proxy.cfg file:

[Extra Configuration]

GraceLoginNotification=1

GraceLoginText=Enter a customization grace login text here

PwdChangeURL=Enter the URL for changing the password

The URL is a redirect link to the software used
for changing the password in eDirectory.
BorderManager lacks the capability to change the
password in eDirectory. For example, the software
can be Novell IDM or any similar third-party
software.


6.2 Authentication to proxy bypassed when coming
through another proxy

This setting must be configured in the proxy.cfg
file to enable the proxy to skip authentication
when the request is coming through another proxy.

[Extra Configuration]

skipAuthForViaHeader=1

By default, the proxy requests authentication.


6.3 Increase in ECB used by proxy

This setting must be configured in the proxy.cfg
file:

[Extra Configuration]

fixSecondTimeScheduling=1


6.4 Memory leak in proxy.nlm

This setting must be configured in the proxy.cfg
file:

[HTTP Streaming]

ResetOriginServerConnAfterClientReset=1


6.5 Enabling Cache for version downgrading

Proxy caching can be done when the browser sends
requests with HTTP version 1.1 and the web server
responds with HTTP version 1.0. To enable caching,
this setting must be configured in the proxy.cfg file:

[Extra Configuration]

enableCacheInVersionDowngrade=1


6.6 Enabling Accept-Encoding

To enable the proxy to send Accept-Encoding in the
HTTP header to the web server, this setting must
be configured in the proxy.cfg file:

[Extra Configuration]

EnableAcceptEncoding=1
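
The following is an added example, not Novell code: a review script that reads proxy.cfg text and reports which of the section 6 settings are present. It flags skipAuthForViaHeader=1, the condition listed under Security Vulnerability Fixes in 3.2. The function name audit_proxy_cfg, the INI-style parsing with case-insensitive keys, and the sample file contents are assumptions made for illustration.

```python
import configparser

# (section, key) pairs documented in section 6 of this readme.
SP1_SETTINGS = [
    ("Extra Configuration", "GraceLoginNotification"),
    ("Extra Configuration", "PwdChangeURL"),
    ("Extra Configuration", "skipAuthForViaHeader"),
    ("Extra Configuration", "fixSecondTimeScheduling"),
    ("HTTP Streaming", "ResetOriginServerConnAfterClientReset"),
    ("Extra Configuration", "enableCacheInVersionDowngrade"),
    ("Extra Configuration", "EnableAcceptEncoding"),
]

def audit_proxy_cfg(text):
    # Assumption: proxy.cfg is INI-style with case-insensitive keys.
    # strict=False merges repeated [Extra Configuration] headers, which
    # appear when the readme snippets are pasted in one after another.
    # interpolation=None keeps a '%' in PwdChangeURL from raising.
    cp = configparser.ConfigParser(strict=False, allow_no_value=True,
                                   interpolation=None)
    cp.read_string(text)
    settings = {key: cp.get(section, key, fallback=None)
                for section, key in SP1_SETTINGS}
    findings = []
    if settings["skipAuthForViaHeader"] == "1":
        findings.append("skipAuthForViaHeader=1: requests arriving through "
                        "another proxy are not authenticated")
    if settings["GraceLoginNotification"] == "1" and not settings["PwdChangeURL"]:
        findings.append("GraceLoginNotification=1 but PwdChangeURL is not "
                        "set: no change-password link is configured")
    return settings, findings

# Constructed sample input, not taken from a real server.
SAMPLE_CFG = """\
[Extra Configuration]
GraceLoginNotification=1
GraceLoginText=Your password has expired
[Extra Configuration]
skipAuthForViaHeader=1
[HTTP Streaming]
ResetOriginServerConnAfterClientReset=1
"""

if __name__ == "__main__":
    settings, findings = audit_proxy_cfg(SAMPLE_CFG)
    for key, value in settings.items():
        print(f"{key} = {value if value is not None else '(not set)'}")
    for finding in findings:
        print("REVIEW:", finding)
```
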


7.0 Known Problems and Limitations

Novell BorderManager 3.9 SP1 has the following known
problems and limitations:

1. If you get an error while installing non-English
BorderManager 3.9 SP1, copy the MSGVAR.RCF,
SPACK.ILS, and SPACKA.ILS files from the \sp\4
directory located at the root of the extracted
build to the language directory of the server
that is being used. For example, directory \sp\4
for English, \sp\6 for French, \sp\7 for German,
\sp\9 for Japanese, \sp\12 for Portuguese
Brazilian, and \sp\14 for Spanish.
2. Turn off UAC before installing the VPN client on
Windows Vista. UAC is one of the Vista security
features.
3. Name resolution fails during connection
establishment for a VPN client. Disabling
NetBIOS over TCP/IP in LAN settings resolves the
problem. The problem occurs because NetBIOS over
TCP/IP is enabled during Vista installation. This
is part of the Vista bug list and is intended to
be fixed with a hot fix. We require the
administrator to disable the NetBIOS option.
4. Stop the IKE and IKEEXT services in Vista before
running the VPN Client.
5. The filtsrv.nlm file will be downgraded if you use
the NetWare 6.5 SP6 or SP7 overlay CDs or DVD to
upgrade a server that already has Novell
BorderManager 3.9 installed. To resolve this, copy
the filtsrv.nlm file manually to the SYS:\SYSTEM
directory. The correct file is filtsrv.nlm version
1.61.13 dated Thursday, November 24, 2005.
6. The iManager plug-in will not be available after
upgrading iManager from 2.6 to 2.7 during the
NetWare OS upgrade if Novell BorderManager 3.9.1
is already installed. If you use iManager 2.6,
copy bm26.npm, bmpxy_2.6.npm, bmacl_2.6.npm, and
vpn26.npm; if you use iManager 2.7, copy
bm27.npm, bmpxy_2.7.npm, bmacl_2.7.npm, and
vpn27.npm. Copy these files from the
sys:\public\brdmgr\snapnins\ folder to the local
folder where iManager is being used and install
them manually. Restart the iManager service.
7. iManager plug-ins will not be upgraded
automatically when BorderManager is upgraded from
3.9 to 3.9.1. Use the following steps to install
new plug-ins:
- Log in to iManager and select Configure.
- Select Plug-in installation > Available Novell
  Plug-in modules.
- Choose the following plug-ins:

  NBM ACL Configuration
  NBM Firewall Configuration
  NBM Proxy Configuration
  NBM VPN Configuration

- Install the plug-ins.
  If any roles are configured, then the above
  plug-ins have to be made part of the roles.
- Restart the Tomcat server.

8. Master and slave AuthAgents running on the same
machine use the same log file.
9. The stateful ping filter allows ping from one side
of the firewall at a time. It does not allow
simultaneous ping between a pair of hosts across
the firewall. To make ping work simultaneously,
create a static ICMP filter and disable the
filters immediately after use. This is for
security reasons.
10. Firewall with logging enabled may not work
properly after it has been stressed for a long
time.
11. Authentication may fail during Novell
BorderManager 3.9 installation, if the password
contains special characters such as % and #.
12. Self pings are filtered but not logged.
13. Easy Filter Configuration lists only the Public
interface configured on the server. This interface
list is not updated immediately when the interface
status is changed between Public and Private
(NetWare filtcfg > Configure Interface Options >
Tag to toggle between Public and Private). It is
updated every 30 seconds. To see the changes
immediately, reinitialize the system (from NetWare
inetcfg > Reinitialize System).


8.0 Technical Support Information

To contact Novell or a Novell service partner for
technical support, access the Novell Support Web site
(http://support.novell.com).

The Novell Support Connection Web site provides the
most current known issues, patches, and other
important details about the product you are
installing. You can use the KnowledgeBase to search
for technical information documents (TIDs) that
pertain to this product. Furthermore, you can access
support forums to obtain technical support information
and to exchange and discuss this information with
volunteer moderators, as well as other Novell
customers.


9.0 Legal Notices

Novell, Inc. makes no representations or warranties
with respect to the contents or use of this
documentation, and specifically disclaims any express
or implied warranties of merchantability or fitness
for any particular purpose. Further, Novell, Inc.
reserves the right to revise this publication and to
make changes to its content, at any time, without
obligation to notify any person or entity of such
revisions or changes.

Further, Novell, Inc. makes no representations or
warranties with respect to any software, and
specifically disclaims any express or implied
warranties of merchantability or fitness for any
particular purpose. Further, Novell, Inc. reserves the
right to make changes to any and all parts of Novell
software, at any time, without any obligation to
notify any person or entity of such changes.


Any products or technical information provided under
this Agreement may be subject to U.S. export controls
and the trade laws of other countries. You agree to
comply with all export control regulations and to
obtain any required licenses or classification to
export, re-export, or import deliverables. You agree
not to export or re-export to entities on the current
U.S. export exclusion lists or to any embargoed or
terrorist countries as specified in the U.S. export
laws. You agree to not use deliverables for prohibited
nuclear, missile, or chemical biological weaponry end
uses. Please refer to Novell export policies
(http://www.novell.com/info/exports/) for more
information on exporting Novell software. Novell
assumes no responsibility for your failure to obtain
any necessary export approvals.


Copyright 2008 Novell, Inc. All rights reserved. No
part of this publication may be reproduced,
photocopied, stored on a retrieval system, or
transmitted without the express written consent of the
publisher.


Novell, Inc. has intellectual property rights relating
to technology embodied in the product that is
described in this document. In particular, and without
limitation, these intellectual property rights may
include one or more of the U.S. patents listed at
Novell Patents site
(http://www.novell.com/company/legal/patents/) and one
or more additional patents or pending patent
applications in the U.S. and in other countries.

U.S. Patent No. 5,572,528; 5,719,786; 5,991,810;
6,092,200 and 6,345,266. Patents Pending.


For a list of Trademarks, see Novell Trademarks
(http://www.novell.com/company/legal/trademarks/tmlist.html).



file contents

Files Included        Size                   Date
BM39SP1.zip           268.5 MB (281588627)   2008-03-14 19:47:39
readme_5022120.html   N/A                    2008-03-20 13:22:27

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.

Novell is a registered trademark of Novell, Inc. in the United States and other countries. SUSE is a registered trademark of SUSE Linux AG, a Novell business. *All third-party trademarks are the property of their respective owners.

© 2007 Novell, Inc. All Rights Reserved.