
Re: Allow Subnet Rule + NDS Objects


Massimo Rosen

Jul 16, 2010, 3:34:16 AM7/16/10
Hi,

lwelch01 wrote:
>
> So, is it possible for BM 3.9 SP1 IR2 to do what I want:
>
> - An ALLOW Access Rule at Order #1. Source: IP Subnet
> 10.220.64.0/255.255.252.0 Access: HTTP, Destination: Any URL
> - An ALLOW Access Rule at Order #2. Source NDSObject List: Any, Access
> HTTP, Destination: URL List.
> - A DENY Access Rule at Order #3. Source: ANY, Access: HTTP,
> Destination: ANY URL.

Sure.

> In my testing, adding this access rule at #1 does not work as I
> intended.

You need to enable the "authenticate only when the user attempts to
access a restricted page" option in proxy's access control. Otherwise it
will request authentication before it even starts to process the rules.

CU,
--
Massimo Rosen
Novell Product Support Forum Sysop
No emails please!
http://www.cfc-it.de

Massimo Rosen

Jul 19, 2010, 3:58:40 AM7/19/10
Hi,

lwelch01 wrote:
>
> OK, the issue I am now seeing is that the clients I DO want to
> authenticate to proxy are not being asked for it. They can go straight
> through to browsing, clntrust.exe shows 0 Requests Succeeded/Failed.

That means you have an allow rule now that matches what these clients
do. Or, possibly, you do not have a deny rule as the last rule (which
should be the default).


> How
> is this possible when no rule allows them through?

It isn't. There must be a rule that allows them based on IP, or "any".

> The rule that would
> be first hit is Allow any NDS Object to Any URL - this should trigger
> user authentication, correct?

No. That rule wouldn't be a match (no auth, no NDS objects), thus it
gets ignored, and proxy moves on to the next rule, until it either finds
a matching allow rule, or a matching deny rule. When it finds a deny
rule (again, by default the last rule would be a deny any to
any), *then* it requests authentication, and only then.

Massimo Rosen

Jul 16, 2010, 5:43:39 AM7/16/10
Hi,

lwelch01 wrote:
>
> Thanks. I am sure I have tested with this option set to on, but still
> wouldn't work.

It definitely should.

> I did this after reading Craig's explanation of the settings in the
> bmlite book and was still a little confused about the multiple passes of
> access rules when the option is set.

Pretty simple actually. Without the option set, *any* access to the
proxy *first* requires authentication. Rules don't and can't make a
difference. You want something, you authenticate first. *Then* proxy
determines if you are allowed to do what you want to do, based on the
auth info.

*With* the option set, proxy first runs through its ruleset, and if it
hits an "allow" rule that matches the request, it will fulfill it.
Only when it hits a "deny" rule based on the request will it *then*
request authentication, and after having received that, run through the
whole ruleset again, this time based on the auth info.
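The evaluation order described in Massimo's two replies above (one pass unauthenticated, a matching deny triggers authentication, then a second pass with the NDS identity), modelled as a small simulation. This is an added example written for this thread, not BorderManager code or anything Novell shipped: the Rule and Request fields, prefix matching for the URL list, the intranet URL, the user name "jdoe" and the `authenticate` callback standing in for clntrust/login are all assumptions. The three rules are the ones lwelch01 listed.

```python
"""Toy model of BorderManager-style proxy access rule evaluation.

Simulates the two behaviours described in the thread:
  - option OFF: authenticate first, then evaluate rules with auth info.
  - option ON ("authenticate only when the user attempts to access a
    restricted page"): evaluate rules unauthenticated; only a matching
    deny (or no match) triggers authentication, then the rules re-run.
Simplified model written for this thread; not BorderManager's own code.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    src_subnet: Optional[str] = None       # e.g. "10.220.64.0/255.255.252.0"; None = any source
    src_nds: bool = False                  # True = source is an NDS object list (authenticated users)
    dst_urls: Optional[List[str]] = None   # assumed: URL prefixes; None = any URL


@dataclass(frozen=True)
class Request:
    client_ip: str
    url: str
    user: Optional[str] = None             # NDS user once authenticated, else None


# The three rules from the original post, in order. The URL list entry is assumed.
RULES = [
    Rule("allow", src_subnet="10.220.64.0/255.255.252.0"),
    Rule("allow", src_nds=True, dst_urls=["http://intranet.example.com/"]),
    Rule("deny"),                          # deny any -> any, the expected last rule
]


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.src_subnet and ip_address(req.client_ip) not in ip_network(rule.src_subnet):
        return False
    if rule.src_nds and req.user is None:
        return False                       # no auth -> no NDS object -> rule is skipped
    if rule.dst_urls is not None and not any(req.url.startswith(p) for p in rule.dst_urls):
        return False
    return True


def first_match(rules: List[Rule], req: Request) -> str:
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action
    return "deny"                          # implicit deny if nothing matched


def evaluate(rules: List[Rule], req: Request, auth_only_when_restricted: bool,
             authenticate: Callable[[Request], Optional[str]]) -> Tuple[str, bool]:
    """Return (decision, authentication_was_requested)."""
    if not auth_only_when_restricted:
        # Option off: authentication is demanded before any rule is looked at.
        user = authenticate(req)
        if user is None:
            return "deny", True
        return first_match(rules, replace(req, user=user)), True
    # Option on: first pass carries no auth info; a matching allow is served as-is.
    if first_match(rules, req) == "allow":
        return "allow", False
    # A matching deny triggers authentication, then a second pass with the identity.
    user = authenticate(req)
    if user is None:
        return "deny", True
    return first_match(rules, replace(req, user=user)), True


def scenario(client_ip: str, url: str, option_on: bool,
             nds_user: Optional[str] = "jdoe") -> Tuple[str, bool]:
    """Run one request through RULES; nds_user is what login would supply (None = fails)."""
    return evaluate(RULES, Request(client_ip, url), option_on, lambda _req: nds_user)


if __name__ == "__main__":
    cases = [
        ("10.220.65.10", "http://www.example.org/", True),
        ("10.220.65.10", "http://www.example.org/", False),
        ("10.1.1.5", "http://intranet.example.com/page", True),
        ("10.1.1.5", "http://www.example.org/", True),
    ]
    for ip, url, opt in cases:
        print(f"{ip:<13} {url:<34} option={'on ' if opt else 'off'} -> {scenario(ip, url, opt)}")
```

With the option off, the subnet client is prompted even though rule #1 would have allowed it, which is the first symptom in the thread. With the option on, a client outside the subnet is only prompted after the first pass falls through to the deny rule; rule #2 never fires on the first pass because there is no NDS object yet. Prepending an accidental "allow any" rule reproduces the second symptom: outside clients are allowed on the first pass and never asked to authenticate.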
