
Re: BM 3.9 ACL errors/questions


Craig Johnson

Sep 25, 2009, 3:49:58 PM
In article <jpeteet...@no-mx.forums.novell.com>, Jpeteet wrote:
> 1. It is my understanding that Imanager and NWadmin work differently -
> or better stated that Nwadmin is no longer supposed to work for this and
> I am supposed to use only Imanager. Why did it seem to work with Nwadmin
> and not with Imanager and, should I just not enter any in Nwadmin and
> keep trying to get Imanager working?

BM 3.9 should use iManager, though it will still read old rules. (You
can't really edit them easily, but they should be migrated to 3.9 format
with FILLATTR.NCF).

> 2. Is there a way, once you have an access rule defined -as in my case
> with 50 or more websites, to disable a single ACL without deleting the
> whole rule for testing purposes (so you don't have to go and enter all
> the websites again)?

Apply the rule to a non-existent source IP address?


Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***


Craig Johnson

Sep 25, 2009, 3:49:58 PM
This sounds like you have selective proxy authentication enabled,
coupled with some incorrect access rules. (The 'authenticate only
when...' Option).

Rules based on user, group or container are skipped at first, while
rules based on ip address or Any are looked at. If no match there, the
other rules are looked at.

If you deny a site, the authentication will kick in. After that,
user/group/container rules may be kicking in as well, depending on the
rule structure and the exact rule syntax. (However, I'm still trying
to think of a situation where the all-by-IP would not still override
the NDS source rule, so I may be wrong here.)

For sure, something is up. It may be a combination of inherited rules
and old 3.8 rules? If it were me, I'd simplify the rules and build
them back slowly, bit-by-bit.
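
A small model of the two-phase evaluation order described in the post above, added here as an illustration and not code from BorderManager itself; the rule names, the TEST-NET source address and the default-deny result are assumptions. It also shows the "non-existent source IP" trick from the first reply: the rule keeps its full site list but never matches a real client.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    source: str                 # "any", an IP/CIDR, or an NDS source like "group:.staff.acme"
    sites: Optional[frozenset]  # destination hostnames; None means every site

NDS_PREFIXES = ("user", "group", "container")

def is_nds_source(rule: Rule) -> bool:
    return rule.source.split(":", 1)[0] in NDS_PREFIXES

def rule_matches(rule: Rule, client_ip: str, site: str, identity: frozenset) -> bool:
    if rule.sites is not None and site not in rule.sites:
        return False
    if rule.source == "any":
        return True
    if is_nds_source(rule):
        return rule.source in identity  # identity = NDS memberships known after authentication
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule.source, strict=False)

def evaluate(rules, client_ip, site, identity=frozenset()):
    """Return (decision, auth_required). Phase one looks only at IP/Any rules;
    user/group/container rules are consulted, after authentication, only if
    nothing in phase one matched (the order Craig describes above)."""
    for rule in (r for r in rules if not is_nds_source(r)):
        if rule_matches(rule, client_ip, site, identity):
            return rule.action, False
    for rule in (r for r in rules if is_nds_source(r)):
        if rule_matches(rule, client_ip, site, identity):
            return rule.action, True
    return "deny", True  # assumed default when no rule matches at all

# Constructed sample rule set. "big-site-list" stands in for the 50-site rule;
# it is parked on an unused TEST-NET address so no real client ever matches it.
RULES = [
    Rule("block-social", "deny", "any", frozenset({"social.example"})),
    Rule("big-site-list", "deny", "192.0.2.254", frozenset({"news.example", "docs.example"})),
    Rule("staff-news", "allow", "group:.staff.acme", frozenset({"news.example"})),
    Rule("default-allow", "allow", "any", None),
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.0.0.5", "docs.example"))     # ('allow', False): parked rule skipped
    print(evaluate(RULES, "192.0.2.254", "docs.example"))  # ('deny', False): still live for that IP
    print(evaluate(RULES[:3], "10.0.0.5", "news.example", frozenset({"group:.staff.acme"})))
```

With the catch-all Any rule in place, the NDS-based "staff-news" rule is never reached, which is the "all-by-IP overrides the NDS source rule" behaviour Craig mentions; drop the catch-all and the group rule decides after authentication.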

Craig Johnson

Sep 25, 2009, 6:05:30 PM
In article <jpeteet...@no-mx.forums.novell.com>, Jpeteet wrote:
> If I were to use the FILLATR.NCF I would first backup the filters from
> the old server and then just use that file to pull them back into the
> new server correct?
>
No, not at all.

FILLATTR.NCF (which is a bit tricky to get the syntax correct), is
designed to migrate NDS components of BM 3.8 to 3.9 format. It does
proxy and access rules, but not filters. Filters haven't changed format
in NDS - same in 3.7, 3.8 and 3.9.

No risk to using FILLATTR, but you might struggle a bit to get it to
work. My thinking is that maybe you get things migrated, and they show
up in iManager. And then you might consider deleting the old NDS
entries using ConsoleOne, leaving only the newer format behind. This
all requires a good understanding of what is going on, along with
matching this to specific problem symptoms.

Filters are put (back) into NDS from a filters.cfg file using a filtsrv
migrate process. The sequence of events is critical, or you wipe out
all your filters and filter exceptions. (Hence the need to be sure you
have a good backup of filters.cfg).
