4.4 Access Gateway Advanced Options

Access Gateway provides two types of advanced options: global options (Section 4.4.1) and options for individual proxy services (Section 4.4.2).

4.4.1 Configuring Global Advanced Options

Perform the following steps to configure Access Gateway global advanced options:

  1. Click Devices > Access Gateways > Edit > Advanced Options.

  2. To activate these options, configure the value, save your changes, then update Access Gateway.

    To deactivate these options, add the pound (#) symbol in front of the option.

    Table 4-1 Access Gateway Global Advanced Options

    Advanced Option

    Description

    NAGGlobalOptions FlushUserCache=on

    Specifies whether cached credential data of the user is updated when the session expires or the user changes an expiring password. This option is equivalent to PasswordMgmt in the 3.1 SP4 Access Gateway Appliance.

    • When this option is on, which is the default setting, the credentials and the Identity Injection data are refreshed.

    • When this option is turned off, the cached user data can become stale.

    For example, if your password management service is a protected resource of Access Gateway and this option is turned off, every time a user changes an expiring password, the user’s data is not flushed and Access Gateway continues to use stale data for that user.

    NAGGlobalOptions DebugHeaders=on

    When this option is enabled, an X-Mag header is added with debug information. The information can be seen in sniffer traces and with plug-ins such as ieHTTPHeaders, Live HTTP Headers, and FireBug.

    Enable this option only when you are working with Product Support and they instruct you to enable it.

    NAGGlobalOptions DebugFormFill=on

    When this option is enabled, additional debug information related to the processing of a Form Fill policy is added to the Apache error log files (the error_log file under /var/log/novell-apache2) and to the X-Mag header in the response to the browser. The Form Fill entries generated by this option begin with an FF: marker.

    For example:

    Oct 23 12:38:29 mag326 httpd[29345]: [warn] AMEVENTID#36: FF:fillSilent: kfh5ummigbq6uGeneral_SS_non_SS_autosumit_Page_13310, referer: https://www.idp.com:8443/nidp/idff/sso?sid=0

    Oct 23 12:38:29 mag326 httpd[29345]: [warn] AMEVENTID#36: FF:fillInplaceSilent: kfh5ummigbq6uGeneral_SS_non_SS_autosumit_Page_13310, referer: https://www.idp.com:8443/nidp/idff/sso?sid=0

    NAGGlobalOptions ESP_Busy_Threshold=<value>

    The proxy starts sending errors to the browser if the ESP's average response time over the last minute exceeds the specified value (time in milliseconds).

    NAGGlobalOptions noTOPR

    Disables the activity-based timeout in the proxy. The proxy redirects browser requests after the soft timeout of the configured timeout value.

    This option is equivalent to disabletoppr in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions InPlaceSilent=on

    This enables single sign on to certain Web sites that require the login page to remain as is without any modifications to its structure.

    If you are using this advanced option for a Form Fill on a page with multiple forms, by default, the first form is posted. If you want to post forms other than the first form, use NAGGlobalOptions InPlaceSilentPolicyDoesSubmit=on. For more information, see TID 7011817.

    This option is equivalent to .enableInPlaceSilentFill in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions ForceUTF8

    When this option is enabled, Access Gateway uses the UTF-8 character set to serve the Form Fill page to the browser.

    This option is equivalent to forceUTF8Charset in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions AllowMSWebDavMiniRedir=on

    This option disables the following functionality, which is enabled by default: if a Microsoft Network Places client sends an OPTIONS request with the MS-WebDAV-MiniRedir user agent to Access Gateway, it receives a 409 Conflict response. The client uses this response to change the user agent to MS Data Access Internet Publishing Provider DAV.

    This option is equivalent to AllowMSWebDavRedir in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions noURLNormalize=on

    When this option is enabled, it disables the URL normalization protection for back-end Web servers. This option resolves issues in serving Web content from Web servers that use double-byte characters, such as Japanese language characters.

    By default, this option is set to off and the URL is normalized before it is sent to the back-end Web server.

    NAGAdditionalRewriterScheme webcal://

    When this option is enabled, the rewriter rewrites URLs that have a scheme of webcal://. The default rewriter configuration only rewrites URLs with a scheme of http:// or https://.

    NAGGlobalOptions AppendProviderID=on

    When this option is enabled, the ESP Provider ID is displayed in the Access Gateway authorization audit logs. This helps in diagnosing issues related to the ESP provider ID from the audit log file.

    NAGGlobalOptions InPlaceSilentPolicyDoesSubmit=on

    This option must be used to fill forms that contain complex JavaScript or VBScript.

    This option is equivalent to .enableInPlaceSilentFillNew in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions NAGErrorOnIPMismatch=off

    In Access Manager 4.3, this option has been merged with Advanced Session Assurance and is called Client IP.

    For more information, see Section 11.0, Setting Up Advanced Session Assurance.

    NAGGlobalOptions NAGDisableExternalRewrite=on

    Access Gateway does not insert the path for the links with external published DNS when you enable this option.

    This option is equivalent to .disableExternalDNSRewrite in the 3.1 SP4 Access Gateway Appliance.

    DisableGWSHealth on

    When this option is enabled, Access Gateway does not check the health of the back-end Web server.

    This option is equivalent to .disableWSHealth in the 3.1 SP4 Access Gateway Appliance.

    NAGIchainCookieVersion on

    When this option is enabled, Access Gateway sends the proxy session cookie to the back-end server as IPCZQX01<clusterid>.

    IgnoreDNSServerHealth on

    When this option is used, Access Gateway does not send the DNS server health status when Access Gateway health is reported to Administration Console.

    When you set the option to IgnoreDNSServerHealth off <lookupname>, Access Gateway sends a DNS query for the specified <lookupname>. Access Gateway sends a successful message to Administration Console if it connects to the DNS server; otherwise, it sends an unable-to-connect message. By default, if you have not specified this option, Access Gateway sets it to IgnoreDNSServerHealth off www.novell.com.

    This option is equivalent to ignoreDnsServerHealth in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions NAGRenameCookie=on

    Set this option to off to prevent the session ID from being changed automatically. By default, this option is set to on.

    EnableWSHandshake on

    Consider a setup with a firewall between Access Gateway and the back-end Web server. When Access Gateway performs a heartbeat check with a simple TCP connect to the Web server, the Web server may throw a TLS handshake error. After a certain threshold, this may cause the firewall to block the connection. This option enables Access Gateway to perform an SSL handshake while performing a heartbeat check on the back-end SSL-enabled Web server, so that the Web server does not respond with a TLS handshake error. By default, Access Gateway performs a simple TCP connect while performing a heartbeat check on the back-end Web server.

    NAGGlobalOptions IIRemoveEmptyHeaderValue

    This option enables the Identity Injection policy not to send an empty header with null value when a value is not available. By default, Access Gateway sends an empty header with a null value if a value is not available.

    For example, applications may have a public and a protected resource configured. Both resources may use an Identity Injection policy, for example to inject a USERID. The public resource uses the user name if the user is authenticated. If the user accesses the public resource before authentication, Access Gateway sends an empty USERID header variable. Web servers may not handle an empty header and may respond with an error. In such a scenario, use this advanced option to stop Access Gateway from sending an empty header with a null value.

    DumpHeaders on

    DumpHeadersFacility user

    These options ensure that the proxy logs the user headers to the /var/opt/novell/nam/logs/mag/apache2/error_log file.

    SSLProxyVerifyDepth=3

    Specifies how many certificates are in a Web server certificate chain. When you activate the verification of the Web server certificate with the Any in Reverse Proxy Trust Store and the public certificate is part of a chain, you need to specify the number of certificates that are in the certificate chain.

    For more information about configuring Web servers for SSL, see Section 17.5, Configuring SSL between the Proxy Service and the Web Servers.

    The default search level, that is, the depth used when the SSLProxyVerifyDepth attribute is commented out, is 1. If the number of certificates in the Web server certificate chain is greater than 1, the SSLProxyVerifyDepth option must be enabled and assigned the respective value (equal to the number of certificates in the chain).

    ProxyErrorOverride

    Allows you to specify which errors you want returned to the browser unchanged by the Gateway Service. The default behavior of the Gateway Service is to replace Web server errors with Gateway Service errors.

    However, some applications put more information, such as keys and JavaScript in the message. If this information is critical, specify an override and allow the error message to be returned to the browser without any modifications.

    For example, NetStorage requires an override for the 401 error because it includes a key in the 401 error. The portal page for the Novell Open Enterprise Server requires an override for error 403 because it includes JavaScript.

    You can use the following syntax to set this option:

    • ProxyErrorOverride on -401 -403: Allows all errors to be changed to Gateway Service errors except errors 401 and 403, which are sent unchanged.

      This syntax allows you to list the few errors you want to forward without change while allowing all the others to be changed to Gateway Service errors.

    • ProxyErrorOverride off +401 +403: Disables the changing of Web server errors to Gateway Service errors except for errors 401 and 403, which are changed to Gateway Service errors.

      Use this option when you have only a few errors that you want changed to Gateway Service errors.

    NOTE: Enable the error codes 401 and 403 for override if you are using Identity Manager 4.0 with Role Mapping Administrator.
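As an added example (not the product's own code), here is a small evaluator for the two ProxyErrorOverride forms above, so you can check which back-end status codes the Gateway Service would replace before you change the option; it assumes that "+" always means replace with a Gateway Service error and "-" always means pass through unchanged, which generalizes the two documented combinations.

```python
import re
from typing import Dict, List, Set, Tuple

def parse_proxy_error_override(directive: str) -> Tuple[bool, Set[int], Set[int]]:
    """Parse 'ProxyErrorOverride on|off [+code|-code ...]'.

    Returns (override_by_default, forced_override, forced_passthrough):
    'on'/'off' sets the default, '+NNN' forces that status to be replaced by a
    Gateway Service error, '-NNN' forces it to reach the browser unchanged.
    (Assumed interpretation: the documentation only shows 'on -...' and
    'off +...'; the sign is treated as meaningful on its own.)
    """
    tokens = directive.split()
    if len(tokens) < 2 or tokens[0] != "ProxyErrorOverride":
        raise ValueError(f"not a ProxyErrorOverride directive: {directive!r}")
    mode = tokens[1].lower()
    if mode not in ("on", "off"):
        raise ValueError(f"expected on or off, got {tokens[1]!r}")
    forced_override: Set[int] = set()
    forced_passthrough: Set[int] = set()
    for tok in tokens[2:]:
        m = re.fullmatch(r"([+-])([45]\d\d)", tok)
        if not m:
            raise ValueError(f"bad status token {tok!r}; expected +NNN or -NNN")
        code = int(m.group(2))
        (forced_override if m.group(1) == "+" else forced_passthrough).add(code)
    clash = forced_override & forced_passthrough
    if clash:
        raise ValueError(f"status codes listed as both + and -: {sorted(clash)}")
    return mode == "on", forced_override, forced_passthrough

def is_replaced_by_gateway(directive: str, status: int) -> bool:
    """True if the Gateway Service replaces this Web server response with its
    own error page; False if the original body (keys, JavaScript, ...) reaches
    the browser unchanged. Non-error responses are never candidates."""
    default_on, forced_override, forced_passthrough = parse_proxy_error_override(directive)
    if status < 400:
        return False
    if status in forced_passthrough:
        return False
    if status in forced_override:
        return True
    return default_on

def override_table(directive: str, statuses: List[int]) -> Dict[int, str]:
    """Summarise one directive against a list of back-end status codes."""
    return {
        s: ("gateway error" if is_replaced_by_gateway(directive, s) else "unchanged")
        for s in statuses
    }

if __name__ == "__main__":
    # Constructed set of back-end responses to exercise the two documented forms.
    sample = [200, 401, 403, 404, 500]
    for d in ("ProxyErrorOverride on -401 -403", "ProxyErrorOverride off +401 +403"):
        print(d, override_table(d, sample))
```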

    NAGErrorOnDNSMismatch

    If SSL is not enabled in reverse proxy, an error message stating Host Name Does Not Match is displayed.

    SSLHonorCipherOrder

    This option enables you to customize the SSLCipherSuite used by Access Gateway. This helps you in taking preventive measures when new vulnerabilities are published.

    To avoid Browser Exploit Against SSL/TLS (BEAST) attacks, use the advanced option as follows:

    SSLHonorCipherOrder on

    SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
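To see what this cipher string actually yields on a given host, the following added example (not from the Access Manager documentation) resolves it with the local OpenSSL through Python's ssl module, models SSLHonorCipherOrder on with OP_CIPHER_SERVER_PREFERENCE, and flags whether RC4, which OpenSSL 1.1.0 and later leave out of default builds, is still offered at all.

```python
import ssl
from typing import Dict, List

# The cipher string from the SSLCipherSuite line above, copied verbatim.
BEAST_CIPHER_STRING = "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL"

def resolve_cipher_string(cipher_string: str, honor_server_order: bool = True) -> List[str]:
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below cipher names
    the local OpenSSL build would offer, in the order the server prefers them.

    honor_server_order models 'SSLHonorCipherOrder on': the server's order,
    not the client's, decides which cipher is negotiated.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if honor_server_order:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # set_ciphers raises ssl.SSLError only when nothing matches at all; cipher
    # names the local build does not ship (RC4 on current OpenSSL) are ignored,
    # which is exactly why a configured preference must be verified on the host.
    ctx.set_ciphers(cipher_string)
    # Recent OpenSSL lists TLS 1.3 suites as well; they are not governed by
    # SSLCipherSuite, so drop them to see only what this string controls.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit_cipher_string(cipher_string: str) -> Dict[str, object]:
    """Report what the string yields on this host: how many ciphers, which one
    a server honouring its own order picks first, whether RC4 survived, and
    whether any NULL or EXPORT cipher slipped past the exclusions."""
    names = resolve_cipher_string(cipher_string)
    return {
        "count": len(names),
        "first_preference": names[0] if names else None,
        "rc4_offered": any("RC4" in n for n in names),
        "null_or_export": [n for n in names if "NULL" in n or "EXP" in n],
    }

if __name__ == "__main__":
    for key, value in audit_cipher_string(BEAST_CIPHER_STRING).items():
        print(f"{key}: {value}")
```

If rc4_offered is False, the RC4 entries in the string are silently dropped and the server negotiates from the remaining ALL list instead.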

    NAGGlobalOptions onFormFillPolicyRedirUseHttp=on

    This option enables Access Gateway to redirect by using HTTP status code 302 along with the Location header when a Form Fill policy requires a redirect.

    By default, Access Gateway uses JavaScript to trigger redirect in Form Fill policy. You can use this advanced option when there are issues with JavaScript redirects.

    NAGGlobalOptions NoAuthHdrWithoutPwd=on

    This option restricts sending the Authorization header with an Identity Injection policy when a password is unavailable, for example, when users authenticate with a Kerberos contract.

    This option is set to off by default.

    NAGLAGCompatiability on

    This option enables sharing of session information between the 3.1 SP4 Access Gateway Appliance and the 4.0 Access Gateway Appliance during the process of migration.

    This option is added by default during the process of migration to ensure communication between the two appliances. You can disable or remove this option after the migration is complete.

    NAGSendURLinErrorResponses on

    When this option is enabled, Access Gateway does not include an href in the response when you access a protected resource and a 302 redirect occurs.

    AllowEncodedSlashes NoDecode

    When this option is enabled, URLs are accepted, but encoded slashes are not decoded.

    For example, the server accepts the encoded URL www.example.com%2Ffinance, but does not try to decode the encoded slash (%2F for /).

    NAGGlobalOptions ExcludeDNSFull on

    When this option is set to on, the DNS name is excluded from being rewritten by that domain. The HTML Rewriting does not happen when the backend DNS name is included in the Exclude DNS Name list.

    SetStrictTransportSecurity off

    NOTE: This option is available in Access Manager 4.3 Service Pack 1 and later versions.

    Set this option to off if you want to disable HTTP Strict Transport Security. By default, it is set to on.

    NAGGlobalOptions SetHashedCookiesInResponse=on

    NOTE: This option is available in Access Manager 4.3 Service Pack 1 and later versions.

    Access Manager 4.3 and later prints only the hashed values of all IPC and AGIDC cookies in the log files. When this advanced option is set to on, Access Gateway sets these hashed values of IPC and AGIDC cookies into browsers with the name IPCZQX0354154289-Hash and AGIDC0354154289-Hash.

    For more information, see Section 30.15.3, Adding Hashed Cookies into Browsers.

    NAGGlobalOptions TempUserTTL=<value in minutes>

    NOTE: This option is available in Access Manager 4.3 Service Pack 3.

    You can add this option to extend the time limit in minutes for validating a web server cookie even when the IPC cookie (used by Access Manager to mangle the cookies after authentication) is not validated.

    Consider a scenario where a user is trying to access a protected resource for the first time and has to register user details before authenticating to Access Manager. In this scenario, because the Access Manager authentication is unsuccessful, the IPC cookie is invalidated, resulting in an invalid web server cookie. Hence, the user cannot access the registration page. If you enable this option with the required time limit, the user can complete the registration process.

    NAGSessionKey Default

    For additional security in the case of cross-domain authentication, the Access Gateway session cookie is encrypted before it is sent as a URL query parameter.

    For example:

    In earlier releases of Access Manager, the URL is: https://novell.blr.com:9443/ -CIPCZQX03218a425f=01000300a463892f582b51722510f334a4223149

    In Access Manager 4.1, the URL is: https://novell.blr.com:9443/%20-CECCjdOOBPIqZZNtF+dRlAyDfTFvOPwnO0xzOQTcnrubNzJ6GFe6FF8dWRzzg7RY9iZJYxNLaU80KnJOoqtqf6u2g==

    You can use NAGSessionKey to specify the password according to the administrator's needs. A password with more characters increases the strength of the encryption and therefore the security. By default, the password is set to default.

    For example, NAGSessionKey NAM-CROSS-DOMAIN-SESSION-KEY-ENCRYPTION-PASSWORD.

    For the list of proxy service level advanced options, see Table 4-2.

Options to Clean Up Thick Client State At Browser

When Access Gateway detects the idle timeout, the user is redirected to Identity Server for authentication. If the content type and URL pattern of the request match those used by the thick client (as defined in the advanced options NAGUrlPattern and NAGContentType), the user must instead be redirected to the pre-defined timeout handler defined in the NAGAuthFrontChannel advanced option. The redirected URL also contains additional information such as the ESP login URL, the contract name, and the landing page URL as defined in the advanced options. The following advanced options must be used together to clean up the thick client state:

Advanced Option

Description

NAGLauncher

URL that launches the client.

NAGUrlPattern /messagebroker/*

URL pattern that identifies if a specific request came from a client.

NAGContentType application/x-amf

Content type in the Request header that is used to identify if the request is a client.

NAGAuthBackChannel /namtimeout/timeoutamf

Timeout handler on the server.

NAGAuthFrontChannel

Timeout handler on the server which includes the published DNS name of the server.

Enabling Cookie Mangling

When you log out of Access Manager, the Access Manager session cookie is invalidated on all Identity Servers and Access Gateway servers. However, the application session cookie is left unchanged on the browser and on the origin web server. If a different user authenticates to Access Manager again on the same browser and accesses the proxied web server, the browser may resume the previously established HTTP session with the web server, so that the new user inherits the logged-out user's session. The Cookie Mangling feature in Access Gateway prevents this scenario by manipulating the application cookies set by the web servers and invalidating these cookies when a user logs out of Access Manager.

The two advanced Access Gateway options required to enable this functionality are NAGHostOptions mangleCookies and NAGWSMangleCookiePrefix. By default, the option NAGHostOptions mangleCookies is disabled.

To enable this feature, add the options NAGHostOptions mangleCookies=on and NAGWSMangleCookiePrefix <AnyString> in the Global Advanced Option.

Use the NAGWSMangleCookiePrefix <AnyString> option to specify the string added to the application cookie after manipulation. You can replace <AnyString> with a string of your choice. For example, adding the NAGWSMangleCookiePrefix AGMANGLE results in the Set-Cookie: AGMANGLEa50b_DzkN=5a8G0 application level cookie set in the browser.

URL Attribute Filter

This feature lets you define filtering options for each proxy service. It filters specified URLs out of the ones audited as part of the URL Accessed audit event. These filtered-out URLs are not displayed in the Audit Server. This is helpful where auditing every URL is not required and would only increase the load on the Audit Server. Unnecessary URLs, such as public images, public JavaScript files, CSS, and favicons, can be excluded from auditing. The option to set this feature is NAGFilteroutUrlForAudit <regular expression>. This option must be added to the Advanced Options section of each service. The regular expression uses standard Perl-based regular expression syntax. For more information, see Regular Expressions.

Each URL (path?querystring) is matched against this expression. If the match is successful, the URL will not be audited for URL access. For example, NAGFilteroutUrlForAudit ".*.jpg" and NAGFilteroutUrlForAudit ".*.gif". If these options are added to a service, all the *.jpg and *.gif files accessed will not be audited under the 'URL Accessed' audit event.

NOTE: Enabling URL Accessed audit events in Access Gateway can overload the Audit subsystem if the number of requests sent to Gateway per second is high. This may result in a delay in web pages getting loaded. It is recommended to use the http common/extended logging option for this purpose.
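The following added example (not part of the product) applies NAGFilteroutUrlForAudit expressions to request URLs in the path?querystring form described above, so you can see which requests drop out of the URL Accessed event before deploying a filter; it uses Python's re module as a stand-in for the Perl-style matcher, and the option block and URLs are constructed samples.

```python
import re
from typing import Dict, List

def parse_audit_filters(advanced_options: str) -> List[re.Pattern]:
    """Collect every active NAGFilteroutUrlForAudit "<regex>" line.

    A line starting with '#' is a deactivated advanced option and is skipped,
    matching how the Advanced Options section treats the pound sign.
    """
    patterns: List[re.Pattern] = []
    for line in advanced_options.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r'NAGFilteroutUrlForAudit\s+"(.*)"', line)
        if m:
            patterns.append(re.compile(m.group(1)))
    return patterns

def should_audit(url: str, patterns: List[re.Pattern]) -> bool:
    """True if the URL (path?querystring) still produces a URL Accessed event,
    that is, no filter expression matches it."""
    return not any(p.search(url) for p in patterns)

def audit_decisions(advanced_options: str, urls: List[str]) -> Dict[str, bool]:
    """Map each URL to whether it would be audited under the given options."""
    patterns = parse_audit_filters(advanced_options)
    return {url: should_audit(url, patterns) for url in urls}

# Constructed Advanced Options block: the two filters from the documentation
# plus a deactivated (commented) one.
SAMPLE_OPTIONS = r'''
NAGFilteroutUrlForAudit ".*.jpg"
NAGFilteroutUrlForAudit ".*.gif"
#NAGFilteroutUrlForAudit ".*\.css$"
'''

# Constructed request URLs in the path?querystring form that is matched.
SAMPLE_URLS = [
    "/images/logo.jpg",           # filtered: matches .*.jpg
    "/images/spinner.gif?v=3",    # filtered: matches .*.gif
    "/app/report.pdf",            # audited: no filter matches
    "/api/export?format=jpg",     # filtered too: the unescaped '.' matches '='
    "/static/site.css",           # audited: the css filter is commented out
]

if __name__ == "__main__":
    for url, audited in audit_decisions(SAMPLE_OPTIONS, SAMPLE_URLS).items():
        print(f"{'audit' if audited else 'skip '} {url}")
```

Anchoring the expression, for example NAGFilteroutUrlForAudit "\.jpg(\?.*)?$", stops the unescaped dot in .*.jpg from also silencing unrelated URLs such as /api/export?format=jpg.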

4.4.2 Configuring Advanced Options for Domain-Based and Path-Based Multi-Homing Proxy Services

Perform the following steps to configure the advanced options for domain-based and path-based multi-homing proxy service:

  1. Click Devices > Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options.

  2. Configure the advanced option by removing the pound (#) symbol.

    To disable an option, add the # symbol in front of the option, save your changes, then update Access Gateway.

    Table 4-2 Access Gateway Advanced Options for Proxy Services

    Advanced Option

    Description

    NAGHostOptions mangleCookies=on

    This option invalidates the cookies set by the Web server when the user logs out of Access Manager. By default, Access Gateway does not mangle the cookies that are sent by the web server.

    Proxy mangles the cookies that are sent by the web server using the user information and sets these mangled cookies at the browser. When a browser sends the mangled cookies to proxy, it de-mangles them using the user information and sends the de-mangled cookies to the web server.

    For more information about this option, see Enabling Cookie Mangling.

    NAGWSMangleCookiePrefix

    Use the NAGWSMangleCookiePrefix <AnyString> option to specify the string added to the application cookie after manipulation.

    For more information about this option, see Enabling Cookie Mangling.

    NAGFilteroutUrlForAudit

    You can add this option to proxy service that filters out specific URLs from auditing (URL Accessed). For example, NAGFilteroutUrlForAudit ".*.jpg", and NAGFilteroutUrlForAudit ".*.gif".

    CacheIgnoreHeaders

    This option is available only for the domain-based proxy service.

    Prevents Access Gateway from writing any Authorization headers to disk. This option is enabled by default, because writing Authorization headers to disk is a potential security risk. You can allow Authorization headers to be written to disk by placing a pound (#) symbol in front of the option or by setting it to None.

    For more information about this Apache option, see “CacheIgnoreHeaders Directive”.

    NOTE: All the path-based services under the domain-based service will inherit the new value.

    CacheMaxFileSize

    This option is available only for domain-based proxy service.

    Configuring this option in the Advanced Options of a proxy service allows you to set the size of the file that can be stored in the cache. By default the size is set to 5 MB. Add the line CacheMaxFileSize <bytes>, for example, CacheMaxFileSize 99900000.

    NOTE: All the path-based services under the domain-based service will inherit the new value.

    NAGChildOptions WebDav=/Path

    This option is valid only for path-based multi-homing proxy service.

    Allows the proxy service to handle the specified path. Remove the pound (#) symbol and replace /Path with the path you want the proxy service to handle.

    ProxyPassIgnorePathCase on

    Use this option to make the path-based multi-homing path URL case-insensitive. For example, you have set up a path-based proxy /profile in Administration Console, and the end user wants to access the URL https://www.lagssl.com/Profile/Security/login.aspx instead of https://www.lagssl.com/profile/Security/login.aspx. By default, the URL path is case-sensitive.

    NAGPostParkingSizeInKiloBytes

    This option allows you to change the post data parking size limit if an error occurs after you post large data (more than 56 Kilobytes in size) after a session timeout.

    SSLProtocol

    This option is supported by Access Gateway when listening as a server to clients (typically browsers). This directive specifies the SSL protocols for mod_ssl to use when establishing the server environment. Clients can only connect with one of the specified protocols. The accepted values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, or all of these.

    The syntax for this is SSLProtocol [+-]protocol. For example, SSLProtocol +SSLv3. For more information about configuring the SSL versions, see Apache documentation.

    SSLProxyProtocol

    This option is supported by Access Gateway when the reverse proxy is connecting to the back-end web servers. This directive specifies the SSL protocols for mod_ssl to use when establishing a proxy connection in the server environment. Proxies can only connect with one of the specified protocols. The accepted values are SSLv3, TLSv1, TLSv1.1, TLSv1.2, or all of these.

    The syntax for this is SSLProxyProtocol [+-]protocol. For example, SSLProxyProtocol +SSLv3. For more information about configuring the SSL versions, see Apache documentation.

    For Windows: SSLProxyCACertificateFile "C:\Program Files\Novell\apache\cacerts\myserver.pem"

    For Linux: SSLProxyCACertificateFile /opt/novell/apache2/cacerts/myserver.pem.

    This option prevents SSL connection failures between Access Gateway and the webserver when a self-signed certificate is used. To prevent such failures, import the webserver certificates into the proxy trust store. After importing the webserver certificates, use this advanced option.

    FailOnStatus error code1,error code2,error code3

    Back-end servers may return an error code instead of being timed out. Access Gateway keeps sending requests to a web server, even if the web server returns error codes.

    To prevent sending Access Gateway requests to such web servers, you can use this advanced option.

    AdditionalBalancerMemberOptions

    The proxy server checks the web server for each new session request at an interval of one minute by default. You can configure this advanced option to specify a different interval.

    For example, specify AdditionalBalancerMemberOptions retry=180, where 180 is in seconds.

    You can set the following parameters for this option:

    • min

    • max

    • smax

    • acquire

    • connectiontimeout

    • disablereuse

    • flushpackets

    • flushwait

    • ping

    • loadfactor

    • redirect

    • retry

    • status

    For more information about these parameters, see Apache Module mod_proxy.

    The following parameters are not supported:

    keepalive, lbset, route, timeout, and ttl

    RWOutboundHeaderQueryString on

    This option enables outbound header query string rewriting.

    NAGAddProxyHeader on

    When this option is set to off, Access Gateway does not send the X-Forwarded headers to the back-end web server.

    By default, this option is set to on.

    NAGHostOptions DisableIDC on

    This disables Advanced Session Assurance for short-lived session IDs.

    Set to off to enable Advanced Session Assurance for the session ID.

    For more information, see Disabling Advanced Session Assurance for Access Gateway Proxy Services.

    NAGHostOptions DisableSFP on

    This disables server-side fingerprinting Session Assurance.

    Set to off to enable server-side fingerprinting Session Assurance.

    For more information, see Disabling Advanced Session Assurance for Access Gateway Proxy Services.

    NAGHostOptions primaryWebdav=<path of pbmh service>

    This option is valid only for the path-based multi-homing proxy service.

    This option enables users who use the Microsoft Network Places client to connect to the WebDAV folders of a SharePoint server when the SharePoint server has been configured as a path-based multi-homing service on Access Gateway. This must be added to the Advanced Options of the master proxy service whose path-based child services accelerate WebDAV resources with the Remove Path on Fill option enabled.

    This option is equivalent to .modifyRequestURI in the 3.1 SP4 Access Gateway Appliance.

    NAGHostOptions webdavPath=/_vti_bin

    This option is valid only for the path-based multi-homing proxy service.

    This can be added to the Advanced Options of a master proxy service whose path-based child services accelerate WebDAV resources with the Remove Path on Fill option enabled.

    NAGChildOptions WebDav=<path of pbmh service>

    This option is valid only for the path-based multi-homing proxy service.

    This option can be added to any path-based service that accelerates WebDAV resources with the Remove Path on Fill option enabled.

    This option is equivalent to .modifyRequestURI in the 3.1 SP4 Access Gateway Appliance.

    For the list of global advanced options, see Table 4-1.