4.4.1 Configuring Global Advanced Options

The following settings apply to all reverse proxies unless an option is overridden by a proxy service level advanced option (see Section 4.4.2, Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service). Advanced options are disabled by default and take effect when they are added.

Perform the following steps to configure Access Gateway global advanced options:

  1. Click Devices > Access Gateways > Edit > Advanced Options.

  2. To activate an option, add it with the required value, save your changes, then update Access Gateway. To deactivate an option, prefix its line with the pound (#) symbol.

    Table 4-1 Access Gateway Global Advanced Options

    Advanced Option

    Description

    NAGGlobalOptions FlushUserCache=on

    Specifies whether cached credential data of the user is updated when the session expires or the user changes an expiring password. This option is equivalent to PasswordMgmt in the 3.1 SP4 Access Gateway Appliance.

    • When this option is on, which is the default setting, the credentials and the Identity Injection data are refreshed.

    • When this option is turned off, the cached user data can become stale.

      For example, if your password management service is a protected resource of Access Gateway and this option is turned off, every time a user changes an expiring password, the user’s data is not flushed and Access Gateway continues to use stale data for that user.

    NAGGlobalOptions UserAgent=<Microsoft Product1>, <Microsoft Product2>

    Different versions of Microsoft Office applications send different user agents. Use this option to list multiple user agents, separated by commas, so that users can perform single sign-on (SSO) from these applications.

    For example, you can configure this option as follows to enable SSO to Microsoft Office Word 2013 Windows NT 6.1, Microsoft Office Word 2016, and Microsoft Office Excel 2013:

    NAGGlobalOptions UserAgent=Microsoft Office Word 2013 (15.0.4420) Windows NT 6.1,Microsoft Office Word 2016,Microsoft Office Excel 2013

    NAGGlobalOptions DebugHeaders=on

    When this option is enabled, an X-Mag header containing debug information is added to responses. The header is visible in sniffer traces and in browser plug-ins such as ieHTTPHeaders, Live HTTP Headers, and FireBug. Because the header is returned to every client, enable this option only when NetIQ Support instructs you to, and disable it again afterwards.

    NAGGlobalOptions DebugFormFill=on

    When this option is enabled, additional debug information about the processing of a Form Fill policy is written to the Apache error log (the error_log file under /var/log/novell-apache2) and to the X-Mag header in the response to the browser. The Form Fill entries generated by this option begin with an FF: marker.

    For example:

    Oct 23 12:38:29 mag326 httpd[29345]: [warn] AMEVENTID#36: FF:fillSilent: kfh5ummigbq6uGeneral_SS_non_SS_autosumit_Page_13310, referer: https://www.idp.com:8443/nidp/idff/sso?sid=0
    Oct 23 12:38:29 mag326 httpd[29345]: [warn] AMEVENTID#36: FF:fillInplaceSilent: kfh5ummigbq6uGeneral_SS_non_SS_autosumit_Page_13310, referer: https://www.idp.com:8443/nidp/idff/sso?sid=0

    NAGGlobalOptions EnableWebsocket=off

    When this option is set to off, the WebSocket protocol is disabled for all proxy services. By default, this option is set to on.

    NAGGlobalOptions ESP_Busy_Threshold=<value>

    The proxy starts returning errors to the browser when the ESP's average response time over the last minute exceeds the specified value (in milliseconds).

    NAGGlobalOptions noTOPR

    Disables the activity-based timeout in the proxy. The proxy redirects browser requests after the soft timeout of the configured timeout value.

    This option is equivalent to disabletoppr in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions InPlaceSilent=on

    This enables single sign-on to certain websites whose login page must remain as is, without any modification to its structure.

    If you are using this advanced option for a Form Fill on a page with multiple forms, by default, the first form is posted. If you want to post forms other than the first form, use NAGGlobalOptions InPlaceSilentPolicyDoesSubmit=on. For more information, see TID 7011817.

    This option is equivalent to .enableInPlaceSilentFill in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions ForceUTF8

    When this option is enabled, Access Gateway uses the UTF-8 character set to serve the Form Fill page to the browser.

    This option is equivalent to forceUTF8Charset in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions AllowMSWebDavMiniRedir=on

    This option disables the following behavior, which is enabled by default: when a Microsoft Network Places client sends an OPTIONS request with the MS-WebDAV-MiniRedir user agent to Access Gateway, it receives a 409 Conflict response. The client uses this response to switch its user agent to MS Data Access Internet Publishing Provider DAV.

    This option is equivalent to AllowMSWebDavRedir in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions noURLNormalize=on

    When this option is enabled, URL normalization protection for back-end web servers is disabled. This resolves problems serving content from web servers whose URLs contain double-byte characters, such as Japanese text.

    By default, this option is set to off and the URL is normalized before it is sent to the back-end web server. Because normalization is what ensures that differently encoded forms of the same path are treated alike, before enabling this option confirm that the back-end server does not interpret encoded characters or dot-segments (for example %2e%2e) in a way that lets a request reach a path your protected-resource definitions did not intend.

    NAGAdditionalRewriterScheme <scheme>

    When this option is enabled, the rewriter rewrites URLs that have the scheme you have specified with the option. For example, if you want to enable this option for the webcal:// scheme, specify NAGAdditionalRewriterScheme webcal://.

    The default rewriter configuration rewrites URLs with a scheme of http:// or https://.

    NAGGlobalOptions AppendProviderID=on

    When this option is enabled, the ESP Provider ID is included in Access Gateway authorization audit logs, which helps troubleshoot issues related to the ESP provider ID.

    NAGGlobalOptions InPlaceSilentPolicyDoesSubmit=on

    Use this option to fill forms that contain complex JavaScript or VBScript.

    This option is equivalent to .enableInPlaceSilentFillNew in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions NAGErrorOnIPMismatch=off

    (Deprecated)

    In Access Manager 4.3, this option was merged into Advanced Session Assurance and is called Client IP.

    For more information, see Section 12.0, Setting Up Advanced Session Assurance.

    NAGGlobalOptions NAGDisableExternalRewrite=on

    When this option is enabled, Access Gateway does not insert the path into links that use the external published DNS name.

    This option is equivalent to .disableExternalDNSRewrite in the 3.1 SP4 Access Gateway Appliance.

    By default, this option is set to off and Access Gateway inserts the path on published DNS URL references.

    DisableGWSHealth on

    When this option is enabled, Access Gateway does not perform health checks against the back-end web server.

    This option is equivalent to .disableWSHealth in the 3.1 SP4 Access Gateway Appliance.

    NAGStackTraceDump off

    This option disables logging of the stack trace to /tmp/debug000.log when Access Gateway crashes.

    By default, when Access Gateway crashes, /tmp/debug000.log is created automatically and the stack trace is written to it.

    If memory corruption caused by the operating system is present, the Apache process may hang or crash indefinitely while dumping the stack. If you observe Apache processes piling up, use this option.

    NAGIchainCookieVersion on

    When this option is enabled, Access Gateway sends the proxy session cookie to the back-end server as IPCZQX01<clusterid>.

    IgnoreDNSServerHealth on

    When this option is used, Access Gateway does not send the DNS server health status when Access Gateway health is reported to Administration Console.

    When you set the option to IgnoreDNSServerHealth off <lookupname>, Access Gateway sends a DNS query for the specified <lookupname>. It reports success to Administration Console if it can reach the DNS server; otherwise it reports that it is unable to connect. If you do not specify the option at all, Access Gateway behaves as if IgnoreDNSServerHealth off www.novell.com were set.

    This option is equivalent to ignoreDnsServerHealth in the 3.1 SP4 Access Gateway Appliance.

    NAGGlobalOptions NAGRenameCookie=on

    Set this option to off to prevent the session ID from being changed automatically. By default, this option is set to on; leave it on unless an application requires a stable session ID.

    EnableWSHandshake on

    Consider a deployment with a firewall between Access Gateway and the back-end web server. By default, Access Gateway performs its heartbeat check with a simple TCP connect; an SSL-enabled web server may log that connect as a TLS handshake error, and after a certain number of such errors the firewall may block the connection. When this option is on, Access Gateway performs a full SSL handshake during the heartbeat check on SSL-enabled back-end web servers, so the web server does not report a handshake error.

    This option is set to off by default.

    NAGGlobalOptions IIRemoveEmptyHeaderValue

    This option makes the Identity Injection policy omit a header entirely when no value is available. By default, Access Gateway sends the header with an empty value.

    For example, an application may have both a public and a protected resource, each with an Identity Injection policy that injects a USERID header. For the public resource, the user name is injected only if the user is authenticated. When an unauthenticated user accesses the public resource, Access Gateway sends an empty USERID header. Web servers may not handle an empty header and may respond with an error; in that case, use this option to stop Access Gateway from sending it.

    DumpHeaders on

    DumpHeadersFacility user

    Together these options make the proxy log the user's request headers to /var/opt/novell/nam/logs/mag/apache2/error_log. Because request headers carry session cookies and any injected Authorization header, treat this log as sensitive and turn the options off after troubleshooting.

    SSLProxyVerifyDepth=3

    Specifies the depth of the web server certificate chain that Access Gateway verifies. When you enable verification of the web server certificate with Any in the Reverse Proxy Trust Store and the server's public certificate is part of a chain, set this to the number of certificates in that chain.

    For more information about configuring web servers for SSL, see Section 18.5, Configuring SSL between the Proxy Service and the Web Servers.

    If the web server certificate chain contains more than one certificate, enable SSLProxyVerifyDepth and set it to the number of certificates in the chain.

    SSLHonorCipherOrder

    This option lets you customize the SSLCipherSuite that Access Gateway uses, so that you can take preventive measures when new vulnerabilities are published. With SSLHonorCipherOrder on, the server's order in SSLCipherSuite, not the client's, decides which suite is negotiated.

    The following string was the documented mitigation for Browser Exploit Against SSL/TLS (BEAST) attacks; it prefers RC4 because BEAST affects CBC ciphers. RC4 has since been prohibited for TLS (RFC 7465) and is rejected by current browsers, so treat this string as historical: prefer a string that excludes RC4 and favours AEAD (GCM) suites, and check how your OpenSSL build expands it before deploying.

    SSLHonorCipherOrder on

    SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
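    Before deploying any SSLCipherSuite string, expand it against the OpenSSL build the gateway uses and look for weak algorithms. The following Python is an added example written for this page, not NetIQ code. It uses the standard-library ssl module, which hands the string to the local OpenSSL for resolution; run it on the gateway (or against the same OpenSSL version) for authoritative results. SAFER_SUITE and WEAK_MARKERS are assumptions for illustration, not values from the page.

```python
import ssl

# Cipher string from the page. RC4 is prohibited for TLS by RFC 7465 and most
# OpenSSL builds no longer ship it; names that match nothing are ignored when a
# cipher string is parsed, so on such a build this degrades to ALL minus the
# exclusions.
PAGE_SUITE = "!aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL"

# Assumed replacement (not from the page): high-strength suites with forward
# secrecy, and broken or deprecated algorithms excluded explicitly.
SAFER_SUITE = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!SRP:!kRSA"

# Substrings of OpenSSL cipher names that mark algorithms to keep off the wire.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")


def expand(cipher_string):
    """Return the cipher names the local OpenSSL selects for cipher_string,
    in the preference order that SSLHonorCipherOrder on would enforce."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches at all
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers_in(cipher_string):
    """Return the expanded cipher names that contain any weak marker."""
    return [n for n in expand(cipher_string) if any(m in n for m in WEAK_MARKERS)]


def report(cipher_string):
    """One-line summary for an operator comparing candidate strings."""
    names = expand(cipher_string)
    weak = weak_ciphers_in(cipher_string)
    return f"{len(names)} suites selected, {len(weak)} weak: {', '.join(weak) or 'none'}"


if __name__ == "__main__":
    for label, suite in (("page", PAGE_SUITE), ("safer", SAFER_SUITE)):
        print(f"{label:>5}: {report(suite)}")
```

    The list that expand() returns is the order the server will offer, so it doubles as a check that the suites you want preferred really come first.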

    ProxyErrorOverride

    Allows you to specify which errors you want returned to the browser unchanged by the Gateway Service.

    Some applications add more information, such as keys and JavaScript in the message. If this information is critical, specify an override and allow the error message to be returned to the browser without any modifications.

    For example, NetStorage requires an override for the 401 error because it includes a key in the 401 error. The portal page for the Micro Focus Open Enterprise Server requires an override for error 403 because it includes JavaScript.

    You can use the following syntax to set this option:

    • ProxyErrorOverride on -401 -403: All web server errors are changed to Gateway Service errors except 401 and 403, which are sent unchanged.

      Use this form to list the few errors you want forwarded unchanged while all others are changed to Gateway Service errors.

    • ProxyErrorOverride off +401 +403: Web server errors are not changed to Gateway Service errors, except 401 and 403, which are changed.

      Use this form when only a few errors need to be changed to Gateway Service errors.

    NAGGlobalOptions onFormFillPolicyRedirUseHttp=on

    This option makes Access Gateway redirect with an HTTP 302 status code and a Location header when a Form Fill policy requires a redirect.

    By default, Access Gateway uses JavaScript to trigger the redirect in the Form Fill policy. Use this option if JavaScript redirects cause problems.

    NAGGlobalOptions NoAuthHdrWithoutPwd=on

    This option stops the Identity Injection policy from sending an Authorization header when no password is available, for example when users authenticate with a Kerberos contract.

    This option is set to off by default.

    NAGLAGCompatiability on

    This option enables sharing of session information between 3.1 SP4 Access Gateway Appliance and 4.0 Access Gateway Appliance during the process of migration.

    This option is added by default during the process of migration to ensure communication between two appliances. Disable or remove this option after the migration is complete.

    NAGSendURLinErrorResponses on

    When this option is on, the 302 redirect returned when you access a protected resource does not include an href.

    NAGSessionKey Default

    For additional security in case of cross-domain authentication, Access Gateway session cookie is encrypted before sending it as a URL query parameter.

    For example, in earlier releases of Access Manager, the URL is https://novell.blr.com:9443/ -CIPCZQX03218a425f=01000300a463892f582b51722510f334a4223149

    In Access Manager 4.1, the URL is https://novell.blr.com:9443/%20-CECCjdOOBPIqZZNtF+dRlAyDfTFvOPwnO0xzOQTcnrubNzJ6GFe6FF8dWRzzg7RY9iZJYxNLaU80KnJOoqtqf6u2g==

    Use this option to specify your own password. Use a long, random value; a longer password gives stronger protection.

    For example: NAGSessionKey NAM-CROSS-DOMAIN-SESSION-KEY-ENCRYPTION-PASSWORD.

    By default, the password is set to "default". Because that default is publicly documented, change it in any deployment that uses cross-domain authentication.

    NAGGlobalOptions TempUserTTL=<value in minutes>

    NOTE:This option is available in Access Manager 4.4 Service Pack 1 and later.

    The IPC cookie (temporary cookie) set by Access Gateway is valid for only 2 minutes for a user accessing Access Manager for the first time. Use this option if you need to extend the validity of the IPC cookie.

    Consider a user who accesses a protected resource for the first time and must register user details before authenticating to Access Manager. If the registration takes longer than 2 minutes, the IPC cookie is invalidated and demangling of the cookie fails. If you enable this option with a suitable time limit (2 to 30 minutes), the user can complete the registration and access the protected resource.

    The value in minutes can be 2 to 30. If this option is not added, Access Manager uses the default of 2 minutes. Keep the value as low as the registration flow needs, because the temporary cookie stays valid for the whole period.

    For example, NAGGlobalOptions TempUserTTL=10. For more information about using this option, see TID 7022368.

    AllowEncodedSlashes NoDecode

    When this option is enabled, URLs containing encoded slashes are accepted, but the encoded slash is left undecoded.

    For example, the server accepts the encoded URL www.example.com%2Ffinance, but does not try to decode the encoded slash (%2F for /).

    For more information about this option, see AllowEncodedSlashes Directive.

    NAGGlobalOptions ExcludeDNSFull=on

    When this option is set to on, a back-end DNS name that appears in the Exclude DNS Name list is excluded from rewriting entirely: no HTML rewriting is performed for that DNS name.

    SetStrictTransportSecurity off

    Set this option to off to disable HTTP Strict Transport Security. By default, it is set to on. HSTS is what makes browsers insist on HTTPS for the published DNS name, so leave it on unless you have a specific reason and understand the downgrade exposure.

    NAGGlobalOptions SetHashedCookiesInResponse=on

    Access Manager 4.3 and later prints only the hashed values of all IPC and AGIDC cookies in the log files. When this advanced option is set to on, Access Gateway sets these hashed values of IPC and AGIDC cookies into browsers with the name IPCZQX0354154289-Hash and AGIDC0354154289-Hash.

    For more information, see Section 31.15.3, Adding Hashed Cookies into Browsers.

    NAGGlobalOptions OverwriteWithIICookie=on

    (This option is available in Access Manager 4.4 Service Pack 3 and later versions.)

    This option overwrites a browser cookie when Access Gateway creates a cookie with the same name through the Identity Injection policy. By default, this option is set to on.

    For example, an Identity Injection policy injects TestCookie with the value <cn>, where cn=foo, and the browser sends a cookie with the same name TestCookie and the value bar. With this option on, bar is overwritten with foo and the cookie TestCookie=foo is sent to the back-end web server.

    If you set this option to off, both cookies are sent to the back-end web server under the same name, and which value the application reads depends on how its framework resolves duplicate cookie names.

For the list of proxy service level advanced options, see Table 4-2.

Options to Clean Up Thick Client State At Browser

When Access Gateway detects the idle timeout, the user is redirected to Identity Server for authentication. If the request matches the content type and URL pattern used by the thick client (as defined in the NAGContentType and NAGUrlPattern advanced options), the user is instead redirected to the pre-defined timeout URL defined in the NAGAuthFrontChannel advanced option. The redirect URL also carries additional information, such as the ESP login URL, the contract name, and the landing page URL, as defined in the advanced options.

The following advanced options must be used together to clean up the thick client:

Advanced Option

Description

NAGLauncher

URL that launches the client.

NAGUrlPattern /messagebroker/*

URL pattern that identifies if a specific request came from a client.

NAGContentType application/x-amf

Content type in the Request header that is used to identify if the request is a client.

NAGAuthBackChannel /namtimeout/timeoutamf

Timeout handler on the server.

NAGAuthFrontChannel

Timeout handler on the server which includes the published DNS name of the server.

Enabling Cookie Mangling

When you log out of Access Manager, the Access Manager session cookie is invalidated on all Identity Servers and Access Gateway servers. However, the application session cookie is left unchanged in the browser and on the origin web server. If a different user then authenticates to Access Manager in the same browser and accesses the proxied web server, the browser may resume the previously established HTTP session with the web server, so that the new user inherits the logged-out user's session. The Cookie Mangling feature in Access Gateway prevents this by manipulating the application cookies set by web servers and invalidating them when a user logs out of Access Manager.

The following two advanced options are required to enable this functionality:

  • NAGHostOptions mangleCookies

  • NAGWSMangleCookiePrefix

By default, NAGHostOptions mangleCookies is disabled.

To enable this feature, add the options NAGHostOptions mangleCookies=on and NAGWSMangleCookiePrefix <AnyString> in the Global Advanced Option.

Use NAGWSMangleCookiePrefix <AnyString> to specify the string prepended to the application cookie name after manipulation. Replace <AnyString> with a string of your choice.

For example, NAGWSMangleCookiePrefix AGMANGLE results in an application-level cookie such as Set-Cookie: AGMANGLEa50b_DzkN=5a8G0 being set in the browser.
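The following Python is an added example written for this page, not NetIQ's implementation, and the page does not document the real mangled-name format, so the hashing below is only a stand-in. It models the two situations the section describes: the default, where the web server's cookie passes through the proxy untouched and a second user on the same browser inherits the first user's application session, and cookie mangling, where the cookie name is rewritten to a prefixed, session-bound name whose mapping is discarded at logout. The prefix AGMANGLE and the cookie JSESSIONID=abc123 are assumed.

```python
import hashlib
import secrets

# Assumed value of the NAGWSMangleCookiePrefix advanced option.
MANGLE_PREFIX = "AGMANGLE"


class ProxyModel:
    """Toy reverse proxy between browser and web server.

    mangle=False: application cookies pass through unchanged (the default).
    mangle=True: Set-Cookie names from the web server are rewritten to a
    prefixed, session-bound name; the mapping needed to translate them back is
    dropped when the Access Manager session is logged out.
    """

    def __init__(self, mangle, prefix=MANGLE_PREFIX):
        self.mangle = mangle
        self.prefix = prefix
        self.cookie_map = {}  # proxy session id -> {mangled name: original name}

    def login(self):
        sid = secrets.token_hex(8)  # new Access Manager session
        self.cookie_map[sid] = {}
        return sid

    def logout(self, sid):
        # Dropping the mapping invalidates every mangled cookie of this session,
        # even though the browser still holds them.
        self.cookie_map.pop(sid, None)

    def rewrite_set_cookie(self, sid, header_value):
        """Rewrite 'NAME=VALUE' from the web server before it reaches the browser."""
        name, _, value = header_value.partition("=")
        if not self.mangle:
            return header_value
        # Illustrative only: the real mangled-name derivation is not documented here.
        tag = hashlib.sha256(f"{sid}:{name}".encode()).hexdigest()[:10]
        mangled = f"{self.prefix}{tag}"
        self.cookie_map[sid][mangled] = name
        return f"{mangled}={value}"

    def forward_cookies(self, sid, cookie_header):
        """Translate the browser's Cookie header into what the web server receives."""
        out = []
        mapping = self.cookie_map.get(sid, {})
        for part in filter(None, (p.strip() for p in cookie_header.split(";"))):
            name, _, value = part.partition("=")
            if not self.mangle:
                out.append(part)
            elif name in mapping:
                out.append(f"{mapping[name]}={value}")
            # A mangled cookie from another (logged-out) session matches nothing
            # and is silently dropped, so the web server starts a fresh session.
        return "; ".join(out)


def session_inheritance_demo(mangle):
    """Return the Cookie header the web server sees from the *second* user."""
    proxy = ProxyModel(mangle)
    browser_jar = {}

    # User A logs in; the web server sets its own application session cookie.
    sid_a = proxy.login()
    name, _, value = proxy.rewrite_set_cookie(sid_a, "JSESSIONID=abc123").partition("=")
    browser_jar[name] = value
    proxy.logout(sid_a)  # Access Manager session ends; app cookie stays in the browser

    # User B authenticates on the same browser and requests the proxied application.
    sid_b = proxy.login()
    cookie_header = "; ".join(f"{n}={v}" for n, v in browser_jar.items())
    return proxy.forward_cookies(sid_b, cookie_header)


if __name__ == "__main__":
    print("without mangling, web server receives:", repr(session_inheritance_demo(False)))
    print("with mangling, web server receives:   ", repr(session_inheritance_demo(True)))
```

Without mangling the second user's request still carries JSESSIONID=abc123 and the application resumes user A's session; with mangling the stale cookie cannot be translated back and nothing reaches the web server.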

URL Attribute Filter

This feature lets you define filtering options for each proxy service. It filters specified URLs out of the URL Accessed audit event; filtered URLs are not sent to or displayed in the Audit Server. This is useful where auditing every URL is unnecessary and would add load on the Audit Server: URLs for public images, public JavaScript, CSS, and favicons can be left out of auditing. The option is NAGFilteroutUrlForAudit <regular expression>, added to the Advanced Options section of each service. The expression uses standard Perl regular expression syntax; for details, see perlre.

Each URL (path?querystring) is matched against the expression, and a URL that matches is not audited for URL access. For example, adding NAGFilteroutUrlForAudit ".*.jpg" and NAGFilteroutUrlForAudit ".*.gif" to a service stops all *.jpg and *.gif files it serves from being audited under the 'URL Accessed' event. Note that in a regular expression an unescaped dot matches any character and the match is unanchored, so ".*.jpg" also matches a URL such as /download?file=report.jpg or any path that merely contains "jpg". Escape the dot (\.jpg) and anchor the pattern to the end of the path if you want to exclude only image files.

NOTE: If you enable 'URL Accessed' audit events in Access Gateway and the rate of requests to the gateway is high, the Audit subsystem can become overloaded and web pages may load slowly. NetIQ recommends using the HTTP common/extended logging option for this purpose instead.
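To see what a NAGFilteroutUrlForAudit pattern actually excludes, match it against a handful of URLs in the path?querystring form before adding it to a service. The following Python is an added example written for this page, not NetIQ code; the sample URLs are constructed, the loose patterns are the page's own, and STRICT_PATTERNS is an assumed tighter alternative. Python's re.search behaves like Perl's unanchored match for the constructs used here.

```python
import re

# Constructed sample of URLs in the form Access Gateway matches: path?querystring.
SAMPLE_URLS = [
    "/images/logo.jpg",
    "/images/logo.jpg?v=3",
    "/api/jpgs",                  # no file extension at all
    "/download?file=photo.jpg",   # application download; only the query ends in .jpg
    "/portal/home",
]

# The page's examples: the dot before the extension is unescaped and the
# pattern is unanchored, so it matches any URL containing "<any char>jpg".
LOOSE_PATTERNS = [r".*.jpg", r".*.gif"]

# Assumed tighter form (not from the page): escaped dot, the extension must end
# the path component, and an optional query string is tolerated after it.
STRICT_PATTERNS = [r"^[^?]*\.(jpg|gif|css|js|ico)(\?.*)?$"]


def is_filtered_out(url, patterns):
    """True if any NAGFilteroutUrlForAudit pattern matches, i.e. the URL is not audited."""
    return any(re.search(p, url) for p in patterns)


def audited_urls(urls, patterns):
    """URLs that would still produce a 'URL Accessed' audit event."""
    return [u for u in urls if not is_filtered_out(u, patterns)]


if __name__ == "__main__":
    print("loose :", audited_urls(SAMPLE_URLS, LOOSE_PATTERNS))
    print("strict:", audited_urls(SAMPLE_URLS, STRICT_PATTERNS))
```

With the loose patterns only /portal/home remains audited: the extension-less /api/jpgs and the /download request whose query string happens to end in .jpg both drop out of the audit trail. The strict pattern keeps those two while still excluding the static images, with or without a cache-busting query string.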