3.4.1 Configuring Global Advanced Options

The following settings apply to all reverse proxies, unless the option is overwritten by an advance proxy service setting. See Configuring Advanced Options for a Domain-Based and Path-Based Multi-Homing Proxy Service).

Perform the following steps to configure Access Gateway global advanced options:

  1. Click Devices > Access Gateways > Edit > Advanced Options.

  2. To activate these options, configure the value, save your changes, and update Access Gateway. To deactivate these options, add the pound (#) symbol.

    Table 3-1 Access Gateway Global Advanced Options

    Advanced Option

    Description

    NAGGlobalOptions FlushUserCache=on

    Specifies whether cached credential data of the user is updated when the session expires or the user changes an expiring password. By default, it is set to on.

    • When this option is set to on, credentials and the Identity Injection data are refreshed.

    • When this option is set to off, the cached user data can become stale.

      For example, if your password management service is a protected resource of Access Gateway and this option is set to off, every time a user changes a password, the user’s data is not flushed and Access Gateway continues to use stale data for that user.

    NAGGlobalOptions UserAgent=<Microsoft Product1>, <Microsoft Product1>

    Different versions of Microsoft Office applications come with different user agents. Using this option, you can configure multiple user agents with comma separator to enable users to perform single sign-on (SSO) to these applications.

    For example, you can configure this option as follows to enable SSO to Microsoft Office Word 2013 Windows NT 6.1, Microsoft Office Word 2016, and Microsoft Office Excel 2013:

    NAGGlobalOptions UserAgent=Microsoft Office Word 2013 (15.0.4420) Windows NT 6.1,Microsoft Office Word 2016,Microsoft Office Excel 2013

    NAGGlobalOptions DebugHeaders=on

    When this option is set to on, an X-Mag header is added with the debug information. You can see the information in sniffer traces and with plug-ins such as ieHTTPHeaders, Live HTTP Headers, and FireBug. You must enable this option with the assistance of NetIQ Support.

    NAGGlobalOptions DebugFormFill=on

    When this option is set to on, additional debug information related to the processing of a Form Fill policy is added to the Apache error log files and to the X-Mag header in the response to browser.

    Linux: /var/log/novell-apache2/error_log

    Windows: \Program Files\Novell\Apache\logs\error.log

    The Form Fill entries generated by this option begin with a FF: marker.

    For example, Oct 23 12:38:29 mag326 httpd[29345]: [warn] AMEVENTID#36: FF:fillSilent: kfh5ummigbq6uGeneral_SS_non_SS_autosumit_Page_13310, referer: https://www.idp.com:8443/nidp/idff/sso?sid=0 Oct 23 12:38:29 mag326 httpd[29345]: [warn] AMEVENTID#36: FF:fillInplaceSilent: kfh5ummigbq6uGeneral_SS_non_SS_autosumit_Page_13310, referer: https://www.idp.com:8443/nidp/idff/sso?sid=0

    NAGGlobalOptions EnableWebsocket=off

    When this option is set to off, the WebSocket protocol is disabled for all proxy services. By default, this option is set to on.

    NAGGlobalOptions ESP_Busy_Threshold=<value>

    Proxy starts sending errors to the browser if ESP's average response time in the last one minute is more than the specified value (time in milliseconds).

    NAGGlobalOptions noTOPR

    Disables the activity based time-out in proxy. The proxy redirects browser requests after soft timeout of configured timeout value.

    NAGGlobalOptions ForceUTF8

    When this option is set to on, Access Gateway uses the UTF-8 character set to serve the Form Fill page to the browser.

    NAGGlobalOptions InPlaceSilent=on

    This enables SSO to websites that require the login page to remain as is without any modifications to its structure.

    If you are using this advanced option for a Form Fill on a page with multiple forms, by default, the first form is posted. If you want to post forms other than the first form, use NAGGlobalOptions InPlaceSilentPolicyDoesSubmit=on. For more information, see TID 7011817.

    NAGGlobalOptions AllowMSWebDavMiniRedir=on

    This option helps the user to disable the following functionality, which is enabled by default. If a Microsoft Network Places client sends an OPTIONS request with MS-WebDAV-MiniRedir useragent to Access Gateway, then it receives 409 conflict response. The client uses this response to change the user agent to MS Data Access Internet Publishing Provider DAV.

    For example, to access Vibe WebDav folders from My Network Places or Map Network Drive on Windows 7, perform the following steps:

    1. Set the advanced option NAGGlobalOptions AllowMSWebDavMiniRedir to on.

    2. On the client server, perform the following steps:

      1. Add the Vibe and Access Manager URLs to the browser’s trusted site and add the certificates to the Trusted Root Certification Authorities.

      2. Restart the client and access Vibe Webdav URLs either by using Add a network location option or Map network drive option.

    NAGGlobalOptions noURLNormalize=on

    When set to on, this option disables the URL normalization protection for backend web servers. This option resolves issues in serving the web content from web servers that have double-byte characters such as Japanese language characters.

    By default, this option is set to off and URL is normalized before sending it to a backend web server.

    NAGAdditionalRewriterScheme <scheme>

    When this option is enabled, the rewriter rewrites URLs that have the scheme you have specified with the option. For example, if you want to enable this option for the webcal:// scheme, specify NAGAdditionalRewriterScheme webcal://.

    The default rewriter configuration rewrites URLs with a scheme of http:// or https://.

    NAGGlobalOptions SameSiteCookie=on

    Use this option to set the behavior of the SameSite attribute for cookies. By default, this option is set to off. When set to on, the default value is None and the option is applied to each Set-Cookie header coming from Access Gateway.

    After setting NAGGlobalOptions SameSiteCookie to on, you can set the value of SameSite to Strict or Lax instead of None as follows:

    • NAGGlobalOptions SameSiteOption "SameSite=Strict": The cookie is withheld with any cross-site usage. It is sent only when the site for the cookie matches the site in the browser's URL bar.

    • NAGGlobalOptions SameSiteOption "SameSite=Lax": The cookie is sent for cross-site usage when the request is top-level and is a GET request.

    In addition to setting this option, you must also set additional configuration in the web.xmlfile. For more information see, Configuring Support for Access Manager on Google Chrome Browser.

    NAGGlobalOptions AppendProviderID=on

    When set to on, this option displays the ESP Provider ID in Access Gateway authorization audit logs. This option helps to know the issues related to ESP provider ID in the audit log file.

    NAGGlobalOptions InPlaceSilentPolicyDoesSubmit=on

    This option is used to fill forms with complex JavaScript or VBScripts.

    NAGGlobalOptions NAGErrorOnIPMismatch=off

    (Deprecated)

    In Access Manager 4.3, this option has been merged with Advanced Session Assurance and called as Client IP.

    For more information, see Setting Up Advanced Session Assurance.

    NAGGlobalOptions NAGDisableExternalRewrite=on

    Access Gateway does not insert the path for the links with external published DNS when you enable this option.

    By default, this option is set to off and Access Gateway inserts the path on published DNS URL references.

    DisableGWSHealth on

    When this option is enabled, Access Gateway does not check health of the web server with the backend server.

    NAGStackTraceDump off

    This option disables logging of stack trace in the /tmp/debug000.log file when Access Gateway is crashed.

    By default, when Access Gateway gets crashed, the file /tmp/debug000.log is created automatically and the stack traces are logged in it.

    If memory is corrupted because of the operating system, the apache process might get hung or crashed indefinitely because of stack dumping. It is recommended to use this option when you observe that the apache process is getting piled up.

    NAGIchainCookieVersion on

    When this option is enabled, Access Gateway sends the proxy session cookie to the backend server as IPCZQX01<clusterid>.

    IgnoreDNSServerHealth on

    When this option is used, Access Gateway does not send the DNS server health status when Access Gateway health is reported to Administration Console.

    When you set the option to IgnoreDNSServerHealth off <lookupname>, Access Gateway sends a DNS query with the specified <lookupname>. Access Gateway sends a successful message to Administration Console if it connects to the DNS server, else it will send an unable to connect message. By default if you have not specified any option, Access Gateway sets the option as IgnoreDNSServerHealth off www.novell.com.

    EnableWSHandshake on

    Setup a firewall between Access Gateway and the backend web server. When Access Gateway performs heartbeat check with a simple TCP connect to the web server, the web server may throw a TLS handshake error. This may cause the firewall, after a certain threshold, to block the connection.This option enables Access Gateway to perform a SSL handshake while performing a heartbeat check on the back-end SSL-enabled web server so that the web server does not respond with a TLS handshake error. By default, Access Gateway performs a simple TCP connect while performing a heartbeat check on the back-end web server.

    This option is set to off by default.

    DumpHeaders on

    DumpHeadersFacility user

    These options ensure that the proxy server logs the user headers to /var/opt/novell/nam/logs/mag/apache2/error_log for Linux and \ProgramFiles\Novell\Apache\logs\error.log for Windows.

    NAGGlobalOptions IIRemoveEmptyHeaderValue

    This option prevents the Identity Injection policy from sending an empty header with null value when a value is not available. By default, Access Gateway sends an empty header with a null value if a value is not available.

    For example, applications may have a public and a protected resource configured. Both resources may use an identity injection policy to inject an USERID. The public resource uses the user name if authenticated. If the user accesses the public resource (before authentication), Access Gateway sends an empty header variable USERID. Web servers may not handle an empty header and may respond with an error. In such a scenario, use this option.

    SSLProxyVerifyDepth=3

    Use this option to specify how many certificates are available in a web server certificate chain. When you activate the verification of the web server certificate with Any in Reverse Proxy Trust Store and the public certificate is part of a chain, you need to specify the number of certificates that are in the certificate chain.

    For more information, see Configuring SSL between the Proxy Service and the Web Servers.

    If the number of certificates in a web server certificate chain is greater than 1, then you must enable this option and assign the respective value (equal to the number of certificates in the chain).

    SSLHonorCipherOrder

    Use this option to customize SSLCipherSuite used by Access Gateway. This helps in taking preventive measures when new vulnerabilities are published.

    To avoid Browser Exploit Against SSL/TLS (BEAST) attacks, use the advanced option as follows:

    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:MEDIUM:!LOW:!EXP:!SSLv2:!aNULL:!EDH:!ECDH:!ECDSA:!AESGCM:!eNULL:!NULL

    You can configure the SSLCipherSuite option as follows to get the A+ rating while validating with SSLLabs. However, this setting might affect performance. In addition to this setting, ensure that you have set the SSLProxyProtocol option at the proxy level.

    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

    SSLProtocol

    Access Gateway supports this option when listening as a server to clients (typically browsers). This directive specifies SSL protocols for mod_ssl to use when establishing the server environment. Clients can only connect with one of the specified protocols. The accepted values are SSLv3, TLSv1, TLSv1.1, TLSv1.2 and all of these.

    The syntax for this is SSLProtocol [+-]protocol. For example, SSLProtocol +SSLv3.

    For information about configuring the SSL versions, see Apache documentation.

    NAGGlobalOptions onFormFillPolicyRedirUseHttp=on

    This option enables Access Gateway to redirect based on HTTP status code 302 along with the location header when a Form Fill policy requires redirect.

    By default, Access Gateway uses JavaScript to trigger redirect in the Form Fill policy. You can use this option if any issue occurs with JavaScript redirects.

    NAGGlobalOptions NoAuthHdrWithoutPwd=on

    This option restricts sending the authorization header with Identity Injection policy when a password is unavailable. For example, When users authenticate with Kerberos contract.

    This option is set to off by default.

    NAGGlobalOptions NAGRenameCookie=on

    Set this option to off to prevent the session ID from getting changed automatically. By default, this option is set to on.

    ProxyErrorOverride

    Allows you to specify which errors you want returned to the browser unchanged by Access Gateway Service.

    Some applications add more information, such as keys and JavaScript, in the message. If this information is critical, specify an override and allow the error message to be returned to the browser without any modifications.

    For example, NetStorage requires an override for the 401 error because it includes a key in the 401 error. The portal page for the Micro Focus Open Enterprise Server requires an override for error 403 because it includes JavaScript.

    You can use the following syntax to set this option:

    • ProxyErrorOverride on -401 -403:Allows all errors to be changed to Gateway Service errors except errors 401 and 403, which are sent unchanged.

      This syntax allows you to list the few errors you want to forward without change while allowing all the others to be changed to Gateway Service errors.

    • ProxyErrorOverride off +401 +403:Disables the changing of web server errors to Gateway Service errors except for errors 401 and 403, which are changed to Gateway Service errors.

      Use this option when you have only a few errors to be changed to Gateway Service errors.

    NAGSendURLinErrorResponses on

    This option does not include a href when you access a protected resource and a 302 redirect occurs.

    AllowEncodedSlashes NoDecode

    When this option is enabled, URLs are accepted, but encoded slashes are not decoded.

    For example, the server accepts the encoded URL www.example.com%2Ffinance, but does not try to decode the encoded slash (%2F for /).

    For more information, see AllowEncodedSlashes Directive.

    NAGGlobalOptions ExcludeDNSFull=on

    When this option is set to on, the DNS name is excluded from being rewritten by that domain. The HTML Rewriting does not happen when the backend DNS name is included in the Exclude DNS Name list.

    SetStrictTransportSecurity off

    Set this option to off if you want to disable HTTP Strict Transport Security. By default, it is set to on.

    NAGGlobalOptions SetHashedCookiesInResponse=on

    Access Manager prints only the hashed values of all IPC and AGIDC cookies in the log files. When this option is set to on, Access Gateway sets these hashed values of IPC and AGIDC cookies into browsers with the name IPCZQX0354154289-Hash and AGIDC0354154289-Hash.

    For more information, see Adding Hashed Cookies into Browsers.

    NAGSessionKey Default

    In case of cross-domain authentication, the Access Gateway session cookie is encrypted before sending it as a URL query parameter for additional security. An example URL of Access Manager is https://novell.blr.com:9443/%20-CECCjdOOBPIqZZNtF+dRlAyDfTFvOPwnO0xzOQTcnrubNzJ6GFe6FF8dWRzzg7RY9iZJYxNLaU80KnJOoqtqf6u2g==

    You can use this option to specify the password as per the administrator's needs. It is recommended to use passwords with more characters to increase security.

    For example: NAGSessionKey NAM-CROSS-DOMAIN-SESSION-KEY-ENCRYPTION-PASSWORD.

    By default, the password is set to default.

    NAGGlobalOptions TempUserTTL=<value in minutes>

    The IPC cookie (temporary cookie), which is set by Access Gateway is valid for only 2 minutes for a user accessing Access Manager for the first time. You can use this option if you require increasing the time limit for the validity of IPC cookie.

    For example, a user is trying to access a protected resource for the first time and has to register user details before authenticating to Access Manager. In this scenario, if the registration process takes longer time (more than 2 minutes), the IPC cookie gets invalidated and hence demangling of the cookie fails. If you enable this option with the required time limit (2 to 30 minutes), the user can complete the registration process and access the protected resource.

    Here, value in minutes can be 2 to 30. If this option is not added, Access Manager uses the default value, 2 minutes.

    For example, NAGGlobalOptions TempUserTTL=10. For more information, see TID 7022368.

    NAGGlobalOptions OverwriteWithIICookie=on

    This option overwrites any browser cookie if Access Gateway creates a cookie with the same name by using the Identity Injection policy. By default, this option is set to on.

    For example, an Identity Injection policy injects TestCookie with the value <cn>, where cn=foo, and the browser sends a cookie with the same name TestCookie with the value bar. This option overwrites the value bar to foo and the cookie TestCookie=foo is sent to the backend web server.

    If you set this option to off, both cookies are sent to the backend web server.

    NoXSSURLs request-urls

    Disables the XSS attack detection for a request coming from a URL containing a specific path/filename.

    Configure this option and specify the request-urls for which you want to disable the XSS attack detection.

    The request-urls is a white-space separated list of the path/filename section of URLs. Specify the path/filename in double quotes if it contains white spaces.

    This option supports percent-encoding (URL encoding). Add a parameter -penc if the request-urls values are percent-encoded.

    For example,

    NoXSSURLs "/user/dir dir/form.html"

    NoXSSURLs -penc "/root/dir%20%20%20dir/form.html"

    Access Manager does not detect the XSS attack for requests that come from any URL containing /user/dir dir/form.html.

    NOTE:A mix of both URL-encoded value and not encoded value is not supported in the same list. You can use each option multiple times.

    NAGGlobalOptions DisableDetectXSS=on

    Set this option to on if you want to disable the XSS attack detection for all request. By default, this option is set to off.

    To disable the XSS attack detection for a proxy service, see NAGHostOptions DisableDetectXSS=on, NoXSSURLs request-urls, and NoXSSRefererURLs referer-urls.

    NoXSSRefererURLs referer-urls

    Disables the XSS attack detection for a request coming from a referer header containing a specific path/filename.

    Configure this option and specify the referer-urls for which you want to disable the XSS attack detection. The referer-urls is a white-space separated list of the path/filename section of the referer header. Specify a value in double quotes if it contains white spaces.

    This option supports percent-encoding (URL encoding). Add a parameter -penc if the referer-urls values are percent-encoded.

    For example,

    NoXSSRefererURLs /nesp/idff/spassertion_consumer /portal/user/content

    NoXSSRefererURLs -penc "/images/dir%20%20jpeg/logo.html"

    Access Manager will not detect the XSS attack for requests that come from any referer heading containing /nesp/idff/spassertion_consumer or /portal/user/content.

    NOTE:A mix of both URL-encoded value and not encoded value is not supported in the same list. You can use each option multiple times.

    NAGGlobalOptions DisableFavicon=off

    Set this option to on if you want Access Gateway to block any http request containing the filename favicon.ico and return HTTP 404 Not Found to the browser.

    By default, this option is set to off.

    NAGGlobalOptions CookieBrokerEncode

    By default, Access Gateway encodes and decodes the encrypted session key during URL redirection of the authentication process.

    However, Access Gateway can be placed behind a third party web application firewall that forwards the request to Access Gateway after performing URL decoding. Access Gateway, by default, tries to decode the URL. This results in issues while processing the request at a later stage.

    Using this option, you can enable or disable URL encoding and decoding of the session key at Access Gateway.

    For example, to disable the encoding, set the option as follows:

    NAGGlobalOptions CookieBrokerEncode=off

    By default, this option is set to on.

    NAGWSMangleCookiePrefix

    Use the NAGWSMangleCookiePrefix <AnyString> option to specify the string added to the application cookie after manipulation.

    For more information about this option, see Cookie Mangling.

    NAGWSMangleCookieDomainPath

    Set this option to configure additional domain names and paths that Access Gateway uses while cleaning mangled cookies.

    For more information, see Cookie Mangling.

    NAGServerSignature

    (Access Manager 4.5 Service Pack 3 and later)

    The server name is displayed in the Access Gateway response header. Use this option to hide the server name in the response header. Alternatively, instead of hiding the server name, you can display a false name for the server. The following list describes the usage of this option:

    • NAGServerSignature: Hides the server name.

    • NAGServerSignature "<false server name>"

      Replaces the server name with a false server name.

      For example, specifying NAGServerSignature "apache server" will display apache server in the response header.

    • NAGServerSignature <false server name>

      Replaces the server name with a false server name. However, if you do not use quotes, it will display only the first word of the string.

      For example, specifying NAGServerSignature apache server will display apache in the response header.

    NoRedirectTargetCheck on

    (Access Manager 4.5 Service Pack 4 and later)

    URL redirection occurs at Access Gateway when a user accesses a proxy service containing the cookie domain different than the cookie domain of the master proxy service. While redirecting, the request can be tampered with to redirect users to an external malicious site. To prevent such issues, only configured proxy service domains are permissible by default.

    To override this default behavior, set this option. However, be aware that setting this option to on brings in security risk.By default, this option is set to off.

    RedirectTargetWhiteList <comma separated list of DNS name>

    (Access Manager 4.5 Service Pack 4 and later)

    This option allows a list of domains to be added to the whitelist and allows URL redirection to occur at Access Gateway when a user accesses a proxy service having a different cookie domain than the cookie domain of the master proxy service. When this option is set, URL redirection happens to only the sites that are configured in the whitelist.

    For example, RedirectTargetWhiteList www.youtube.com

    RedirectTargetWhiteList www.youtube.com,www.b2c.com:444/portal

    AJPToken <passcode>

    (Access Manager 4.5 Service Pack 4 and later)

    To change the default password used to communicate between HTTPD and tomcat, make the following changes:

    • Set the AJPTone <passcode> option and specify the passcode.

    • Set the same passcode in opt/novell/nam/mag/conf/serverl.xml .

    For more information, see AJP Communication Setting for Access Gateway in the NetIQ Access Manager 4.5 Security Guide .

For the list of proxy service level advanced options, see Table 3-2.

Options to Clean Up Thick Client State At Browser

When Access Gateway detects the idle timeout, the user is redirected to Identity Server for authentication. If the client uses content type and URL pattern (as defined in the advanced options NAGUrlPattern and NAGContentType), the user must be redirected to a pre-defined timeout URL as defined in the NAGAuthFrontChannel advanced option. The redirected URL also contains additional information such as ESP login URL, the contract name, and the landing page URL as defined in the advanced options.

The following advanced options must be used together to clean up the thick client:

Advanced Option

Description

NAGLauncher

URL that launches the client.

NAGUrlPattern /messagebroker/*

URL pattern that identifies if a specific request came from a client.

NAGContentType application/x-amf

Content type in the Request header that is used to identify if the request is a client.

NAGAuthBackChannel /namtimeout/timeoutamf

Timeout handler on the server.

NAGAuthFrontChannel

Timeout handler on the server which includes the published DNS name of the server.