5.7 Advanced Access Gateway Service Options

The following settings apply to all reverse proxies, unless the option is overridden by an advanced proxy service setting (see Section 2.2.3, Configuring Advanced Options for a Domain-Based Proxy Service).

  1. In the Administration Console, click Devices > Access Gateways > Edit > Advanced Options.

  2. To activate these options, remove the pound (#) symbol, configure the value, save your changes, then update the Access Gateway.

    #NAGGlobalOptions FlushUserCache=on: Specifies whether cached credential data of the user is updated when the session expires or the user changes an expiring password.

    • When this option is on, which is the default setting, the credentials and the Identity Injection data are refreshed.

    • When this option is turned off, the cached user data can become stale.

      For example, if your password management service is a protected resource of the Access Gateway and this option is turned off, every time a user changes an expiring password, the user’s data is not flushed and the Access Gateway continues to use stale data for that user.

    #NAGGlobalOptions DebugHeaders=on: When this option is enabled, an X-Mag header is added with debug information. The information can be seen in sniffer traces and with plug-ins such as ieHTTPHeaders, Live HTTP Headers, and Firebug. This option should only be enabled when you are working with Novell Support and they instruct you to enable the option.

    #NAGGlobalOptions DebugFormFill=on: When this option is enabled, additional debug information related to the processing of a Form Fill policy is added to the Apache error_log file. The Form Fill entries generated by this option begin with a FF: marker.

    #NAGGlobalOptions NoURLNormalize=on: When this option is enabled, it disables the URL normalization protection for back-end Web servers. This option resolves issues in serving Web content from Web servers that have double-byte characters such as Japanese language characters.

    #NAGAdditionalRewriterScheme webcal://: When this option is enabled, the rewriter rewrites URLs that have a scheme of webcal://. The default rewriter configuration only rewrites URLs with a scheme of http:// or https://.

    #NAGGlobalOptions AppendProviderID=on: When this option is enabled, it displays the ESP Provider ID in the Access Gateway authorization audit logs. This helps you identify issues related to the ESP provider ID from the audit log file.

    #NAGGlobalOptions RemoveEmptyHeaderValue: This option stops the Identity Injection policy from sending an empty header with a null value when a value is not available. By default, the Access Gateway sends an empty header with a null value if a value is not available.

    #SSLHonorCipherOrder on: This option enables you to customize the SSLCipherSuite used by the Access Gateway Service. This helps you take preventive measures when new vulnerabilities are published.

    To avoid Browser Exploit Against SSL/TLS (BEAST) attacks, use the advanced option as follows:

    SSLHonorCipherOrder on

    SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL

    For more information on the format and set of options you can specify in the value, see OpenSSL documentation.

    #CacheMaxFileSize: Configuring this value in the Advanced Options of a proxy service allows you to set the size of the file that can be stored in the cache. By default, the size is set to 5 MB. Add the line CacheMaxFileSize <bytes>, for example, CacheMaxFileSize 99900000.

    NOTE: All the path-based services under the domain-based service will inherit the new value.

    For information on the equivalent touch files in the 3.1 SP5 Access Gateway Appliance, see list of touch files.

    As an example of when to use RemoveEmptyHeaderValue, applications may have a public and a protected resource configured. Both resources may use an Identity Injection policy, for instance to inject a USERID. The public resource uses the user name if the user is authenticated. If the user accesses the public resource before authentication, the Access Gateway sends an empty USERID header. Web servers may not handle an empty header and may respond with an error. In such a scenario, use the RemoveEmptyHeaderValue advanced option to stop the Access Gateway from sending an empty header with a null value.

  3. To disable an option, add the # symbol in front of the option, save your changes, then update the Access Gateway.
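The following script is an added example, not part of the product or its documentation. It reviews a copy of the Advanced Options text and reports which of the options described above are active in a state that deserves attention. The function names and the sample text are constructed for illustration. The RC4 finding relies on RFC 7465, which is not mentioned on this page, and the cipher check assumes the colon-separated format shown above.

```python
# Notes taken from the option descriptions on this page.
RISKY_WHEN_ON = {
    "DebugHeaders": "adds an X-Mag debug header; enable only when Support asks",
    "DebugFormFill": "writes extra Form Fill (FF:) debug entries to error_log",
    "NoURLNormalize": "disables URL normalization protection for back-end servers",
}

def active_directives(text):
    """Return (name, value) pairs for lines that are not commented out with #."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, _, value = line.partition(" ")
            pairs.append((name, value.strip()))
    return pairs

def audit(text):
    """Return a list of findings for an Advanced Options block."""
    directives = active_directives(text)
    findings = []
    for name, value in directives:
        if name != "NAGGlobalOptions":
            continue
        option, _, state = value.partition("=")
        if option in RISKY_WHEN_ON and state.lower() == "on":
            findings.append(f"{option}=on: {RISKY_WHEN_ON[option]}")
        elif option == "FlushUserCache" and state.lower() == "off":
            findings.append("FlushUserCache=off: cached user data can become stale")
    suites = [v for n, v in directives if n == "SSLCipherSuite"]
    honor = any(n == "SSLHonorCipherOrder" and v.lower() == "on" for n, v in directives)
    if suites and not honor:
        findings.append("SSLCipherSuite set without SSLHonorCipherOrder on: "
                        "the client's cipher preference is used, not the listed order")
    for suite in suites:
        # Only explicitly listed RC4 tokens are checked; aliases such as ALL are not expanded.
        rc4 = [t for t in suite.split(":") if "RC4" in t and not t.startswith(("!", "-"))]
        if rc4:
            findings.append("RC4 enabled (" + ",".join(rc4) + "): RFC 7465 prohibits RC4 in TLS")
    return findings

# Constructed sample, not a real deployment's configuration.
SAMPLE = """\
#NAGGlobalOptions FlushUserCache=on
NAGGlobalOptions DebugHeaders=on
#NAGGlobalOptions DebugFormFill=on
NAGGlobalOptions NoURLNormalize=on
SSLCipherSuite !aNULL:!eNULL:!EXPORT:!DSS:!DES:RC4-SHA:RC4-MD5:ALL
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against the text copied from Devices > Access Gateways > Edit > Advanced Options before you update the Access Gateway.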