Clearing a Proxy Authentication Connection - April 29, 2001

Ever notice that after you have Proxy Authenticated, the next user following you on the same PC can get the same access rights through BorderManager? This is because proxy authentication (not cookie-based) associates the PC's IP address with the authenticated NDS ID for a period of time. Otherwise you might have to authenticate on every single IP packet - not pleasant for those who have to use SSL Proxy Authentication and type in a name and password.

Proxy authentication clears these associations when the maximum connection idle time is exceeded. That means that after some period of time (the default is 3 minutes) with no HTTP traffic between PC and Proxy, the BorderManager server clears the authentication. While you can set the idle time lower in NWADMN32, BorderManager Setup, Authentication Context, at some point you reach a threshold that results in problems.

However, you can MANUALLY clear the authentication association by using the following URL in your browser to 'log out' of the proxy. This can be useful when testing access rules, and also if you just want to leave a PC cleanly after working on it as an admin. Put the following URL into your browser:

http://xxx.xxx.xxx.xxx:1959/cmd/BM-Logout.htm

Where xxx.xxx.xxx.xxx is the proxy IP address of your BorderManager server.

I suggest you bookmark the URL once you get there.

Thanks to Terry Rodecker for reminding me of this technique!

One thing that I discovered (after having problems, and reading Novell TIDs) - the command is CASE-SENSITIVE.

If you have a company home page, you might want to put a link to a URL there that performs this function.

This information is also discussed in Novell TIDs 2953643 and 10021222. Those TIDs talk specifically about SSL Proxy Authentication, but this technique is the same if you are running CLNTRUST and want to clear your connection before another user logs in at the same PC.
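The behaviour described above, as an added example that is not Novell code or part of the original tip: a simplified model of an IP-keyed authentication table with the 3-minute idle timeout and the case-sensitive logout path. The class and function names, the sample IP address and the NDS ID are constructed for illustration, and treating a wrong-case logout request as ordinary traffic is an assumption of the model.

```python
# Simplified model of IP-keyed proxy authentication (added example, not Novell code).
IDLE_TIMEOUT = 180                  # seconds; the page gives 3 minutes as the default
LOGOUT_PATH = "/cmd/BM-Logout.htm"  # case-sensitive, as noted on the page


class ProxyAuthTable:
    """Maps a client IP to (identity, last_seen); the user at the keyboard is not tracked."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.by_ip = {}

    def authenticate(self, ip, identity, now):
        self.by_ip[ip] = (identity, now)

    def request(self, ip, path, now):
        """Return the identity applied to this request, or None if unauthenticated."""
        entry = self.by_ip.get(ip)
        if entry is None:
            return None
        identity, last_seen = entry
        if now - last_seen > self.idle_timeout:
            del self.by_ip[ip]            # idle time exceeded: association cleared
            return None
        if path == LOGOUT_PATH:           # exact match only: wrong case does not log out
            del self.by_ip[ip]
            return None
        # Assumption of this model: any other request counts as traffic
        # and resets the idle clock.
        self.by_ip[ip] = (identity, now)
        return identity


def scenario(logout_path=None, gap=60):
    """Admin authenticates at t=0; the next user browses from the same PC at t=gap."""
    table = ProxyAuthTable()
    pc = "10.0.0.25"                                # constructed sample address
    table.authenticate(pc, "admin.corp", now=0)     # constructed NDS ID
    if logout_path:
        table.request(pc, logout_path, now=10)      # admin tries to log out
    return table.request(pc, "/index.html", now=gap)


if __name__ == "__main__":
    print("no logout, 60 s later:   ", scenario())
    print("no logout, 181 s later:  ", scenario(gap=181))
    print("correct logout URL:      ", scenario(LOGOUT_PATH))
    print("wrong-case logout URL:   ", scenario("/cmd/bm-logout.htm"))
```
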


