Proxy settings disabling users on network

We’ve recently upgraded Notes/Domino from 6.5.4 to 7.0.3. We have also upgraded our firewall to the latest and greatest version (Secure Computing - Sidewinder Firewall).

With the old version of the Notes client and old version of the firewall, which used the Squid proxy, the users were prompted for their network user name and password to see images in html type emails they received. Things worked great.

Since upgrading to the new firewall, Sidewinder no longer uses the Squid proxy, so we’ve chosen the domain authentication (MSLN), and we have been having problems with our users getting locked out of the network because of bad passwords used in the Notes location document for proxy authentication. This happens with both 6.5.4 and 7.0.3 clients.

What usually happens is that the user will enter their user name and password to access the html type emails, and it will work. But when it comes time to change their network passwords, the stored password in the location document still contains the old password, and when the user attempts to open an html email, Notes uses the old password until the user is locked out of the network. The user is not prompted to enter a new password, and there is no notification that the user has been locked out, until they attempt to access something on the network.

We’ve resolved the issue in one of two ways, but neither actually resolves the issue to our satisfaction. One resolution has been to uncheck the proxy settings in the location document, thus prohibiting the user from seeing the images in the email. The other resolution has been to have the user update the password in the location document with the current password, but this will only be valid until the user has to change their password again. Thus, we’ll have to coach them on changing this setting again and again.

How can we resolve this issue permanently?

Subject: Proxy settings disabling users on network

We resolved a similar problem by creating a “generic” domain account just for proxy access, and using Notes Policy to push it silently to our Notes users. It was a bit fiddly, especially on the Domino side, and I’m not entirely satisfied with it, but it works.

To do this, create an account in AD called NotesClient or something similar, and give it a password. If you have a container for “special” accounts, put it there instead of in your normal user container, and give it minimal access to your domain.

Then you will need to add some fields to the Policy Settings\Desktop Settings form. I prefer to create a subform for any new fields, and then add the subform to the Policy form under the ‘Other’ tab. The fields you need to add are all editable text fields, and must be called ‘LocAllProxy_LoginName’, ‘LocAllProxy_Password’ and ‘LocAllProxyAuthenticationFlag’.

Now edit the Desktop Policy settings document, and populate the fields on the Proxy tab with your server and port details, and populate the new fields with the account name, password, and 1 respectively.

You now have a Notes policy which will push out the necessary settings to allow users to retrieve http in e-mails through your firewall.

The downside of this method is that users can see the proxy name & password in clear text if they look in their location documents, so you need to make sure it has minimal access in your domain. Also, if they are using the Notes browser, their usage will be logged under this generic account, and not their own account.

Also, the location doc gets encrypted for just that user (which may or may not be a problem).

Hope this helps.

Subject: RE: Proxy settings disabling users on network

Peter,

Thanks for the reply.

We have discussed this, but we do have some people who do not have (not allowed to access) the internet. For these particular people, while they have network access, they do not have internet abilities. By granting them this “generic” domain account for Notes, they would have the ability to browse the internet, using the Notes browser, with this account, would they not?

Granted, these users would not have the ability to see the html emails anyway (at least the images), so it wouldn’t necessarily be that big of a deal…

I think I might need to give this a little more thought. For those that don’t have internet access, we wouldn’t need to configure the proxy settings. Hmmm…

Thanks for giving me more to think about.

Subject: RE: Proxy settings disabling users on network

Yes, by pushing this generic account info out to all users, you would potentially be allowing all users to browse the internet using the Notes browser.

I don’t think that there is any way to deploy a Notes policy to everyone EXCEPT a few users, although perhaps you might be able to configure an explicit policy to override an organizational policy…

What you really want is a way for the server to fetch all the html content in the e-mail as it arrives in the user’s mail file, and to present it as a complete e-mail to the user.

Subject: RE: Proxy settings disabling users on network

Is there a way to get the server to get all the HTML content prior to getting to the user’s mail file? That definitely would be something worth looking into.

Subject: RE: Proxy settings disabling users on network

Not that I am aware of.