Additional notes and considerations for IBM(R) SecureWay(R) FirstSecure

The following sections provide last-minute updates for the FirstSecure,
Policy Director, and Boundary Server product offerings.

_______________________________________________________________________________
CONTENTS

1. Policy Director
   1.1 IntraVerse 2.1.2
       1.1.1 Windows(R) NT(TM)/95/98 IntraVerse Management Console, NetSEAT
             Client uninstall - PATH environment variable
       1.1.2 Windows NT IntraVerse Server uninstall - PATH environment variable
       1.1.3 Windows NT IntraVerse Server uninstall - registry entries
       1.1.4 Windows NT/95/98 IntraVerse Management Console, NetSEAT Client
             uninstall - registry entries
       1.1.5 AIX IntraVerse Server unconfigure/reconfigure
       1.1.6 AIX IntraVerse Server with expired DCE credentials
       1.1.7 AIX IntraVerse secmgrd problems
       1.1.8 Tunneling to an AIX server
       1.1.9 NetSEAT restrictions for Internet Explorer on Windows 98
       1.1.10 Browsing the object space on an SSL-enabled Web server
       1.1.11 Management Console installation
   1.2 IBM Global Sign-On(TM), Version 2.0.200
       1.2.1 Global Sign-On server (Solaris) and Transarc DCE 1.1 CPL 3

2. Boundary Server
   2.1 IBM eNetwork(TM) Firewall version 3.3
       2.1.1 Chaining SurfinGate proxy with Firewall HTTP proxy using FTP
   2.2 MIMEsweeper Version 3.2
       2.2.1 Configuring WEBsweeper
       2.2.2 Disabling proxy caching in MIMEsweeper
   2.3 SurfinGate 4.03 for Windows NT
       2.3.1 SurfinGate and Internet Explorer 4.0
       2.3.2 SurfinConsole

3. Public Key Infrastructure
   3.1 IBM Vault Registry 2.2.2
       3.1.1 IBM Vault Registry administration with double-byte character
             set languages

4. Trademarks

_______________________________________________________________________________
1. Policy Director

Additional information about the Policy Director component products is
provided in the following sections.

____________________
1.1 IntraVerse 2.1.2

The following sections contain miscellaneous information about
IntraVerse 2.1.2.

____________________________________________________________________
1.1.1 Windows(R) NT(TM)/95/98 IntraVerse Management Console, NetSEAT
      Client uninstall - PATH environment variable

On Windows NT, Windows 95, and Windows 98 machines, the IntraVerse
Management Console and NetSEAT client uninstall operations do not remove
DASCOM references from the PATH environment variable in the autoexec.bat
file.

To resolve the problem:

1. Edit the autoexec.bat file.
2. Remove the DASCOM directory from the PATH environment variable.

_______________________________________________________________
1.1.2 Windows NT IntraVerse Server uninstall - PATH environment variable

On a Windows NT machine, the IntraVerse uninstall operation does not remove
IntraVerse references from the PATH environment variable.

To resolve the problem:

1. From the Windows Control Panel, double-click the System icon.
2. Select the Environment tab, and then select PATH from the System
   Variables list.
3. Delete the IntraVerse directory from the Value field.

_______________________________________________________________
1.1.3 Windows NT IntraVerse Server uninstall - registry entries

The IntraVerse uninstall operation on an NT machine does not remove
IntraVerse references from the registry.

____________________________________________________________________
1.1.4 Windows NT/95/98 IntraVerse Management Console, NetSEAT Client
      uninstall - registry entries

On Windows NT, Windows 95, and Windows 98 machines, the IntraVerse
Management Console and NetSEAT client uninstall operations do not remove
IntraVerse references from the registry.

___________________________________________________
1.1.5 AIX IntraVerse Server unconfigure/reconfigure

On an AIX IntraVerse server, an unconfigure operation cannot be followed by
a reconfigure operation in FirstSecure Policy Director.

To resolve the problem:

If an unconfigure operation is necessary, uninstall after you unconfigure.
Then reinstall and configure IntraVerse.

________________________________________________________
1.1.6 AIX IntraVerse Server with expired DCE credentials

An unconfigure operation on an AIX IntraVerse server will fail if the cell
administrator does not have valid credentials.

To resolve the problem:

The cell administrator must ensure that his or her credentials have not
expired before proceeding with the unconfigure operation.

_____________________________________
1.1.7 AIX IntraVerse secmgrd problems

A secmgrd core dump on an AIX IntraVerse server might occur if the AIX
server is involved with tunneling.

To resolve the problem:

Apply IBM DCE 2.2 PTF 3 to the AIX server, and then retry the operation.
Contact your IBM service representative for further information and for a
Web site where IBM DCE 2.2 PTF 3 is located.

________________________________
1.1.8 Tunneling to an AIX server

Telnet and FTP tunneling operations to an AIX IntraVerse server do not work
consistently in the FirstSecure Policy Director.

______________________________________________________________
1.1.9 NetSEAT restrictions for Internet Explorer on Windows 98

The NetSEAT client cannot perform tunneling operations (i.e., port 80)
involving Internet Explorer on Windows 98 in the FirstSecure Policy
Director.

_____________________________________________________________
1.1.10 Browsing the object space on an SSL-enabled Web server

The IntraVerse Management Console cannot display the protected object space
on a third-party server that IntraVerse WebSEAL has junctioned.

Explanation:

Administrators use the Management Console to display the contents of the
protected object space on a junctioned server. The Management Console
attempts to execute a Common Gateway Interface (CGI) script on the
junctioned server. The CGI script named "query_contents" returns a list of
the contents of the protected object space.

When the backend server enforces authentication, such as Basic
Authentication, the user attempting to execute the script must present a
known identity to the backend server. The IntraVerse Management Console
does not have an identity that is known to the backend server. Therefore,
the backend server will deny the Console's request to execute the
query_contents script. This prevents the Management Console from displaying
the protected object space.

To resolve the problem:

1. On the backend server, allow unrestricted access to the query_contents
   executable (typically located in cgi-bin).
2. Log in to the Management Console and complete the following steps:
   a. Create a new ACL.
   b. Place the following entries in the ACL:

         user  cell_admin  a-bc---Tdm----lrx
         group iv-admin    a-bc---Tdm----lrx

   c. Attach the ACL to the query_contents executable.

These steps ensure that only the administrator or the Management Console
can send requests through IntraVerse WebSEAL to execute the query_contents
script on the backend server. Any other user who attempts to execute the
query_contents script through WebSEAL will be denied access.

______________________________________
1.1.11 Management Console installation

When installed on Windows NT, Windows 95, or Windows 98, the Management
Console Start Menu entry on the desktop is placed in the wrong position in
non-English versions. For example, in Italian the "Programs" menu is named
"Programmi" and applications should be installed in submenus of the
Programmi menu. Instead of putting itself in that location, the Management
Console creates a new "Programs" menu and places itself there.

___________________________________________
1.2 IBM Global Sign-On(TM), Version 2.0.200

The following section contains miscellaneous information about IBM Global
Sign-On, Version 2.0.200.

________________________________________________________________
1.2.1 Global Sign-On server (Solaris) and Transarc DCE 1.1 CPL 3

The Global Sign-On server does not install correctly on a Solaris machine
if the Transarc 1.1 CPL 3 patch has been applied.

To resolve the problem:

The Global Sign-On server installation failure is due to a DCE patch level
check. Before you install Global Sign-On, do the following:

1. Locate the PATCH.LEVEL file in the /opt/dce directory.
2. Copy the PATCH.LEVEL file to PATCH.LEVEL.BACKUP.
3. Edit the PATCH.LEVEL file and replace the text "CPL 3" with "Patch 39".
4. Save the PATCH.LEVEL file.
5. After you successfully install the Global Sign-On server:
   a. Erase the altered PATCH.LEVEL file.
   b. Rename the PATCH.LEVEL.BACKUP file to PATCH.LEVEL.

NOTE: You do not need this procedure if Global Sign-On server is installed
before you apply the CPL 3 patch to Transarc DCE 1.1.

_______________________________________________________________________________
2. Boundary Server

Additional information about the Boundary Server component products is
provided in the following sections.

__________________________________________
2.1 IBM eNetwork(TM) Firewall version 3.3

The following section contains miscellaneous information about IBM eNetwork
Firewall version 3.3.

__________________________________________________________________
2.1.1 Chaining SurfinGate proxy with Firewall HTTP proxy using FTP

If Finjan SurfinGate v4.0.3 is chained with the IBM Firewall V3.3 for AIX
HTTP proxy, IBM Firewall PTF 3.3.1 will be required to run FTP traffic
through the chain. Contact IBM support for PTF availability information.
All other protocols work correctly. No changes are required to use
SurfinGate with the IBM Firewall for NT HTTP proxy.

____________________________
2.2 MIMEsweeper Version 3.2

The following sections contain miscellaneous information about MIMEsweeper
Version 3.2.

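Added example for the PATCH.LEVEL workaround in section 1.2.1 (not IBM's
code): a POSIX shell wrapper that performs steps 1 to 5 around an installer
command. It goes one step beyond the note by restoring the original file even
when the installer fails, so an altered patch level is never left on disk; the
function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's code. /opt/dce, PATCH.LEVEL, "CPL 3" and "Patch 39"
# come from the release note; the function names are hypothetical.

# Back up PATCH.LEVEL and write a copy that reports "Patch 39".
# Returns 2 (nothing changed) when "CPL 3" is absent, 1 on any other problem.
patch_level_mask() {
    f="${1:-/opt/dce}/PATCH.LEVEL"
    if [ ! -f "$f" ]; then
        echo "PATCH.LEVEL not found: $f" >&2; return 1
    fi
    if [ -e "$f.BACKUP" ]; then
        echo "$f.BACKUP already exists; a previous run was not restored" >&2
        return 1
    fi
    if ! grep -q 'CPL 3' "$f"; then
        echo "no \"CPL 3\" in $f; workaround not needed" >&2; return 2
    fi
    cp -p "$f" "$f.BACKUP" || return 1
    sed 's/CPL 3/Patch 39/' "$f.BACKUP" > "$f" || return 1
}

# Erase the altered file and rename the backup into place (step 5 of the note).
patch_level_restore() {
    f="${1:-/opt/dce}/PATCH.LEVEL"
    [ -f "$f.BACKUP" ] || return 1
    rm -f "$f" && mv "$f.BACKUP" "$f"
}

# Usage: with_patch_level_workaround DCE_DIR INSTALLER [ARGS...]
# Runs the installer with the masked file, always restores, and returns the
# installer's exit status.
with_patch_level_workaround() {
    dir=$1; shift
    patch_level_mask "$dir" || return $?
    rc=0
    "$@" || rc=$?
    if ! patch_level_restore "$dir"; then
        echo "restore failed; fix $dir/PATCH.LEVEL by hand" >&2; return 1
    fi
    return "$rc"
}
```

Source the file as root and call with_patch_level_workaround /opt/dce followed
by the Global Sign-On installer command for your media.
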
____________________________
2.2.1 Configuring WEBsweeper

When you configure WEBsweeper, set the "Don't Chain" option for internal
addresses to allow normal traffic to work inside the secure network.

____________________________________________
2.2.2 Disabling proxy caching in MIMEsweeper

If you disable proxy caching in MIMEsweeper, be sure to change

   ProgressMessages enabled=true

to

   ProgressMessages enabled=false

in the webswp.cfg file. Otherwise, you receive an error message.

___________________________________
2.3 SurfinGate 4.03 for Windows NT

The following sections contain miscellaneous information about SurfinGate
4.03 for Windows NT.

__________________________________________
2.3.1 SurfinGate and Internet Explorer 4.0

SurfinGate and Internet Explorer 4.0 cannot run on the same machine.

___________________
2.3.2 SurfinConsole

You cannot install Windows NT software products on a machine while
SurfinConsole is active.

_______________________________________________________________________________
3. Public Key Infrastructure

Additional information about the Public Key Infrastructure component
product is provided in the following section.

____________________________
3.1 IBM Vault Registry 2.2.2

The following section contains miscellaneous information about IBM Vault
Registry 2.2.2.

______________________________________________________________________
3.1.1 IBM Vault Registry administration with double-byte character set
      languages

IBM Vault Registry administration is performed using a browser such as
Netscape or Microsoft(R) Internet Explorer. The version of Netscape that is
provided with AIX 4.3.2 does not handle double-byte character set (DBCS)
correctly for the Web-based forms used by IBM Vault Registry.

For DBCS languages, use a remote Windows machine to access the IBM Vault
Registry administration Web pages and to use the latest version of either
Netscape (for example, 4.5 or higher) or Microsoft Internet Explorer (4.0
or higher).

_______________________________________________________________________________
4. Trademarks

The following terms are trademarks of International Business Machines
Corporation in the United States, or other countries, or both:

   eNetwork
   Global Sign-On
   IBM
   SecureWay

Microsoft, Windows, Windows NT, and the Windows logo are trademarks or
registered trademarks of Microsoft Corporation in the United States and
other countries.

Other company, product, and service names may be trademarks or service
marks of others.