Customizing the PROXY.CFG File - Feb. 29, 2008

What's a PROXY.CFG File?

The PROXY.CFG file (in SYS:\ETC\PROXY) provides both necessary and optional parameters to make the proxy function correctly. There are many parameters you can safely change in the the SYS:ETC\PROXY\PROXY.CFG file. Frequently they are dependent on the version of PROXY.NLM which is running. When Novell wants to add some small change to how PROXY.NLM works, they sometimes add a new option to be enabled in the PROXY.CFG file. If the option works well, it is often changed to be the default setting in the next, and later, proxy patches. However, there have been times when adding the parameter, at the supposed default settings, actually makes that setting work! (So, it is not a bad idea to specify the default actions.)

The raw PROXY.CFG file has barely enough settings to make the mini-webserver and error pages work. There are many optional parameters that can be added to effect how well proxy works, and how reliably it works, and turn on some newer features. You really want to use a custom PROXY.CFG file! I suggest using my version, at least for a start.

My PROXY.CFG File - Feb. 29, 2008 (Revision 30)

Feb 29, 2008 - Added new options from BorderManager 3.9 sp1 (beta) patch.

This PROXY.CFG file is based on ones used in my BorderManager servers. I am running BorderManager 3.8 and 3.9 at the moment, but many people are running my proxy.cfg files on older versions of BorderManager. I generally keep my servers patched to the latest version, inluding beta patches. This file may work very well in your environment, or you may have some particular issue that needs one of the settings to be the opposite of mine. However, if you have never modified your PROXY.CFG file, or are having some problems accessing certain web sites, you almost certainly want to give this one a try!

Why use my version? It generally fixes a lot of odd little problems, compared to use the default proxy.cfg that came with the installation of BorderManager. In general, my proxy.cfg file will often do the following:

Installing My PROXY.CFG File

  1. Make a backup copy of your SYS:ETC\PROXY\PROXY.CFG file
  2. Review the PROXY.CFG parameter TID 10059667
  3. Copy in my PROXY.CFG file to the SYS:ETC\PROXY directory, after changing any parameters you think should be adjusted for your environment. (Usually would be related to mail proxy or terminal server authentication settings).
  4. Unload Proxy
  5. Load Proxy (best to LOAD PROXY -CC to clear old cached data, in case the old data has corruption causing a problem)

You can download my PROXY.CFG file HERE. (Revision 30) - see the release notes below for recent changes

Note 1: If you have problems with Windows Update working with the latest patches and proxy.cfg file, have a look at tip #29.

Note 2: I do not generally use Mail Proxy, but I have added some (all?) of the optional Mail Proxy settings in my file, commented out. If you use Mail Proxy, I suggest you merge in your Mail Proxy settings, or review the TID mentioned above plus the latest patch installation text files. Same with terminal server authentication.

Note 3: If you like to type in just 'www' in your browser, and have the proxy automatically add your '' onto the URL, then you want to have DoNotCreateFullyQualifiedHostNames=1 left in the proxy.cfg. If you want to disallow that, change the =0 to =1. However, I have heard that some patch levels of proxy may be treating this setting exactly opposite, so if you don't get the result you want, try changing the setting.

Note 4: If you have problems with Transparent Proxy working, or HTTPS in general (to ports like 8009, 52443, 2200, etc.) be aware that newer PROXY.NLM patches enable tunneling control and you MUST make corresponding settings for tunneled port numbers in the PROXY.CFG file.

Updates to this Tip:

Release Notes - you should read through them!

Feb 29, 2008 - Added new options from BorderManager 3.9 sp1 (beta) patch.

Dec 16, 2007 - Warning for BM 3.7 Users: You may need to change the SendHTTP11Request=1 parameter to SendHTTP11Request=0. Some people have reported problems getting to certain sites (Yahoo was one) with that parameter set to 1.
Dec. 13, 2007 (Revision 29)- Fixed a problem involving one of the new settings, with double-quote characters. I had copied a section of the readme file giving the new grace login parameter, and it was using double-quotes that were not ... accepted by Novell's EDIT program. Looking at the file on the server with EDIT resulted in much of the Extra Configuration section simply going missing. I changed the double-quotes to ones that work OK now.

Dec. 9, 2007 (Revision 28)- Added new parameters provided by the BM38SP5_IR1.ZIP patch. Some of them are commented out, so review the readme for the patch if you have applied it and see if there are new proxy.cfg settings you would like to implement, then go uncomment and modify the proxy.cfg file as needed.

Oct 30, 2006 (Revision 27)- Changed sendhttp11request=0 to =1 on advice from Novell. With BM38SP5 and later patches, major improvements on the handling of http 1.1 headers has been implemented. This switch allows those changes to be used, and in earlier revisions should result in someone better (or at least different) handling of http 1.1 requests through a proxy.

Oct 27, 2006 (Revision 26)- Changed PassContentLength=0 to =1 after finding that at least one web site ( would not work properly with FireFox 1.5.0.x or IE6. (FireFox 2.0 was said to be fine without this change).

June 26, 2006 (Revision 25)- A minor update reflecting a new option available in BM38SP4_IR4 or later patches regarding Scheduled Downloads. I put in a non-default option to turn that feature on, but I left it commented out in this proxy.cfg version. If you want scheduled downloads to work, you may need to enable the setting EnableScheduledDownload=1. This includes allowing option 22 on the proxy console screen to work, which also requires you to have scheduled downloads enabled.

June 12, 2006 (Revision 24)- Fixed a typo in rev. 23 where I forgot to comment out a remark. Added the option SendHTTP11Request=0 to try to fix a problem getting to certain web sites.

May 26, 2006 (Revision 23)- I have updated the proxy.cfg file with new parameters introduced in BM38SP4_IR4. Most are commented out in this version, but I did implement the parameter to move the annoying ICP Parent Down messages from the console screen to the ICP Statistics screen.

July 2, 2005 (Revision 21)- The biggest change here is in the syntax for the tunneling control option. The syntax for calling out port numbers was incorrect. The correct syntax is to number the port entries, as in 'port1', 'port2', 'port3', etc. With this syntax, all configured port numbers will be allowed for tunneling HTTPS. I have also specified port 2200 as one tunneling port number, since it is commonly used for Apache web management.

Another note - while testing Terminal Services Authentication for a client, I ran into the problem where it simply didn't work. I found that the browser was configured to not proxy the entire local subnet (192.168.10.*). If you tell the browser not to use proxy for the BorderManager server's IP address, it causes terminal services authentication to break, so do not do that on the browsers configured in the terminal/citrix server.
June 17, 2005 (Revision 20)- Users have been reporting a bug with the tunneling control option in (at least) BM38SP2, BM38SP3 and BM38SP3_IR1. I have confirmed, and so has Novell. Specifically, if you turn on the tunneling control option, and put in a list of port numbers that you want to be tunnelled, only the first one listed will work. I'm waiting to hear more from Novell on the cause and a fix for this.

Apr. 28, 2005 (Revision 20)- Added two new settings from the BM38SP3_IR1.EXE patch. The first one allows password expiration notice on grace logins in SSL Proxy Authentication. The second makes user names show up in the extended log files.

Apr. 25, 2005 (Revision 19)- I made two changes to the existing settings, but did not add any new entries. The first change was to disable logging of http tunneling. I had thought I disabled that before, but must have uploaded a different version. If tunneling logging is enabled, you will get an ever-enlarging log file in the SYS:ETC\PROXY directory called TUNNEL.LOG. If you want logging, enable it yourself! The second change was to enable tunneling for ports 8009 (NRM), 52443 (iFolder, on some servers), and 444 (SSL Proxy Authentication if you customize the port as many people do).

Mar. 18, 2005 (Revision 18)- After seeing a syntax error when I loaded proxy, regarding the http tunneling options, I did some experiments and determined that if you did not add a port number there, you would get a cosmetic error message. Port 443 would be tunneled, but nothing else. I changed the examples (commented out) to show how to allow tunneling for Novell Remote Manager (NRM) and iFolder (if using port 52443). I also disabled the option to do tunneling logging, as the log files could get big without you knowing it.

Jan. 17, 2005 (Revision 17)- Added two new options from the BM38FP3E / BM37FP4D patches.

Jan. 9, 2005 (Revision 16)- I reversed one setting that was causing both error messages on the proxy console screen and een an occasional abend. The setting was for a new feature called SupportLargePostRequest. Setting that option =1 fixes a problem related to WebAccess, but causes other problems, related to messages about "Scheduling WaitForTCPToSendPostRequestHeaders". I have now set this option to 0 in revision 16. The other change is to the noDummySlashUpstream parameter. I have found out that the option requires a lower-case 'n' for the first letter in the current patches, so I put it in with both upper- and lower-case N in the event that a future patch wants it to be upper-case.

Dec. 16, 2004 (Revision 15)- Added two new options that require the proxy.nlm from BM37FP4D or BM38FP3C. One in particular is supposed to fix those annoying random 403 permission denied errors.

Oct. 18, 2004 (Revision 14)- Revision 13 added some new settings to control HTTP tunneling, on ports other than 443. I have changed my proxy.cfg file setting to DISABLE that feature, because I have seen problems getting to secure web sites with it enabled. (If you get a 503 error in you browser, and some mention of tunneling, you need to look at the tunneling settings in proxy.cfg). Tunneling is not always done on port 443, and I'd rather err on the side of allowing web site traffic by default, and allow the local administrator to decide if he/she wants to block tunneling on non-standard port numbers. (An example of a non-standard port number would be any URL starting with HTTPS://, and including a colon/port number, such as The only change I have made from proxy.cfg revision 13 to 14 is to set the EnableTunnelingControl from 1 (enabled) to 0 (disabled).

Sept. 17, 2004 (Revision 13)- Revision 13 includes new settings from BM38SP2, BM38FP3A and BM38FP3B. The changes include adding support for control of tunneling (and logging denied attempts), mail proxy antispam exceptions, a large posting through http proxy fix, and a webwasher setting.

June 8, 2004 (Revision 12) - Revision 12 has a few newer settings, related to late BorderManager 3.7 or 3.8 patches, but also has cosmetic changes. The comment character was changed from # to ; and spacing and more comments were added. A section for Nsure auditing was added (though I haven't yet got auditing to work properly).

I have had feedback on two settings in my proxy.cfg file that I want to pass on.

Jan, 26, 2004 (Revision 11) - I have made several changes since Rev. 10.

July 8, 2003 (Revision 10) - Uncommented lines I had added for troubleshooting in the previous revision. This revision is for the BM37FP3A.EXE patch, or for servers that are running the PROXY.NLM from one of those patches. I have not had any problems (abends) with the options used in proxy.cfg.

May 21, 2003 (Revision 9) - After hearing from at least two people in the public forums that have had abends relating to revision 8 of my proxy.cfg file (BM37SP2 or BM37FP3), I have made changes to the settings. I have commented out the four most recent changes to the proxy.cfg file since BM37SP2 came out, in the hope that one of those settings is directly related to the abends.

[Extra Configuration]
# Next entry (from BM37FP3 patch) fixes caching issue with multiple browsers on one PC
# Next entry (from BM37Sp2) attempts to fix problems with proxy not unloading
# Next entry (from BM37Sp2) fixes problem browsing certain web sites
#DoNotSendExtraCRLF = 1
# Next entry (from BM37Sp2) fixes problem browsing certain web sites
#EnableIncomplete302ResponseFix = 0

As soon as I get more feedback on which (if any) of the above settings seems to be causing abends, I will post an update here.

Also, I have a report from a user that could not get Windows Update to work with Win2k PC's until he commented out


Apr. 25, 2003 (Revision 8) - Added a new line in Extra Configuration for a feature first available in the BM37FP3.EXE patch to fix the "Accept-encoding header improperly handled" issue.

Apr. 21, 2003 (Revision 7) - Added several new lines applicable to the proxy.nlm version in BM37SP2.EXE. I also removed the comment from the file to fix the HTTPS Streaming Bug as shown below.

[HTTP Streaming]

This assumes that you have applied the PROXY.NLM version from the BM37SP1, BM37SP2, BMMACSSL1 or BM36SP3 patches. Otherwise, you could be subject to the HTTP streaming bug! (That bug is the HTTP proxy continuing to stream Internet radio, etc, to the proxy until proxy is unloaded).

Prior to the patches mentioned above, if you fixed the HTTP streaming bug with the above setting, you broke Windows Update.

Note that the BM37SP2 patch does not include the browser plug-in for Terminal Server Authentication.

Mar. 24, 2003 (Revision 6) - Added the line EnableHTTPSLogging=0 to the ExtraConfiguration section to fix an ABEND that can occur in BorderManager 3.7 before the BM37SP2.EXE patch. This also means that you cannot log HTTPS access via the HTTP Proxy.

Mar. 5, 2003 (Revision 5) - Added new settings related to the BMMACSSL1.EXE patch. That patch fixes the Macintosh SSL Proxy authentication issue, the Mac HTTP tunneling issue, and as a bonus fixes the problem where HTTP Transparent Proxy didn't support SSL. As of this writing, I am trying to find out if the HTTP Streaming Bug / Windows Update bug issue have both been fixed at the same time.

Jan. 30, 2003 (Revision 4) - Added several new lines (commented out!) into PROXY.CFG, for terminal server authentication. The settings are explained in a section below.

For troubleshooting purposes, I recommend you refer to the latest version of my proxy.cfg as REVISION 4 in the Novell Public Forums. Revision 4 will be the one with terminal services authentication settings and change from the revision 3 setting described below.

Note: In revision 3, at Novell's recommendation, I changed to DoNotCacheWhenCookieFound=0, from =1. While this gives a little better performance, I also have found out that there are some web sites that rely on cookies not being cached to work properly. If you have users complaining that they cannot log into and use some web site, you may need to set the value to=1. Because of this issue, I have changed back to using =1 again.

Sept. 7, 2002 (Revision 3) - I changed one setting in the proxy.cfg file as follows:


(I did have it set to =1). Novell says that with proxy version 031, the default value used to be the switch was set to 0 as default, but it was changed. If the switch is present in proxy.cfg with value 1 or not present, all pages that come with a cookie header will not be cached. (This may be desirable with some problem web sites - you will have test to find out). Novell says that having the value set to 1 might cause a performance drop as fewer pages would be cached. Novell recommends having this setting in proxy.cfg =0, so pages with cookie headers will be cached and only pages with no cache headers will not be cached.

June 15, 2002 (Revision 2) - Updated proxy.cfg file with changes to fix a Windows Update problem. I found that having the following setting in my PROXY.CFG file was preventing Windows Update patches from installing on my XP Pro and Win2k Pro PC's. Symptoms would be that the patches would download, but fail to install, if Internet Explorer was configured to use the HTTP Proxy.

[HTTP Streaming]

What I have done in the current posted version is to comment out the [ResetOriginServerConnAfterClientReset=1 line, as follows:

[HTTP Streaming]

I then unloaded and reloaded PROXY.NLM to pick up the change, and Windows Update problems disappeared. However, I am concerned that the problem that entry was designed to fix (HTTP Streaming audio started by a user never stops, even when the user has closed their browser and turned off their PC). I am trying to get clarification from Novell if the latest version of PROXY.NLM for BorderManager 3.5, 3.6 and 3.7 (version 31) still requires a setting to fix the HTTP Streaming issue.

June 3, 2002 (Revision 1) - Updated proxy.cfg file with some new settings for the PXY031 / BM36C02 patches.

Terminal Server Authentication Notes (Jan. 21, 2004)

Jan 24, 2004 update - Thanks to Gareth Jones for giving this bit of information in the Novell Public Forums. In order for PXYAUTH to install correctly on a Citrix server, the Windows system directory is assumed to be on the C: drive. Gareth was unable to get PXYAUTH to install until he mapped the C: drive to his J$ share (where J: was configured as the OS drive). Once installed, he was able to disconnect the C: mapping, and pxyauth worked fine.

Jan 30, 2003: These settings are going to be explained in a BorderManager Cool Solutions article to be published soon, with screenshots showing what you must do at the browser. Novell sent me the preliminary article for study and asked that I share the information liberally. I will try to explain further here:

There are two methods for using proxy authentication - cookie-based, and the usual (CLNTRUST, SSL Proxy Authentication).

Cookie-based authentication is designed primarily for terminal services environments, where multiple users share an IP address. The idea is to base authentication on the presence of a cookie in the browser rather than the IP address. The problems were a) browsing SSL sites did not work, and b) cookie-based authentication applied to all users, not just a terminal server. That means CLNTRUST no longer worked for anyone, and everyone had to suffer through the SSL login screen.

With BorderManager 3.7SP1 (and later), the problems have been fixed, but it requires new settings in PROXY.CFG as shown below:

[Extra Configuration]

[Authentication Subnets]

(or you can use:)

[Authentication Ranges]

(or you can use:)

[Authentication Addresses]

The EnableTerminalServerAuthentication=1 setting enables the new feature for authenticating particular addresses with the new authentication scheme. The default setting is 0, which disables the feature.

The RedirectHTTPSRequest=1 setting allows for redirection of HTTPS such that browsing SSL sites will work with the new authentication scheme. Previously you could not browse SSL sites with cookie-based authentication. The default setting is 0, which disables the feature.

The authentication address sections shown above are used to limit the addresses for which the new authentication scheme applies. For performance reasons, you should keep the address ranges as small as possible, and apparently even in a different subnet class than everyone else. You can use any of the settings (authentication subnets, ranges, or addresses), not all three at the same time. For example, if you have only a single terminal server at address, use:

[Authentication Addresses]

Once you have the desired PROXY.CFG settings in place, unload and reload PROXY.NLM to put them into effect. Next you have to know what to do at the browser to make use of the new feature.

Step 1: Try to browse from an IP address covered by the entries for authentication subnets, ranges or addresses. That should generate an SSL Proxy authentication login screen, as usual. (No CLNTRUST running. If you want to test this on a PC, see tip 45 here.)

Step 2: Log in to the SSL Proxy authentication screen as usual.

Step 3: [If you have not installed the PXYAUTH program] You should see a new prompt come up! The prompt will be called "Script Prompt:" and will say "BorderManager Session Identification (Copy the number for Internet Access)" . And there will be a number shown. We'll call it the session number.

Here is where things get tricky. You need to cut and paste the session number. Press Ctrl-C to copy it to the clipboard. Then click on the OK button.

Step 4: A new login dialog box comes up, asking for User Name and Password. Paste the session number into the login screen as the User Name. Leave the password field blank, and click on OK.

You should now be proxy-authenticated, and further browsing IN THAT BROWSER WINDOW should not require additional authentication. If you launch another browser window with Ctrl-N, you also do not need to authenticate again. If you close the browser window, you will have to repeat the authentication process.

Note: The BM37FP3B.EXE patch AFTER BorderManager 3.7 service pack 2 includes a browser plug-in (the PXYAUTH.EXE program) that will automate this process for Citrix clients using Internet Explorer or Netscape.

Note: Terminal Services Authentication will NOT work if you configure the browser on the termain server to not proxy the BorderManager IP address.

Return to the Main Page