Secure Global Desktop 4.31 Administration Guide > Security > Using Secure Global Desktop with proxy servers

Using Secure Global Desktop with proxy servers

To use a proxy server with Secure Global Desktop, clients need to be configured with the address and port number of the proxy servers that should be used when connecting to Secure Global Desktop. You may also need to configure Secure Global Desktop to give clients information about traversing server-side proxy servers.

This topic covers:

Supported proxy servers
Client proxy settings for the browser-based webtop
Client proxy settings for the classic webtop
Proxy server exception lists
Multiple client proxy server configurations and connections to Secure Global Desktop
Proxy server timeouts
Server-side proxy server configuration

Supported proxy servers

To use Secure Global Desktop with a proxy server, the proxy server must support tunneling.

For the browser-based webtop, you can use HTTP, Secure (SSL) or SOCKS version 5 proxy servers.

For the classic webtop, the Java™ technology clients can use HTTP, Secure (SSL) or SOCKS version 5 proxy servers. For the Native Clients, you can only use HTTP and SOCKS version 5 proxy servers.

For SOCKS version 5 proxy servers, Secure Global Desktop supports the "Basic" and "No authentication required" authentication methods. No server-side configuration is required.

Client proxy settings for the browser-based webtop

For the browser-based webtop, there are two connections to consider:

Connections between the web browser and the Secure Global Desktop Web Server, for example to display a webtop, always use the proxy server settings configured for the web browser.

For Secure Global Desktop Client connections, the settings in the profile determine whether the Secure Global Desktop Client obtains the proxy server settings from a web browser or from the profile itself. The Secure Global Desktop Client always stores the last proxy settings it used in the profile cache.

If the profile has Use default web browser settings enabled, the proxy server settings are determined from the user's web browser. If the Secure Global Desktop Client is in Integrated mode, it either uses the last used proxy settings from the profile cache (if available) or starts the user's default web browser to obtain the proxy settings. In Integrated mode, if Establish proxy settings on session start is enabled in the profile, the Secure Global Desktop Client starts the user's default web browser every time.

To be able to determine the proxy server settings from a web browser, the web browser must have Java technology enabled. If Java technology is not available or it is disabled in the web browser, the proxy settings must be manually specified in the profile.

Note If proxy server settings are defined in the Java Control Panel for the Sun Java Plug-in, these settings are used instead of the web browser settings.

If the profile has Manual proxy settings enabled, this allows you to configure the proxy server settings in the profile itself. You can specify either an HTTP or a SOCKS proxy server or both.

Client proxy settings for the classic webtop

For the classic webtop, the client proxy server settings are configured as follows:

Customized themes for the Java technology client

If you have created a customized webtop theme, it may contain HTML files which are used as "entry points" to Secure Global Desktop. An HTML file counts as an entry point if it is the first HTML page to be loaded which contains Secure Global Desktop applets. In order for Secure Global Desktop to detect and use the proxy server configured in the browser, each applet in an entry-point HTML file must include the ProxyServer and ProxyFrame proxy parameters.

Using the proxy server diagnostic application for the Java technology client

The Java technology client has a diagnostic application, proxyinfo, which can be used to investigate any problems Secure Global Desktop encounters when it acquires proxy information.

To access the application, users must type the following URL in their web client:
http://server.com/tarantella/cgi-bin/ttawebtop.cgi/tarantella/resources/info/sco/tta/proxyinfo.html

You must always run this application through the ttawebtop.cgi program.

When you run the application, the Proxy server information page displays and processes the proxy server configuration. The results are output on screen.

The information displayed shows what the application has detected about the user's web client settings and what tests the application has carried out.

The key piece of information shown is the names and port numbers of the candidate proxy servers. These are the proxy servers that Secure Global Desktop can connect to.

You can configure the level of detail shown by the application by adding a parameter to the applet, as follows:

  1. Open the /opt/tarantella/var/docroot/resources/info/sco/tta/proxyinfo.html file in an editor.
  2. Look for the TTAAPPLET tag.
  3. Insert the following parameter tag between the opening and closing TTAAPPLET tags:
    <param name="LOG_MASK" value="bit mask">

    The bit mask values for this parameter are:

    Value  Setting    Details shown
    1      General    The web client settings the proxyinfo application detected
    2      Details    The tests the proxyinfo application has carried out
    4      Overrides  The domains which have been manually excluded
    8      Registry   Windows registry details

    The default value is 7, which shows General, Details and Overrides, but not Registry.

  4. Close the file and save the changes.

Using proxy server automatic configuration scripts

Whenever client proxy server configuration is determined from a web browser, you can use an automatic configuration script to automatically configure the proxy settings.

You specify the URL of the configuration script in the connection settings for the web browser. The automatic configuration script must be written in JavaScript and have either a .pac file extension or no file extension. See the Netscape Proxy Auto-Config File Format page for details.

Note Use this format for all web browsers supported by Secure Global Desktop.

Known issue with automatic configuration scripts

Proxy server automatic configuration scripts can specify a list of proxy servers to try. If the first proxy server in the list is unavailable, the browser tries the other proxy servers in turn until it finds one that is available.

If you are using Microsoft Internet Explorer with Sun Java Plug-in version 1.5.0, only the first proxy server in the list is used. If that proxy server is not available, the connection fails. The solution is to use Sun Java Plug-in version 1.6.0.

Proxy server exception lists

You can use proxy server exception lists to control which connections should not be proxied. Exception lists can be configured as follows:

An exception list is a semicolon-separated list of DNS host names:

chicago.indigo-insurance.com;detroit.indigo-insurance.com;london.indigo-insurance.com

Note On Mozilla-based browsers, the list is a comma-separated list.

Exception lists may include the * wildcard:

*.indigo-insurance.com

There is no translation between DNS hostnames and IP addresses in exception lists. For example, with an exception list of "*.indigo-insurance.com", connections to "chicago.indigo-insurance.com" and "detroit.indigo-insurance.com" would not use the proxy server, but connections to "192.168.5.20" and "192.168.5.30" (their IP addresses) would.

For the browser-based webtop, users must include the following entries in their exception lists:

localhost; 127.0.0.1
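The following proxy auto-configuration (PAC) script is an added example, not a file shipped with Secure Global Desktop: it applies the exception-list rules described above (the required localhost and 127.0.0.1 entries, the wildcard domain, and the absence of any DNS-to-IP translation) and returns a proxy list of the kind the known issue with Java Plug-in 1.5.0 refers to. The proxy names proxy1/proxy2.example.com are constructed; browsers supply shExpMatch() to PAC scripts, and the stand-in below lets the script run outside a browser.

```javascript
// Added example PAC script (not Secure Global Desktop code).
// Browsers provide shExpMatch() to PAC scripts; this stand-in has the same
// semantics (* matches any run of characters, ? one character) so the
// script can be exercised outside a browser.
function shExpMatch(str, pattern) {
  const re = "^" + pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")   // escape regex metacharacters
    .replace(/\*/g, ".*")                    // * -> any run of characters
    .replace(/\?/g, ".") + "$";              // ? -> exactly one character
  return new RegExp(re, "i").test(str);
}

// The exception list: localhost and 127.0.0.1 are required for the
// browser-based webtop; *.indigo-insurance.com is the page's example.
const PROXY_EXCEPTIONS = ["localhost", "127.0.0.1", "*.indigo-insurance.com"];

// Proxy servers to try in order (constructed names). Known issue: Internet
// Explorer with Java Plug-in 1.5.0 only ever tries the first entry.
const PROXY_LIST = "PROXY proxy1.example.com:8080; PROXY proxy2.example.com:8080";

function isException(host) {
  return PROXY_EXCEPTIONS.some(p => shExpMatch(host, p));
}

function FindProxyForURL(url, host) {
  // Matching is purely textual: no DNS lookup is done, so the IP address of
  // an excepted host (for example 192.168.5.20) still goes via the proxy.
  if (isException(host)) {
    return "DIRECT";
  }
  return PROXY_LIST;
}
```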

Multiple client proxy server configurations and connections to Secure Global Desktop

If only one proxy server has been configured on the client, Secure Global Desktop uses this proxy server for all HTTP, HTTPS and Secure Global Desktop connections.

Note If this is a Secure (SSL) proxy server, the Secure Global Desktop traffic is only encrypted if the user has a secure connection to the Secure Global Desktop server.

If an HTTP and a SOCKS proxy server have been configured on the client, and you are using Secure Global Desktop in firewall forwarding mode, Secure Global Desktop uses the HTTP proxy server for all HTTP, HTTPS and Secure Global Desktop connections.

If an HTTP and a SOCKS proxy server have been configured on the client, and you are not using Secure Global Desktop in firewall forwarding mode, the proxy server Secure Global Desktop uses depends on the client. If the client is:

Proxy server timeouts

Proxy servers will drop a connection after a short period of time if there is no activity on the connection. By default, Secure Global Desktop sends keepalive packets every 100 seconds to keep the connection open.

If you find that applications disappear after a short while, you may have to increase the frequency at which keepalive packets are sent.

Server-side proxy server configuration

When a Secure Global Desktop client connects to the Secure Global Desktop Web Server, Secure Global Desktop can be configured to "instruct" the client to connect using a different DNS name and an array route. An array route is the address of a server-side SOCKS proxy server. The DNS name and array route are determined using the IP address of the client.

Configuring multiple DNS names

If a Secure Global Desktop server is known by different names on the network, for example inside and outside a firewall, you can configure that server to have multiple DNS names. This allows Secure Global Desktop clients to use different DNS names when connecting to a Secure Global Desktop server depending on the IP address of the client device.

You configure multiple DNS names for a Secure Global Desktop server on the General Properties panel in Array Manager or with the following command:

tarantella config edit --server-dns-external dns_name ...

Each dns_name has the format IP_pattern:external_DNS_name, where IP_pattern is a regular expression matching a client IP address, for example 192.168.10.*, and external_DNS_name is the DNS name that matching clients use to connect to the server.

In Array Manager, press the RETURN key after each name definition. On the command line, use a space to separate the names, for example:

tarantella config edit --server-dns-external "192.168.10.*:boston.indigo-insurance.com" "*:www.indigo-insurance.com"

The order of the names is important. The first matching IP pattern is used. For example if the following names are defined:

192.168.10.*:boston.indigo-insurance.com
*:www.indigo-insurance.com

Clients with IP addresses beginning 192.168.10 connect to boston.indigo-insurance.com, and all other clients connect to www.indigo-insurance.com. If the order of the names was reversed, all clients would connect to www.indigo-insurance.com.

Note You must restart the Secure Global Desktop server for multiple DNS names to take effect.

If you are using multiple DNS names and you want to enable secure connections, you need an X.509 certificate and key for each DNS name that is being used.

Configuring array routes

You configure the routes for an array with the following command:

tarantella config edit --tarantella-config-array-netservice-proxy-routes route ...

Each route has the format IP_pattern:type:host:port, where:

IP_pattern is a regular expression matching a client IP address, for example 192.168.10.*
type is CTDIRECT for a direct connection, or CTSOCKS for a connection through a SOCKS proxy server
host and port are the DNS name and port number of the SOCKS proxy server (for CTDIRECT, they are left empty, as in the example below)

Enclose each route in quotes and separate the routes with a space.

The order of the routes is important. The first matching client IP pattern is used.

Note You must restart every server in the array for array routes to take effect.

If you want to use an external SSL accelerator instead of Secure Global Desktop to handle SSL processing, append the route with :ssl (see the following example). This instructs the client to use SSL on that connection before continuing with the SOCKS connection. If you use an external SSL accelerator, you must also configure the Secure Global Desktop SSL Daemon to accept unencrypted connections. You do this using the Accept plaintext on secure port attribute on the server-specific Security Properties panel in Array Manager (tarantella config edit --security-acceptplaintext).

The following is an example array route:

"192.168.5.*:CTDIRECT:" "192.168.10.*.*:CTSOCKS:taurus.indigo-insurance.com:8080" "*:CTSOCKS:draco.indigo-insurance.com:8080:ssl"

With this configuration, clients with IP addresses beginning 192.168.5 connect directly (CTDIRECT), clients with IP addresses beginning 192.168.10 connect through the SOCKS proxy server taurus.indigo-insurance.com on port 8080, and all other clients connect through the SOCKS proxy server draco.indigo-insurance.com on port 8080, using SSL on that connection before the SOCKS connection.
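To show how the first-match rule shared by multiple DNS names and array routes plays out, here is an added example (not Secure Global Desktop code) that selects the external DNS name and the array route for a client IP address using the configuration values from this page. It assumes IP_pattern is applied as an anchored regular expression, as the page states, with a bare "*" (the page's own "any client" entry) treated as matching every address.

```javascript
// Added example, not Secure Global Desktop code: first-match selection of the
// external DNS name and the array route for a client IP address.
// Assumption: IP_pattern is an anchored regular expression; a bare "*" (the
// page's "any client" entry) is treated as matching every address.
function ipPatternMatches(pattern, ip) {
  if (pattern === "*") return true;
  return new RegExp("^(?:" + pattern + ")$").test(ip);
}

// Entries as given to: tarantella config edit --server-dns-external ...
const DNS_NAMES = [
  "192.168.10.*:boston.indigo-insurance.com",
  "*:www.indigo-insurance.com",
];

// Entries as given to:
// tarantella config edit --tarantella-config-array-netservice-proxy-routes ...
const ROUTES = [
  "192.168.5.*:CTDIRECT:",
  "192.168.10.*.*:CTSOCKS:taurus.indigo-insurance.com:8080",
  "*:CTSOCKS:draco.indigo-insurance.com:8080:ssl",
];

// Returns the external DNS name of the first entry whose pattern matches,
// or null when none matches. Order matters: a "*" entry placed first
// shadows every entry after it.
function externalDnsName(entries, clientIp) {
  for (const entry of entries) {
    const sep = entry.indexOf(":");
    if (ipPatternMatches(entry.slice(0, sep), clientIp)) return entry.slice(sep + 1);
  }
  return null;
}

// Returns the first matching route as an object, or null. A trailing ":ssl"
// means the client uses SSL on the connection before the SOCKS handshake.
function arrayRoute(routes, clientIp) {
  for (const route of routes) {
    const [pattern, type, host, port, ssl] = route.split(":");
    if (!ipPatternMatches(pattern, clientIp)) continue;
    if (type === "CTDIRECT") return { type: "CTDIRECT" };
    return { type, host, port: Number(port), ssl: ssl === "ssl" };
  }
  return null;
}
```

Under this regular-expression reading an unescaped "." matches any character, so 192.168.10.* also matches 192.168.100.7; when exact octets matter, escape the dots (192\.168\.10\..*) and test each pattern against real client addresses before relying on it to keep clients on the intended route.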
