Using Secure Global Desktop with proxy servers (Secure Global Desktop 4.31 Administration Guide, Security)
To use a proxy server with Secure Global Desktop, clients need to be configured with the address and port number of the proxy servers that should be used when connecting to Secure Global Desktop. You may also need to configure Secure Global Desktop to give clients information about traversing server-side proxy servers.
To use Secure Global Desktop with a proxy server, the proxy server must support tunneling.
For the browser-based webtop, you can use HTTP, Secure (SSL) or SOCKS version 5 proxy servers.
For the classic webtop, the Java™ technology clients can use HTTP, Secure (SSL) or SOCKS version 5 proxy servers. For the Native Clients, you can only use HTTP and SOCKS version 5 proxy servers.
For SOCKS version 5 proxy servers, Secure Global Desktop supports the Basic and No authentication required authentication methods. No server-side configuration is required.
For the browser-based webtop, there are two connections to consider:
Connections between the web browser and the Secure Global Desktop Web Server, for example to display a webtop, always use the proxy server settings configured for the web browser.
For the Secure Global Desktop Client connections, the settings in the profile determine whether the Secure Global Desktop Client obtains the proxy server settings from a web browser or from the profile itself. The Secure Global Desktop Client always stores the last proxy settings it used in the profile cache.
If the profile has Use default web browser settings enabled, the proxy server settings are determined from the user's web browser. If the Secure Global Desktop Client is in Integrated mode, it either uses the last used proxy settings from the profile cache (if available) or starts the user's default web browser to obtain the proxy settings. In Integrated mode, if Establish proxy settings on session start is enabled in the profile, the Secure Global Desktop Client starts the user's default web browser every time.
To be able to determine the proxy server settings from a web browser, the web browser must have Java technology enabled. If Java technology is not available or it is disabled in the web browser, the proxy settings must be manually specified in the profile.
Note If proxy server settings are defined in the Java Control Panel for the Sun Java Plug-in, these settings are used instead of the web browser settings.
If the profile has Manual proxy settings enabled, this allows you to configure the proxy server settings in the profile itself. You can specify either an HTTP or a SOCKS proxy server or both.
For the classic webtop, the client proxy server settings are configured as follows:
If you have created a customized webtop theme, it may contain HTML files which are used as "entry points" to Secure Global Desktop. An HTML file counts as an entry point if it is the first HTML page to be loaded which contains Secure Global Desktop applets. In order for Secure Global Desktop to detect and use the proxy server configured in the browser, each applet in an entry-point HTML file must include the ProxyServer and ProxyFrame proxy parameters.
The Java technology client has a diagnostic application, proxyinfo, which can be used to investigate any problems Secure Global Desktop encounters when it acquires proxy information.
To access the application, users must type the following URL in their web client:
http://server.com/tarantella/cgi-bin/ttawebtop.cgi/tarantella/resources/info/sco/tta/proxyinfo.html
You must always run this application through the ttawebtop.cgi program.
When you run the application, the Proxy server information page displays and processes the proxy server configuration. The results are output on screen.
The information displayed shows what the application has detected about the user's web client settings and what tests the application has carried out.
The key piece of information shown is the name and port numbers of the candidate proxy servers. These are the proxy servers that Secure Global Desktop can connect to.
You can configure the level of detail shown by the application by adding a parameter to the applet, as follows:
1. Open the /opt/tarantella/var/docroot/resources/info/sco/tta/proxyinfo.html file in an editor.
2. Find the TTAAPPLET tag.
3. Add the following parameter between the TTAAPPLET tags:
<param name="LOG_MASK" value="bit mask">
The bit mask values for this parameter are:
Value | Setting | Details shown |
---|---|---|
1 | General | The web client settings the proxyinfo application detected |
2 | Details | The tests the proxyinfo application has carried out |
4 | Overrides | The domains which have been manually excluded |
8 | Registry | Windows registry details |
The default value is 7, which shows General, Details and Overrides, but not Registry.
Whenever the client proxy server configuration is determined from a web browser, you can use an automatic configuration script to supply the proxy settings.
You specify the URL of the configuration script in the connection settings for the web browser. The automatic configuration script must be written in JavaScript and have either a .pac file extension or no file extension.
See the Netscape Proxy Auto-Config File Format page for details.
Note Use this format for all web browsers supported by Secure Global Desktop.
Proxy server automatic configuration scripts can specify a list of proxy servers to try. If the first proxy server in the list is unavailable, the browser tries the other proxy servers in turn until it finds one that is available.
If you are using Microsoft Internet Explorer with Sun Java Plug-in version 1.5.0, only the first proxy server in the list is used. If that proxy server is not available, the connection fails. The solution is to use Sun Java Plug-in version 1.6.0.
You can use proxy server exception lists to control which connections should not be proxied. Exception lists can be configured as follows:
An exception list is a semicolon-separated list of DNS host names:
chicago.indigo-insurance.com;detroit.indigo-insurance.com;london.indigo-insurance.com
Note On Mozilla-based browsers, the list is a comma-separated list.
Exception lists may include the * wildcard:
*.indigo-insurance.com
There is no translation between DNS hostnames and IP addresses in exception lists. For example, with an exception list of "*.indigo-insurance.com", connections to "chicago.indigo-insurance.com" and "detroit.indigo-insurance.com" would not use the proxy server, but connections to "192.168.5.20" and "192.168.5.30" (their IP addresses) would.
For the browser-based webtop, users must include the following entries in their exception lists:
localhost; 127.0.0.1
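The following is an added example, not a script shipped with Secure Global Desktop: a proxy auto-configuration (PAC) script in the Netscape format the guide refers to, carrying the exception list the guide gives (localhost, 127.0.0.1 and *.indigo-insurance.com) and a list of proxy servers to try in turn. The proxy server names (proxy1.example.com, proxy2.example.com, socks.example.com) are constructed for the example. It also shows the point made above about exception lists: the host name is matched as the browser sees it, so the IP address of an excepted host is still sent through the proxy.

```javascript
// Added example (not Secure Global Desktop code): a Netscape-format PAC script.
// Browsers call FindProxyForURL(url, host) for every connection and act on the
// string it returns. Proxy host names below are constructed for this example.

// Browsers provide shExpMatch() to PAC scripts. Defining it here lets the
// script be exercised outside a browser (for instance under Node); inside a
// browser it simply replaces the built-in with an equivalent implementation.
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run of characters, '?' exactly one,
  // everything else (including '.') is literal. Host names compare
  // case-insensitively.
  function escapeRe(s) {
    return s.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  }
  var body = pattern
    .split("*")
    .map(function (part) { return part.split("?").map(escapeRe).join("."); })
    .join(".*");
  return new RegExp("^" + body + "$", "i").test(str);
}

// Exception list: connections to these hosts bypass the proxy. Entries are
// matched against the host name only; no DNS lookup is done, so the IP
// address of an excepted host is NOT covered by a host-name wildcard.
var EXCEPTIONS = ["localhost", "127.0.0.1", "*.indigo-insurance.com"];

// Proxy servers to try in order: the browser moves to the next entry when
// one is unavailable (see the Java Plug-in 1.5.0 caveat above).
var PROXY_LIST =
  "PROXY proxy1.example.com:8080; PROXY proxy2.example.com:8080; " +
  "SOCKS socks.example.com:1080";

function FindProxyForURL(url, host) {
  for (var i = 0; i < EXCEPTIONS.length; i++) {
    if (shExpMatch(host, EXCEPTIONS[i])) {
      return "DIRECT";
    }
  }
  return PROXY_LIST;
}
```

Saved with a .pac extension (or none) and referenced from the browser's connection settings, this script routes every connection through the listed proxies except those to localhost, 127.0.0.1 and hosts under indigo-insurance.com.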
If only one proxy server has been configured on the client, Secure Global Desktop uses this proxy server for all HTTP, HTTPS and Secure Global Desktop connections.
Note If this is a Secure (SSL) proxy server, the Secure Global Desktop traffic is only encrypted if the user has a secure connection to the Secure Global Desktop server.
If an HTTP and a SOCKS proxy server have been configured on the client, and you are using Secure Global Desktop in firewall forwarding mode, Secure Global Desktop uses the HTTP proxy server for all HTTP, HTTPS and Secure Global Desktop connections.
If an HTTP and a SOCKS proxy server have been configured on the client, and you are not using Secure Global Desktop in firewall forwarding mode, the proxy server Secure Global Desktop uses depends on the client. If the client is:
Proxy servers will drop a connection after a short period of time if there is no activity on the connection. By default, Secure Global Desktop sends keepalive packets every 100 seconds to keep the connection open.
If you find that applications disappear after a short while, you may have to increase the frequency at which keepalive packets are sent.
When a Secure Global Desktop client connects to the Secure Global Desktop Web Server, Secure Global Desktop can be configured to "instruct" the client to connect using a different DNS name and an array route. An array route is the address of a server-side SOCKS proxy server. The DNS name and array route are determined using the IP address of the client.
If a Secure Global Desktop server is known by different names on the network, for example inside and outside a firewall, you can configure that server to have multiple DNS names. This allows Secure Global Desktop clients to use different DNS names when connecting to a Secure Global Desktop server depending on the IP address of the client device.
You configure multiple DNS names for a Secure Global Desktop server on the General Properties panel in Array Manager or with the following command:
tarantella config edit --server-dns-external dns_name ...
Each dns_name has the format client IP pattern:external DNS name, where IP_pattern is a regular expression matching a client IP address, for example 192.168.10.*.
In Array Manager, press the RETURN key after each name definition. On the command line, use a space to separate the names, for example:
tarantella config edit --server-dns-external "192.168.10.*:boston.indigo-insurance.com" "*:www.indigo-insurance.com"
The order of the names is important. The first matching IP pattern is used. For example if the following names are defined:
192.168.10.*:boston.indigo-insurance.com *:www.indigo-insurance.com
Clients with IP addresses beginning 192.168.10 connect to boston.indigo-insurance.com, and all other clients connect to www.indigo-insurance.com. If the order of the names was reversed, all clients would connect to www.indigo-insurance.com.
Note You must restart the Secure Global Desktop server for multiple DNS names to take effect.
If you are using multiple DNS names and you want to enable secure connections, you need an X.509 certificate and key for each DNS name that is being used.
You configure the routes for an array with the following command:
tarantella config edit --tarantella-config-array-netservice-proxy-routes route ...
Each route has the format IP_pattern:type:host:port, where:
IP_pattern is a regular expression matching a client IP address, for example 192.168.10.*.
type is a connection type. Use CTSOCKS for a SOCKS version 5 connection. Use CTDIRECT to connect directly without using a proxy server.
host is the DNS name or IP address of the proxy server to connect to.
port is the port to connect to on the host.
Enclose each route in quotes and separate the routes with a space.
The order of the routes is important. The first matching client IP pattern is used.
Note You must restart every server in the array for array routes to take effect.
If you want to use an external SSL accelerator instead of Secure Global Desktop to handle SSL processing, append :ssl to the route (see the following example). This instructs the client to use SSL on that connection before continuing with the SOCKS connection. If you use an external SSL accelerator, you must also configure the Secure Global Desktop SSL Daemon to accept unencrypted connections. You do this using the Accept plaintext on secure port attribute on the server-specific Security Properties panel in Array Manager (tarantella config edit --security-acceptplaintext).
The following is an example array route:
"192.168.5.*:CTDIRECT:" "192.168.10.*.*:CTSOCKS:taurus.indigo-insurance.com:8080" "*:CTSOCKS:draco.indigo-insurance.com:8080:ssl"
With this configuration:
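The following added example (not Secure Global Desktop code) works out what a client would be given under both the multiple DNS names described above and the array routes: it parses dns_name entries of the form client IP pattern:external DNS name and route entries of the form IP_pattern:type:host:port[:ssl], then applies the first-matching-pattern rule to a client IP address. It assumes a client IP pattern behaves as a glob, with * matching any run of characters and every other character, including the dots, taken literally, which is how the guide's own examples such as 192.168.10.* read; the DNS names and routes used are the guide's examples, with the second route's pattern written as 192.168.10.*.

```javascript
// Added example (not Secure Global Desktop code): first-match resolution of
// external DNS names and array routes for a client IP address.
// Assumption: patterns are globs ('*' = any run of characters, '.' literal).

function patternToRegExp(pattern) {
  var body = pattern
    .split("*")
    .map(function (s) { return s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"); })
    .join(".*");
  return new RegExp("^" + body + "$");
}

// dns_name entry: "client IP pattern:external DNS name"
function parseDnsName(entry) {
  var idx = entry.indexOf(":");
  if (idx < 1 || idx === entry.length - 1) {
    throw new Error("malformed dns_name entry: " + entry);
  }
  return { pattern: entry.slice(0, idx), dnsName: entry.slice(idx + 1) };
}

// route entry: "IP_pattern:type:host:port[:ssl]"; CTDIRECT takes no host/port.
function parseRoute(entry) {
  var parts = entry.split(":");
  var pattern = parts[0], type = parts[1];
  if (!pattern || !type) throw new Error("malformed route: " + entry);
  if (type === "CTDIRECT") {
    return { pattern: pattern, type: type, host: null, port: null, ssl: false };
  }
  if (type !== "CTSOCKS") throw new Error("unknown route type in: " + entry);
  var host = parts[2], port = Number(parts[3]), ssl = parts[4] === "ssl";
  if (!host || !Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error("malformed route: " + entry);
  }
  if (parts.length > (ssl ? 5 : 4)) throw new Error("malformed route: " + entry);
  return { pattern: pattern, type: type, host: host, port: port, ssl: ssl };
}

// The first entry whose pattern matches wins, so the order of entries matters.
function firstMatch(entries, clientIp) {
  for (var i = 0; i < entries.length; i++) {
    if (patternToRegExp(entries[i].pattern).test(clientIp)) return entries[i];
  }
  return null;
}

// External DNS name the client is told to connect to, or null if none matches.
function resolveDnsName(dnsNames, clientIp) {
  var m = firstMatch(dnsNames.map(parseDnsName), clientIp);
  return m ? m.dnsName : null;
}

// Array route the client is told to use, or null if none matches.
function resolveRoute(routes, clientIp) {
  return firstMatch(routes.map(parseRoute), clientIp);
}

// The guide's example entries (second route pattern written as 192.168.10.*).
var DNS_NAMES = [
  "192.168.10.*:boston.indigo-insurance.com",
  "*:www.indigo-insurance.com"
];
var ROUTES = [
  "192.168.5.*:CTDIRECT:",
  "192.168.10.*:CTSOCKS:taurus.indigo-insurance.com:8080",
  "*:CTSOCKS:draco.indigo-insurance.com:8080:ssl"
];
```

With these entries, a client at 192.168.5.20 is routed CTDIRECT, a client at 192.168.10.7 is sent to boston.indigo-insurance.com through the SOCKS server taurus.indigo-insurance.com on port 8080, and any other client is sent to www.indigo-insurance.com through draco.indigo-insurance.com on port 8080 with SSL applied first. Because the example treats dots literally, 192.168.100.7 does not match 192.168.10.* and falls through to the catch-all entries; if the product evaluates the pattern as a true regular expression, an unescaped dot matches any character and the pattern would be wider, so check the matching behaviour before relying on a pattern to keep internal clients off an external route.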
Copyright © 1997-2007 Sun Microsystems, Inc. All rights reserved.