To be able to connect to SGD through a proxy server, client devices might need to be configured with the address and port number of the proxy servers. You might also need to configure SGD to give clients information about server-side proxy servers.
The supported proxy servers are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.
To configure client proxy settings, you must configure proxy settings for both the HTTP connections and the AIP connections. How you do this is described in the following sections.
HTTP connections are the connections between the user’s browser and the SGD web server, for example to display a webtop. These connections always use the proxy settings configured for the browser.
AIP connections are the connections between the SGD Client and the SGD server used to display applications. For these connections, the settings in the client profile control whether the SGD Client determines the proxy settings from a browser or from the client profile itself.
The SGD Client always stores the last proxy settings it used in the client profile cache. See About the Profile Cache for details.
Note - You can only configure a SOCKS proxy for the AIP connection by specifying an array route. See Configuring Server-Side Proxy Servers for details.
If the Use Default Web Browser Settings check box is selected in the client profile, the proxy server settings are determined from the user’s default browser. The SGD Client stores the proxy settings in the profile cache on the client device and uses these settings when it next starts.
If Establish Proxy Settings on Session Start is selected in the client profile, the SGD Client obtains the proxy settings from the browser every time it starts. The stored proxy settings are not used. If Automatic Client Login is selected in the client profile, the Establish Proxy Settings on Session Start setting is disabled.
If the SGD Client is in Integrated mode, and there are no proxy settings in the profile cache, the SGD Client attempts to make a direct connection.
To be able to determine the proxy settings from a browser, the browser must have Java technology enabled. If Java technology is not available, or it is disabled in the browser, the proxy settings must be manually specified in the client profile.
Note - If proxy server settings are defined in the Java Control Panel for the Sun Java Plugin tool, these settings are used instead of the browser settings.
If the Manual Proxy Settings check box is selected in the client profile, you can specify either an HTTP or an SSL proxy server in the client profile itself.
Whenever client proxy server configuration is determined from a browser, you can use an automatic configuration script to automatically configure the proxy settings.
Note - Use this format for all browsers supported by SGD.
You can use proxy server exception lists to control the connections that are not proxied. Proxy exception lists can only be used if the proxy settings are determined from a browser. You cannot configure exception lists in the client profile. The exception list can be configured in the browser or Sun Java Plugin tool.
An exception list is a list of DNS host names. For Internet Explorer, the list is a semicolon-separated list. For Mozilla-based browsers, the list is a comma-separated list. Exception lists can include the * wildcard.
There is no translation between DNS host names and IP addresses in exception lists. For example, with an exception list of *.example.com, connections to chicago.example.com and detroit.example.com do not use a proxy server, but connections that use the IP addresses for these hosts do use a proxy server.
Exception lists must always include the following entries:
Proxy servers can drop a connection after a short period of time if there is no activity on the connection. By default, SGD sends AIP keepalive packets every 100 seconds to keep the connection open.
If you find that applications disappear after a short while, you might have to increase the frequency at which AIP keepalive packets are sent.
In the Administration Console, go to the Global Settings -> Communication tab and decrease the value of AIP Keepalive Frequency, so that keepalive packets are sent more often. Alternatively, use the following command:
$ tarantella config edit --sessions-aipkeepalive secs
Note - You must restart every SGD server in the array for changes to this attribute to take effect.
SGD can be configured so that the SGD Client connects through a server-side SOCKS version 5 proxy server. The actual proxy server used is determined using the IP address of the client. This is known as an array route.
If you use the SGD Gateway, array routes are only used for client connections that are not routed through an SGD Gateway.
You configure array routes by setting one or more filters that match client IP addresses to server-side proxy servers. Each filter has the format Client-IP-Pattern:type:host:port.
The Client-IP-Pattern can be either of the following:
A regular expression matching one or more client IP addresses, for example 192.168.10.*
A subnet mask expressed in the number of bits to match one or more client IP addresses, for example 192.168.10.0/22
The type is a connection type. Use CTSOCKS for a SOCKS version 5 connection. Use CTDIRECT to connect directly without using a proxy server.
The host and port are the DNS name or IP address and port of the proxy server to use for the connection.
SGD can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.
If you use an external SSL accelerator instead of SGD to handle SSL processing, append :ssl to the array route, as shown in the following example. This instructs the SGD Client to use SSL on that connection before continuing with the SOCKS connection. See Using External SSL Accelerators for details.
Caution - If SGD is configured for firewall forwarding, you cannot use multiple array routes because SGD cannot determine the IP address of the client device. You can configure a single array route, for example *:CTSOCKS:taurus.example.com:8080. See Firewall Traversal.
The following is an example of array routes configuration:
192.168.5.*:CTDIRECT: \
192.168.10.*:CTSOCKS:taurus.example.com:8080 \
*:CTSOCKS:draco.example.com:8080:ssl
With this configuration, the following applies:
Clients with IP addresses beginning 192.168.5 have a direct connection.
Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.example.com on port 8080.
All other clients connect using the SOCKS proxy server draco.example.com on port 8080. These clients also connect using SSL before continuing with the SOCKS connection.
You can only configure array routes from the command line.
Ensure that no users are logged in to the SGD servers in the array, and that there are no running application sessions, including suspended application sessions.
Use the following command:
$ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes routes
Enclose routes in quotes and separate each filter with a comma, for example "filter1,filter2,filter3".
The format of each filter is described in Configuring Server-Side Proxy Servers.
The order of the filters is important. The first match is used.
You must restart every server in the array for array routes to take effect.
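Because the first matching filter wins, it helps to check a routes string before applying it and restarting the array. The following is an added example, not part of SGD or of the original page: it parses the comma-separated filter format described above, reports which route a given client IP address would receive, and flags filters that an earlier filter appears to shadow. The function names are hypothetical, and it assumes IPv4 clients, that wildcard patterns behave as shell-style globs, and that a subnet pattern with host bits set is read as its enclosing network.

```python
import fnmatch
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "pattern ctype host port ssl")

def parse_routes(routes):
    """Parse "filter1,filter2,..."; each filter is Client-IP-Pattern:type:host:port[:ssl]."""
    parsed = []
    for raw in routes.split(","):
        f = raw.strip().split(":")
        ssl = f[-1] == "ssl"
        f = f[:-1] if ssl else f
        f += [""] * (4 - len(f))              # CTDIRECT filters carry no host or port
        pattern, ctype, host, port = f[:4]
        if ctype not in ("CTSOCKS", "CTDIRECT"):
            raise ValueError(f"unknown connection type in {raw!r}")
        if ctype == "CTSOCKS" and not (host and port.isdigit()):
            raise ValueError(f"CTSOCKS filter needs host and port: {raw!r}")
        parsed.append(Route(pattern, ctype, host, int(port) if port else None, ssl))
    return parsed

def matches(pattern, client_ip):
    if "/" in pattern:    # subnet form; strict=False accepts 192.168.10.0/22 as written
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    return fnmatch.fnmatchcase(client_ip, pattern)    # "*" wildcard form (assumed glob)

def select_route(routes, client_ip):
    """First matching filter wins; None means no filter matched."""
    return next((r for r in routes if matches(r.pattern, client_ip)), None)

def unreachable(routes):
    """Heuristic lint: filters whose sample addresses are all caught by earlier filters."""
    flagged = []
    for i, r in enumerate(routes):
        if "/" in r.pattern:
            net = ipaddress.ip_network(r.pattern, strict=False)
            samples = [str(net[0]), str(net[-1])]
        else:                                 # fill wildcards, pad or trim to four octets
            samples = [".".join((r.pattern.replace("*", x).split(".") + [x] * 3)[:4])
                       for x in ("1", "254")]
        if all(any(matches(e.pattern, s) for e in routes[:i]) for s in samples):
            flagged.append(r)
    return flagged

# The page's three filters, joined with commas as the command expects.
PAGE_ROUTES = ("192.168.5.*:CTDIRECT:,192.168.10.*:CTSOCKS:taurus.example.com:8080,"
               "*:CTSOCKS:draco.example.com:8080:ssl")
```

In this sketch, the subnet pattern 192.168.10.0/22 is evaluated as the network 192.168.8.0/22, so it also matches clients in 192.168.8.x, 192.168.9.x and 192.168.11.x. The shadowing check samples only two addresses per filter, so treat a flagged filter as a prompt to review the order rather than as proof.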