Skip past navigation linksSecure Global Desktop 4.40 Administration Guide > Security > Using SGD With Proxy Servers

Using SGD With Proxy Servers

To use a proxy server with SGD, clients need to be configured with the address and port number of the proxy servers to used when connecting to SGD. You might also need to configure SGD to give clients information about traversing server-side proxy servers.

This page includes the following topics:

Supported Proxy Servers

To use SGD with a proxy server, the proxy server must support tunneling. You can use HTTP, Secure (SSL) or SOCKS version 5 proxy servers.

For SOCKS version 5 proxy servers, SGD supports the Basic and No authentication required authentication methods. No server-side configuration is required.

Client Proxy Settings

For the client proxy settings, there are two connections to consider:

Connections between the web browser and the SGD Web Server for example to display a webtop, always use the proxy server settings configured for the web browser.

For the SGD Client connections, the settings in the profile whether the SGD Client determines the proxy server settings from a web browser or from the profile itself. The SGD Client always stores the last proxy settings it used in the profile cache .

Note You can only configure a SOCKS proxy for the SGD Client connection by specifying an array route.

If the profile has Use default web browser settings enabled, this means that the proxy server settings are determined from the user's web browser. If the SGD Client is Integrated mode, it either uses the last used proxy settings from the profile cache (if available) or starts the user's default web browser to obtain the proxy settings. In Integrated mode, if Establish proxy settings on session start is enabled in the profile and the SGD Client starts the user's default web browser every time.

To be able to determine the proxy server settings from a web browser, the web browser must have Java™ technology enabled. If Java technology is not available or it is disabled in the web browser, the proxy settings must be manually specified in the profile.

Note If proxy server settings are defined in the Java Control Panel for the Sun Java Plug-in, these settings are used instead of the web browser settings.

If the profile has Manual Proxy Settings enabled, this allows you to configure the proxy server settings in the profile itself. You can specify either an HTTP or an SSL proxy server.

Using Proxy Server Automatic Configuration Scripts

Whenever client proxy server configuration is determined from a web browser, you can use an automatic configuration script to automatically configure the proxy settings.

You specify the URL of the configuration script in the connection settings for the web browser. The automatic configuration script must be written in JavaScript and have either a .pac file extension or no file extension. See the Netscape Proxy Auto-Config File Format page for details.

Note Use this format for all web browsers supported by SGD.

Known Issue With Automatic Configuration Scripts

Proxy server automatic configuration scripts can specify a list of proxy servers to try. If the first proxy server in the list is unavailable, the browser tries the other proxy servers in turn until it finds one that is available.

If you are using Microsoft Internet Explorer with Sun Java Plug-in version 1.5.0, only the first proxy server in the list is used. If that proxy server is not available, the connection fails. The solution is to use Sun Java Plug-in version 1.6.0.

Proxy Server Exception Lists

You can use proxy server exception lists to control the connections that are not proxied. Proxy exception lists can only be used if the proxy settings are determined from a web browser. You cannot configure exception lists in the client profile. The exception list can be configured in the web browser or Sun Java Plug-in.

An exception list is a semicolon-separated list of DNS host names:

Skip past command syntax or program;;

Note On Mozilla-based browsers, the list is a comma-separated list.

Exception lists can include the * wildcard:

Skip past command syntax or program code*

There is no translation between DNS host names and IP addresses in exception lists. For example, with an exception list of "*", connections to "" and "" do not use the proxy server, but connections to "" and "" (their IP addresses) do.

Users must include the following entries in their exception lists:

Skip past command syntax or program codelocalhost;

Proxy Server Timeouts

Proxy servers can drop a connection after a short period of time if there is no activity on the connection. By default, SGD sends keepalive packets every 100 seconds to keep the connection open.

If you find that applications disappear after a short while, you might have to increase the frequency at which keepalive packets are sent.

Server-side Proxy Server Configuration

When an SGD client connects to the SGD Web Server, SGD can be configured to "instruct" the client to connect using a different DNS name and an array route. An array route is the address of a server-side SOCKS proxy server. The DNS name and array route are determined using the IP address of the client. How you configure an SGD server to have multiple DNS names is described in SGD and DNS Names. How you configure array routes is described in the following section.

Configuring Array Routes

You configure array routes with the following command:

Skip past command syntax or program code$ tarantella config edit --tarantella-config-array-netservice-proxy-routes route ...

Each route has the format Client-IP-Pattern:type:host:port.

The Client-IP-Pattern can be either of the following:

The type is a connection type. Use CTSOCKS for a SOCKS version 5 connection. Use CTDIRECT to connect directly without using a proxy server.

The host is the DNS name or IP address of the proxy server to connect to and the port is the port to connect to on the host.

Enclose the array routes in quotes and separate each route with a comma, see the example below.

The order of the routes is important. The first matching client IP pattern is used.

Note You must restart every server in the array for array routes to take effect.

If you want to use an external SSL accelerator instead of SGD to handle SSL processing, append the route with :ssl, see the following example. This instructs the client to use SSL on that connection before continuing with the SOCKS connection. If you use an external SSL accelerator, you must also configure the SGD SSL Daemon to accept unencrypted connections. You configure this as follows:

  1. In the SGD Administration Console, click the Secure Global Desktop Servers tab and select an SGD server.
  2. Click the Security tab.
  3. Select the SSL Accelerator Support check box.
  4. Click Save.
  5. Repeat these steps for each SGD server in the array.

Alternatively, use the following command:

Skip past command syntax or program code$ tarantella config edit --array --security-acceptplaintext 1

The following is an example array route configuration:

Skip past command syntax or program code"192.168.5.*:CTDIRECT:,192.168.10.*.*,*"

With this configuration:

Related Topics