To be able to connect to SGD through a proxy server, client devices might need to be configured with the address and port number of the proxy servers. You might also need to configure SGD to give a client device information about server-side proxy servers.
Proxy server configuration is not available for tablet devices. Connections always use the proxy settings configured for the browser on the tablet device.
The supported proxy servers are listed in the Oracle Secure Global Desktop Platform Support and Release Notes.
To configure client proxy settings, you must configure proxy settings for both the HTTP connections and the AIP connections. How you do this is described in the following sections.
HTTP connections are the connections between the user's browser and the SGD web server, for example to display a workspace. These connections always use the proxy settings configured for the browser.
AIP connections are the connections between the SGD Client and the SGD server used to display applications. For these connections, the settings in the client profile control whether the SGD Client determines the proxy settings from a browser or from the client profile itself.
The SGD Client always stores the last proxy settings it used in the client profile cache. See Section 6.2.5, “About the Profile Cache” for details.
You can only configure a SOCKS proxy for the AIP connection by specifying an array route. See Section 1.3.4, “Configuring Server-Side Proxy Servers” for details.
If the Use Default Web Browser Settings check box is selected in the client profile, the proxy server settings are determined from the user's default browser. The SGD Client stores the proxy settings in the profile cache on the client device and uses these settings when it next starts.
If Establish Proxy Settings on Session Start is selected in the client profile, the SGD Client obtains the proxy settings from the browser every time it starts. The stored proxy settings are not used.
To be able to determine the proxy settings from a browser, the browser must have Java technology enabled. If Java technology is not available, or it is disabled in the browser, the proxy settings must be manually specified in the client profile.
If proxy server settings are defined in the Java Control Panel for the Java Plug-in tool, these settings are used instead of the browser settings.
Whenever client proxy server configuration is determined from a browser, you can use an automatic configuration script to automatically configure the proxy settings.
You specify the URL of the configuration script in the connection settings for the browser. The automatic configuration script must be written in the JavaScript programming language and have either a .pac file extension or no file extension. See Proxy Auto-Config File for details.
Use this format for all browsers supported by SGD.
You can use proxy server exception lists to control the connections that are not proxied. Proxy exception lists can only be used if the proxy settings are determined from a browser. You cannot configure exception lists in the client profile. The exception list can be configured in the browser or Java Plug-in tool.
An exception list is a list of DNS host names. For Internet Explorer, the list is a semicolon-separated list. For Mozilla-based browsers, the list is a comma-separated list. Exception lists can include the * wildcard.
There is no translation between DNS host names and IP addresses in exception lists. For example, with an exception list of *.example.com, connections to chicago.example.com and detroit.example.com do not use a proxy server, but connections that use the IP addresses for these hosts do use a proxy server.
Exception lists must always include the following entries:
localhost; 127.0.0.1
Proxy servers can drop a connection after a short period of time if there is no activity on the connection. By default, SGD sends AIP keepalive packets every 100 seconds to keep the connection open.
If you find that applications disappear after a short while, you might have to increase the frequency at which AIP keepalive packets are sent.
In the Administration Console, go to the Global Settings, Communication tab and decrease the AIP Keepalive Frequency. Alternatively, use the following command:
$ tarantella config edit --sessions-aipkeepalive secs
You must restart every SGD server in the array for changes to this attribute to take effect.
SGD can be configured so that the SGD Client connects through a server-side SOCKS version 5 proxy server. The actual proxy server used is determined using the IP address of the client. This is known as an array route.
If you use the SGD Gateway, array routes are only used for client connections that are not routed through an SGD Gateway.
You configure array routes by setting one or more filters that match client IP addresses to server-side proxy servers. Each filter has the format Client-IP-Pattern:type:host:port.
The Client-IP-Pattern can be either of the following:
A regular expression matching one or more client IP addresses, for example 192.168.10.*
A subnet mask expressed in the number of bits to match one or more client IP addresses, for example 192.168.10.0/22
The type is a connection type. Use CTSOCKS for a SOCKS version 5 connection. Use CTDIRECT to connect directly without using a proxy server.
The host and port are the DNS name or IP address and port of the proxy server to use for the connection.
SGD can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.
If you use an external SSL accelerator instead of SGD to handle SSL processing, append the array route with :ssl, see the following example. This instructs the SGD Client to use SSL on that connection before continuing with the SOCKS connection. See Section 1.6.2, “Using External SSL Accelerators” for details.
If SGD is configured for firewall forwarding, you cannot use multiple array routes because SGD cannot determine the IP address of the client device. You can configure a single array route, for example *:CTSOCKS:taurus.example.com:8080. See Section 1.5.2, “Firewall Traversal”.
The following is an example of array routes configuration:
"192.168.5.*:CTDIRECT" \
"192.168.10.*:CTSOCKS:taurus.example.com:8080" \
"*:CTSOCKS:draco.example.com:8080:ssl"
With this configuration, the following applies:
Clients with IP addresses beginning 192.168.5 have a direct connection.
Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.example.com on port 8080.
All other clients connect using the SOCKS proxy server draco.example.com on port 8080. These clients also connect using SSL before continuing with the SOCKS connection.
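Because the first matching filter wins, a misplaced filter can silently send clients down the wrong path. The following Python sketch is an added example, not Oracle code: it parses filters in the documented format, reports which route a client IP selects, and lists filters that sit unreachable behind a catch-all * pattern. It assumes that * behaves as a shell-style wildcard and that /n patterns are CIDR prefixes; all function names are hypothetical.

```python
import fnmatch
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    pattern: str
    ctype: str
    host: Optional[str]
    port: Optional[int]
    ssl: bool

def parse_filter(text: str) -> Route:
    """Parse Client-IP-Pattern:type[:host:port][:ssl] (IPv4 or DNS hosts only)."""
    pattern, _, rest = text.partition(":")
    fields = rest.split(":") if rest else []
    ssl = bool(fields) and fields[-1] == "ssl"
    if ssl:
        fields = fields[:-1]
    if fields == ["CTDIRECT"]:
        return Route(pattern, "CTDIRECT", None, None, ssl)
    if len(fields) == 3 and fields[0] == "CTSOCKS" and fields[2].isdigit():
        return Route(pattern, "CTSOCKS", fields[1], int(fields[2]), ssl)
    raise ValueError(f"malformed array route filter: {text!r}")

def matches(pattern: str, client_ip: str) -> bool:
    # Assumption: '*' is a shell-style wildcard; 'a.b.c.d/n' is a CIDR prefix.
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)  # tolerate host bits
        return ipaddress.ip_address(client_ip) in net
    return fnmatch.fnmatchcase(client_ip, pattern)

def resolve(filters: list, client_ip: str) -> Optional[Route]:
    """Return the route of the first filter whose pattern matches, else None."""
    for route in map(parse_filter, filters):
        if matches(route.pattern, client_ip):
            return route
    return None

def shadowed(filters: list) -> list:
    """Filters placed after a catch-all '*' pattern can never be selected."""
    for i, route in enumerate([parse_filter(f) for f in filters]):
        if route.pattern == "*":
            return filters[i + 1:]
    return []

# Constructed sample, written in the filter forms the page documents.
ROUTES = [
    "192.168.5.*:CTDIRECT",
    "192.168.10.*:CTSOCKS:taurus.example.com:8080",
    "*:CTSOCKS:draco.example.com:8080:ssl",
]
```

Running shadowed() and a few resolve() calls over a proposed filter list before passing it to tarantella config edit shows whether any filter is dead and which clients would bypass the proxy.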
You can only configure array routes from the command line.
Ensure that no users are logged in to the SGD servers in the array, and that there are no running application sessions, including suspended application sessions.
Configure the filters for array routes.
Use the following command:
$ tarantella config edit \
  --tarantella-config-array-netservice-proxy-routes routes
Separate each filter with a space and enclose in double quotation marks (" "). For example, "filter1" "filter2" "filter3". The format of each filter is described in Section 1.3.4, “Configuring Server-Side Proxy Servers”.
The order of the filters is important. The first match is used.
Restart every SGD server in the array.
You must restart every server in the array for array routes to take effect.