1.3 Proxy Servers

To be able to connect to SGD through a proxy server, client devices might need to be configured with the address and port number of the proxy servers. You might also need to configure SGD to give a client device information about server-side proxy servers.


Proxy server configuration is not available for tablet devices. Connections always use the proxy settings configured for the browser on the tablet device.

This section includes the following topics:

1.3.1 Supported Proxy Servers

The supported proxy servers are listed in the Oracle Secure Global Desktop Platform Support and Release Notes.

1.3.2 Configuring Client Proxy Settings

To configure client proxy settings, you must configure proxy settings for both the HTTP connections and the AIP connections. How you do this is described in the following sections. HTTP Connections

HTTP connections are the connections between the user's browser and the SGD web server, for example to display a workspace. These connections always use the proxy settings configured for the browser. AIP Connections

AIP connections are the connections between the SGD Client and the SGD server used to display applications. For these connections, the settings in the client profile control whether the SGD Client determines the proxy settings from a browser or from the client profile itself.

The SGD Client always stores the last proxy settings it used in the client profile cache. See Section 6.2.5, “About the Profile Cache” for details.


You can only configure a SOCKS proxy for the AIP connection by specifying an array route, see Section 1.3.4, “Configuring Server-Side Proxy Servers” for details.

Determining Proxy Settings From a Browser

If the Use Default Web Browser Settings check box is selected in the client profile, the proxy server settings are determined from the user's default browser. The SGD Client stores the proxy settings in the profile cache on the client device and uses these settings when it next starts.

If Establish Proxy Settings on Session Start is selected in the client profile, the SGD Client obtains the proxy settings from the browser every time it starts. The stored proxy settings are not used.

To be able to determine the proxy settings from a browser, the browser must have Java technology enabled. If Java technology is not available, or it is disabled in the browser, the proxy settings must be manually specified in the client profile.


If proxy server settings are defined in the Java Control Panel for the Java Plug-in tool, these settings are used instead of the browser settings.

Specifying Proxy Settings in the Client Profile

If the Manual Proxy Settings check box is selected in the client profile, you can specify either an HTTP or an SSL proxy server in the client profile itself. Using Proxy Server Automatic Configuration Scripts

Whenever client proxy server configuration is determined from a browser, you can use an automatic configuration script to automatically configure the proxy settings.

You specify the URL of the configuration script in the connection settings for the browser. The automatic configuration script must be written in the JavaScript programming language and have either a .pac file extension or no file extension. See Proxy Auto-Config File for details.


Use this format for all browsers supported by SGD. Proxy Server Exception Lists

You can use proxy server exception lists to control the connections that are not proxied. Proxy exception lists can only be used if the proxy settings are determined from a browser. You cannot configure exception lists in the client profile. The exception list can be configured in the browser or Java Plug-in tool.

An exception list is a list of DNS host names. For Internet Explorer, the list is a semicolon-separated list. For Mozilla-based browsers, the list is a comma-separated list. Exception lists can include the * wildcard.

There is no translation between DNS host names and IP addresses in exception lists. For example, with an exception list of *.example.com, connections to chicago.example.com and detroit.example.com do not use a proxy server, but connections that use the IP addresses for these hosts do use a proxy server.

Exception lists must always include the following entries:


1.3.3 Proxy Server Timeouts

Proxy servers can drop a connection after a short period of time if there is no activity on the connection. By default, SGD sends AIP keepalive packets every 100 seconds to keep the connection open.

If you find that applications disappear after a short while, you might have to increase the frequency at which AIP keepalive packets are sent.

In the Administration Console, go to the Global Settings, Communication tab and decrease the AIP Keepalive Frequency. Alternatively, use the following command:

$ tarantella config edit --sessions-aipkeepalive secs

You must restart every SGD server in the array for changes to this attribute to take effect.

1.3.4 Configuring Server-Side Proxy Servers

SGD can be configured so that the SGD Client connects through a server-side SOCKS version 5 proxy server. The actual proxy server used is determined using the IP address of the client. This known as an array route.

If you use the SGD Gateway, array routes are only used for client connections that are not routed through an SGD Gateway.

You configure array routes by setting one or more filters that match client IP addresses to server-side proxy servers. Each filter has the format Client-IP-Pattern:type:host:port.

The Client-IP-Pattern can be either of the following:

  • A regular expression matching one or more client IP addresses, for example 192.168.10.*

  • A subnet mask expressed in the number of bits to match one or more client IP addresses, for example

The type is a connection type. Use CTSOCKS for a SOCKS version 5 connection. Use CTDIRECT to connect directly without using a proxy server.

The host and port are the DNS name or IP address and port of the proxy server to use for the connection.

SGD can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.

If you use an external SSL accelerator instead of SGD to handle SSL processing, append the array route with :ssl, see the following example. This instructs the SGD Client to use SSL on that connection before continuing with the SOCKS connection. See Section 1.6.2, “Using External SSL Accelerators” for details.


If SGD is configured for firewall forwarding, you cannot use multiple array routes because SGD cannot determine the IP address of the client device. You can configure a single array route, for example *:CTSOCKS:taurus.example.com:8080. See Section 1.5.2, “Firewall Traversal”.

The following is an example of array routes configuration:

"192.168.5.*:CTDIRECT" \
"192.168.10.*.*:CTSOCKS:taurus.example.com:8080" \

With this configuration, the following applies:

  • Clients with IP addresses beginning 192.168.5 have a direct connection.

  • Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.example.com on port 8080.

  • All other clients connect using the SOCKS proxy server draco.example.com on port 8080. These clients also connect using SSL before continuing with the SOCKS connection. How to Configure Array Routes

You can only configure array routes from the command line.

Ensure that no users are logged in to the SGD servers in the array, and that there are no running application sessions, including suspended application sessions.

  1. Configure the filters for array routes.

    Use the following command:

    $ tarantella config edit \
    --tarantella-config-array-netservice-proxy-routes routes

    Separate each filter with a space and enclose in double quotation marks (" "). For example, "filter1" "filter2" "filter3".

    The format of each filter is described in Section 1.3.4, “Configuring Server-Side Proxy Servers”.

    The order of the filters is important. The first match is used.

  2. Restart every SGD server in the array.

    You must restart every server in the array for array routes to take effect.