Secure Global Desktop Administration Guide > Security > Using Secure Global Desktop with proxy servers

Using Secure Global Desktop with proxy servers

To use Secure Global Desktop with a proxy server, the proxy server must support tunneling.

For the browser-based webtop, you can use HTTP, Secure (SSL) or SOCKS v5 proxy servers.

For the classic webtop, the Java™ technology clients can use HTTP, Secure (SSL) or SOCKS v5 proxy servers. For the Native Clients, you can only use HTTP and SOCKS v5 proxy servers.

For SOCKS v5 proxy servers, Secure Global Desktop supports the Basic and No authentication required authentication methods. No server-side configuration is required.

Configuring proxy server settings on clients

To use a proxy server with Secure Global Desktop, clients need to be configured with:

• The address and port number of the proxy servers your LAN uses to connect to the Internet.
• An exception list of addresses which do not need to be accessed through the proxy server, for example, addresses on your corporate intranet.

The proxy server settings on client devices can be configured automatically or manually.

Automatic configuration

You can automatically configure the proxy server settings by using the URL of an autoconfig file. The file must be written in JavaScript and have either a .pac file extension or no file extension. See the Netscape Proxy Auto-Config File Format page for details.

Note Use this format for all web browsers supported by Secure Global Desktop.

Browser-based webtop

For the browser-based webtop, the proxy server settings are used by Secure Global Desktop Client.

The Secure Global Desktop Client on Windows client devices can only use an autoconfig file if:

• the URL of the autoconfig file is configured in Internet Options in the Windows Control Panel; and
• the Use default proxy settings option is set on the Proxy tab in the Options menu for the Secure Global Desktop Client.

On UNIX or Linux client devices, the Secure Global Desktop Client uses the user preferences file to store proxy server settings. This file can be automatically configured using a shell script.

Classic webtop

For the classic webtop, the URL of the autoconfig file is configured in the options for the web browser hosting the Java technology clients.

For the Native Client on UNIX, Linux or Mac OS X client devices, the user preferences file is used to store proxy server settings. This file can be automatically configured using a shell script.

Manual configuration

Browser-based webtop

For the browser-based webtop, the proxy server settings are used by Sun Secure Global Desktop Client.

On Windows client devices, the proxy server settings come either:

• from the Internet Options in the Windows Control Panel; or
• from the Proxy tab in the Options menu for the Secure Global Desktop Client.

On UNIX or Linux client devices, the proxy server settings come from the user preferences file.

Classic webtop

For the classic webtop:

• the Java technology clients, the proxy server settings come from the browser (via Microsoft Virtual Machine or Sun Java Plug-in).
• the Native Client for Windows, the proxy server settings have to be manually configured in the client. Click Options in the Webtop menu.
• the Native Client on UNIX, Linux or Mac OS X client devices, the proxy server settings are configured in the user preferences file.

Exception lists

An exception list is a semicolon-separated list of DNS host names:

chicago.indigo-insurance.com;detroit.indigo-insurance.com;london.indigo-insurance.com

Exception lists may include the * wildcard:

*.indigo-insurance.com

There is no translation between DNS hostnames and IP addresses in exception lists. For example, with an exception list of "*.indigo-insurance.com", connections to "chicago.indigo-insurance.com" and "detroit.indigo-insurance.com" would not use the proxy server, but connections to "192.168.5.20" and "192.168.5.30" (their IP addresses) would.

Note On Netscape browsers, the list is a comma-separated list.

Known issues with proxy servers

If you are using the Sun Java Plug-in version 1.5.0 with the classic webtop, the Plug-in does not make the browser's proxy server settings available to the client. Currently the only solution is to use an earlier version of the Plug-in.

Proxy server configuration and connections to Secure Global Desktop

If only one proxy server has been configured on the client, Secure Global Desktop uses this proxy server for all HTTP, HTTPS and Secure Global Desktop connections.

Note If this is a Secure (SSL) proxy server, the Secure Global Desktop traffic is only encrypted if the user has a secure connection to the Secure Global Desktop server.

If an HTTP and a SOCKS proxy server have been configured on the client, and you are using Secure Global Desktop in firewall forwarding mode, Secure Global Desktop uses the HTTP proxy server for all HTTP, HTTPS and Secure Global Desktop connections.

If an HTTP and a SOCKS proxy server have been configured on the client, and you are not using Secure Global Desktop in firewall forwarding mode, the proxy server Secure Global Desktop uses depends on the client. If the client is:

• a Secure Global Desktop Client, Secure Global Desktop uses:
  • the HTTP proxy server for the HTTP and HTTPS connections; and
  • the SOCKS proxy server for all Secure Global Desktop connections.
• a Secure Global Desktop Java™ technology client, Secure Global Desktop uses:
  • the HTTP proxy server for the HTTP and HTTPS connections; and
  • the HTTP proxy server for all Secure Global Desktop connections but the connections go via the SOCKS proxy server first.
• a Native Client, Secure Global Desktop uses:
  • the HTTP proxy server for the HTTP and HTTPS connections; and
  • the SOCKS proxy server for all Secure Global Desktop connections.

Proxy server timeouts

Proxy servers will drop a connection after a short period of time if there is no activity on the connection. By default, Secure Global Desktop sends keepalive packets every 100 seconds to keep the connection open.

If you find that applications disappear after a short while, you may have to increase the frequency at which keepalive packets are sent.

Using the proxy server diagnostic application for the classic webtop

The classic webtop has a diagnostic application, proxyinfo, which can be used to investigate any problems Secure Global Desktop encounters when it acquires proxy information.

To access the application, users must type the following URL in their web client:

http://server.com/tarantella/cgi-bin/ttawebtop.cgi/tarantella/resources/info/sco/tta/proxyinfo.html

You must always run this application through the ttawebtop.cgi program.

Note The proxyinfo application is only available to web clients. If Native Client for Windows users experience problems with proxy servers, they should check their Console Log for more information.

When you run the application, the Proxy server information page displays and processes the proxy server configuration. The results are output on screen.

The information displayed shows what the application has detected about the user's web client settings and what tests the application has carried out.

The key piece of information shown is the name and port numbers of the candidate proxy servers. These are the proxy servers that Secure Global Desktop can connect to.

Customizing the output of the proxyinfo application

The proxyinfo application is a Secure Global Desktop Java™ applet. You can configure the level of detail shown by the application by adding a parameter to the applet.

To add the parameter:

1. Open the /opt/tarantella/var/docroot/resources/info/sco/tta/proxyinfo.html file in an editor.
2. Look for the TTAAPPLET tag.
3. Insert the following parameter tag between the opening and closing TTAAPLET tags:

   <param name="LOG_MASK" value="bit mask">

4. Close the file and save the changes.

The bit mask values for this parameter are:

The default value is 7, which shows General, Details and Overrides, but not Registry.

Customized themes for the classic webtop

If you have created a customized webtop theme, it may contain HTML files which are used as "entry points" to Secure Global Desktop. An HTML file counts as an entry point if it is the first HTML page to be loaded which contains Secure Global Desktop applets. In order for Secure Global Desktop to detect and use the proxy server configured in the browser, each applet in an entry-point HTML file must include the ProxyServer and ProxyFrame proxy parameters.

Copyright © 1997-2005 Sun Microsystems, Inc. All rights reserved.