To be able to connect to SGD through a proxy server, client devices might need to be configured with the address and port number of the proxy servers. You might also need to configure SGD to give clients information about server-side proxy servers.
The supported proxy servers are listed in the Oracle Secure Global Desktop 4.6 Platform Support and Release Notes available at http://docs.sun.com/app/docs/doc/821-1928.
To configure client proxy settings, you must configure proxy settings for both the HTTP connections and the AIP connections. How you do this is described in the following sections.
HTTP connections are the connections between the user’s browser and the SGD web server, for example to display a webtop. These connections always use the proxy settings configured for the browser.
AIP connections are the connections between the SGD Client and the SGD server used to display applications. For these connections, the settings in the client profile control whether the SGD Client determines the proxy settings from a browser or from the client profile itself.
The SGD Client always stores the last proxy settings it used in the client profile cache. See About the Profile Cache for details.
Note - You can only configure a SOCKS proxy for the AIP connection by specifying an array route. See Configuring Server-Side Proxy Servers for details.
If the Use Default Web Browser Settings check box is selected in the client profile, the proxy server settings are determined from the user’s default browser. The SGD Client stores the proxy settings in the profile cache on the client device and uses these settings when it next starts.
If Establish Proxy Settings on Session Start is selected in the client profile, the SGD Client obtains the proxy settings from the browser every time it starts. The stored proxy settings are not used. If Automatic Client Login is selected in the client profile, the Establish Proxy Settings on Session Start setting is disabled.
If the SGD Client is in Integrated mode, and there are no proxy settings in the profile cache, the SGD Client attempts to make a direct connection.
To be able to determine the proxy settings from a browser, the browser must have Java technology enabled. If Java technology is not available, or it is disabled in the browser, the proxy settings must be manually specified in the client profile.
Note - If proxy server settings are defined in the Java Control Panel for the Sun Java Plugin tool, these settings are used instead of the browser settings.
If the Manual Proxy Settings check box is selected in the client profile, you can specify either an HTTP or an SSL proxy server in the client profile itself.
Whenever the client proxy settings are determined from a browser, you can use an automatic configuration script to supply those settings to the browser.
You specify the Uniform Resource Locator (URL) of the configuration script in the connection settings for the browser. The automatic configuration script must be written in the JavaScript programming language and have either a .pac file extension or no file extension. See Proxy Auto-Config File for details.
Note - Use this format for all browsers supported by SGD.
You can use proxy server exception lists to control the connections that are not proxied. Proxy exception lists can only be used if the proxy settings are determined from a browser. You cannot configure exception lists in the client profile. The exception list can be configured in the browser or Sun Java Plugin tool.
An exception list is a list of DNS host names. For Internet Explorer, the list is a semicolon-separated list. For Mozilla-based browsers, the list is a comma-separated list. Exception lists can include the * wildcard.
There is no translation between DNS host names and IP addresses in exception lists. For example, with an exception list of *.example.com, connections to chicago.example.com and detroit.example.com do not use a proxy server, but connections that use the IP addresses for these hosts do use a proxy server.
Exception lists must always include the following entries:
localhost; 127.0.0.1
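As an added example (not a script from the SGD documentation or product), the following proxy auto-config file shows the shape of the JavaScript the text describes, combined with the exception-list rules above: localhost and 127.0.0.1 always connect directly, hosts in example.com connect directly by DNS name only, and everything else goes through an assumed proxy server proxy.example.com:3128. It uses only plain JavaScript rather than the browser-supplied PAC helper functions, so it behaves the same in every supported browser and can be checked outside one.

```javascript
// Added example of a proxy auto-config (PAC) script; not a file shipped with SGD.
// The proxy address and the internal domain below are constructed placeholders.

// Entries that an exception list must always contain: never proxied.
var NEVER_PROXY = ["localhost", "127.0.0.1"];

// Internal DNS domain reachable without a proxy (*.example.com and example.com).
// As the text notes for exception lists, this matches DNS names only: a
// connection made to the same host by IP address still goes through the proxy.
var INTERNAL_DOMAIN_RE = /(^|\.)example\.com$/i;

// Constructed proxy server used for every other connection.
var PROXY = "PROXY proxy.example.com:3128";

// Entry point that browsers call for each URL; returns the proxy directive.
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase();

  // Exception-list entries: always a direct connection.
  for (var i = 0; i < NEVER_PROXY.length; i++) {
    if (h === NEVER_PROXY[i]) {
      return "DIRECT";
    }
  }

  // Hosts in the internal domain, for example chicago.example.com.
  if (INTERNAL_DOMAIN_RE.test(h)) {
    return "DIRECT";
  }

  // Everything else, including bare IP addresses of internal hosts, is proxied.
  return PROXY;
}
```

Save the script with a .pac extension (or no extension), publish it on a web server, and enter its URL as the automatic configuration script in the browser's connection settings.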
Proxy servers can drop a connection after a short period of time if there is no activity on the connection. By default, SGD sends AIP keepalive packets every 100 seconds to keep the connection open.
If you find that applications disappear after a short while, you might have to send AIP keepalive packets more often.
In the Administration Console, go to the Global Settings -> Communication tab and decrease the AIP Keepalive Frequency value, which is the number of seconds between keepalive packets. Alternatively, use the following command:
$ tarantella config edit --sessions-aipkeepalive secs
Note - You must restart every SGD server in the array for changes to this attribute to take effect.
SGD can be configured so that the SGD Client connects through a server-side SOCKS version 5 proxy server. The actual proxy server used is determined from the IP address of the client. This is known as an array route.
If you use the SGD Gateway, array routes are only used for client connections that are not routed through an SGD Gateway.
You configure array routes by setting one or more filters that match client IP addresses to server-side proxy servers. Each filter has the format Client-IP-Pattern:type:host:port.
The Client-IP-Pattern can be either of the following:
A regular expression matching one or more client IP addresses, for example 192.168.10.*
A subnet mask expressed in the number of bits to match one or more client IP addresses, for example 192.168.10.0/22
The type is a connection type. Use CTSOCKS for a SOCKS version 5 connection. Use CTDIRECT to connect directly without using a proxy server.
The host and port are the DNS name or IP address and port of the proxy server to use for the connection.
SGD can be configured with several filters. The order of the filters is important because SGD uses the first matching Client-IP-Pattern.
If you use an external SSL accelerator instead of SGD to handle SSL processing, append :ssl to the array route, as in the following example. This instructs the SGD Client to use SSL on that connection before continuing with the SOCKS connection. See Using External SSL Accelerators for details.
Caution - If SGD is configured for firewall forwarding, you cannot use multiple array routes because SGD cannot determine the IP address of the client device. You can configure a single array route, for example *:CTSOCKS:taurus.example.com:8080. See
The following is an example of array routes configuration:
192.168.5.*:CTDIRECT: \
192.168.10.*.*:CTSOCKS:taurus.example.com:8080 \
*:CTSOCKS:draco.example.com:8080:ssl
With this configuration, the following applies:
Clients with IP addresses beginning 192.168.5 have a direct connection.
Clients with IP addresses beginning 192.168.10 connect using the SOCKS proxy server taurus.example.com on port 8080.
All other clients connect using the SOCKS proxy server draco.example.com on port 8080. These clients also connect using SSL before continuing with the SOCKS connection.
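To make the filter semantics concrete, here is an added example (my own code, not SGD's) that parses filters in the Client-IP-Pattern:type:host:port[:ssl] format and returns the first match for a client address, covering both pattern forms the text allows: a regular expression and a subnet in bits. The filter list is adapted from the example above, with the second filter written as a subnet so both forms are exercised. The page does not show how SGD itself compiles the pattern, so two details are assumptions: the regular expression is anchored to the whole address, and a bare * is treated as matching every client.

```javascript
// Added example of array-route filter evaluation; not SGD's own implementation.
// Filters adapted from the documentation's example; client addresses in the
// checks are constructed.
var ROUTES = [
  "192.168.5.*:CTDIRECT:",                              // regex pattern, direct
  "192.168.10.0/22:CTSOCKS:taurus.example.com:8080",    // subnet pattern, SOCKS 5
  "*:CTSOCKS:draco.example.com:8080:ssl"                // catch-all, SSL then SOCKS 5
];

// Convert a dotted-quad IPv4 address to a plain number (0 .. 2^32-1).
// Returns null for anything that is not a valid IPv4 address.
function ipv4ToInt(ip) {
  var octets = String(ip).split(".");
  if (octets.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(octets[i]) || Number(octets[i]) > 255) return null;
    n = n * 256 + Number(octets[i]);
  }
  return n;
}

// True if clientIp falls inside the "a.b.c.d/bits" subnet. Plain arithmetic is
// used instead of bitwise operators, which would treat the value as signed 32-bit.
function cidrMatches(cidr, clientIp) {
  var m = /^(\d+\.\d+\.\d+\.\d+)\/(\d+)$/.exec(cidr);
  if (!m) return false;
  var bits = Number(m[2]);
  var net = ipv4ToInt(m[1]);
  var addr = ipv4ToInt(clientIp);
  if (net === null || addr === null || bits > 32) return false;
  var blockSize = Math.pow(2, 32 - bits);   // addresses per subnet
  return Math.floor(net / blockSize) === Math.floor(addr / blockSize);
}

// Split one filter into its fields. host and port are empty for CTDIRECT.
function parseRoute(filter) {
  var parts = filter.split(":");
  return {
    pattern: parts[0],
    type: parts[1],
    host: parts[2] || "",
    port: parts[3] || "",
    ssl: parts[4] === "ssl"
  };
}

// Decide whether a Client-IP-Pattern matches the client address.
function patternMatches(pattern, clientIp) {
  if (pattern === "*") return true;                              // assumed: match all
  if (/^\d+\.\d+\.\d+\.\d+\/\d+$/.test(pattern)) {
    return cidrMatches(pattern, clientIp);                       // subnet form
  }
  // Regular-expression form, anchored to the whole address (assumed). Note that
  // an unescaped "." matches any character, so 192.168.5.* also matches
  // 192.168.55.1; use the subnet form when the boundary must be exact.
  return new RegExp("^(?:" + pattern + ")$").test(clientIp);
}

// Return the first matching route, or null if no filter matches.
function selectRoute(filters, clientIp) {
  for (var i = 0; i < filters.length; i++) {
    var route = parseRoute(filters[i]);
    if (patternMatches(route.pattern, clientIp)) return route;   // first match wins
  }
  return null;
}

// Human-readable summary of how a client would connect.
function describeRoute(filters, clientIp) {
  var route = selectRoute(filters, clientIp);
  if (route === null) return "no route";
  if (route.type === "CTDIRECT") return "direct";
  return (route.ssl ? "ssl+" : "") + "socks5 via " + route.host + ":" + route.port;
}
```

Because the first match is used, the catch-all * filter must stay last; placing it first would send every client through draco.example.com. The regular-expression comment also shows why a subnet pattern is the safer choice when a route is meant to be an exact boundary: 192.168.5.* as a regular expression is wider than the /24 it looks like.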
You can only configure array routes from the command line.
Ensure that no users are logged in to the SGD servers in the array, and that there are no running application sessions, including suspended application sessions.
Configure the filters for array routes.
Use the following command:
$ tarantella config edit \
  --tarantella-config-array-netservice-proxy-routes routes
Enclose routes in quotes and separate each filter with a comma, for example "filter1,filter2,filter3".
The format of each filter is described in Configuring Server-Side Proxy Servers.
The order of the filters is important. The first match is used.
Restart every SGD server in the array.
You must restart every server in the array for array routes to take effect.