[VPN] Managing browser proxy settings on VPN client

Watson, Travis Travis.Watson at Honeywell.com
Mon Jul 28 21:14:23 EDT 2003


Cool!  Thanks, Volker.

--Travis

-----Original Message-----
From: Volker Tanger [mailto:volker.tanger at discon.de]
Sent: Friday, July 25, 2003 1:28 AM
To: Watson, Travis
Cc: DShaw at exceed.com.au; vpn at lists.shmoo.com
Subject: Re: [VPN] Managing browser proxy settings on VPN client


Greetings!

On Tue, 22 Jul 2003 09:31:45 -0700 "Watson, Travis"
<Travis.Watson at Honeywell.com> wrote:

> There is no real way to do it unless your users are all doing dial-up.
>  For IPSec--particularly broadband--users will either have to use two
>  different browsers or manually toggle it on or off


You can provide a special (reduced) PAC config file for the browser
(http://wp.netscape.com/eng/mozilla/2.0/relnotes/demo/proxy-live.html)
which usually is called "proxy automation" and is used for the CARP
protocol (http://www.linofee.org/~elkner/da/mmb99/7/CarpSpec.html) as
well as for client-based http routing, load balancing and failover. 


An example for your setup would look approximately like

    function FindProxyForURL(url, host)
    {
        return "PROXY proxy.example.com:3128; DIRECT";
    }


with which the browser first will try to contact the proxy (change the
example given to your setup). (Only) If a connect to the proxy fails, it
will fall back to the next option - direct (proxy-less) connection. You
will need to provide the file locally, though.

Worked successfully and reliably for a big international company.


Microsoft systems (MS-Proxy 2.0, IE 4.0) had a few issues with the CARP
protocol (which is designed by Microsoft, btw.) back then, but Netscape
(proxy and browser) worked flawlessly:

	- MS-Proxy array died when its master died (lame workaround(s): 
	  NetBIOS name round-robin for the array name + DNS round robin 
	  as returned last-resort proxy entry)

	- sometimes the IE browser was stuck when it reached the last 
	  proxy on the returned list and did not try from the beginning 
	  of that list. Seems to be a caching problem (semi-reliable 
	  workaround: repeat the first entry again as very last one).

I don't know whether that's still a problem with IE 5.x/6.0 and MS-ISA,
but chances are good, I fear. Despite working in MS's own labs with
their specialists, these issues never were resolved...

Bye

Volker Tanger

-- 

ITK-Security
discon gmbh
DeTeWe AG & Co. KG

Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/


     

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
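
The fallback order described in the message above, as an added example that is not part of the original post: it parses the PAC return value and models the browser's walk through the list, so you can check whether a given PAC string lets traffic leave without the proxy. The helper names and the reachability callback are hypothetical, and it assumes the proxy is reachable only while the VPN tunnel is up.

```javascript
// Added example: the PAC function from the post plus a model of the fallback walk.
// proxy.example.com:3128 is the placeholder used in the post; helper names and
// the isReachable callback are hypothetical stand-ins.

function FindProxyForURL(url, host) {
    // Try the proxy first; fall back to a direct connection.
    return "PROXY proxy.example.com:3128; DIRECT";
}

// Split a PAC return value into ordered {type, target} entries.
function parsePacResult(result) {
    return result.split(";")
        .map(s => s.trim())
        .filter(s => s.length > 0)
        .map(s => {
            const [type, target] = s.split(/\s+/);
            const t = type.toUpperCase();
            if (t === "DIRECT") return { type: t, target: null };
            if ((t === "PROXY" || t === "SOCKS") && /^[^\s:]+:\d+$/.test(target || ""))
                return { type: t, target };
            throw new Error("unrecognised PAC entry: " + s);
        });
}

// Model of the browser's behaviour: take the first entry that connects.
// isReachable(target) stands in for a real connection attempt.
function selectRoute(result, isReachable) {
    for (const e of parsePacResult(result)) {
        if (e.type === "DIRECT" || isReachable(e.target)) return e;
    }
    return null; // every proxy failed and no DIRECT fallback was listed
}

// True when the list permits proxy-less traffic once the proxies before DIRECT fail.
function allowsDirectFallback(result) {
    return parsePacResult(result).some(e => e.type === "DIRECT");
}

const pac = FindProxyForURL("http://www.example.org/", "www.example.org");
console.log(selectRoute(pac, () => true));   // tunnel up: proxy is chosen
console.log(selectRoute(pac, () => false));  // tunnel down: DIRECT is chosen
console.log(allowsDirectFallback(pac));
```

If browsing must never bypass the proxy, drop the `DIRECT` entry; `selectRoute` then returns `null` when the proxy is down instead of a direct route.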


