Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsIT Pro and developersQuestion - Corporate HTTP Proxy


48 posts

Geek
+1 received by user: 3


Topic # 123385 5-Jul-2013 12:43
Send private message

Hi, 

I have a networking question that I can't seem to understand since I only have basic networking knowledge.

My work has a HTTP proxy as most work places do, they use it to monitor and block traffic to certain sites and stop certain services from working etc. 

What I'm confused about is I can access some services through the browser (e.g. chrome) but not locally on the computer. I can't understand why some stuff is getting blocked and in some instances it's not.

For example, I have chrome installed, and put in the correct proxy settings. I can go to google.com and log into gmail, calander and drive etc all through the browser. But when I try to setup sync in the chrome browser (for bookmarks and extensions etc) it doesn't work. Just can't authenticate. I don't see how the traffic would be different since it's going through the same application. 

This is the case for skydrive, dropbox etc. I can access via the browser but applications are blocked even once I put the correct proxy details in. 

Wouldn't the traffic be the same if it's through a browser or application? both would be https using port 443.

Also I just tired to ping google.com via CMD and it timeouts. So not sure why it gets blocked via CMD (proxy has been setup in internet settings).

I managed to get the dropbox application to work via the socks proxy our work has. (didnt work for google stuff though). So why does the sock proxy work and not the http proxy? 

Sorry I know these are random questions I would just like to understand how it works.

Cheers.

Create new topic
4993 posts

Uber Geek
+1 received by user: 1327

Trusted
Microsoft

  Reply # 849683 5-Jul-2013 12:48
Send private message

What OS are you on?

you cant proxy ICMP which is what a ping is



48 posts

Geek
+1 received by user: 3


  Reply # 849687 5-Jul-2013 12:56
Send private message

Windows XP and Windows 7

 
 
 
 


4993 posts

Uber Geek
+1 received by user: 1327

Trusted
Microsoft

  Reply # 849691 5-Jul-2013 12:58
Send private message

Proxy could be specifically blocking those services you say aren't working

ani idea of what proxy software it is?

3259 posts

Uber Geek
+1 received by user: 643

Trusted

  Reply # 849976 6-Jul-2013 01:34
Send private message

Proxies work by breaking down pieces of the protocol and rewriting them.

For example - collecting an http object

1) Web browser goes and places an http request for www.google.com/logo.jpg but instead of doing a dns lookup and querying google.com's ip address, it just sends it to your proxy server.

2) The proxy server replies "hold on a moment"

It then goes and collects the file, and then sends it back to the web browser.

Now the proper way to do it would be natting. Rather than having a proxy server that breaks down the http request and getting the image file on your behalf, natting just rewrites packets so almost anything can pass though. If a proxy server doesnt understand a protocol like http, https, ftp or socks then it cannot pass through.

Proxies are a pain in the bum for users because they break things.
Whenever I set them up, i always use a product such as kerio control that is designed first as a router (natting) but has a transparent http proxy built in to process http and log / block urls etc while the natting lets everything else pass through happily.

Before natting became popular ~2004-2006, proxies were a popular way to share internet access in a network and some companies still use them. They also have the advantage of being a direct part of the http stream so they can log/monitor/block access.

Sorry for rambling but to sum up
 - Proxy servers break things. Some stuff will work, other stuff wont.
 - Socks and http are two different protocols. Socks is not 100% compatible with all applications that use it. Http is compatible with 99%
 - The internet explorer settings are only internet explorer settings. Other applications can be designed to read those settings and use it themselves, but usually you need to set the proxy server in each application.
 - As stated above, ping is an ICMP protocol which cannot be proxied.




Ray Taylor
Taylor Broadband (rural hawkes bay)
www.ruralkiwi.com

There is no place like localhost
For my general guide to extending your wireless network Click Here

BDFL - Memuneh
61807 posts

Uber Geek
+1 received by user: 12451

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 850013 6-Jul-2013 10:25
Send private message

The analogy is not correct. Proxy servers don't "break" things. They act as proxy, that is they act on the behalf of the client.

Your steps 1,2 (and the last paragraph being 3) are correct.

However NAT is not the correct way of doing it, simply because companies use proxies for different reasons.

One is to save in data traffic, by making sure if a resource (image, CSS, script) is used by many users inside its network then it guarantees a copy is stored locally so it doesn't have to request from the original server.

Another reason is to make sure access to some websites is blocked if the site is not suitable for work.

In either case a NAT would not perform these tasks. NAT's function is to translate internal LAN addresses so that clients inside the network share a single WAN (external) address.

To the OP: configuring the proxy on your browser doesn't mean ALL applications on that computer will use a proxy. Many have their own proxy settings and many don't have proxy settings at all. This explain why some won't work out of the browser.





Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund



48 posts

Geek
+1 received by user: 3


  Reply # 850029 6-Jul-2013 11:17
Send private message

Thanks for all this.

Sorry but I think we are moving away from my OP which is my fault as I might not have explained it well enough.

I understand what a proxy does etc and it's uses. I also understand configuring the proxy on your browser doesn't mean ALL applications on that computer will use a proxy. I should have explained this better. I put the proxy settings in the browser (chrome), the internet settings (in control panel) and in the application but still the service works via the browser but not the application. So that is where my confusion is, why is the application traffic getting blocked when it's going though the same proxy.

For example, Dropbox. Dropbox application has a settings tab to put proxy settings, it has three options, no proxy, system proxy or user defined etc. I've tried system proxy and user defined (using the exact same settings as the browser) but the application just wont connect but I can easily go to dropbox.com through the browser.

So this is where my confusion is, what is the difference between the application traffic and the browser traffic? Instead of proxy could it be the companies firewall blocks the application via a port? e.g. does the dropbox application try to use port 443 (https) which maybe blocked where as all the browser traffic goes through port 80? Even though it uses https as well? This is where my lack of networking knowledge comes is. I dont even know if that is possible (https traffic via port 80).

Just an FYI, I did notice something in one application which I was trying to use to connect to a google service, I setup the application with the proxy settings but it still wouldn't login. I checked the logs of the application and it said something about not receiving response from google and login timed out. I logged into the google "application specific passwords" page which shows last log on date and it showed the application did actually log on, it's just that the response from google must have been blocked when entering the companies network. So this could be where the problem is, but then again why does it work via the browser?

I know it's had to answer based on the information provided, just thought it was something very interesting that the services were not blocked via the browser but via the application.

3044 posts

Uber Geek
+1 received by user: 467

Trusted
Subscriber

  Reply # 850033 6-Jul-2013 11:22
Send private message

One problem is that for some stupid reason, I've discovered many applications (especially .NET Framework ones!) have no handling of 407 "Proxy Authentication Required" responses, so if your corporate proxy requires logging in (which it almost certainly does) then many applications will simply fail.

This is why if you have an ISA or TMG proxy, you are best installing the Firewall client which will authenticate on behalf of any apps that try and access the internet.

BDFL - Memuneh
61807 posts

Uber Geek
+1 received by user: 12451

Administrator
Trusted
Geekzone
Lifetime subscriber

  Reply # 850057 6-Jul-2013 11:43
Send private message

As above. Not all apps work well with proxies and some use different approaches.




Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff)

 

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

4975 posts

Uber Geek
+1 received by user: 105

Trusted

  Reply # 862588 20-Jul-2013 14:13
Send private message

I run WebMarshall as the proxy server. It authenticates all requests against AD. Browsers fine since you can put the proxy name and port in the browser settings.

But apps like Skype, Dropbox don't since they cannot authenticate with AD.  We have to create rules that allow certain apps to bypass authentication and currently I only allow Skype despite calls for Dropbox, I won't allow that!

I also allow FTP (Filezilla is the preferred client) since there are business reasons for using that. Otherwise I can't think of any reasons to allow exceptions in our environment. I have heard murmurings about Spotify but that is not a business app.




System One: Popcorn Hour A200,  PS3 SuperSlim, NPVR and Plex Server running on Gigabyte Brix (Windows 10 Pro), Sony BDP-S390 BD player, Pioneer AVR, Raspberry Pi running Kodi and Plex, Panasonic 60" 3D plasma, Google Chromecast

System Two: Popcorn Hour A200 ,  Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen. Harman Kardon HK AVR 254 7.1 receiver, Samsung 4K player, Google Chromecast

 


My Google+ page 

 

 

 

https://plus.google.com/+laurencechiu

 

 

Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Geekzone Live »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.