Question - Corporate HTTP Proxy

Forums › IT Pro and developers › Question - Corporate HTTP Proxy

anandpatel18

56 posts

Master Geek

#123385 5-Jul-2013 12:43

Hi,

I have a networking question that I can't seem to understand since I only have basic networking knowledge.

My work has a HTTP proxy as most work places do, they use it to monitor and block traffic to certain sites and stop certain services from working etc.

What I'm confused about is I can access some services through the browser (e.g. chrome) but not locally on the computer. I can't understand why some stuff is getting blocked and in some instances it's not.

For example, I have chrome installed, and put in the correct proxy settings. I can go to google.com and log into gmail, calander and drive etc all through the browser. But when I try to setup sync in the chrome browser (for bookmarks and extensions etc) it doesn't work. Just can't authenticate. I don't see how the traffic would be different since it's going through the same application.

This is the case for skydrive, dropbox etc. I can access via the browser but applications are blocked even once I put the correct proxy details in.

Wouldn't the traffic be the same if it's through a browser or application? both would be https using port 443.

Also I just tired to ping google.com via CMD and it timeouts. So not sure why it gets blocked via CMD (proxy has been setup in internet settings).

I managed to get the dropbox application to work via the socks proxy our work has. (didnt work for google stuff though). So why does the sock proxy work and not the http proxy?

Sorry I know these are random questions I would just like to understand how it works.

Cheers.

nathan

5695 posts

Uber Geek
Inactive user

#849683 5-Jul-2013 12:48

What OS are you on?

you cant proxy ICMP which is what a ping is

anandpatel18

56 posts

Master Geek

#849687 5-Jul-2013 12:56

Windows XP and Windows 7

nathan

5695 posts

Uber Geek
Inactive user

#849691 5-Jul-2013 12:58

Proxy could be specifically blocking those services you say aren't working

ani idea of what proxy software it is?

raytaylor

4014 posts

Uber Geek

Trusted

#849976 6-Jul-2013 01:34

Proxies work by breaking down pieces of the protocol and rewriting them.

For example - collecting an http object

1) Web browser goes and places an http request for www.google.com/logo.jpg but instead of doing a dns lookup and querying google.com's ip address, it just sends it to your proxy server.

2) The proxy server replies "hold on a moment"

It then goes and collects the file, and then sends it back to the web browser.

Now the proper way to do it would be natting. Rather than having a proxy server that breaks down the http request and getting the image file on your behalf, natting just rewrites packets so almost anything can pass though. If a proxy server doesnt understand a protocol like http, https, ftp or socks then it cannot pass through.

Proxies are a pain in the bum for users because they break things.
Whenever I set them up, i always use a product such as kerio control that is designed first as a router (natting) but has a transparent http proxy built in to process http and log / block urls etc while the natting lets everything else pass through happily.

Before natting became popular ~2004-2006, proxies were a popular way to share internet access in a network and some companies still use them. They also have the advantage of being a direct part of the http stream so they can log/monitor/block access.

Sorry for rambling but to sum up
- Proxy servers break things. Some stuff will work, other stuff wont.
- Socks and http are two different protocols. Socks is not 100% compatible with all applications that use it. Http is compatible with 99%
- The internet explorer settings are only internet explorer settings. Other applications can be designed to read those settings and use it themselves, but usually you need to set the proxy server in each application.
- As stated above, ping is an ICMP protocol which cannot be proxied.

Ray Taylor

There is no place like localhost

Spreadsheet for Comparing Electricity Plans Here

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#850013 6-Jul-2013 10:25

The analogy is not correct. Proxy servers don't "break" things. They act as proxy, that is they act on the behalf of the client.

Your steps 1,2 (and the last paragraph being 3) are correct.

However NAT is not the correct way of doing it, simply because companies use proxies for different reasons.

One is to save in data traffic, by making sure if a resource (image, CSS, script) is used by many users inside its network then it guarantees a copy is stored locally so it doesn't have to request from the original server.

Another reason is to make sure access to some websites is blocked if the site is not suitable for work.

In either case a NAT would not perform these tasks. NAT's function is to translate internal LAN addresses so that clients inside the network share a single WAN (external) address.

To the OP: configuring the proxy on your browser doesn't mean ALL applications on that computer will use a proxy. Many have their own proxy settings and many don't have proxy settings at all. This explain why some won't work out of the browser.

anandpatel18

56 posts

Master Geek

#850029 6-Jul-2013 11:17

Thanks for all this.

Sorry but I think we are moving away from my OP which is my fault as I might not have explained it well enough.

I understand what a proxy does etc and it's uses. I also understand configuring the proxy on your browser doesn't mean ALL applications on that computer will use a proxy. I should have explained this better. I put the proxy settings in the browser (chrome), the internet settings (in control panel) and in the application but still the service works via the browser but not the application. So that is where my confusion is, why is the application traffic getting blocked when it's going though the same proxy.

For example, Dropbox. Dropbox application has a settings tab to put proxy settings, it has three options, no proxy, system proxy or user defined etc. I've tried system proxy and user defined (using the exact same settings as the browser) but the application just wont connect but I can easily go to dropbox.com through the browser.

So this is where my confusion is, what is the difference between the application traffic and the browser traffic? Instead of proxy could it be the companies firewall blocks the application via a port? e.g. does the dropbox application try to use port 443 (https) which maybe blocked where as all the browser traffic goes through port 80? Even though it uses https as well? This is where my lack of networking knowledge comes is. I dont even know if that is possible (https traffic via port 80).

Just an FYI, I did notice something in one application which I was trying to use to connect to a google service, I setup the application with the proxy settings but it still wouldn't login. I checked the logs of the application and it said something about not receiving response from google and login timed out. I logged into the google "application specific passwords" page which shows last log on date and it showed the application did actually log on, it's just that the response from google must have been blocked when entering the companies network. So this could be where the problem is, but then again why does it work via the browser?

I know it's had to answer based on the information provided, just thought it was something very interesting that the services were not blocked via the browser but via the application.

Kyanar

4089 posts

Uber Geek

ID Verified

Trusted

#850033 6-Jul-2013 11:22

One problem is that for some stupid reason, I've discovered many applications (especially .NET Framework ones!) have no handling of 407 "Proxy Authentication Required" responses, so if your corporate proxy requires logging in (which it almost certainly does) then many applications will simply fail.

This is why if you have an ISA or TMG proxy, you are best installing the Firewall client which will authenticate on behalf of any apps that try and access the internet.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

freitasm

BDFL - Memuneh
79270 posts

Uber Geek

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#850057 6-Jul-2013 11:43

As above. Not all apps work well with proxies and some use different approaches.

lchiu7

6476 posts

Uber Geek

Trusted

#862588 20-Jul-2013 14:13

I run WebMarshall as the proxy server. It authenticates all requests against AD. Browsers fine since you can put the proxy name and port in the browser settings.

But apps like Skype, Dropbox don't since they cannot authenticate with AD. We have to create rules that allow certain apps to bypass authentication and currently I only allow Skype despite calls for Dropbox, I won't allow that!

I also allow FTP (Filezilla is the preferred client) since there are business reasons for using that. Otherwise I can't think of any reasons to allow exceptions in our environment. I have heard murmurings about Spotify but that is not a business app.

Staying in Wellington. Check out my AirBnB in the Wellington CBD. https://www.airbnb.co.nz/h/wellycbd PM me and mention GZ to get a 15% discount and no AirBnB charges.