ACE SSL initiation via Proxy server (squid)

Similar Messages

• ACE SSL Initiation - no check of server cert?

  SW 3.0(0)A1(4)
  I've configured SSL initiation and noticed that a successful session is established despite no valid root CA cert installed on the ACE.
  Does client SSL just work regardless without any cert validation?

  this is currently how it works.
  It will change in version 2.0
  Gilles.

• ACE ssl initiation

  Have done ssl init on the CSS before.
  It can be easily configured to present a client cert to the remote end like a browser would.
  I can't see how this is done on the ACE.
  Do I just apply an authgroup referring to the client cert in the ssl proxy configuration ?

  Hi,
  For SSL intiation ACE shall act as a client. So you will define a SSL-Proxy and just bind it with the policy map.
  Below config is for end-to-end SSL but look at bold part that is for SSL initiation and here is the link for your reference.
  access-list allow_all line 10 extended permit ip any any
  probe http KEEPALIVE-WEBS
    description Test for Webs Servers
    interval 15
    passdetect interval 30
    request method head url /ping.jsp
    expect status 200 200
  parameter-map type ssl ssl_ciphers
    cipher RSA_WITH_RC4_128_MD5
    cipher RSA_WITH_RC4_128_SHA
    cipher RSA_WITH_DES_CBC_SHA
    cipher RSA_WITH_AES_128_CBC_SHA
    cipher RSA_WITH_AES_256_CBC_SHA
  rserver host WEB001
    description Web Servers
    ip address 10.0.130.253
    probe KEEPALIVE-WEBS
    inservice
  rserver host WEB002
    description Web Servers
    ip address 10.0.130.252
    probe KEEPALIVE-WEBS
    inservice
  rserver host WEB003
    description Web Servers
    ip address 10.0.130.254
    probe KEEPALIVE-WEBS
    inservice
  rserver redirect OLD_SITE_REDIR
    webhost-redirection
  https://www.newsite.com 301
    inservice
  ssl-proxy service SERVER_SSL
    key www-server.key
    cert www-server.crt
    ssl advanced-options ssl_ciphers
  ssl-proxy service CLIENT_SSL
     ssl advanced-options ssl_ciphers
  serverfarm redirect REDIRECT
    rserver OLD_SITE_REDIR
      inservice
  serverfarm host VIP-WWW-443
    description servers-for-https
    rserver WEB001 443
      inservice
    rserver WEB002 443
      inservice
    rserver WEB003 443
      inservice
  serverfarm host VIP-WWW-80
    description servers-for-www
    rserver WEB001 80
      inservice
    rserver WEB002 80
      inservice
    rserver WEB003 80
      inservice
  sticky http-cookie wwwservers WWW-P80
    cookie insert
    timeout 720
    replicate sticky
    serverfarm VIP-WWW-80
  sticky http-cookie wwwservers WWW-P443
    cookie insert
    timeout 720
    replicate sticky
    serverfarm VIP-WWW-443
  class-map type http loadbalance match-all CLA7REDIR
    2 match http url http://www.oldsite.com/.*
  class-map type http loadbalance match-all CLA7WWW
    2 match http url http://www.newsite.com/.*
  class-map match-any VIP-P443
    2 match virtual-address 10.0.128.211 tcp eq https
  class-map match-any VIP-P80
    2 match virtual-address 10.0.128.211 tcp eq www
  policy-map type loadbalance first-match VIP_SERVER_P443
    class CLA7REDIR
      serverfarm REDIRECT
    class CLA7WWW
      sticky-serverfarm WWW-P443
      ssl-proxy client CLIENT_SSL
  policy-map type loadbalance first-match VIP_SERVER_P80
    class class-default
      sticky-serverfarm WWW-P80
  policy-map multi-match WWW_LB
    class VIP-P80
      loadbalance vip inservice
      loadbalance policy VIP_SERVER_P80
      loadbalance vip icmp-reply active
      loadbalance vip advertise active
    class VIP-P443
      loadbalance vip inservice
      loadbalance policy VIP_SERVER_P443
      loadbalance vip icmp-reply active
      loadbalance vip advertise active
      ssl-proxy server SERVER_SSL
  interface vlan 128
    ip address 10.0.128.15 255.255.255.0
    access-group input allow_all
    service-policy input WWW_LB
    no shutdown
  interface vlan 130
    ip address 10.0.130.15 255.255.255.0
    access-group input allow_all
    no shutdown
  ip route 0.0.0.0 0.0.0.0 10.0.128.1
  Regards,
  Kanwal

• Unable to make SSL connection from Proxy Server to Directory Server

  I have recently installed Directory Proxy Server 5.2 Patch 3 on Solaris 9 server. Backend directories are Sun Directory Server 5.2sp3 using Thawte signed certificates.
  I can't get the Proxy Server to make a successful SSL connection to the Directory Servers. The proxy server can make the non-ssl connection without problem. When the Proxy Server attempts the SSL connection it gives SEC_ERROR_UNTRUSTED_ISSUER error. The SSL certificates on the Directory Servers are signed by Thawte and have just recently been updated. The certificate for the Proxy Server is also signed by Thawte. The CA certificate is loaded in both the Proxy Server and the Directory Server.
  I also have an iPlanet Directory Access Router (iDAR) 5.0 Server that is our current production server that serves these same directories and I haven't had a problem with SSL connection with it. So, the certificates are good.
  I've encluded an exerpt from the Proxy Server log below for one of SSL connection attempts.
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [STAT/CONN]    [   560
  307] Connection from secured listen port. New connection is on socket 37.
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [STAT/CONN]    [   560
  305] Number of open connections is 1.
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [STAT/CONN]    [   171
  211] [client(         152.3.100.30,  37)] Accepting connection via dukenet-group
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   302
  023] Failure with CERT_VerifyCertNow (checking signature, usage: "certUsageSSLSe
  rver").
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   302
  023] SEC_ERROR_BASE + 20, NSPR error: -8172 (0xffffe014). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  729] Rejected certificate on socket 38
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  729] SEC_ERROR_BASE + 20, NSPR error: -8172 (0xffffe014). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  728] Certificate rejected on socket 38
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  728] SEC_ERROR_BASE + 20, NSPR error: -8172 (0xffffe014). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  721] Read on socket 38 failed.
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  721] SEC_ERROR_BASE + 20, NSPR error: -8172 (0xffffe014). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   301
  006] Unexpected error on socket 38. (Error: -8172).
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   171
  002] [client(         152.3.100.30,  37)] [server(  152.3.101.110+  636,  38)] L
  ost connection to server, trying to failover to another
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   302
  023] Failure with CERT_VerifyCertNow (checking signature, usage: "certUsageSSLSe
  rver").
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   302
  023] SEC_ERROR_BASE + 20, NSPR error: -8172 (0xffffe014). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  729] Rejected certificate on socket 38
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  729] SEC_ERROR_BASE + 20, NSPR error: -8172 (0xffffe014). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  728] Certificate rejected on socket 38
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  728] SEC_ERROR_BASE + 20, NSPR error: -8172 (0xffffe014). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   385
  717] ber_flush unexpected error on socket 38
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   385
  717] SEC_ERROR_BASE + 20, NSPR error: -8172 (0xffffe014). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   385
  717] ber_flush unexpected error on socket 38
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   385
  717] NSPR error: -5938 (0xffffe8ce). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  721] Read on socket 38 failed.
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   385
  721] NSPR error: -5938 (0xffffe8ce). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   301
  006] Unexpected error on socket 38. (Error: -5938).
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [NOTICE]       [   171
  002] [client(         152.3.100.30,  37)] [server(    152.3.232.3+  636,  38)] L
  ost connection to server, trying to failover to another
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   385
  717] ber_flush unexpected error on socket 38
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   385
  717] NSPR error: -5938 (0xffffe8ce). Native errno is: 11
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [EXCEPTION]    [   190
  102] [client(         152.3.100.30,  37)] Rejecting request The server is tempor
  arily busy
  Aug 30 2005 16:12:12 king.oit.duke.edu SunONEDPS[ 17471]: [OP/CONN]      [   170
  904] [client(         152.3.100.30,  37)] [server(  152.3.101.110+  636,  38)] C
  onnection unbound by client

  No, that was on 5.1. For 6.0, my classpath has just:
  %JAVA_HOME%\lib\tools.jar;%WL_HOME%\lib\weblogic_sp.jar;%WL_HOME%\lib\weblogic.jar;
  %CLASSPATH%
  This works fine.

• Timeout to Web Services using via Proxy Server

  Hello,
  I'm wondering if anybody can help.
  I have a couple of preset web services on the coldfusion web server. As far as I know these have never worked since it's original installation back in June 2011.
  Whenever I attempt to refresh one of the web services using CF administrator I am seeing the following error message:
  Unable to refresh webservice.
  Unable to read WSDL from URL: https://www.****.cfc?wsdl.
  Error: java.net.ConnectException: Connection timed out: connect.
  The server does not have a direct connection to the internet as it is connected to the internal company network which uses a proxy server for internet connectivity.
  I am suspecting that CF is attempting to connect to the internet without the knowledge of the proxy server.
  I have looked high and low but unable to locate anything in CF admin to add a proxy server.
  I'm hoping somebody can reply with a simple solution to fix the above.
  Many Thanks,
  Andy

  Andy, two things.
  First, the problem could be proxy-related, but I notice also that the URL has https. And in that you’re getting a connection timeout, it could be that the destination server (at that URL in the web service call) is set to only allow SSL calls (or perhaps even calls to that specific site, directory, or file) from a specific IP address. Try visiting that URL from a browser running ON THAT SERVER (where CF is installed). It does not good to test the URL from your local development workstation. That would not be the same IP address from which the request would come when run via CF.
  Second, as for specification of proxy info, here’s something to consider: the CF Admin interface showing web services is populated by a call from within CFML code (using CFINVOKE/cfobject/createobject) invoking that web service. If you can find the code that is really calling the web service, you should find that you can specify the proxy info there. See:
  http://livedocs.adobe.com/coldfusion/8/htmldocs/Tags_i_10.html (cfinvoke)
  http://livedocs.adobe.com/coldfusion/8/htmldocs/Tags_m-o_14.html (cfobject)
  http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=functions-pt0_23.html (createobject)
  Note that with createobject, you do it using a new (for CF8) argstruct. See the docs there for more, or my blog entry:
  http://www.carehart.org/blog/client/index.cfm/2007/9/5/cf8_hiddengem_createobject_argstruc t
  Let us know if any of this helps.
  /charlie

• How to properly terminate SSL at Sun Proxy Server?

  Hi:
  Client is using Sun Proxy Server (4.0.x) as a reverse proxy to a host with Sun Application Server Enterprise Edition with Access Manager / Portal / Identity Manager deployed as J2EE apps.
  For access through proxy with http, it is properly seen by AM as an http URL. But for access through proxy with https, it is seen by AM as an https URL.
  My suspicion is that the Proxy Server is not properly configured to terminate SSL at the proxy. However, I do not have enough experience with Sun Proxy Server to confirm. Below is the configuration file.
  Any ideas? My novice theory is that the multiple mapping rules are causing some sort of conflict. Perhaps the connect rule for port 443? All of the examples I have been able to find for mapping rules are from http to http or a local file, NOT https to http and vice-versa. Are these rules correct?
  Any help is greatly appreciated!
  Thanks,
  Gerald
  --- (start: obj.conf) --
  # You can edit this file, but comments and formatting changes
  # might be lost when the admin server makes changes.
  Init fn="flex-init" access="$accesslog" format.access="%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] \"%Req->reqpb.clf-request%\" %Req->srvhdrs.clf-status% %Req->vars.p2c-cl% %Req->vars.remote-status% %Req->vars.r2p-cl% %Req->headers.content-length% %Req->vars.p2r-cl% %Req->vars.c2p-hl% %Req->vars.p2c-hl% %Req->vars.p2r-hl% %Req->vars.r2p-hl% %Req->vars.xfer-time%"
  Init fn="init-proxy" timeout="300" timeout-2="15"
  <Object name="default">
  AuthTrans fn="match-browser" browser=".*MSIE.*" ssl-unclean-shutdown="true"
  NameTrans fn="reverse-map" from="http://pcmdv2.client.net:5111/idm" to="https://offlinebusiness.client.net:25002/idm" rewrite-location="true" rewrite-content-location="true"
  NameTrans fn="reverse-map" from="http://localhost:35007/deas" to="https://offlinebusiness.client.net:25002/deas" rewrite-location="true" rewrite-content-location="true"
  NameTrans fn="reverse-map" from="http://pcmdv2.client.net:5111" to="https://offlinebusiness.client.net:25002" rewrite-location="true" rewrite-content-location="true"
  NameTrans fn="map" from="https://offlinebusiness.client.net:25002" to="http://pcmdv2.client.net:5111" rewrite-host="true"
  NameTrans fn="map" from="https://offlinebusiness.client.net:25002/deas" to="http://localhost:35007/deas" rewrite-host="true"
  NameTrans fn="map" from="https://offlinebusiness.client.net:25002/idm" to="http://pcmdv2.client.net:5111/idm" rewrite-host="true"
  NameTrans fn="map" from="/deas" to="http://localhost:35007/deas" rewrite-host="true"
  NameTrans fn="map" from="/idm" to="http://pcmdv2.client.net:5111/idm" rewrite-host="true"
  NameTrans fn="map" from="/" to="http://pcmdv2.client.net:5111" rewrite-host="true"
  PathCheck fn="url-check"
  ObjectType fn="forward-ip" hdr="Proxy-ip"
  Service fn="deny-service"
  AddLog fn="flex-log" name="access"
  </Object>
  <Object name="file">
  PathCheck fn="unix-uri-clean"
  PathCheck fn="find-index" index-names="index.html"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service fn="send-file"
  </Object>
  <Object ppath="ftp://.*">
  ObjectType fn="cache-enable" query-maxlen="10" log-report="off"
  ObjectType fn="cache-setting" lm-factor="0.10" max-uncheck="7200"
  Service fn="proxy-retrieve"
  </Object>
  <Object ppath="http://.*">
  ObjectType fn="cache-enable" query-maxlen="10" log-report="off"
  ObjectType fn="cache-setting" lm-factor="0.10" max-uncheck="7200"
  Service fn="proxy-retrieve" method="*"
  </Object>
  <Object ppath="https://.*">
  Service fn="proxy-retrieve"
  </Object>
  <Object ppath="gopher://.*">
  ObjectType fn="cache-enable" query-maxlen="10" log-report="off"
  ObjectType fn="cache-setting" lm-factor="0.10" max-uncheck="7200"
  Service fn="proxy-retrieve"
  </Object>
  <Object ppath="connect://.*:443">
  Service fn="connect" method="CONNECT"
  </Object>
  <Object ppath="connect://.*:563">
  Service fn="connect" method="CONNECT"
  </Object>
  --- (end: obj.conf) --

  Isn't there two overlapping rules? Perhaps that confuses the SWPS?
  NameTrans fn="map" from="https://offlinebusiness.client.net:25002" to="http://pcmdv2.client.net:5111" rewrite-host="true"
  NameTrans fn="reverse-map" from="http://pcmdv2.client.net:5111" to="https://offlinebusiness.client.net:25002" rewrite-location="true" rewrite-content-location="true"
  and
  NameTrans fn="map" from="https://offlinebusiness.client.net:25002/idm" to="http://pcmdv2.client.net:5111/idm" rewrite-host="true"
  NameTrans fn="reverse-map" from="http://pcmdv2.client.net:5111/idm" to="https://offlinebusiness.client.net:25002/idm" rewrite-location="true" rewrite-content-location="true"
  covers the same URLs

• DirectAccess Force Tunneling via proxy server (TMG)

  Hello
  I am looking to enable Force Tunneling for DirectAccess.  All web traffic would then go via TMG proxy.  This is all fine, but in the past this was once configured and stopped IMAP from working?  
  The question is, would forced tunneling only send http/https traffic to the proxy by design and all other traffic directly out? Other traffic does traverse the proxy when internal to the LAN but I am sure DA treats this a little different in terms of what
  protocols are forwarded - Is this correct?
  If this is the case then I am assumming the firewall infrastructure is stopping IMAP?
  Thanks

  Hi There - it is a strong recommendation even in Microsoft deployments not to use Force Tunnelling unless you really have to. Using Force Tunnelling will always revert to IP-HTTPS which is still technically the slowest of the transition technologies. This
  means DirectAccess clients use only IP-HTTPS to obtain IPv6 connectivity to the DirectAccess servers over the IPv4 Internet.  IP-HTTPS has much higher overheads than IPv6, 6to4 or Teredo. Also your proxy server will handle every request and consume
  plenty of bandwidth and you cannot put NRPT exemptions in force tunnelling as all traffic has to come through the tunnel. There is also the small issue of captive portals. There are more things to list but the above should be enough to start an argument on
  why not to do it !!
  You could implement a split tunnel with enforced web proxy (seeing as you have TMG) as per the guide / recommendations by Shannon Fritz below (which works well in reality.
  http://www.concurrency.com/infrastructure/web-filtering-for-directaccess-users-55/
  Kr
  John Davies

• Cannot connect via proxy server

  I need to use a proxy server in order to access university resources from off-campus.  (This is set up in Firefox using Tools > Options > Advanced > Network > Settings > Automatic proxy configuration URL.)  I have been doing this for two and a half years with no problems, but all of a sudden it doesn't work anymore.  I have made no recent changes to my computer (Windows XP laptop) or browser settings.  I get a connection has timed out / the server is taking too long to respond error message whenever I try to access a website via the university proxy server.  This is only an issue for websites that require the proxy, such as databases that the university library subscribed to.  I can access all public websites as usual.
  I have tried Internet Explorer and get the same problem.  If I disable the proxy server then my connection does not time out, I just get redirected to the university's "you are off campus and need to enable a proxy server to connect to this resource" page.  University technical support tells me there is nothing wrong with the proxy server and that I am set up properly to use it, and that as far as they can tell the issue is probably with my ISP.
  I am pretty sure this is indeed as Verizon issue, as I took my computer to a coffee shop and was able to access university resources via the proxy server just fine using the free wireless.  I also got out my old laptop, reformatted the hard drive, reinstalled the OS (Windows XP), and had the exact same problem trying to use the proxy server via my home Verizon connection.
  Incidentally, I am also unable to log in to Second Life using my home Verizon connection.  I get an error message saying the server isn't responding.  Again, I had no trouble with this using the coffee shop wireless.
  I have spent about three hours trying to get someone from Verizon to address this problem, but keep being told I need to talk to someone else.  I have now described this problem to ten different Verizon employees but have yet to reach anyone who even seems to know what a proxy server is, much less anyone who can help with this problem.  If anyone out there has any suggestions, I'd much appreciate it.  I cannot do much work from my apartment if I cannot access university resources.

  That Trace suggests there is a firewall at play somewhere blocking ICMP Echo. Since it's timing out past the modem I do have reason to believe that the modem may be up to something. Visit http://192.168.1.1/ and check the Firewall settings. If it's set to Low or High, disable it. If you are prompted for a User/Pass, try the following:
  admin/password
  admin/password1
  admin/admin
  admin/admin1
  Your Verizon Username and Password
  ========
  The first to bring me 1Gbps Fiber for $30/m wins!

• Referencing images via proxy server

  Hi. Has anyone else run into referencing images via an IIS proxy server? I
  can use the method to get the context path, but it doesn't bring me back
  something I can use to reference images. Do I have to hard code those in
  there all the time? :< DOH!

  I solved this problem last night. I ditched IIS, redid my machine with just
  WLS on it now! :> Now I just have to figure out how to get the FTP
  functionality I lost. Any ideas?
  "PHenry" <[RemoveBeforeSending][email protected]> wrote in message
  news:[email protected]..
  Hi. Has anyone else run into referencing images via an IIS proxy server?I
  can use the method to get the context path, but it doesn't bring me back
  something I can use to reference images. Do I have to hard code those in
  there all the time? :< DOH!

• Cant access Cs Live from application via proxy server

  Hi,
  I have a problem with CS Live. When I try and access it via a web browser I can login ok, but when I try using the application extension and sign in that way it gets rejected.
  Web access is via a Bluecoat proxy server. Checking the access logs I found the following message (ip's replaced with x's):
  xxx.xxx.xxx.xxx - - authentication_failed PROXIED "Computers/Internet" - 407 TCP_DENIED CONNECT - tcp services.acrobat.com 443 / - - "Adobe-ServiceManager" xxx.xxx.xxx.xxx 341 179 -
  I have rules setup inside the proxy for whitelist's that can allow access for problem websites, but including services.acrobat.com inside them doesnt have any effect.
  has anyone every come across this as it was working ok with no changes made a week ago and now it doesnt.
  Thanks

  Having the same problem - Having no luck either, sorry I'm of no help but would appreciate some help if you figure something out. Thanks
  Stephanie

• Ftp via proxy server 4.0.1

  We have proble with ftp access via our proxy server 4.0.1, with authentization to LDAP database.
  We can connect to anonymous FTP servers with Firefox, but to nonanonymous we can not.
  If we use some software for connect to FTP (Total Commander etc.), we can not connect to anonymous and nonanonymous FTP.
  connecting process to anonzmous FTP with Total Commander:
  Connect to:(12.10.2006)
  hostname=ftp.nai.com/CommonUpdater
  Firewall=192.168.1.112:8080
  Connect
  GET ftp://ftp.nai.com/CommonUpdater/HTTP/1.0 Host:ftp.nai.com/CommonUpdater
  HTTP/1.1 200 OK
  Copied (12.10.2006 ..) http://ftp.nai.com/CommonUpdater/ -> D:\temp...
  and then popup error window "Connecting closed"
  thanks

  Does total commnder recognize http proxy gatewaying for ftp?
  If so, can you capture the traffic between the total commander, the proxy, and the ftp server? (Use any available snoop commands to do this.) and paste it here?

• "Sorry, we can't connect to your account. Please try again later." when attempting to activate access 2013 via proxy server

  I am able to install Access 2013 but when it comes to activating it, it gives me the above error.
  I have already had my SysAdmin add the following URLs to our whitelist but with no effect:
  roaming.officeapps.live.com:443/
  ols.officeapps.live.com:443/
  Can anyone suggest anything else that I could try or any other URLs that I may need to add to our whitelist?
  Many thanks,
  Ricky

  We recommend you check the corporate proxy server / firewall log, it will tell you the URL that
  Office 2013 was trying to access.
  Add them to your whitelist to see if the issue persists.
  Tylor Wang
  TechNet Community Support

• Error during connection to https web-service via proxy-server

  Hello!
  I have created Web Service Proxy using wizard in JDeveloper. Then added some code for authorization on my corporate proxy server.
  Then I was trying to connect to two different web services
  - first one was HTTP web-service - successful
  - second one was HTTPS web-service - failed with error :
  <Error> <Net> <BEA-000903> <Failed to communicate with proxy: myproxy/myproxyport. Will try connection target_url/443 now.
  java.net.ProtocolException: Server redirected too many times (4)
       at weblogic.net.http.HttpsClient.makeConnectionUsingProxy(HttpsClient.java:433)
       at weblogic.net.http.HttpsClient.openServer(HttpsClient.java:358)
       at weblogic.net.http.HttpsClient.New(HttpsClient.java:527)
       at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:239)
       at com.sun.xml.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:136)
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.process(HttpTransportPipe.java:187)
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.processRequest(HttpTransportPipe.java:124)
       at com.sun.xml.ws.transport.DeferredTransportPipe.processRequest(DeferredTransportPipe.java:121)
       at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:866)
       at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:815)
       at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:778)
       at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:680)
       at com.sun.xml.ws.client.Stub.process(Stub.java:272)
       at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:153)
       at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:115)
       at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:95)
       at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:136)
       at $Proxy30.queryRange(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at weblogic.wsee.jaxws.spi.ClientInstanceInvocationHandler.invoke(ClientInstanceInvocationHandler.java:84)
       at $Proxy31.queryRange(Unknown Source)
       at com.volga_dnepr.wsi.fusion.model.sched_mov.SchedMovSoap12Client.main(SchedMovSoap12Client.java:54)
  Although if i switch off proxy server everything works perfect (both HTTP and HTTPS web-services).
  What could be the problem with?

  Hi Kenneth,
  At the moment, SALT does not support the configuring of an outbound proxy server. I suspect you could use a transparent proxy server, i.e., a proxy server/router combination that proxies outgoing requests, although this isn't something we have tested. My suggestion would be to open a support case and ask for this enhancement. I think it is a reasonable thing for SALT to support.
  Regards,
  Todd Little
  Oracle Tuxedo Chief Architect

• SFTP via proxy server

  Hi
  I am using jcracft api for SFTP. It is working fine. But now i want to do same using proxy server.
  can anybody tell me suitable proxy server and some code example.
  Thanks in advance

  Just a further update on the above :
  I saw some advice suggesting I need to connect to a SOCKS server as well. So I put the below code in place.
  System.getProperties().put( "socksProxyPort", "80");
  System.getProperties().put( "socksProxyHost" ,"proxy.abc.def");
  However, this gave me the same error as above.
  Then I heard that I need to authenticate myself to the SOCKS server.
  So, here is what I wrote to do that:
  Authenticator.setDefault(new Authenticator(){
  protected PasswordAuthentication getPasswordAuthentication() {
  return new PasswordAuthentication("auser", "apswd".toCharArray());
  I used the same username and passwords as I had used for the ftp.proxyUser and ftp.proxyPassword, because I do not have any other passwords - perhaps this is the incorrect thing to do....?
  Then, I got the following exception:
  java.net.SocketException: Malformed reply from SOCKS server
  Does that mean I am actually connected to the SOCKS server or not, I wonder. I read in a few places that some proxies use SOCKS and some don't. I don't know how to determine whether mine does or not. When I look at the properties of the proxy in Internet explorer, I notice that the SOCKS section is blanked out. I can fill it in myself, of course, but my program still has the same errors as above.

• Webclipping via proxy server with autorization

  I am using a proxy server that requires authorization to access web pages. How can I configure the web clipping tool to use username and password during the authorization with the proxy server? The wireless portal configuration page has an option to define this username/pwd pair but it seems not to be used by the web clipping tool according to the application logs (DEBUG WcsTxLiaison: setupProxyAuthorization host = *******, user = null, scheme = null). I tried to access the web clipping tool by logging in on the hostname/webtools/login.uix page with both the orcladmin or my private username and navigating to the "services" tab and clicking on the "web clipping" tool link.
  More debug messages:
  (webclipping-web: DEBUG Provider Id = default_wireless_instance_id
  webclipping-web: DEBUG Portlet Id = -1
  webclipping-web: DEBUG Portlet Instance Id = default_wireless_service_id
  webclipping-web: DEBUG Portal User Id = default_wireless_user_name

  Does total commnder recognize http proxy gatewaying for ftp?
  If so, can you capture the traffic between the total commander, the proxy, and the ftp server? (Use any available snoop commands to do this.) and paste it here?