System-wide Transparent Proxy With URL Patterns

Similar Messages

• IIS Reverse Proxy with URL rewrite.

  Hi all, hoping to leverage the wealth of knowledge contained here.
  Any assistance would be very welcome.
  I'm having an issue getting a reverse proxy and URL rewrite working in IIS 7.0.
  I need to redirect all requests with a specific virtual directory suffix only.
  ie; https://domain.test.com/outbound/Content/query_etc
  With /Outbound/ being the trigger.
  This should be redirected to http://10.10.10.10/inbound/Content/query_etc
  While at the same time, requests without the /outbound/ suffix should be handled locally.
  I have configured the reverse proxy as described in a few articles, and have had no luck.
  Here's a snippet from my (sanitized) web.config at the site level.
  <rewrite>
  <outboundRules>
  <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
  <match filterByTags="A" pattern="^http(s)?://10.10.10.10/inbound/(.*)" />
  <action type="Rewrite" value="https://domain.test.com/outbound/{R:2}" />
  </rule>
  <preConditions>
  <preCondition name="ResponseIsHtml1">
  <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
  </preCondition>
  </preConditions>
  </outboundRules>
  <rules>
  <rule name="ReverseProxyInboundRule1" stopProcessing="true">
  <match url="^outbound/(.*)" />
  <action type="Rewrite" url="http://10.10.10.10/inbound/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
  </rule>
  </rules>
  </rewrite>
  To me, this looks correct, yet it doesn't work.
  With this, I get the normal 404 - Error Code 0x80070002, with the text indicating the local directory doesn't exist, so.... not being picked up by the filter for redirection.

  Hi Andrew,
  Looking at your requirements it appears you need Reverse Proxy To Another Site/Server.
  By using URL Rewrite Module together with
  Application Request Routing module you can have IIS 7 act as a
  reverse proxy.
  It seems like URL Rewrite can't re-route the request somewhere else out of the server.
  Even when you rewrite the url the actual connection remains with the server. Hence if your original server doesn't have /inbound/Content/query_etc  it will fail with 404.
  Hosting multiple domain names under a single account using URL Rewrite.
  It’s a common desire to have a single IIS website that handles multiple sites with different domain names.
  References:
  How to create a url alias using IIS URL Rewrite:
  http://blogs.technet.com/b/mspfe/archive/2013/11/27/how-to-create-a-url-alias-using-iis-url-rewrite.aspx
  Reverse Proxy with URL Rewrite v2 and Application Request Routing:
  http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
  Regards,
  Satyajit
  Please“Vote As Helpful”
  if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• Transparent proxy with ACE+CE (Client-ip spoof) slow response.

  I have configed transparent proxy with ACE and CE510+Bluecoat. I also enable client-ip spoofing. I use PBR for redirect request web page from client to ACE and I also use PBR for return traffic from any web servers to ACE(make complete flow for client-ip spoofing). Any thing is fine, but I have a little bit issue that when I try to browse to the new website and ACE load my request to CE510, I seem long time for page response, I monitor at ACE, it show connection is "ESTABLISH". When first page on these new website response after that I try to browse other pages on these new website, the response is normal. This happen for everytime that I test. I have already send configuration of ACE and CE. Anyone, please see anything that I config is correct. Thank you very much.

  Following link may help you
  http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_guide_chapter09186a00806b728a.html

• About the system wide wifi proxy setting

  I'm currently using BlackBerry Q10, and I love it, just for you know, I turn from iPhone5 to it.
  As I'm using it mostly inside China, the network connecttion is so bad, I need use proxy for accessing Google or Twitter service, so the wifi's proxy is very important to me.
  But I found inside my Q10 system, the wifi proxy setting in fact is not globally effect, it works when open browser, but when I try to add my Gmail account or twitter account, it can't go with my proxy setting. That too bad.
  is there any special setting to make it works, this is really importent to me
  Thanks!
  -Ryan

  Use privoxy with socks5 forwarding:
  http://www.privoxy.org/user-manual/config.html#SOCKS
  http://www.privoxy.org/user-manual/acti … F-PATTERNS

• Config transparent Proxy with LDAP authen with L4 switch?

  How to config policy based routing on L4 switch if wsa run in transparent mode with LDAP authentication?
  Async OS: 5.1.0-420
  Thank you,
  Thanapol

  Ezekiel,
  I wanted to add some clarification to your comments:
  1) Network TAP connected to T1/T2.
  This will work good. You will need to tap one direction of traffic to the T1 port and the other direction in to the T2 interface.
  2) L4 switch connected to P1.
  This will NOT work. Further explaination below. What you can do is use a switch that supports port spanning / port mirroring. You'll need to send a COPY of all traffic going to gateway to the T1 interface.
  The L4TM will need to be in 'duplex' mode - Configurable in the GUI.
  3) WCCP v2 connected to P1.
  WCCP cannot be used at all with the L4TM, because WCCP doesn't 'copy' the traffic, it redirects it.
  L4TM information
  The L4TM can be thought of as a completely seperate appliance that operates primarily via the t1 / t2 interfaces.
  The L4TM is a sniffer application, meaning that you cannot redirect traffic to it (such as L4 switching PBR or WCCP), but you can send a copy of traffic to it (port mirroring or physical tap).
  If you are blocking with the L4TM, the WSA will use M1/P1 to send the TCP RST packets. This is the ONLY use for the M1/P1 interfaces that the L4TM will use.
  The P1 interface is intended to be used for Web proxy traffic and the L4TM does not listen on this interface.

• Problems With url-pattern in a filter-mapping

  Hi!
  I need to make a filter when the clients call a jsf pages in /pages in my web application, but when i make the filter-mapping like this:
       <filter-mapping>
            <filter-name>sessionFilter</filter-name>
            <url-pattern>/pages/*.jsf</url-pattern>
       </filter-mapping>An exception appears:
  SEVERE: Parse error in application web.xml
  java.lang.IllegalArgumentException: Invalid <url-pattern> /pages/*.jsf in filter mapping
       at org.apache.commons.digester.Digester.createSAXException(Digester.java:2540)
       at org.apache.commons.digester.Digester.createSAXException(Digester.java:2566)
       at org.apache.commons.digester.Digester.endElement(Digester.java:1061)
       at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
       at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
       at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
       at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
       at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
       at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
       at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
       at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
       at org.apache.commons.digester.Digester.parse(Digester.java:1548)
       at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:263)
       at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:624)
       at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:216)
       at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
       at org.apache.catalina.core.StandardContext.start(StandardContext.java:4290)
       at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1083)
       at org.apache.catalina.core.StandardHost.start(StandardHost.java:789)
       at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1083)
       at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:478)
       at org.apache.catalina.core.StandardService.start(StandardService.java:480)
       at org.apache.catalina.core.StandardServer.start(StandardServer.java:2313)
       at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:287)
       at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:425)the <url-pattern>/pages/*</url-pattern> not work to me because process all pages, I nedd only *.jsf
  Please Help me whit this.

  "the <url-pattern>/pages/*</url-pattern> not work to me because process all pages, I nedd only *.jsf"
  Yes but in the filter you can get the url from the request.getUrl() and then only process requests that contain .jsf. Simply just pass all other requests along.
  Some information on url pattern matching:
  http://edocs.bea.com/wls/docs61/webapp/components.html#113049

• Restoring one system-wide dictionary (issue with spell checking)

  Hello all,
  For some reason, spell checking is behaving badly: it won't spell check German correctly anymore, even though it is set on “Multilingual”. English is alright, so I suspect my German dictionary got corrupt.
  My questions are:
  1- Will installing the 10.5.7 update resolve the issue?
  2- Where can I find the system-wide dictionaries used for spell-checking by OS X?
  3- Where can I download these dictionaries?
  I hope a clean install is not required just to get one dictionary/spellcheck file back…
  Thanks very much all!

  it won't spell check German correctly anymore, even though it is set on “Multilingual”.
  How about when you set it to Deutsch?
  2- Where can I find the system-wide dictionaries used for spell-checking by OS X?
  3- Where can I download these dictionaries?
  You can't find them or download them.
  I hope a clean install is not required just to get one dictionary/spellcheck file back…
  Maybe. You could also install CocoAspell and add a German dictionary from its selection.
  http://cocoaspell.leuski.net/

• Filter does not work with *.jsp URL pattern???

  Hi All,
  I am, by no means, very good at JSF or Java. I have looked at various forum posts on here for ways to implement a security filter to intercept requests to pages that first require one to be logged in, and if not, redirect them to the login page. Yes, I know a lot of you have heard this many times before, and I'm sorry to bring it up again.
  BUT, from the guidance of other posts, I have got a filter that works fine when the url pattern is set to "/faces/*" or "/<anything>/*", however it won't work for "*.jsp" or "*.<anything>"
  My filter is as follows:
  package test.security;
  import javax.faces.context.FacesContext;
  import javax.servlet.Filter;
  import javax.servlet.FilterChain;
  import javax.servlet.FilterConfig;
  import javax.servlet.http.HttpSession;
  import javax.servlet.ServletRequest;
  import javax.servlet.ServletResponse;
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  public class SecurityFilter implements Filter{
      /** Creates a new instance of SecurityFilter */
      private final static String FILTER_APPLIED = "_security_filter_applied";
      public SecurityFilter() {
      public void init(FilterConfig filterConfig) {
      public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws java.io.IOException, ServletException{
          HttpServletRequest req = (HttpServletRequest)request;
          HttpServletResponse res = (HttpServletResponse)response;
          HttpSession session = req.getSession();
          String requestedPage = req.getPathTranslated();
          String user=null;
          if(request.getAttribute(FILTER_APPLIED) == null) {
              //check if the page requested is the login page or register page
              if((!requestedPage.endsWith("Page1.jsp")) /* This is the login page */
                  //set the FILTER_APPLIED attribute to true
                  request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
                  //Check that the session bean is not null and get the session bean property username.
                  if(((test.SessionBean1)session.getAttribute("SessionBean1"))!=null) {
                      user = ((test.SessionBean1)session.getAttribute("SessionBean1")).getUsername();
                  if((user==null)||(user.equals(""))) {
                     // try {
                   //       FacesContext.getCurrentInstance().getExternalContext().redirect("Page1.jsp");
                    //  } catch (ServletException ex) {
                    //      log("Error Description", ex);
                      res.sendRedirect("../Page1.jsp");
                      return;
          //deliver request to next filter
          chain.doFilter(request, response);
      public void destroy(){
  }My web.xml declaration for the filter is:
  <filter>
    <description>Filter to check whether user is logged in.</description>
    <filter-name>SecurityFilter</filter-name>
    <filter-class>test.security</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
  </filter-mapping>
  Note: I have also tried this with <url-pattern>*.jsp</url-pattern> for the filter mapping in place of the Faces Servlet
  My web.xml declaration for the url pattern is:
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>Which JSC/NetbeansVWP automatically creates a "JSCreator_index.jsp" which has:
  <?xml version="1.0" encoding="UTF-8"?>
  <jsp:root  version="1.2" xmlns:jsp="http://java.sun.com/JSP/Page">
    <jsp:forward page="Page1.jsp"/>
  </jsp:root>When run, this causes an Error 500 in the browser and a NullPointerException in SecurityFilter.java on the line:
  if((!requestedPage.endsWith("Page1.jsp")) /* This is the login page */I think I'm missing something that would be obvious to anyone who knows better than me. Any ideas?

  Dear Ginger and Boris,
  thanks for the information - the problem seems to ocur in EP7 as well, Boris told me it is fixed in SP15. We are on SP14 now, so there is hope !
  actually the information in the oss note stated above is also true, as we have an Oracle DB. On a similar demo system (only difference is SQL DB) the hyphen search works !
  best regards, thank you !
  Johannes

• Preference Pane for system wide audio EQ? (2 yrs later)

  I fully agree with the quoted message underneath.
  *"Is there some sort of universal Equalizer I can apply to all my audio? A Preference Pane would be great! I listen to an internet radio client (XM Radio) that doesn't have any EQ control.*
  *I know Audio Hijack can do this. But I'd rather not run a whole other application on top of the radio client just for EQ."* (original post from Feb 20, 2007 5:07 PM)
  I can't believe that almost 2 years later, there is still no system wide equalizer in OS X, working always, like, while watching YouTube or whatever. Yes, I know there is Hear now, but both apps, Hear and Audio Hijack Pro, are expensive and overkill for the simple ability to change some equalizer settings. A preference pane would be much better.

  I found a system wide EQ along with mixer and many other functions it works great its called Hear this is the web sight http://www.joesoft.com/products/hear.php

• Request with URL ending with "/" not routed through default servlet

  I have deployed a web application that has a controller servlet. This
  servlet is configured (via web.xml) to be the default servlet with a servlet
  mapping defined with url-pattern set to "/".
  Requests for URLs such as "my.host/my/path" are correctly routed to the
  controller servlet, whereas a request to "my.host/my/" is not - it causes a 404
  to be returned immediately by the container.
  Any help appreciated
  Peter

  There's not enough data in your post to answer the question directly. Posting an example URL would help a lot.
  The chances are that the problem lies in the URL - it might contain some characters that are not directly usable in the shell and are therefore getting munged when you use them in 'do shell script'. There are ways around this, but posting an example URL would go a long way to telling if that's the problem or not.
  It is also possible that the web site is configured to block specific user agents such as curl or wget (in a vain attempt to block automated downloads of the content) but, again, it's hard to say without knowing a specific URL.
  If this is the case, you could use curl's -A switch to specify a different 'User-Agent' and fake out the server. For example, to pretend you're using Safari, use something like:
  do shell script "curl -O -A 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/535.12+ (KHTML, like Gecko)' " & fullWeb
  (note the single quotes around the User-Agent string)

• Preference Pane for system wide audio EQ?

  Is there some sort of universal Equalizer I can apply to all my audio? A Preference Pane would be great! I listen to an internet radio client (XM Radio) that doesn't have any EQ control.
  I know Audio Hijack can do this. But I'd rather not run a whole other application on top of the radio client just for EQ.

  I found a system wide EQ along with mixer and many other functions it works great its called Hear this is the web sight http://www.joesoft.com/products/hear.php

• IPhoto '08 Book upload errors with squid transparent proxy - tip

  Hi folks
  I've just "solved" a problem I was having with iPhoto Book uploads. The solution may apply to other publishing products from iPhoto and possibly iDisk uploads too.
  My firewall & proxy setup is basically Linux iptables redirecting all outbound http (port 80) connections to a dansguardian filter, which in turn is passed onto a squid instance running as a transparent proxy (oh, and there's a privoxy in this all too!). Yeah, OK, I know, slightly paranoid, but I don't want my children accidently browsing stuff I don't think they are old enough for yet!
  Now I had the problem before with iPhoto '06 as well, but at the time just didn't have the time or inclination to figure out what the problem was, and just did the book order and upload from the office, where it went through without a problem. This time I decided to dig a bit and see what was happening. The clue that triggered off the solution was watching the part of the order process where the book data is uploaded. In my default setup, the upload bar would scream through to 100%, and then sit there for ages, before coming back with a connection error. Watching the network flashy lights on the NIC on the firewall though, it suddenly dawned on me that what was happening was that the upload was screaming through to the squid (as there was no outbound network activity from the firewall while this was happening) and then sitting there waiting for squid to pass it on to the Apple site (as shown by the outbound NIC activity light suddenly going bonkers once the uoload bar hit 100%).
  So clearly there's a problem sending book orders via a squid proxy setup as a transparent proxy. It might also very well be dansguardian interfering and wanting to take the entire upload and checking it before passing it on to squid. I already have site exception setup for all apple.com urls though in dansguardian, so didn't think it would be that. I thought about dicking around with the squid acl's but didn't have the enthusiasm to spend half the day getting that working.
  So what I did in the end was tail the squid logs to see what was being proxied whilst the book order was going on, and then dropped in 3 new rules in my iptables setup just before the redirect rule. Tried ordering the book again, and voila!
  The three rules I inserted were:
  $IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d mercury.apple.com -j ACCEPT
  $IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d configuration.apple.com -j ACCEPT
  $IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp -d publish.mac.com -j ACCEPT
  The "-s ! 10.1.1.1" bit is obviously particular to my setup, as I wouldn't want connections from the router itself being proxied, so that may need to either be customised or left out altogether. These three rules are then immediately followed by the redirect:
  $IPTABLES -t nat -A PREROUTING -s ! 10.1.1.1 -p tcp --dport 80 -j REDIRECT --to-port 8081
  Hope that is of some help to someone out there!
  K

  Tony,
  It appears that in the past few days you have not received a response to your
  posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at
  http://support.novell.com.
  - You could also try posting your message again. Make sure it is posted in the
  correct newsgroup. (http://support.novell.com/forums)
  Be sure to read the forum FAQ about what to expect in the way of responses:
  http://support.novell.com/forums/faq_general.html
  If this is a reply to a duplicate posting, please ignore and accept our apologies
  and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• "system-wide" proxy ?

  I might not have the terminology quite right on this, I'm far from being an expert on the subject. That's why I'm turning to you guys !!!!!!!!!
  I'm currently tethering my iPhone's connection via an app called PDANet which allows the computer to connect to a sort of 'wifi router' via an ad-hoc connection. While this doesn't quite work as they advertise it to (probably something I'm not doing that's getting auto 'automagically' in Windows/OS X), I am able to 'connect' to my iPhone and get offered an IP back when this app is running. I then launch the small socks server from the iPhone's term and voila I can use it to browse the tubes in firefox (with the proper settings).
  Which is what brings me to my question: using this connection to my socks5 server running on my iPhone, I can resolve names and do http, at least. I'm just wondering, why this could be not set up as a 'system wide' service. In other words, all apps that want to connect to a certain IP/domain to a certain port, will do so as they always do. In other words why can't I set up a sort of service or daemon that uses this socks5 connection to the iPhone and sends back the data to the apps? As if my nameserver were the IP on the iPhone ? Or would I need something else running on the phone to provide that capability ?
  Right now, when I dhcpcd, I get my IP from the iPhone, but nothing gets written in /etc/resolv.conf. I can only ping the iPhone's IP (which is the one I use to connect via proxy in firefox), and what I can only assume is my phone's IP on the 3G network, which starts with 10 (if that means anything to you experts.)....
  Anyway, I'd like your thoughts on this..

  delta24 wrote:Try creating a script in /etc/profile.d named proxy.sh having all the proxy config.
  The behavier I want to achieve is that I can hot swap proxy and non proxy networks without restarting the browser. This works under gnome because chromium reads the proxy config from gconf which gets updated on network change but this doesn't work without gnome.
  Most of the time I'm on networks without proxies. Only in university I need them. A simple switch to activate them when needed would be nice.

• System wide proxy settings without gnome and kde

  Hi,
  this is my software stack:
  linux
  X
  openbox
  chromium
  my university had the great idea to cencor and filter the internet so that students can't do bad stuff and besides that can't do anything at all. They even block ping and ssh connections.. but that's another story.
  here are my problems with that:
  chomium devs seem to live in a very small world in which only kde and gnome exist, because these envirenments are the only way to let chromium know that it should use a proxy server.
  I've written a small script that works perfectly for most of my stuff. here it is:
  $ cat ~/.proxyon
  export http_proxy='proxy.fh-brandenburg.de:3128'
  export https_proxy='proxy.fh-brandenburg.de:3128'
  export ftp_proxy='ftp-proxy.fh-brandenburg.de:21'
  export socks5_proxy='socks5-proxy.fh-brandenburg.de:1080'
  export HTTP_PROXY=http_proxy
  export HTTPS_PROXY=https_proxy
  export FTP_PROXY=ftp_proxy
  export SOCKS5_PROXY=socks5_proxy
  gsettings set org.gnome.system.proxy autoconfig-url 'http://proxy.fh-brandenburg.de/proxy.pac'
  gsettings set org.gnome.system.proxy mode 'manual'
  gsettings set org.gnome.system.proxy.http enabled true
  gsettings set org.gnome.system.proxy.http host 'proxy.fh-brandenburg.de'
  gsettings set org.gnome.system.proxy.http port 3128
  gsettings set org.gnome.system.proxy.https host 'proxy.fh-brandenburg.de'
  gsettings set org.gnome.system.proxy.https port 3128
  gsettings set org.gnome.system.proxy.ftp host 'ftp-proxy.fh-brandenburg.de'
  gsettings set org.gnome.system.proxy.ftp port 21
  gsettings set org.gnome.system.proxy.socks host 'socks5-proxy.fh-brandenburg.de'
  gsettings set org.gnome.system.proxy.socks port 1080
  gsettings set org.gnome.system.proxy ignore-hosts "['localhost', '127.0.0.0/8', '*.fh-brandenburg.de' ]"
  to start chromium i've made another script to test the proxy behavier:
  $ cat ~/start_chromium.sh
  source ~/.proxyon && echo $http_proxy && chromium
  This should work because I set every proxy variable I'm aware of and the script spits out the correct proxy server but chromium still don't uses any proxies. Does anyone have a solution to this? I'm out of ideas..

  delta24 wrote:Try creating a script in /etc/profile.d named proxy.sh having all the proxy config.
  The behavier I want to achieve is that I can hot swap proxy and non proxy networks without restarting the browser. This works under gnome because chromium reads the proxy config from gconf which gets updated on network change but this doesn't work without gnome.
  Most of the time I'm on networks without proxies. Only in university I need them. A simple switch to activate them when needed would be nice.

• Why does my ssh tunnel drop when I switch on a system wide proxy

  The subject says pretty clearly what is puzzling me. After I establish a connection via ssh and initiate a tunnel for email access through a corporate firewall (using Apple Mail as the client and POP3 for the protocol), I find that enabling a system wide proxy (socks5, http, and https) via the same ssh tunnel causes the email to stop working. Upon switching, the http proxy (Safari) works fine -- e.g. the tunnel is healthy. This confuses me. The ssh link which hosts several tunnels is fine. I am forwarding local port 10025 and 10110 on the tunnel to a mail server behind the firewall. The socks5 proxy and http proxy are running on local ports 11080, 18080, and 18080, respectively. Why is Apple mail paying attention to the proxy settings at all? It would seem that since Apple Mail makes no attempt to connect (via the Activity window) that the link is dead, however, turning off the proxy brings the email tunnel back to normal. Wierd. Any advice? This is running on a normal 10.4 (not server), but I don't think there are any significant differences in behavior. I asked on the networking discussion, but got no response.

  Two things jump into my mind: poor WiFi signal strength on the desktop PC or a dirty OS installation on the desktop PC. I'm quite sure that this has nothing to do with the cisco VPN client itself.
  Assuming that you reach your remote workspace through the cisco VPN client it might also be that the remote part (the VPN concentrator) gets congested and drops your connection but than other employees would complain as well (can be checked with your ICT guys).
  The thing is: when you lose Internet connection on your laptop while surfing a web site and connection comes back again within no time you won't notice anything. If the same happens to a system constantly receiving encrypted packets and some are missing the VPN client will drop the connection. Completely different protocols (http/ipsec) that are differently prone to packet drops...