09-24-2008 03:06 AM
I have this situation.
In our network all clients use a manual proxy configuration on the browser to connect to Internet.
Some clients also use the laptops to connect from their home to the IVE through a UMTS card.
We have no proxy settings on this connection but we would like to have the proxy setting directly from the IVE, so we have configured the IVE to use the proxy for these users.
Is this correct or not? At the moment it doesn't work.
09-24-2008 06:49 AM
I have a lot of experience with Network Connect and how it handles proxying. Can you tell me what you have coded in the NC profile for the proxy to be used? How are you deciding that the current configuration is not working?
09-24-2008 07:01 AM
I have configured on the User Network Connect Profiles the Manual configuration of the proxy server (IP address and port). If I correctly understood, the instantproxy.pac should be a merge of the browser proxy settings and what is configured in the IVE: is that right?
In my case I should find only the proxy server settings because for the UMTS card connection I have no proxy settings. But unfortunately I found a merge with the proxy settings for the LAN connection configured in the browser.
I hope you will understand.
Many thanks for your collaboration
09-25-2008 12:43 AM
In the UMTS connection there is no proxy setting in the browser because the client uses UMTS not only for connecting to the IVE.
The proxy setting in the IVE for those specific roles is a manual proxy setting (IP address and port).
But I remind you that in the browser settings there is a manual proxy configuration with some exclusions.
Do you know where the function FindClientProxy(url, host) is called?
09-25-2008 07:52 AM
I've looked at a number of instantproxy.pac files, and have never seen a call to FindClientProxy(url, host).
What is specified for the proxy in the NC connection policy which is applied to the UMTS users?
09-25-2008 08:38 AM
You are right. I checked on the Internet but I never found a proxypac with this function, but it is created when the client connects to the IVE, looking at the browser settings for LAN on the laptop, where I have configured a manual proxy and some exclusions in order to access local servers without a proxy.
In fact, if I configure the IVE to pass the proxy to the client by manual configuration, I find the proxy IP address and port in the function FindServerProxy.
It is crazy.
09-25-2008 08:56 AM
I think you are seeing normal behavior. The instantproxy.pac file needs to make sure that the client browser can still reach the SA device through its original proxy settings, and to make sure that any traffic which goes through the tunnel into the secured network can reach a proxy in case it requires one. So, the FindProxyForURL function in the instantproxy.pac file effectively says "traffic destined for the SA needs to use the client browser proxy settings; all other traffic uses the proxy settings in the NC profile."
My guess is that the FindClientProxy function was originally used to establish the proxy for access to the SA; I'm guessing that Juniper had problems with that, but never took it out of the instantproxy.pac file.
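The split described in the post above, written out as an added sketch that is not part of the original thread and is not the instantproxy.pac that Network Connect generates. The hostname, proxy addresses, exclusion list and the `globMatch` helper are constructed assumptions; only the three function names come from the thread.

```javascript
// Added sketch of a merged PAC file; NOT the instantproxy.pac that Network Connect generates.
// All hosts and addresses below are constructed sample values.
var SA_HOST = "vpn.example.com";              // assumed hostname of the SA/IVE device
var BROWSER_PROXY = "PROXY 192.0.2.10:8080";  // manual proxy from the browser's LAN settings
var BROWSER_EXCLUSIONS = ["*.corp.example", "intranet"]; // browser "no proxy for" list
var NC_PROFILE_PROXY = "PROXY 10.0.0.5:3128"; // manual proxy from the NC connection profile

// Hypothetical helper: case-insensitive glob match (* and ?) for exclusion patterns.
function globMatch(host, pattern) {
  var re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                  .replace(/\*/g, ".*")
                  .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(host);
}

// Pre-tunnel browser settings: the original proxy plus its exclusions.
function FindClientProxy(url, host) {
  for (var i = 0; i < BROWSER_EXCLUSIONS.length; i++) {
    if (globMatch(host, BROWSER_EXCLUSIONS[i])) return "DIRECT";
  }
  return BROWSER_PROXY;
}

// Settings pushed by the NC profile: used for everything that is not the SA.
function FindServerProxy(url, host) {
  return NC_PROFILE_PROXY;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Traffic to the SA itself must keep using the path that worked before the tunnel.
  if (host.toLowerCase() === SA_HOST) return FindClientProxy(url, host);
  // All other traffic follows the NC profile, ignoring the browser exclusions.
  return FindServerProxy(url, host);
}
```

In this sketch the browser's exclusion list only ever applies to the connection to the SA itself, so LAN settings can appear in the merged file without changing where the remaining traffic is sent.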
09-25-2008 09:13 AM
You are right. But looking at the instantproxy.pac I don't understand when the FindClientProxy function is called.
I know, looking at the Juniper documentation, that the instantproxy.pac should be a merge file for browser settings and IVE settings. So I suppose that what I see in the FindClientProxy function was read from the browser and what is present in FindClientProxy function was read from the IVE.
A J-TAC engineer told me to put the proxypac on a server and pass it directly from the IVE, but it is not possible at the moment. In your experience have you seen the FindClientProxy function?
Thanks a lot for all
12-01-2009 10:47 AM
I have a problem with a proxy. I can access my network through the IVE without a proxy configured on my browser, but when I configure it manually I can't access it. Is it possible that the proxy doesn't pass through the DHCP of the IVE?
12-01-2009 12:16 PM - edited 12-01-2009 12:16 PM
You could also set a user's proxy setting via a NC start script (.VBS script that modifies the reg.) Not sure if that would help in your case however. The proxy settings could be removed by a logoff script.
Can you paste an 'ipconfig' for before and after you connect with NC? I can't think of a reason why a proxy server would break DHCP.
12-01-2009 11:27 PM
It's only a theory, because I can't connect to the SA when the proxy is configured on the browser. The "ipconfig" on the machine doesn't change because the connection is not established.
12-02-2009 07:35 AM - edited 12-02-2009 07:36 AM
I haven't seen an issue like you describe with NC before. I would test with another proxy if possible (squid would be a good test).
Next you can enable client side logging on the IVE for Network Connect, start a policy trace for the user, and do a Wireshark capture on the PC for both the Juniper virtual adapter as well as the physical adapter, start an HTTP watch as well in IE to record the login and web session, start a TCPDump on the IVE, then try again. Take a look at the debuglog.log and see if you can find any errors. If nothing stands out then you can take these logs and open a JTAC case.
Also please note that NC will only work with HTTP proxies (such as squid), not SOCKS or any other type. Also make sure you are using IE or Firefox for your browser.
12-09-2009 12:13 AM
Hi to all,
The problem was that my proxy denies the traffic for the new IPs assigned from the IVE. When I connect to the IVE, I assign an IP to the virtual security interface of the client.