Chapter 5

Proxy Configuration

This chapter includes the following topics:

Introduction

For enterprise customers it is important to be able to set up secure computing environments within their companies, and proxy configuration is an essential part of doing that. Proxy configuration acts as a security barrier; it ensures that the proxy server monitors all traffic between the Internet and the intranet. This is normally an integral part of security enforcement in corporate firewalls within intranets. Enterprise customers who want to use Java Plug-in to deploy applets on their intranet web pages may also set up proxy support. This support is required for Java Plug-in to work in an intranet environment and can be set up through the Java Plug-in Control Panel.

The Control Panel provides three proxy options:

"Use browser settings"
Manual configuration through the Protocol-Address-Port table
"Automatic proxy configuration URL"

If "Use browser settings" is selected, then proxy information is entered entirely through the browser. For Internet Explorer, go to Tools>Internet Options ... and select the Connections tab and then LAN Settings ... ; for Netscape, go to Edit>Preferences ... and select Advanced under Category and then Proxies. How this works and the three types of connections that can be set up through the browser-Direct, Manual, and Automatic-are described in the following sections.

If you select manual configuration in the Control Panel, then you must enter in the table for each protocol the address and port for the proxy server. Note that you may select to exclude some hosts from requiring proxy servers by listing them in the field labeled "No proxy host".

If you select "Automatic proxy configuration URL", then you must enter the URL for the location of the JavaScript called FindProxyForURL(URL url) that returns the proxy server to be used for a URL. Support for this script is the same as described below under Automatic Proxy Configuration.

How Java Plug-in Obtains Proxy Information

Because browsers on different platforms store proxy information differently, there is no generic mechanism to obtain proxy information. Here's how Java Plug-in obtains proxy information for three different browser-platform combinations:

Internet Explorer on Win32: Internet Explorer stores proxy information in the same set of keys in the windows registry. Java Plug-in obtains this information directly.

Netscape Navigator browser on Win32: Navigator 4 stores proxy information in the user preference file on the local machine. Java Plug-in reads and parses the user preference file to obtain the Navigator 4 proxy information. Netscape 6 has an API for obtaining proxy information. findProxyForURL(URL) returns proxy configuration information for the URL passed to it.

Netscape Navigator browser on the Solaris operating environment and Linux: Navigator stores proxy information in a file in the local machine. Java Plug-in reads and parses this file to obtain the proxy information. For Netscape 6 the process is the same as described in the previous section.

Java Plug-in obtains proxy information at startup time. If you change the proxy setting after Java Plug-in has started, you may force Java Plug-in to reload the proxy information from the browser through the p option in the Java Console.

Direct Connection

Direct connection does not use a proxy. For certain situations, such as when mobile users connect to the company through a modem, direct connection to the intranet environment is required, and proxies should not be used in these cases.

Manual Proxy Configuration

Both Internet Explorer and Netscape Navigator support manual proxy configuration. Users can specify the proxy server and port for each protocol. Users can also specify one proxy server and port for all protocols. To minimize the workload of the proxy server, some sites might bypass the proxy server completely when a machine is connecting to another machine inside the intranet environment. To do this, network administrators and users can specify the proxy server bypass list in the browser's setting.

Internet Explorer: Java Plug-in recognizes and supports the proxy server and port setting associated with the protocol. Internet Explorer supports various syntaxes in the proxy server bypass list, as follows:

IP address/hostname only
IP address/hostname with wildcard
IP address/hostname with protocol

For example, if you specify "121.141.23.5;*.eng;http://*.com" in the proxy server bypass list, then the browser bypasses the proxy whenever one of the following occurs:

"121.141.23.5" is requested
the URL hostname ends with ".eng"
the URL protocol is http and the URL hostname ends with ".com"

Currently, Java Plug-in supports the first two syntaxes in the proxy server bypass list in Internet Explorer. Internet Explorer also supports bypassing the proxy server for local (intranet) addresses without using the proxy server bypass list. Java Plug-in supports this option by bypassing the proxy server if the URL hostname is plain; i.e., the hostname contains no dot (.).

Netscape Navigator:Java Plug-in recognizes and supports the proxy server and port setting associated with the protocol. For example, if you specify ".eng,.sun.com" in the proxy server bypass list in the Netscape Navigator browser, it bypasses the proxy whenever the URL hostname ends with ".eng" or ".sun.com". Java Plug-in fully supports this syntax in the proxy server bypass list in Navigator.

For more information about manual proxy configuration in your browser, please consult the user guide for your browser.

Automatic Proxy Configuration

Both Internet Explorer and Netscape Navigator support automatic proxy configuration. The browser's automatic proxy configuration is set to a particular URL that contains a JavaScript file with .pac or .js extension. This file contains a function called FindProxyForURL() that contains the logic to determine which proxy server to use when the browser receives a connection request. This function is written by the system administrator for the particular intranet environment. When the browser starts up, it recognizes the URL of the JavaScript file and downloads the file to the local machine using direct connection. Then whenever it needs to make a new connection, the browser executes the JavaScript function FindProxyForURL() in the file to obtain the proxy information to set up the connection.

Internet Explorer: During startup, Java Plug-in downloads the JavaScript file to the local machine using direct connection. Then whenever it needs to make a new connection, it executes the FindProxyForURL function to obtain the proxy information using the JavaScript engine in Internet Explorer.

Netscape Navigator browser:During startup, Java Plug-in downloads the JavaScript file to the local machine using direct connection. Then whenever it needs to make a new connection, it executes the FindProxyForURL() function to obtain the proxy information by using the JavaScript engine in the Netscape Navigator browser.

There are a number of predefined JavaScript functions which can be called from the JavaScript function FindProxyForURL(). Java Plug-in provides its own implementation of these functions to completely emulate the automatic proxy configuration. Here are a few notes regarding this implementation:

Function dnsResolve() always returns an empty string if the host is not an IP address
Function isResolvable() always returns false if the host is not an IP address.
Function isInNet() always returns false if the host is not an IP address.

Note that executing the function FindProxyForURL() always returns proxy information as a string. Java Plug-in extracts the setting in the following way:

If "DIRECT" is in the string, Java Plug-in assumes direct connection.
If "PROXY" is in the string, it uses the first proxy setting for the connection.
If "SOCKS" is in the string, it uses the SOCKS v4 for the connection.
Otherwise, the proxy information in the string is incorrect. In this cases, Java Plug-in assumes direct connection.


	Chapter 5 Proxy Configuration This chapter includes the following topics: "Introduction" " How Java Plug-in Obtains Proxy Information" "Direct Connection" "Manual Proxy Configuration" "Automatic Proxy Configuration" Introduction For enterprise customers it is important to be able to set up secure computing environments within their companies, and proxy configuration is an essential part of doing that. Proxy configuration acts as a security barrier; it ensures that the proxy server monitors all traffic between the Internet and the intranet. This is normally an integral part of security enforcement in corporate firewalls within intranets. Enterprise customers who want to use Java Plug-in to deploy applets on their intranet web pages may also set up proxy support. This support is required for Java Plug-in to work in an intranet environment and can be set up through the Java Plug-in Control Panel. The Control Panel provides three proxy options: "Use browser settings" Manual configuration through the Protocol-Address-Port table "Automatic proxy configuration URL" If "Use browser settings" is selected, then proxy information is entered entirely through the browser. For Internet Explorer, go to Tools>Internet Options ... and select the Connections tab and then LAN Settings ... ; for Netscape, go to Edit>Preferences ... and select Advanced under Category and then Proxies. How this works and the three types of connections that can be set up through the browser-Direct, Manual, and Automatic-are described in the following sections. If you select manual configuration in the Control Panel, then you must enter in the table for each protocol the address and port for the proxy server. Note that you may select to exclude some hosts from requiring proxy servers by listing them in the field labeled "No proxy host". If you select "Automatic proxy configuration URL", then you must enter the URL for the location of the JavaScript called `FindProxyForURL(URL url)` that returns the proxy server to be used for a URL. Support for this script is the same as described below under Automatic Proxy Configuration. How Java Plug-in Obtains Proxy Information Because browsers on different platforms store proxy information differently, there is no generic mechanism to obtain proxy information. Here's how Java Plug-in obtains proxy information for three different browser-platform combinations: Internet Explorer on Win32: Internet Explorer stores proxy information in the same set of keys in the windows registry. Java Plug-in obtains this information directly. Netscape Navigator browser on Win32: Navigator 4 stores proxy information in the user preference file on the local machine. Java Plug-in reads and parses the user preference file to obtain the Navigator 4 proxy information. Netscape 6 has an API for obtaining proxy information. `findProxyForURL(URL)` returns proxy configuration information for the URL passed to it. Netscape Navigator browser on the Solaris operating environment and Linux: Navigator stores proxy information in a file in the local machine. Java Plug-in reads and parses this file to obtain the proxy information. For Netscape 6 the process is the same as described in the previous section. Java Plug-in obtains proxy information at startup time. If you change the proxy setting after Java Plug-in has started, you may force Java Plug-in to reload the proxy information from the browser through the `p` option in the Java Console. Direct Connection Direct connection does not use a proxy. For certain situations, such as when mobile users connect to the company through a modem, direct connection to the intranet environment is required, and proxies should not be used in these cases. Manual Proxy Configuration Both Internet Explorer and Netscape Navigator support manual proxy configuration. Users can specify the proxy server and port for each protocol. Users can also specify one proxy server and port for all protocols. To minimize the workload of the proxy server, some sites might bypass the proxy server completely when a machine is connecting to another machine inside the intranet environment. To do this, network administrators and users can specify the proxy server bypass list in the browser's setting. Internet Explorer: Java Plug-in recognizes and supports the proxy server and port setting associated with the protocol. Internet Explorer supports various syntaxes in the proxy server bypass list, as follows: IP address/hostname only IP address/hostname with wildcard IP address/hostname with protocol For example, if you specify "`121.141.23.5;.eng;http://.com`" in the proxy server bypass list, then the browser bypasses the proxy whenever one of the following occurs: "`121.141.23.5`" is requested the URL hostname ends with "`.eng`" the URL protocol is `http` and the URL hostname ends with "`.com`" Currently, Java Plug-in supports the first two syntaxes in the proxy server bypass list in Internet Explorer. Internet Explorer also supports bypassing the proxy server for local (intranet) addresses without using the proxy server bypass list. Java Plug-in supports this option by bypassing the proxy server if the URL hostname is plain; i.e., the hostname contains no dot (.). Netscape Navigator:Java Plug-in recognizes and supports the proxy server and port setting associated with the protocol. For example, if you specify "`.eng,.sun.com`" in the proxy server bypass list in the Netscape Navigator browser, it bypasses the proxy whenever the URL hostname ends with "`.eng`" or "`.sun.com`". Java Plug-in fully supports this syntax in the proxy server bypass list in Navigator. For more information about manual proxy configuration in your browser, please consult the user guide for your browser. Automatic Proxy Configuration Both Internet Explorer and Netscape Navigator support automatic proxy configuration. The browser's automatic proxy configuration is set to a particular URL that contains a JavaScript file with `.pac` or `.js` extension. This file contains a function called `FindProxyForURL()` that contains the logic to determine which proxy server to use when the browser receives a connection request. This function is written by the system administrator for the particular intranet environment. When the browser starts up, it recognizes the URL of the JavaScript file and downloads the file to the local machine using direct connection. Then whenever it needs to make a new connection, the browser executes the JavaScript function `FindProxyForURL()` in the file to obtain the proxy information to set up the connection. Internet Explorer: During startup, Java Plug-in downloads the JavaScript file to the local machine using direct connection. Then whenever it needs to make a new connection, it executes the FindProxyForURL function to obtain the proxy information using the JavaScript engine in Internet Explorer. Netscape Navigator browser:During startup, Java Plug-in downloads the JavaScript file to the local machine using direct connection. Then whenever it needs to make a new connection, it executes the `FindProxyForURL()` function to obtain the proxy information by using the JavaScript engine in the Netscape Navigator browser. There are a number of predefined JavaScript functions which can be called from the JavaScript function `FindProxyForURL()`. Java Plug-in provides its own implementation of these functions to completely emulate the automatic proxy configuration. Here are a few notes regarding this implementation: Function `dnsResolve()` always returns an empty string if the host is not an IP address Function `isResolvable()` always returns false if the host is not an IP address. Function `isInNet()` always returns false if the host is not an IP address. Note that executing the function `FindProxyForURL()` always returns proxy information as a string. Java Plug-in extracts the setting in the following way: If "DIRECT" is in the string, Java Plug-in assumes direct connection. If "PROXY" is in the string, it uses the first proxy setting for the connection. If "SOCKS" is in the string, it uses the SOCKS v4 for the connection. Otherwise, the proxy information in the string is incorrect. In this cases, Java Plug-in assumes direct connection.