Environments with no internet access (Forward proxy)

A forwarding proxy can be used when running the UXM Desktop Agent in a restricted network where TCP/443 (HTTPS) traffic is blocked.

Setup Forward proxy on Linux Ubuntu

Use the nginx proxy_connect module from <https://github.com/chobits/ngx_http_proxy_connect_module#install>

NGINX can be compiled and set up as a forwarding proxy with the following commands:

```
sudo -i
apt-get update
# Build dependencies, plus git and wget, which the steps below use
apt-get install build-essential git wget libpcre3 libpcre3-dev zlib1g zlib1g-dev libssl-dev libgd-dev libxml2 libxml2-dev uuid-dev
cd /tmp/
# Fetch the nginx source over HTTPS
wget https://nginx.org/download/nginx-1.24.0.tar.gz
tar -xzvf nginx-1.24.0.tar.gz
git clone https://github.com/chobits/ngx_http_proxy_connect_module.git
cd nginx-1.24.0/
# Apply the module's CONNECT patch to the nginx source tree
patch -p1 < /tmp/ngx_http_proxy_connect_module/patch/proxy_connect_rewrite_102101.patch
./configure \
  --user=www-data --group=www-data \
  --prefix=/var/www/nginx \
  --sbin-path=/usr/sbin/nginx \
  --conf-path=/etc/nginx/nginx.conf \
  --http-log-path=/var/log/nginx/access.log \
  --error-log-path=/var/log/nginx/error.log \
  --with-pcre \
  --lock-path=/var/lock/nginx.lock \
  --pid-path=/var/run/nginx.pid \
  --with-http_ssl_module \
  --with-stream \
  --with-stream_ssl_preread_module \
  --with-stream_ssl_module \
  --add-dynamic-module=/tmp/ngx_http_proxy_connect_module
make && make install
```

Afterwards, edit /etc/nginx/nginx.conf:

```
load_module /var/www/nginx/modules/ngx_http_proxy_connect_module.so;

user www-data;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    server {
        listen 3128;

        # dns resolver used by forward proxying
        resolver 8.8.8.8;

        # forward proxy for CONNECT request
        proxy_connect;
        proxy_connect_allow 443;
        proxy_connect_connect_timeout 10s;
        proxy_connect_read_timeout 10s;
        proxy_connect_send_timeout 10s;

        # forward proxy for non-CONNECT request
        location / {
            proxy_pass http://$host;
            proxy_set_header Host $host;
        }
    }
}
```

Configure nginx service and start the service

Edit the systemd service file: nano /lib/systemd/system/nginx.service and add:

```
[Unit]
Description=The NGINX HTTP and reverse proxy server
After=syslog.target network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t
ExecStart=/usr/sbin/nginx
ExecReload=/usr/sbin/nginx -s reload
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true

[Install]
WantedBy=multi-user.target
```

Restart the nginx service and check status:

```
# Make systemd pick up the edited unit file before restarting
systemctl daemon-reload
systemctl restart nginx.service
systemctl status nginx.service
systemctl enable nginx.service
```

Deploy UXM Desktop agent with proxy configured

The UXM Desktop Agent needs to be deployed with proxy_auto_detect, proxy_server and proxy_port configured. See the options in Deploying Desktop Agent (EXE).

```
UXM_Desktop_Agent_YYYY.MM.DD.exe /verysilent /norestart /closeapplications /agent_key=UXM_AGENT_KEY /collector=https://customername.uxmapp.com /log /enable_ui_plugin=true /enable_chrome_plugin=false /enable_firefox_plugin=false /force_activation=false /proxy_auto_detect=false /proxy_server=ip_of_proxy_Server /proxy_port=proxy_port
```

Restart the UXM Desktop Agent service and verify in the log file C:\ProgramData\Systemslab\UXM PC Agent\Logs\PCAgent.exe.log that it can send data and receive configuration.

Successful logs when connecting through proxy server:

```
...
2023-05-24 11:17:30 HTTPClient: [Information] Using collector: https://dev-emea-hf.uxmapp.com, verify_ssl_certificate: 1
2023-05-24 11:17:30 HTTPClient: [Information] Using proxy settings: 10.166.15.192 port 3128, auth: , AutoConfigUrl:
...
2023-05-24 11:26:38 HTTPClient: [Information] Received ...
2023-05-24 11:18:30 HTTPClient: [Information] Sending MultiMessage queue, size: 5489, max size is 10485760
...
```

Unsuccessful logs when connecting through proxy server:

```
...
2023-05-24 11:17:30 HTTPClient: [Information] Using collector: https://dev-emea-hf.uxmapp.com, verify_ssl_certificate: 1
2023-05-24 11:17:30 HTTPClient: [Information] Using proxy settings: 10.166.15.192 port 3128, auth: , AutoConfigUrl:
...
2023-05-24 11:23:25 HTTPClient: [Information] Sending MultiMessage queue, size: 10985, max size is 10485760
2023-05-24 11:23:26 HTTPClient: [Error] ConnectionRefusedException collector: https://dev-emea-hf.uxmapp.com, displayText: Connection refused
2023-05-24 11:28:37 HTTPClient: [Error] OnTimer exception collector: https://dev-emea-hf.uxmapp.com, what: HTTP Exception, message: Cannot establish proxy connection: Not Allowed
...
```

 

Browser extensions

Currently, browser extensions use the Windows proxy settings and will only allow traffic if the proxy settings in the browser are configured to send through the forwarding proxy.

It is on the roadmap for browser extensions to send their data through the UXM Desktop Agent service.

Security

Traffic sent to UXM uses HTTPS encryption through the forwarding proxy. SSL and custom HTTPS certificates need to be configured on the proxy if proxy authorization is required.