SMS scnews item created by Paul Szabo at Thu 28 Nov 2013 1140
Type: ITMatters
Modified: Thu 28 Nov 2013 1349; Sun 22 Dec 2013 1952; Sun 22 Dec 2013 2019; Thu 27 Mar 2014 0627; Mon 25 May 2015 1017; Tue 26 May 2015 1251; Fri 24 Jul 2015 0742; Fri 27 Nov 2015 0746; Sat 19 Dec 2015 1500; Tue 2 May 2017 0803
Distribution: World
Auth: psz@como.maths.usyd.edu.au

Transparent proxy (no proxy settings needed)

I implemented a new transparent proxy for Maths. All outgoing network
accesses should now work, without a need for explicit proxy settings:
leave setting as "no proxy" or "direct connection to internet".

You cannot use explicit "fixed" proxy settings anymore, support for the
"old ways" has been discontinued. The settings of "automatically detect"
or "use proxy.pac" are fine. Best is to use no proxy settings at all:
simplest, and allows itinerant laptops to work inside and out without a
change.

Please let me know of any problems.

Cheers, Paul

---

FAQ (frequently un-asked questions)

Do connections now go direct?
  No. Connections are handled by the proxy server, in a transparent way.
  Neither the sender nor the receiver will normally notice the presence
  of the proxy server.

Are incoming connections allowed?
  No. There has been no change. Only outgoing connections are allowed.
  Incoming connections are allowed in special cases only e.g. to our SSH
  server with skeys (and to our web and mail servers etc), as described in
  http://www.maths.usyd.edu.au/loc/comp/alpha/net-security.html
  (We still have a firewall.)

Are there traffic quotas?
  Yes. There has been no change. All connections are logged, all
  (incoming, response) bytes are counted. The traffic limits are
  practically infinite (though determined people can reach them).
  See  http://www.maths.usyd.edu.au/s/TrafficLimits  for details.

Are all outgoing connections allowed?
  Only TCP and UDP connections are allowed.
  Traffic to some ports, traditionally used by the Blaster worm and
  similar, are blocked: ports 135-139, 445, 1025-1029, 1900, 3389, 5000.
  Please let me know if this causes difficulties.
  NTP to outside does not work, due to some technical oddity. All NTP
  traffic is grabbed for (replied by) our NTP server; our DHCP provides
  a correct ntp-servers setting (to our internal NTP server).

ping, traceroute do not work
  These normally use ICMP, and the proxy only allows TCP and UDP.
  Even "traceroute -T" does not quite work because the proxy does
  not preserve IP_TTL.

Are all connections transparent?
  Yes. - Were not so before Nov2015: Connections to TCP port 80 (mostly
  HTTP) were not done transparently because the Uni border router would
  not allow it (enforced Uni caches, though useless). - Before May2015,
  HTTP requests (in fact all TCP port 80 connections) went through
  Apache not the new transparent proxy, preventing access to servers
  that ran on port 80 but served something other than HTTP.

What were the old proxy settings?
  Now you should use "no proxy".
  Using the previously suggested settings:
   - automatically detect for this network
   - automatic script http://siv/proxy.pac
  now is same as "no proxy" (the proxy.pac file changed to say DIRECT).
  Settings for the "old ways" (that do not work anymore) used to be:
   - manual settings (type host port):
       http     siv     80
       https    siv     8008
       socks    siv     1080
       ftp      siv     80
     (https is sometimes known as secure, socks preferred version 5 or
     could be version 4)
   - some software used "environment" variables
       http_proxy=http://siv:80/
       https_proxy=http://siv:8008/
     though some would want without the trailing slash or without the
     leading http://, and some software had other settings.
  Support for the "old ways" has been discontinued about Oct2015.

Why only in Nov2013, not earlier?
  Because nobody told me this could be done... now please stop asking
  questions, am already sore from kicking myself.


Actions:
ball UNCLUTTER for printing
ball AUTHENTICATE to mark the scnews item as read
School members may try to .