Work proxy


  • Notification Spam Recipient

    I started a new job in October, my first job at a proper corporate, and I am having trouble getting some of my stuff to work, as a result of my company's proxy servers. Specifically Dropbox and Spotify.

    So our setup is this:

    The company uses an automatic configuration script (PAC file) to connect to the proxies. The main part of the logic just tries to bypass the proxy for local addresses. Though at the bottom of the script is this part:

      // Default rule: All other traffic goes through the proxy servers
      // Check to see if the 4th octet is even or odd
      var myip=myIpAddress();
      var ipbits=myip.split(".");
      var myseg=parseInt(ipbits[3]);
    
      if (myseg == Math.floor(myseg/2)*2) {
        // Even
          return "PROXY <server1_name>:8080; PROXY <server2_name>:8080; DIRECT";
      } else {
        // Odd
          return "PROXY <server2_name>:8080; PROXY <server1_name>:8080; DIRECT";
      }
    

    I assume it is some sort of load balancing.

    I have tried to set the network settings on both Dropbox and Spotify to the following without success:

    • No Proxy
    • Auto-detect
    • server1_address, no username or password
    • server1_address, AD username and password (with and without domain)
    • server2_address, no username or password
    • server2_address, AD username and password (with and without domain)

    Some other random info:

    • Selecting a server directly in "LAN Settings (Internet Properties)" instead of choosing the "automatic configuration" option produces the same results (i.e. all my internetz work except for these 2 programs)
    • On Monday I played around with Fiddler to try to get a feeling of how it all works, and somewhere along the line I unchecked all options in "LAN Settings (Internet Properties)", selected "No Proxy" on Dropbox and Spotify, and everything worked. On Tuesday, however, everything was broken again. I know Fiddler can act as a proxy in some way or another, so I assume that is what happened, but I couldn't reproduce the results. Using Fiddler to bypass the proxy is thus an option, but more of a "last resort" option.

    Can anybody help me with how to get everything up and running?
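    The parity rule from the PAC excerpt above, wrapped in a complete FindProxyForURL and run against a few constructed client addresses. This is an added example, not the company's PAC file: the client IP is passed as a parameter instead of coming from myIpAddress(), the PAC helper functions are minimal stand-ins, and the local-bypass rule is an assumption since the post does not quote it.

```javascript
// Added example (not the company's PAC file): FindProxyForURL built around the
// parity rule quoted in the post. A PAC runtime supplies myIpAddress(),
// isPlainHostName() and isInNet(); here the client IP is a parameter and the
// helpers are minimal stand-ins so the selection logic runs offline in Node.
const SERVER1 = "server1_name:8080"; // placeholders, as in the post
const SERVER2 = "server2_name:8080";

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Stand-in for isInNet(): only handles dotted-quad hosts (the real PAC
// function would resolve a hostname first).
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const toInt = (s) => s.split(".").reduce((a, o) => ((a << 8) | parseInt(o, 10)) >>> 0, 0);
  return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
}

function findProxyForURL(url, host, clientIp) {
  // Assumed local-bypass rule (the post only says the script bypasses the
  // proxy for local addresses): plain hostnames and 10.0.0.0/8 go DIRECT.
  if (isPlainHostName(host) || isInNet(host, "10.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Default rule from the post: proxy order follows the parity of the 4th octet.
  const myseg = parseInt(clientIp.split(".")[3], 10);
  // If myIpAddress() returns something that is not a dotted quad (an IPv6 or
  // link-local address on some adapters), parseInt gives NaN and the original
  // comparison fails, so the script silently takes the "odd" branch. Make
  // that explicit instead of relying on NaN arithmetic.
  if (Number.isNaN(myseg) || myseg % 2 !== 0) {
    return "PROXY " + SERVER2 + "; PROXY " + SERVER1 + "; DIRECT";
  }
  return "PROXY " + SERVER1 + "; PROXY " + SERVER2 + "; DIRECT";
}

// Split the returned proxy string into its fallbacks. The trailing DIRECT
// means the client goes straight out if both proxies are down (fail-open),
// which is worth knowing when reasoning about what the proxy "blocks".
function proxyChain(result) {
  return result.split(";").map((s) => s.trim());
}

// How many clients in a list would prefer each proxy first: the parity scheme
// splits any run of consecutive addresses evenly, which is the
// "some sort of load balancing" the post guessed at.
function primaryProxyCounts(clientIps) {
  const counts = { [SERVER1]: 0, [SERVER2]: 0 };
  for (const ip of clientIps) {
    const first = proxyChain(findProxyForURL("https://example.test/", "example.test", ip))[0];
    counts[first.replace(/^PROXY /, "")] += 1;
  }
  return counts;
}
```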



  • @Vault_Dweller I'm not sure if this is relevant, but my company has a similar proxy, but in addition to it we have to log into some sort of internet portal to actually get through (I think they're using zscaler?).

    My understanding of it is that apps that are detected by the proxy as being web browsers get redirected to a login page (at one point it was using Flash somewhere in this process, so browsers that did not have proper Flash support/plugin ended up being entirely blocked). Apps that are not browsers get to go through directly (provided you have set the correct proxy credential using e.g. $http_proxy and such).

    As a result, at one point I managed to get out of our network with e.g. curl but was blocked with Opera (which at that time wasn't just Chrome-under-a-different-name), until I changed the User-Agent to something that wasn't seen as a browser at all and thus bypassed the login page.

    I think our system has actually somewhat changed since then and I have no idea whether this is relevant to you or not, but this is just to say that the proxy server itself might not be the only thing to consider...



  • Or you might be under similar rules as my workplace where the proxy denies "everything media streaming" and "everything file sharing".


  • Notification Spam Recipient

    @robo2 I just checked, and Spotify's web player works fine.

    Is there some way (through Fiddler or via some other means) to differentiate between a "not working" connection and a "blocked" connection?



  • @Vault_Dweller I have no idea how Spotify's player works, but can you try installing a local proxy on your computer and tweak it to change e.g. the User-Agent that Spotify sends through, or the local port, or whatever? That might be enough to fool your company's proxy, or at least understand what exactly causes it to block Spotify?


  • Notification Spam Recipient

    @remi Thanks, I will have a look tomorrow


  • Java Dev

    You could listen with wireshark and see what's being sent back.


  • Notification Spam Recipient

    I remember once setting up a vm and vpn to access the web and circumvent other things. Might work for you if you can get your vm thingie to output audio.


  • Discourse touched me in a no-no place

    Keep in mind that if the company is deliberately blocking this, then circumventing it may well get you into trouble.
    Spotify's web player working doesn't mean the app will if it uses a different port or whatever, and plenty of organisations deliberately block DropBox.


  • Notification Spam Recipient

    @loopback0 said in Work proxy:

    Keep in mind that if the company is deliberately blocking this, then circumventing it may well get you into trouble.
    Spotify's web player working doesn't mean the app will if it uses a different port or whatever, and plenty of organisations deliberately block DropBox.

    Yes, I understand that, which is why I am trying to figure out if they are blocking it, or if I am just doing something wrong with the configuration


  • Notification Spam Recipient

    @Vault_Dweller Ok, I'm still trying to wrap my head around Wireshark, but here is the output from Fiddler when I right-click on the Dropbox icon after manually entering my proxy info (including AD username (format DOMAIN\username) and password) in Dropbox:

    First
    HTTP/1.1 407 Proxy Authentication Required
    Proxy-Authenticate: NEGOTIATE
    Proxy-Authenticate: NTLM
    Proxy-Authenticate: BASIC realm="<company_name_redacted>IWADirect"
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Proxy-Connection: close
    Connection: close
    Content-Length: 849
    Proxy-Support: Session-Based-Authentication
    
    <HTML><HEAD>
    <TITLE>Access Denied</TITLE>
    </HEAD>
    <BODY>
    <FONT face="Helvetica">
    <big><strong></strong></big><BR>
    </FONT>
    <blockquote>
    <TABLE border=0 cellPadding=1 width="80%">
    <TR><TD>
    <FONT face="Helvetica">
    <big>Access Denied (authentication_failed)</big>
    <BR>
    <BR>
    </FONT>
    </TD></TR>
    <TR><TD>
    <FONT face="Helvetica">
    Your credentials could not be authenticated: "Credentials are missing.". You will not be permitted access until your credentials can be verified.
    </FONT>
    </TD></TR>
    <TR><TD>
    <FONT face="Helvetica">
    This is typically caused by an incorrect username and/or password, but could also be caused by network problems.
    </FONT>
    </TD></TR>
    <TR><TD>
    <FONT face="Helvetica" SIZE=2>
    <BR>
    For assistance, contact your network support team.
    </FONT>
    </TD></TR>
    </TABLE>
    </blockquote>
    </FONT>
    </BODY></HTML>
    
    Second
    HTTP/1.1 407 Proxy Authentication Required
    Proxy-Authenticate: NEGOTIATE TlRMTVNTUAACAAAADAAMADgAAAAVAongZPhWrWM3LSkAAAAAAAAAAHIAcgBEAAAABQCTCAAAAA9TAFUATQBNAEkAVAACAAwAUwBVAE0ATQBJAFQAAQAWAFoAQQBQAFAARQAzAFAAUgBPAFgAWQAEABIATwBVAFQALgBDAE8ALgBaAEEAAwAqAHoAYQBwAHAAZQAzAHAAcgBvAHgAeQAuAG8AdQB0AC4AYwBvAC4AegBhAAAAAAA=
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: text/html; charset=utf-8
    Proxy-Connection: Keep-Alive
    Connection: Keep-Alive
    Content-Length: 866
    Proxy-Support: Session-Based-Authentication
    
    <HTML><HEAD>
    <TITLE>Access Denied</TITLE>
    </HEAD>
    <BODY>
    <FONT face="Helvetica">
    <big><strong></strong></big><BR>
    </FONT>
    <blockquote>
    <TABLE border=0 cellPadding=1 width="80%">
    <TR><TD>
    <FONT face="Helvetica">
    <big>Access Denied (authentication_failed)</big>
    <BR>
    <BR>
    </FONT>
    </TD></TR>
    <TR><TD>
    <FONT face="Helvetica">
    Your credentials could not be authenticated: "Another round of authentication required.". You will not be permitted access until your credentials can be verified.
    </FONT>
    </TD></TR>
    <TR><TD>
    <FONT face="Helvetica">
    This is typically caused by an incorrect username and/or password, but could also be caused by network problems.
    </FONT>
    </TD></TR>
    <TR><TD>
    <FONT face="Helvetica" SIZE=2>
    <BR>
    For assistance, contact your network support team.
    </FONT>
    </TD></TR>
    </TABLE>
    </blockquote>
    </FONT>
    </BODY></HTML>
    
    Third
    HTTP/1.1 200 Connection established
    
    Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.
    
    Secure Protocol: Tls12
    Cipher: Aes256 256bits
    Hash Algorithm: Sha384 384bits
    Key Exchange: ECDHE_RSA (0xae06) 256bits
    
    == Server Certificate ==========
    [Subject]
      CN=*.dropbox.com, OU=Dropbox Ops, O="Dropbox, Inc", L=San Francisco, S=California, C=US
    
    [Issuer]
      E=<someone>@<our_domain>, CN=<our_company>, O=<our_company> Insurance Company Limited, L=<suburb>, S=<province>, C=ZA
    
    [Serial Number]
      00DA6E3FEE00000000
    
    [Not Before]
      2018/08/16 02:00:00 AM
    
    [Not After]
      2020/11/05 02:00:00 PM
    
    [Thumbprint]
      410C70A32FDA95566A2A3021334FA22D7FA9E2CA
    
    [SubjectAltNames]
    *.dropbox.com, dropbox.com
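    Decoding what the three responses above actually say, as an added example (not Fiddler's or the proxy vendor's code): the first 407 only lists the schemes the proxy accepts, the second carries an NTLM Type 2 challenge in the NEGOTIATE header (so "Another round of authentication required" is the handshake in progress, not a failure), and the 200 is the CONNECT tunnel coming up. The sample challenge is constructed with buildChallenge() in the block and every domain and host name in it is made up.

```javascript
// Added example (not Fiddler's or the proxy vendor's code): decoding the NTLM
// handshake behind the 407 responses quoted above. The sample challenge is
// constructed with buildChallenge() below and every name in it is made up.
const NEGOTIATE_UNICODE = 0x00000001;      // MS-NLMP: strings are UTF-16LE
const NEGOTIATE_TARGET_INFO = 0x00800000;  // TargetInfo AV pairs are present
const AV_ID = { 1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
                4: "DnsDomainName", 5: "DnsTreeName", 7: "Timestamp" };
// Encode a CHALLENGE_MESSAGE (MS-NLMP 2.2.1.2) without the optional Version
// field, so the payload starts at offset 48.
function buildChallenge(targetName, avPairs, serverChallenge) {
  const utf16 = (s) => Buffer.from(s, "utf16le");
  const target = utf16(targetName);
  const pairs = avPairs.map(([id, v]) => {
    const val = utf16(v), hdr = Buffer.alloc(4);
    hdr.writeUInt16LE(id, 0); hdr.writeUInt16LE(val.length, 2);
    return Buffer.concat([hdr, val]);
  });
  const info = Buffer.concat([...pairs, Buffer.alloc(4)]);  // MsvAvEOL terminator
  const head = Buffer.alloc(48);
  head.write("NTLMSSP\0", 0, "latin1");
  head.writeUInt32LE(2, 8);                                // MessageType = CHALLENGE
  head.writeUInt16LE(target.length, 12); head.writeUInt16LE(target.length, 14);
  head.writeUInt32LE(48, 16);                              // TargetName offset
  head.writeUInt32LE(NEGOTIATE_UNICODE | NEGOTIATE_TARGET_INFO, 20);
  serverChallenge.copy(head, 24);                          // 8-byte server nonce
  head.writeUInt16LE(info.length, 40); head.writeUInt16LE(info.length, 42);
  head.writeUInt32LE(48 + target.length, 44);              // TargetInfo offset
  return Buffer.concat([head, target, info]).toString("base64");
}
// Decode a base64 NEGOTIATE/NTLM token; returns null unless it is a Type 2
// (challenge) message, which is what the second 407 in the post carries.
function parseChallenge(b64) {
  const buf = Buffer.from(b64, "base64");
  if (buf.length < 48 || buf.toString("latin1", 0, 8) !== "NTLMSSP\0" ||
      buf.readUInt32LE(8) !== 2) return null;
  const flags = buf.readUInt32LE(20);
  const enc = (flags & NEGOTIATE_UNICODE) ? "utf16le" : "latin1";
  const field = (off) => {            // {Len, MaxLen, Offset} descriptor
    const len = buf.readUInt16LE(off), start = buf.readUInt32LE(off + 4);
    return buf.subarray(start, start + len);
  };
  const info = field(40), targetInfo = {};
  for (let p = 0; p + 4 <= info.length; ) {
    const id = info.readUInt16LE(p), len = info.readUInt16LE(p + 2);
    if (id === 0) break;                                   // MsvAvEOL
    if (id !== 7) targetInfo[AV_ID[id] || "AvId" + id] = info.toString(enc, p + 4, p + 4 + len);
    p += 4 + len;
  }
  return { targetName: field(12).toString(enc), flags,
           serverChallenge: buf.subarray(24, 32).toString("hex"), targetInfo };
}
// Classify one proxy response from the CONNECT exchange: a bare list of
// schemes, an NTLM challenge (handshake still in progress), or the tunnel.
function classifyProxyResponse(raw) {
  const lines = raw.split(/\r?\n/);
  const status = lines[0].split(" ")[1];
  if (status !== "407") return { stage: status === "200" ? "tunnel-established" : "other" };
  const schemes = [];
  for (const l of lines.slice(1)) {
    const m = /^Proxy-Authenticate:\s*(\S+)(?:\s+(\S+))?/i.exec(l);
    if (!m) continue;
    if (m[2] && !m[2].startsWith("realm=")) {
      const challenge = parseChallenge(m[2]);
      if (challenge) return { stage: "ntlm-challenge", scheme: m[1], challenge };
    }
    schemes.push(m[1].toUpperCase());
  }
  return { stage: "scheme-offer", schemes };
}
// Constructed sample of what a second 407 might carry, for a made-up domain.
const SAMPLE_TOKEN = buildChallenge("CORP",
  [[2, "CORP"], [1, "PROXY01"], [4, "corp.example"], [3, "proxy01.corp.example"]],
  Buffer.from("0123456789abcdef", "hex"));
const SAMPLE_407 = "HTTP/1.1 407 Proxy Authentication Required\r\n" +
  "Proxy-Authenticate: NEGOTIATE " + SAMPLE_TOKEN + "\r\nConnection: Keep-Alive\r\n";
```

    The decoded TargetInfo shows which domain and proxy host the challenge comes from, which is why a client given only "username" and no domain, or the wrong one, ends up back at "Credentials are missing".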
    

  • Notification Spam Recipient

    Ok, I was able to generate two files in Wireshark, one with all the HTTP traffic when I opened the Spotify app (which does not work), and one where I opened the Spotify web client (which does work). If anybody is interested in comparing the two and highlighting the differences for me, I will send the files to them.

    As I said, I just want to know if I am being blocked by the proxy, or if it is just me not configuring Spotify correctly.


  • Discourse touched me in a no-no place

    @Vault_Dweller said in Work proxy:

    @loopback0 said in Work proxy:

    Keep in mind that if the company is deliberately blocking this, then circumventing it may well get you into trouble.
    Spotify's web player working doesn't mean the app will if it uses a different port or whatever, and plenty of organisations deliberately block DropBox.

    Yes, I understand that, which is why I am trying to figure out if they are blocking it, or if I am just doing something wrong with the configuration

    Just ask them?

    I did wonder if you'd set the proxy settings in Spotify then I re-read the OP and remembered you had.

    Windows, I assume?


  • Notification Spam Recipient

    @loopback0 said in Work proxy:

    Just ask them?

    But that's boring. EDIT: More importantly, I would like to understand networking and proxies a bit better in general

    @loopback0 said in Work proxy:

    Windows, I assume?

    Yip


  • Notification Spam Recipient

    LOL, ok. It seems that patience really is a virtue. When I open Spotify, it tells me that no internet connection was detected. But, if I leave it open for about 30 seconds, it magically finds a connection. Up until now, I just a) closed it or b) changed the proxy settings almost immediately when the "no connection" message popped up.

    So that's that sorted. Knowing at least that I have the correct settings, it should be easy to identify the issue with Dropbox.


  • Notification Spam Recipient

    Ok, so the Dropbox thing seems to be a no-go. Following the connection in Wireshark (I'm starting to understand it!), the SSL part has both a "client hello" and "server hello", but directly afterwards there is an "Unknown CA". After much Googling, and AIUI, the long and the short is it seems that Dropbox has "its own mechanism to check the authenticity of the server it is connecting to", which is a problem when connecting through proxies in general. It seems that, by default, Dropbox doesn't work behind proxies and you need to configure the proxy to allow it.

    I searched for "dropbox ssl inspection behind proxy" and found, among others, the below articles.

    https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk104238

    So whether IT blocked it explicitly or are just not aware that it is blocked, I wouldn't know, short of asking them. And I do not want to ask them, just in case they respond with "oh, we didn't know it was blocked, but it should probably be blocked anyway" and put some additional measures in place to make sure it is REALLY blocked.

    TL;DR: If I understand it correctly (and let me know if I'm not), I'm out of luck because Dropbox is weird.


  • Java Dev

    @Vault_Dweller Can you dig up the common name and signatory of the certificate you're getting? Notably, are you getting dropbox's certificate, or are you getting your employer's because they are snooping/re-encrypting?


  • Notification Spam Recipient

    @PleegWat Uhhm, how would I go about doing that?

    EDIT: The "server hello" contains 4 certificates, 3 from my employer and 1 from Dropbox


  • Java Dev

    @Vault_Dweller In wireshark, for an SSL connection, after the ClientHello and ServerHello messages there is a Certificate message. That's probably in the same packet as the ServerHello message:

    [screenshot: 0_1541766275643_iDEGy.png]

    That screenshot's off google and is SSLv3, but TLS1.0 through TLS1.2 work the same.

    If there are any certificates from your employer in the chain, then they are re-encrypting and that's why dropbox rejects it. Don't assume any SSL-encrypted connection is secure in that case.


  • Notification Spam Recipient


  • Java Dev

    @Vault_Dweller Yup, corporate SSL snooping.



  • @PleegWat Same here. Just got an email from a colleague in IT saying, in essence, "I just noticed that corporate IT has turned on filtering and we can no longer access Google Drive", and quoting another email from corporate IT saying "now that we have SSL inspection enabled for most of the offices we are now able to enforce this policy".

    🤢 🤮

    Although... there are strong privacy laws here (including privacy from your own employer), I wonder if something could be made on the grounds that the company is accessing information that should be private (between me and the website I'm contacting)... :thonking:



  • Our corporate proxy settings are pushed out by Group Policy. And the proxy is terrible. Half the Internet doesn't load, including sites needed for work, and the ones that are accessible break about 1 out of every 3 tries because the proxy craps itself to death when trying to MIM its SSL cert.

    So I have a Linux VM I use for most web browsing, because that's exempt from Group Policy and thus bypasses the whole issue. (For now.)


  • And then the murders began.

    @remi said in Work proxy:

    Although... there are strong privacy laws here (including privacy from your own employer), I wonder if something could be made on the grounds that the company is accessing information that should be private (between me and the website I'm contacting)...

    Their answer to that would be that they'll block everything by default and then only explicitly white-list sites via a byzantine bureaucratic process, including an affidavit that you're only using it for work purposes and that it's okay for them to snoop.



  • @Unperverted-Vixen Then I guess I'll have to submit one request per site that I find on a typical Google search results page, with justification that "I'm looking for <clearly work related search query> and need to access all of those pages to see if one contains the answer to my question". Of course I'll tell my manager that I can't fix the bug that was assigned to me until I get the answer from corporate IT.

    Seriously though, I'm not sure the affidavit route would hold in local law (apart from the fact that affidavit doesn't exist under local law, but there are equivalents...), there are some "reasonable expectation" clauses that the employer can't get out of (e.g. AFAIK you cannot entirely forbid employees to use a phone on their desk for personal use provided this remains "reasonable", that term having some lengthy definition in jurisprudence).

    But it's just idle thought anyway, just my way to say that I strongly dislike this snooping/filtering, even though in practice there is little I can do about it. :sadface:


  • And then the murders began.

    @remi I'd rather they didn't, but I understand why they do. Besides, even if you accept that there's a reasonable expectation of personal use of employer resources (which I'm not sure I do, despite doing so to post to this site - I consider it a bonus, not an expectation), how are they supposed to know that your personal use of employer resources is "reasonable" or not if they aren't able to monitor it?

    If I don't like it, then I have the option of not abusing my employer's resources for personal use and using my phone instead.



  • @Unperverted-Vixen said in Work proxy:

    via a byzantine bureaucratic process, including an affidavit that you're only using it for work purposes and that it's okay for them to snoop.

    Or they could just apply that affidavit to all sites and let them snoop in the first place. Problem solved.

    If I don't like it, then I have the option of not abusing my employer's resources for personal use and using my phone instead.

    You could recognize that the employee has right to a reasonable amount of "personal use" of work resources. In which case the legal solution would be to have a button (browser extension?) that enabled and disabled "personal mode" which removed the snooping and filters.



  • @anonymous234 said in Work proxy:

    Or they could just apply that affidavit to all sites and let them snoop in the first place. Problem solved.

    Which, in practice, is basically what they do, at least in my company: on first access to the proxy I have to click through to indicate that I agree with the T&C of my employer's internet access, basically.

    But still, I'm not sure it fully covers what the local law says. It all depends on what the employer does with this information afterwards (if it's just blocking access to a list of sites clearly indicated as "not for work" with no further action, that is almost certainly OK), but as I said local law is very touchy on that issue... Note that I used the :thonking: emoji, to show I wasn't really serious about it though.

    If I don't like it, then I have the option of not abusing my employer's resources for personal use and using my phone instead.

    You could recognize that the employee has right to a reasonable amount of "personal use" of work resources. In which case the legal solution would be to have a button (browser extension?) that enabled and disabled "personal mode" which removed the snooping and filters.

    Interestingly, this is very close to stuff that has actually been before a judge. It has been judged as illegal for an employer to access a folder on your computer that is clearly labelled as personal (such as it being in your home folder and called "private" or some such). So yeah, there are some clear precedents that you can have private stuff located on company property, and that the company has no right to access it (it may ask you to delete it or take various administrative actions against you if it's detrimental to the work, of course).

    So not only would your solution of a "personal browsing" button not be totally unrealistic (at least on legal grounds), but even more than that I wouldn't be entirely surprised if that actually ended up implemented one day (with virtual machines and sandboxes, that might even be doable with a reasonable amount of security).

    But let's be honest, I fully agree with @Unperverted-Vixen here:
    @Unperverted-Vixen said in Work proxy:

    I'd rather they didn't, but I understand why they do.


  • Discourse touched me in a no-no place

    @remi said in Work proxy:

    I wonder if something could be made on the grounds that the company is accessing information that should be private (between me and the website I'm contacting)

    On a work computer, on work time?


  • Discourse touched me in a no-no place

    @loopback0 said in Work proxy:

    On a work computer, on work time?

    Employers vary substantially in how relaxed they are about this. Some try to measure everything precisely and to prohibit everything they don't think of as work, others are much less worried about things provided the actual work gets done. The former would likely also rather you didn't discuss anything to do with last night's TV over the watercooler too “because that's stealing time from the company”…



  • @Unperverted-Vixen said in Work proxy:

    @remi I'd rather they didn't, but I understand why they do. Besides, even if you accept that there's a reasonable expectation of personal use of employer resources (which I'm not sure I do, despite doing so to post to this site - I consider it a bonus, not an expectation), how are they supposed to know that your personal use of employer resources is "reasonable" or not if they aren't able to monitor it?

    If I don't like it, then I have the option of not abusing my employer's resources for personal use and using my phone instead.

    But that's a really depressing outlook. Your employer is paying you as a professional to do a defined task; as long as you fulfil your part, there ought to be reasonable latitude and respect. Once they start spying that all goes out the window.

    It gets even more stupid once you factor in all the costs of some daft IT bod (or, more likely, a middle manager with time on their hands) sitting watching whether @japonicus is properly tied to his keyboard, eyes glued to the IDE and typing sufficiently quickly. Because if I wanted to abuse things then I really could, SSL snooping wouldn't be what stopped me.

    If I were mucking around too much and not doing productive work then that would pretty quickly become obvious - no snooping required. In a past life, while I was still a postgrad, a porn-surfing lab tech found that out to his cost (at @dkf's WTFU coincidentally).


  • Discourse touched me in a no-no place

    @japonicus Most (all?) of the time there isn't going to be some person sat monitoring what everyone is up to at that moment in time. It'll just be logged somewhere so that if someone needs to check, or pull a report or whatever, they can. Maybe some alerts for suspicious activity.

    There should be no expectation that a company allows personal usage of their resources on their time. If they allow it, it's a bonus.



  • @loopback0 hopefully you're generally right about that, but I did work somewhere else where the over-paid head of IT essentially did exactly what I described (he of course also had the largest desk I've ever seen and several huge monitors - perhaps to make up for inadequacy elsewhere).

    I tunnelled most of my browsing via my home server - because many of the websites I needed for work were blocked by the stupid firewall.


  • Discourse touched me in a no-no place

    @japonicus said in Work proxy:

    In a past life, while I was still a postgrad, a porn-surfing lab tech found that out to his cost (at @dkf's WTFU co-incidentally).

    It happens. Idiotic to get caught; home access is so cheap these days. And it's definitely not the worst of things to occur in the general scheme of things. Diverting money into personal schemes is worse, whether those are for bitcoin, gambling or drunkenness. Or abusing power over others. Porn is simply embarrassing by comparison.

    What is silly is blocking off most sites, including those used for essential research and for corporate promotion, just in case they might be abused. We don't do that… except for critical systems (servers, lab instrument controllers, that sort of thing) and we can keep that level of security going much more easily when we can say “use your office PC instead for that”: always better to not have to fight battles with users.


  • kills Dumbledore

    @Unperverted-Vixen said in Work proxy:

    If I don't like it, then I have the option of not abusing my employer's resources for personal use and using my phone instead.

    On your employer's WiFi?


  • Considered Harmful

    @Jaloopa Am I still on my university's WiFi if my phone's WiFi connection says it's connected to 'DNS66 VPN'?


  • kills Dumbledore

    @pie_flavor 1) I don't know
    2) I don't care


  • Considered Harmful

    @Jaloopa Jeez, are you taking comedy lessons from @Rhywden all of a sudden?


  • kills Dumbledore

    @pie_flavor oh, that was meant to be funny? Sorry, I didn't notice



  • @loopback0 said in Work proxy:

    @remi said in Work proxy:

    I wonder if something could be made on the grounds that the company is accessing information that should be private (between me and the website I'm contacting)

    On a work computer, on work time?

    Yes, and yes. I was careful to make clear it depends on local law, because, well, of course it does. In France, it has been ruled (more than once, so there is a clear body of jurisprudence) that private information is, well, private, even if accessed through means that are controlled by someone else (your employer). This has been ruled time and again for things like personal correspondence (snail mail or email) or phone, which is why I wondered how internet browsing would fit or not in that framework.

    There should be no expectation that a company allows personal usage of their resources on their time. If they allow it, it's a bonus.

    That one is a slightly different thing (again, in French law at least). You're right that there is no expectation that your employer should allow personal usage of their resources. However if they do, then there is an automatic right to privacy. Your employer can forbid you to make personal phone calls using your office phone (*), but if they allow it, they have no right to snoop on you when you do so (and again, there are regularly employment tribunal cases that center around this, so it's been validated by judges many times).

    (*) although in that specific case it might be that they cannot even prevent you from making "reasonable" use of it, e.g. they couldn't fire you for calling your children's school in an emergency or other similar thing, but I'm not sure of that -- and it doesn't really matter to the rest of my point, so let's forget about this.

