Map behind firewall/proxy

Started by joel23, October 25, 2013, 07:37:23 PM

Previous topic - Next topic

joel23

Hi,
I am not able to get a map in my company, guess because of the firewall.
I might have missed it, but I can't find a location where I can define a proxy or should the Map use the proxy defined in the system / IE?
regards,
Joerg

Mario

The map panel embeds an IE and thus uses the default settings used by IE.

meyersoft

I also have this issue here.
Proxy is set in IE and google maps can be accessed via IE.
What else can I do?
Has someone else had this issue and solved it?

Mario

Looks like your firewall is just doing it's job. A firewall exists to prevent applications (like IMatch) connecting to the Internet (in the Geo Panel) without you knowing about and allowing it. You have to make an exception for IMatch in your firewall so it allows IMatch to connect to the Internet.

meyersoft

This is no personal, but a company firewall/proxy, so I won't be able to make changes.
Doesn't imatch use the default http port for the map?
I wouldn't bother if the "check for update" feature would not work if it uses different ports, but the map panel would really be helpful.

Mario

The GeoPanel loads a local HTML page, and this page then connects to whatever Map provider you have chosen (OpenSteetMap, Bing, Google). Do all services fail? Can you to reverse geo-tagging via the Tools menu?

Winfried

Not really a solution for a company firewall/proxy setup,
but I had a simular problem in my home network.
see: https://www.photools.com/community/index.php?topic=1504.0

So I opened the firewall for some IPs
for IMatch-Version-Check: 87.106.9.227
for Ajax-Version-Check (Google): 173.194.0.0/16, because it is hosted on a big farm.

But that is no solution on enterprise level.
Since I am working in this proxy/firewall-business for a global company, I can just advice you to discuss the problem with your security team.
In such situation I normally propose to use a socks client to bring the request through proxy and firewall.

Winfried

joel23

#7
Quote from: Winfried on April 29, 2014, 08:19:27 PM

But that is no solution on enterprise level.
Since I am working in this proxy/firewall-business for a global company, I can just advice you to discuss the problem with your security team.
In such situation I normally propose to use a socks client to bring the request through proxy and firewall.

Winfried
Winfried, you might try if netsh winhttp set proxy proxy-server="http=myproxy:8080" bypass-list="*.some.com  works, I am not behind a FW right now.

But I agree, I would like to see that too. A simple box where proxy settings can be applied (and IMatch using the entries). Even if the above command should work, some people don't have access to C:\ or to a command prompt in companies (eg. when on Citrix) and since we got "browser choice" using IE's settings would be not enough.

ps
And yes Mario, it fails on all settings. IMatch tries to reach all services directly.
The only exception was just some minutes ago when I connected to my company via VPN from home, but this is because the VPN client forces the OS to use companies proxy settings.
regards,
Joerg

meyersoft

Quote from: Mario on April 29, 2014, 06:46:03 PM
The GeoPanel loads a local HTML page, and this page then connects to whatever Map provider you have chosen (OpenSteetMap, Bing, Google). Do all services fail? Can you to reverse geo-tagging via the Tools menu?
Yes, all services fail.
I can however reverse-geo-tag.

joel23

Quote from: meyersoft on April 30, 2014, 09:04:52 AM
Quote from: Mario on April 29, 2014, 06:46:03 PM
The GeoPanel loads a local HTML page, and this page then connects to whatever Map provider you have chosen (OpenSteetMap, Bing, Google). Do all services fail? Can you to reverse geo-tagging via the Tools menu?
Yes, all services fail.
I can however reverse-geo-tag.
Me too. I checked: reverse-geo-tagging uses the system proxy.
regards,
Joerg

Mario

Check for Update, Email, Reverse goe-tagging and the web-related functions use my own code, based on HHML components provided by Windows.
The Geo Panel and App Panels are embedded Internet Explorer controls. They use the proxy settings made configured for Internet Explorer. Maybe there is a problem?

meyersoft

Maybe a silly question, but what is the difference between Windows and IE proxy?
Where can I set the proxy settings especially for IE that are no Windows settings?

joel23

Quote from: Mario on April 30, 2014, 09:53:57 AM
Check for Update, Email, Reverse goe-tagging and the web-related functions use my own code, based on HHML components provided by Windows.
The Geo Panel and App Panels are embedded Internet Explorer controls. They use the proxy settings made configured for Internet Explorer. Maybe there is a problem?
No, there is no problem. It seems that the Geo Panel somehow ignores IE's settings.

"Map" tries to connect directly (fail), "reverse geo-tagging" uses the system proxy (okay), "updates" accesses directly (okay) but by HTTPS, which outgoing is allowed here in our FW.

MAPI of course works, but SMTP eg. to Gmail don't, because Port 25 and SSL 465 are blocked by FW as well. But SMTP usually can't be or is not forced through a proxy.
See attachment, name of sending system and proxy-domain name are whitened.

[attachment deleted by admin]
regards,
Joerg

Mario

Can you show me the proxy settings you have made in Internet Explorer?

meyersoft

Attached are my IE proxy settings.

[attachment deleted by admin]

joel23

Quote from: meyersoft on April 30, 2014, 10:29:49 AM
Maybe a silly question, but what is the difference between Windows and IE proxy?
Where can I set the proxy settings especially for IE that are no Windows settings?
No, I am not talking about IE settings not being windows or system wide settings, but what is set there is valid within the user context only (logged in user), written to the registry (HKCU) and accessed via WinInet.
If there is no user login/context and by this no IE settings, for example on servers, update services might fail.

What is set via netsh winhttp set proxy proxy-server="http=myproxy:8080" bypass-list="*.some.com should be system wide settings, but is accessed by WinHTTP (different API)
MSDN tells that WinInet is a superset of WinHttp; if possible WinInet should be used.
regards,
Joerg

joel23

Quote from: Mario on April 30, 2014, 11:29:16 AM
Can you show me the proxy settings you have made in Internet Explorer?
If you asked for my settings: I am afraid I can't show, at least not as you might expect it, sorry.

Winfried and I am are talking about proxy settings on enterprise level, which might mean that the settings are defined by a PAC- or WPAD-file and automatically applied by a GPO. Users might not be able to apply a proxy manually to IE like 'meyersoft' did and showed in the dialogue.

The PAC-file just tells which proxy has to be used (= if the workstation is in "mein-domain.local" and destination HOST in the local "nets", access hosts directly, else use the proxy)

if( dnsDomainIs(host, ".mein-domain.local") ||
  isPlainHostName(host) ||
  isInNet(host, "10.0.0.0", "255.0.0.0") ||
  isInNet(host, "192.168.1.0", "255.255.255.0") ||
  isInNet(host, "192.168.168.0", "255.255.255.0") ||
  isInNet(host, "192.168.106.0", "255.255.255.0") ||
  isInNet(host, "192.168.210.0", "255.255.255.0") ||
   return "DIRECT";
   }
        else {
       return "PROXY my-proxy-server.external-domain.de:8080; DIRECT";

This works well, otherwise 500 people couldn't do their daily work. But I am not sure if there is an entry somewhere in the OS (registry) for a proxy when a PAC-file is used. On the other hand utilizes reverse-geo-tagging the proxy (and MAP not).
I have no clue why it behaves that different here.

If meyersoft's proxy is working correct, it IMHO should work.  When I apply this values in IE (on my private computer), both, the map and reverse geo-tagging are utilizing the proxy and nothing is working anymore, as it should be.
regards,
Joerg

Mario

All IE-based features (WebBrowser Control, which is part of Windows) in IMatch use the proxy settings made for Internet Explorer. When I change my proxy settings in IE to a proxy which does not exist, the Geo Panel stops working. When I change back to a working proxy, or to no proxy at all, the Geo Panel works again.

This shows that the WebBrowser control in IMatch reacts on the proxy settings. This is actually the default and I don't change it in any way. Usually this just works, unless an application is explicitly blocked or the target addresses used by the OpenView system used by IMatch are blocked (google, bing, OpenStreetMap, jQuery), etc.). The general rule is, when you can reach an address with IE, it also works in IMatch. Maybe ask your IT Admin for an analysis of why the traffic is blocked. IMatch does not interface with the Internet or the proxy server directly. It's all through the WebBrowser control. I had never to change any proxy settings or anything.

joel23

Quote from: Mario on May 01, 2014, 08:54:45 AM
All IE-based features (WebBrowser Control, which is part of Windows) in IMatch use the proxy settings made for Internet Explorer. When I change my proxy settings in IE to a proxy which does not exist, the Geo Panel stops working. When I change back to a working proxy, or to no proxy at all, the Geo Panel works again.
Yes, I know - this is what I described above, guess it's the same with the Map, or does it work when you set it to a non-existent proxy?
But this is on private computers.
Quote
This shows that the WebBrowser control in IMatch reacts on the proxy settings. This is actually the default and I don't change it in any way. Usually this just works, unless an application is explicitly blocked or the target addresses used by the OpenView system used by IMatch are blocked (google, bing, OpenStreetMap, jQuery), etc.). The general rule is, when you can reach an address with IE, it also works in IMatch.
I know, that is the general rule, but it seems not to work for meyersoft on a private computer (as I understand it) and Winfried and me behind an enterprise FW; whereas not the FW is the problem.
Quote
Maybe ask your IT Admin for an analysis of why the traffic is blocked.
Sorry, I won't soliloquize. ;)
Plz forget "blocking". It is blocked by FW because a direct access was made by IMatch. As you can see in the network dump, IMatch Map obviously didn't utilized the proxy, but tried to reach ee-in-* hosts directly (Google). That an enterprise FW are blocking direct calls is normal and nothing to change about this.
IMHO to be checked why there was no proxy used.

Quote
IMatch does not interface with the Internet or the proxy server directly. It's all through the WebBrowser control. I had never to change any proxy settings or anything.
Going to http://173.194.70.101/maps in a browser, which is one of the servers which was called, gives me a security risk because of an odd security certificate. Does the Webbrowser control makes it calls with suppressing this errors? 
I will set up my IE using a free proxy and with/without a PAC-file later. We'll see what happens.

[attachment deleted by admin]
regards,
Joerg

Mario

Geo Panel == Map Panel.

IMatch does not connect to any of the map servers. The open source OpenLayers toolkit used in the Map Panel is what makes the connections, depending on which service is enabled and what the library needs. IMatch only loads the OpenLayers-based map, which then loads map data from whatever server is configured using XML requests. All this is fully dynamic and map data is loaded as needed, e.g. when the user pans.

I have no control or idea why this traffic may be blocked by a proxy server. I've tried two remote proxies and they had no problems routing the traffic. I can't do more. And I can't impact how OpenLayers accesses the map servers to download the maps. These are just plain web service requests which access the databases operated by Google, Microsoft or the OpenStreetMap project.

joel23

With my test's here with a pac-file and an external proxy IMatch works as expected and used the proxy, except when the local firewall was active. But this is a different story, because the (local) FW prevents IMatch to access the network layer at all.
I have to check again on Monday, can be it is an IE 11 issue - we had that with other apps. After resetting IE everything works.
regards,
Joerg

joel23

Update: I made several tests incl. network dumps over the last weeks, but so far no luck.
As soon there is a predefined pac-file in use (in enterprise environment applied eg. by a GPO) IMatch tries to connect Google- or Geotag-Servers directly.
Direct connections are of cause blocked by Firewalls in those environments.
regards,
Joerg