Use a forward proxy with EAA Client

Learn to configure EAA Client when you have a forward proxy within your organization.

Some organizations use a forward proxy server within the corporate network to connect to the internet. The user’s machine connects to the forward proxy server, which performs operations like authentication and web filtering, and then the traffic is routed to the internet.

If EAA Client is installed on these machines, organizations require EAA Client to forward all EAA traffic to the forward proxy before reaching the EAA Cloud.

EAA Client supports both HTTP and HTTPS proxy types. With respect to proxy authentication, we support the No Authentication and NTLMv2 Authentication modes.

You first need to configure the system proxy on the end users’ machines. You may use a Group Policy management tool (GPO) to push the system proxy changes to all the end users’ machines. The system proxy setup differs depending on the OS of the machine (Windows 7, Windows 10, or Mac), as described below:

System Proxy configuration for Mac users

On a Mac, since EAA Client sends secure web traffic, you should only use these proxy settings for any interface (Wi-Fi, Thunderbolt, etc.). For example, if you are using a Wi-Fi interface, you would configure the proxy settings as:

Even if you select multiple protocols for Mac, EAA Client will only send secure web traffic.

If you select only Web Proxy (HTTP) as the protocol for any interface on Mac, EAA Client proxy settings will not work, since we send only secure web traffic:
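One way to check this requirement on a Mac is sketched below, as an added example that is not part of the original documentation. It classifies the output of the macOS `networksetup -getwebproxy` and `networksetup -getsecurewebproxy` commands; the function names, the sample output and the host `proxy.corp.example` are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a macOS interface's system proxy suit EAA Client?

# field NAME TEXT: print the value of the first "NAME: value" line in TEXT.
field() {
    printf '%s\n' "$2" | sed -n "s/^$1: *//p" | head -n 1
}

# eaa_mac_proxy_verdict HTTP_OUT HTTPS_OUT
# HTTP_OUT  = output of `networksetup -getwebproxy <service>`
# HTTPS_OUT = output of `networksetup -getsecurewebproxy <service>`
# Prints one verdict line; returns 0 only if the secure web proxy is usable.
eaa_mac_proxy_verdict() {
    http_on=$(field Enabled "$1")
    https_on=$(field Enabled "$2")
    server=$(field Server "$2")
    port=$(field Port "$2")
    if [ "$https_on" = "Yes" ]; then
        if [ -z "$server" ] || [ -z "$port" ] || [ "$port" = "0" ]; then
            echo "FAIL: Secure Web Proxy (HTTPS) is enabled without a server or port"
            return 1
        fi
        echo "OK: Secure Web Proxy (HTTPS) $server:$port"
        return 0
    fi
    if [ "$http_on" = "Yes" ]; then
        echo "FAIL: only Web Proxy (HTTP) is enabled; EAA Client needs the secure web proxy"
        return 1
    fi
    echo "FAIL: no system proxy is enabled on this interface"
    return 1
}

# Constructed sample output (not captured from a real machine).
SAMPLE_HTTP='Enabled: Yes
Server: proxy.corp.example
Port: 8080
Authenticated Proxy Enabled: 0'
SAMPLE_HTTPS_ON="$SAMPLE_HTTP"
SAMPLE_HTTPS_OFF='Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0'

# HTTP-only fails, HTTP plus HTTPS passes. On a Mac, pass live output instead:
#   eaa_mac_proxy_verdict "$(networksetup -getwebproxy Wi-Fi)" \
#                         "$(networksetup -getsecurewebproxy Wi-Fi)"
eaa_mac_proxy_verdict "$SAMPLE_HTTP" "$SAMPLE_HTTPS_OFF" || true
eaa_mac_proxy_verdict "$SAMPLE_HTTP" "$SAMPLE_HTTPS_ON"
```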

System Proxy configuration for Windows 7 users

Make sure you have added the manual proxy settings for your organization’s proxy server:

  1. Open the Start Menu and type proxy.
  2. Click Configure proxy server.
  3. The Internet Properties window opens.
  4. Click the Connections tab.
  5. Click on LAN settings in the Local Area Network (LAN) settings section.
  6. Go to the Proxy server section, enter the Address and Port of the proxy server.

System Proxy configuration for Windows 10 users

Make sure you have added the manual proxy settings for your organization’s proxy server:

  1. Open the Start Menu and click Settings.
  2. Click Network & Internet.
  3. Click Proxy. The proxy page opens.
  4. Go to the Manual proxy setup section.
  5. Turn the Use a proxy server switch on.
  6. In the Address field, enter the IP address of the proxy server.
  7. In the Port field, enter the port of the proxy server.
  8. Add an exceptions list (optional).
  9. Click Save.

Configure EAA Client with a forward proxy for Windows 10 and Mac Users

Learn to configure EAA Client to work with a forward proxy for Windows 10 and Mac machines.

Follow these steps to configure EAA Client to work with a forward proxy server within your organization. This workflow is for Windows 10 and Mac users:

How to

  1. Run the silent install command with forward proxy mode enabled using the --forwardproxy enable option. If this option is not used in the silent install, forward proxy is disabled.

    For example, to do a silent install of EAA Client on a Windows 64-bit machine with an IdP_portal_URL of https://myidpportal.mycompany.com, with the forward proxy server enabled and EAA Client starting immediately after installation, run this command after downloading the EAA Client:

    "<EAA Client package directory>\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url <idp_portal_url> --forwardproxy enable

    For example, to do a silent install of EAA Client on a Mac machine with an IdP_portal_URL of https://myidpportal.mycompany.com:

    sudo ./Contents/MacOS/installbuilder.sh --mode unattended --unattendedmodeui none --url https://myidpportal.mycompany.com --forwardproxy enable
    
    Note: You cannot disable the forward proxy option on the command line with Silent install. You can only disable the forward proxy within the EAA Client Settings window.
  2. When the end user opens the EAA Client, the Proxy is enabled in the EAA Client Settings > Options, Advanced section. If the organization has configured a forward proxy on the employees’ laptops, the Proxy (URL host or IP address of the proxy server URL) and the Authentication type are displayed. The Network will be Public (using Proxy):
    Note: If you are on a trusted network and a proxy server is being used, you will see Network: On-premises (using Proxy).

    EAA Client receives this information from the Proxy Settings configured by the network administrator on the Windows or Mac laptop. For configuring forward proxy on Windows 10, see How to Set Up a Proxy in Windows 10. For configuring forward proxy on macOS, see Enter proxy server settings on Mac.

  3. The admin must provide the proxy credentials to the employees of the organization. The end user is prompted for proxy credentials, enters the Username, Password, and Domain, and clicks OK. If any of the credentials are incorrect, the user is prompted again with this dialog box until the credentials are entered correctly.

    All traffic intercepted by EAA Client now goes through the organization’s internal forward proxy to reach the EAA Cloud, and then the app server. Likewise, all inbound traffic comes to the EAA Client through the forward proxy.

    For Windows, if you check the alerts inside the EAA Client Settings window, you will see this alert when EAA Client has successfully detected the proxy configured in the system:

    For Mac, if you check the alerts inside the EAA Client Settings window, you will see this alert when EAA Client has successfully detected the proxy configured in the system on the displayed interface, such as Wi-Fi:

    If you have any problems, see Use alerts to debug forward proxy issues with EAA Client for more troubleshooting steps.

    Note:
    1. EAA Client checks the system proxy settings every 45 seconds for any changes, such as the proxy server’s URL, IP address, port, or domain, and updates accordingly.
    2. If the end user logs out or quits out of EAA Client, they will be prompted to enter the proxy credentials when they log in or re-authenticate with EAA Client.
    3. If you disable the Enable Proxy option inside the EAA Client Settings window and re-enable it, you will be prompted to enter the proxy credentials.
    4. If the network administrator updates the PAC script inside Automatic proxy setup in the Proxy Settings on the Windows or Mac machine, EAA Client will not update the PAC details but will issue an alert “PAC file is already in use please disable existing PAC settings”. See Check alerts inside EAA Client. The admin or user has to turn off the Proxy setup script in the Automatic proxy setup to fix this issue.
  4. The end user can disable the forward proxy in two ways:
    • Disable the Proxy inside EAA Client > Options, Advanced section.
    • Click Cancel while entering the proxy credentials, click Yes for Disable proxy.

      The end user may not be able to use EAA Client for accessing your TCP-type and tunnel-type client access application, if a forward proxy has been configured by the organization, since EAA Client does not intercept the traffic any more.

Configure EAA Client with a forward proxy for Windows 7 users

Learn to configure EAA Client to work with a forward proxy for Windows 7 machines.

Follow these steps to configure EAA Client to work with a forward proxy server within your organization if users are using Windows 7 machines:

How to

  1. In the Windows 7 System proxy settings, the admin or user must manually add the proxy auto-configuration (PAC) file to the Script address when they want to use EAA Client with a forward proxy server. The Script address must be http://127.50.100.1:9078/api/eaaproxypac.
  2. Run the silent install command with forward proxy mode enabled using the --forwardproxy enable option. If this option is not used in the silent install, forward proxy is disabled.

    For example, to do a silent install of EAA Client on a Windows 64-bit machine with an IdP_portal_URL of https://myidpportal.mycompany.com, with the forward proxy server enabled and EAA Client starting immediately after installation, run this command after downloading the EAA Client:

    "<EAA Client package directory>\EAAClient-x64.exe" --mode unattended --unattendedmodeui none --url <idp_portal_url> --forwardproxy enable

    For example, to do a silent install of EAA Client on a Mac machine with an IdP_portal_URL of https://myidpportal.mycompany.com:

    sudo ./Contents/MacOS/installbuilder.sh --mode unattended --unattendedmodeui none --url https://myidpportal.mycompany.com --forwardproxy enable
    
    Note: You cannot disable the forward proxy option on the command line with Silent install. You can only disable the forward proxy within the EAA Client Settings window.
  3. When the end user opens the EAA Client, the Proxy is enabled in the EAA Client Settings > Options, Advanced section. If the organization has configured a forward proxy on the employees’ laptops, the Proxy (URL host or IP address of the proxy server URL) and the Authentication type are displayed. The Network will be Public (using Proxy):
    Note: If you are on a trusted network and a proxy server is being used, you will see Network: On-premises (using Proxy).

    EAA Client receives this information from the Proxy Settings configured by the network administrator on the Windows or Mac laptop. For configuring forward proxy on Windows 10, see How to Set Up a Proxy in Windows 10. For configuring forward proxy on macOS, see Enter proxy server settings on Mac.

  4. The admin must provide the proxy credentials to the employees of the organization. The end user is prompted for proxy credentials, enters the Username, Password, and Domain, and clicks OK. If any of the credentials are incorrect, the user is prompted again with this dialog box until the credentials are entered correctly.

    All traffic intercepted by EAA Client now goes through the organization’s internal forward proxy to reach the EAA Cloud, and then the app server. Likewise, all inbound traffic comes to the EAA Client through the forward proxy.

    Note: When EAA Client is not in use, the admin or user has to remove the PAC script manually.

    For Windows, if you check the alerts inside the EAA Client Settings window, you will see this alert when EAA Client has successfully detected the proxy configured in the system:

    If you have any problems, see Use alerts to debug forward proxy issues with EAA Client for more troubleshooting steps.

  5. The end user can disable the forward proxy in two ways:
    • Disable the Proxy inside EAA Client > Options, Advanced section.
    • Click Cancel while entering the proxy credentials, click Yes for Disable proxy.

      The end user may not be able to use EAA Client for accessing your TCP-type and tunnel-type client access application, if a forward proxy has been configured by the organization, since EAA Client does not intercept the traffic any more.

Limitations of EAA Client forward proxy support

These are the limitations of EAA Client when you have a forward proxy in your organization.

  1. Auto-detection for Web Proxy Auto Discovery (WPAD) protocol and proxy auto-configuration (PAC) is not supported in this release.
  2. MITM Proxy is not supported.
  3. SSO based authentication is not supported.
  4. On a Mac, when both VPN and EAA Client are enabled, any changes to the system proxy settings will not be detected inside the EAA Client Settings Window.
  5. EAA Client in Windows 7 does not support automatic management of PAC script configuration in system proxy settings. See Configure EAA Client with a forward proxy for Windows 7 users.
  6. For Internet Explorer browser configuration, add 127.50.100.1 under Exceptions. See Microsoft docs for navigating to the Exceptions from the Settings > Internet options menu.
  7. On a Mac, if you’re using a Safari browser, forward proxy is not supported.

Use alerts to debug forward proxy issues with EAA Client

Check the alerts to debug any commonly faced issues while configuring EAA Client with a forward proxy.

EAA Client issues several alerts in the EAA Client Settings window when there are problems with the forward proxy configuration. If you have problems, you can set the verbosity to high and check the alerts.

  1. If the proxy server is not reachable from the user’s machine, you get this alert:

    Check the proxy server host URL or IP address, port and make sure it’s correct. Retry after correcting it.

  2. If the user’s laptop is using a wrong authentication scheme, you will get the alert message:

    You should be using the NTLMv2 authentication or No authentication scheme. Contact the network administrator to fix it.

  3. If you entered the wrong proxy credentials, set the verbosity to high and check the alerts. You will see:

    Enter the correct proxy credentials and retry to authenticate with the proxy server.

  4. If you have an existing PAC file in your Automatic Proxy Setup, you will receive this alert message:

    You should disable the existing PAC settings.