# Setting global proxy settings



## tourniquet (Feb 17, 2009)

I have to use a proxy in order to connect to the net. In the case of Mozilla and Internet Explorer it's easy to configure, but I'm having problems with several other applications which do not provide an option to set a proxy.

So how do I configure my laptop to use the same proxy for all programs so that I do not have to change the proxy settings for every program I use?


----------



## Tekmazter (May 22, 2008)

Most applications will leverage Windows proxy settings for anything related to ports 80, 443, 21 and 22 if IE is configured. However, all applications are not created equal and therefore this would be up to the development of the app itself. 

What apps do you have that are not applying these settings correctly?


----------



## tourniquet (Feb 17, 2009)

Those programs do not have an option to set up a proxy. They are trying to connect without using any proxy, which is not possible. The ports do not matter in my case. I basically want to use torrent2exe. How do I configure it to use the proxy?


----------



## tourniquet (Feb 17, 2009)

Is there no way out???


----------



## asgley (Feb 26, 2009)

Create yourself a VPN to a remote box over a web port... easy.
Though if they are trying to stop you from running bittorrents, perhaps you should not bother?
Asg


----------



## Tekmazter (May 22, 2008)

asgley said:


> Create yourself a VPN to a remote box over a web port... easy.
> Though if they are trying to stop you from running bittorrents, perhaps you should not bother?
> Asg



This could work; however, many of today's firewalls (Cisco ASA, Checkpoint etc...) have application inspection which will prevent encryption from running over port 80. In fact, you can be so explicit and creative now at the admin level, someone might offload this information when it's being read and do a redirect through a honeypot and trace you back completely.

Not to mention that this could certainly violate guidelines set forth by an organization. 

In this case he's looking to use a torrent app. 

(note my application inspection blurb above)

Torrent apps generally open tons of UDP ports and if his firewall admin does egress filtering (becoming very common these days), this is not going to work. You need to be put outside the firewall.


----------



## asgley (Feb 26, 2009)

Yeah, it almost certainly breaks any guidelines, but if you establish a VPN with a remote 443, all the firewall will see is an encrypted stream to a port that deals with encrypted data; it will not be able to do any inspection.
Asg


----------



## Tekmazter (May 22, 2008)

asgley said:


> Yeah, it almost certainly breaks any guidelines, but if you establish a VPN with a remote 443, all the firewall will see is an encrypted stream to a port that deals with encrypted data; it will not be able to do any inspection.
> Asg


While this is true, egress filtering will tackle this issue and drop you at the gateway. 

Also, MS ISA server in its current form can already do payload inspection over *inbound* SSL traffic. ISA can literally break open the flow, inspect it and then let it move to its destination or drop it. With the latest version of ISA (to be named TMG) this is also going to be done outbound. So, if a shop has this installed in their LAN in say a back to back firewall configuration ... well, you can try but someone may come knocking.

If a company is in the business of protecting itself from the outside-in, then it should be proactively thinking about doing the same from the inside-out.


----------



## asgley (Feb 26, 2009)

I think you will find in the case where ISA is on the front end to a load of web servers you can give it the private keys to allow it to decrypt, inspect, then encrypt to send on to the web servers, with the same happening in reverse when the data is sent back.
There are quite a few devices that do this.
But to open other people's SSL tunnels realtime.... I doubt this can be done if it has no prior knowledge of the connection; if it can, then there are some serious security concerns to be raised about sys admins sniffing your online banking info, credit card details, etc etc.


----------



## Tekmazter (May 22, 2008)

asgley said:


> I think you will find in the case where ISA is on the front end to a load of web servers you can give it the private keys to allow it to decrypt, inspect, then encrypt to send on to the web servers, with the same happening in reverse when the data is sent back.
> There are quite a few devices that do this.
> But to open other people's SSL tunnels realtime.... I doubt this can be done if it has no prior knowledge of the connection; if it can, then there are some serious security concerns to be raised about sys admins sniffing your online banking info, credit card details, etc etc.


You're correct about ISA doing this only on the front end now. I also stated this earlier. However, there are already add-ons and have been for some time now which add the feature & functionality to do this outbound and with unbelievable ease. 

Check out Collective Software ClearTunnel. This is just one of a few out there which can inspect outbound SSL on the fly and require little in the way of configuration using an ISA infrastructure in the LAN. Again, TMG is already incorporating this in Beta 2 and will have this ready to roll at FR.

A good blurb: Thomas Shinder

A full review: ISAServer.org


----------



## asgley (Feb 26, 2009)

This looks more like it doesn't intercept the encrypted stream but establishes the connection to the secure site from the ISA server rather than from the client; the client in turn establishes an encrypted session from the local machine to the ISA.

I thought you meant it was actually opening encrypted streams, which would be much more serious.

Interesting concept though, I'm going to take a look and perhaps set up a test platform to see in more detail what's going on.

Asg


----------



## Tekmazter (May 22, 2008)

asgley said:


> This looks more like it doesn't intercept the encrypted stream but establishes the connection to the secure site from the ISA server rather than from the client; the client in turn establishes an encrypted session from the local machine to the ISA.
> 
> I thought you meant it was actually opening encrypted streams, which would be much more serious.
> 
> ...


Yes, I apologize. My explanation was not clear in that regard.

Bluecoat also has appliances which perform similarly but with a bit more of a price tag. 

I'm not sure what type of environment you have available to you now, but if you have an MSDN subscription and can get a hold of ISA for dev purposes or even TMG for that matter, they are interesting products.


----------

