Configuring a Rocket Appliance as a Proxy Server

Without a proxy server, when a user accesses a secure HTTPS site only the domain name (the subject of the SSL certificate) is visible to the Web Filter. Block or allow decisions can therefore be made only on that domain, not on the full URL.

If you configure a Rocket appliance as a proxy server, all HTTPS requests can be examined just like HTTP requests. When a user requests a secure website, such as a banking site, the encrypted request is sent to the proxy server. The proxy server decrypts it in order to read the full URL.

If it is determined to be an allowed request, the proxy server will then carry out the request on the client's behalf over SSL as expected. If the site is a blocked site, then the request will be denied and the user will see a block page.

Mobile devices may also be configured to use the proxy server. It is not recommended that you use the proxy server in conjunction with the Lightspeed Systems Mobile Filter on laptops. Make sure you configure mobile devices with a proxy server hostname that will resolve both on the inside and outside of your network.

The proxy server listens on TCP port 8080 on Rocket appliances where the Proxy Server role is enabled.

To configure a Rocket appliance as a proxy server, follow the steps below.

T-Mobile 4G and LTE Devices Are Not Supported
T-Mobile's implementation of caching servers is not compatible with the proxy module in the Lightspeed Systems Rocket. In most instances T-Mobile redirects lookup requests to their caching servers using a 301 redirect. In effect, this lets users retrieve cached versions of web pages that would normally be blocked by the Rocket appliance. T-Mobile is aware of the issue but as of this time has not taken any steps to resolve it. Refer to the "How to make internet settings in T-Mobile U8150-A?" and "Proxy servers disrupting service" discussions on the T-Mobile Support forum for more information.
  1. Configure your network.
    • In an Active Directory environment use Group Policy Objects (GPOs) to enforce the use of the proxy server.
    • In a Novell environment use ZENWorks to enforce the use of the proxy server.
  2. Configure your Rocket or Bottle Rocket appliance as a proxy server.
    1. Connect the Management port on the Rocket appliance to a port on your LAN switch.
    2. Log in to this appliance.
    3. Click Administration and then click Server Roles.
    4. Check (select) Proxy Server.
    5. Click Save.
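
The proxy settings that a GPO or ZENworks policy pushes to clients are commonly delivered as a PAC (proxy auto-config) file. The following is an added example, not a configuration from the Lightspeed page or product: a PAC function that sends browser traffic to the Rocket proxy on TCP port 8080 and sends only loopback, unqualified names, RFC 1918 addresses, an internal domain and a short list of named hosts direct. The proxy FQDN, the internal domain and the MDM host in `DIRECT_HOSTS` are placeholders. The helper functions `isPlainHostName`, `dnsDomainIs`, `shExpMatch` and `isInNet` are normally supplied by the browser's PAC engine; minimal shims are included at the bottom so the file can be exercised in Node.js, and they must be removed before deployment so they do not shadow the engine's versions.

```javascript
// Added example (not part of the Lightspeed page): PAC file routing browsers through
// the Rocket proxy on port 8080. Host names and subnets below are placeholders.
var ROCKET_PROXY = "PROXY rocket-proxy.example.org:8080"; // FQDN must resolve inside and outside the network
var INTERNAL_DOMAIN = ".corp.example.org";                // placeholder internal DNS suffix
var DIRECT_HOSTS = ["mdm.example.org"];                   // hypothetical hosts that must not be intercepted

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and loopback never leave the LAN.
  if (isPlainHostName(host) || host === "localhost" || isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // RFC 1918 address space (the shim below matches literal IP hosts only).
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Internal domain and the explicit direct list.
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  for (var i = 0; i < DIRECT_HOSTS.length; i++) {
    if (shExpMatch(host, DIRECT_HOSTS[i])) return "DIRECT";
  }
  // Everything else goes through the filter. Deliberately no "; DIRECT" fallback:
  // if the proxy is unreachable the browser fails closed instead of bypassing the filter.
  return ROCKET_PROXY;
}

// ---- Shims for testing outside a browser; delete this section before deploying ----
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length > domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d+$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(host, net, mask) {
  var h = ipToInt(host); // real PAC engines resolve names here; the shim accepts literal IPs only
  if (h === null) return false;
  var m = ipToInt(mask);
  return ((h & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}
```

Anything returned as `DIRECT` is not inspected by the Web Filter, so keep that list short and review it as deliberately as a firewall rule; the script returns a single `PROXY` entry without a `DIRECT` fallback for the same reason.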

You should also install the SSL certificate from the Rocket appliance since some SSL sites will not work if the certificate is not installed as a trusted root authority.

You need to download the SSL certificate from the proxy/Rocket appliance and install it on all of your proxy clients. You can push it out through a GPO (Microsoft Exchange) or ZENWorks (Novell) at the same time that you push out the proxy settings.
The SSL certificate can be downloaded from the Rocket appliance at the http://(fqdn)/lsaccess/proxycert URL. You must use the FQDN of the proxy in this URL to download the certificate.

Note:
For iOS devices running iOS 6.0 and above you can use Lightspeed Systems Mobile Manager to push a global proxy configuration that requires no user intervention to use the Rocket appliance proxy server. This is an alternative Web Filter solution that does not require the Lightspeed Systems Mobile Browser app. See the Mobile Manager Global Proxy wiki page on the Mobile Manager wiki for more information.
  1. Oct 11, 2012

    Robert Robb says:

    Any chance the port number used can be set manually in an upcoming release? We are using the lightspeed to replace an existing proxy/filter machine and it uses a different port. Many of the machines were set manually and we could just change dns except the port number is different. We have that port already identified in firewalls as well to force the old proxy. Also, are the bridge ports not used in a proxy situation as they don't have ip settings?

  2. Jan 31, 2013

    David Kull says:

    I have installed the certificate, and now the secure website loads. However, when the user launches the Citrix app, the Citrix client fails to run due to a certificate error.

    The error reads:
    Unable to launch your application. Contact your help desk with the following information: Cannot connect to the Citrix XenApp Server. SSL Error 59: The server sent a security certificate identifying "xxx.xxx.xxx.xxx", the SSL connection was to "www.xxxxx.com"

    How do I resolve this issue?

    Note:
    When I use a squid proxy server, the application works fine.

  3. May 15, 2013

    tim bynum says:

    iOS Users Note: At the time of this post, should the Global Proxy setting on a Configurator-supervised device be set to proxy through the Rocket, all SSL sites will report a certificate error. The Rocket delivers an incorrect certificate to the iOS device. While using the Safari browser, this is a moderate annoyance, having to accept malformed cert after cert.

    Where the Global Proxy completely breaks down is when the user wants to use an app to touch SSL traffic. Since the app will not present the user with a choice of accepting an invalid certificate, the app simply does not work. For instance, the App Store application simply cannot connect to the store.

    Lightspeed's interim workaround is a Lightspeed-technician-only exceptions whitelist.

    At the time of this writing, until the proxy service is ready for prime-time, note that your iOS SSL functionality will be exceedingly limited.

    1. May 08, 2013

      Dennis DeVore says:

      I also noticed that when using the proxy setting on iOS it breaks our MDM solution because of the certificates.

      Also, chromebooks can't visit any https sites as well.

  4. Oct 17, 2013

    Luke Reagor says:

    Tim and Dennis, are you still having problems with the Global Proxy?

    1. Nov 22

      William DiDomenico says:

      I am experiencing the same issue that Dennis has described. Once the Global Proxy profile is installed whether through Apple Configurator or our MDM, AirWatch, it breaks our MDM. Profiles pushed from AirWatch are not installed, and the enrollment process cannot be completed. I have installed the Lightspeed Proxy and Web Console self-signed certificates as trusted certs.

      1. Nov 22

        tim bynum says:

        William,

        We discontinued use of the Rocket's proxy services.

      2. Jan 23

        Jonathan Freese says:

        We use JAMF Casper as our MDM and had the same problem with profiles not getting through and the enrollment process failing to complete after the SSL cert and Global Proxy profile were installed. I tracked the problem down to APN payloads being rejected. (The APNs were getting through the proxy server without issue.) After Lightspeed Support added our MDM server to the special whitelist (Adding the MDM server to the ignore list didn't do the trick.) the APN payloads were able to pass through without issue and JAMF Casper worked exactly as expected when deploying or removing profiles and enrolling devices. Since our MDM server was added to the whitelist I haven't had a single problem with APNs or profiles on any of our managed devices.

  5. Feb 03

    William DiDomenico says:

    We were able to get the MDM portion of our deployment working, but we're having no luck getting our iPads using the Global Proxy to work with an Apple Caching server. While the caching server is enabled, all the iPads will receive the error "Unable to Download Item". If I disable the caching server, downloads will proceed normally. If I use an alternative proxy server (e.g. Squidman) the iPads use the caching server no problem.

    1. Feb 03

      Jonathan Freese says:

      Which version of Caching Server are you using? Using Caching Server 2 (10.9.1) with "Only cache content for local networks" unchecked I have yet to have any problems.

      Is the computer running your Caching Server in the technician Global Whitelist? We had similar issues at first when using the Global Proxy so I had any server managing APNs, DNS, or SU/Caching added to the Global Whitelist to prevent any oddities and unchecked the default "Only cache content for local networks" and it resolved our issues.

      1. Feb 03

        William DiDomenico says:

        We are using the caching server on 10.9.1, "only cache content for local networks" is unchecked. I'm guessing the technician whitelist is something only Lightspeed support has access to.

        1. Feb 03

          Jonathan Freese says:

          It is accessed by support only. Send them an email with the IPs and FQDNs of the servers and they can add them to the list.

          1. Feb 03

            William DiDomenico says:

            Just got off the phone with support, I did send them a list of IPs to whitelist, but the tech said they've made a change on the back-end and it is actually the port that gets blocked. Also, he mentioned something about the engineers not recommending IPs be whitelisted because those can be re-written. Once the port was whitelisted, the App Store began working again. I found a document on how to force a specific port for the caching service: http://support.apple.com/kb/HT5590

            I hope this helps anyone else having similar issues.

  6. Feb 06

    Nathan Forrest says:

    We are having an issue with caching server as well but I am wondering if it's something with the subnets.

    I.E. iPad is on 10.9.x.x network and the proxy is on our 10.1.x.x, caching server running 10.9.1 is on 10.9.x.x network. With all our clients pointed at our rocket on the 10.1 network I see a ton of traffic downloading from the proxy address from the internet. Local caching server also has the box unchecked to restrict to local network. I don't see any caching being hit on the server during the download either. Would the caching server need to be on the 10.1.x.x network the same as the proxy server or should that matter? Is it a port issue as well?

    1. Feb 06

      Jonathan Freese says:

      My guess would be it is a port issue. We're running multiple VLANs and the subnets for our iPads and server are on a different subnet and VLAN.

    2. Feb 06

      William DiDomenico says:

      The caching server has to have the same external IP address as the devices it will serve. Some users have set up NAT rules to route all traffic destined to Apple's network (17.0.0.0/8) through a single external IP so any internal device, regardless of VLAN, will use the caching server. I have two caching servers; one for non-proxy devices and the other for proxy devices. I have a dynamic NAT rule set up in our Cisco ASA that sends Internet-destined traffic from the second caching server out the same external IP address as the Rocket. The first caching server has the same external IP as non-proxied devices.

  7. Feb 06

    Nathan Forrest says:

    Makes sense. I'll give that a shot. Thanks!
