Date Posted:
Product: TIBCO Spotfire®
Problem:
Using proxy to connect outside of Spotfire environment with Web Player or Automation Services
Solution:
Web Player (WP) and Automation Services (AS) are based on Microsoft .NET, so the system.net defaultProxy element can be set for their network traffic.
Preferred practice
If the defaultProxy setting is left empty, as in the default service config, the proxy settings in Internet Options of the user running the Node Manager are used. The easiest way to manage this is to run the Node Manager as a service account, and to use Internet Explorer as this service account (e.g. using runas) to access the Internet Options and to verify access. For general map access, try to access https://geoanalytics.tibco.com/service/ssl/services-list.json and adjust proxy settings until it works.
Remember to check "bypass local addresses", or the Web Player will not start since it will fail to access the Spotfire Server (no proxy should be used for that communication).
If Internet Options is not fit for purpose or when running as Local System
Microsoft documentation describing the defaultProxy element: https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/network/defaultproxy-element-network-settings
The proxy settings (defaultProxy) are set in the Spotfire.Dxp.Worker.Host.exe.config file for each service.
There are some aspects that are important to note for the usage in Spotfire:
- The bypasslist needs to include regex(s) that match all addresses used in backend of the Spotfire Environment (all nodes, all servers).
- The bypasslist must also include regex(s) for all resources the Service is planning to access without proxy (e.g. TIBCO Spotfire Statistics Services, data sources which use http, image servers, ...)
- If a proxy script is used (scriptLocation is used), the bypassing of addresses can be handled there.
Comments on the documentation (as of 2018) from the Spotfire perspective:
* "If bypassonlocal is set to any value, scriptLocation is ignored."
So, if you are trying to use a proxy script, make sure the bypassonlocal is not set to _any_ value.
* "If the defaultProxy element is empty, the proxy settings from Internet Explorer will be used."
The settings used here are the settings for the user session performing the outgoing request (Node Manager service account or the delegated Kerberos user)
Sub Processes only read Internet Options
When sub processes are triggered (e.g. PDF export including maps, and some other cases) these processes do not read the config files for AS/WP, so their connections only use the Internet Options of the user they are running as. This user is the Node Manager service account, or the delegated user for the cases where the user is delegated to the sub process (if delegated Kerberos is used).
- Runas can be used to start Internet Explorer as another user for testing an address that requires proxy (and e.g. changing Internet Options for that user)
- For Local System, PStools is needed to do the same for that account (https://marckean.com/2010/12/17/run-internet-explorer-as-the-local-system-account/)
Some configuration examples in Spotfire.Dxp.Worker.Host.exe.config in the service configuration:
Default
    <!-- ********* Proxy settings ********** -->
    <!-- See https://msdn.microsoft.com/en-us/library/sa91de1e.aspx for more information. -->
    <!-- If you have an authenticated proxy, credentials for the proxy server can be set -->
    <!-- in section "applicationSettings/Spotfire.Dxp.Web.Properties.Settings" above -->
    <!-- using "ProxyUsername" and "ProxyPassword" -->
    <system.net>
      <defaultProxy>
      </defaultProxy>
    </system.net>
Conclusion:
- defaultProxy is empty, so Internet Options are used.
- Basic authentication is supported if the defined proxy requires authentication, and this can be configured as described above. Other authentication options would require the Internet Options to be used correctly.
Adding the company wide proxy script
This might be needed if the service account, e.g. Local System, does not pick up the company standard profile on this machine. All bypassing etc. is handled by the script.
    <system.net>
      <defaultProxy enabled="true">
        <bypasslist></bypasslist>
        <proxy scriptLocation="http://proxyserver.contoso.com/pathtoproxyscript.pac" />
      </defaultProxy>
    </system.net>
Conclusion: All bypassing etc. is handled by the script.
A proxy server configured with bypass for machines in the range 10.105.*.* and DNS names ending with *.contoso.com
    <system.net>
      <defaultProxy enabled="true">
        <bypasslist>
          <add address="[a-z]+\.contoso\.com$" />
          <add address="10\.105\.\d{1,3}\.\d{1,3}" />
        </bypasslist>
        <proxy bypassonlocal="true" proxyaddress="http://proxyserver.contoso.com" />
      </defaultProxy>
    </system.net>
Conclusion: Addresses that should bypass the proxy have to be defined, including localhost (this is the bypassonlocal). The addresses in the bypasslist are defined as regexes that should match the hosts for which the proxy should not be used.
Contoso.com is the example domain Microsoft uses in their documentation.
The number of regexes you can enter is unlimited, so you do not need to make a regex so complicated that a single line defines everything you want.
This means that the regex can be made rather crude since it only needs to separate the addresses that will be accessed by the Web Player process (so you do not need to think about all other possible addresses).
Documentation:
Microsoft documentation: https://docs.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/network/defaultproxy-element-network-settings
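To see which destinations a proxyaddress/bypasslist configuration like the one above sends direct and which through the proxy, the values can be loaded into System.Net.WebProxy, the .NET class that exposes the same proxy address, bypass-on-local and bypass-list settings. This is an added PowerShell example, not TIBCO's code; the function name Test-ProxyBypass and all test URLs except the geoanalytics one are constructed for illustration, and configurations that rely on scriptLocation or an empty defaultProxy are not covered.

```powershell
# Added example (not TIBCO code). The XML repeats the bypass example from this
# article; every test URL except the geoanalytics one is a constructed placeholder.
$configXml = @'
<configuration>
  <system.net>
    <defaultProxy enabled="true">
      <bypasslist>
        <add address="[a-z]+\.contoso\.com$" />
        <add address="10\.105\.\d{1,3}\.\d{1,3}" />
      </bypasslist>
      <proxy bypassonlocal="true" proxyaddress="http://proxyserver.contoso.com" />
    </defaultProxy>
  </system.net>
</configuration>
'@

function Test-ProxyBypass {
    param([Parameter(Mandatory)][string]$ConfigXml,
          [Parameter(Mandatory)][string[]]$Url)

    $defaultProxy = ([xml]$ConfigXml).SelectSingleNode('//system.net/defaultProxy')
    $proxyEl = if ($defaultProxy) { $defaultProxy.SelectSingleNode('proxy') }
    if (-not $proxyEl -or -not $proxyEl.GetAttribute('proxyaddress')) {
        # Empty defaultProxy or scriptLocation: routing is decided by Internet
        # Options or the proxy script, which WebProxy cannot evaluate.
        throw 'No proxyaddress in defaultProxy; nothing to evaluate here.'
    }
    # Collect the bypasslist regexes exactly as written in the config.
    $patterns = [string[]]@($defaultProxy.SelectNodes('bypasslist/add') |
                            ForEach-Object { $_.GetAttribute('address') })
    $onLocal  = $proxyEl.GetAttribute('bypassonlocal') -eq 'true'
    $proxy    = [System.Net.WebProxy]::new($proxyEl.GetAttribute('proxyaddress'), $onLocal, $patterns)

    foreach ($u in $Url) {
        $uri   = [Uri]$u
        $route = if ($proxy.IsBypassed($uri)) { 'direct' } else { "via $($proxy.GetProxy($uri))" }
        [pscustomobject]@{ Url = $u; Route = $route }
    }
}

Test-ProxyBypass -ConfigXml $configXml -Url @(
    'https://geoanalytics.tibco.com/service/ssl/services-list.json',  # should use the proxy
    'https://spotfireserver.contoso.com/',                            # backend, should be direct
    'https://node1.contoso.com:9443/',                                # host name with digit, custom port
    'http://10.105.3.20/',                                            # backend IP range
    'http://localhost/'                                               # covered by bypassonlocal
) | Format-Table -AutoSize
```

To check a deployed service, pass the content of its Spotfire.Dxp.Worker.Host.exe.config (read with Get-Content -Raw) as -ConfigXml and list every backend and external URL the service uses, with its real port.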
Keywords: proxy , proxies , PDF export , map , maps , map chart , mapchart