Proxy at In

Warning: the information on this page is not "official". In September 2018, Intel IT published their official page at https://wiki.ith.intel.com/display/proxy/Proxy+Users+Guide+Home

WPAD automatic configuration

For computers and programs supporting the use of WPAD (Web Proxy Autodiscovery Protocol) (almost all web browsers, Chromebooks and more), a WPAD configuration file is maintained by Intel IT and available at: http://wpad.intel.com/wpad.dat. This is the official configuration used by all Windows systems maintained by IT, so it's very unlikely to be broken - or at least never for very long.

If needed, this can also be passed as a configuration URL, for example to Mozilla Firefox and FoxyProxy. One reason to set this URL explicitly is that Intel IT does not set ".intel.com" as a DNS search domain in every location (the same reason why http://goto.intel.com/TAC always works while http://goto/TAC only works in most places).

This (complex) configuration works better with internal intel.com sites thanks to various exclusion lists.

If you forget this URL you can find it quickly again on any IT system: Start Menu->type "proxy"->LAN settings.

Applications

SSH from a Mac to AWS

Check https://intelpedia.intel.com/AWS_Administrative_Bastion_Host for background info.
Create ~/.ssh/config with the following lines:

Host *.amazonaws.com
    ProxyCommand /usr/bin/nc -X 5 -x proxy-us.intel.com:1080 %h %p

Then start SSH with:

 ssh -i "Key.pem" user@ec2.compute.amazonaws.com

Where Key.pem is the private key generated in AWS
Where user is the user in the AWS system
Where ec2.compute.amazonaws.com is the DNS of the AWS system
 

SSH from Linux pool to outside

You can ssh into external systems with Secure IT's ssh client that is installed in our Linux server pool with:

 ssh -o ProxyCommand='socat - "socks5:%h:%p|tcp:proxy-socks..intel.com:1080"' SOME_EXTERNAL_TO_INTEL_SITE

You can also add this to your $HOME/.ssh/config file to simplify retyping (change to your site, jf/sc/fm/us etc.):

Host example.com
   ProxyCommand nc -X 5 -x proxy-.intel.com:1080 %h %p

Then type on the command line, for example: ssh [email protected]

Using ssh2 to connect out via SOCKS proxy

Add this to your ~/.ssh2/ssh2_config:

   github.com:
       ProxyCommand  /usr/intel/bin/socat - "socks5:%h:%p|tcp:proxy-socks..intel.com:1080"

With GIT

 /usr/intel/pkgs/git/2.17.0/bin/git clone --config http.sslVersion=tlsv1.2 ssh://[email protected]/mmccoo/vocab.git

Using openssh to connect out via SOCKS proxy

With netcat

On a host where you use OpenSSH, you can modify your .ssh/config file to include:

   Host *
       ProxyCommand nc -X 5 -x proxy-us.intel.com:1080 %h %p

Please don't modify your system's master config file /etc/ssh/ssh_config; this affects all users and probably isn't what you want to do. On OpenSuse or SLES/SLED the 'netcat' provided here is netcat-openbsd. Be sure each Host directive has a full empty line between entries in your config files.

If your system does not have BSD netcat, e.g. you run Fedora, consider using this ProxyCommand instead.

   Host * 
       ProxyCommand nc --proxy-type socks5 --proxy proxy-us.intel.com:1080 %h %p

Debian Linux netcat's nc command does not support -X, -x, --proxy, and --proxy-type, so use connect-proxy instead:

   Host *
       ProxyCommand connect-proxy -S proxy-us.intel.com:1080 %h %p

With connect.exe

If you do not have netcat installed, but you have connect.exe (which is the case for MinGW):

Inline:

 ssh -o ProxyCommand='connect -S proxy-us.intel.com:1080 %h %p' externalsite.com

Using ~/.ssh/config:

   Host *
       ProxyCommand  connect -S proxy-us.intel.com:1080 %h %p

git

To clone an http git URL (note: this does *NOT* work for git:// urls), inside Linux, do something like:

 setenv http_proxy proxy-chain.intel.com:911
 git clone http://github.com/tpope/vim-fugitive.git

To clone an http git URL, inside Windows, do something like:

 git config --global http.proxy http://proxy-chain.intel.com:911
 git clone --recursive https://github.com/spf13/spf13-vim.git

To clone an ssh git URL through the socks proxy (tested on OS X 10.8), do the following:

1. Install connect (a socks proxy utility) using homebrew (or MacPorts) or your local package manager:

 brew install connect

2. In your shell startup script (i.e. ~/.profile), set the following environment variables:

 export SSH_SOCKS_SERVER='proxy-us.intel.com:1080'
 export GIT_PROXY_COMMAND="$HOME/bin/socks_connect"

3. Create a text file called ~/bin/socks_connect with the contents:

 #!/usr/bin/env bash
 # Relay to the host and port given as arguments via the SOCKS5 server in $SSH_SOCKS_SERVER.
 connect -5 -S "$SSH_SOCKS_SERVER" "$@"

4. Make the script executable:

 chmod +x ~/bin/socks_connect

Cloning git:// in Linux

Requirement : socat

1. Create the proxy file at ~/bin/gitproxy

 mkdir ~/bin
 vi ~/bin/gitproxy

2. Copy these lines to the gitproxy file and save it. You can replace 'png' with a local proxy server for better speed. For example, in the US, use proxy-jf.intel.com.

 #!/bin/bash
 # Called by git as: gitproxy <host> <port>
 PROXY=proxy.png.intel.com
 exec socat STDIO "SOCKS4:$PROXY:$1:$2"

3. Edit ~/.gitconfig and put these lines in. Edit gitproxy, name and email.

 [core]
 editor = vi
 gitproxy = /home//bin/gitproxy
 [user]
 name = 
 email = 

4. Make the script executable:

 chmod u+x ~/bin/gitproxy

Ubuntu 12.04 LTS and Newer Automatic Shell Script

The following shell script will set up Intel proxies on Ubuntu. The script has been tested on Ubuntu 12.04, 14.04, 16.04.2, and 18.04, but will probably work on other versions as well. Run it as follows:

 wget --no-proxy --no-check-certificate https://intelpedia.intel.com/images/8/88/Setup_intel_proxy.sh.zip
 unzip Setup_intel_proxy.sh.zip
 chmod +x setup_intel_proxy.sh
 sudo ./setup_intel_proxy.sh

Matthew Fernandez: Why does the above script include 134.134.0.0/16 in no_proxy? At first I thought this was a mistake and it was supposed to be the private range 172.16.0.0/12 (which is also missing), but after looking up 134.134.0.0/16 it seems this might be a range assigned to Intel in Hillsboro. Is this range universally reachable without a proxy for users outside the US?

Proxy Environment Variables to set

Linux/UNIX/MinGW users who are using clients not capable of auto-configuration will want to define these environment variables.

 export http_proxy=http://proxy-chain.intel.com:911
 export https_proxy=http://proxy-chain.intel.com:912
 export ftp_proxy=http://proxy-chain.intel.com:911
 export socks_proxy=http://proxy-us.intel.com:1080
 export no_proxy=intel.com,.intel.com,localhost,127.0.0.1

On OpenSuse or SLES, look at /etc/sysconfig/proxy or use yast proxy; on other platforms, consider modifying /etc/environment or ~/.bashrc.
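How the no_proxy value above decides which destinations skip the proxy, as an added example (not from the original page or from Intel IT). Clients differ on whether they honour CIDR entries such as the 134.134.0.0/16 asked about above, so the code models both behaviours; the function names and sample hosts are constructed.

```python
"""Model of no_proxy evaluation: name-suffix matching, with and without CIDR.

Added example; it does not reproduce any specific client's implementation.
"""
import ipaddress

# From the page: the exported no_proxy value, and the same list with the
# 134.134.0.0/16 entry that the Ubuntu setup script is reported to add.
NO_PROXY = "intel.com,.intel.com,localhost,127.0.0.1"
NO_PROXY_WITH_CIDR = NO_PROXY + ",134.134.0.0/16"

# Constructed sample destinations (names taken from the page where possible).
SAMPLE_HOSTS = [
    "goto.intel.com",   # fully qualified internal name
    "goto",             # unqualified name, relies on a DNS search domain
    "notintel.com",     # shares the string "intel.com" but is another domain
    "github.com",       # external
    "134.134.10.20",    # inside 134.134.0.0/16
    "172.16.5.5",       # private range that is not in the list
]


def _entries(no_proxy):
    """Split the comma-separated list, dropping blanks and normalising case."""
    return [e.strip().lower() for e in no_proxy.split(",") if e.strip()]


def bypass_suffix_only(host, no_proxy):
    """String matching only: exact entry, or entry as a dot-separated suffix."""
    host = host.lower().rstrip(".")
    for entry in _entries(no_proxy):
        name = entry.lstrip(".")          # "intel.com" and ".intel.com" are equivalent here
        if host == name or host.endswith("." + name):
            return True
    return False


def bypass_with_cidr(host, no_proxy):
    """Suffix matching, plus CIDR matching when the host is an IP literal."""
    if bypass_suffix_only(host, no_proxy):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # a name is not resolved here, so CIDR cannot apply
    for entry in _entries(no_proxy):
        if "/" not in entry:
            continue
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue                      # malformed CIDR entry: ignore it
    return False


def route_table(hosts, no_proxy, cidr_aware):
    """Map each host to 'direct' or 'proxy' under the chosen matching model."""
    check = bypass_with_cidr if cidr_aware else bypass_suffix_only
    return {h: ("direct" if check(h, no_proxy) else "proxy") for h in hosts}


if __name__ == "__main__":
    for aware in (False, True):
        print("CIDR-aware client:" if aware else "String-matching client:")
        for host, route in route_table(SAMPLE_HOSTS, NO_PROXY_WITH_CIDR, aware).items():
            print(f"  {host:16} -> {route}")
```

Under both models the unqualified name and the 172.16.x.x address are sent to the proxy, which is why internal tools addressed that way fail unless the client uses proxy-chain or the list is extended.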

Ubuntu 12.04.4 LTS, Precise Pangolin Example

Manual Configuration

  • Edit the /etc/environment file
 sudo vi /etc/environment
  • Copy the following lines in the file:
 http_proxy=http://proxy-chain.intel.com:911
 https_proxy=http://proxy-chain.intel.com:912
 ftp_proxy=http://proxy-chain.intel.com:911
 socks_proxy=http://proxy-us.intel.com:1080
 no_proxy=intel.com,.intel.com,localhost,127.0.0.1
  • Save the file.
  • Let's make the Proxy available every time that we use sudo
  • Edit the /etc/sudoers file with visudo. To use nano, instead run sudo EDITOR=nano visudo /etc/sudoers.
 sudo visudo -f /etc/sudoers
  • Find entry:
 Defaults        env_reset
  • Below add
 Defaults        env_keep += "http_proxy https_proxy ftp_proxy socks_proxy no_proxy"
  • Edit the /etc/apt/apt.conf file
 sudo vi /etc/apt/apt.conf
  • Add the following lines:
 Acquire::http::proxy "http://proxy-chain.intel.com:911";
 Acquire::https::proxy "http://proxy-chain.intel.com:912";

ActiveState Perl CPAN

From a Windows cmd shell, do something like:

 set http_proxy=http://proxy-chain.intel.com:911
 cpan

Java in Windows

To pass proxy parameters to java.exe in Windows:

 java.exe -Dhttp.proxyHost=proxy-chain.intel.com -Dhttp.proxyPort=911 -Dhttps.proxyHost=proxy-chain.intel.com -Dhttps.proxyPort=912

Sublime Text 3

To install packages in Sublime Text 3 using Package Control, the proxy needs to be specified in Package Control settings: Preferences > Package Settings > Package Control > Settings - User

 {
   "http_proxy": "proxy-chain.intel.com:911"
 }

If you see the error message InvalidCertificateException, add these lines to the same config:

 "downloader_precedence":
 {
   "linux": [ "curl", "urllib",    "wget" ],
   "osx": [ "urllib" ],
   "windows": [ "wininet" ]
 }

Subversion

Add the following to ~/.subversion/servers:

 http-proxy-host = proxy-us.intel.com
 http-proxy-port = 911

Spotify

Upon launch, go to sign in screen. Find the link to settings and enter:

Type: HTTP
Address: proxy-chain.intel.com
Port: 911
Username:
Password:

After entering, press "Update Proxy". Back at the login, you must use Spotify username/password credentials; logging in with email (versus username) will not work, and login with Facebook will not work. After initial login, if nothing seems to load, File -> Exit and reopen.

Notepad++

Launch Notepad++ with administrator privileges
? (Help Menu) -> Set Updater Proxy...
Proxy server: proxy-chain.intel.com
Proxy port: 911
 

Plugins -> Plugin Manager -> Show Plugin Manager
Click Settings button
Proxy address : proxy-chain.intel.com
Proxy port: 911

Mumble VoIP

Configure->Settings->Network
Type: SOCKS5 proxy
Hostname: proxy-us.intel.com
Port: 1080
Username:
Password:

Visual Studio Code

File->Preferences->User Settings. In settings.json add:

 {
   "http.proxy": "http://proxy-chain.intel.com:911",
   "https.proxy": "https://proxy-chain.intel.com:912"
 }

npm (node.js)

To install packages using npm for node.js set the proxy by executing the following:

 npm config set proxy http://proxy-chain.intel.com:911
 npm config set https-proxy http://proxy-chain.intel.com:912
 npm config set strict-ssl false
 set HTTP_PROXY=http://proxy-chain.intel.com:911
 set HTTPS_PROXY=http://proxy-chain.intel.com:912
 npm --without-ssl --insecure install

Atom

Run

 apm config set proxy "http://proxy-chain.intel.com:911"
 apm config set https_proxy "https://proxy-chain.intel.com:912"  
 npm config set proxy "http://proxy-chain.intel.com:911"
 npm config set https_proxy "https://proxy-chain.intel.com:912"  

(Note that apm may not be on your path. Usually found in C:\Users\\AppData\Local\atom\app-\resources\app\apm\bin).

Gradle

If it does not exist, create the file .gradle/gradle.properties in your home directory.

Add to .gradle/gradle.properties:

 systemProp.http.proxyHost=proxy-chain.intel.com
 systemProp.http.proxyPort=911
 systemProp.http.nonProxyHosts=*.intel.com|localhost
 systemProp.https.proxyHost=proxy-chain.intel.com
 systemProp.https.proxyPort=912
 systemProp.https.nonProxyHosts=*.intel.com|localhost

Bower

Make a file called .bowerrc in your home directory which contains the following:

 {
   "directory": "bower_components",
   "registry": "https://bower.herokuapp.com",
   "https-proxy": "http://proxy-chain.intel.com:912"
 }

If .bowerrc already exists, add

 "https-proxy": "http://proxy-chain.intel.com:912"

Julia

Prior to 0.5.0 you need to execute the following in the \Git\cmd\ directory

 git config --global url."https://github.com/".insteadOf git://github.com/
 git config --global http.proxy http://proxy-chain.intel.com:911
 git config --global https.proxy https://proxy-chain.intel.com:912

You may also need to delete your .julia folder located somewhere like c:\Users\\.julia and then run Pkg.init() from inside Julia.

After 0.5.0 you just need to set your proxy environment variables.

Ruby gems

 sudo gem install rake -p "http://proxy-chain.intel.com:911"

Note - it seems that the "-p" argument shown above does not work, and instead the environment variable HTTP_PROXY should be set to this path. For example (c-shell example given here):

 setenv HTTP_PROXY http://proxy-chain.intel.com:911
 sudo gem install rake

Vagrant

Add the following environment variables to your system:

 HTTP_PROXY=http://proxy-chain.intel.com:911
 HTTPS_PROXY=http://proxy-chain.intel.com:912

And/Or use the vagrant-proxyconf plugin

Maven

Create the file $HOME/.m2/settings.xml with the following content:

 
   
     
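 <settings>
   <proxies>
     <proxy>
       <id>http</id>
       <active>true</active>
       <protocol>http</protocol>
       <host>proxy-chain.intel.com</host>
       <port>911</port>
       <nonProxyHosts>intel.com</nonProxyHosts>
     </proxy>
     <proxy>
       <id>https</id>
       <active>true</active>
       <protocol>https</protocol>
       <host>proxy-chain.intel.com</host>
       <port>912</port>
       <nonProxyHosts>intel.com</nonProxyHosts>
     </proxy>
   </proxies>
 </settings>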
   
 

Python

Anaconda Python

Make a file called .condarc in your $HOME directory which contains

 proxy_servers:
     http: http://proxy-chain.intel.com:911
     https: https://proxy-chain.intel.com:912

In Windows, $HOME is C:\Users\

NOTE:

In order to install Natural Language Processing Toolkit in Anaconda:
a) First run:  nltk.set_proxy('http://proxy-chain.intel.com:911')
b) Then run: nltk.download()

NOTE:

To install other packages without using 'conda install package_name' add the following code after importing 'os' package:
  import os
  os.environ['http_proxy'] = 'http://proxy-chain.intel.com:911'
  os.environ['HTTP_PROXY'] = 'http://proxy-chain.intel.com:911'
  os.environ['https_proxy'] = 'https://proxy-chain.intel.com:912'
  os.environ['HTTPS_PROXY'] = 'https://proxy-chain.intel.com:912'

Pip Python

command line

pip3 --proxy https://proxy-chain.intel.com:911 <...>

config file

Create the file pip.ini. On Windows, it is located at: %APPDATA%\pip\pip.ini

Add these lines:

[global]
proxy = http://proxy-chain.intel.com:911

src: https://stackoverflow.com/a/43473312

wget

Make a file called .wgetrc in your $HOME directory (or the directory of whatever depends on wget) which contains

http_proxy=http://proxy-chain.intel.com:911
https_proxy=https://proxy-chain.intel.com:912
ftp_proxy=http://proxy-chain.intel.com:911

or set these as environment variables as described in the section above.

curl

Add the following environment variable if you experience problems passing the proxy args to embedded curl calls.

 export ALL_PROXY='socks5://proxy-us.intel.com'

Eclipse

(Windows)

Under Preferences/Network Connections:

In the "Active Provider" drop-down menu, select "Manual".

Fill in the table of proxy entries as follows:

 Schema  Host                   Port  Provider  Auth  User  Password
 HTTP    proxy-chain.intel.com  911   Manual    No
 HTTPS   proxy-chain.intel.com  912   Manual    No

(Linux)

Same as above, but you might need to use a local proxy instead, like proxy-mu.

NOTE: under Proxy bypass you might add other local (test) servers that do not require proxies.

Docker

General SOCKS support in docker should now also be in main-stream code, see https://github.com/docker/docker/pull/20366

On Ubuntu Linux 14.04, make sure the docker daemon runs with the http_proxy env variable defined (e.g., in /etc/default/docker).

On Ubuntu Linux 16.04 and beyond, the OS uses systemd, so the docker daemon needs extra configuration. Follow the instructions from https://docs.docker.com/engine/admin/systemd/#http-proxy

Note: the docker service file might be /lib/systemd/system/docker.service

For the pre-Windows 10 versions of Docker and Kitematic start the virtualbox host with

   docker-machine rm default
   docker-machine create -d virtualbox --engine-env HTTP_PROXY=http://proxy-chain.intel.com:911 \
       --engine-env HTTPS_PROXY=https://proxy-chain.intel.com:912 \
       --engine-env NO_PROXY=192.168.99.100 default

When you start Kitematic it will initially show an error, but just click "Use Virtualbox".

On Windows 10 (using Docker for Windows), right click on the Docker icon in the notification area, select Settings. Then click Proxies. Select "Manual proxy configuration" and enter the following then click Apply.

    Web Server (HTTP):         http://proxy-chain.intel.com:911
    Secure Web Server (HTTPS): http://proxy-chain.intel.com:912
    Bypass for these hosts:    intel.com,.intel.com,localhost,127.0.0.1
  • More information on Docker proxy setup
  • Docker proxy setup on Ubuntu

yum / dnf

Add the following line to /etc/yum.conf

 proxy=https://proxy-chain.intel.com:912

On Fedora 24 and newer, update /etc/dnf/dnf.conf instead (use the http version; dnf doesn't like an https proxy):

 proxy=http://proxy-chain.intel.com:911

Rust - rustup

To download and install Rust using rustup, download rustup-init here: https://www.rust-lang.org/install.html. Then run rustup-init.exe.

For more information, see https://github.com/rust-lang-nursery/rustup.rs#working-with-network-proxies

On Windows:

The easiest way is to create a permanent environmental variable. To create an environmental variable, right-click the Start button and go to System -> Advanced system settings -> Advanced tab -> Environment Variables... -> (Under System variables) New.... Set Variable name to https_proxy, set Variable value to socks5://proxy-us.intel.com:1080, and click OK. Then run rustup-init.exe.

Alternatively, to temporarily set an environmental variable before running rustup-init.exe, open up a terminal where rustup-init.exe is.

In Command Prompt, run this command:

 set https_proxy=socks5://proxy-us.intel.com:1080

If using PowerShell, run this instead:

 $env:https_proxy = "socks5://proxy-us.intel.com:1080"

Then run ./rustup-init.exe.

SSH to Intel AI DevCloud via colfaxresearch.com

After obtaining a username and then downloading and configuring your private SSH key, add to your account's ~/.ssh/config. Adjust u9999/9999 as appropriate.

Host colfax
    User u9999
    HostName localhost
    Port 4022
    IdentityFile ~/.ssh/colfax-access-key-9999
    ProxyCommand ssh -T colfax-via-proxy

Host colfax-via-proxy
    User guest
    HostName cluster.colfaxresearch.com
    IdentityFile ~/.ssh/colfax-access-key-9999
    LocalForward 4022 c009:22
    # (Windows) ProxyCommand connect.exe -S proxy-us.intel.com:1080 %h %p
    # (Mac) ProxyCommand nc -X 5 -x proxy-us.intel.com:1080 %h %p
    # (Unix) ProxyCommand nc -x proxy-us.intel.com:1080 %h %p

Usage: ssh colfax

SecureCRT SSH and SecureFX SFTP

SecureCRT and SecureFX clients support SSH and SFTP, respectively. It is a commercial product for MS Windows from VanDyke Software. It is similar to the F-Secure SSH Client.

To configure SecureCRT/FX:

  • Go to Options--> Global Options --> Firewall
  • Click "Add" and add
    • Name: "Intel Proxy" (or any name you want to call it)
    • Hostname: proxy-us.intel.com (or proxy-jf, proxy-sc, etc.)
    • Port: 1080
  • Click "OK"
  • Add a session to an external host:
  • Go to "Session Manager" and click on "New Session" (icon) to enter the New Session Wizard
    • Select "SSH2" as the SecureCRT protocol, then "Next"
    • Enter your Hostname (foo.bar.com), select Firewall "Intel Proxy", and Username (your login name), then "Next"
    • Enter "SFTP" as the SecureFX protocol, then "Next", then "Finish"
  • To use, click on "Session Manager" then click on the hostname session you just created

IRC Client Pidgin

To reach a chat server outside the Intel network, Pidgin (or another IRC client) can be configured with the following settings:

Basic Tab:

          Protocol: IRC
          Username: (any nickname you choose, but it has to be something)
          Server: irc.freenode.net 
          No password

Advanced Tab:

          Port: 6697
          Encodings: UTF-8
          Check “Use SSL”

Proxy Tab:

          Proxy type: SOCKS 5
          Host: proxy-us.intel.com (or your local equivalent, see below)
          Port: 1080

Other Intel proxies besides proxy-us.intel.com include proxy-jf, proxy-sc, proxy-iind, proxy-iild, proxy-ir, proxy-mu, proxy-png, proxy-prc, all ending with .intel.com.

Architecture

There are two types of proxy servers at Intel.

DMZ or External proxy servers

These servers provide proxy access between Intel and the public internet. The DMZ proxy servers operate in clustered pools that sit behind load balancers, which distribute your traffic among the proxy servers and provide redundancy when a proxy server is down for maintenance. The DMZ proxy servers can only access external content, and cannot access internal content or web pages. The proxy-us.intel.com address is the load-balanced address for the DMZ proxy servers in the US (there are other Intel DMZ proxy pools for Ireland, Israel, Malaysia, China, Germany, and India). The proxy-us.intel.com address is actually split between two separate pools, one in JF (proxy-jf.intel.com) and one in FM (proxy-fm.intel.com). Using the proxy-us.intel.com address is the recommended DMZ address in the US, as it provides very high redundancy across two campuses and two separate Internet Service Providers. There are many legacy DNS addresses for various campuses, such as proxy-hf.intel.com or proxy-ch.intel.com, which all point back to proxy-us.intel.com.

Internal Proxy servers

Internal proxy servers enable access to internal Intel resources such as SharePoint sites. These proxy servers do not have access to the Internet; however, they are configured with forwarding policies that forward queries for external websites to the DMZ proxy servers. The phrase "proxy-chain" refers to the "chain" of proxy servers that starts at the internal proxies, then forwards requests to the external proxies if necessary. Additionally, the proxy-chain.intel.com address is a geographically aware DNS address on the load balancers, which will direct your traffic to the internal proxy server nearest to your location, then to the nearest DMZ proxy server. This behavior is especially useful when you are fetching both internal and external resources using clients that do not understand NO_PROXY; by using the proxy chain, you send all requests to a proxy that does know the difference.


Another concept to understand is the autoproxy.

Autoproxy

Intel uses an Autoproxy system based on the industry-standard WPAD (Web Proxy Auto-Discovery) protocol. When your web browser is configured to use "Automatically detect settings", it will look up and contact one of the many WPAD servers we run, which will dynamically generate (based on your geographical location, IP network range, and other variables) a file called WPAD.DAT, a large JavaScript file that tells your browser where to direct traffic. For example, the WPAD.DAT file will tell your browser to send traffic to the DMZ proxy servers for external websites, and to the internal proxy servers for internal websites. Additionally, we use JavaScript to force traffic for some specific sites out through specific proxy servers, typically in cases where the destination has whitelisted a specific IP range for us to access secure content. If you would like to inspect the WPAD.DAT file in more detail, point your browser to http://wpad.intel.com/wpad.dat and save the file; you can then open it as a text file and view the JavaScript that will be passed to your browser.

HTTP VS. SOCKS PROXIES

Another point to mention is the difference between HTTP and SOCKS proxy servers. HTTP proxy servers, as their name implies, can only handle HTTP and HTTPS traffic, and cannot handle traffic for other protocols (such as SSH, Telnet, IM protocols, etc.). SOCKS (or more specifically SOCKS5) is a protocol that will enable almost any application to work via the proxy servers, as long as the application supports SOCKS and the required port has been approved by Intel InfoSec and enabled on the firewalls. For example, if you wanted to SSH out of Intel, you could configure an application like PuTTY to use "proxy-us.intel.com" port 1080 using the SOCKS5 protocol, and would then be able to SSH via the Intel firewalls to external hosts.

Proxy Ports

Proxy ports serve to distinguish between the type of traffic and protocol, so the load balancers and proxy servers know what type of traffic they are dealing with. Standard HTTP traffic should use port 911, HTTPS/SSL traffic should use port 912, SOCKS5 traffic should use port 1080. The primary reason for distinguishing between HTTP and HTTPS traffic is session persistency. HTTP traffic will only have a session persistency of 30 seconds via our load balancers, meaning that your traffic will only be sent to the same proxy server for up to 30 seconds before the load balancers will direct traffic to another proxy server in order to effectively balance the massive volume of internet traffic we generate. Such short session persistency time will break HTTPS however, because if the load balancer changes traffic to a different proxy server in the middle of a session, that will change your external IP address, which will break the encrypted SSL session, as it will look like someone trying to inject data into the secure session, and the remote host will terminate the session. For this reason we use port 912 with HTTPS traffic, which will use a 1 hour session timer, which is long enough for almost all secure sessions.

Complete list of proxy servers

  • World: proxy-chain.intel.com (redirects traffic to the most appropriate proxy server from the regional servers below)
  • US: proxy-us.intel.com (splits traffic between proxy-jf.intel.com and proxy-fm.intel.com)
  • India: proxy-iind.intel.com
  • Israel: proxy-iil.intel.com
  • Ireland: proxy-ir.intel.com
  • Germany: proxy-mu.intel.com
  • Malaysia: proxy-png.intel.com
  • China: proxy-prc.intel.com (splits traffic between proxy-shm.intel.com and proxy-shz.intel.com)

SOCKS connection not working for proxy-chain.intel.com

As of at least 2018-08-21, SOCKS connections to port 1080 do not seem to work for the server "proxy-chain.intel.com". It seems that SOCKS connections are only able to work to site-specific / country-specific servers such as "proxy-us.intel.com" as well as "proxy-socks.fm.intel.com", etc. Does anyone know the reason for this? Is "proxy-chain.intel.com" using some other port for SOCKS, or is SOCKS not supported at all on that server? Can someone with information about this please document it here? Thanks, --Mpelstei (talk) 11:35, 21 August 2018 (PDT)

Why can't this be handled at the gateway???

The single gateway that other companies use that does not require individual applications/systems to be configured, is called “transparent” proxy mode. Intel uses what’s referred to as “Explicit” proxy mode.

Transparent proxy servers are used in scenarios where the primary reason you have implemented proxy servers is for Content control (restricting inappropriate work websites), and caching. Transparent proxy mode requires no proxy configuration on any applications, as the network will use policy based routing to direct all HTTP/HTTPS traffic to the proxy servers automatically. Non HTTP/HTTPS traffic, however, will be directed around the proxy servers, allowing them to connect directly to the internet. While this is very convenient, it is also much less secure, and Intel Information Security policy prevents us from operating transparent proxy servers.

One of the primary advantages of explicit proxy servers from a security perspective is that they complement the company's Data Loss Prevention procedures by making unauthorized data exfiltration much more difficult. For example, if a virus made it into the Intel network and was attempting to collect sensitive data and send it back out using FTP, the virus would be unable to send the traffic out of Intel without detailed knowledge of our proxy infrastructure, as the virus would need to be configured to use the appropriate Intel proxy servers. This is particularly important at a company like Intel, where our intellectual property is worth many billions of dollars. Additionally, the transparent proxy mode does not scale as well for high-bandwidth scenarios, or for companies with a worldwide footprint.

Note that the load balanced records (like proxy.sc.intel.com and proxy.fm.intel.com) will not respond to ping commands, and that is expected. The individual machines, e.g. proxy-chain.glb.intel.com will respond to ping.

If the application uses non-standard ports for access, then IT Service Operations will need to get a request to the proxy team to enable those specific ports.
Contact:
GSM Infrastructure IT Service Operations / Technical Assistance Center (TAC) [1]

Conditional Proxy

Use the following script as proxy command if you need to use ssh/git/etc.. from inside and outside the Intel network:

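 #!/usr/bin/perl -w
 # ProxyCommand helper: connect directly when the target is internal or when
 # the proxy name does not resolve (i.e. we are outside the Intel network);
 # otherwise relay through the SOCKS5 proxy.

 my $nc = '/usr/bin/nc';
 my ($host, $port) = @ARGV;
 my $proxy = 'proxy-us.intel.com';

 # Direct cases: unqualified host names, *.intel.com, the listed address
 # prefixes, or no DNS answer for the proxy itself.
 if ($host !~ /\./ || $host =~ /(^|\.)intel\.com$/ ||
    $host =~ /^(10|172\.1[6789]|172\.2[0-9]|172\.3[01]|192\.168|192\.0\.2|143\.183|134\.134)\./ ||
    ! gethostbyname($proxy) ) {
    exec($nc, $host, $port);
 } else {
    # SOCKS version 5 through the proxy on port 1080.
    exec($nc, '-X', '5', '-x', $proxy.':1080', $host, $port);
 }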

This script requires netcat.

Netcat examples

Connecting to a web server:

  • Through SOCKS 5:
 nc -X 5 -x proxy-us.intel.com:1080 google.com 80
  • Through HTTP CONNECT proxy server:
 nc -X connect -x proxy-chain.intel.com:911 google.com 80
  • Connecting to an SSH server with SOCKS 5:
 nc -X 5 -x proxy-us.intel.com:1080 login.trilug.org 22
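The difference between the two netcat modes above, shown as the first bytes a client sends to each kind of proxy: a SOCKS5 greeting and CONNECT request (RFC 1928) versus an HTTP CONNECT request. This is an added example, not part of the original page; the function names and the reply bytes used to exercise the parsers are constructed.

```python
"""SOCKS5 versus HTTP CONNECT: request framing and reply decoding.

Added example. It builds and parses bytes only; it opens no connection.
"""
import ipaddress
import struct

SOCKS_VERSION = 5
CMD_CONNECT = 1
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 1, 3, 4

# Reply codes defined in RFC 1928, section 6.
SOCKS5_REPLIES = {
    0: "succeeded",
    1: "general SOCKS server failure",
    2: "connection not allowed by ruleset",
    3: "network unreachable",
    4: "host unreachable",
    5: "connection refused",
    6: "TTL expired",
    7: "command not supported",
    8: "address type not supported",
}


def socks5_greeting():
    """Client hello: version 5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def socks5_connect_request(host, port):
    """CONNECT request: VER, CMD, RSV, ATYP, address, 16-bit port (network order)."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: send the name and let the proxy resolve it.
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_socks5_reply(data):
    """Return (ok, reason) from the proxy's reply to a CONNECT request."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code = data[1]
    return code == 0, SOCKS5_REPLIES.get(code, "unassigned code %d" % code)


def http_connect_request(host, port):
    """HTTP CONNECT: a text request naming the tunnel endpoint as host:port."""
    target = "%s:%d" % (host, port)
    return ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)).encode("ascii")


def parse_http_connect_reply(data):
    """Return (ok, status_line); any 2xx status means the tunnel is open."""
    status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line")
    return parts[1].startswith("2"), status_line


if __name__ == "__main__":
    # Targets taken from the netcat examples on the page.
    print("SOCKS5 greeting:", socks5_greeting().hex(" "))
    print("SOCKS5 connect :", socks5_connect_request("login.trilug.org", 22).hex(" "))
    print("HTTP CONNECT   :", http_connect_request("google.com", 80))
    # Constructed reply: the proxy refuses a destination port that is not enabled.
    print(parse_socks5_reply(b"\x05\x02\x00\x01" + bytes(6)))
```

A SOCKS5 reply code of 2 is what a client sees when the proxy's rules do not permit the requested destination or port, which is distinct from the target itself refusing the connection (code 5).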

... Older historical information and references ...

Proxy Servers at Intel are managed by DNS Engineering. To see the proxy server settings, simply surf to autoproxy.intel.com and open the file (JavaScript syntax) which opens at this location.

If you know that your application needs a direct proxy server, you can find one at this listing of Intel proxy servers. (Use port 911 for the proxy server. For PuTTY proxy configuration, setting to port 1080 and using SOCKS5 appears to work.)

See also

  • Configuring Skype to talk through the Intel Firewall
  • FTP proxy
  • Proxifier - Make iMessage, other tools use the Intel proxy

 
