Use a proxy with the SOCKS protocol

A proxy is a program that acts as an intermediary between a client and server. It is often used to interconnect two networks via a single point.

SOCKS is a protocol that is independent of the application protocol, and is used to relay a TCP session via a proxy. This independence means that it can relay the PeSIT protocol with or without SSL.

This topic describes how to use a proxy and SOCKS, and includes:

SOCKS protocol architecture

Transfer CFT supports versions 4 and 5 of the SOCKS protocol. A brief explanation of the SOCKS protocol is provided in this topic.

Proxy server is between the client  and server where client initiates the Connect Request to proxy

About the connection

SOCKS4

When using SOCKS4, the exchange between client and server consists of:

  1. The client logs into the proxy and sends it a connection request specifying the server IP address (version 4) or host name, the listening port number of the server, and a user name.
  2. The proxy checks the connection request and either executes or rejects it.
  3. A response is sent to the client, indicating the status of the request (the server is connected, the connection with the server has failed, the user is not authorized, and so on). Once the connection is correctly established between the proxy and server, the client and the server are connected via the proxy and can perform transparent data inter exchanges (PeSIT, and so on).

SOCKS5 exchanges

When using SOCKS5, the exchange between client and server consists of:

  1. The client and server negotiate an authentication method for the client. The client sends a list of methods it supports and the server responds to indicate which method it has chosen. The only method supported by Transfer CFT is username/password.
  2. The client authenticates itself using its username/password. The sever response code indicates if the authentication was successful or not. If authentication is refused, the server immediately closes the connection.
  3. The client sends a connection request to the proxy, specifying the remote server IP address or host name and its port number.
  4. The proxy checks the connection request and either executes or rejects it. A response is sent to the client, indicating the request was successful or not. Once the connection is correctly established between the proxy and server, the client and the server are connected via the proxy and can perform transparent data inter exchanges (PeSIT, and so on). If the connection if refused, the server immediately closes the connection.

Using a proxy in Transfer CFT

The CFTNET command for a proxy is static. To apply modifications, Transfer CFT must be shutdown, the new parameters interpreted (CFTUTIL) and Transfer CFT restarted.

Additionally, at least one file transfer protocol (CFTPROT command) must be declared for the CFTNET command (describing an access via a proxy for a protocol).

Note Transfer CFT only accepts outgoing calls.

The protocols (CFTPROT) and the networks (CFTNET) must be declared in the CFTPARM command to be applied by Transfer CFT.

File transfers via a proxy

Placement of proxy between Transfer CFT in Intranet and client in Internet

Error codes

Transfer CFT responds to error codes from a proxy with:

  • Error code 91 for SOCKS4
  • Error code 5 for SOCKS5

Transfer CFT repeats the transfer. The transfer timeout and number of attempts will depend on the CFTTCP command RETRYW, RETRYN and RETRYM parameters defining the network characteristics of the remote partner.

  • 92 and 93 for SOCKS4
  • Error code != 5 and > 0 for SOCKS5

Transfer CFT puts the transfer on hold (K status). The operator must manually restart (START command) the transfer.

Configuring a connection

To configure an outgoing connection through a proxy, user must define the following objects. The numbers referenced here are taken from the example below.

  • A network resource with the class 1 (NET0 in the example).
  • A network resource with the class 2 (NSOCKS5 in the example) and inet parameter = NET0. This net also contains SOCKS proxy host, port, username and password.
  • A transfer protocol with the parameter net = NSOCKS5 (value used in the example).
  • A partner referencing the protocol and class = 2 in its CFTTCP definition.
  • The default port for proxy servers is 1080.

Example

CFTNET ID = 'NET0',
TYPE = 'TCP',
CALL = 'INOUT',
MAXCNX = '128',
CLASS = '1',
HOST = 'localhost'

CFTNET ID = 'NSOCKS5',
TYPE = 'TCP',
CALL = 'INOUT',
MAXCNX = '32',
CLASS = '2',
HOST = proxy_address,
PORT = proxy_port,
INET = 'NET0',
PROTOCOL = 'SOCKS5',
USER = 'john',
PASSWORD = 'foo'

CFTPROT ID = 'PESITANY_SOCKS5',
NET = 'NSOCKS5'

CFTPART ID = 'PARIS_NSOCKS5',

CFTTCP ID = 'PARIS_ NSOCKS5',
CLASS = '2',

SOCKS references

Setting up a proxy for Copilot

The proxy implementation for Transfer CFT Copilot is handled directly by the Java Socket class, and uses either the SOCKS V4 or V5 protocol. Note that the HTTP proxy that is used to connect to the Copilot server for downloading is different from the one used for SOCKS 4 data exchange between Copilot client and server. Therefore, you require 2 proxies:

  • An HTTP proxy that you set in internet browser
  • A SOCKS 4 proxy that you set in Copilot

Since the Copilot log in screen in a browser window does not provide a way to enter proxy settings, you must force the Connect to a product dialog box to display by entering faulty credentials in the Copilot log in screen. Once this connection dialog box displays, you can then set the proxy address and port.

The step is only required for your first log in through a proxy. Copilot retains the proxy address and port settings for subsequent connections.

To remove proxy and revert to the standard log in, simply remove the proxy address and port settings in the connection dialog box.

Connect to a product dialog box

Copilot Connect to a product login screen

Related Links