Additional Proxy Details
This page covers advanced proxy topics: static vs automatic proxy behavior, NATS and evidence repository tunneling, and SSL bumping/interception.
Static vs Automatic Proxy
Automatic proxy means that the responder reads the URL of the PAC (proxy auto-config) file from the operating system's proxy settings and evaluates that file to find the proxy to use for a given URL, instead of being given a fixed proxy address. Automatic proxy support is only available on macOS and Windows. All other proxy settings are static proxy settings, and the responder service must be restarted for changes to them to take effect.
Using Automatic Proxy together with the Isolation feature on Windows can cause problems.
With an automatic proxy, the wpad.dat or PAC file is fetched from the AutoConfigURL address by Windows' own services, not by the responder. While the machine is isolated, those services may be unable to resolve the AutoConfigURL host or complete the HTTP request for the file, so no proxy is obtained and the responder falls back to connecting to remote servers directly, bypassing the proxy. If direct connections are not allowed from that machine, the responder cannot reach the AIR console at all. Test this scenario on Windows before relying on Automatic Proxy and Isolation together.
NATS & Evidence Repositories
The responder uses a NATS client to connect to the AIR console's NATS server on port 4222. NATS delivers notifications from the AIR console about tasks in the queue, so the responder can start assigned tasks promptly.
Because the responder must use the configured proxy for every connection when one is set, it also connects to the console's NATS server through the HTTP or SOCKS5 proxy, just as it does for regular HTTP connections. With an HTTP proxy it uses the same HTTP CONNECT method to open a tunnel, and the NATS protocol is then carried through that tunnel.
If the proxy server does not allow a tunnel to port 4222, the responder falls back to connecting to the NATS server directly, bypassing the proxy. This fallback is the default behaviour for every non-HTTP protocol the responder uses: NATS, SMB, FTPS and SFTP.
SMB uses port 445.
SFTP uses port 22.
FTPS uses port 21 for the control connection and high ports for data transfer.
If the proxy server is configured to open tunnels to these ports for the supported protocols, all of this traffic stays on the proxy path and nothing else is needed. If it is not, the fallback still lets the responder reach the remote server, but only when direct outbound connections to those ports are permitted from the endpoint. In locked-down networks, allow the CONNECT targets on the proxy rather than relying on the bypass.
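The CONNECT tunnel and the fall-back-to-direct behaviour described above, as an added example (not the responder's code). The hostnames, ports and the in-memory fake proxy are constructed for the offline demo; pass `socket.create_connection` as the `connect` argument to run the same check against a real proxy and see whether it will tunnel port 4222:

```python
"""Probe whether a proxy will tunnel a non-HTTP port (e.g. NATS on 4222) and
mirror the fall-back-to-direct behaviour described on this page.
Added example, not the responder's code; hosts, ports and the fake proxy
below are constructed for an offline run."""


def build_connect_request(host: str, port: int) -> bytes:
    """HTTP CONNECT request in authority form (RFC 7231, section 4.3.6)."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def read_connect_status(conn) -> int:
    """Read the proxy's reply headers and return the HTTP status code."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        buf += chunk
        if len(buf) > 65536:
            raise ConnectionError("oversized CONNECT response")
    status_line = buf.split(b"\r\n", 1)[0].decode("latin-1")
    version, code, *_ = status_line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ConnectionError(f"not an HTTP reply: {status_line!r}")
    return int(code)


def open_tunnel_or_direct(connect, proxy, target, allow_direct_fallback=True):
    """Try CONNECT to `target` via `proxy`; if the proxy refuses, connect directly.

    `connect(addr)` returns a socket-like object: pass socket.create_connection for
    a real check, or a fake for offline tests. Returns (conn, "proxy" | "direct")."""
    host, port = target
    conn = connect(proxy)
    try:
        conn.sendall(build_connect_request(host, port))
        status = read_connect_status(conn)
    except (OSError, ValueError):
        status = None
    if status is not None and 200 <= status < 300:
        return conn, "proxy"        # tunnel is up; the protocol (NATS, SMB, ...) runs over conn
    conn.close()
    if not allow_direct_fallback:
        raise ConnectionError(f"proxy refused CONNECT to {host}:{port} (status {status})")
    return connect(target), "direct"  # proxy bypassed: only works if direct egress is allowed


class FakeProxyConn:
    """Stands in for a proxy that tunnels only to `allowed_ports` (constructed for the demo)."""

    def __init__(self, allowed_ports):
        self.allowed_ports, self.reply = allowed_ports, b""

    def sendall(self, data):
        request_line = data.split(b"\r\n", 1)[0].decode("ascii")   # "CONNECT host:port HTTP/1.1"
        port = int(request_line.split(" ")[1].rsplit(":", 1)[1])
        if port in self.allowed_ports:
            self.reply = b"HTTP/1.1 200 Connection established\r\n\r\n"
        else:
            self.reply = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

    def recv(self, n):
        out, self.reply = self.reply[:n], self.reply[n:]
        return out

    def close(self):
        pass


class FakeDirectConn:
    """Represents a successful direct connection to the target (constructed for the demo)."""

    def close(self):
        pass


def make_fake_connect(proxy_addr, allowed_ports):
    def connect(addr):
        return FakeProxyConn(allowed_ports) if addr == proxy_addr else FakeDirectConn()
    return connect


def demo():
    proxy = ("proxy.example.internal", 3128)                  # hypothetical proxy
    console = "air.example.internal"                          # hypothetical AIR console
    connect = make_fake_connect(proxy, allowed_ports={443})   # this proxy tunnels HTTPS only
    results = {}
    for port in (443, 4222):
        conn, path = open_tunnel_or_direct(connect, proxy, (console, port))
        conn.close()
        results[port] = path
    return results


if __name__ == "__main__":
    print(demo())   # {443: 'proxy', 4222: 'direct'}
```

A "direct" result for 4222 against a real proxy means the proxy refused the tunnel and the responder would bypass it; the fix is to allow CONNECT to 4222 (and 445, 22 and 21 for the evidence repositories) on the proxy, not to open direct egress from the endpoint.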
SSL Bumping/Interception
If the proxy server is configured to intercept (bump) the TLS traffic between the responder and the AIR console, the following points must be considered.
The proxy server must trust the CA certificate that issued the AIR console's certificate. With interception, the proxy itself validates the console's certificate when it opens its own TLS connection to the console; if that validation fails, the proxy cannot open a tunnel to the AIR console.
The responder uses WebSocket over HTTPS for interACT communication. Some proxy servers, Squid for example, do not handle WebSocket well when SSL bumping is enabled, so if interACT is used the proxy must be configured to pass WebSocket upgrades over HTTPS through the bump. To verify this, open an interACT terminal on the AIR console and confirm that the session is established.
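A handshake check for the WebSocket point above, added here as an example (not the responder's or AIR's code). It sends the RFC 6455 upgrade request over an already-established connection and verifies the reply, including the Sec-WebSocket-Accept value. The host, the `/interact` path and the two fake endpoints (one WebSocket-aware, one mimicking an intercepting proxy that turns the upgrade into plain HTTP) are constructed assumptions for the offline demo:

```python
"""Check that a WebSocket upgrade (as used by interACT over HTTPS) survives the path
to the console. Added example, not the responder's or AIR's code; the host, the path
and the two fake endpoints are constructed for an offline run."""
import base64
import hashlib
import os

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed GUID from RFC 6455, section 1.3


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a conforming server must return for Sec-WebSocket-Key `key`."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode("ascii")).digest()).decode("ascii")


def build_upgrade_request(host: str, path: str, key: str) -> bytes:
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response_head(raw: bytes):
    """Return (status_code, {lowercased header name: value}) from a raw HTTP head."""
    status_line, *lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def check_upgrade(conn, host: str, path: str, key=None):
    """Run the handshake over an already-open connection (plain socket, TLS socket or a
    CONNECT tunnel) and return (ok, reason) explaining any failure."""
    key = key or base64.b64encode(os.urandom(16)).decode("ascii")
    conn.sendall(build_upgrade_request(host, path, key))
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = conn.recv(4096)
        if not chunk:
            return False, "connection closed before a handshake response"
        raw += chunk
    code, headers = parse_response_head(raw)
    if code != 101:
        return False, f"expected 101 Switching Protocols, got {code}"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "Upgrade header missing or not 'websocket'"
    if "upgrade" not in headers.get("connection", "").lower():
        return False, "Connection header does not contain 'Upgrade'"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept does not match the key that was sent"
    return True, "websocket handshake completed"


class ScriptedConn:
    """Fake connection whose reply is computed from the request (constructed for the demo)."""

    def __init__(self, responder):
        self.responder, self.reply = responder, b""

    def sendall(self, data):
        lines = data.decode("ascii").split("\r\n")
        key = next(l.split(":", 1)[1].strip() for l in lines if l.lower().startswith("sec-websocket-key:"))
        self.reply = self.responder(key)

    def recv(self, n):
        out, self.reply = self.reply[:n], self.reply[n:]
        return out


def websocket_aware_endpoint(key: str) -> bytes:
    """What the console (or a proxy that passes the upgrade through intact) answers."""
    return (
        "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {expected_accept(key)}\r\n\r\n"
    ).encode("ascii")


def upgrade_stripping_proxy(key: str) -> bytes:
    """An intercepting proxy that forwards the request as ordinary HTTP; the upgrade is lost."""
    return b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def demo():
    host, path = "air.example.internal", "/interact"    # hypothetical console host and path
    return {
        "passes_upgrade": check_upgrade(ScriptedConn(websocket_aware_endpoint), host, path),
        "strips_upgrade": check_upgrade(ScriptedConn(upgrade_stripping_proxy), host, path),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {reason}")
```

To test a real path, pass an `ssl.SSLSocket` connected to the console (directly, or over a CONNECT tunnel) instead of `ScriptedConn`. A 200 in place of 101, or a Sec-WebSocket-Accept that does not match the key, indicates that the intercepting proxy rewrote the upgrade and interACT sessions will not establish through it.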