Proxy Configuration
📝 This Wiki page has moved. For the latest content, see Proxy Configuration on the IAP Desktop documentation page.
You can configure IAP Desktop to use a proxy server to access Google Cloud APIs.
IAP Desktop supports three ways to configure proxy server settings:
1. System (Use system settings): IAP Desktop obtains proxy server settings from Windows. You can change these settings by using the Windows control panel.
2. Manual: Explicitly provide a server name and port to use as the HTTPS proxy server.
3. Auto-config: Specify the URL of a proxy auto-configuration (PAC) file. IAP Desktop downloads and evaluates the file and applies the resulting proxy settings.
When you use option 2 or 3, you can optionally specify a username and password if your proxy server requires authentication.
All proxy server settings can be viewed and modified under Tools > Options > Network:
If your organization uses a proxy server that performs filtering and SSL inspection, some additional configuration might be required to allow users to use IAP Desktop.
IAP Desktop uses the Windows Trusted Root Certification Authorities certificate store to verify TLS certificates. If your proxy server performs SSL inspection, and therefore terminates and re-encrypts TLS traffic with its own certificates, make sure to add the proxy server's CA certificate to this certificate store.
To let IAP Desktop communicate with Google Cloud APIs, make sure that your proxy server permits HTTPS communication to the following domains:
- https://oauth2.googleapis.com
- https://openidconnect.googleapis.com
- https://compute.googleapis.com
- https://oslogin.googleapis.com
- https://cloudresourcemanager.googleapis.com
- https://logging.googleapis.com
The IAP TCP forwarding tunnels that IAP Desktop uses to create SSH and RDP connections use WebSockets. Make sure that your proxy server permits WebSocket communication to the following domain:
- https://tunnel.cloudproxy.app
Note: Squid (and possibly other proxy servers) does not allow WebSocket connections when configured to perform SSL inspection (bumping). To allow WebSocket communication, exclude tunnel.cloudproxy.app from SSL termination by letting Squid splice connections to this domain.
When you enable Endpoint Verification, IAP Desktop uses mutual TLS (mTLS) for all Google APIs and for IAP TCP forwarding. mTLS is not compatible with SSL inspection.
To use Endpoint Verification, exclude the following domains from SSL inspection:
- https://oauth2.mtls.googleapis.com
- https://compute.mtls.googleapis.com
- https://oslogin.mtls.googleapis.com
- https://cloudresourcemanager.mtls.googleapis.com
- https://logging.mtls.googleapis.com
- https://mtls.tunnel.cloudproxy.app
Note: If you use Squid, you can exclude domains from inspection by configuring them to use splicing instead of bumping.
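The following Squid `ssl_bump` policy is an added example, not configuration shipped by the IAP Desktop project: it keeps SSL inspection (bumping) enabled for general HTTPS traffic but splices the WebSocket tunnel domain and the mTLS domains listed above so that IAP TCP forwarding and Endpoint Verification keep working. It assumes a Squid build with `ssl_bump` support and an existing `https_port ... ssl-bump` line in `squid.conf`.

```squid
# Added example for squid.conf (not from the IAP Desktop project).
# Assumes an https_port with the ssl-bump option is already configured.

# Domains that must not be inspected: the IAP tunnel endpoint (WebSockets)
# and the mTLS endpoints used when Endpoint Verification is enabled.
acl iap_no_bump ssl::server_name tunnel.cloudproxy.app
acl iap_no_bump ssl::server_name mtls.tunnel.cloudproxy.app
acl iap_no_bump ssl::server_name oauth2.mtls.googleapis.com
acl iap_no_bump ssl::server_name compute.mtls.googleapis.com
acl iap_no_bump ssl::server_name oslogin.mtls.googleapis.com
acl iap_no_bump ssl::server_name cloudresourcemanager.mtls.googleapis.com
acl iap_no_bump ssl::server_name logging.mtls.googleapis.com

# Step 1: peek at the TLS ClientHello so the SNI is known before deciding.
acl step1 at_step SslBump1
ssl_bump peek step1

# Step 2: splice (pass through without decrypting) the excluded domains,
# and bump (inspect) everything else.
ssl_bump splice iap_no_bump
ssl_bump bump all
```

Because the decision is made on the SNI seen at step 1, a client that sends no SNI falls through to `bump all`; IAP Desktop sends SNI for these hosts, so the splice rule matches.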
IAP Desktop is an open-source project and not an officially supported Google product.