Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Users may be unable to connect to Live Share services via a proxy #86

Closed
jasongin opened this issue Feb 7, 2018 · 88 comments
Closed

Users may be unable to connect to Live Share services via a proxy #86

jasongin opened this issue Feb 7, 2018 · 88 comments

Comments

@jasongin
Copy link

@jasongin jasongin commented Feb 7, 2018

Users who are on a network that requires use of a proxy server to connect to external websites may experience problems using Live Share. Specifically, attempting to share using a connection mode of Auto (the default mode) or Relay may fail to connect to the relay service.

A partial workaround may be to use Direct connection mode, however then guests must be on the same network as you in order to join the session. (Direct connections may also work through a VPN, depending on the VPN client and server configuration.)

Please upvote and/or comment on this issue if you're experiencing proxy-related issues.

@JoshuaGarrison27
Copy link

@JoshuaGarrison27 JoshuaGarrison27 commented Feb 7, 2018

Just for anyone else working on this issue. The problem that I experiences with this issue went all the way down to only working on the same LAN connection. VPN over a WAN connection or anything like that would not work for me through our company proxy.

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Feb 8, 2018

Note we added a section on troubleshooting connections based on our experiences here to the docs to try to help people out. https://github.com/MicrosoftDocs/live-share/blob/master/docs/getting-started.md#troubleshooting-connections

@jasongin
Copy link
Author

@jasongin jasongin commented Feb 8, 2018

@Chuxel that looks great! The "getting started" page is getting really long though. Do you think it would make sense to move the sections about connection mode, connection troubleshooting, and firewall settings to a separate page, linked from the getting started page?

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Feb 8, 2018

@jasongin Yeah I was thinking about that as well. There's also the quick start articles that cut to the chase so this is the more detailed article with things like manual join in it so we'll have to figure out the right balance for this one.

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Feb 14, 2018

@jasongin We also had a user on Slack mention that we are not respecting the VS Code proxy settings. My assumption is we'll track this problem with this same GitHub issue.

@kdruff-c1
Copy link

@kdruff-c1 kdruff-c1 commented Feb 14, 2018

Our proxy essentially serves as a MITM and I'm seeing this issue when trying to sign-in:

fetch('https://insiders.liveshare.vsengsaas.visualstudio.com/').then(res => res.json()).then(console.log);

The promise is rejected and my fetch fails:

GET https://insiders.liveshare.vsengsaas.visualstudio.com/ net::ERR_INSECURE_RESPONSE

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Feb 15, 2018

@kdruff-c1 It looks like this is indeed a specific issue with proxies that we've now identified. We've got an internal thread going to see what we can do about it in the service. Thank you so much for reporting it!

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Feb 27, 2018

The intermediate SSL cert issue (#111) that was at least partially responsible for causing this issue should be resolved at this point. @kdruff-c1 - Can you retry to see if it resolves your problem? @JoshuaGarrison27 - I'd be curious if your issue is resolved as well. We're still working on full proxy support.

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Feb 27, 2018

@jasongin FYI - Joshua and I connected and he's still seeing the problem so we'll leave this issue open for the larger proxy problem.

@JoshuaGarrison27
Copy link

@JoshuaGarrison27 JoshuaGarrison27 commented Feb 27, 2018

Just for logging purposes, I worked with Chuck (@Chuxel ) to see if this was resolved for me. It looks like I will have to wait for full proxy support. Thanks for keeping me in the loop!

Edit: Should have refreshed my browser before posting this. haha. Thanks everyone.

@kedruff
Copy link

@kedruff kedruff commented Feb 27, 2018

I am unable to install dependencies ...

Visual Studio Live Share was unable to download needed dependencies to finish installation. Ensure you have network connectivity and restart VS Code to retry.

Sorry for the account change from @kdruff-c1 ... one of my colleagues had success creating a new github account w/ his corporate email and I tried that to no avail...

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Feb 27, 2018

@kendruff The good news is we're past the SSL issue, the bad news is it sounds like you may have some needed locations blocked by your local or corporate firewalls - least when not going through the proxy. Try running these commands from a terminal (you can also grab curl for windows here):

curl https://download.visualstudio.microsoft.com
curl https://download.microsoft.com

...and then...

curl --noproxy "*" https://download.visualstudio.microsoft.com
curl --noproxy "*" https://download.microsoft.com

If the first two give you a "document moved" HTML snippet while the last two cannot reach the destination, you're now hitting the proxy problem we have not resolved yet. Am I correct in assuming that is the case?

As an aside, there was a circumstance where GitHub accounts were unable to start sharing (see #99) but this should be resolved. This error is prior to that point so it likely is not related.

@ericc4
Copy link

@ericc4 ericc4 commented Mar 1, 2018

Is there additional troubleshooting that I could add as a user to help with getting proxy connectivity working?

Forgot to add: Windows 7, VScode 1.20.1, authenticated corporate proxy that I unfortunately do not control

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Mar 1, 2018

@ericc4 Depending on your situation and the exact error you are seeing, we may need to implement better proxy support before you are unblocked. That is entirely dependent on the error you are getting, however.

That said, what error are you seeing and at what point?

@ericc4
Copy link

@ericc4 ericc4 commented Mar 1, 2018

@Chuxel When I sign in I get "Error Login Failed" from VScode, but in the browser it says "Ready to collaborate". I've tried entering a user code but I get the same error from VScode. Everything else in VScode that would require the proxy works fine, such as updates and installing extensions

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Mar 1, 2018

@ericc4 This may be due to the bug this issue is tracking. However, to verify, can you send us your logs after reproing? You can run the "Live Share: Export Logs" command to get a zip. From there you can either attach it here or shoot it to us at vsls-feedback@microsoft.com. @jasongin and I can verify its the same problem.

@AjkayAlan
Copy link

@AjkayAlan AjkayAlan commented Mar 2, 2018

#120 is a variation to this except it seems like it is stopping the sign in instead of stopping a sharing session. I closed #120 so we can focus on this first, and I will reopen it if this is fixed and #120 is not.

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Mar 2, 2018

For other's info - Both ericc4 and AjkayAlan had the following telltale sign in their logs that are another indicator of this problem:

[2018-03-01 16:35:16.603 Agent.Http E] > POST https://insiders.liveshare.vsengsaas.visualstudio.com/auth/token (c150ms sms) => 407 Proxy Authentication Required

@zachberger
Copy link

@zachberger zachberger commented Mar 7, 2018

I suspect there is also proxy issue when installing. I get stuck with this for about a minute:

image

Followed by:

image

curl https://download.visualstudio.microsoft.com
curl https://download.microsoft.com

outputs HTML

curl --noproxy "*" https://download.visualstudio.microsoft.com
curl --noproxy "*" https://download.microsoft.com

outputs
curl: (7) Failed to connect to download.visualstudio.microsoft.com port 443: Timed out

At this point I don't see Live Share: Export Logs in the command palate. I'm able to install other extensions with no issue.

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Mar 7, 2018

@zachberger Thanks for the awesome data. You are indeed correct. We cover this in connectivity troubleshooting, but here's the breakdown:

  1. Finishing the installation (as you see above) for VS Code requires access to download.visualstudio.microsoft.com and download.microsoft.com
  2. Signing in requires access to *.liveshare.vsengsaas.visualstudio.com (specifically insiders.liveshare.vsengsaas.visualstudio.com right now)
  3. Running in "relay" mode requires access to *.servicebus.windows.net

Each of these may be impacted by this proxy issue depending on the exact rules your company has setup.

@jasongin
Copy link
Author

@jasongin jasongin commented Mar 7, 2018

@zachberger, do you have HTTP_PROXY / HTTPS_PROXY environment variables set on your system? It's likely the Live Share extension isn't using them, but should.

Unfortunately VS Code doesn't do anything to help extensions use the correct proxy settings. For some discussion on that topic see microsoft/vscode#12588

We know there are a few things we need to do to fix proxy issues for Live Share; it's just taking some time to investigate, develop, and test the fixes.

@zachberger
Copy link

@zachberger zachberger commented Mar 7, 2018

Thanks, setting the proxy environment variables fixed. Normally I depend on my .bash_profile to do this, but when clicking a join link it didn't open VS Code via bash. I've now set them the variables system wide and the installation and sign in completed.

@Chuxel
Copy link
Collaborator

@Chuxel Chuxel commented Mar 8, 2018

@ericc4 @AjkayAlan @kedruff @JoshuaGarrison27 I had another person confirm that setting the environment variables Jason mentions above resolved the issue for them.

Do any of you have HTTP_PROXY and HTTPS_PROXY environment variables set globally? If not, can you set these and retry?

@jasongin
Copy link
Author

@jasongin jasongin commented Mar 8, 2018

@Chuxel, those variables apply to Mac OS (and Linux, when we support it later). I don’t think they will help with any proxy issues on Windows.

However the latest Live Share update, released yesterday for VS Code and soon for VS, includes a fix specifically for authenticating proxies on Windows.

@Camble
Copy link

@Camble Camble commented May 30, 2018

@Priya91 I set both HTTP_PROXY and HTTPS_PROXY variables to the same http:// address, which has not helped.

@dhruvb14
Copy link

@dhruvb14 dhruvb14 commented Jun 5, 2018

I too am having issues with installing liveshare inside of VSCode, I was able to get it running inside of VS2017 by setting the HTTP_PROXY and HTTPS_PROXY variables. Seems to be an issue with not accepting my enterprise cert used for MITM.

[Client I] Trace log: C:\Users\dbhavsar\AppData\Local\Temp\VSFeedbackVSRTCLogs\20180605_122059_15282012592590_VSCode.log
[Client I] Extension, IDE, OS : VSLS/0.3.262 VSCode/1.23.1 Windows/10.0.15063
[Client I] Did not find user settings at <?:\<redacted>\<redacted>.json>
[Client I] Passed version check for Windows: found 10.0.15063
[Client I] Installing dependencies for Live Share...
[Client I] Downloading package '.NET Core Runtime 2.0.5 for win7-x86' 
[Client I] Download complete.
[Client I] Downloading package 'OmniSharp for Windows (.NET 4.6)' 
[Client E] Failed at stage: downloadPackages - Dependency download failed. RequestError: unable to verify the first certificate

@jakauppila
Copy link

@jakauppila jakauppila commented Jun 7, 2018

A coworker is getting the same problem as @dhruvb14 with Dependency download failed. RequestError: unable to verify the first certificate

Where do we need to inject our trusted CA? It's already in the machine store as well as in the following environment variables:

  • CURL_CA_BUNDLE
  • SSL_CERT_DIR
  • SSL_CERT_FILE

@modul8com
Copy link

@modul8com modul8com commented Jun 8, 2018

It somehow works now for some reason after the latest update ! Thank you !

@c0bra99
Copy link

@c0bra99 c0bra99 commented Jun 8, 2018

Still not working for me, version: 0.3.264.59210.
Proxy settings are in the environment variables, same strings as I use in .npmrc for node to work with my user/pass included, but live share still doesn't work

[VSIX I] Acquired an access token for the VSO account '<30:c068add4>'
[Client.Rpc.Auth V] < #1 [9] auth.loginWithExternalToken(<47:6db21cec>)
[Agent.Rpc.Auth V] > #1 [9] auth.loginWithExternalToken(<0:>)
[Agent.Auth V] CredRead(<4:59d6e80e>, <30:52163006>) => 1168
[Agent.Auth I] External token cache miss.
[Agent.Http V] < POST https://insiders.liveshare.vsengsaas.visualstudio.com/auth/exchange
[Agent.Http E] > POST https://insiders.liveshare.vsengsaas.visualstudio.com/auth/exchange (c688ms sms) => 407 Proxy Authentication Required
[Agent V] < #1 telemetry.genericOperation: <53:4d27d5d9>
[Client.Rpc V] > #1 telemetry.genericOperation: <0:>
[Agent E] Remote exception in auth.loginWithExternalToken request handler: Microsoft.Cascade.Agent.HttpResponseStatusException: Visual Studio Live Share has detected you are behind an authenticated proxy and that you need to take steps for Live Share to use it. To find out more about proxy setup, see http://aka.ms/vsls-docs/proxy.
   at Microsoft.Cascade.Agent.HttpResponseMessageExtensions.ThrowHttpStatusException(HttpResponseMessage response) in E:\A\_work\24\s\src\Agent\HttpResponseMessageExtensions.cs:line 90
   at Microsoft.Cascade.Agent.HttpResponseMessageExtensions.<ThrowIfFailedAsync>d__2.MoveNext() in E:\A\_work\24\s\src\Agent\HttpResponseMessageExtensions.cs:line 46
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Cascade.Agent.AuthenticationService.<ExchangeTokenAsync>d__34.MoveNext() in E:\A\_work\24\s\src\Agent\AuthenticationService.cs:line 424
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Cascade.Agent.AuthenticationService.<LoginWithExternalTokenInternalAsync>d__29.MoveNext() in E:\A\_work\24\s\src\Agent\AuthenticationService.cs:line 254
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Cascade.Agent.AuthenticationService.<LoginWithExternalTokenAsync>d__28.MoveNext() in E:\A\_work\24\s\src\Agent\AuthenticationService.cs:line 226
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Cascade.Rpc.RpcDispatcher`1.<>c__DisplayClass23_2.<<BuildMethodMap>b__2>d.MoveNext() in E:\A\_work\24\s\src\Rpc\RpcDispatcher.cs:line 217
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Cascade.Rpc.RpcDispatcher`1.<HandleRequestAsync>d__16.MoveNext() in E:\A\_work\24\s\src\Rpc\RpcDispatcher.cs:line 99
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.Cascade.Rpc.RpcServiceUtil.<RequestAsync>d__3.MoveNext() in E:\A\_work\24\s\src\Rpc\RpcServiceUtil.cs:line 56
[Agent.Rpc.Auth V] < #1 [9] Error: Visual Studio Live Share has detected you are behind an authenticated proxy and that you need to take steps for Live Share to use it. To find out more about proxy setup, see http://aka.ms/vsls-docs/proxy.
[Client.Rpc.Auth V] > #1 [9] Error: Visual Studio Live Share has detected you are behind an authenticated proxy and that you need to take steps for Live Share to use it. To find out more about proxy setup, see http://aka.ms/vsls-docs/proxy.
[VSIX E] Failed to sign-in with the user '<30:c068add4>' credentials: Visual Studio Live Share has detected you are behind an authenticated proxy and that you need to take steps for Live Share to use it. To find out more about proxy setup, see http://aka.ms/vsls-docs/proxy.
[VSIX E] Failed to create a collaboration session. Visual Studio Live Share has detected you are behind an authenticated proxy and that you need to take steps for Live Share to use it. To find out more about proxy setup, see http://aka.ms/vsls-docs/proxy.

@Priya91
Copy link

@Priya91 Priya91 commented Jun 13, 2018

@k7shanmugam @jasongin @srivatsn People are hitting downloader issues on vscode due to cert issues, and as mentioned here, these are already solved by vscode, we should push to get the downloader apis exposed, so we don't have to duplicate these solutions in our extension as well.

@jakauppila
Copy link

@jakauppila jakauppila commented Jun 13, 2018

I was able to get past Dependency download failed. RequestError: unable to verify the first certificate by specify the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0.

Far from ideal, but it does pinpoint that the issue is that node is not looking at the appropriate trust stores.

@lostintangent
Copy link
Member

@lostintangent lostintangent commented Aug 8, 2018

We've made a significant amount of improvements to our proxy support (thanks @Priya91!), so we're going to close this general-purpose issue, and track any remaining proxy work via specific issues. Please let us know if you run into connectivity problems. Otherwise, we'll track progress via the issues we've already got logged. Thanks!

@lornz
Copy link

@lornz lornz commented Aug 15, 2018

Is there a solution for proxies with a 'pac'-File?

"Unable to connect to the remote server. TrackingId:40b15f09-60d4-4c48-a8ee-76eb4d25e532, Address:sb://vsls-prod-ins-euw-private-relay.servicebus.windows.net/c0b214cbd3852b83c1535c97274f182be2b4--70c9e139-ed6f-485c-bf1b-5f0ef2ff7eb1, Timestamp:15.08.2018 07:48:27"

@grork
Copy link

@grork grork commented Aug 15, 2018

@Priya91, do you have any insight into PAC files?

@yangwen2
Copy link

@yangwen2 yangwen2 commented Mar 8, 2019

@lornz For pac file, have you tried to set the proxy setting to one of the server + port specified in your PAC file?

@Jeff5519
Copy link

@Jeff5519 Jeff5519 commented Apr 16, 2019

Our internet access requires a proxy server with user authentication.

The method of setting http_proxy and https_proxy for Visual Studio Live Share is a very poor design since it exposes a user name and password into a system wide environment variable.

Is there any plan for a more secure method of dealing with a proxy server?

@Priya91
Copy link

@Priya91 Priya91 commented Apr 17, 2019

@Jeff5519 If you use your AAD logon credentials for proxy authentication, and you have the proxy setting configured in OS Settings, then we will read the proxy information from OS and use your logon credentials to authenticate. If you need separate credentials, we don't support that today, since that requires having a separate UI to get the credentials from user, and then securing it.. We haven't had many user reports for this scenario, so we don't have plans to support that yet.

@farangkao
Copy link

@farangkao farangkao commented Jun 19, 2019

Tried several ways to connect in Visual Studio 2019, but i don't manage to connect by Relay or Direct.
Behind Firewall (with Proxy Pac configuration)
I can download and read the proxy pac file and i also tried to use some of the ip addresses there for stearing via HTTP_PROXY and HTTPS_PROXY, but to no avail.
The Output from Live Share Window stays empty, the Message on Top says can't connect.

Our proxy does use Active Directory logon credentials and the Proxy settings are configured in the Windows 10 Proxy "script" section.

@Priya91
Copy link

@Priya91 Priya91 commented Jun 19, 2019

@Jeff5519
Copy link

@Jeff5519 Jeff5519 commented Jun 20, 2019

I was able to get live share working by setting the HTTP_Proxy and HTTPS_Proxy environment variables without including my logon credentials.
HTTPS_PROXY=http://:8080
HTTP_PROXY=http://:8080
Some things that may have helped: Make sure you create these as system environment variables and reboot after you set them. Both definitions use "http".

@yilun11
Copy link

@yilun11 yilun11 commented Nov 19, 2019

It doesn't seem to respect http proxy variables in JSON config file, but will respect them in environment variables (Windows, 1.37.1). Unfortunately, those env variables will interfere with other apps trying to access local network so I'll see if I can get it to respect it somehow from JSON config.

@bucmic
Copy link

@bucmic bucmic commented Jan 29, 2020

Works perfectly with system env variables but we don't want to deploy them globally. Any other way to make it work with proxy? Why is Live Share not able to read proxy settings from OS?

@kpatrick
Copy link

@kpatrick kpatrick commented Feb 29, 2020

curl https://download.visualstudio.microsoft.com currently gives back an error

<title>500 - Internal Server Error</title>

500 - Internal Server Error

@bucmic
Copy link

@bucmic bucmic commented Mar 2, 2020

curl https://download.visualstudio.microsoft.com currently gives back an error

<title>500 - Internal Server Error</title> # 500 - Internal Server Error

It is https://visualstudio.microsoft.com/downloads/

@hjrb
Copy link

@hjrb hjrb commented Dec 1, 2020

In our environment it still doesn't work in sudden cases. For extensions it work. But for LiveShare it doesn't. The only way to get this to work is to set both environment variables AND set the property "http.proxy" in the settings.json to the address of the proxy server including the user name and password. That is certainly a security issue and very inconvenient.

@Maxim-Mazurok
Copy link

@Maxim-Mazurok Maxim-Mazurok commented Aug 20, 2021

We have two proxies:

  1. The one that uses NTLM Authentication (using Windows credentials, Active Directory, all that stuff)
  2. And we have proxy without any auth, specifically for tools such as git/npm/etc that do not support NTLM Auth.

When I set HTTP_PROXY and HTTPS_PROXY to proxy #1 (NTLM auth) - it doesn't work, logs me out and doesn't let me log in with my Microsoft account, redirects to http://127.0.0.1:53612/?error=Unable%20to%20login.

When I set these env vars to proxy #2 (no auth) - it works like a charm. Logs me in and lets me use live share session.

So, am I correct to assume that this extension doesn't support NTLM Auth proxies?

@Maxim-Mazurok
Copy link

@Maxim-Mazurok Maxim-Mazurok commented Aug 20, 2021

Also, docs say that it'll use default system proxy on Windows, but it doesn't.
I have my system settings set to auto-detect mode.
And we have wpad.dat file with function FindProxyForURL(url, host) {...} that chooses the right proxy for host.
But I can see in Wireshark that it's trying to connect to vsls servers directly:
screenshot

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet