Want to Try Safe Browsing?
By Glenn Faden on Aug 24, 2006
If you have installed Solaris Trusted Extensions, you may want to try
the Safe Browsing environment that I use at Sun. The configuration is a
bit complicated, but I have provided most of the files in a compressed
tar file txdemo
which you can download. After uncompressing the file you should extract
it as root in the global zone. The tar file will extract into /opt/txdemo.
It is assumed that you will be using separate Firefox browsers in the
public and internal zones. The public zone will be used to access the
external Internet and the internal zone will be used for the internal
Intranet. To maintain network separation, a URL transfer service will
forward external URLs from your internal browser so that they can be
processed using the public browser.
Some of these files need to be customized or copied.
The manifest for the url-xfer service needs to be copied into the
public zone which you will use to access the public Internet. You
should do this as root in the public zone. For example:
# cd /var/svc/manifest/application
# mkdir web
# cp /opt/txdemo/var/svc/manifest/application/web/url-xfer.xml web
The two proxy.pac scripts (public.pac, internal.pac) should be
customized as described in each script. The values for urlProxy and
corpProxy should be changed as appropriate for your office environment.
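The routing decision that the two proxy.pac scripts make can be sketched as follows. This is an added example, not the public.pac or internal.pac shipped in txdemo. Every host name, domain and port in it is a constructed placeholder, and it assumes the internal browser reaches the url-xfer service as an HTTP proxy on port 8080.

```javascript
// Added sketch of the two PAC policies; NOT the txdemo scripts.
// All host names, domains and ports below are constructed placeholders.
var urlProxy  = "PROXY public-zone.example.com:8080"; // url-xfer listener (assumed address)
var corpProxy = "PROXY webproxy.example.com:3128";    // corporate web proxy (assumed address)
var intranetDomain = ".corp.example.com";             // assumed intranet DNS suffix

// True when host is a bare name or falls under the intranet suffix.
// The leading dot in the suffix stops look-alikes such as
// "evilcorp.example.com" from matching.
function isIntranetHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;          // plain host name
  return host === intranetDomain.slice(1) ||
         host.slice(-intranetDomain.length) === intranetDomain;
}

// Policy for the browser in the internal zone. Deployed as a PAC file,
// this function would be named FindProxyForURL.
function internalFindProxyForURL(url, host) {
  if (isIntranetHost(host)) return "DIRECT";
  // External URL: never fetched at the internal label; handed to url-xfer.
  // No DIRECT fallback is listed, so a dead transfer service fails closed.
  return urlProxy;
}

// Policy for the browser in the public zone (also FindProxyForURL when
// deployed). Refusing intranet names here is an added assumption that
// backs up the label checks; the page does not describe it.
function publicFindProxyForURL(url, host) {
  if (isIntranetHost(host)) return "PROXY 127.0.0.1:9"; // discard port
  return corpProxy;
}
```
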
You must configure your browser proxy settings appropriately, via the
Connection Settings panel for Proxies. This is normally under the
For example, in the public browser you should specify the following URL:
In the internal browser you should specify the following URL:
The shell script ./bin/openURL is specific to Firefox. If you are using
a different browser you will need to customize this script. If the
mozilla-xremote-client application is not in /usr/lib/firefox you will
need to correct the pathname.
In addition to these steps, you will need to specify the networking
policy for web access. All of the following steps can be done
graphically using the Computers and Networks GUI in the Solaris
Management Console. If you prefer to get your hands dirty, the files
can be edited by hand.
The port 8080 in the public zone must be specified as a Multilevel
Port. If you are using an all-zones IP address in the public zone, you
should specify the port of the shared IP address.
The /etc/security/tsol/tnzonecfg entry would look like this:
If the public zone has a unique IP address, you should specify the per-zone port. The entry should look like this:
You will need to create unlabeled hosts type entries for the public and
internal labels. The entries should look like this in
You should assign the public template to your corporate web proxy
server, and specify that the default template for your corporate
network is internal.
You will need entries like this in /etc/security/tsol/tnrhdb
# Corporate Proxy Servers
# Default Label for Corporate Intranet
You should reboot the public zone after the configuration is complete.
Then you should enable the service in the public zone as follows:
# svcadm enable url-xfer
You should now be able to run the demonstration. How'd it go?