Glenn Faden's Blog

  • August 24, 2006

Want to Try Safe Browsing?

Guest Author
If you have installed Solaris Trusted Extensions, you may want to try
the Safe Browsing environment that I use at Sun. The configuration is a
bit complicated, but I have provided most of the files in a compressed
tar file, txdemo, which you can download. After uncompressing the file you should extract
it as root in the global zone. The tar file will extract into /opt/txdemo.

It is assumed that you will be using separate Firefox browsers in the
public and internal zones. The public zone will be used to access the
external Internet and the internal zone will be used for the internal
Intranet. To maintain network separation, a URL transfer service will
forward external URLs from your internal browser so that they can be
processed using the public browser.

Some of these files need to be customized or copied.

The manifest for the url-xfer service needs to be copied into the
public zone which you will use to access the public Internet. You
should do this as root in the public zone. For example:
    # cd /var/svc/manifest/application
    # mkdir web
    # cp /opt/txdemo/var/svc/manifest/application/web/url-xfer.xml web

The two proxy.pac scripts (public.pac, internal.pac) should be
customized as described in each script. The values for urlProxy and
corpProxy should be changed as appropriate for your office environment.
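
The routing decision the two scripts make can be sketched as follows. This is an added example, not the public.pac or internal.pac shipped in txdemo; only the names urlProxy and corpProxy come from the scripts, while the host names, the intranet domain and the helper function names are constructed placeholders.

```javascript
// Added sketch; not the scripts from txdemo. Host names are placeholders.
var urlProxy  = "PROXY public-zone.example.com:8080"; // url-xfer listener (assumed address)
var corpProxy = "PROXY webproxy.example.com:8080";    // corporate web proxy (assumed address)
var intranetDomain = "corp.example.com";              // assumed intranet DNS suffix

// True for unqualified names and for hosts inside the intranet domain.
function isIntranetHost(host) {
  host = host.toLowerCase().replace(/\.$/, "");       // normalize case, trailing dot
  if (host.indexOf(".") === -1) return true;          // plain host name
  if (host === intranetDomain) return true;
  var suffix = "." + intranetDomain;
  return host.slice(-suffix.length) === suffix;       // match on a label boundary only
}

// internal.pac logic: intranet hosts are fetched directly, every other URL
// is handed to the URL transfer service. There is no "; DIRECT" fallback,
// so an external URL is never fetched from the internal zone, even when
// the transfer service is unreachable.
function internalFindProxy(url, host) {
  return isIntranetHost(host) ? "DIRECT" : urlProxy;
}

// public.pac logic: everything from the public zone leaves through the
// corporate proxy, again with no direct fallback.
function publicFindProxy(url, host) {
  return corpProxy;
}

// In internal.pac: function FindProxyForURL(url, host) { return internalFindProxy(url, host); }
// In public.pac:   function FindProxyForURL(url, host) { return publicFindProxy(url, host); }
```

Matching the intranet suffix on a label boundary keeps a look-alike name such as evilcorp.example.com from being treated as internal.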

You must configure your browser proxy settings appropriately, via the
Connection Settings panel for Proxies. This is normally under the
Preferences menu.

For example, in the public browser you should specify the following URL:

In the internal browser you should specify the following URL:

The shell script ./bin/openURL is specific to Firefox. If you are using
a different browser you will need to customize this script. If the
mozilla-xremote-client application is not in /usr/lib/firefox you will
need to correct the pathname.

In addition to these steps, you will need to specify the networking
policy for web access. All of the following steps can be done
graphically using the Computers and Networks GUI in the Solaris
Management Console. If you prefer to get your hands dirty, the files
can be edited by hand.

The port 8080 in the public zone must be specified as a Multilevel
Port. If you are using an all-zones IP address in the public zone, you
should specify the port of the shared IP address.

The /etc/security/tsol/tnzonecfg entry would look like this:

If the public zone has a unique IP address, you should specify the per-zone port. The entry should look like this:


You will need to create unlabeled hosts type entries for the public and
internal labels. The entries should look like this in

You should assign the public template to your corporate web proxy
server, and specify that the default template for your corporate
network is internal.

You will need entries like this in /etc/security/tsol/tnrhdb
    # Corporate Proxy Servers
    # Default Label for Corporate Intranet

You should reboot the public zone after the configuration is complete.
Then you should enable the service in the public zone as follows:
    # svcadm enable url-xfer

You should now be able to run the demonstration. How'd it go?
