Proxy settings with Packet Tunnel Provider on Big Sur not being honored.

We're setting the following two variables to get proxy data. It has been working for us until we tried it on Big Sur.

```swift
proxySettings?.autoProxyConfigurationEnabled = true
proxySettings?.proxyAutoConfigurationURL = URL(string: pacURL)
```

Has anyone experienced this issue?

Thanks,

Dankira.
Accepted Answer
If you try this from a Network Configuration outside of the Packet Tunnel does it work?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
The issue is both on Big Sur Version 11.0.1 and 11.1

Thanks,

Dankira.
If I set it manually from "System Preferences -> Network -> WiFi -> Advanced -> Proxies -> Automatic Proxy Configuration", it works.

If I push a "Global HTTP Proxy" profile, it works when using Chrome but not with Safari.

Thanks,

Dankira.
Okay, if setting your proxy settings from Proxy Settings via System Preferences -> Proxies -> Automatic Proxy Configuration does work, then can you try extracting these settings using the SCDynamicStore APIs and setting them to your proxy settings in your Network System Extension?

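```swift
import NetworkExtension
import SystemConfiguration

// Wrapped in a function (hypothetical name) so the early `return nil` is valid.
func makeProxyNetworkSettings() -> NETransparentProxyNetworkSettings? {
    let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "x.x.x.x")
    let proxySettings = NEProxySettings()
    // Read the system-wide proxy configuration.
    guard let sysConf = SCDynamicStoreCopyProxies(nil) as? [CFString: AnyObject] else {
        return nil
    }
    proxySettings.autoProxyConfigurationEnabled = sysConf[kSCPropNetProxiesProxyAutoConfigEnable] as? Bool ?? false
    // proxyAutoConfigurationURL is a URL?, so convert the stored string.
    proxySettings.proxyAutoConfigurationURL = (sysConf[kSCPropNetProxiesProxyAutoConfigURLString] as? String).flatMap { URL(string: $0) }
    proxySettings.proxyAutoConfigurationJavaScript = sysConf[kSCPropNetProxiesProxyAutoConfigJavaScript] as? String
    /* Additional proxy settings */
    settings.proxySettings = proxySettings
    return settings
}
```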


If this does not work, try hardcoding some of your proxy settings as a test. This is not something you should deploy, but this should work as a test to see if these values are picked up for specific flows that match your proxy settings in your PAC file. For example, try hard coding a URL to your PAC file and if your flows fall within range that match your PAC file then you should see the remoteEndpoint reflect this when handed off to your provider in handleNewFlow. If that does not work then it could indicate an issue with your project configuration.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Need to do more testing.
The call for sysConf[kSCPropNetProxiesProxyAutoConfigURLString] as? String actually shows what’s set in the systemwide proxy setting. However, it is not giving the desired effect. I am not sure if this works because the systemwide proxy settings get invalidated when a packet-tunnel extension is loaded. This has been my experience working with iOS and OSX. So, I am not sure if this is a valid test.

I have been doing my test by hard-coding the proxy return. It always returns something like “return "PROXY x.x.x.x:80";”. Nothing going DIRECT.

I see the agent downloading the pac script when running wireshark so I am sure the setting is received by the packet-tunnel framework. The issue is more that each http request is not utilizing the proxy setting. 

We’re using Packet Tunnel Provider in destination IP mode. We are using “packetFlow.readPackets { }” interface to pull data.

I also tried pushing “Global Proxy” through JAMF. I see only “Description” and “Auto” being pushed. I don’t see “ProxyPACURL” being pushed onto the MacBook. I am not sure if this is an issue with Apple or JAMF.

The agent is still working under Catalina but not on Big Sur. I am wondering as to what changed.

Thanks,

Dankira.
Interesting. Okay, well if you are seeing a difference in functionality between Catalina and Big Sur then that is worth opening a bug report for further investigation. Please follow up with your Feedback ID.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Thank you, Matt.

I submitted a bug: https://feedbackassistant.apple.com/feedback/8983799

Thanks,

Dankira.
Dankira,

Thank you for opening a bug report. In Catalina when you parsed the IP Packets coming off the virtual interface did you see proxy settings being applied to your packets at that point, and in Big Sur you are not seeing them? If so, you may want to test this with the latest version of Big Sur, or at least 11.2 Beta to see if that improves your situation at all. If you run this test, please make sure to update your bug report with those findings.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
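The two checks discussed in this thread, a hard-coded PAC and inspection of the IP packets read from the virtual interface, combined in one diagnostic provider. This is an added example, not code from any poster or from Apple; the class name, the 192.0.2.x and 10.0.0.x addresses and the log format are assumptions chosen for testing.

```swift
import NetworkExtension

// Test-only provider (hypothetical class name): hard-coded PAC, logs packet destinations.
final class PACTestTunnelProvider: NEPacketTunnelProvider {
    // Placeholder test values, not taken from the thread.
    private let tunnelRemote = "192.0.2.1"
    private let proxyIP = "192.0.2.10"

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelRemote)
        let ipv4 = NEIPv4Settings(addresses: ["10.0.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]   // destination IP mode, all routes
        settings.ipv4Settings = ipv4

        let proxy = NEProxySettings()
        proxy.autoProxyConfigurationEnabled = true
        // Inline PAC that never returns DIRECT, like the hard-coded test in the thread.
        proxy.proxyAutoConfigurationJavaScript =
            "function FindProxyForURL(url, host) { return \"PROXY \(proxyIP):80\"; }"
        // matchDomains is left nil so the settings apply to all HTTP connections.
        settings.proxySettings = proxy

        setTunnelNetworkSettings(settings) { [weak self] error in
            completionHandler(error)
            if error == nil { self?.logDestinations() }
        }
    }

    // Reads packets off the virtual interface and logs each IPv4 destination.
    // Packets are dropped here; this is a diagnostic, not a working tunnel.
    private func logDestinations() {
        packetFlow.readPackets { [weak self] packets, _ in
            guard let self = self else { return }
            for packet in packets {
                let bytes = [UInt8](packet)
                guard bytes.count >= 20, bytes[0] >> 4 == 4 else { continue } // IPv4 only
                // Destination address is bytes 16..19 of the IPv4 header.
                let dst = bytes[16..<20].map { String($0) }.joined(separator: ".")
                NSLog("dst=%@ viaProxy=%@", dst, dst == self.proxyIP ? "yes" : "no")
            }
            self.logDestinations()
        }
    }
}
```

If the PAC is honored, HTTP requests from a browser should appear as packets addressed to the proxy IP; packets addressed straight to origin servers indicate the proxy settings are being ignored.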
Hi Matt,

Sorry, I somehow overlooked your last message. I tested also with the released version of Big Sur 11.2 and it is the same. In Catalina, I see the proxy settings being applied when parsing the IP packets but not in all versions of Big Sur.

Our customer is asking for a "Radar" ticket so that they can follow the issue from their end. Where can I get that information?

Thanks for the help.

Dankira.
Dankira,

Thank you for the update. The Radar (r. 73723242) associated with this is an internal system that Apple uses to keep track of Feedbacks. So the best place to get information on this bug from your end is the Feedback system, as this is where pertinent communication will be delivered.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Thank you, Matt.

Dankira.
This issue is fixed in Big Sur Version 11.3 Beta (20E5210c).

This issue is fixed in Big Sur Version 11.3 Beta (20E5210c).

Great news, thank you for the update!


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com