We have a Man In The Middle proxy that supports all kinds of protocols (http, tls, dns, mail protocols, grpc, etc...)... On Apple devices we are running it using the Network Extension framework as a NETransparentProxy.
First of all, thank you for the framework; it took a while to learn the ins and outs but it works nicely and runs smoothly... However, now that we start to roll it out to customers we see issues here and there.. For most it works fine, but for some that use other proxy/VPN solutions they run into all kinds of "connectivity" issues...
E.g. some customers run products from companies like zscaler, fortinet, tailscale etc...
First we weren't sure if you could even run multiple TransparentProxies that have the same network capture rules (e.g. the entire TCP range), but it turns out that is fine, as we tested it with a demo proxy of ours as well as the product version, both deployed as system extension NETransparentProxies, and it all works fine.. However, here too the ordering is not clear? Traffic seems to flow through both, but I cannot tell what the order is and whether the user or we have any control over it.
Now... Our proxy is not a VPN and thus does not open a tunnel to a remote location. It is local only, there to protect the developer. As such, in theory it should be compatible with any other VPN and proxy, as any traffic we intercept (all traffic) is still fine to go through their proxy/client VPN and then through a remote tunnel if desired.
So the questions I have are:
Is there a way, either from within the code or that our users can configure, to control the order of multiple (network extension or other) proxies?
Is TransparentProxy the correct solution if I also want compatibility with these other products and want to MITM the traffic?
The flows that currently work fine are:
ClientApp --> NETransparentProxy[ours] --> remote target server
clientApp --> L7 HTTP/SOCKS5 Proxy (system or app-defined) --> NETransparentProxy[ours] --> remote target server
clientApp --> L7 HTTP/SOCKS5 Proxy (system or app-defined) --> NETransparentProxy[ours/demo] --> NETransparentProxy[demo/ours] --> remote target server
However, when people also have products from zscaler, fortinet, tailscale or some others it seems to work sometimes but not always, which makes me think it is order dependent?
What all of them have in common is that they need to go through a remote tunnel, whereas we do not go through a remote tunnel... Which, if I am correct (perhaps I am not), should mean that as long as traffic always goes first via us, it should work?
e.g.
clientApp --> NETransparentProxy[ours] --> NETransparentProxy/Tunnel/...[third party vpn] --> Vpn Server --> remote target server
That should in that case just work.
But it does not work in case we are behind the (VPN/proxy) client.
Please let me know if I have provided enough detail and if I'm clear? I am mostly wondering about:
what I can expect in terms of compatibility
whether there is anything I (or our company's users) can do about ordering/priority/something?
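For readers unfamiliar with the setup described above, here is an added example (not the poster's code) of a NETransparentProxyProvider whose capture rule covers the entire outbound TCP range, as the post mentions; the class name, the log subsystem and the assumption that a local-only proxy can pass a loopback `tunnelRemoteAddress` are mine.

```swift
import NetworkExtension
import os.log

// Added example, not the poster's product code: a transparent proxy provider
// that asks the system for every outbound TCP flow ("the entire TCP range").
final class DemoTransparentProxyProvider: NETransparentProxyProvider {
    // Assumed subsystem/category names for logging.
    private let log = OSLog(subsystem: "example.transparent-proxy", category: "provider")

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        // The API requires a tunnelRemoteAddress even though a local-only proxy
        // never tunnels anywhere; loopback is used here as an assumption.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // 0.0.0.0 with prefix 0 matches any IPv4 host, port "0" matches any port:
        // together this is the "entire TCP range" capture rule from the post.
        let allOutboundTCP = NENetworkRule(
            remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "0"),
            remotePrefix: 0,
            localNetwork: nil,
            localPrefix: 0,
            protocol: .TCP,
            direction: .outbound)
        settings.includedNetworkRules = [allOutboundTCP]

        setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // Called once per flow that matches the rules above. Logging the source app
    // and destination is the quickest way to observe which flows reach this
    // provider when other VPN/proxy products are installed alongside it.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcpFlow = flow as? NEAppProxyTCPFlow else { return false }
        let app = flow.metaData.sourceAppSigningIdentifier
        let destination = String(describing: tcpFlow.remoteEndpoint)
        os_log("new TCP flow from %{public}@ to %{public}@",
               log: log, type: .info, app, destination)
        // Returning false lets the system handle the flow normally; a real MITM
        // proxy would open the flow, relay it to its local engine and return true.
        return false
    }
}
```

Watching these log lines with and without a third-party VPN client active shows directly whether a given flow still reaches this provider, which is the ordering question the post raises.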