Using FME Server with a Proxy Server
A proxy server is a computer on your LAN that allows you to connect to external servers without compromising the security of your internal network. If you are consuming FME Server Web Services and your organization uses a proxy server on your network, you can configure FME Server to connect through the proxy.
1. Set Up the Proxy Server Connection
To connect FME Server to a proxy server, follow the appropriate set of instructions, depending on the Windows account that is running the FME Server System Services:
Note: To determine the account that is running the FME Server System Services, run services.msc. In the Services dialog, the account that is running any of the FME Server-related services is listed under Log On As.
- On all machines hosting FME Engines, log on to Windows using an administrator account.
- Run the Windows Command Prompt as administrator, and execute the following commands:
netsh
winhttp
set proxy <ProxyServerName>:<Port_No>
Where <ProxyServerName> is the proxy server name, and <Port_No> is the port through which communication with the proxy server takes place.
For example:
netsh
winhttp
set proxy myproxy:80
Note: For more information about the set proxy syntax, see https://technet.microsoft.com/en-us/library/cc731131.aspx#BKMK_5
- On all machines running FME Engines, log on to Windows using the account that runs the FME Engines.
- From the Start menu, choose Control Panel > Internet Options > Connections > LAN settings.
- Check the box beside Use a proxy server for your LAN.
- Enter the address and port number for your proxy server. Click OK.
- Test the connection to your proxy server. Open a browser and navigate to a web site. If the connection is set up properly, you are prompted to provide proxy server credentials before the web site opens.
2. Make the FME Engines Aware of the Proxy Server
- Run the Windows Command Prompt as administrator, and navigate to:
$(FME_SERVER_HOME)\Server\fme
- Run the following commands:
fme.exe APPLY_SETTINGS SYSTEM "Proxy/Proxy Setting" "Use System Proxy"
fme.exe APPLY_SETTINGS SYSTEM "Proxy/Proxy Authentication Method" "<Basic|Digest|NTLM>"
fme.exe APPLY_SETTINGS SYSTEM "Proxy/Proxy Server Require Authentication" "true"
fme.exe APPLY_SETTINGS SYSTEM "Proxy/Proxy Username" "<UserName>"
fme.exe APPLY_SETTINGS SYSTEM "Proxy/Proxy Password" "fme_encrypt(<password>)"
Where:
  - <Basic|Digest|NTLM> is Basic, Digest, or NTLM, depending on the authentication method used by the proxy server. If not specified, Basic is assumed.
  - <UserName> is the username for running the proxy server.
  - <password> is the password for the proxy server account.
- (Applies only to any Amazon S3 configurations, including Amazon S3 Bucket Modified triggers, Upload to Amazon S3 external actions, Amazon S3 Watch Publisher, Amazon S3 Subscriber, and Amazon S3 bucket Resources.)
  - Open fmeCommonConfig.txt.
  - Update the following settings:
SYSTEMPROXY_ENABLED=true
SYSTEMPROXY_AUTHENTICATION=true
SYSTEMPROXY_USER=<UserName>
SYSTEMPROXY_PASSWORD=<password>
Where <UserName> is the username for running the proxy server and <password> is the password for the proxy server account.
  - Open the propertiesFile.properties file under the fmerest folder, and update the same settings as above.
3. Make the FME Server S3 Publisher, S3 Subscriber, and S3 Resources Aware of the Proxy Settings
Note: Applies only to any Amazon S3 configurations, including Amazon S3 Bucket Modified triggers, Upload to Amazon S3 external actions, Amazon S3 Watch Publisher, Amazon S3 Subscriber, and Amazon S3 bucket Resources.
- Open processMonitorConfigCore.txt.
- Add the following settings to the START_SYSTEM_Subscriber_s3 and START_SYSTEM_Publisher_s3watch configurations to specify which proxy server to use. Replace <my-proxy-host> with the name of the proxy server hostname, and <my-proxy-port> with the proxy server communication port:
-Dhttp.proxyHost=<my-proxy-host> -Dhttp.proxyPort=<my-proxy-port> -Dhttps.proxyHost=<my-proxy-host> -Dhttps.proxyPort=<my-proxy-port> -Dhttp.nonProxyHosts=localhost
For example:
START_SYSTEM_Subscriber_s3="C:/Program Files/FMEServer/Utilities/jre/bin/FMESubscriber.exe" -FMESERVER_CLASSPATH "C:/Program Files/FMEServer/Server/lib/;C:/Program Files/FMEServer/Server/lib/fmeutil/;C:/Program Files/FMEServer/Utilities/jdbc/*" -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Stack=true -Dhttp.proxyHost=qc-proxynoauth -Dhttp.proxyPort=8080 -Dhttps.proxyHost=qc-proxynoauth -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=localhost -Xms32m -Xmx256m COM.safe.fmeserver.notification.plugin.FMESubscriberPluginS3 "C:/Program Files/FMEServer/Server/config/subscribers/s3.properties"
- Open <FMEServerDir>\Utilities\configureTomcat.bat for editing. (Or, if your FME Server installation uses your own web application servlet, open the equivalent file.)
- Append the same proxy settings to the line beginning with "%EXECUTABLE%" //US//%SERVICE_NAME% --JvmOptions:
For example:
"%EXECUTABLE%" //US//%SERVICE_NAME% --JvmOptions "-Dcatalina.base=%TOMCAT_DIR%;-Dcatalina.home=%TOMCAT_DIR%;-Djava.endorsed.dirs=%TOMCAT_DIR%\endorsed;-Djava.io.tmpdir=%TEMP_DIR%\tomcat;-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;-Djava.util.logging.config.file=%TOMCAT_DIR%\conf\logging.properties;-Dhttp.proxyHost=qc-proxynoauth;-Dhttp.proxyPort=8080;-Dhttps.proxyHost=qc-proxynoauth;-Dhttps.proxyPort=8080;-Dhttp.nonProxyHosts=localhost"
- Reinstall the FME Server Application Server Windows Service:
Execute the following command from a command prompt, modifying the path according to the installation directory of your FME Server:
configureTomcat.bat remove "C:\Program Files\FMEServer\Utilities"
Execute the following command, modifying the path according to the installation directory of your FME Server System Share:
configureTomcat.bat install "C:\Program Files\FMEServer\Utilities" "C:\ProgramData\Safe Software\FME Server\resources\system\temp"
4. Restart the FME Server System Services
Restart all of the FME Server System Services. For more information, see Starting and Stopping FME Server Manually.
Specifying Custom Proxy Maps
You can specify custom proxy maps in addition to, or instead of, using the system proxy. A custom proxy map allows you to map access to specific URLs through an alternative proxy on your system. Use a custom proxy map if you need to bypass your network's default rules or system proxy settings in order to access these URLs.
The following syntax specifies how to map access to one or more URLs through a custom proxy. Repeat all parameters for each URL, as shown:
fme.exe APPLY_SETTINGS SYSTEM "Proxy/Custom Proxy Map" "<Source_URL>,<Proxy_URL>,<Proxy_Port>,<Requires_Authentication>,<UserName>,fme_encrypt(<Password>),<Authentication_Method>[,<Source_URL>,<Proxy_URL>,<Proxy_Port>,<Requires_Authentication>,<UserName>,fme_encrypt(<Password>),<Authentication_Method>]"
Where:
Other Notes
To use a proxy server without authentication, instead specify:
fme.exe APPLY_SETTINGS SYSTEM "Proxy/Proxy Server Require Authentication" "false"
To stop using the proxy server, run:
fme.exe APPLY_SETTINGS SYSTEM "Proxy/Proxy Setting" "No Proxy"
1. Set Up the Proxy Server Connection
A proxy connection must be configured on all machines hosting FME Engines.
You can use a graphical administration tool specific to your Linux distribution. For example, using the Ubuntu graphical tool, proxy servers are configured under Network > Network Proxy.
Alternatively, open the /etc/environment file in an editor and edit it directly:
- Add the following lines, modifying appropriately.
http_proxy="http://<my_proxy.server.com>:<my_proxy_port>/"
https_proxy="http://<my_proxy.server.com>:<my_proxy_port>/"
no_proxy="localhost,127.0.0.1,<my_local_address>,.<my_local_domain.com>"
HTTP_PROXY="http://<my_proxy.server.com>:<my_proxy_port>/"
HTTPS_PROXY="http://<my_proxy.server.com>:<my_proxy_port>/"
NO_PROXY="localhost,127.0.0.1,<my_local_address>,.<my_local_domain.com>"
- In some Linux releases, the apt-get update command clears all environment variables when used with sudo. To maintain the values configured above, edit file /etc/sudoers as follows:
  - Run the following command to open the file for editing safely:
visudo
  - Locate the following line:
Defaults env_reset
  - After this line, add the following line:
Defaults env_keep = "<environment_variables>"
where <environment_variables> are the environment variables modified in step 1a. For example:
Defaults env_keep = "http_proxy https_proxy"
- Log out and reboot to make sure the changes take effect.
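A check for the /etc/environment entries above, as an added example that is not part of the FME Server documentation. The function names, the sample file contents and the hostnames in it are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): audit an /etc/environment-style file.
# Prints one finding per line; returns 0 only when the file is clean.

# value_of NAME FILE: last NAME=value assignment, surrounding quotes removed.
value_of() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

check_proxy_env() {
    local file="$1" bad=0 name upper lv uv host
    for name in http_proxy https_proxy no_proxy; do
        upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
        lv=$(value_of "$name" "$file")
        uv=$(value_of "$upper" "$file")
        if [ -z "$lv" ] || [ -z "$uv" ]; then
            echo "MISSING: set both $name and $upper"; bad=1
        elif [ "$lv" != "$uv" ]; then
            # Programs read one spelling or the other, so routes would diverge.
            echo "MISMATCH: $name and $upper differ"; bad=1
        fi
        # /etc/environment is normally world-readable: a user:password@
        # prefix in a proxy URL discloses the proxy account to local users.
        if [ "$name" != no_proxy ] &&
           printf '%s\n%s\n' "$lv" "$uv" | grep -Eq '://[^/@]+:[^/@]*@'; then
            echo "CREDENTIALS: $name embeds a password in the URL"; bad=1
        fi
    done
    # Loopback traffic should bypass the proxy, as no_proxy above specifies.
    for host in localhost 127.0.0.1; do
        case ",$(value_of no_proxy "$file")," in
            *",$host,"*) ;;
            *) echo "NO_PROXY: $host is not excluded"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample: mismatched HTTPS_PROXY, embedded password, no 127.0.0.1.
sample=$(mktemp)
cat > "$sample" <<'EOF'
http_proxy="http://svc:Secret1@proxy.example.internal:8080/"
https_proxy="http://proxy.example.internal:8080/"
no_proxy="localhost,.example.internal"
HTTP_PROXY="http://svc:Secret1@proxy.example.internal:8080/"
HTTPS_PROXY="http://other.example.internal:8080/"
NO_PROXY="localhost,.example.internal"
EOF
check_proxy_env "$sample" || echo "audit found problems in the sample"
rm -f "$sample"
```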
2. Make the FME Engines Aware of the Proxy Server
- Run the Linux command line and navigate to: /opt/fme-engine-<year>, where <year> is the FME Server release version, such as 2016.
- Run the following commands:
./fme APPLY_SETTINGS SYSTEM "Proxy/Proxy Setting" "Use System Proxy"
./fme APPLY_SETTINGS SYSTEM "Proxy/Proxy Authentication Method" "<Basic|Digest|NTLM>"
./fme APPLY_SETTINGS SYSTEM "Proxy/Proxy Server Require Authentication" "true"
./fme APPLY_SETTINGS SYSTEM "Proxy/Proxy Username" "<UserName>"
./fme APPLY_SETTINGS SYSTEM "Proxy/Proxy Password" "fme_encrypt(<password>)"
Where:
  - <Basic|Digest|NTLM> is Basic, Digest, or NTLM, depending on the authentication method used by the proxy server. If not specified, Basic is assumed.
  - <UserName> is the username for running the proxy server.
  - <password> is the password for the proxy server account.
- (Applies only to any Amazon S3 configurations, including Amazon S3 Bucket Modified triggers, Upload to Amazon S3 external actions, Amazon S3 Watch Publisher, Amazon S3 Subscriber, and Amazon S3 bucket Resources.)
  - Open fmeCommonConfig.txt.
  - Update the following settings:
SYSTEMPROXY_ENABLED=true
SYSTEMPROXY_AUTHENTICATION=true
SYSTEMPROXY_USER=<UserName>
SYSTEMPROXY_PASSWORD=<password>
Where <UserName> is the username for running the proxy server and <password> is the password for the proxy server account.
  - Open the propertiesFile.properties file under the fmerest folder, and update the same settings as above.
3. Make the FME Server S3 Resources Aware of the Proxy Settings
Note: Applies only to any Amazon S3 configurations, including Amazon S3 Bucket Modified triggers, Upload to Amazon S3 external actions, Amazon S3 Watch Publisher, Amazon S3 Subscriber, and Amazon S3 bucket Resources.
- Open processMonitorConfigCore.txt.
- Add the following settings to the START_SYSTEM_Subscriber_s3 and START_SYSTEM_Publisher_s3watch configurations to specify which proxy server to use. Replace <my-proxy-host> with the name of the proxy server hostname, and <my-proxy-port> with the proxy server communication port:
-Dhttp.proxyHost=<my-proxy-host> -Dhttp.proxyPort=<my-proxy-port> -Dhttps.proxyHost=<my-proxy-host> -Dhttps.proxyPort=<my-proxy-port> -Dhttp.nonProxyHosts=localhost
For example:
START_SYSTEM_Subscriber_s3="C:/Program Files/FMEServer/Utilities/jre/bin/FMESubscriber.exe" -FMESERVER_CLASSPATH "C:/Program Files/FMEServer/Server/lib/;C:/Program Files/FMEServer/Server/lib/fmeutil/;C:/Program Files/FMEServer/Utilities/jdbc/*" -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv4Stack=true -Dhttp.proxyHost=qc-proxynoauth -Dhttp.proxyPort=8080 -Dhttps.proxyHost=qc-proxynoauth -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=localhost -Xms32m -Xmx256m COM.safe.fmeserver.notification.plugin.FMESubscriberPluginS3 "C:/Program Files/FMEServer/Server/config/subscribers/s3.properties"
- Depending on how your FME Server is configured to start, modify startApplicationServer.sh or startServer.sh, located in <FMEServerDir>/Server, to point to the proxy settings.
For example, in startApplicationServer.sh:
JAVA_OPTS="-Dhttp.proxyHost=qc-proxynoauth -Dhttp.proxyPort=8080 -Dhttps.proxyHost=qc-proxynoauth -Dhttps.proxyPort=8080 -Dhttp.nonProxyHosts=localhost -Xmx1G -Xms128M"
4. Restart the FME Server System Services
Restart all of the FME Server System Services. For more information, see Starting and Stopping FME Server Manually.
Specifying Custom Proxy Maps
You can specify custom proxy maps in addition to, or instead of, using the system proxy. A custom proxy map allows you to map access to specific URLs through an alternative proxy on your system. Use a custom proxy map if you need to bypass your network's default rules or system proxy settings in order to access these URLs.
To map access to a URL through a custom proxy, run this command for each URL:
./fme APPLY_SETTINGS SYSTEM "Proxy/Custom Proxy Map" "<Source_URL>,<Proxy_URL>,<Proxy_Port>,<Requires_Authentication>,<UserName>,<Password>,<Authentication_Method>"
Where:
- <Source_URL> is the URL you want to access. The URL must be an exact match with the URL in the request; for example, http://www.lib.uwaterloo.ca/locations/umd/digitization_project/Roads_NTDB.zip.
- <Proxy_URL> is the URL of the proxy server on your system that will handle requests to the <Source_URL>.
- <Proxy_Port> is the port number on the proxy server through which requests are handled.
- <Requires_Authentication> is true or false, depending on whether the proxy server requires authentication to access. If true, provide <UserName>, <Password>, and <Authentication_Method> (Basic, Digest, or NTLM).
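Because each custom proxy map entry routes one URL around the system proxy, it helps to lint and list the entries before applying them. The following is an added example, not Safe Software code; the function name lint_proxy_map, the sample hosts, and the assumption that an unauthenticated entry keeps its last three fields empty are not from the original page.

```bash
#!/usr/bin/env bash
# Added example (not vendor code): lint a "Proxy/Custom Proxy Map" value and
# list the routes it creates. Field order is the one documented on this page.
# Assumption: an entry with <Requires_Authentication> false still carries all
# seven fields, with <UserName>, <Password> and <Authentication_Method> empty.

lint_proxy_map() {
    printf '%s\n' "$1" | awk -F, '
    NF == 0 || NF % 7 != 0 {
        print "FIELDS: got " NF ", expected a multiple of 7"; bad = 1; exit
    }
    {
        for (i = 1; i <= NF; i += 7) {
            src = $i; proxy = $(i+1); port = $(i+2); auth = $(i+3)
            user = $(i+4); pass = $(i+5); method = $(i+6)
            if (port !~ /^[0-9]+$/) {
                print "PORT: " port " is not numeric (" src ")"; bad = 1
            }
            if (auth == "true") {
                if (user == "" || pass == "") {
                    print "AUTH: username and password required (" src ")"; bad = 1
                }
                if (method !~ /^(Basic|Digest|NTLM)$/) {
                    print "METHOD: " method " is not Basic, Digest or NTLM (" src ")"; bad = 1
                }
            } else if (auth != "false") {
                print "AUTH: " auth " is not true or false (" src ")"; bad = 1
            }
            # Every entry diverts one exact URL away from the system proxy.
            print "ROUTE: " src " via " proxy ":" port
        }
    }
    END { exit bad }'
}

# Constructed sample: two entries, the second with a bad port and method.
map='http://data.example.org/a.zip,proxy-a.example.internal,8080,false,,,'
map="$map,http://data.example.org/b.zip,proxy-b.example.internal,80a,true,svc,PLACEHOLDER,Kerberos"
lint_proxy_map "$map" || echo "map needs fixing before APPLY_SETTINGS"
```

The ROUTE lines give a reviewer the list of URLs that will not pass through the system proxy once the map is applied.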
Other Notes
To use a proxy server without authentication, instead specify:
./fme APPLY_SETTINGS SYSTEM "Proxy/Proxy Server Require Authentication" "false"
To stop using the proxy server, run:
./fme APPLY_SETTINGS SYSTEM "Proxy/Proxy Setting" "No Proxy"