Proxy configuration file (PAC) and WebSockets?

I need a solution

Hello wise people!

We have recently started finding more and more issues with websocket connections. In our infrastructure we have a little bit of a hybrid solution and quite a few internet breakouts globally. To control these flows we are using a proxy config file or PAC and it works like a charm. Until recently…

Example flow:

A web page loaded from “” will want to load data from a third party, say via a VPN connection. From say “”.
For this traffic to be able to reach the VPN it will need to go via a different explicit proxy than the normal surf traffic that gives access to “”.

Easily controlled in a PAC, right, using something like this?

function FindProxyForURL(url, host) {

    // If the hostname matches, send to Proxy A
    if (dnsDomainIs(host, "") ||
        dnsDomainIs(host, ""))
        return "";

    // All other traffic, use Proxy A
    return "PROXY";
}

However.. this seems not to be the case when there are websockets involved recently. I know a websocket connection should start its life as a normal http connection and then upgrade, and this we see in the SG logs.. but before this happens, it ignores what the proxy pac tells it and just goes for the default proxy. Regardless of what variables we use in the pac file. 

Did something change with Websockets? Did our lovely browser magnates decide to change something?
Has anyone else experienced the same and if so, any tips? 🙂

Thank you for your time!
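
One way to rule the PAC logic in or out before looking at the browser is to evaluate the script offline for the same host under http, https, ws and wss and compare the answers. This is an added example, not code from the original post; the host names, proxy addresses and the function names hostOnlyPac, schemeGatedPac and schemeMismatches are constructed for illustration.

```javascript
// Added example: offline consistency check for a PAC file.
// All hostnames and proxy addresses below are constructed placeholders.

// Classic PAC helper semantics: plain case-sensitive suffix match.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// PAC under test, shaped like the one in the post (host-only rule).
function hostOnlyPac(url, host) {
  if (dnsDomainIs(host, ".partner.example.com"))
    return "PROXY vpn-proxy.example.net:8080";
  return "PROXY default-proxy.example.net:8080";
}

// A variant that also gates on scheme; it silently misses ws:// and wss://.
function schemeGatedPac(url, host) {
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") {
    if (dnsDomainIs(host, ".partner.example.com"))
      return "PROXY vpn-proxy.example.net:8080";
  }
  return "PROXY default-proxy.example.net:8080";
}

// Evaluate the PAC for one host under every scheme a browser may pass in,
// and report the schemes whose answer differs from the http:// answer.
function schemeMismatches(pac, host, path) {
  const schemes = ["http", "https", "ws", "wss"];
  const answers = {};
  for (const s of schemes) {
    const url = s + "://" + host + path;
    answers[s] = pac(url, new URL(url).hostname);
  }
  return schemes.filter((s) => answers[s] !== answers.http);
}

const host = "feed.partner.example.com";
console.log("host-only PAC   :", schemeMismatches(hostOnlyPac, host, "/stream"));
console.log("scheme-gated PAC:", schemeMismatches(schemeGatedPac, host, "/stream"));
```

If the list is empty for the real PAC, the script answers identically for WebSocket URLs, and the next place to look is the proxy access log showing which proxy actually received the upgrade request.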




RfHTML5 Error “Citrix Receiver cannot connect to the server” from external connection

  1. Under Citrix Policy, go to Policy
  2. In the middle pane, under Policies, modify an existing policy or create a new policy for external connections.
  3. In the right pane, click Actions > Edit Policy
  4. Edit Unfiltered window will appear, then type websock and hit Enter.
  5. Select WebSock trusted origin server list
  6. Enter the external URL (this allows the external URL as a trusted URL)
  7. Click OK


For internal connections, the policy for the web sockets is as follows:

Web Socket Connects – Allowed

Web Socket Port number – Default 8008

Web sockets trusted origin server – default *

The policy is assigned to all objects in the site.

WebSockets trusted origin server list

This setting provides a comma-separated list of trusted origin servers, usually Receiver for Web, expressed as URLs. Only WebSockets connections originating from one of these addresses are accepted by the server.

By default, the wildcard * is used to trust all Receiver for Web URLs.
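
The difference between the wildcard default and an explicit list, shown as a small model of an origin allow-list check. This is an added example, not Citrix code and not from the original article; the matching rule (exact scheme, host and port) is an assumption, and the URLs are constructed placeholders.

```javascript
// Added example: model of a trusted-origin allow-list check.
// Not Citrix code; matching semantics are assumed, URLs are constructed.

// Parse the comma-separated setting into normalized origins ("*" kept as-is).
function parseTrustedOrigins(setting) {
  return setting.split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => (s === "*" ? "*" : new URL(s).origin));
}

// Accept only when the handshake's Origin header equals a listed origin
// exactly (scheme, host and port), or when the list contains the wildcard.
function originAllowed(originHeader, trusted) {
  if (trusted.includes("*")) return true;
  let origin;
  try {
    origin = new URL(originHeader).origin;
  } catch (e) {
    return false; // missing, "null" or malformed Origin header
  }
  return trusted.includes(origin);
}

// Constructed settings: the wildcard default and an explicit external list.
const wildcard = parseTrustedOrigins("*");
const explicit = parseTrustedOrigins(
  "https://storefront.example.com/Citrix/StoreWeb, https://gateway.example.com:8443");

// Constructed Origin header values as a browser would send them.
const samples = [
  "https://storefront.example.com",               // listed origin
  "https://gateway.example.com:8443",             // listed, non-default port
  "http://storefront.example.com",                // same host, wrong scheme
  "https://storefront.example.com.other.example", // look-alike suffix
  "null",                                         // opaque origin
];
for (const o of samples) {
  console.log(o, "| wildcard:", originAllowed(o, wildcard),
              "| explicit:", originAllowed(o, explicit));
}
```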


Implementing Web Isolation

I need a solution

Dear Team,

On proxy-chaining (ProxySG), what is the best position in the network to put the Threat Isolation Proxy?

Two edge proxies are available in this case: one proxy collects sessions from clients and forwards them to another proxy before reaching the internet.

My concerns are the websocket performance and policy management.

Best Regards,

Eric Halim



7021844: Reflection ZFE 1.0 Features and Release Notes

Product Overview

Reflection ZFE consists of a session server, a management server (Reflection Security Gateway), and the web client. Session allocation, authorization, and authentication are handled through the Reflection Security Gateway (RSG) Administrative WebStation.

The Reflection Management Server provides the engine that serves the sessions to all users that need to connect to your host data. The web client is a terminal emulator that can be accessed through a browser. Once assigned a session, your user has access to the host, provided they have browser access.


  • Supported emulation types: 3270, 5250, VT/SSH
  • Requires only a modern browser—no Java required for end users
  • Centralized management of sessions
  • Sessions can be assigned to all users, individual users, or groups
  • Secure end-to-end connections via TLS/SSL
  • Use of WebSockets to enhance real-time interaction with host
  • Broad platform support
  • Keyboard remapping
  • Metering of sessions

Known Issues

If you encounter an issue in Reflection ZFE, contact Attachmate Technical Support.

Current issues:

  • Recommended Browsers

It is highly recommended that Reflection ZFE users use Google Chrome or Mozilla Firefox. While Reflection ZFE 1.0 supports Microsoft Internet Explorer (IE) 10+, there are known performance issues with IE’s JavaScript engine that may negatively affect the end user experience with Reflection ZFE.

  • “Mixed content” error

When an administrator uses a mix of HTTP and HTTPS, connection requests are blocked and a “mixed content” error displays. To avoid this error:

    • If Reflection Security Gateway is accessed via HTTP, then Reflection ZFE sessions must be accessed (create/edit) via HTTP.
    • If Reflection Security Gateway is accessed via HTTPS, then Reflection ZFE sessions must be accessed (create/edit) via HTTPS.

  • Cannot edit session while logged into Reflection ZFE in another tab

When creating or editing sessions in Reflection Security Gateway, it is best to log out of the Reflection ZFE server that will be used for creating or editing the session. Not doing so can lead to unexpected behavior during the create/edit process.

  • Reflection Security Gateway (RSG) authentication session expires

See Technical Note 2779 for more information.

  • Key Mapping

Certain keys on a numeric keypad and some browser-specific keys cannot be mapped. For example in Chrome, Ctrl+n and Ctrl+w cannot be mapped.

  • Some antivirus software blocks WebSockets

Reflection ZFE requires a WebSocket connection between the web browser and the server. Antivirus software might prevent WebSocket connections, especially when ports 80 or 8080 are used. If you think your antivirus software may be preventing WebSockets, first try a different port. For troubleshooting, see

  • Sessions configured across multiple Reflection ZFE servers

When a Reflection ZFE session is created, a particular Reflection ZFE server is specified by the administrator. When that session is launched from the Links List, it will always be opened on the server specified by the administrator. If there are multiple session servers in the environment, this may lead to unexpected behavior.

  • VT issues

The following issues may occur with VT sessions:


    • Heavy text output, such as from “ls -lR”, may cause slow performance.
    • Scrolling regions may appear slow and/or choppy.
    • Cursor movement may be slow and/or choppy.
    • Internet Explorer is particularly slow, and performance degrades further when higher-than-default values are used for rows and columns.

Character sets

    • Graphical characters and some character sets are not supported.
    • Some non-English characters may cause the terminal display to freeze.

Other VT issues

    • A blinking rectangle is the only cursor style currently supported.
    • Insert/delete column (DECIC, DECDC) may fail.
    • VT400 will not recognize DECSCL.
    • On rare occasions, using VT102-style features with BCE, the left margin is displaced a few inches to the right.
    • Pasting a string containing square brackets ‘[’ or ‘]’ will fail.
    • Pan Down (SU), Pan Up (SD), Scroll Left (SL), and Scroll Right (SR) are not supported.
    • Some VT320 Window Reports (such as DECTTC, DECTLTC, and DECRPDE) fail.
    • Setting columns per page (DECSCPP) or lines per page (DECSLPP) may fail.

  • Known hosts entries

Only ssh-rsa and ssh-dss are valid as public key types for Reflection Security Gateway known_hosts entries. Key types that contain the string “-sha2-256” are not recognized.

  • Extraneous sessions may be launched when using the Links List

When a session is launched from the Reflection Security Gateway Links List, the resulting URL can lead to extra sessions being launched if the user refreshes the page or navigates away from Reflection ZFE and then returns to the session.

  • Field Outline in a 3270 session

The 3270 attributes for field outlines are not fully supported. Reflection ZFE currently supports underline and overline; however, left vertical line, right vertical line, and combinations of the four line types are not yet supported.

  • “(ECL1011) Error connecting to host: Connection to host failed.”

This misleading error message displays when a TLS/SSL connection to a host fails because the certificate was not added to the trusted certificate store. The error is not a connection issue; it is a certificate issue.

If you encounter this error, check the Reflection Security Gateway trusted certificate store. In Administrative Web Station, click Security Setup > Certificates tab. Scroll to View or modify certificates trusted by the terminal emulator applet. If the certificate is not listed, Import it.

  • SSL 3.0 is disabled by default

For security reasons, enabling SSL 3.0 is not recommended. However, for hosts that absolutely require SSL 3.0, you can follow these steps to enable the protocol:

    1. Stop the applications or services that will be using SSL 3.0.
    2. Open <install_dir>/jre/lib/security/ in a text editor.
    3. Remove or comment out the line jdk.tls.disabledAlgorithms=SSLv3.

  • TLS/SSL connections are disabled on machines using IBM JDK 7.1 or 8

See Technical Note 2780 for more information.

  • Session connections are slow and may time out on some platforms when connecting to a host via TLS/SSL

See Technical Note 2781 for more information.

Obtaining the Product

After you purchase Reflection ZFE, the product is available to download from Attachmate Downloads: For more information on using the Download Library, see Technical Note 0200.

For information about purchasing or evaluating Reflection ZFE, please email

Installing the Product

For information about installing the product, see the Reflection ZFE Installation and Deployment Guide:

Technical Resources

For more information about Reflection ZFE, see the Technical Resources page:


Require Intermediate results using live audio with Watson’s Speech to text (websockets)

I am working on IBM Watson’s Speech-to-Text (Websockets). I want to use a microphone which takes my audio input in chunks, and as soon as a chunk of audio is received it is converted into text using websockets, just like what happens in Google voice search.

Here is some code that I found. This code does what I want, but it takes pre-recorded audio files, which is not my requirement.

Can anybody please help me to achieve my required goal? Is there anybody who can provide a code sample of what I want to do, or tell me how I should edit the above code so that it fulfills my requirement?

It's urgent!! Please help!!


http 400 – Websockets with WAS 9 and IIS


I have set up a WAS9 environment with Java 8 to support a websockets application (using cometd).

The application works when I use the direct port of the application server (port 9082),

but when I use IIS + plugin it returns an HTTP code of 400.

I have installed websockets support into IIS but that didn't solve the question.

Do you know if the combination IIS + plugin WAS9 works for websockets?
(I searched around and noticed that it only works for Apache-based browsers. Did it change?)

Joao Mota