Introduction

This guide takes you through the migration from OpenText SOCKS and to the new company
approved ProxyCap.

Information on how to load the migrated Nordic SOCKS profile and test basic access will also be
covered.

Contents
Introduction...........................................................................................................................................1
Pre-migration steps...............................................................................................................................2
Uninstall OpenText SOCKS.....................................................................................................................3
Install ProxyCap.....................................................................................................................................4
Load the Nordic profile..........................................................................................................................6
Test access.............................................................................................................................................8
Post-migration steps and seeking help................................................................................................10
Uninstalling ProxyCap..........................................................................................................................11
Known caveats and various tips...........................................................................................................12
Using multiple profiles.....................................................................................................................12
Caveats............................................................................................................................................14
No valid GSSAPI library ….............................................................................................................14
Closing ProxyCap.........................................................................................................................14
ProxyCap fake name resolution...................................................................................................14
Combined IP and name rules.......................................................................................................15
Compatibility with WSL2..............................................................................................................15
Remote system resets connections (connection reset by peer error).........................................15
Credits.................................................................................................................................................16
Pre-migration steps
Before migrating, you must ensure you have a license to ProxyCap.

1. Go to the license request site in ServiceNow.

https://kyndryl.service-now.com/slm?
id=slm_request&sys_id=a0efcf0f97c41110f75bd2b00153afa3&sysparm_category=8c4fba8d
dbae41940fff28df4b961990

2. Fill out the license request form. It could look like this:

The version field should be a drop-down list (could take a few seconds to load after clicking).

3. Complete the request and wait for the license approval. You will get the following e-mails:

a. License request submitted

b. Your software license is available

4. Don’t continue this guide until you have received the second acknowledgement e-mail.

5. Set aside some time for the following steps. If you are critically dependent on proxy features
to reach customer environments, also set aside some time for troubleshooting in case
something goes awry while migrating.
Uninstall OpenText SOCKS
Ensure you have OpenText SOCKS removed, and that it won’t accidentally re-launch.

In case you have other proxy clients installed, like Proxifier, these must be uninstalled as well.
ProxyCap is not compatible with other proxy clients installed.

1. Open the Add or remove programs window

2. Find OpenText SOCKS on the list of installed programs (and any other proxy clients)

3. Select it, and click Uninstall

4. Reboot after uninstalling

Install ProxyCap
The following steps guide you through installing the correct version of ProxyCap. If you have an older
version installed for any reason, you don’t have to uninstall it first.

1. Open the Company Portal through the Start menu.

2. Enter proxycap in the Company Portal search bar and search. Select the ProxyCap icon from
the search results.

3. Verify that the version you have available is 5.38 or newer.

4. Click the Install button

5. Wait for ProxyCap to be installed. This might take some time. Just because the Company
Portal shows (Installed), it does not mean ProxyCap is installed yet.

6. When the Intune extension in Microsoft notification center tells you ProxyCap has been
installed, you must reboot. Here’s an example with Okta.

You can open the notification center in the lower right corner of the taskbar.

7. Reboot.

8. Your ProxyCap installation is now ready for the next step.

Load the Nordic profile
1. If for some reason you have ProxyCap installed already (from before following this guide),
check first that you have the correct version installed and ensure it’s v5.38.
Earlier versions do not work with the Nordic profile!

a. The working version is released on the Company Portal on Monday 12 September,

and it will not automatically upgrade from v5.37 to v5.38. In the Company Portal it
will be listed as not installed, and you can install it again according to the previous
section Install ProxyCap.

b. You can also check your version by opening the About ProxyCap window through the
task bar. Right click on the ProxyCap icon, then select About ProxyCap.

2. Make sure you have the new Nordic profile downloaded to your PC.

3. Open the ProxyCap Configuration UI through the task bar, then right click the ProxyCap icon,
then select Configuration

4. Once in the Configuration GUI, select Ruleset, then click Load…

5. Locate your Nordic profile, select it, and click Open

6. Accept the load message

7. Important! Click OK on the Configuration window

8. Your Nordic SOCKS profile is now loaded and active

Test access
Apart from testing access through using your normal customer systems that utilize the proxies, you
can explicitly test proxy access to your customers systems by following this section.

1. Open the ProxyCap Configuration UI through the task bar, then right click the ProxyCap icon,
then select Configuration

2. Once in the Configuration GUI, select Proxies, then a server you wish to test, then click the
yellow lightning bolt Check Proxy Server button.

3. Enter a desired test method, enter a customer URL and click Check Now

Do note, however, that you will only be able to test systems reachable by the proxies! You
will in most cases not be able to test arbitrary locations (duckduckgo.com or other
locations), since the proxies usually only allow for very specific destinations related to the
customer.
4. If you get a FAILED…

a. Did you remember to connect the GlobalProtect VPN?

b. Did you remember to connect with Toxclient or similar?

5. Hopefully you will see a SUCCEEDED message

Post-migration steps and seeking help
After successfully having migrated to ProxyCap, you need to hand in your OpenText license. You can
do this at
https://kyndryl.service-now.com/slm?
id=slm_request&sys_id=6a1f450b1b4468d050834002dd4bcbd9

For very basic help, you can check the Help@Kyndryl page on ProxyCap:
https://help.ocean.ibm.com/help/ui/#/article/proxycap/

Generally, there is not much help to get there, so you are encouraged to use the following channels.

If you have issues with ProxyCap in general, and your colleagues with the same Nordic profile do not
experience issues, you would most likely need to reach out to ProxyCap Support at
http://www.proxycap.com/support.html
which also answers some commonly asked questions. You can also reach out to the ProxyCap
Support at customersupport@proxylabs.com.

If you are experimenting with modifying the profile, or are otherwise an advanced user of ProxyCap,
you might find help in the Kyndryl ProxyCap community on Yammer.
Uninstalling ProxyCap
If for some reason you do not need ProxyCap anymore, and wish to uninstall it, you might need to
do the following. Some employees experience that after uninstalling ProxyCap, after a reboot the
installation is launched again by Intune.

1. Remove from the Startup apps list

Picture credit: Klaudia.Schoenherr

2. Uninstall as normally through Add or remove programs

Remember to hand in your license at

https://kyndryl.service-now.com/slm?
id=slm_request&sys_id=6a1f450b1b4468d050834002dd4bcbd9
Known caveats and various tips
A list of a few known caveats and various tips to using ProxyCap efficiently.

Using multiple profiles

If you use multiple ProxyCap profiles, possibly also modifying them, the following workflow might be
handy for you.

As far as I could figure out, the current ruleset being worked on is the "displayed" one, as opposed to
"the one that is loaded". That is, there is the "displayed" ruleset and the "active" ruleset.

There is no notion of working on a "ruleset defined by a specific file". Rather there are the following
operations:

 Load: will read a ruleset from a file, and display it in the GUI (the displayed ruleset is not
active).

 Save as: will write the currently displayed ruleset in a file. The saved ruleset is not activated.

 OK: activate the currently displayed ruleset, and save it in \ProgramData\ProxyCap\

machine.prs, but do not save it in any other file

 Cancel/close window: will discard any changes to the currently displayed ruleset (there is no
notion of an "open" ruleset file), and will not change the currently active profile.

 Reboot: load and activate the rules saved in \ProgramData\ProxyCap\machine.prs

 Open the ProxyCap Config GUI: load and display the rules saved in \ProgramData\ProxyCap\
machine.prs

 Open the ProxyCap Config GUI without a machine.prs file present: will result in an error
"Failed to load ruleset: The system cannot find the file specified."

Replacing the machine.prs file with normal file operations (delete, copy new file to machine.prs) will
effectively also load a new profile. Restarting the ProxyCap service or GUI is not necessary.

That means "working on a ruleset file" is not well defined by ProxyCap but must be defined by the
user. My workflow for managing multiple rulesets currently is to:

1. Load rules from file

2. Modify open rules

3. Save them immediately to file

4. And press cancel

This way I ensure:

 I never change the active ruleset, but simply work on "offline copies" for other
uses/customers than the one I have active

 When I need to activate a ruleset (a strictly mentally different operation), I Load it and OK
(activate) it immediately

Doing both operations at the same time is technically possible, but it is not the optimal experience.
Caveats
No valid GSSAPI library …
Getting the No valid GSSAPI library could be located error actually means Authentication failed. This
is not expected using the Nordic profile, since we use AF (access firewall) authentication with
Toxclient as opposed to SOCKS proxy server authentication.

Picture credit Rodrigo Castrillon, solution credit Lucas Eduardo Ortega Caldeira.

Closing ProxyCap
“Closing” the ProxyCap window does not save the current profile. See section above on using
multiple profiles for details.

Picture credit Tomasz.Kozlowski.

ProxyCap fake name resolution

The way ProxyCap handles name resolution, is to "fake" addresses for all domains. If you expect a
certain set of IP addresses for a service, you will be fooled.

Looking closer with netstat -an, you see that the actual connection is of course to the correct IP, and
the connection does not show up in the ProxyCap connections tab either. Doing an actual nslookup
also returns the correct address. But this discrepancy means you can't rely on for example ssh
reporting correct address when connecting to a domain, and other similar cases.

Combined IP and name rules

In case you want to create your own profile and rules, please keep in mind there is still a bug related
to combined IP and domain name rules. When using rules that contain both IP addresses and
domain names while "remote name resolution" is selected, it looks like a new error has surfaced.
Non-proxied systems still work, and systems reached by IP also work (including domains for which
there are hosts-file entries).

When using rules that contain both IP addresses and domain names while "remote name resolution"
is selected, it looks like a new error has surfaced. Non-proxied systems still work, and systems
reached by IP also work (including domains for which there are hosts-file entries).

 curl reports "Immediate connect fail for 127.128.0.1: Bad access"

 Firefox reports "Unable to connect. An error occurred during a connection to ..."

 Chrome reports "Your Internet access is blocked" and

 Internet Explorer reports "Can't reach this page" and more info "The DNS name does not
exist. Error Code: INET_E_RESOURCE_NOT_FOUND"

 Edge reports "Hmmm… your Internet access is blocked" and

ERR_NETWORK_ACCESS_DENIED

No errors are emitted in the ProxyCap error log, and no entries created for connections either.
Splitting the rules in IP-only and domain name-only rules resolves this issue.

Compatibility with WSL2

WSL2 and ProxyCap (and other proxy clients) have an incompatibility related to winsock2 and LSP. If
you haven’t used OpenText SOCKS, and you use WSL2, you will most likely experience that WSL2 will
not start, and you will see the following error:

The attempted operation is not supported for the type of object referenced.

If you experienced this issue with OpenText SOCKS, the fix should also work after installing ProxyCap.

The solution to this is described in the ProxyCap community Yammer post about WSL2.

Remote system resets connections (connection reset by peer error)

Some combinations of server and client will result in the server resetting connections, instead of
taking them down gracefully. This will result in ProxyCap generating a series of errors. If you do not
experience other errors, then the errors can be safely ignored.

Picture credit Younes Serrar.

Credits
Much of this guide owes to the Kyndryl ProxyCap community on Yammer.

Screenshots taken from the Yammer community have credits attached. All other screenshots are
taken by the document author.