cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
Nigel_Pain
Lapis Lazuli | Level 10 Nigel_Pain
Lapis Lazuli | Level 10

Routing SGMAP requests to the SAS OSM servers

Posted 08-11-2023 05:50 AM (1408 views)

SAS 9.4M7 on Windows server 2019

Enterprise Guide 8.3 on Windows 10

SAS Studio 3.81 Enterprise Edition

 

We are having problems enabling users to pull Open Street Map mapping into PROC SGMAP output. By default servers in our environment do not have direct access to the public internet, so we have rules on the proxy servers to allow access by our SAS servers to the SAS OSM servers. This was actually set up to allow geomapping in Visual Analytics (and that works fine). But what we're finding is that this fails for ordinary users, but not for user accounts which are configured for server admin - these are in a different active directory container. I don't have much understanding of how proxies work but here's the analysis from our proxy admins:

 

When a user attempts to load a map using PROC SGMAP, the map is not rendered in the client. On inspecting the traffic on the SAS server using wireshark during the failure, the following behaviour is noted :-

 

The SAS server issues DNS lookup requests to its OS configured name servers for opnsta.sas.com and gets a no such name response. The name servers are internal and cannot perform public DNS resolution. This is by design and a security configuration. Hence if an internal resource needs to connect to an internet website, it must use a secure proxy server.

After the first DNS answer, it then performs a DNS query for the server which hosts the PAC file from our internal DNS server and gets a valid response. It downloads the PAC file.

Whilst it is downloading the PAC file it sends two further DNS lookups to internal DNS for opnstc.sas.com and then openstb.sas.com which both return no such name.

 

It then connects to the proxy server gleaned from the PAC file. However it does not parse these correctly. The PAC file is configured to return back to the requesting application PROXY name.of.our.proxy:portnumber (i.e. use this as a proxy server). But the application appears to receive the PROXY name.of.our.proxy:portnumber returned and then tries to connect to it as a webserver which fails as it isn't one.

It should be noted that the admin users (for whom the functionality works) don't have a PAC file configuration and so calls are directed straight to the proxy server. Has anyone had a similar experience, and did you find a resolution? I haven't had much luck with TS, because they say that there's no configuration options for PROC SGMAP and it just sends a straight call to the internet.

 

Thanks

 

0 Likes
Reply
7 REPLIES 7
SASKiwi
PROC Star SASKiwi
PROC Star

Re: Routing SGMAP requests to the SAS OSM servers

Posted 08-11-2023 06:39 PM (1362 views)  |   In reply to Nigel_Pain

How far did this go at Tech Support? The fact that it works in VA but not in Base SAS suggests there is a different mechanism being used and comparing them may help. If TS hasn't escalated the problem, maybe push for that?

 

Maybe discussing this with an Info Security expert where you work, comparing admin and normal account AD permissions might uncover the reasons.

0 Likes
Reply
Nigel_Pain
Lapis Lazuli | Level 10 Nigel_Pain
Lapis Lazuli | Level 10

Re: Routing SGMAP requests to the SAS OSM servers

Posted 08-14-2023 05:35 AM (1339 views)  |   In reply to SASKiwi

Thanks for the response @SASKiwi .

My understanding from Tech Support was that PROC SGMAP simply sends a request to the SAS OSM servers. The main difference between normal and admin accounts is that normal ones are configured to use a PAC file and this is what's causing the issue. Admin accounts don't have that setting and so they automatically get routed to the proxy. They did say that others had had this issue in the past, so I was wondering if one of them would appear here and say how (if?) they'd managed to fix it.

VA works because there are configuration settings for the JVM which routes requests via a proxy. In the wrapper.conf for the web app server:

wrapper.java.additional.53=-Dhttp.proxyHost=our.proxy.fqdn 
wrapper.java.additional.54=-Dhttp.proxyPort=80
wrapper.java.additional.55=-Dhttp.nonProxyHosts="localhost|127.0.0.1|*.our.domain"
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Routing SGMAP requests to the SAS OSM servers

Posted 08-14-2023 09:42 AM (1331 views)  |   In reply to Nigel_Pain
I wonder if SGMAP would use the HTTP_PROXY/HTTPS_PROXY/NO_PROXY environment variables if set. For example:
options set=HTTP_PROXY "http://our.proxy.fqdn:80";
options set=NO_PROXY "localhost,127.0.0.1,.our.domain";
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
Nigel_Pain
Lapis Lazuli | Level 10 Nigel_Pain
Lapis Lazuli | Level 10

Re: Routing SGMAP requests to the SAS OSM servers

Posted 08-15-2023 05:52 AM (1317 views)  |   In reply to gwootton

Thanks @gwootton , that was a good thing to try. But sadly it made no difference. 

0 Likes
Reply
Nigel_Pain
Lapis Lazuli | Level 10 Nigel_Pain
Lapis Lazuli | Level 10

Re: Routing SGMAP requests to the SAS OSM servers

Posted 08-15-2023 06:02 AM (1313 views)  |   In reply to Nigel_Pain

More information on this. The proxy administrator and I had another look at things and it appears that the main issue is that when a user starts a SAS session for the first time a local profile is created for them on the compute server. However, this doesn’t include the important Internet Options covering the PAC file and proxy server (Control Panel, Internet Options, Connections tab, LAN Settings). If a user subsequently logs in to a full user session on the server (eg. using RDP) then the profile gains these settings, and thereafter they can download the maps.

I don’t imagine there’s much we can do about this, as we can’t control what parts of a user profile are created when they are logging on as batch, and only local admins on the compute server can get an RDP session on the server. So it seems we are stuck.

0 Likes
Reply
gwootton
SAS Super FREQ gwootton
SAS Super FREQ

Re: Routing SGMAP requests to the SAS OSM servers

Posted 08-15-2023 10:19 AM (1305 views)  |   In reply to Nigel_Pain
In looking online you might be able to use runas to get a profile without the user logging on to the host:

runas /env /profile /user:<domain>\<username> cmd.exe

https://merserver.com/index.php/2022/11/01/windows-create-a-user-profile-without-logging-in-as-the-u...
--
Greg Wootton | Principal Systems Technical Support Engineer
0 Likes
Reply
Nigel_Pain
Lapis Lazuli | Level 10 Nigel_Pain
Lapis Lazuli | Level 10

Re: Routing SGMAP requests to the SAS OSM servers

Posted 08-15-2023 10:43 AM (1298 views)  |   In reply to gwootton

That does seem to work (I tried it with my ordinary user account). But I'd need to know the person's password. There's no way I can do that.

0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

SAS technical trainer Erin Winters shows you how to explore assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 7 replies
  • ‎08-11-2023 05:50 AM
  • 1409 views
  • 1 like
  • 3 in conversation