Needless to say, I was peeved. I did some digging and came up with this absolutely wonderful little program called Proxytunnel. You see, if your network admins are anything like mine (and most are), they will have allowed you access to secure sites via an HTTP proxy. The thing with SSL and proxies is that, because everything's encrypted, the proxy can do naught but pass your connection on to the site in question; it has no say over which protocol runs inside it. So get Proxytunnel, drop it in /usr/local/bin or anywhere else in your path, and then do something like this:
/usr/local/bin/proxytunnel -a 5222 -g 123.123.123.123 \
-G 8080 -d myjabberserver.com -D 5222
You can now reach your Jabber server by setting up iChat to connect to the server localhost instead of myjabberserver.com. (The 123.123.123.123 IP address is the IP of your proxy server and 8080 is its port; the first 5222 is the port on localhost that proxytunnel listens on, and the last one is the port of your Jabber server.) Note that you need to run Proxytunnel as root if you want it to listen on a port below 1024; however, you can make it listen on a different port. So to access GMail's secure POP server as localhost:995, you could do:
sudo /usr/local/bin/proxytunnel -a 995 -g 123.123.123.123 \
-G 8080 -d pop.gmail.com -D 995
To access it as localhost:9995, just do:
/usr/local/bin/proxytunnel -a 9995 -g 123.123.123.123 \
-G 8080 -d pop.gmail.com -D 995
If your Mac is always connected to a firewalled network, you can stop reading now. Set up proxy tunnels, and you can use any service you want.
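What the proxy actually sees in the setup above is the HTTP CONNECT request Proxytunnel sends it (the host and port given with -d and -D) and nothing of the encrypted traffic that follows. The following is an added example, not code from the hint or from Proxytunnel: it plays both sides on the loopback interface, a proxy that only accepts CONNECT, writes the requested host:port to an audit log and enforces a port allowlist, and a client that performs the same handshake Proxytunnel does. A proxy that permits CONNECT only to port 443 refuses the tunnel with a 403, which is also why a CONNECT line for port 5222 or 995 in a proxy log is easy to spot. Ports are chosen at run time and the "server" behind the proxy is a local echo server standing in for Jabber or POP.

```python
"""Minimal HTTP CONNECT proxy and client: what a proxy can and cannot see
when a non-HTTP protocol is tunnelled through it.  Added example, not code
from the hint or from Proxytunnel; runs entirely on 127.0.0.1."""
import socket
import threading

def _recv_headers(sock, limit=8192):
    """Read until the blank line that ends an HTTP header block."""
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = sock.recv(1024)
        if not chunk:
            break
        buf += chunk
    return buf

def _pump(src, dst):
    """Copy bytes one way until EOF: all a proxy does once a tunnel is up."""
    try:
        chunk = src.recv(4096)
        while chunk:
            dst.sendall(chunk)
            chunk = src.recv(4096)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listen(handler):
    """Bind an ephemeral loopback port; serve each connection on a thread."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def start_echo_server():
    """Stand-in for the Jabber or POP server: echoes whatever it receives."""
    return _listen(lambda conn: _pump(conn, conn))

def start_proxy(allowed_ports, audit_log):
    """Proxy that only speaks CONNECT.  The request line is the one thing it
    can log (appended to audit_log) and apply policy to (a port allowlist);
    after answering 200 it just shovels bytes in both directions."""
    def handle(client):
        line = _recv_headers(client).split(b"\r\n", 1)[0].decode("ascii", "replace")
        method, target = (line.split(" ") + ["", ""])[:2]
        host, _, port = target.rpartition(":")
        audit_log.append(f"{method} {host}:{port}")
        if method != "CONNECT" or not port.isdigit() or int(port) not in allowed_ports:
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            client.close()
            return
        upstream = socket.create_connection((host, int(port)))
        client.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        _pump(upstream, client)

    return _listen(handle)

def connect_through_proxy(proxy_port, dest_host, dest_port):
    """Client half of the handshake (what proxytunnel's -g/-G/-d/-D options
    drive).  Returns an open socket on 200, or the HTTP status if refused."""
    sock = socket.create_connection(("127.0.0.1", proxy_port))
    sock.sendall(f"CONNECT {dest_host}:{dest_port} HTTP/1.1\r\n"
                 f"Host: {dest_host}:{dest_port}\r\n\r\n".encode("ascii"))
    status = int(_recv_headers(sock).split(b" ", 2)[1])
    if status != 200:
        sock.close()
        return status
    return sock

def tunnel_roundtrip(proxy_port, dest_port, payload):
    """Send payload through the tunnel to the echo server and return the
    echo, or the proxy's refusal status."""
    sock = connect_through_proxy(proxy_port, "127.0.0.1", dest_port)
    if isinstance(sock, int):
        return sock
    sock.sendall(payload)
    data = b""
    while len(data) < len(payload):
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    sock.close()
    return data

if __name__ == "__main__":
    log = []
    echo = start_echo_server()
    lax = start_proxy({echo}, log)       # allows CONNECT to the echo port
    strict = start_proxy({443}, log)     # allows CONNECT to port 443 only
    print(tunnel_roundtrip(lax, echo, b"<stream:stream>"))
    print(tunnel_roundtrip(strict, echo, b"<stream:stream>"))
    print(log)
```

The audit log ends up holding exactly one line per tunnel attempt, the CONNECT target and nothing else, whether the proxy let it through or not; that line is the whole of what a proxy administrator has to work with, for policy and for review.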
Defining host aliases to work with default application settings
However, I have a PowerBook which I lug home most evenings, and this setup would cause a few problems. I can write scripts to set up and tear down all the proxy tunnels I need (one for GMail, one for a regular POP3 mail server, and one for my Jabber server), but I'd have to change all my Mail, iChat etc. settings back every time I wanted to work outside the office. So I thought of a nice solution ... why don't I just make those host names aliases for 127.0.0.1 in my /etc/hosts file? Sure enough, I changed the line:
127.0.0.1 localhost
to:
127.0.0.1 localhost myjabberserver.org pop.gmail.com pop.myisp.com
These are the host names for my Jabber server and POP servers. Now we need to make lookupd flush its cache so that it picks up the change, so we issue lookupd -flushcache. Now, with proxytunnel running, when Mail.app looks up pop.gmail.com, the resolver answers 127.0.0.1, the local host, so Mail.app connects to port 995 there, and the proxy tunnel forwards the connection via the proxy server.
The rather obvious limitation is that you can only have one proxy tunnel per local port, so if you want to access two services that use the same port, you're out of luck. Fortunately I use port 5222 for Jabber, 995 for GMail's secure POP, and 110 for my ISP's POP3 server, so I don't run into that limitation.
Putting it all together
Now that everything works, we need a quick way to switch between the office (behind a firewall) configuration and the home (open access) configuration. I created two copies of the hosts file: the modified one as /etc/hosts.proxytunnel and the original hosts file as /etc/hosts.default. And now here comes the AppleScript. Each do shell script statement must be on a single line when you paste this code into Script Editor:
-- Output is sent to /dev/null and the tunnel is backgrounded so that do shell script returns at once;
-- "> /dev/null 2>&1" is the spelling /bin/sh understands.
do shell script "/usr/local/bin/proxytunnel -a 5222 -g 123.123.123.123 -G 8080 -d myjabberserver.org -D 5222 > /dev/null 2>&1 &" with administrator privileges
do shell script "/usr/local/bin/proxytunnel -a 995 -g 123.123.123.123 -G 8080 -d pop.gmail.com -D 995 > /dev/null 2>&1 &" with administrator privileges
do shell script "/usr/local/bin/proxytunnel -a 110 -g 123.123.123.123 -G 8080 -d pop.myisp.com -D 110 > /dev/null 2>&1 &" with administrator privileges
-- Swap in the hosts file with the loopback aliases and make the resolver forget the old answers.
do shell script "cp /etc/hosts.proxytunnel /etc/hosts" with administrator privileges
do shell script "lookupd -flushcache" with administrator privileges
You could just write a shell script, of course, but AppleScript gives you a nice password dialog when you run this from the script menu (you need admin privileges to swap the hosts files, and to set up the tunnels on ports below 1024; the lookupd call and the first tunnel could run without admin privileges, but they're there for symmetry). And now, the one to bring everything back to normal (again, each do shell script statement goes on one line):
-- Restore the original hosts file, flush the resolver cache, then stop all the tunnels.
do shell script "cp /etc/hosts.default /etc/hosts" with administrator privileges
do shell script "lookupd -flushcache" with administrator privileges
do shell script "killall proxytunnel" with administrator privileges
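The hosts-file edit and the switch-over scripts above are easy to get subtly wrong (an alias added twice, a tunnel started on a port another tunnel already owns), so here is an added example that is not code from the hint: it edits the 127.0.0.1 line idempotently and reverts it, checks a tunnel plan for the one-tunnel-per-port limitation and for ports below 1024 that need root, and builds the proxytunnel command lines from that plan. HOSTS_BEFORE and TUNNELS are constructed sample data; the proxy address is the hint's 123.123.123.123:8080 placeholder. One caveat for anyone on a newer Mac: lookupd and its -flushcache option went away with Mac OS X 10.5, where dscacheutil -flushcache does the same job.

```python
"""Helpers for the loopback-alias trick: edit /etc/hosts text idempotently,
revert it, and sanity-check a tunnel plan before anything is started.
Added example, not code from the hint; sample data is constructed."""

# Constructed sample hosts file, in the layout Mac OS X ships.
HOSTS_BEFORE = """##
# Host Database
##
127.0.0.1\tlocalhost
255.255.255.255\tbroadcasthost
::1\tlocalhost
"""

# (local listen port, destination host, destination port): proxytunnel -a/-d/-D
TUNNELS = [
    (5222, "myjabberserver.org", 5222),
    (995, "pop.gmail.com", 995),
    (110, "pop.myisp.com", 110),
]

def check_plan(tunnels):
    """Return a list of problems: a local port used twice (only one listener
    can own it) and any ports below 1024 (which need root to bind)."""
    problems, owner = [], {}
    for local, host, _ in tunnels:
        if local in owner:
            problems.append(f"port {local}: already used for {owner[local]}, "
                            f"cannot also serve {host}")
        owner.setdefault(local, host)
    privileged = sorted(p for p, _, _ in tunnels if p < 1024)
    if privileged:
        problems.append("needs root for ports " + ", ".join(map(str, privileged)))
    return problems

def _find_loopback(lines):
    """Index of the IPv4 loopback entry, its names, and any trailing comment."""
    for i, line in enumerate(lines):
        body, _, comment = line.partition("#")
        fields = body.split()
        if fields and fields[0] == "127.0.0.1":
            return i, fields[1:], comment
    raise ValueError("no 127.0.0.1 entry in hosts file")

def _rewrite(lines, i, names, comment):
    """Replace line i with a fresh 127.0.0.1 entry and rejoin the file."""
    lines[i] = "127.0.0.1\t" + " ".join(names) + (f"\t#{comment}" if comment else "")
    return "\n".join(lines) + "\n"

def alias_loopback(hosts_text, names):
    """Add names to the 127.0.0.1 line; names already there are not repeated."""
    lines = hosts_text.splitlines()
    i, existing, comment = _find_loopback(lines)
    return _rewrite(lines, i, existing + [n for n in names if n not in existing], comment)

def unalias_loopback(hosts_text, names):
    """Drop names from the 127.0.0.1 line; localhost itself is never dropped."""
    lines = hosts_text.splitlines()
    i, existing, comment = _find_loopback(lines)
    kept = [n for n in existing if n == "localhost" or n not in names]
    return _rewrite(lines, i, kept, comment)

def proxytunnel_argv(tunnel, proxy_host, proxy_port, binary="/usr/local/bin/proxytunnel"):
    """Command line for one tunnel, using the options the hint uses."""
    local, host, dest = tunnel
    return [binary, "-a", str(local), "-g", proxy_host, "-G", str(proxy_port),
            "-d", host, "-D", str(dest)]

if __name__ == "__main__":
    print(check_plan(TUNNELS))
    aliased = alias_loopback(HOSTS_BEFORE, [t[1] for t in TUNNELS])
    print(aliased)
    print(unalias_loopback(aliased, [t[1] for t in TUNNELS]) == HOSTS_BEFORE)
    for t in TUNNELS:
        print(" ".join(proxytunnel_argv(t, "123.123.123.123", 8080)))
```

Run check_plan before starting anything: a duplicate local port is the case the hint warns about, and the "needs root" entry tells you which tunnels have to go behind the administrator-privileges dialog rather than being a matter of symmetry.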
Enjoy your unfettered Internet access.
[robg adds: Before you try this one, keep in mind that breaking internet access policies at your place of employment may get you terminated ... which would be a high price to pay for checking your Gmail account!]