Configure SOCKS5 Proxy for MATLAB Job Scheduler

Since R2026a

MATLAB® Parallel Server™ supports the use of a SOCKS5 proxy to forward all Parallel Computing Toolbox™ traffic between MATLAB clients and your MATLAB Job Scheduler cluster. This capability allows you to:

  • Provide a single access point for your cluster, reducing the need for multiple open ports, complex firewall or network configurations.

  • Simplify connectivity for clients outside your cluster’s virtual network, especially in cloud or hybrid environments.

  • Centralize authentication and encryption for all client connections.

Overview of SOCKS Proxy Server in MATLAB Parallel Server

A SOCKS5 proxy server enables MATLAB clients outside the cluster’s virtual network to connect to your MATLAB Job Scheduler cluster through a single endpoint.

The proxy server:

  • Accepts incoming connections from MATLAB clients.

  • Forwards traffic to the cluster scheduler and workers as appropriate.

  • Authenticates MATLAB clients with a certified cluster profile using mutual TLS (mTLS).

  • Encrypts all communication between the MATLAB client and the proxy.

Access parallelserverproxy Installation

To start a SOCKS5 proxy server within your cluster's virtual network, you need a parallelserverproxy installation. You can install and run the parallelserverproxy tool on the cluster node that runs the job manager or any other node within the cluster's virtual network.

You also need the mjssetup tool to the create shared secrets, signed certificates, and cluster profiles required for mTLS authentication and encryption.

You can download and install the parallelserverproxy and mjssetup tools using the instructions from these GitHub® repositories:

Start SOCKS5 Proxy Server with Mutual TLS Authentication and Encryption

Follow these instructions to start a SOCKS5 proxy server and create a certified cluster profile for the client to connect to the cluster.

With default settings, the parallelserverproxy tool starts a SOCKS5 proxy server with mTLS authentication and encryption. To set up and use the proxy server, you need signed certificate files for the SOCKS5 proxy and the cluster profile for the MATLAB client. Use this table to decide which step to begin with, based on your cluster configuration.

Cluster ConfigurationSolutionStarting Step

Your cluster is running at Security Level 3 or requires encrypted communication (mjs_def parameter USE_SECURE_COMMUNICATION=true).

Use your existing shared secret to create the signed certificates.

You might find the cluster shared secret at one of these default locations on a cluster node:

  • Linux® operating systems — /var/lib/mjs/security/secret.

  • Windows® operating systems — <PROGRAMDATA>\MJS\Checkpoint\security\secret, where <PROGRAMDATA> is the value of the system PROGRAMDATA variable.

Step 2: Start SOCKS5 Proxy Server

Your cluster has any other cluster configuration

Create a new shared secret.

Step 1: Create Shared Secret

Step 1: Create Shared Secret

If your cluster does not already have a shared secret, start here.

Create a shared secret file using the mjssetup tool. Specify the create-shared-secret command and a name for the shared secret file.

For example, create a shared secret file with the name "secret.json".

mjssetup create-shared-secret -outfile "secret.json"

Step 2: Start SOCKS5 Proxy Server

Start the SOCKS5 proxy server.

  1. If you already have an existing cluster shared secret or a shared secret from Step 1, generate signed certificate from the shared secret using the mjssetup tool. Specify the generate-certificate command, the path to the shared secret file, and the name of the certificate.

    For example, from the shared secret file "secret.json", generate a signed certificate with the name "proxyCert". Your shared secret file might not have an extension.

    mjssetup generate-certificate -secretfile "path_to_shared_secret_file/secret.json" -outfile "proxyCert"

  2. Start a SOCKS5s proxy server using default settings. To use mTLS, you must specify a path to the signed certificate file with the -certificate argument.

    For example, using a signed certificate file named "proxyCert.json", start a SOCKS5 proxy server. The resulting proxy server listens for incoming traffic on all network interfaces available on the machine running the proxy server, and uses the default port number 1080. When the proxy server starts, parallelserverproxy displays the URL template for the proxy server. 

    parallelserverproxy -certificate "proxyCert.json"
    SOCKS5 proxy ready to accept connections at: socks5s://*:1080

  3. Use the URL template to create the proxy server URL for the client connections by adding the resolvable hostnames or IP addresses of the cluster headnode and the machine running the proxy server.

    For example, if the cluster headnode hostname is clusterHostname and the proxy server is running on machine with the hostname proxyHostname, the proxy URL is:

    clusterHostname?proxy=socks5s://proxyHostname:1080

Step 3: Create Cluster Profile

Any client that wants to connect to the proxy server must have a corresponding client certificate file signed with the cluster secret file for authentication. You can create a certified cluster profile that incorporates the signed client certificate file and the proxy URL to enable clients to connect to the cluster.

  1. Using the mjssetup tool, create a certificate file for the cluster profile from the cluster shared secret used in Step 2. Specify the generate-certificate command, the path to the shared secret file, and the name of the certificate.

    For example, from the shared secret file "secret.json", generate a signed certificate with the name "profileCert". Your shared secret file might not have an extension.

    mjssetup generate-certificate -secretfile "path_to_shared_secret_file/secret.json" -outfile "profileCert"

  2. Using the mjssetup tool, create the certified cluster profile. Specify the create-profile command, the name of the cluster job manager as the cluster name, the proxy URL as the cluster hostname, and the path of the certificate file for the profile.

    For example, create a cluster profile for the cluster with the job manager name "jobManagerMJS", using the proxy server URL "clusterHostname?proxy=socks5s://proxyHostname:1080" and certificate file "profileCert.json". The command creates a cluster profile file jobManagerMJS with the extension .json.

    mjssetup create-profile -name jobManagerMJS -host clusterHostname?proxy=socks5s://proxyHostname:1080 -certificate profileCert.json

The shared secret, signed certificates, and associated certified cluster profile control which users can connect to the job manager. You must store this data securely and distribute the certified cluster profile to users through a secure channel.

You can use the Cluster Profile Manager to import a profile into the MATLAB client. For more information, see Discover Clusters and Use Cluster Profiles (Parallel Computing Toolbox).

Test SOCKS5 Proxy Server Without Mutual TLS

Use these instructions to start and test SOCKS5 proxy server for MATLAB clients and MATLAB Job Scheduler cluster in closed networks.

When you have a MATLAB Job Scheduler cluster that does not require client verification, you can simplify the testing workflow by starting a SOCKS5 proxy server with mTLS disabled.

Note

Security Considerations: Disabling mutual TLS (mTLS) removes client authentication and does not encrypt client-to-proxy traffic or exposed services. Do not use this configuration in production or on open networks. Use only in closed, isolated environments for temporary testing purposes with trusted clients.

Start the SOCKS5 proxy server with mTLS disabled, leaving all other settings at their default values. To disable mTLS, specify the disableMutualTLS argument. 

parallelserverproxy -disableMutualTLS
Warning: Client verification disabled with -disableMutualTLS
SOCKS5 proxy ready to accept connections at: socks5://*:1080

Use the displayed URL template to create the proxy server URL for the client connections by adding the resolvable hostname or IP address of the cluster headnode and the machine running the proxy server.

For example, if the cluster headnode hostname is clusterHostname and the proxy server is running on machine with the hostname proxyHostname, the proxy URL is:

clusterHostname?proxy=socks5://proxyHostname:1080

Create a cluster profile using the mjssetup tool. Specify the create-profile command, the name of the cluster job manager as the cluster name, and the proxy URL as the cluster hostname.

For example, create a cluster profile for the cluster with the job manager name jobManagerMJS and the proxy server URL clusterHostname?proxy=socks5://proxyHostname:1080. The create-profile command creates a cluster profile file jobManagerMJS with the extension .json.

mjssetup create-profile -name jobManagerMJS -host clusterHostname?proxy=socks5://proxyHostname:1080
You can use the Cluster Profile Manager to import a profile into the MATLAB client. For more information, see Discover Clusters and Use Cluster Profiles (Parallel Computing Toolbox).

See Also

Topics