Configure a VEN-specific Windows Proxy
Beginning in VEN release 22.5, you must explicitly configure the Windows proxy for the VEN. In previous VEN releases, you didn't need to configure a proxy on Windows operating systems; instead, the VEN discovered proxy configurations automatically using the WPAD protocol or the Internet Explorer browser PAC file.
Caution
Enforce an allow rule for proxy connectivity
If your environment includes a proxy server, make sure your Illumio policy includes an allow rule for the proxy's IP:port before applying a new policy in Selective or Full Enforcement mode. Otherwise, if the VEN discovers that no allow rule is in place allowing the proxy connection, it reports a policy sync error and tries continually to sync policy. In that circumstance, the VEN and the PCE will not be able to communicate.
Important
This topic applies to VENs deployed on servers or virtual machines and to Endpoint VENs (VENs deployed on endpoints, such as Windows laptops).
Ways to Configure a VEN-specific Windows Proxy
There are two ways to configure a VEN-specific Windows Proxy:
Configure Windows Proxy by Editing the Pairing Script
Note
For details about generating a pairing key and pairing script, see "Pairing Profiles and Scripts" in the section VEN Installation & Upgrade Using VEN Library in this guide.
You can configure a VEN-specific Windows proxy by adding the -proxy-server parameter to the pairing script.
In the following example, the -proxy-server parameter is placed at the end of the script, after the -activation-code parameter:
PowerShell -Command "& {Set-ExecutionPolicy -Scope process remotesigned -Force; Start-Sleep -s 3; Set-Variable -Name ErrorActionPreference -Value SilentlyContinue; [System.Net.ServicePointManager]::SecurityProtocol=[Enum]::ToObject([System.Net.SecurityProtocolType], 3072); Set-Variable -Name ErrorActionPreference -Value Continue; (New-Object System.Net.WebClient).DownloadFile('https://example-server.io:443/api/v26/software/ven/image?pair_script=pair.ps1&profile_id=60', (echo $env:windir\temp\pair.ps1)); & $env:windir\temp\pair.ps1 -management-server example-server.io:443 -activation-code <code> -proxy-server <proxy_server:port>;}"
Configure Windows Proxy using CTL Commands
Use the following CTL commands to explicitly configure a Windows proxy.
Installation:
<VEN Installation Directory>\illumio-ven-22.2.32-xxxx-preview.win.x64.exe /install VEN_PROXY_SERVER=<proxy_server:port>
Activation:
<VEN Installation Directory>\illumio-ven-ctl.exe activate -management-server <pce_server:port> -activation-code <code> -proxy-server <proxy_server:port>
Restart:
You must restart the VEN after setting (or changing) its proxy configuration.
<VEN Installation Directory>\illumio-ven-ctl.exe restart
Manage the proxy configuration:
The VEN CTL supports the set-proxy, reset-proxy, and show-proxy commands to configure a proxy on Windows. A proxy set with these commands takes precedence over the WinHTTP proxy configured with netsh (netsh winhttp set proxy) and over discovery using the Internet Explorer PAC file.
For more information about how the Windows VEN supports a proxy server, see "VEN Proxy Support" in the section Prepare for VEN Installation in this guide.
The set-proxy command sets the proxy server for the VEN to use:
<VEN Installation Directory>\illumio-ven-ctl.exe set-proxy <proxy_server:port>
The show-proxy command shows the current proxy configuration:
<VEN Installation Directory>\illumio-ven-ctl.exe show-proxy
The reset-proxy command removes the current proxy configuration:
<VEN Installation Directory>\illumio-ven-ctl.exe reset-proxy
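The following PowerShell script is an added example and is not part of the Illumio VEN or this guide. It wraps the set-proxy, restart, and show-proxy steps above into one checked procedure: it validates the host:port value, tests that the workload can reach the proxy before the VEN depends on it (the allow-rule caution above still applies once the workload is enforced), records the WinHTTP setting that the VEN-specific proxy overrides, applies the proxy, restarts the VEN, and verifies the result. The install directory ($env:ProgramFiles\Illumio), the sample value proxy.corp.example:3128, and the assumption that show-proxy echoes the configured host:port are the author's assumptions, not documented behavior; adjust them for your environment.

```powershell
<#
Added example, not Illumio's own tooling: sets a VEN-specific Windows proxy
with illumio-ven-ctl.exe, restarts the VEN, and verifies the result.
Assumptions (not from the guide): the VEN install directory under
$env:ProgramFiles\Illumio, the sample value proxy.corp.example:3128, and
that show-proxy's output contains the configured host:port string.
Run from an elevated PowerShell session.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [string]$ProxyServer,                                      # e.g. proxy.corp.example:3128 (sample value)
    [string]$VenDir = (Join-Path $env:ProgramFiles 'Illumio')  # assumed install directory
)

$ctl = Join-Path $VenDir 'illumio-ven-ctl.exe'
if (-not (Test-Path $ctl)) { throw "VEN CTL not found at $ctl; adjust -VenDir" }

# Validate host:port before handing it to the VEN; a malformed value would
# otherwise only surface later as a policy-sync failure.
if ($ProxyServer -notmatch '^(?<host>[A-Za-z0-9.\-]+):(?<port>\d{1,5})$') {
    throw "ProxyServer must be host:port, got '$ProxyServer'"
}
$proxyHost = $Matches.host
$proxyPort = [int]$Matches.port
if ($proxyPort -lt 1 -or $proxyPort -gt 65535) { throw "Port $proxyPort is out of range" }

# Reachability check from this workload. This only proves the host can reach
# the proxy now; once the workload is in Selective or Full Enforcement, the
# Illumio policy must still contain an allow rule for $proxyHost:$proxyPort,
# otherwise the VEN cannot reach the PCE to sync policy.
$tnc = Test-NetConnection -ComputerName $proxyHost -Port $proxyPort -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP connect to ${proxyHost}:${proxyPort} failed; the VEN will not be able to use this proxy"
}

# Record what WinHTTP would have used, for comparison. The VEN-specific
# setting applied below takes precedence over this.
Write-Host "WinHTTP proxy (netsh) before change:"
netsh winhttp show proxy | Out-Host

# Apply the VEN-specific proxy, then restart the VEN so the change takes effect.
& $ctl set-proxy $ProxyServer
if ($LASTEXITCODE -ne 0) { throw "set-proxy failed with exit code $LASTEXITCODE" }

& $ctl restart
if ($LASTEXITCODE -ne 0) { throw "VEN restart failed with exit code $LASTEXITCODE" }

# Verify: show-proxy is expected to echo the configured value (assumption about
# the output format; adjust the match if your VEN release prints it differently).
$shown = (& $ctl show-proxy) -join "`n"
if ($shown -notmatch [regex]::Escape($ProxyServer)) {
    throw "show-proxy did not report $ProxyServer; output was:`n$shown"
}
Write-Host "VEN-specific proxy set to $ProxyServer and verified."
```

Run it as, for example, `.\Set-VenProxy.ps1 -ProxyServer proxy.corp.example:3128`. To remove the setting again, run `illumio-ven-ctl.exe reset-proxy` followed by `illumio-ven-ctl.exe restart`, as described above.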
VEN-Specific Proxy Configuration
In the 23.4-VEN release, you can choose to explicitly configure the Windows proxy for the VEN.
Caution
Enforce an allow rule for proxy connectivity.
If your environment includes a proxy server, make sure that your Illumio policy includes an allow rule for the proxy's IP:Port before applying a new policy in Selective or Full Enforcement mode. Otherwise, if the VEN discovers that no allow rule is in place to allow the proxy connection, it reports a policy sync error and tries continually to sync policy. In that circumstance, the VEN and the PCE will not be able to communicate.
About the VEN-Specific Proxy
The VEN CTL (including pairing script) supports the set-proxy, reset-proxy, and show-proxy commands to configure a proxy on Windows.
When configured with these commands, the setting takes precedence over netsh and discovery using the Internet Explorer PAC file, as shown here:
Direct > VEN specific proxy (NEW) > WinHttp Proxy > IE setting for localSystem account
For more information about how the Windows VEN supports a proxy server, see VEN Proxy Support.
Explicitly Configure a Windows Proxy
Use the following commands to explicitly configure a Windows proxy:
Installation:
<VEN Installation Directory>\illumio-ven-22.2.32-xxxx-preview.win.x64.exe /install VEN_PROXY_SERVER=<proxy_server:port>
Activation:
<VEN Installation Directory>\illumio-ven-ctl.ps1 activate -management-server <pce_server:port> -activation-code <code> -proxy-server <proxy_server:port>
Restart:
You must restart the VEN after setting or changing its proxy configuration:
<VEN Installation Directory>\illumio-ven-ctl.ps1 restart
Proxy Configuration Management:
The set-proxy command sets the proxy server for the VEN to use.
<VEN Installation Directory>\illumio-ven-ctl.exe set-proxy <proxy_server:port>
The show-proxy command shows the current proxy configuration:
<VEN Installation Directory>\illumio-ven-ctl.exe show-proxy