VEN Proxy Support
This section describes how to enable proxy support for the VEN on all supported operating systems: Windows, Linux, AIX, and Solaris.
Caution
Enforce an allow rule for proxy connectivity
If your environment includes a proxy server, make sure your Illumio policy includes an allow rule for the proxy's IP:port before applying a new policy in Selective or Full Enforcement mode. Otherwise, if the VEN discovers that no allow rule is in place allowing the proxy connection, it reports a policy sync error and tries continually to sync policy. In that circumstance, the VEN and the PCE will not be able to communicate.
Note
Due to platform differences, proxy support setup for the VEN differs between Unix-based and Windows operating systems. The VENs for Unix-based operating systems do not require a system-wide proxy setting. For Unix-based VENs, each application obtains the proxy settings from the user; for example, curl --proxy myproxy:80. On Windows, the operating system provides proxy settings; for example, the Chrome browser uses the same proxy setting as Microsoft Edge. See the sections below for details about setting up VEN proxy support by platform.
VEN Connections via Windows Proxy Servers
Illumio Core supports a VEN-to-PCE connection through proxy servers.
The default proxy configuration on the OS is used and proxy configuration might not be required or available on the VEN.
Only non-authenticated proxy is supported, which might require that you add an exception for the PCE address.
Only HTTP proxy is supported. The VEN detects the proxy automatically and configuration or mode change is not required.
Configuration for a Windows Proxy Server
If the network environment supports the WPAD protocol, the VEN automatically uses WPAD to discover proxies and no special configuration is required.
If proxy configuration is done via a PAC file, you must import Internet Explorer's (IE) proxy setting with the PAC file URL to the LocalSystem user (S-1-5-18). The VEN only supports http:// PAC file URLs. It does not support file:// URLs.
If proxies are statically configured, you can configure them using one of the following two methods:
Using the netsh winhttp set proxy command. This method takes precedence. For netsh winhttp usage, refer to https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731131(v=ws.10).
Importing the IE setting with the static proxy setting to the LocalSystem user. For importing IE settings for the VEN, refer to https://serverfault.com/questions/34940/how-do-i-configure-proxy-settings-for-local-system.
Note
Both the IE-based proxy setting and netsh winhttp can be pushed to the endpoints (PCs) using Group Policy.
For information about the proxy string format to use for Windows proxy servers, see also WINHTTP_PROXY_INFO (winhttp.h) - Win32 apps in the Microsoft documentation.
VEN Connections via Unix-based Proxy Servers
Release 21.1.0 and later releases extend VEN proxy support from Windows to Linux, AIX, and Solaris systems.
In comparison with Windows, the following limitation affects this feature for Unix-based proxy servers. This release doesn't support the Web Proxy Auto Discovery (WPAD) protocol or proxy discovery via the Proxy Auto Discovery (PAC) file for Unix-based proxy servers. This limitation occurs because VENs use LibCurl as the HTTP transport library, but LibCurl does not provide JavaScript execution capability needed to run proxy scripts. For a workaround, see Proxies - Everything curl.
Configuration for Unix-based Proxy Servers
To set up your environment for a Unix-based proxy server, perform the following steps:
Set the proxy string during activation using the --proxy-server option. For example, use illumio-ven-ctl activate --proxy-server proxy-string as shown:

root@qual-solaris11-L:/opt/illumio# /opt/illumio_ven/illumio-ven-ctl activate --management-server example.com:8443 --activation-code <code> --proxy-server 172.24.88.114:3128
Checking Runtime Environment..........
Activating Illumio
------------------
Storing Activation Configuration .....
Starting Illumio Processes............
Pairing Status
--------------
Pairing Configuration exists ......SUCCESS
VEN Manager Daemon running ........SUCCESS
Master Configuration retrieval ....SUCCESS
VEN Configuration retrieval .......SUCCESS
VEN has been SUCCESSFULLY paired with Illumio
root@qual-solaris11-L:/opt/illumio# /opt/illumio_ven/illumio-ven-ctl show-proxy
proxy_server: 172.24.88.114:3128

Set or modify the proxy string using illumio-ven-ctl set-proxy proxy-string, and clear the proxy setting using illumio-ven-ctl reset-proxy, as shown:

[root@ven-rhel illumio_ven]# ./illumio-ven-ctl set-proxy http://proxy.example.com:3128
Updating proxy to http://proxy.example.com:3128. VEN restart needed.
[root@ven-rhel illumio_ven]# ./illumio-ven-ctl restart
Shutting down illumio-control:
  - venAgentMonitor
    Stopping venAgentMonitor: [ OK ]
<snip>
Starting illumio-control:
  - Environment
    Setting up Illumio VEN Environment: [ OK ]
<snip>
[root@ven-rhel illumio_ven]# ./illumio-ven-ctl show-proxy
proxy_server: http://proxy.example.com:3128
[root@ven-rhel illumio_ven]# ./illumio-ven-ctl reset-proxy
Resetting proxy. VEN restart needed.
[root@ven-rhel illumio_ven]# ./illumio-ven-ctl restart
Shutting down illumio-control:
  - venAgentMonitor
    Stopping venAgentMonitor: [ OK ]
<snip>
Starting illumio-control:
  - Environment
    Setting up Illumio VEN Environment: [ OK ]
<snip>
[root@ven-rhel illumio_ven]# ./illumio-ven-ctl show-proxy
No proxy is set

Restart the VEN after the proxy is set, modified, or cleared, except when the proxy is enabled using --proxy-server during activation. Query your current proxy setting using the illumio-ven-ctl show-proxy command.

Use the proxy string format:

[<scheme>"://"]<server>[":"<port>]

In the string format, [] indicates optional values in the command and <> indicates required values; therefore, --proxy-server 172.24.88.114:3128 and --proxy-server http://172.24.88.114:3128 are both valid.

Note
When specified, only the "http" scheme is supported. Schemes such as "https" or any other schemes are not supported. For example, http://myproxy:8080 or http://10.0.0.2:80.
For Linux RPM (or AIX installp) installation, you can set the proxy string by setting and exporting the VEN_PROXY_SERVER shell variable before invoking the RPM (or installp) command.
For Solaris pkgadd, you can set the proxy string by setting the VEN_PROXY_SERVER variable in an answer file (typically created using the pkgask command).
Linux Pairing Script Activation for Proxy Servers
Typically, VENs are paired with the PCE directly. However, if a workload is behind a Web Proxy, you must follow these steps to enable your Linux/Unix VEN to successfully pair to your PCE:
From the PCE web console menu, go to Servers & Endpoints > Pairing Profile.
Copy the pairing line from the Linux/Unix OS Pairing Script window.
Paste this pairing line into a text file so that you can edit it.
Edit the pairing line to make the following two changes:
Add -x <proxy-string> to the curl command to indicate the proxy string.
Add the --proxy-server <proxy-string> switch to the pair.sh invocation to pass the proxy string to the pairing script.
rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir -p /opt/illumio_ven_data/tmp && curl -x <proxy-string> --tlsv1 "https://example.com:8443/api/v18/software/ven/image?pair_script=pair.sh&profile_id=1" -o /opt/illumio_ven_data/tmp/pair.sh && chmod +x /opt/illumio_ven_data/tmp/pair.sh && /opt/illumio_ven_data/tmp/pair.sh --management-server <server fqdn> --proxy-server <proxy-string>
Paste the revised script into the Linux/Unix terminal and press Enter.
The workload starts the pairing process. As the pairing script runs, success messages appear. Wait until the message “Workload has been SUCCESSFULLY paired with Illumio” displays, which means your VEN (behind a proxy server) and the PCE are paired.
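The proxy string format for Unix-based VENs and the two pairing-line edits above, as an added shell example that is not part of Illumio's documentation or tooling: validate_proxy_string accepts exactly the documented format (optional scheme, which must be http; required server; optional numeric port) and add_proxy_to_pairing_line applies the -x and --proxy-server edits to a pairing line copied from the PCE. The function names and the sample pairing line are this example's own constructions.

```shell
#!/bin/sh
# Added example, not Illumio tooling: check a VEN proxy string against the
# documented format [<scheme>"://"]<server>[":"<port>] and apply the two
# pairing-line edits (-x for curl, --proxy-server for pair.sh).

# Returns 0 for an acceptable proxy string, 1 otherwise. An explicit scheme
# must be http (https://, file:// and others are rejected); the server is
# required; the port, if present, must be numeric and within 1-65535.
validate_proxy_string() {
  p="$1"
  case "$p" in
    *://*)
      [ "${p%%://*}" = "http" ] || return 1
      rest="${p#*://}" ;;
    *) rest="$p" ;;
  esac
  [ -n "${rest%%:*}" ] || return 1                 # empty server part
  case "$rest" in
    *:*)
      port="${rest#*:}"
      case "$port" in ''|*[!0-9]*) return 1 ;; esac  # non-numeric port
      [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1 ;;
  esac
  return 0
}

# Prints a pairing line (as copied from the PCE Pairing Profile) rewritten to
# go through the proxy: "-x <proxy>" after curl and "--proxy-server <proxy>"
# after the pair.sh --management-server argument. Fails on a bad proxy string
# or on a line that lacks the curl ... pair.sh --management-server shape.
add_proxy_to_pairing_line() {
  line="$1"; proxy="$2"
  validate_proxy_string "$proxy" || return 1
  case "$line" in
    *" curl "*"pair.sh --management-server "*) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$line" | sed \
    -e "s| curl | curl -x $proxy |" \
    -e "s|\(pair\.sh --management-server [^ ]*\)|\1 --proxy-server $proxy|"
}
```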