VEN Proxy Support

This section describes how to enable proxy support for the VEN on all supported operating systems: Windows, Linux, AIX, and Solaris.

CAUTION:

On all platforms (Windows and Unix-based operating systems), the VEN does not automatically add the proxy servers' IP addresses to the allowlist. Write allow rules on the PCE for the proxy server IP addresses before moving the VEN into Enforced mode. If the VEN enters Enforced mode without those rules, connectivity between the VEN and the PCE is lost permanently, and the PCE can no longer push rules to the VEN to restore it.

NOTE:

Proxy support setup for the VEN differs between Unix-based and Windows operating systems because of platform differences. Unix-based VENs do not require a system-wide proxy setting: each application obtains its proxy settings from the user (for example, curl --proxy myproxy:80). On Windows, the operating system provides the proxy settings; for example, the Chrome browser uses the same proxy setting as Microsoft Edge. See the topics below for the details of setting up VEN proxy support by platform.

VEN Connections via Windows Proxy Servers

For Windows workloads only, Illumio Xpress supports a VEN-to-PCE connection through proxy servers.

  • The default proxy configuration of the OS is used; proxy configuration might not be required, or might not be available, on the VEN itself.
  • Only non-authenticated proxies are supported, which might require you to add an exception for the PCE address on the proxy.
  • Only HTTP proxies are supported. The VEN detects the proxy automatically; no configuration or mode change is required.

Configuration for a Windows Proxy Server

  • If the network environment supports the WPAD protocol, the VEN automatically uses WPAD to discover proxies and no special configuration is required.
  • If proxy configuration is done via a PAC file, you must import the Internet Explorer (IE) proxy setting that carries the PAC file URL into the LocalSystem account (S-1-5-18). The VEN only supports http:// PAC file URLs; file:// URLs are not supported.

  • If proxies are statically configured, you can configure them using one of the following two methods:
    • IE-based proxy settings
    • WinHTTP proxy settings (netsh winhttp)
    NOTE:

    Both IE-based proxy settings and netsh winhttp settings can be pushed to the endpoints (PCs) using Group Policy.

For the proxy string format to use with Windows proxy servers, see WINHTTP_PROXY_INFO (winhttp.h) - Win32 apps in the Microsoft documentation.

VEN Connections via Unix-based Proxy Servers

VEN proxy support is provided on all supported operating systems: Windows, Linux, AIX, and Solaris.

Compared with Windows, this feature has one limitation on Unix-based VENs: Illumio Xpress does not support the Web Proxy Auto-Discovery (WPAD) protocol or proxy discovery via a Proxy Auto-Configuration (PAC) file on Unix-based systems. The VEN uses libcurl as its HTTP transport library, and libcurl does not provide the JavaScript execution capability needed to run proxy scripts. For a workaround, see Proxies - Everything curl.

Configuration for Unix-based Proxy Servers

To configure a Unix-based VEN to use a proxy server, perform the following steps:

  1. Set the proxy string during activation using the --proxy-server option. For example, use illumio-ven-ctl activate --proxy-server proxy-string as shown:

    root@qual-solaris11-L:/opt/illumio# /opt/illumio_ven/illumio-ven-ctl activate --management-server example.com:8443 --activation-code <code> --proxy-server 172.24.88.114:3128
    Activating Illumio
    ------------------
    Checking Runtime Environment..........
    Storing Activation Configuration .....
    Starting Illumio Processes............

    Pairing Status
    --------------
    Pairing Configuration exists ......SUCCESS
    VEN Manager Daemon running ........SUCCESS
    Master Configuration retrieval ....SUCCESS
    VEN Configuration retrieval .......SUCCESS
    VEN has been SUCCESSFULLY paired with Illumio
    root@qual-solaris11-L:/opt/illumio# /opt/illumio_ven/illumio-ven-ctl show-proxy
    proxy_server: 172.24.88.114:3128
  2. Set or modify the proxy string using illumio-ven-ctl set-proxy proxy-string, and clear the proxy setting using illumio-ven-ctl reset-proxy, as shown:

    [root@ven-rhel illumio_ven]# ./illumio-ven-ctl set-proxy http://proxy.example.com:3128
     
    Updating proxy to http://proxy.example.com:3128. VEN restart needed.
    [root@ven-rhel illumio_ven]# ./illumio-ven-ctl restart
    Shutting down illumio-control: 
     - venAgentMonitor Stopping venAgentMonitor:               [  OK  ]
    <snip>
     
    Starting illumio-control: 
     - Environment Setting up Illumio VEN Environment:         [  OK  ]
    <snip>
     
    [root@ven-rhel illumio_ven]# ./illumio-ven-ctl show-proxy
    proxy_server: http://proxy.example.com:3128
    [root@ven-rhel illumio_ven]# ./illumio-ven-ctl reset-proxy
    Resetting proxy. VEN restart needed.
    [root@ven-rhel illumio_ven]# ./illumio-ven-ctl restart
    Shutting down illumio-control: 
     - venAgentMonitor Stopping venAgentMonitor:               [  OK  ]
    <snip>
    Starting illumio-control: 
     - Environment Setting up Illumio VEN Environment:         [  OK  ]
    <snip>
    [root@ven-rhel illumio_ven]# ./illumio-ven-ctl show-proxy
    No proxy is set
    
  3. Restart the VEN after the proxy is set, modified, or cleared, except when the proxy is set with --proxy-server during activation (activation starts the VEN with the proxy already in place). Query the current proxy setting with the illumio-ven-ctl show-proxy command.
  4. Use the proxy string format: [<scheme>"://"]<server>[":"<port>]

    In this format, [] encloses optional parts and <> encloses required parts; therefore --proxy-server 172.24.88.114:3128 and --proxy-server http://172.24.88.114:3128 are both valid.

    NOTE:

    When a scheme is specified, only "http" is supported; "https" and all other schemes are rejected. Valid examples are http://myproxy:8080 and http://10.0.0.2:80.
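The following script is an added example for this page, not Illumio's code: it puts steps 1 to 4 into a small POSIX sh script for a Linux, AIX, or Solaris workload. It checks a proxy string against the format in step 4 (rejecting https:// and every other scheme), asks the proxy to open a tunnel to the PCE with curl before the VEN is committed to that path, and only then runs set-proxy, restart, and show-proxy. The install path /opt/illumio_ven, the PCE name pce.example.com:8443, and the proxy addresses are assumptions.

```shell
#!/bin/sh
# Added example, not Illumio's code: validate a VEN proxy string against the
# documented format [<scheme>"://"]<server>[":"<port>] (only the "http" scheme
# is accepted), confirm the proxy can actually reach the PCE, and only then
# commit the setting with illumio-ven-ctl. The install path is assumed to be
# the default; proxy and PCE addresses used in comments are made up.

VEN_CTL=/opt/illumio_ven/illumio-ven-ctl

# ven_proxy_valid STRING
# Exit 0 if STRING is a well-formed VEN proxy string, 1 otherwise.
# Bracketed IPv6 literals are not handled here.
ven_proxy_valid() {
    case "$1" in
        "")        return 1 ;;
        http://*)  vp_rest=${1#http://} ;;
        *://*)     return 1 ;;           # https:// or any other scheme
        *)         vp_rest=$1 ;;         # bare <server>[:<port>] is allowed
    esac
    vp_host=${vp_rest%%:*}
    vp_port=${vp_rest#"$vp_host"}
    vp_port=${vp_port#:}
    case "$vp_host" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;; # empty, or contains a path/space/odd char
    esac
    if [ -n "$vp_port" ]; then
        case "$vp_port" in *[!0-9]*) return 1 ;; esac
        [ "$vp_port" -ge 1 ] && [ "$vp_port" -le 65535 ] || return 1
    fi
    return 0
}

# ven_proxy_preflight PROXY PCE_HOST:PORT
# Ask the proxy to CONNECT to the PCE. curl exits 0 on any HTTP response from
# the PCE (the status code is irrelevant here) and non-zero if the proxy is
# unreachable or refuses the tunnel. Exit status 60 means the tunnel opened
# but this host does not trust the PCE certificate: fix the CA trust, do not
# add --insecure.
ven_proxy_preflight() {
    curl --silent --show-error --output /dev/null --max-time 10 \
         --proxy "$1" "https://$2/"
}

# ven_proxy_apply PROXY PCE_HOST:PORT
# Validate, preflight, then set the proxy and restart the VEN as the docs
# require; show-proxy confirms the stored value.
ven_proxy_apply() {
    ven_proxy_valid "$1" || { echo "rejected proxy string: '$1'" >&2; return 2; }
    ven_proxy_preflight "$1" "$2" \
        || { echo "proxy $1 cannot reach PCE $2; not applying" >&2; return 3; }
    "$VEN_CTL" set-proxy "$1" && "$VEN_CTL" restart && "$VEN_CTL" show-proxy
}

# Usage (nothing runs unless both arguments are given):
#   sh ven-proxy.sh http://proxy.example.com:3128 pce.example.com:8443
if [ $# -eq 2 ]; then
    ven_proxy_apply "$1" "$2"
fi
```

The preflight covers the case the CAUTION above makes expensive: a proxy string that is syntactically fine but points at a proxy that cannot reach the PCE. It checks reachability only, not policy; the PCE allow rules for the proxy's IP address must still exist before the workload enters Enforced mode.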

For Linux RPM (or AIX installp) installation, you can set the proxy string by setting and exporting the VEN_PROXY_SERVER shell variable before invoking the rpm (or installp) command.

For Solaris pkgadd, you can set the proxy string by setting VEN_PROXY_SERVER in an answer file (typically created using the pkgask command).

Linux Pairing Script Activation for Proxy Servers

Typically, VENs are paired with the PCE directly. However, if a workload is behind a web proxy, you must follow these steps to enable your Linux/Unix VEN to pair successfully with your PCE:

  1. From the PCE web console main menu, choose Workloads and VENs > Pairing Profile.
  2. Copy the pairing line from the Linux/Unix OS Pairing Script window.
  3. Paste this pairing line into a text file so that you can edit it.
  4. Edit the pairing line to make the following two changes:

    1. Add -x <proxy-string> to the curl command so that the download of pair.sh goes through the proxy.

    2. Add --proxy-server <proxy-string> to the pair.sh invocation to pass the proxy string to the pairing script.

      rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir -p /opt/illumio_ven_data/tmp && curl -x <proxy-string> --tlsv1 "https://example.com:8443/api/v18/software/ven/image?pair_script=pair.sh&profile_id=1" -o /opt/illumio_ven_data/tmp/pair.sh && chmod +x /opt/illumio_ven_data/tmp/pair.sh && /opt/illumio_ven_data/tmp/pair.sh --management-server <server fqdn> --proxy-server <proxy-string>

  5. Paste the revised script into the Linux/Unix terminal and press Enter.

The workload starts the pairing process. As the pairing script runs, you will see success messages appear. Wait until you see the message “Workload has been SUCCESSFULLY paired with Illumio,” which means your VEN (behind a proxy server) and the PCE are paired.
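The following script is an added example for this page, not Illumio's code: it performs the two edits of step 4 on a pairing line copied from the PCE and refuses to emit anything if either edit cannot be applied, so a half-edited line is never pasted into a terminal. The sample pairing line, the PCE name pce.example.com, profile_id=1, and the proxy string are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Illumio's code: take the Linux/Unix pairing line copied
# from the PCE and rewrite it so both of its network steps use the proxy:
#   1. the curl that downloads pair.sh gets   -x <proxy-string>
#   2. the pair.sh invocation gets            --proxy-server <proxy-string>
# A line with only one of the two edits either fails to download pair.sh or
# pairs a VEN that then cannot reach the PCE.
# The PCE name, profile id and proxy are made-up placeholders.

# proxify_pairing_line LINE PROXY
# Prints the rewritten line on stdout; prints nothing and returns 1 if LINE
# does not look like a pairing line (no "curl " before "--management-server ").
proxify_pairing_line() {
    pl_line=$1
    pl_proxy=$2
    case "$pl_line" in
        *"curl "*"--management-server "*) ;;
        *) return 1 ;;
    esac

    # 1. Insert -x right after the first "curl " (the download step).
    pl_before=${pl_line%%curl *}
    pl_after=${pl_line#*curl }
    pl_out="${pl_before}curl -x ${pl_proxy} ${pl_after}"

    # 2. Insert --proxy-server right after "--management-server <value>",
    #    matching the documented placement; any options after it are kept.
    pl_before=${pl_out%%--management-server *}
    pl_after=${pl_out#*--management-server }
    pl_server=${pl_after%% *}
    pl_rest=${pl_after#"$pl_server"}
    printf '%s\n' "${pl_before}--management-server ${pl_server} --proxy-server ${pl_proxy}${pl_rest}"
}

# Constructed sample: a pairing line as the PCE's Linux/Unix OS Pairing Script
# window shows it (pce.example.com and profile_id=1 are placeholders).
SAMPLE_PAIRING_LINE='rm -fr /opt/illumio_ven_data/tmp && umask 026 && mkdir -p /opt/illumio_ven_data/tmp && curl --tlsv1 "https://pce.example.com:8443/api/v18/software/ven/image?pair_script=pair.sh&profile_id=1" -o /opt/illumio_ven_data/tmp/pair.sh && chmod +x /opt/illumio_ven_data/tmp/pair.sh && /opt/illumio_ven_data/tmp/pair.sh --management-server pce.example.com:8443'

# Usage: pass the proxy string; the rewritten sample line is printed, ready to
# paste. With a real pairing line, pass it in place of SAMPLE_PAIRING_LINE.
#   sh proxify-pairing.sh http://proxy.example.com:3128
if [ $# -eq 1 ]; then
    proxify_pairing_line "$SAMPLE_PAIRING_LINE" "$1"
fi
```

Review the printed line before pasting it: the proxy string must appear exactly twice, once after curl -x and once after --proxy-server, and the PCE URL and management server must be unchanged.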