Connect agents behind a proxy

To protect computers that require a proxy to access the Internet, Deep Security Manager, or relays, you need to configure Deep Security Manager with the proxy's address. It will give this information to agents. (Alternatively, you can use the CLI to configure proxy settings locally on the agent.)

In this topic:

• Requirements
• Register the proxy in Deep Security Manager
• Connect agents, appliances, and relays to security updates via proxy
• Connect agents to security services via proxy
• Connect agents to a relay via proxy
• Remove a proxy setting
• Subsequent agent deployments

Requirements

Deep Security Agent 9.6 or later is to make outbound connections for security updates via the proxy.

Deep Security Agent 10.0 or later (not GA) is required if connecting agents to a relay or manager via proxy (especially for application control rulesets).

Register the proxy in Deep Security Manager

1. In Deep Security Manager, go to Administration > System Settings > Proxies.
2. In the Proxy Servers area, create a new HTTP proxy by clicking New in the menu bar.
3. Enter the protocol, IP Address, port number, user name and password.

Connect agents, appliances, and relays to security updates via proxy

Alternatively, you can use the command line to configure proxy use instead.

1. Still on the Proxies tab, in the Proxy Server Use area, change the Primary Security Update Proxy used by Agents, Appliances, and Relays setting to point to the new proxy.
2. Click Save.

Connect agents to security services via proxy

1. On Deep Security Manager, go to Policies.
2. Double-click to edit the policy that you use to protect computers that are behind the proxy.
3. Go to Anti-Malware > Smart Protection.
4. In the Smart Protection Server for File Reputation Service section, Default (if it's the policy named "Base Policy") or Inherited.
5. Select When accessing Global Smart Protection service, use proxy, then select the name of the proxy.
6. Click Save.
7. Go to Web Reputation > Smart Protection.
8. In the Smart Protection Server for Web Reputation Service section, deselect the Default (if it's the policy named "Base Policy") or Inherited.
9. Select When accessing Global Smart Protection service, use proxy, then select the name of the proxy.
10. Click Save.
11. Go to the Advanced tab.
12. In the Ports section, select a group of port number that includes your proxy's listening port number, and then click Save.

    For example, if you’re using a Squid proxy server, you would select the Port List Squid Web Server. If you don’t see an appropriate group of port numbers, go to Policies > Common Objects > Lists > Port Lists and then click New.

Connect agents to a relay via proxy

1. In the top right-hand corner of Deep Security Manager, click Support > Deployment Scripts to display the Deployment Script Generator.
2. After you’ve selected a platform in the Deployment Scripts Generator, the deployment script will appear.
3. In the deployment script, find the text dsa_control -a (if any).
   This is the agent-initiated activation command.
   
   
4. Before the agent-initiated activation command, add a new line and enter the proxy commands:
   dsa_control -u username:password
   dsa_control -x dsm_proxy://<host or IP>:<port>/
   dsa_control -w <username>:<password>
   dsa_control -y relay_proxy://<host or IP>:<port>
   
   where <host or IP> is the IP address or host name, <port> is the port number, and <username>:<password>is the colon (:) separated proxy user account and password.
5. Copy the script and save it locally.
6. Close the Deployment Script Generator.
7. Run the script on the relay computer.
8. After the Agent is activated and online (the computer status on the Computers page will read “Managed (online)” ), open the Details page for computer, and go to Overview > Actions > Software, select Enable Relay.
9. Wait for the update to complete. This should take approximately 20 minutes.
10. In Deep Security Manager, go to Administration > Updates > Relay Groups.
11. Edit or create a new relay group, and assign the newly created relay to it. Assign protected computers to this relay group.

Connect agents to a relay's private IP address

If your relay has an elastic IP address, agents within an AWS VPC may not be able to reach the relay via that IP address. Instead, they must use the private IP address of the relay group.

1. Go to Administration > System Settings.
2. In the System Settings area, click the Updates tab.
3. Under Software Updates, in the window Alternate software update distribution server(s) to replace Deep Security Relays , type:
   
   https://<IP>:<port>/
   
   where <IP> is the private network IP address of the relay, and <port> is the relay port number
   
   
4. Click Add.
5. Click Save.

Remove a proxy setting

If you've installed an agent with a deployment script that adds proxy settings that you no longer require, you can remove the setting by entering the following commands in a command line:

Windows

C:\Program Files\Trend Micro\Deep Security\dsa_control -x ""

C:\Program Files\Trend Micro\Deep Security\dsa_control -y ""

Linux

/opt/ds_agent/dsa_control -x ""

/opt/ds_agent/dsa_control -y ""

Subsequent agent deployments

After your initial deployment, if you add more agents, modify their deployment scripts to use the proxy

Before the agent-initiated activation command, add a new line and enter the proxy commands:

Before the agent-initiated activation command, add a new line and enter the proxy commands:
dsa_control -u username:password
dsa_control -x dsm_proxy://<host or IP>:<port>/
dsa_control -w <username>:<password>
dsa_control -y relay_proxy://<host or IP>:<port>

where <host or IP> is the IP address or host name, <port> is the port number, and <username>:<password>is the colon (:) separated proxy user account and password.