Connect agents behind a proxy
You can watch Deep Security 12 - Scoping Environment Pt2 - Network Communication on YouTube to review the network communication related to the different Deep Security components.
To protect computers that require a proxy to access the Internet, Deep Security Manager, or relays, you need to configure Deep Security Manager with the proxy's address. It will give this information to agents. (Alternatively, you can use the CLI to configure proxy settings locally on the agent.)
In this topic:
- Requirements
- Register the proxy in Deep Security Manager
- Connect agents, appliances, and relays to security updates via proxy
- Connect agents to security services via proxy
- Connect agents to a relay via proxy
- Remove a proxy setting
- Subsequent agent deployments
Requirements
Deep Security Agent 10.0 or later (not GA) is required if connecting agents to a relay or manager via proxy (especially for application control rulesets).
Register the proxy in Deep Security Manager
- In Deep Security Manager, go to Administration > System Settings > Proxies.
- In the Proxy Servers area, create a new HTTP proxy by clicking New in the menu bar.
- Enter the protocol, IP Address, port number, user name and password.
Connect agents, appliances, and relays to security updates via proxy
Alternatively, you can configure proxy use from the command line.
- Still on the Proxies tab, in the Proxy Server Use area, change the Primary Security Update Proxy used by Agents, Appliances, and Relays setting to point to the new proxy.
- Click Save.
Connect agents to security services via proxy
- On Deep Security Manager, click Policies at the top.
- On the left, click Policies.
- In the main pane, double-click the policy that you use to protect computers that are behind the proxy.
- Set up a proxy to the Global Census, Good File Reputation, and Predictive Machine Learning Services as follows:
  - Click Settings on the left.
  - In the main pane, click the General tab.
  - In the main pane, look for the Network Setting for Census and Good File Reputation Service, and Predictive Machine Learning section.
  - If the Inherited check box is selected, the proxy settings are inherited from the parent policy. To change the settings for this policy or computer, clear the check box.
  - Select When accessing Global Server, use proxy and in the list, select your proxy, or select New to specify another proxy.
  - Save your settings.
- Set up a proxy to the Smart Protection Network for use with anti-malware:
  - Click Anti-Malware on the left.
  - In the main pane, click the Smart Protection tab.
  - Under Smart Protection Server for File Reputation Service, if the Inherited check box is selected, the proxy settings are inherited from the parent policy. To change the settings for this policy or computer, clear the check box.
  - Select Connect directly to Global Smart Protection Service.
  - Select When accessing Global Smart Protection Service, use proxy and in the list, select your proxy or select New to specify another proxy.
  - Specify your proxy settings and click OK.
  - Save your settings.
- Set up a proxy to the Smart Protection Network for use with web reputation:
  - Click Web Reputation on the left.
  - In the main pane, click the Smart Protection tab.
  - Under Smart Protection Server for Web Reputation Service, set up your proxy, the same way you did under Anti-Malware in a previous step.
  - With Web Reputation still selected on the left, click the Advanced tab.
  - In the Ports section, select a group of port numbers that includes your proxy's listening port number, and then click Save. For example, if you’re using a Squid proxy server, you would select the Port List Squid Web Server. If you don’t see an appropriate group of port numbers, go to Policies > Common Objects > Lists > Port Lists and then click New to set up your ports.
  - Save your settings.
Your agents can now connect to Trend Micro security services over the Internet through a proxy.
Connect agents to a relay via proxy
- In the top right-hand corner of Deep Security Manager, click Support > Deployment Scripts.
- From Proxy to contact Relay(s), select a proxy.
- Copy the script or save it.
- Run the script on the computer.
Connect agents to a relay's private IP address
If your relay has an elastic IP address, agents within an AWS VPC may not be able to reach the relay via that IP address. Instead, they must use the private IP address of the relay group.
- Go to Administration > System Settings.
- In the System Settings area, click the Updates tab.
- Under Software Updates, in the window Alternate software update distribution server(s) to replace Deep Security Relays, type:
https://<IP>:<port>/
where <IP> is the private network IP address of the relay, and <port> is the relay port number.
- Click Add.
- Click Save.
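A pre-flight check for the `https://<IP>:<port>/` entries described above, so that an elastic (public) address or a malformed value is caught before it is typed into the Updates tab. This is an added example, not Trend Micro code; it assumes the VPC uses RFC 1918 address space, and the function names, sample addresses and port 4122 are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the VPC is numbered from RFC 1918 private address space.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_relay_entry(entry):
    """Return the entry normalised to https://<IP>:<port>/ or raise ValueError."""
    parts = urlsplit(entry.strip())
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username or parts.password:
        raise ValueError("entry must not carry credentials")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("nothing may follow <port>/")
    port = parts.port  # raises ValueError if not numeric or out of range
    if not port:
        raise ValueError("relay port is required")
    try:
        ip = ipaddress.IPv4Address(parts.hostname or "")
    except ValueError:
        raise ValueError("host must be an IPv4 address, not a name") from None
    if not any(ip in net for net in RFC1918):
        raise ValueError(f"{ip} is not a private address")
    return f"https://{ip}:{port}/"


def audit(entries):
    """Map each candidate entry to (accepted, normalised value or reason)."""
    report = {}
    for entry in entries:
        try:
            report[entry] = (True, check_relay_entry(entry))
        except ValueError as exc:
            report[entry] = (False, str(exc))
    return report


# Constructed sample entries; 203.0.113.10 stands in for an elastic IP.
SAMPLES = ["https://10.0.1.25:4122/", "https://203.0.113.10:4122/",
           "http://10.0.1.25:4122/", "https://relay.example.internal:4122/",
           "https://10.0.1.25/", "https://172.16.4.9:4122"]

if __name__ == "__main__":
    for entry, (ok, detail) in audit(SAMPLES).items():
        print("OK  " if ok else "FAIL", entry, "->", detail)
```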
Remove a proxy setting
If you've installed an agent with a deployment script that adds proxy settings that you no longer require, you can remove the setting by entering the following commands in a command line:
Windows
"C:\Program Files\Trend Micro\Deep Security\dsa_control" -x ""
"C:\Program Files\Trend Micro\Deep Security\dsa_control" -y ""
Linux
/opt/ds_agent/dsa_control -x ""
/opt/ds_agent/dsa_control -y ""
Subsequent agent deployments
After your initial deployment, if you add more agents, modify their deployment scripts to use the proxy in the Deployment Scripts Generator.