Protect workloads requiring a proxy for outbound connection

To protect computers that require a proxy to access the Internet, you need to configure Deep Security Manager with the proxy's address. The Manager passes this information to the Agents.

Requirements

You must be using Deep Security 9.6 Agents. Earlier versions won’t be able to make outbound connections via the proxy.

Register the proxy in the Deep Security Manager

  1. In the Deep Security Manager, go to Administration > System Settings > Proxies.
  2. In the Proxy Servers area, create a new HTTP proxy by clicking New in the menu bar and set the protocol, IP Address, port number, and authentication credentials as required.

Configure Agents, Appliances, and Relays to use the new proxy

  1. Still on the Proxies tab, in the Proxy Server Use area, change the Primary Security Update Proxy used by Agents, Appliances, and Relays setting to point to the new proxy.
  2. Click Save.

Configure Security Services to use the new proxy

  1. On Deep Security Manager, go to Policies.
  2. Double-click to edit the policy that you use to protect computers that are behind the proxy.
  3. Go to Anti-Malware > Smart Protection.
  4. In the Smart Protection Server for File Reputation Service section, deselect Default (if it's the policy named "Base Policy") or Inherited.
  5. Select When accessing Global Smart Protection service, use proxy, then select the name of the proxy.
  6. Click Save.
  7. Go to Web Reputation > Smart Protection.
  8. In the Smart Protection Server for Web Reputation Service section, deselect Default (if it's the policy named "Base Policy") or Inherited.
  9. Select When accessing Global Smart Protection service, use proxy, then select the name of the proxy.
  10. Click Save.
  11. Go to the Advanced tab.
  12. In the Ports section, select a group of port numbers that includes your proxy's listening port number, and then click Save.

    For example, if you’re using a Squid proxy server, you would select the Port List Squid Web Server. If you don’t see an appropriate group of port numbers, go to Policies > Common Objects > Lists > Port Lists and then click New.

Deploy a Relay-enabled Agent on your network

  1. In the top right-hand corner of Deep Security Manager, click Support > Deployment Scripts to display the Deployment Script Generator.
  2. After you’ve selected a platform in the Deployment Script Generator, the deployment script will appear.
  3. In the deployment script, locate the string "dsa_control -a".
    This is the Agent-initiated activation command.

  4. Above the Agent-initiated activation command, add a new line and type (or copy and paste) the following proxy command:

    dsa_control -x dsm_proxy://host_or_ip:port/

    where "host_or_ip:port" is the host name or IP address and the port number of the proxy server. When used in the context of Agent-initiated activation, the proxy command must be issued first, followed by the Agent-initiated activation command.
  5. Copy the script and save it locally.
  6. Close the Deployment Script Generator.
  7. Run the script on the machine intended to act as the Relay.
  8. After the Agent is activated and online (the computer status on the Computers page will read “Managed (online)”), open the Details page for the computer, go to Overview > Actions > Software, and select Enable Relay.
  9. Wait for the update to complete. This should take approximately 20 minutes.

Configure a Relay Group

  1. In the Deep Security Manager, go to Administration > Updates > Relay Groups.
  2. Create a new Relay Group, and assign the newly created Relay to it.


What if my Relay Group has an Elastic IP Address?

If your Relay has an Elastic IP address, the Agents may not be able to reach the Relay from within the VPC. To ensure download and distribution of software, add the private IP address of the Relay Group to Deep Security.

  1. Go to Administration > System Settings.
  2. In the System Settings area, click the Updates tab.
  3. Under Software Updates, in the window Alternate software update distribution server(s) to replace Deep Security Relays, type the following:

    https://<private relay IP>:<portnumber>/

    where <private relay IP> is the private IP address of the relay, and <portnumber> is the relay port number.

  4. Click Add.
  5. Click Save.

Note: If your Relay Group’s private IP changes, you must manually update this setting. It will not be updated automatically.

Subsequent Agent Deployments

In subsequent Agent deployments, you need to modify the deployment scripts for new Agents to make use of the proxy (as you did above for the Relay):

  • Above the Agent-initiated activation command, add a new line and type (or copy and paste) the following proxy command:

    dsa_control -x dsm_proxy://host_or_ip:port/

    where "host_or_ip:port" is the host name or IP address and the port number of the proxy server. When used in the context of Agent-initiated activation, the proxy command must be issued first, followed by the Agent-initiated activation command.
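
The edit described for the Relay script and for subsequent Agent deployments can be scripted. The following is an added example, not part of the original article and not Trend Micro code: it inserts the proxy command above the first "dsa_control -a" line and checks the resulting order. The function names, the sample script, the agent path, the manager address and the proxy address 10.0.0.5:3128 are constructed assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): put the proxy command above "dsa_control -a".

# Constructed sample of a generated deployment script; the agent path and
# manager address are placeholders.
sample_script() {
cat <<'EOF'
#!/bin/bash
# ... agent download and install steps ...
sleep 15
/opt/ds_agent/dsa_control -a dsm://dsm.example.internal:4120/
EOF
}

# add_proxy_line HOST:PORT   (script on stdin, patched script on stdout)
add_proxy_line() {
    # Accept only host_or_ip:port (host name or IPv4) so nothing else can be
    # written into a script that will later run with root privileges.
    case "$1" in
        ''|*[!A-Za-z0-9.:-]*) echo "invalid proxy address" >&2; return 2 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9.-]+:[0-9]+$' || return 2
    awk -v p="$1" '
        # A proxy command already above the activation line: leave it alone.
        /dsa_control[ \t]+-x[ \t]+dsm_proxy:/ { have_proxy = 1 }
        /dsa_control[ \t]+-a([ \t]|$)/ && !have_proxy && !done {
            # Reuse the indentation and path used by the activation line.
            i = index($0, "dsa_control")
            print substr($0, 1, i + 10) " -x dsm_proxy://" p "/"
            done = 1
        }
        { print }'
}

# proxy_before_activation: succeeds only if the first proxy command appears
# on an earlier line than the first activation command (script on stdin).
proxy_before_activation() {
    awk '
        /dsa_control[ \t]+-x[ \t]+dsm_proxy:/ && !x { x = NR }
        /dsa_control[ \t]+-a([ \t]|$)/ && !a { a = NR }
        END { exit !(x && a && x < a) }'
}

# Show the patched sample when run stand-alone.
sample_script | add_proxy_line 10.0.0.5:3128
```

Running proxy_before_activation against every deployment script before it is distributed catches scripts that would try to activate without the proxy set.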