Web proxy support for workloads
Workloads protected by Xshield can be set up to use a Web proxy server to relay communication between the agents and the Xshield instance. A Web proxy server helps protect your workloads from attacks such as Distributed Denial-of-Service (DDoS) and Man-in-the-Middle (MITM), and lets you use other Web proxy features such as Web caching and SSL inspection for internal networks.
Before you begin
- If you have enabled SSL interception for the Web proxy server, see Enable mTLS authentication for Web proxy server with SSL interception before setting workloads to use the Web proxy server.
- If you are using Squid Proxy and want to enable High Availability (HA) for the Web proxy setup, we recommend using the ColorTokens-tested High Availability for Squid Proxy with Pacemaker, Fencing, and Floating IP address. The Squid Proxy HA setup was tested on CentOS 7 HA nodes.
  Also, you must factor the virtual IP (Floating IP) of the Squid Proxy HA cluster and the port you select for the Squid Proxy service into the CLI installation commands and/or scripts you use to install the agents on the assets.
Set workloads to use Web proxy server
You can set existing workloads or workloads you plan to add to use the Web proxy server. After you successfully set the workloads, all communication between the agents and the instance is relayed through the Web proxy server.
For workloads that use agent versions 8.6.0.7 and later
For agent versions 8.6.0.7 and later, the Settings > Agent Download page lists the CLI commands to install the workload agents (of supported OS families) with the parameters of the Web proxy server.
- Go to Settings > Agent Download.
- Click View CLI to see the instructions to install the agent from the CLI of the workload. The commands differ by the OS on which you want to install the agent.
- Use the Copy icon to copy the command listed in the Single command to install (with proxy) textbox.
- Revise the command by replacing the values of the last 4 parameters in the command (PROXY_URL, PROXY_PORT, PROXY_USER, PROXY_PASSWORD) with the details of the Web proxy server.
  PROXY_USER and PROXY_PASSWORD are optional parameters.
- Run the revised command on the workload's CLI.
  When the agent is installed successfully and the workload is registered with the instance, the workload appears on the Assets page.
For workloads upgraded to agent version 8.6.0.7
For workloads that are upgraded to agent version 8.6.0.7, you must use an agent utility command to add the details of the Web proxy server to the agent configuration.
We recommend that you see Expected behavior with introducing Web proxy before you start tuning the agents on existing workloads.
- Revise the agent utility command by adding the details of the Web proxy server.
  - For Windows workloads, use the "C:\Program Files\ColorTokens\LGM\ct-lgm.exe" update-proxy-params <PROXY_URL> <PROXY_PORT> <PROXY_USERNAME> <PROXY_PASSWORD> command.
  - For workloads of other supported OSes, use the sudo ct-lgm-util update-proxy-params <PROXY_URL> <PROXY_PORT> <PROXY_USERNAME> <PROXY_PASSWORD> command.
  Ensure that you separate the proxy details with single spaces. For example, "C:\Program Files\ColorTokens\LGM\ct-lgm.exe" update-proxy-params 10.0.1.10 8080 colortokens abc@1234.
- Run the revised command in the workload's CLI.
- Run the "C:\Program Files\ColorTokens\LGM\ct-lgm.exe" read-proxy-params or sudo ct-lgm-util read-proxy-params command to see the existing proxy parameters.
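Both the install command (with proxy) and the update-proxy-params utility take the same four values: PROXY_URL, PROXY_PORT and the optional PROXY_USER and PROXY_PASSWORD. The following POSIX shell script is an added example, not part of the ColorTokens documentation or tooling: it checks those values before they are pasted into a command (a port outside 1-65535, a scheme or path in PROXY_URL, whitespace inside a credential, or a user given without a password are the typical copy-and-edit mistakes) and prints the Linux form of the utility command, single-quoting a credential only when it contains characters the shell would otherwise interpret. It assumes PROXY_URL is a bare host name or IPv4 address (for a Squid Proxy HA cluster, the floating IP) and that the utility takes the four values as positional arguments, as the page shows.

```shell
#!/bin/sh
# Added example: validate Web proxy parameters and build the
# "sudo ct-lgm-util update-proxy-params" command for a Linux workload.
# Not ColorTokens' own tooling. Assumes PROXY_URL is a host name or IPv4
# address without scheme or path (as in the page's example 10.0.1.10) and
# that the utility takes the four values as single-space-separated
# positional arguments.

# shell_quote VALUE: single-quote VALUE only when it contains characters
# the shell could interpret (e.g. '$' or '!'), so the credential reaches
# the utility unchanged. Plain values such as abc@1234 are left as-is.
shell_quote() {
  case $1 in
    *[!A-Za-z0-9@._-]*)
      printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")" ;;
    *)
      printf '%s' "$1" ;;
  esac
}

# validate_proxy_params URL PORT [USER] [PASSWORD]
# Returns 0 when the values are usable, 1 with a message on stderr otherwise.
validate_proxy_params() {
  url=$1; port=$2; user=${3-}; pass=${4-}
  # Host: letters, digits, dots and hyphens only; no scheme, path or spaces
  case $url in
    ''|*[!A-Za-z0-9.-]*) echo "invalid PROXY_URL: '$url'" >&2; return 1 ;;
  esac
  # Port: digits only, at most five of them, and within 1-65535
  case $port in
    ''|*[!0-9]*|??????*) echo "invalid PROXY_PORT: '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "PROXY_PORT out of range: $port" >&2; return 1
  fi
  # The utility splits on single spaces, so whitespace inside a credential
  # would be read as extra arguments
  case "$user$pass" in
    *[[:space:]]*) echo "PROXY_USER/PROXY_PASSWORD must not contain whitespace" >&2; return 1 ;;
  esac
  # A user without a password (or the reverse) is a half-edited template
  if { [ -n "$user" ] && [ -z "$pass" ]; } || { [ -z "$user" ] && [ -n "$pass" ]; }; then
    echo "PROXY_USER and PROXY_PASSWORD must be given together" >&2; return 1
  fi
  return 0
}

# build_proxy_cmd URL PORT [USER] [PASSWORD]
# Prints the exact command to run on the workload; the credentials are
# appended only when given (PROXY_USER and PROXY_PASSWORD are optional).
build_proxy_cmd() {
  validate_proxy_params "$@" || return 1
  cmd="sudo ct-lgm-util update-proxy-params $1 $2"
  if [ -n "${3-}" ]; then
    cmd="$cmd $(shell_quote "$3") $(shell_quote "$4")"
  fi
  printf '%s\n' "$cmd"
}

# The password is passed on the command line, so it lands in the shell
# history of whoever runs it; in bash, a leading space with
# HISTCONTROL=ignorespace keeps it out of the history file.

# The page's example values (constructed by the page, Linux form):
build_proxy_cmd 10.0.1.10 8080 colortokens 'abc@1234'
```

Running the script prints sudo ct-lgm-util update-proxy-params 10.0.1.10 8080 colortokens abc@1234; the Windows form is the same four arguments after "C:\Program Files\ColorTokens\LGM\ct-lgm.exe" update-proxy-params. After running the printed command on the workload, confirm the stored values with the read-proxy-params command from the step above.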
Enable mTLS authentication for Web proxy server with SSL interception
Setting up workloads to relay communication through a Web proxy server disables the built-in mTLS authentication between the agents and the Xshield instance. Enable or re-enable mTLS authentication between the agents and the Xshield instance from Xshield as follows.
- Generate the proxy server certificate in .cer or .cert format.
- Go to Settings > Configure > Account settings and scroll down to the Advanced agent communication option tile.
- Upload the proxy server certificate.