Redirect HTTPS communication through proxies


Overview

You can redirect connections between management servers and nodes that are on different networks through a proxy. The figure below shows connections between a management server and a node through a proxy:

 

A management server communicates with a node through an HTTP proxy

You can also redirect communication through proxies in more complex environments. The figure below shows connections between a management server and nodes through multiple proxies:

A management server communicates with nodes on different networks using different HTTP proxies.

PROXY parameter syntax

You redirect outbound HTTPS communication through proxies by setting the PROXY parameter in the bbc.http name space on the management servers and nodes. You can configure this parameter in the following ways:

The value of the PROXY parameter can contain one or more proxy definitions. Specify each proxy in the following format:

<proxy_hostname>:<proxy_port>+(<included_hosts>)-(<excluded_hosts>)

Replace <included_hosts> with a comma-separated list of hostnames or IP addresses to which the proxy enables communication. Replace <excluded_hosts> with a comma-separated list of hostnames or IP addresses to which the proxy cannot connect. Asterisks (*) are wildcards in hostnames and IP addresses. Both <included_hosts> and <excluded_hosts> are optional.

To specify multiple proxies, separate each proxy with a semicolon (;). The first suitable proxy in the list takes precedence.

Example PROXY parameter values

To configure a node to use proxy1.example.com port 8080 for all outbound connections, you would use the following value:

proxy1.example.com:8080

To configure a management server to use proxy2.example.com:8080 to connect to any host with a hostname that matches *.example.com or *.example.org, except hosts with an IP address in the range 192.168.0.0 to 192.168.255.255, you would use the following value:

proxy2.example.com:8080+(*.example.com,*.example.org)-(192.168.*.*)

To extend the above example to use proxy3.example.com to connect to backup.example.com only, you would use the following value:

proxy3.example.com:8080+(backup.example.com); proxy2.example.com:8080+(*.example.com,*.example.org)-(192.168.*.*)

In the above example, proxy3.example.com:8080+(backup.example.com) must be first, because the include list for proxy2.example.com contains *.example.com.
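The precedence rule above can be checked before a value is deployed. The following Python code is an added example, not code from the product: it assumes that an empty include list means all hosts, that names are compared case-insensitively against the literal string given (no DNS resolution), and that * may span dots. The names parse_proxy and select_proxy are hypothetical helpers.

```python
import re

# <host>:<port>, then optional +(<included_hosts>) and -(<excluded_hosts>)
DEFINITION = re.compile(r"^([^:\s]+):(\d+)(?:\+\(([^)]*)\))?(?:-\(([^)]*)\))?$")

# Values taken from the examples above; SWAPPED reverses the order on purpose.
ORDERED = ("proxy3.example.com:8080+(backup.example.com); "
           "proxy2.example.com:8080+(*.example.com,*.example.org)-(192.168.*.*)")
SWAPPED = ("proxy2.example.com:8080+(*.example.com,*.example.org)-(192.168.*.*); "
           "proxy3.example.com:8080+(backup.example.com)")

def patterns(group):
    """Turn a comma-separated host list (or None) into lowercase patterns."""
    return [p.strip().lower() for p in (group or "").split(",") if p.strip()]

def matches(name, pattern):
    """Only '*' is a wildcard; every other character is literal."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def parse_proxy(value):
    """Return [(proxy, includes, excludes), ...] in the order written."""
    entries = []
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        m = DEFINITION.match(part)
        if m is None:
            raise ValueError(f"malformed proxy definition: {part!r}")
        host, port, inc, exc = m.groups()
        entries.append((f"{host}:{port}", patterns(inc), patterns(exc)))
    return entries

def select_proxy(value, target):
    """First definition that includes and does not exclude target, else None."""
    target = target.lower()
    for proxy, includes, excludes in parse_proxy(value):
        # Assumption: an empty include list means "all hosts".
        if includes and not any(matches(target, p) for p in includes):
            continue
        if any(matches(target, p) for p in excludes):
            continue
        return proxy
    return None

if __name__ == "__main__":
    for label, value in (("ordered", ORDERED), ("swapped", SWAPPED)):
        print(label, "->", select_proxy(value, "backup.example.com"))
```

With the swapped order, backup.example.com is routed to proxy2.example.com:8080 and the proxy3 definition never applies. In a POSIX shell, quote the value passed to ovconfchg, because parentheses, semicolons and asterisks are shell metacharacters.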

To redirect HTTPS communication through proxies using ovconfchg

  1. Log in to the management server or node as a user with administrative rights and open a command prompt or shell.
  2. On nodes that run a UNIX or Linux operating system, ensure that the PATH variable contains the path to the agent commands.
  3. Specify the proxies that the node should use. You can specify different proxies to use depending on the host that the agent wants to connect to. Type the following command:

    ovconfchg -ns bbc.http -set PROXY <proxy>

NOTE:
When you use the ovconfchg command on a management server that runs in a cluster, add the parameter -ovrg server.
