Proxy Support for Agents

Proxy support for Linux and Windows Agents are now available with Ivanti Neurons Platform.

Proxy for Linux Agents

Adding a Proxy

To add a new proxy server, enter
stagentctl proxy --add http://host:port

Only HTTP proxies without credentials are supported.

Listing Configured Proxies

To display all configured proxies and exclusions, enter
stagentctl proxy --list

Removing a Proxy

  • To remove a specific proxy from the configuration, enter
    stagentctl proxy --remove http://host:port

  • To remove all configured proxies, enter
    stagentctl proxy --remove all

  • Command returns a configuration state after execution

    If the result is 'No proxy configured' it means that after command execution there are no proxies left.

Managing Proxy Exclusion

  • To manage hosts that should be accessed directly use the following command to exclude a specific hostname, such as "host.com',
    stagentctl proxy --addexclusion host.com

  • For suffix match exclusions, use the following command to exclude all hosts that end with '.org'.
    For example, adding '.com' excludes all hosts ending with '.com'.
    stagentctl proxy --addexclusion .org

  • The leading dot in the exclusion command, for example '.org' serves as a wildcard, indicating that any host ending with the specified suffix should be excluded.

  • To completely disable the proxy for all hosts use the following command:
    stagentctl proxy --addexclusion "*"

  • To remove a specific host exclusion use the following command:
    stagentctl proxy --removeexclusion host.com

  • To clear all exclusions use the following command:
    stagentctl proxy --removeexclusion all

Registering with Proxy Configuration

  • When registering the agent, add --addproxy parameter such as
    stagentctl register --addproxy http://host:port.
    This proxy is used for the registration and saved for use in future communications.

  • Additionally, at the moment of registration, configuration is gathered from http_proxy or HTTP_PROXY environment variables and saved.

  • It is also possible to add proxies and exclusions with proxy --add and proxy --addexclusion commands before registration attempt.

Important Notes

  • The application does not automatically utilize proxies defined in environment variables, except during the registration request.

  • A list of proxies is supported. In case of connection failure, the next proxy in the list is tried, eventually attempting a connection without a proxy. The application cycles back to the first proxy after exhausting all options or when a timeout occurs, prioritizing the initial entries.

  • The register --addproxy command adds a proxy to the top of the list, giving priority to the provided proxy.

  • Proxies gathered from environment variables are added to the end of the proxy list.

  • http_proxy and HTTP_PROXY are used for proxy configuration (the first available is used)

Security and Communication

The application ensures that all communication via proxies is securely tunneled using the CONNECT method, suitable for encrypted communications where the proxy only acts as a tunnel provider. All proxy configurations are validated to ensure the use of the HTTP scheme without credentials and may include a port number.

Proxy for Windows Agents

The web proxy for Windows Agents can be set in several ways. All methods have the same available proxy properties and differ by point of entry. Select the method appropriately.

  • Method 1: Set proxy settings as part of an agent installation.

  • Method 2: Set proxy settings for an installed agent that is registering, or reregistering.

  • Method 3: Set proxy settings for an agent that is already installed and registered.

An Agent’s existing proxy config is overwritten when any of these methods are used.
For example, an Agent that has explicit proxy settings set using proxyConfig, have those proxy settings overwritten by subsequent registration.

Method 1: During initial installation and registration

Use this method when the proxy configuration is well known at the time of agent setup, such as mass deployment of new agents. The proxy properties may be set in the silent command in the case of mass deployment, or in the registration GUI or accompanying options file that for one-off installations.

  • A silent (unattended) installation initiated in Neurons requires proxy properties to be added to the command.

For example: IvantiCloudAgent.exe --tenantid 11111… --activationkey BLtwU… --cloudhost https://xxx.ivanticloud.com --mode unattended --proxyMode Custom -serverList ProxyServer.localdomain.com:8080 --bypassList contoso.org;acme.com --proxyAuthType Basic --proxyUsername admin1 --proxyPassword password1

  • An interactive installation initiated in Neurons requires proxy properties to be added in the accompanying options file.

For example :

tenantid=1111….

activationkey=BLtwU….

cloudhost=https://xxx.ivanticloud.com

proxyMode=Custom

serverList=ProxyServer.localdomain.com:8080

bypassList=contoso.org;acme.com

proxyAuthType=Basic

proxyUsername=admin1

proxyPassword=password1

  • Alternative to an interactive installation, specify the settings in the registration GUI under Configure proxy.

Method 2: Explicit registration configuration

Use this method when (re)registration is required, and reinstallation is not required. That is, the agent is already installed but registration requires changes. This approach requires also having registration information in addition to the proxy information.

The STAgentManagement tool is available with installed agents in C:\Program Files\Ivanti\Ivanti Cloud Agent.

Run ./STAgentManagement.exe directly for help documentation.

  • Use the silent flag to use the command line only

STAgentManagement.exe -register -p silent=true -p proxyMode=Custom -p serverList=ProxyServer.localdomain.com:8080 -p proxyAuthType=Basic proxyUsername=admin1

proxyPassword=password1 <and additional arguments for registration>

  • Run the register command to bring up the registration and Proxy Configuration GUIs.

STAgentManagement.exe -register

Method 3: Explicit proxy configuration

Use this method when web proxy updates are required without changes to registration or installation.
For example, the proxy credentials or proxy server changed.

The STAgentManagement tool is found for installed agents in C:\Program Files\Ivanti\Ivanti Cloud Agent.

Run ./STAgentManagement.exe directly for help documentation.

  • Use the silent flag to use only the command line.

STAgentManagement.exe -proxyConfig -p silent=true -p proxyMode=Custom -p serverList=ProxyServer.localdomain.com:8080 -p proxyAuthType=Basic proxyUsername=admin1 proxyPassword=password1

  • Run the proxyConfig command to bring up ‘Proxy Configuration’ GUI.

STAgentManagement.exe -proxyConfig

Properties for Proxy on Windows Clients:

  1. Proxy Mode
    Description: Sets the proxy mode.

    • ‘None’ refers that no proxy is used.

    • ‘Auto’ refers to the proxy mode that is detected from current OS settings. It is the Default mode.

    • ‘Custom’ refers to other proxy properties are used.

  2. Server List
    Description: The proxy server name and corresponding port; multiple servers may be specified.

  3. Bypass List
    Description: The addresses that are allowed to be bypassed by the proxy.

  4. Auth Type
    Description: Sets the authentication type for the proxy.

    • 'Basic' requires a username and password to be defined which are used.

    • Other options are 'Digest', 'NTLM', 'Negotiate', and 'None' which means no credentials are used.

    • 'None' is the default value.

  5. Username and password
    Description: Credentials are securely stored to be used with auth types of ‘Basic’.

  6. Update WinHttp Proxy
    Description: This is only available via the command line and not in any GUI. Only customers that require the agent to not interfere with the WinHTTP proxy settings should set this. For more details, see Opting Out of WinHTTP Proxy Settings.