The IBM Storage® Defender® connection manager requires outbound internet access to connect to the Data Resiliency Service. If your on-premises network uses a proxy server for internet access, you can configure proxy settings in the connection manager. The proxy is used to communicate with the Data Resiliency Service for inventory, recovery, and other operations. It is also used to download packages from the online repository to update the connection manager.
Before you begin
- The proxy server must support HTTP CONNECT requests originating from the connection manager in order to establish a tunnel, and the response from the proxy must be compatible with the HTTP/1.1 standard.
- Proxy server authentication is not supported. The proxy server must be configured to allow unauthenticated requests from the connection manager.
- WebSocket support on proxy servers is required. The proxy server must be configured to allow HTTP Upgrade and WebSocket protocol for requests originating from the connection manager.
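The CONNECT and no-authentication prerequisites can be checked from a host on the same network before the proxy is set. The following Python script is an added example, not part of IBM's documentation or of the cmadm tool: it sends one CONNECT request without credentials and classifies the proxy's reply. The function names, the outcome labels, and the choice to flag a status line other than HTTP/1.1 for review are assumptions of this example.

```python
import socket
import sys

# What each outcome means against the prerequisites listed above (labels are this example's own).
ADVICE = {
    "ok": "proxy opened the tunnel without asking for credentials",
    "auth-required": "proxy answered 407; proxy authentication is not supported",
    "denied": "proxy policy refused CONNECT to this destination",
    "connect-unsupported": "proxy does not accept the CONNECT method",
    "review-http-version": "tunnel opened, but the status line is not HTTP/1.1",
    "malformed": "reply is not an HTTP status line",
    "unexpected": "unexpected status code; check the proxy logs",
}

def classify_connect_reply(raw: bytes) -> str:
    """Classify the proxy's reply to an unauthenticated CONNECT request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    parts = head.split("\r\n")[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdecimal():
        return "malformed"
    version, code = parts[0], int(parts[1])
    if code == 407:
        return "auth-required"
    if code == 403:
        return "denied"
    if code in (405, 501):
        return "connect-unsupported"
    if 200 <= code < 300:
        return "ok" if version == "HTTP/1.1" else "review-http-version"
    return "unexpected"

def probe(proxy: str, target: str, timeout: float = 5.0) -> str:
    """Send one CONNECT with no Proxy-Authorization header and classify the reply."""
    host, _, port = proxy.rpartition(":")
    request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")
    with socket.create_connection((host.strip("[]"), int(port)), timeout=timeout) as sock:
        sock.sendall(request)
        reply = b""
        while b"\r\n\r\n" not in reply and len(reply) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return classify_connect_reply(reply)

if __name__ == "__main__":
    # Usage: python3 connect_probe.py <proxy host:port> <destination host:port>
    # The destination is whichever endpoint your deployment must reach; none is assumed here.
    outcome = probe(sys.argv[1], sys.argv[2])
    print(f"{outcome}: {ADVICE[outcome]}")
    sys.exit(0 if outcome == "ok" else 1)
```

The script does not exercise the WebSocket prerequisite, which requires an Upgrade request sent inside the established tunnel.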
Procedure
To configure a connection manager to use a web proxy, complete the following steps:
- Log in to the connection manager by using SSH as the defender user. Use the cmadm CLI tool to manage the proxy and to test network connectivity.
- To run health checks related to the configuration and services of the connection manager, issue the following command:
cmadm check
Tip: The cmadm CLI tool is run by specifying subcommands, which perform actions such as managing a proxy and testing network connectivity.
Review the Network Configuration section in the output. The status of the checks indicates whether the connection manager can connect to the internet resources. If the connection manager requires a proxy and none is configured, the checks (such as connectivity to DRS or connectivity to the update repository) fail.
- To view the current proxy settings, issue the following command:
By default, no proxy is configured and the command output is None.
- To specify a new proxy or to update the existing proxy, issue the following command:
cmadm proxy set --addr <host>:<port>
Specify the proxy's hostname or IP address and port number using the --addr argument. For example:
cmadm proxy set --addr proxy.example.com:8080
If your proxy server performs HTTPS or TLS inspection and uses a private Certificate Authority (CA) to generate certificates, you must specify the public certificate of the root CA when adding the proxy. Use the following syntax:
cmadm proxy set --addr <host>:<port> --cacert <filename>
The filename must specify the path to a text file that contains the root CA certificate in PEM format. For example:
cmadm proxy set --addr proxy.example.com:8080 --cacert /home/defender/proxy-ca.crt
Note: If your proxy is configured for TLS inspection, it must support inspection of WebSocket connections. If WebSocket inspection is not supported, configure the proxy to exclude inspection for the following hostnames:
*.storage-defender.ibm.com
- To examine the Network Configuration health checks and verify that the proxy is set and that connectivity to internet resources is successful, issue the following command:
Note: If you want to remove the proxy configuration and revert to the default state, issue the following command:
cmadm proxy clear