Configuring a proxy server for the secure client
Establishing a connection between the secure client and the SaaS server might require the use of a proxy server. Unlike the Turbonomic probes, the secure client establishes an mTLS (mutual Transport Layer Security) connection over TCP (Transmission Control Protocol), which imposes additional requirements on the proxy server configuration.
The secure client does not support configured proxies or proxy servers that support http only. Transparent proxies (implicit proxies) that support TLS over TCP are supported.
Requirements
- TLS passthrough:
The proxy server must not terminate the TLS session that originates from the secure client. This is sometimes called TLS passthrough mode, as opposed to re-encrypt mode.
With mTLS passthrough, encrypted traffic from the secure client is passed on to the SaaS server without being decrypted in the proxy server. Because the data packets are decrypted only on the SaaS server, the encrypted traffic remains protected against malicious attacks.
- Server name indication:
The proxy server must support server name indication (SNI).
SNI is an extension of the TLS protocol that carries the domain name of the SaaS server in the TLS handshake. The proxy server reads this name during the handshake, which enables it to direct the data to the SaaS server.
Determining the proxy server settings
Open the Turbonomic user interface. Navigate to Settings > Secure Client Management, and then click the Server Details tab. The fully qualified domain name (FQDN) and port combinations shown there are required to configure your proxy server.

If you do not have the URL or login credentials of your SaaS server, contact your Turbonomic representative.
claims-turbonomic.apps.acme.com
skupper-edge-turbonomic.apps.acme.com
skupper-inter-router-turbonomic.apps.acme.com
Example proxy server configuration
A sample HAProxy configuration file is provided to illustrate the two requirements:
# All sections must run in TCP mode ("mode tcp", the HAProxy default when no
# mode is set) so that the TLS session is passed through without termination.

# Use SNI to send the request to the appropriate backend
frontend public_ssl
  bind :443
  # Wait up to 5s for the ClientHello so that the SNI can be inspected
  tcp-request inspect-delay 5s
  # Accept the connection once a TLS ClientHello (handshake type 1) is seen
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend be_claims if { req.ssl_sni -i claims-turbonomic.apps.acme.com }
  use_backend be_skupper-edge if { req.ssl_sni -i skupper-edge-turbonomic.apps.acme.com }
  use_backend be_skupper-inter-router if { req.ssl_sni -i skupper-inter-router-turbonomic.apps.acme.com }

# TLS passthrough for claims route
backend be_claims
  balance source
  hash-type consistent
  timeout check 5000ms
  server skupper-claims claims-turbonomic.apps.acme.com:443 weight 1 check

# TLS passthrough for skupper-edge route
backend be_skupper-edge
  balance source
  hash-type consistent
  timeout check 5000ms
  server skupper-router skupper-edge-turbonomic.apps.acme.com:443 weight 1 check

# TLS passthrough for skupper-inter-router route
backend be_skupper-inter-router
  balance source
  hash-type consistent
  timeout check 5000ms
  server skupper-inter-router skupper-inter-router-turbonomic.apps.acme.com:443 weight 1 check