About using an HTTP proxy
Trust Protection Platform uses HTTP to communicate with several other systems, including certain certificate authorities, certificate revocation list distribution points, and online certificate status protocol responders. Trust Protection Platform supports communication through one or more HTTP proxies if they are required to access HTTP resources.
An HTTP proxy can be configured at the root of the Platforms tree, where it will apply to all Trust Protection Platform engines, or it can be applied to an individual Trust Protection Platform engine.
- If an HTTP proxy is configured on an individual Trust Protection Platform engine, that setting will override the setting at the root of the Platforms tree.
- If HTTP proxy settings are locked at the root of the Platforms tree, they cannot be overridden on individual Trust Protection Platform engines.
TIP If your organization has multiple proxy servers with different addresses and access to different resources, use partitioning and the proxy settings on individual Trust Protection Platform engines to communicate with specific proxies. At the root of the Platforms tree, configure the proxy that will be used by most of the Trust Protection Platform engines, but do not lock the proxy settings at the root. Configure one or more Trust Protection Platform engines to use a different proxy. Ensure that the CA Template objects that require access to the different proxies are in the portion of the policy tree that is serviced by these Trust Protection Platform engines.
JWT Mappings operate in tandem with the central proxy configurations set at the root of the Platforms tree. See About JWT Mappings.
Use Windows Configured Proxy | Configures Trust Protection Platform to use the Windows default proxy server as configured on the Trust Protection Platform engine. If you select this option, you do not have to configure the Proxy Host, Port, or Credential fields. If this value is set at the root of the Platforms tree, each Trust Protection Platform engine will use the proxy settings configured on its local Windows system.
Host | Fully qualified domain name, Hostname, or IP address of the proxy. Venafi TLS Protect supports both IPv4 and IPv6 connections.
Port | IP Port of the proxy
Credential | Username Credential required to connect to the proxy server. If your proxy server uses domain authentication, make sure the Username Credential object is defined using Domain Name or User Principal Name syntax. To select the Username Credential: Click the Browse button. The Credential Selector dialog appears. Select the Username Credential that stores the username and password required to access the proxy server, and then click Select.
Bypass for Local | Configures Trust Protection Platform to bypass the proxy server for connections to local CAs. Trust Protection Platform uses the following criteria to identify local and external addresses:
For information about configuring an HTTP proxy, see Configuring an HTTP proxy.