Forward Proxy Support

The Linux Agent supports configuration that enables the Agent to connect to the F5 Distributed Cloud App Infrastructure Protection (AIP) backend via a forward proxy.

Forward Proxy at Registration

To configure forward proxy support at the time of Agent registration, provide the forward proxy address in the tsagent setup command. For example:

tsagent setup --proxy=my-proxy --deploy-key=MyDeployKey

Once specified, the authentication request to the Distributed Cloud AIP backend proxies through the specified proxy URL. For this request, the proxy only needs to support a single HTTP/1.1 request.

Forward Proxy at Startup

Once the Agent registers and starts, it uses the registration response data to authenticate to the Distributed Cloud AIP backend. If you find that event data is not reaching the Distributed Cloud AIP platform, you may also need to connect to the backend. This is more common in older Agents.

In order to configure the Agent to connect to the Distributed Cloud AIP backend through a forward proxy, you must set the backend.proxy configuration value to the URL of a forward proxy. To do this, run a command similar to the following:

tsagent config --set backend.proxy 'https://my.forward.proxy'
tsagent config --get backend.proxy

Once that configuration is set, the Agent connects to the backend using the specified forward proxy. For this request, the forward proxy itself must be able to support proxying websocket connections as well as standard HTTP/1.1 CONNECT requests.


If you experience issues getting event data from a host into the Distributed Cloud AIP backend while using a forward proxy, ensure that the forward proxy supports the websocket protocol as specified in RFC6455. Certain forward proxies do not support the websocket connection upgrade, which can result in dead Agent connections and ultimately prevent event data from reaching the Distributed Cloud AIP backend.

Was this article helpful?
0 out of 0 found this helpful