How to configure Proxy Settings for vCenter Server

Article ID: 370265

Products

VMware vCenter Server

Issue/Introduction

This article describes how to configure proxy settings for vCenter Server to allow communication through a proxy server. These settings are also normally inherited by Workload Management.

Environment

vCenter Server 7.0.x

vCenter Server 8.0.x

Resolution

There are two options to configure a proxy for the vCenter Server Appliance. Either use the VAMI user interface, available on https://<vcenter_fqdn>:5480, or manually edit the proxy configuration file /etc/sysconfig/proxy.

Note: Not all possible configuration settings are exposed via the VAMI UI. While the graphical interface allows setting dedicated URLs for HTTP, HTTPS and FTP traffic, there is no way to exclude traffic to specific systems so that it is routed directly, as there is no access to the required NO_PROXY option.

In addition, when configuring proxy settings, it is essential to set both the HTTP_PROXY and HTTPS_PROXY variables to the same proxy URL. These environment variables ensure that both HTTP and HTTPS traffic are correctly forwarded through the proxy server.

Proxy configuration is case-sensitive. Ensure the hostname of the proxy server is entered correctly using its FQDN (proxy.example.com), or use the server's IP address instead.

The UI may not properly reflect proxy status. Use curl to test the proxy settings:

vcsa# curl -v https://dl.broadcom.com:443

Note: The SSH session must be restarted to pick up any proxy configuration changes.

Option 1 - setting proxy URLs using the VAMI GUI:

  1. Open the VAMI URL https://<vcenter_fqdn>:5480 in a web browser and log in using either the root account or the default administrator (administrator@<sso-domain>).
  2. Open the Networking page and click the [EDIT] button for the proxy settings.
  3. Select the type of traffic to configure the proxy for.
  4. Provide the proxy URL and port, as well as the user credentials if the proxy requires authentication, then click [SAVE].
  5. Reboot the VCSA VM or restart the services with the command:
    # service-control --stop --all && service-control --start --all

Option 2 - setting the proxy by manually editing the proxy configuration file /etc/sysconfig/proxy

  1. Open an SSH connection to the vCenter Server Appliance and log in as root.
  2. Navigate to the directory that contains /etc/sysconfig/proxy:
    # cd /etc/sysconfig
  3. Create a backup copy of the proxy configuration file (aptly named proxy):
    # cp proxy proxy.bak
  4. Open the proxy configuration file using the vi editor:
    # vi proxy
  5. To enable proxy usage, find the line starting with PROXY_ENABLED and set it to "yes" (use lower case):

PROXY_ENABLED="yes"

  6. To set the proxy for HTTP and HTTPS traffic, find the lines starting with HTTP_PROXY and HTTPS_PROXY and edit them. Keep in mind that this does not define Again, if the proxy is using the same port for both HTTP and HTTPS, be sure to use the same http:// URL for both:

# Example: HTTP_PROXY="http://example.com:3128/"
HTTP_PROXY="http://proxy.example.com:8080"

# Example: HTTPS_PROXY="https://example.com:3128/"
HTTPS_PROXY="https://proxy.example.com:8443"

Depending on its configuration, the proxy might use the same port to accept both HTTP and HTTPS traffic. If this is the case, you will need to use the exact same URL for HTTPS_PROXY as is set for HTTP_PROXY, including the protocol, so both should be set as http://... as in the following example:

# Example: HTTP_PROXY="http://example.com:3128/"
HTTP_PROXY="http://proxy.example.com:8080"

# Example: HTTPS_PROXY="https://example.com:3128/"
HTTPS_PROXY="http://proxy.example.com:8080"

  7. To exclude traffic to specific systems from being routed via the proxy, edit the NO_PROXY option to include both the FQDN and the IP address of the system. Be aware that NO_PROXY requires a specific syntax: separate entries with a comma (,), without spaces between entries:

# Example: NO_PROXY="www.example.com,example.com,localhost"
NO_PROXY="localhost,127.0.0.1,vc.example.com,<ip-address>"

Alternatively, domains or CIDR notation (e.g. 192.168.0.0/24) can be used, for example to exclude the traffic for the complete local AD domain or subnet. Please note that this requires vCenter 7.0 U1c or later. The entries need to look like this:

# Example: NO_PROXY="www.example.com, example.com, localhost"
NO_PROXY="localhost,127.0.0.1,example.com,<CIDR range>/24,<ip-address>"

In this case, for example.com, any URLs ending in example.com will not go through the proxy, including www.example.com and example.com.

  8. Reboot the VCSA VM or restart the services with the command:
    # service-control --stop --all && service-control --start --all

In both cases, either when using the VAMI UI or when editing the proxy configuration file by hand, the format to be used for entries in NO_PROXY is determined by libcurl:

The string consists of a comma separated list of hostnames that do not require a proxy to get reached, even if one is specified. The only wildcard available is a single * character, which matches all hosts, and effectively disables the proxy. Each name in this list is matched as either a domain which contains the hostname, or the hostname itself. For example, "ample.com" would match ample.com, ample.com:80, and www.ample.com, but not www.example.com or ample.com.org. IP addresses specified to this option can be provided using CIDR notation: an appended slash and number specifies the number of "network bits" out of the address to use in the comparison. For example "192.168.0.0/16" would match all addresses starting with "192.168".

Regex is not supported.
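
To check a NO_PROXY value before writing it to /etc/sysconfig/proxy, the following added example (not part of the original article and not libcurl's own code) lints the syntax and models the matching rules quoted above. The function names and the sample value are assumptions made for illustration; actual libcurl behaviour may differ between versions.

```python
import ipaddress

# Constructed sample value in the article's format (not taken from a real system).
SAMPLE_NO_PROXY = "localhost,127.0.0.1,example.com,192.168.0.0/24"

def lint_no_proxy(value):
    """Return syntax problems in a NO_PROXY value, per the rules in this article."""
    problems = []
    if " " in value:
        problems.append("contains spaces; separate entries with commas only")
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            problems.append("empty entry")
        elif value != "*" and any(c in entry for c in "*?^$|()\\"):
            problems.append(f"{entry!r}: only a lone * is a wildcard, regex is not supported")
    return problems

def bypasses_proxy(host, no_proxy):
    """True if host (a name or IP literal, without port) matches a NO_PROXY entry."""
    if no_proxy.strip() == "*":
        return True  # a single * matches all hosts and disables the proxy
    host = host.lower().rstrip(".")
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None  # host is a name, not an IP literal
    for entry in (e.strip().lower() for e in no_proxy.split(",")):
        if not entry:
            continue
        if host_ip is not None:
            try:  # a plain IP entry is treated as a /32 (or /128) network
                if host_ip in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # entry is a hostname; it cannot match an IP literal
            continue
        # Names match exactly or as a parent domain on a label boundary.
        entry = entry.lstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False

if __name__ == "__main__":
    print(lint_no_proxy("www.example.com, example.com, localhost"))
    for h in ("vc.example.com", "192.168.0.17", "192.168.1.17", "dl.broadcom.com"):
        print(h, "direct" if bypasses_proxy(h, SAMPLE_NO_PROXY) else "via proxy")
```

A host reported as "via proxy" that should be reached directly, such as an ESXi host or another vCenter, indicates a missing NO_PROXY entry or a CIDR range that is too narrow.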