Implicit/transparent and HTTP MITM (man-in-the-middle) proxies are not supported by SSP.
Article ID: 409144
Updated On:
Products
VMware vDefend Firewall
VMware vDefend Firewall with Advanced Threat Prevention
Issue/Introduction
A MITM (man-in-the-middle) proxy is a proxy that performs an analysis of the SSL/TLS connection by decrypting and inspecting the encrypted contents. In case a customer uses an implicit/transparent MITM proxy or an HTTP MITM proxy, SSP verticals that rely on connectivity to the cloud, such as Malware Prevention, will fail installation and won't be able to work successfully if already installed.
- Installation of features that rely on connectivity to the cloud will fail because they cannot connect to the cloud. For example the Malware Prevention setup will fail and throws below error message:
enable malware prevention it fails with error "Unable to get cloud regions: Fetching available cloud regions from nsx.lastline.com failed"
- In the cluster-api pod logs you can see errors such as:
\"level\":\"ERROR\",\"prefix\":\"-\",\"file\":\"cloud.go\",\"line\":\"87\",\"message\":\"Fetching cloud regions from nsx.lastline.com failed: Get \\\"https://nsx.lastline.com/nsx/cloud-connector/api/v1/papi/accounting/nsx/get_cloud_regions.json\\\": tls: failed to verify certificate: x509: certificate signed by unknown authority\"}"
Environment
SSP 5.0
SSP 5.1
Cause
SSP components do not trust the certificate of the implicit/transparent MITM (man-in-the-middle) Proxy or the HTTP MITM Proxy.
Resolution
Customer needs to configure the proxy to bypass the MITM (man-in-the-middle) functionality for selected domains:
- nsx.lastline.com: this bypass can be temporary for just the feature setup process.
- depending on the cloud region selected during setup:
(a) "nsx.west.us.lastline.com" for the "United States 1" cloud region
(b) "nsx.nl.emea.lastline.com" for the "European Union 1" cloud region - api.prod.nsxti.vmware.com
Feedback
Yes
No
Powered by
