vSAN Support Insight reports "Failed to connect VMware's Analytics Cloud" due to NTLM Proxy Authentication
Article ID: 441690
Products

VMware vSAN VMware vCenter Server

Issue/Introduction

In the vSphere Client, vSAN Skyline Health displays a warning: vSAN Support Insight - Issue with internet connectivity. The health check details report: "Failed to connect VMware's Analytics Cloud".

In the vCenter Server Appliance log file /var/log/vmware/vsan-health/vmware-vsan-health-service.log, an error similar to the following is observed:


INFO vsan-mgmt 1254### [vc@#### tid="#######" func="VsanCloudHealthUtil::checkNetworkConnection"] Internet is not connected. Reason:  <urlopen error Tunnel connection failed: 407 authenticationrequired>


When testing connectivity from the vCenter command line using:

curl -kvv -u 'proxyuser:proxypassword' -x "http://proxyserver.local.lan:proxy-port" "https://vcsa.vmware.com"

the verbose output shows a 407 response where NTLM is advertised alongside Basic authentication:

< Proxy-Authenticate: NTLM
< Proxy-Authenticate: Basic realm="<web gateway advertisement string>"
* Basic authentication problem, ignoring.
* CONNECT tunnel failed, response 407

Environment

vCenter Server Appliance 8.x

vCenter Server Appliance 9.x

Cause

The vCenter Server Appliance (VCSA) is a Linux-based (Photon OS) appliance and does not support NTLM proxy authentication for cloud-based telemetry services.

When a proxy server advertises both NTLM and Basic authentication, the client (curl, or the Python urllib call seen in the log) typically selects the most secure scheme offered (NTLM). Because the VCSA lacks the Windows-specific SSPI/session tokens required for the NTLM cryptographic challenge, the handshake fails. Having committed to NTLM, the client ignores the "Basic" header, so the CONNECT tunnel is dropped and the 407 authenticationrequired error is logged.

Key Technical Constraints:

  - NTLM is a proprietary Microsoft protocol that is officially deprecated.
  - Photon OS-based appliances (including vCenter and Aria Operations for Networks) primarily support Basic Authentication or unauthenticated web proxies for outbound cloud communication.

Resolution

Configure the proxy server to allow the vCenter Server Appliance to use Basic Authentication or bypass authentication for VMware endpoints.

  1. Restrict Proxy Advertisement: Modify the proxy policy for the VCSA source IP so that it only offers Basic Authentication. Removing NTLM from the handshake offer for this specific client will allow the VCSA to successfully negotiate the connection.


  2. Exempt VMware Endpoints: Add the following destinations to the proxy's "Allow List" to permit unauthenticated traffic:

    https://vcsa.vmware.com:443
    http://www.vmware.com:80

  3. Verify Configuration: After modifying the proxy settings, run the following command from the VCSA to confirm the tunnel is established (the response should no longer be a 407): curl -v https://vcsa.vmware.com:443/ph/api/
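The negotiation failure in the Cause section and the verification in step 3 can both be checked with a small preflight script. The following is an added example, not part of this KB or any VMware tool: it sends one unauthenticated CONNECT to the proxy exactly as the VCSA would, parses every Proxy-Authenticate header in the reply, and reports whether a Basic-only client can proceed. The sample responses embedded at the top are constructed from the curl output shown above; the proxy host, port and the helper names are assumptions for illustration.

```python
"""Proxy preflight for a Basic-only (Photon OS) client.

Classifies a proxy's reply to CONNECT the way the VCSA experiences it:
a 407 offering NTLM next to Basic is the failure mode described in this KB.
"""
import socket

# Constructed samples modelled on the curl output in the article (not real captures).
SAMPLE_407_NTLM_AND_BASIC = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    'Proxy-Authenticate: Basic realm="web gateway"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_407_BASIC_ONLY = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    'Proxy-Authenticate: Basic realm="web gateway"\r\n'
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_200_ESTABLISHED = "HTTP/1.1 200 Connection established\r\n\r\n"

# The only proxy-auth scheme the appliance can complete, per the KB.
USABLE_SCHEMES = {"basic"}


def parse_response_head(raw):
    """Return (status_code, [(header_name_lower, value), ...]) from a raw HTTP head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return status, headers


def offered_schemes(headers):
    """Scheme tokens from every Proxy-Authenticate header, in advertised order."""
    schemes = []
    for name, value in headers:
        if name == "proxy-authenticate":
            # The scheme is the first token; parameters such as realm= follow it.
            schemes.append(value.split(None, 1)[0].lower())
    return schemes


def assess_connect_response(raw):
    """Classify the proxy reply from the viewpoint of a client limited to Basic auth."""
    status, headers = parse_response_head(raw)
    if status == 200:
        return "ok", "tunnel established without proxy authentication"
    if status != 407:
        return "other", "unexpected status %d" % status
    schemes = offered_schemes(headers)
    if "ntlm" in schemes and USABLE_SCHEMES & set(schemes):
        # Exactly the KB symptom: the client commits to NTLM and ignores Basic.
        return "misconfigured", "NTLM advertised alongside Basic; restrict the policy to Basic"
    if USABLE_SCHEMES & set(schemes):
        return "ok", "proxy offers Basic only; the appliance can authenticate"
    return "unsupported", "no usable scheme offered: %s" % (schemes or "none")


def connect_preflight(proxy_host, proxy_port, target="vcsa.vmware.com:443", timeout=5):
    """Live check: send one unauthenticated CONNECT and classify the reply."""
    request = ("CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (target, target)).encode()
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return assess_connect_response(buf.decode("iso-8859-1", errors="replace"))


if __name__ == "__main__":
    # Assumed proxy address for illustration; replace with the site's proxy.
    verdict, detail = connect_preflight("proxyserver.local.lan", 3128)
    print("%s: %s" % (verdict, detail))
```

Run it from the VCSA shell before and after changing the proxy policy: a "misconfigured" verdict reproduces the symptom in the health log, and an "ok" verdict means step 3's curl check should now succeed.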

Additional Information

Aria Operations for Networks: Configuring Web Proxies: https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations-for-networks/6-10/vrealize-network-insight-ug-4-1-and-later-6-10/configuration/configuing-web-proxies.html

Platform Automation Toolkit: Configuring Proxy Authentication: https://techdocs.broadcom.com/us/en/vmware-tanzu/platform/platform-automation-toolkit-for-tanzu/5-5/vmware-automation-toolkit/docs-how-to-guides-configuring-proxy-authentication.html