dehaasm
Collaborator

Check Point Identity Awareness identity collector agent proxy bypass explicit proxy

Hi All,

I am trying to deploy an Identity Awareness identity collector agent on a server and to bypass the proxy server.

When we try to exclude the agent from the proxy traffic using the following command, it does not work.

netsh winhttp set proxy proxy.company.com:80 "10.0.0.0/8"

Current WinHTTP proxy settings:

Proxy Server(s) : proxy.company.com:80
Bypass List : 10.0.0.0/8

Only when we configure netsh winhttp reset proxy to completely shut down the proxy at the OS level does the agent connect successfully to the gateway.

Is there any supported, documented configuration to exclude only the IA identity collector agent from proxy traffic using netsh?

0 Kudos
8 Replies
Sorin_Gogean
Advisor

Hello,

I don't remember seeing proxy options when I tested the Identity Client (still it was 1 year ago).
Anyway, is the FQDN that you are addressing your client covered by the 10.0.0.0/8? You might try to skip some domain or full FQDN; still, I'm not convinced netsh supports that.

Thank you,

0 Kudos
dehaasm
Collaborator

Hi Sorin,

Yes it is covered with that, only disabling the explicit proxy completely works, hence the reason for the question. If it is not (yet) supported by Check Point I would like to hear that.

0 Kudos
Sorin_Gogean
Advisor

And with that set-up, are you seeing the Client traffic in the proxy logs?
Can you try and do that exception at the user level, at the same time as the machine level?

Could be that the Identity Client is started by user and not machine (just an idea).

Ty,

0 Kudos
dehaasm
Collaborator

Yes with the netsh http proxy reset command we see the logs coming into the gateway and the trust is established.

0 Kudos
Sorin_Gogean
Advisor

No, no, no, I was asking if you are seeing traffic towards the GW from Identity client in the proxy logs. 

Also, you did not tell me anything about whether you have set the proxy on User?

Ty,

PS: according to some, the domains or FQDN can be also in the bypass list... 'could use this format. netsh winhttp set proxy proxy-server="192.168.2.2:8080" bypass-list="*.ourdomain.com;*.yourdomain.com*"'
So give that a try....

0 Kudos
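
A way to check a bypass list like the ones discussed in this thread, as an added example that is not part of any post and is not Check Point or Microsoft code: it parses captured `netsh winhttp show proxy` output and tests a target against each bypass entry. It assumes WinHTTP compares bypass entries as `*` wildcard strings rather than as CIDR ranges; the function name `Test-WinHttpBypass`, the sample output and the gateway address 10.1.2.3 are constructed.

```powershell
# Added example: function name, sample output and gateway address are constructed.
# Assumption: bypass entries are compared as '*' wildcard strings, not as CIDR ranges.
function Test-WinHttpBypass {
    param(
        [Parameter(Mandatory)][string]$ShowProxyOutput,  # text of 'netsh winhttp show proxy'
        [Parameter(Mandatory)][string]$Target            # host name or IP the agent connects to
    )
    # Pull the value of the 'Bypass List' line out of the captured output.
    $m = [regex]::Match($ShowProxyOutput, '(?im)^\s*Bypass List\s*:\s*(.+?)\s*$')
    if (-not $m.Success -or $m.Groups[1].Value -eq '(none)') { return }

    $entries = $m.Groups[1].Value -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        # Translate the entry to a regex in which only '*' is a wildcard.
        $pattern = '^' + [regex]::Escape($entry).Replace('\*', '.*') + '$'
        [pscustomobject]@{
            Entry     = $entry
            LooksCidr = $entry -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$'
            Matches   = $Target -match $pattern
        }
    }
}

# Constructed sample in the layout netsh prints, using the values from the first post.
$sample = @'
Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.company.com:80
    Bypass List     :  10.0.0.0/8
'@

# Bypass list as configured in the first post.
Test-WinHttpBypass -ShowProxyOutput $sample -Target '10.1.2.3'

# Same output with a wildcard-style list in the format quoted in the reply above.
$wildcard = $sample -replace '10\.0\.0\.0/8', '10.*;*.company.com'
Test-WinHttpBypass -ShowProxyOutput $wildcard -Target '10.1.2.3'
```

On the server itself, pass `(netsh winhttp show proxy | Out-String)` as `-ShowProxyOutput` and the gateway's address or FQDN as `-Target`; an entry with `LooksCidr` true and `Matches` false is the case to look at first.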
PhoneBoy
Admin

@Royi_Priov can you have someone on your team comment on this?

0 Kudos
dehaasm
Collaborator

No answer internally. Is it supported to have an explicit proxy with the IA agent installed?

0 Kudos
PhoneBoy
Admin

I tagged the wrong person.
@Liel_Shaish can you or someone on the team comment on this?

I would also ask the TAC if you haven't already.

0 Kudos
