A proxy server is an intermediary “message-forwarding agent” selected by a client through its local configuration for outbound HTTPS requests for security or shared caching. Add a proxy server configuration in HCX Manager to send HTTPS requests to a proxy server in the environment.

Outbound Proxy Server connections for HCX sites activated in Connected Mode or Local Mode.

When configuring a proxy server, refer to the following considerations and best practices:

  • HCX Manager systems make various HTTPS requests during normal operation. For outbound connections, these requests can vary based on the HCX Manager activation mode: Connected Mode or Local Mode/Evaluation Mode. See Activating New HCX Systems.
    Outbound Connections (Connected Mode):
    • HCX Manager to connect.hcx.vmware.com (for activation /entitlement)
    • HCX Manager to hybridity-depot.vmware.com (for updates/downloads)
    • HCX Manager to Remote HCX Manager (for site pairing)
    Outbound Connections (Local Mode):
    • HCX Manager to vcsa.vmware.com (for sites participating in the HCX Customer Experience Improvement Program [CEIP])
    • HCX Manager to Remote HCX Manager (for site pairing)
    Local Connections:
    • HCX Manager to Registered vCenter Server
    • HCX Manager to Registered vCenter Server’s ESXi Hosts
    • HCX Manager to Registered NSX Manager system
    • HCX Manager to Migration and Network Extension Service Mesh appliances deployed by this HCX Manager
  • A proxy server is usually intended to handle internet-bound connections from internal systems (to endpoints that resolve to public IP addresses).
  • Use the Proxy Server field to enable proxy operation.
  • For HCX to function correctly when a proxy server is configured, local connections must be explicitly excluded from proxy operation. Use the Proxy Exclusions field.
  • The destination HCX Manager for site pairing must be configured with the Local Connection when the IP address is internally reachable without traversing the proxy.
  • Use the Proxy Exclusions field for broad or granular configurations.

    A simple way to restrict Local Connections is to enter one large subnet that includes all internal IP address space for the data center in the Proxy Exclusions field. Alternatively, restrict Local Connections by specifying granular subnets in the Proxy Exclusions field.

  • Kerberos and Windows NTLM Proxy Servers are not supported.
Important: Configuring a proxy server without the local exclusions typically results in migration failures and errors during HCX operation. See VMware KB 89180.
Note: HCX Service Mesh does not support proxy server configuration.

Procedure

  1. Log in to the management interface: https://hcx-ip-or-fqdn:9443.
  2. Navigate to the Administration tab, and select Proxy.
  3. Enter or edit the proxy server settings:
    1. Proxy Server IP address or FQDN.
    2. Proxy Server Port.
    3. Proxy Server User.
    4. Proxy Server Password.
    5. Proxy Exclusions.

      Using a comma separated list to define all related proxy server exclusions, enter any IP, subnet, host, and/or domain names. Use * for wildcard values and do not include complete URLs (no https://).

  4. To verify the configuration, click Test Connection and enter the test URL.
  5. Click Save.
  6. Restart the HCX Manager services.

    Restarting HCX Manager services is required for the proxy exclusions to take effect. For more information, see Monitoring HCX Services from the Appliance Management Interface.