For vRealize Automation installations on isolated networks with no direct Internet access, you can use an Internet proxy server to allow Internet by proxy functionality. The Internet proxy server supports HTTP and HTTPS.
To configure and use public cloud providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) as well as external integration points such as IPAM, Ansible, and Puppet, with vRealize Automation, you must configure an Internet proxy server to access the internal vRealize Automation Internet proxy server.
vRealize Automation contains an internal proxy server that communicates with your Internet proxy server, provided that it has been configured with the vracli proxy set ... command. If you have not configured an Internet proxy server for your organization, the vRealize Automation internal proxy server attempts to connect directly to the Internet.
You can set up vRealize Automation to use an Internet proxy server by using the supplied vracli command line utility. Information about how to use the vracli API is available by using the --help argument in the vracli command line, for example vracli proxy --help.
Access to the Internet proxy server requires use of the actions-based extensibility (ABX) On-Prem Embedded controls that are built into vRealize Automation.
Access to Workspace ONE Access (previously named VMware Identity Manager) is not supported by way of the Internet proxy. You cannot use the vracli set vidm command to access Workspace ONE Access through the Internet proxy server.
The internal proxy server requires IPv4 as its default IP format. It doesn't require Internet protocol restrictions, authentication or man-in-the-middle actions on TLS (HTTPS) certificate traffic.
Prerequisites
- Verify that you have an existing HTTP or HTTPS server in the vRealize Automation network that you can use as the Internet proxy server and that is able to pass outgoing traffic to external sites. The connection must be configured for IPv4.
- Verify that the target Internet proxy server is configured to support IPv4 as its default IP format and not IPv6.
- If the Internet proxy server uses TLS and requires an HTTPS connection with its clients, you must import the server certificate by using one of the following commands before setting the proxy configuration:
vracli certificate proxy --set path_to_proxy_certificate.pem
vracli certificate proxy --set stdin
Use the stdin parameter for interactive input.
Procedure
Example: Sample Squid configuration
Relative to step 1, if you are setting up a Squid proxy, you can tune your configuration in /etc/squid/squid.conf by adapting it to the following sample:
acl localnet src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localnet
http_port 0.0.0.0:3128
maximum_object_size 5 GB
cache_dir ufs /var/spool/squid 20000 16 256
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern (Release|Packages(.gz)*)$ 0 20% 2880
refresh_pattern . 0 20% 4320
client_persistent_connections on
server_persistent_connections on
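Squid evaluates http_access lines top to bottom, the first matching line wins, and a request that matches no line receives the opposite of the last line's action. The sample above writes its two port rules as allow rules on negated ACLs (!Safe_ports, !SSL_ports) and has no terminating deny all, whereas Squid's stock squid.conf writes those two lines as deny rules followed by http_access deny all. The following Python check is an added example, not VMware's or Squid's code: it embeds the access-control directives of the sample (constructed from the listing above) next to a constructed stock-style variant, applies the rule semantics just described, and reports the permissive patterns. The function names and the two embedded configurations are assumptions for this illustration.

```python
"""Lint the http_access policy of a Squid squid.conf.

Added example (not VMware's or Squid's code). It applies Squid's documented
rule semantics: 'acl' lines define named matchers, 'http_access' lines are
checked top to bottom, the first match wins, and a request that matches no
line receives the OPPOSITE of the last line's action.
"""

# Constructed input: the access-control directives from the sample above.
SAMPLE_CONF = """
acl localnet src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT
http_access allow !Safe_ports
http_access allow CONNECT !SSL_ports
http_access allow localnet
http_port 0.0.0.0:3128
"""

# Constructed input: the same ACLs arranged the way Squid's stock squid.conf does it.
HARDENED_CONF = """
acl localnet src 192.168.11.0/24
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access deny all
http_port 0.0.0.0:3128
"""


def parse_access_policy(conf):
    """Return (acls, rules).

    acls maps an ACL name to its type ('src', 'port', 'method', ...).
    rules is the ordered list of http_access lines as (action, terms), where
    terms is a list of (negated, acl_name). Comments and blank lines are dropped.
    """
    acls, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 3:
            acls.setdefault(parts[1], parts[2])
        elif parts[0] == "http_access" and len(parts) >= 3:
            terms = [(t.startswith("!"), t.lstrip("!")) for t in parts[2:]]
            rules.append((parts[1], terms))
    return acls, rules


def lint_access_policy(conf):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    acls, rules = parse_access_policy(conf)
    for idx, (action, terms) in enumerate(rules, 1):
        for negated, name in terms:
            if name != "all" and name not in acls:  # 'all' is a Squid built-in ACL
                findings.append(f"rule {idx}: references undefined acl '{name}'")
        if action == "allow":
            negated_ports = [n for neg, n in terms if neg and acls.get(n) == "port"]
            restricts_src = any(acls.get(n) == "src" and not neg for neg, n in terms)
            # 'allow !Safe_ports' admits any client to every port NOT in the list;
            # the stock squid.conf writes these port rules as 'deny'.
            if negated_ports and not restricts_src:
                findings.append(
                    f"rule {idx}: 'allow' on negated port acl(s) {negated_ports} "
                    "without a source restriction; the stock config uses 'deny' here"
                )
    if rules:
        last_action, last_terms = rules[-1]
        if not (last_action == "deny" and last_terms == [(False, "all")]):
            implicit = "denied" if last_action == "allow" else "allowed"
            findings.append(
                "no terminating 'http_access deny all'; requests matching no rule "
                f"are implicitly {implicit} (the opposite of the last rule)"
            )
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for finding in lint_access_policy(conf) or ["no findings"]:
            print("  -", finding)
```

Run against the sample, the check reports the two allow rules on negated port ACLs and the missing final deny all; run against the stock-style variant it reports nothing. Because the sample binds http_port to 0.0.0.0:3128, the localnet source ACL is the only thing limiting who can use the proxy, which is why the ordering and action of the rules ahead of it matter.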