Configuring for Proxy Servers

FlexNet Manager Suite 2019 R2 (On-Premises Edition)
When an inventory beacon must access the Internet in order to reach the central application server, it is common to protect the communications channel using a proxy server. Proxy support in FlexNet Beacon has the following limitations:
  • Authenticating proxies that require a user name and password are not supported. FlexNet Beacon supports proxies with anonymous authentication.
  • Use of a proxy auto-configuration (PAC) script is not supported. This may require modifications to the Microsoft Internet Explorer settings on the inventory beacon, as explained in the process below.
Typical implementations may have a single proxy server between an inventory beacon and the Internet. However, very large implementations may have split the central application server across three (or more) distinct machines, which may therefore provide separate end-points for communications from an inventory beacon. In theory, separate proxy servers could mediate communications with each of these distinct end-points. There is also a choice between the HTTP and HTTPS protocols. For these reasons, many different proxy settings are possible. Even if you have just one proxy server for an inventory beacon, you must still configure several of the settings, as explained in this process, even though they may all have a common value.

This process must be completed on the inventory beacon.

To configure communications through a proxy server:

  1. Using regedit on the inventory beacon, configure the following registry settings (for additional details, see Registry Keys for Inventory Beacon).
    Choose either of the following settings to match the protocol configured for your inventory server (or application server for a single-server implementation). You must set exactly one, and ensure the other is not set:
    • For HTTPS: [Registry]\Common\https_proxy = https://proxyServerURL:portNumber
    • For HTTP: [Registry]\Common\http_proxy = http://proxyServerURL:portNumber
    Next, set the following two values, in each case using the protocol (http or https) appropriate to your environment:
    • [Registry]\Common\DownloadSettings\ReplicatorParent\Proxy = https://proxyServerURL:portNumber
    • [Registry]\Common\UploadSettings\ReplicatorParent\Proxy = https://proxyServerURL:portNumber
    Finally, the package retriever and Launcher use the following setting to collect adoption and upgrade packages from the inventory server (or application server in a single server implementation). Again, observing the choice of protocol, set exactly one of these two, and omit the other:
    • For HTTPS: [Registry]\Launcher\CurrentVersion\https_proxy = http://proxyServerURL:portNumber
      Important: This is not a typographical error. The HTTPS proxy for the Launcher must be specified with the leading protocol value of http://.
    • For HTTP: [Registry]\Launcher\CurrentVersion\http_proxy = http://proxyServerURL:portNumber
  2. Identify (and if necessary create) a named account that will run batch processes on the inventory beacon.
    The account must have the following rights on the inventory beacon server:
    • Local administrator rights — Required for operation of the FlexNet Beacon software
    • Logon interactively — Required to log on and run Microsoft Internet Explorer to configure the proxy (and thereafter, this right may be removed if required)
    • Logon as a service — Required for running the FlexNet Beacon engine as a service
    • Logon as a batch job — Required for running scheduled tasks.
    You can check Microsoft Service Manager on the inventory beacon to see which account is running the FlexNet Beacon engine service. By default, the FlexNet Beacon engine is configured to run as local SYSTEM user. (If you are creating a different account, be aware that an upgrade to FlexNet Beacon may reset the account to local SYSTEM, and you may need to reset the account as part of the upgrade process.)
  3. Log in as the named account, and run Internet Explorer:
    1. In Internet Explorer, navigate to Tools > Internet Options.
    2. In the Internet Options dialog, select the Connections tab.
    3. Click LAN settings.
    4. In the Local Area Network (LAN) Settings dialog:
      • Leave the default selected setting for the Automatically detect settings check box.
      • Ensure that the Use automatic configuration script check box is cleared (this option is not supported for inventory beacon communications).
      • In the Proxy server section, select the Use a proxy server for your LAN check box.
      • Click Advanced, and complete the further required details in the Proxy Settings dialog.
    5. Click OK enough times to close all the dialogs.
      These settings in Internet Explorer are used for communications to the batch server end point (or, on smaller implementations, to the processing server or application server).
  4. Only if FlexNet Beacon stalls while checking certificates on HTTPS transmissions, you may wish to add [Registry]\Common\CheckCertificateRevocation and set it to false.
    When transferring data between an inventory beacon and the application server using the HTTPS protocol, a web server certificate is applied to the data being transferred. When receiving web server certificates from servers, the appropriate agent checks the CA (certification authority) server to ensure that the certificates are not on the CRL (certificate revocation list). If an agent cannot check the CRL (for example, the CA server is firewalled and cannot be contacted, or a proxy server prevents access), the system can stall. To avoid this stalling, you can add the Common\CheckCertificateRevocation preference and set it to False to prevent code agents from performing the CRL check.
    Important: From a security perspective, it is not good practice to disable the CRL check, since this means you can no longer tell when a certificate has been revoked (which happens after the authority recognizes that a server should no longer be trusted, or when a private key is believed to be compromised). It is far preferable that you instead resolve the issues that are preventing access to the CA server for the CRL check.
  5. Configure the following to run under your chosen named account:
    • FlexNet Beacon Engine service
    • Upload third party inventory data scheduled task
    • Upload Flexera logs and inventories scheduled task.
  6. Restart the FlexNet Beacon Engine service.
  7. In the web interface for FlexNet Manager Suite, navigate to Discovery & Inventory > Settings, and in the Beacon settings section, ensure that the Beacon version approved for use control is not showing Always use the latest version (currently release-number).
    An automatic upgrade that happens as soon as a new version of the inventory beacon is available would result in the named account used for the service and scheduled tasks described above being removed in an uncontrolled manner. When you do decide to allow an upgrade to inventory beacons, check the service and tasks noted above and restore their configurations to run using the named account.
When both the proxy server and the inventory beacon have been configured as described above, communications between FlexNet Beacon and the central application server operate as normal, allowing for downloads of rules and update packages for installed FlexNet inventory agents, and uploads of gathered inventory files.
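
The rules in steps 1 and 4 can be checked mechanically after configuration. The following audit is an added example, not Flexera code: it assumes the values have been exported into a mapping keyed by the names shown above relative to [Registry], and the audit function and host names are hypothetical.

```python
from urllib.parse import urlsplit

# Value name relative to the page's [Registry] root -> schemes allowed in its value.
SCHEMES = {
    r"Common\https_proxy": ("https",),
    r"Common\http_proxy": ("http",),
    r"Common\DownloadSettings\ReplicatorParent\Proxy": ("http", "https"),
    r"Common\UploadSettings\ReplicatorParent\Proxy": ("http", "https"),
    r"Launcher\CurrentVersion\https_proxy": ("http",),  # http:// is intentional here
    r"Launcher\CurrentVersion\http_proxy": ("http",),
}
# Exactly one value of each pair may be set.
PAIRS = [(r"Common\https_proxy", r"Common\http_proxy"),
         (r"Launcher\CurrentVersion\https_proxy", r"Launcher\CurrentVersion\http_proxy")]
REQUIRED = [k for k in SCHEMES if k.endswith(r"ReplicatorParent\Proxy")]
CRL = r"Common\CheckCertificateRevocation"


def audit(settings):
    """Return a list of findings for a {relative value name: string} mapping."""
    s = {k: v.strip() for k, v in settings.items() if v and v.strip()}
    findings = [f"set exactly one of {a} / {b}" for a, b in PAIRS if (a in s) == (b in s)]
    findings += [f"{k}: not set" for k in REQUIRED if k not in s]
    for key in (k for k in SCHEMES if k in s):
        try:
            url = urlsplit(s[key])
            host, port = url.hostname, url.port  # .port raises on a non-numeric port
        except ValueError:
            findings.append(f"{key}: malformed URL")
            continue
        if url.scheme not in SCHEMES[key]:
            findings.append(f"{key}: scheme must be {' or '.join(SCHEMES[key])}")
        if not host or port is None:
            findings.append(f"{key}: expected host and explicit port")
        if url.username or url.password:
            findings.append(f"{key}: embedded credentials (authenticating proxies unsupported)")
    if s.get(CRL, "").lower() == "false":
        findings.append(f"{CRL}: CRL checking disabled")
    return findings


# Constructed sample (hypothetical host names): an HTTPS deployment with five mistakes.
SAMPLE = {
    r"Common\https_proxy": "https://proxy.example.test:8443",
    r"Common\http_proxy": "http://proxy.example.test:8080",  # both of the pair set
    r"Common\UploadSettings\ReplicatorParent\Proxy": "https://svc:pw@proxy.example.test:8443",
    r"Launcher\CurrentVersion\https_proxy": "https://proxy.example.test:8443",
    r"Common\CheckCertificateRevocation": "false",
}
```

An empty result from audit means the exported values satisfy the rules on this page; it does not confirm that the proxy itself is reachable.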