Configuring for Proxy Servers

When an inventory beacon must access the Internet in order to reach the central application server, it is common to protect the communications channel using a proxy server. Proxy support in FlexNet Beacon has the following limitation:

Use of a proxy auto-configuration (PAC) script is not supported. This may require modifications to the Microsoft Internet Explorer settings on the inventory beacon, as explained in the process below.

A typical implementation has a single proxy server between an inventory beacon and the Internet. However, very large implementations may have implemented the central application server as three (or more) distinct machines, each of which may provide a separate end-point for communications from an inventory beacon. In theory, separate proxy servers could mediate communications with each of these distinct end-points. There is also a choice between the HTTP protocol and the HTTPS protocol. For these reasons, many different settings are possible for proxy servers. Even if you have just one proxy server for an inventory beacon, you must still configure several of the settings, as explained in this process, although they may all have a common value.

This process must be completed on the inventory beacon.

To configure communications through a proxy server:

1. Configure the proxy connection in the FlexNet Beacon software.
a. Go to the Parent Connection tab.
b. In the Configure inventory beacon connection section, select Enter proxy details. The Proxy connection dialog displays.
c. In the Proxy connection dialog, select Enable proxy connection, enter the value for the proxy server URL, and choose either Anonymous Authentication or Basic Authentication. If you choose Basic Authentication, enter the User Name and Password for the proxy server.

Important: The proxy server URL must be specified with the leading protocol value of http://.

d. To test the connection, select Test Connection. You will see messages indicating whether the connection is successful.
e. Select OK to save the proxy settings or Cancel to cancel the changes.
2. Identify (and if necessary create) a named account that will run batch processes on the inventory beacon.

The account must have the following rights on the inventory beacon server:

Local administrator rights—Required for operation of the FlexNet Beacon software
Logon interactively—Required to log on and run Microsoft Internet Explorer to configure the proxy (and thereafter, this right may be removed if required)
Logon as a service—Required for running the FlexNet Beacon engine as a service
Logon as a batch job—Required for running scheduled tasks.

You can check Microsoft Service Manager on the inventory beacon to see which account is running the FlexNet Beacon engine service. By default, the FlexNet Beacon engine is configured to run as the local SYSTEM user. (If you are creating a different account, be aware that an upgrade to FlexNet Beacon may reset the account to local SYSTEM, and you may need to reset the account as part of the upgrade process.)

3. Log in as the named account, and run Internet Explorer:
a. In Internet Explorer, navigate to Tools > Internet Options.
b. In the Internet Options dialog, select the Connections tab.
c. Click LAN settings.
d. In the Local Area Network (LAN) Settings dialog:
Leave the default selected setting for the Automatically detect settings check box.
Ensure that the Use automatic configuration script check box is cleared (this option is not supported for inventory beacon communications).
In the Proxy server section, select the Use a proxy server for your LAN check box.
Click Advanced, and complete the further required details in the Proxy Settings dialog.
e. Click OK multiple times until all the dialogs are closed.

These settings in Internet Explorer are used for communications to the batch server end point.

4. Only if FlexNet Beacon stalls while checking certificates on HTTPS transmissions, you may wish to add [Registry]\Common\CheckCertificateRevocation and set it to false.

When transferring data between an inventory beacon and the application server using the HTTPS protocol, a web server certificate is applied to the data being transferred. When receiving web server certificates from servers, the appropriate agent checks the CA (certification authority) server to ensure that the certificates are not on the CRL (certificate revocation list). If an agent cannot check the CRL (for example, the CA server is firewalled and cannot be contacted, or a proxy server prevents access), the system can stall. To avoid this stalling, you can add the Common\CheckCertificateRevocation preference and set it to False to prevent code agents performing the CRL check.

Important: From a security perspective, it is not good practice to disable the CRL check, since this means you can no longer tell when a certificate has been revoked (which happens after the authority recognizes that a server should no longer be trusted, or when a private key is believed to be compromised). It is far preferable that you instead resolve the issues that are preventing access to the CA server for the CRL check.

5. Configure the following to run under your chosen named account:
FlexNet Beacon Engine service
Upload third party inventory data scheduled task
Upload Flexera logs and inventories scheduled task.
6. Restart the FlexNet Beacon Engine service.
7. Go to the Inventory Settings page (Data Collection > IT Assets Inventory Tasks > Inventory Settings). In the Beacon settings section, ensure that the Beacon version approved for use control is not showing Always use the latest version (currently release-number).

An automatic upgrade that happens as soon as a new version of the inventory beacon is available would result in the named account used for the service and scheduled tasks described above being removed in an uncontrolled manner. When you do decide to allow an upgrade to inventory beacons, check the service and tasks noted above and restore their configurations to run using the named account.

When both the proxy server and the inventory beacon have been configured as described above, communications between FlexNet Beacon and the central application server operate as normal, allowing for downloads of rules and update packages for installed Inventory Agents, and uploads of gathered inventory files.
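
The outcome of steps 3, 5 and 7 can be checked with a short PowerShell script, shown here as an added example that is not part of the original documentation. The account name CONTOSO\svc-beacon is a constructed placeholder, the display-name pattern used to find the service is an assumption, and the task names are those given in step 5.

```powershell
# Added example: run in a session logged on as the named account, because the
# Internet Explorer LAN settings are stored in that account's own HKCU hive.
$ExpectedAccount = 'CONTOSO\svc-beacon'   # constructed placeholder
$ServicePattern  = '*Beacon Engine*'      # assumption: matches the service display name
$TaskNames       = 'Upload third party inventory data',
                   'Upload Flexera logs and inventories'   # names from step 5

function Test-IeProxySettings([hashtable]$Settings) {
    # Emits one line per deviation from step 3; emits nothing when compliant.
    if ($Settings.AutoConfigURL)     { "PAC script set ($($Settings.AutoConfigURL)): not supported" }
    if ($Settings.ProxyEnable -ne 1) { "'Use a proxy server for your LAN' is not selected" }
    if (-not $Settings.ProxyServer)  { 'No proxy server address is configured' }
}

function Test-SameUser([string]$Actual, [string]$Expected) {
    # Compares the user part only: services report DOMAIN\user, tasks may report user.
    ($Actual -split '\\')[-1] -ieq ($Expected -split '\\')[-1]
}

# Constructed sample: a profile that still has a PAC script and no static proxy.
$sample = @{ AutoConfigURL = 'http://wpad.example.test/proxy.pac'; ProxyEnable = 0; ProxyServer = $null }
'Sample profile:'; Test-IeProxySettings $sample

# Live values for the logged-on account.
$key  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$prop = Get-ItemProperty -Path $key
$live = @{ AutoConfigURL = $prop.AutoConfigURL; ProxyEnable = $prop.ProxyEnable; ProxyServer = $prop.ProxyServer }
'Live profile:'; Test-IeProxySettings $live

# Steps 5 and 7: the service and both tasks must still run as the named account
# (an upgrade may have reset them, for example to LocalSystem).
$identities = @(
    Get-CimInstance -ClassName Win32_Service |
        Where-Object DisplayName -like $ServicePattern |
        ForEach-Object { [pscustomobject]@{ Item = $_.DisplayName; RunsAs = $_.StartName } }
    foreach ($name in $TaskNames) {
        Get-ScheduledTask -TaskName "*$name*" -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Item = $_.TaskName; RunsAs = $_.Principal.UserId } }
    }
)
if ($identities.Count -lt 3) { Write-Warning 'Service or task not found; adjust the name patterns.' }
$identities | Select-Object Item, RunsAs,
    @{ Name = 'AsExpected'; Expression = { Test-SameUser $_.RunsAs $ExpectedAccount } }
```

Rerunning the script after any inventory beacon upgrade shows whether the service or either task has been reset away from the named account.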