Global Forward Proxy Configuration

Depending on your deployment, you may require that communication between Solace event brokers and endpoint servers goes through a global forward proxy. This is often the case if the event broker sits behind a firewall and egress traffic needs to connect to a proxy server to go outside the firewall.

In this scenario, you can create a global forward proxy configuration object on the event broker to direct traffic to the proxy server before it is forwarded to the endpoint server. Global forward proxies differ from Message VPN forward proxies in that they handle system-level communication such as management user authentication.

To create a global forward proxy, enter the following commands:

solace(configure)#
solace(configure)# create proxy <proxy-name>

To enable a global forward proxy once it has been configured, enter the following command:

solace(configure/proxy)# no shutdown

To remove a global forward proxy, enter the following command:

solace(configure)# no proxy <proxy-name>

Where:

<proxy-name> specifies the name of the global forward proxy configuration object. This name is used in the configuration of other broker objects (for example, OAuth profiles) to refer to the global forward proxy. You can configure up to five global forward proxy objects on an event broker.

Global forward proxy configuration objects are synchronized only in high-availability (HA) deployments, not in disaster recovery (DR) deployments, because different sites may need different proxy configurations. The proxy reference (for example, the reference in an OAuth profile) is both HA and replication synchronized, so once the appropriate proxies are set up on each site, the referencing objects need no special handling on replicated sites.

You can configure the following parameters for a global forward proxy:

Configuring the Global Forward Proxy Authentication Scheme

To configure the authentication scheme that the event broker will use to establish a connection to the proxy server, enter the following commands:

solace(configure/proxy)# authentication
solace(configure/proxy/authentication)# auth-scheme {none | basic}

Where:

none specifies to log in with no authentication. This is the default authentication scheme. For more information, see None.

basic specifies to log in with a username and password. For more information, see Basic Authentication.

The no version of this command, no auth-scheme, resets the authentication scheme to the default.

None

If no authentication scheme is configured, the event broker will not use an authentication scheme when connecting to the proxy server. This may be useful for anonymous connections or when a proxy server does not require authentication.

Basic Authentication

If you configure a basic authentication scheme, the event broker authenticates to the proxy server with a username and password combination.

To configure settings for a basic authentication scheme, enter the following commands:

solace(configure/proxy)# authentication
solace(configure/proxy/authentication)# basic
solace(configure/proxy/authentication/basic)# username <value>
solace(configure/proxy/authentication/basic)# password <value>

Where:

username <value> is the client username to use for authentication to the proxy server.

password <value> is the password to use with the specified username.

The no version of either command removes any configured value.

Configuring the Global Forward Proxy IP Address or Hostname

To configure the IP address or hostname of the proxy server, enter the following command:

solace(configure/proxy)# host <value>

Where:

<value> specifies the IP address or DNS name to which the event broker will connect. It can contain up to 253 characters.

The no version of this command, no host, removes any configured value.

Configuring the Global Forward Proxy Port

To configure the port to connect to on the proxy server, enter the following command:

solace(configure/proxy)# port <value>

Where:

<value> specifies the port number. The valid range of values is 0 to 65535. The default is 0.

The no version of this command, no port, resets the value to the default.

Configuring the Global Forward Proxy Type

To configure the global forward proxy type, enter the following command:

solace(configure/proxy)# proxy-type {direct | http}

Where:

direct specifies a direct connection to the endpoint server; in other words, no proxy is used. If you configure this proxy type, the only other configuration that has effect is whether the proxy is enabled or not. This is useful when one replication site needs a proxy and another does not: on the second site, you would set the proxy type to direct. This is the default.

http specifies that the connection from the event broker to the proxy server is HTTP. Note that this applies only to communication between the event broker and the proxy server. Event broker objects that use the global forward proxy often provide the ability to configure TLS/SSL separately.

The no version of this command, no proxy-type, resets the value to the default.
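
As an added example (not Solace code), the following Python lints a planned set of global forward proxy definitions against the limits and defaults stated on this page before they are entered in the CLI. The dict layout, the sample names and credentials, and the assumption that basic credentials travel as a standard HTTP Basic header are illustrative and not taken from the product.

```python
import base64

MAX_PROXIES = 5      # page: up to five global forward proxy objects per broker
MAX_HOST_LEN = 253   # page: host value can contain up to 253 characters

def basic_header_value(username, password):
    # Assumed wire format: HTTP Basic (RFC 7617). Base64 is encoding, not encryption.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def lint_proxy(p):
    """Findings for one planned proxy; dict keys mirror the CLI command names."""
    findings = []
    if p.get("proxy-type", "direct") == "direct":          # page default: direct
        unused = [k for k in ("host", "port", "auth-scheme", "username", "password") if k in p]
        if unused:
            findings.append("proxy-type direct: no effect from " + ", ".join(unused))
        return findings
    host, port = p.get("host", ""), p.get("port", 0)       # page default port: 0
    if not host or len(host) > MAX_HOST_LEN:
        findings.append("host must be set and at most 253 characters")
    if not isinstance(port, int) or not 0 <= port <= 65535:
        findings.append("port outside 0-65535")
    elif port == 0:
        findings.append("port is still the default 0; set the proxy's listening port")
    if p.get("auth-scheme", "none") == "basic":            # page default: none
        if not (p.get("username") and p.get("password")):
            findings.append("auth-scheme basic needs both username and password")
        else:
            findings.append("basic over proxy-type http: credentials reach the proxy "
                            "base64-encoded, not encrypted; keep that hop on a trusted network")
    return findings

def lint_all(proxies):
    """Lint every planned proxy and enforce the per-broker object limit."""
    report = {name: lint_proxy(p) for name, p in proxies.items()}
    if len(proxies) > MAX_PROXIES:
        report["*"] = [f"{len(proxies)} proxies planned; limit is {MAX_PROXIES}"]
    return report

# Constructed sample plan (names, hosts and credentials are made up for illustration).
SAMPLE = {
    "site-a-egress": {"proxy-type": "http", "host": "proxy.example.internal", "port": 3128,
                      "auth-scheme": "basic", "username": "user", "password": "pass"},
    "site-b-direct": {"proxy-type": "direct", "host": "proxy.example.internal"},
    "site-c-egress": {"proxy-type": "http", "host": "proxy.example.internal"},
}

if __name__ == "__main__":
    for name, findings in lint_all(SAMPLE).items():
        print(name, findings or "ok")
```

An empty findings list means the definition is consistent with the limits on this page; it does not confirm that the proxy server itself accepts the connection.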