Proxy Servers and Communication Resilience
Overviewβ
The Xshield agent plays a critical role in maintaining host security posture by communicating with the Xshield Security Platform. This communication includes sending periodic heartbeat messages, host and network telemetry, and receiving security policy updates.
To support secure and resilient communication, especially in environments with restricted internet access, the Xshield agent provides robust proxy support with failover and fallback mechanisms.
Agent Communication Workflowβ
-
The Xshield agent sends the following at regular intervals to the Xshield Security Platform:
- Heartbeat messages
- Host telemetry (e.g., system properties, software inventory)
- Network telemetry (e.g., open ports, active communication paths)
-
The heartbeat response from the platform also acts as a notification channel for any pending policy updates.
-
Upon receiving such a notification, the agent:
- Fetches the updated security policy from the platform.
- Applies the policy by programming the host firewall.
β It is essential that this communication remains uninterrupted to ensure timely policy enforcement and maintain accurate visibility on the platform.
Proxy Server Supportβ
π Purpose and Benefitsβ
The proxy capability allows agents to communicate with the Xshield Security Platform without requiring unrestricted outbound internet access. This containment strategy helps to limit the blast radius in the event of a compromise, as all outbound traffic is forced through controlled proxy infrastructure.
π Redundant Proxy Configurationβ
- The Xshield agent supports configuration of multiple proxy servers for communication redundancy.
- The agent attempts connection in the order listed in the configuration file.
Failover Logicβ
- The agent tries to communicate through the first proxy server.
- If the attempt fails, it retries using the next proxy in the list.
- This process continues until a working proxy is found.
- Once successful, the agent sticks with the working proxy and does not switch unless communication fails again.
This ensures high availability and prevents the agent from going offline on the platform due to a single point of failure.
π« Proxy Bypass Fallbackβ
If none of the configured proxies are reachable, the agent attempts to bypass the proxy configuration and communicate directly with the Xshield Security Platform.
This fallback is especially useful in environments where:
- Temporary routing rules or firewall exceptions are created to allow direct access.
- IT may intentionally enable internet access on a limited-time basis for recovery or bootstrapping.
Proxy Configurationβ
- Proxy servers must be configured in the
config.yamlfile located in the agent's configuration directory. - The file supports an ordered list of proxy server IP addresses with corresponding ports.
- FQDNs (Fully Qualified Domain Names) are not supported.
The proxy configuration can be updated using the ctagent or ctagentcmd utility.
ctagent example for multiple proxies:
updateProxy --proxy=http://10.10.6.4:3128,http://10.10.4.5:4128 --proxyUser=ctuser1,ctuser2 --proxyPassword=Y29sb3JzMzIxMQ==,Y29sb3JzMzIxMg==
ctagentcmd example for multiple proxies:
updateConfig --param configuration.proxy;configuration.proxy-user;configuration.proxy-password --value http://10.10.6.4:3128,http://10.10.4.5:4128;ctuser1,ctuser2;Y29sb3JzMzIxMQ==,Y29sb3JzMzIxMg== [--skipRestart]
Passwords must be base64 encoded. Use the Installation command page to convert passwords to the correct format.
π Applying Configurationβ
- After modifying the
config.yamlfile, the Xshield agent service must be restarted for the new proxy settings to take effect.
Summaryβ
The Xshield agent's multi-proxy and proxy bypass capabilities ensure reliable, secure, and resilient communication with the Xshield Security Platformβeven in complex, controlled network environments. This design allows for robust enforcement of security policies and consistent telemetry, minimizing operational risk due to network outages or misconfigured proxies.