Proxied Environments

This topic only applies to Secret Server On-Premises.

If your Secret Server has outbound access through a proxy, its web.config must be modified to specify the proxy configuration.

If Secret Server is also clustered and has multiple worker roles enabled, the web.config must be updated for each Secret Server in the cluster.

Microsoft has more information on this.

The other option in a clustered environment is to specify a remote site for the data upload, and upload data through a Distributed Engine. If the distributed engine’s host server is also behind a proxy, however, the engine’s Delinea.DistributedEngine.Service.exe.config must be modified similarly to the web.config in order to specify the proxy settings.

For Secret Server v10.4 or later, the web-proxy.config can be uncommented and updated to specify the proxy settings.

For Secret Server v10.3.000015 or earlier, you must add proxy-related XML to the web.config file immediately following the file’s closing </configSections> tag, as depicted here:

</configSections>
    <system.net>
        <defaultProxy enabled="true" useDefaultCredentials="true">
            <proxy usesystemdefault="false" proxyaddress="https://proxy:port" bypassonlocal="true"/>
        </defaultProxy>
    </system.net>
<configuration type="thycotic.foundation.configuration, thycotic.foundation">

Using Webnode with Proxied Environments

If you are using a web node, you will need to add the following to its configuration:

<system.net>
    <defaultProxy configSource="web-proxy.config" />
</system.net>

DE Configuration

Please note that it is suggested the customer create an exception (bypass) in the proxy for both web nodes and DEs, because the configuration files are overwritten by product updates and the changes then have to be implemented again. There is a feature request (FR) to retain proxy settings across updates, but as of 9/21/2022 it had not been implemented.

When Secret Server and distributed engines are behind a proxy, certain settings need to be added to the web nodes and to the DEs, if they exist in the environment.

To use the Distributed Engine through a proxy, you will need to add the proxy information to Thycotic.DistributedEngine.Service.exe.config immediately after </system.serviceModel>. The file is located in the C:\Program Files\Thycotic Software Ltd\Distributed Engine\ folder on the distributed engine. You may need to refer to the Microsoft article below for other proxy-related settings.

<defaultProxy> Element (Network Settings)

<system.net>
    <defaultProxy>
        <proxy usesystemdefault="true" />
    </defaultProxy>
</system.net>

You will need to restart the DE service afterwards and the setting will need to be reapplied after any Distributed Engine upgrade.

Webnode Configuration

Main Proxy settings are stored in the web-proxy.config file in the Secret Server folder on each webnode. Microsoft’s article on Proxy configuration explains all settings.

<defaultProxy> Element (Network Settings)

A few examples below:

Example #1

<?xml version="1.0" encoding="utf-8" ?>
<defaultProxy enabled="true">
    <proxy
        usesystemdefault="true"
        proxyaddress="http://192.168.1.1:8080"
        bypassonlocal="true"
    />
</defaultProxy>

Example #2

<defaultProxy enabled="true">
    <proxy proxyaddress="http://proxy.domain.com:80" bypassonlocal="true" />
</defaultProxy>

Now the following files need to be edited to point to the web-proxy.config file.

  • web-embeddedRole-backgroundScheduler.config

  • web-embeddedRole-backgroundWorker.config

  • web-embeddedRole-engineWorker.config

  • web-embeddedRole-messageBroker.config

  • web-embeddedRole-sessionRecordingWorker.config

The code used in these files can be as follows:

<system.net>
    <defaultProxy configSource="web-proxy.config" />
</system.net>

Placement of this setting may affect connection. I have confirmed success when the code is placed before the section.

These files will need to be edited again after each update until the aforementioned FR to retain proxy settings across updates is implemented.
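Because the embedded-role files listed above are overwritten by every product update, the edit has to be reapplied each time. The following PowerShell script is an added example (not Delinea's own tooling) that inserts the defaultProxy reference into each file only if it is missing and reports which files were touched; it assumes the Secret Server web root path in $WebRoot, that web-proxy.config already exists there, and that each file has a <configuration> root like web.config.

```powershell
# Added example: re-apply <system.net><defaultProxy configSource="web-proxy.config"/>
# to the embedded-role config files after an upgrade. Idempotent, so it is safe to
# run after every update. $WebRoot is an assumed install path; adjust to your own.
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot\SecretServer',
    [switch]$DryRun    # report only, do not write any file
)

$files = @(
    'web-embeddedRole-backgroundScheduler.config',
    'web-embeddedRole-backgroundWorker.config',
    'web-embeddedRole-engineWorker.config',
    'web-embeddedRole-messageBroker.config',
    'web-embeddedRole-sessionRecordingWorker.config'
)

function Set-DefaultProxyReference {
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path -Raw
    $root = $doc.DocumentElement
    # Already configured: leave the file untouched.
    if ($root.SelectSingleNode('system.net/defaultProxy')) { return 'present' }
    $net = $root.SelectSingleNode('system.net')
    if (-not $net) {
        $net = $doc.CreateElement('system.net')
        # .NET config requires configSections to be first, so place system.net
        # directly after it (or first, if the file has no configSections).
        $sections = $root.SelectSingleNode('configSections')
        if ($sections) { $root.InsertAfter($net, $sections) | Out-Null }
        else           { $root.PrependChild($net) | Out-Null }
    }
    $proxy = $doc.CreateElement('defaultProxy')
    $proxy.SetAttribute('configSource', 'web-proxy.config')
    $net.AppendChild($proxy) | Out-Null
    if (-not $DryRun) { $doc.Save($Path) }
    return 'updated'
}

foreach ($name in $files) {
    $path = Join-Path $WebRoot $name
    if (-not (Test-Path $path)) { Write-Warning "missing: $name"; continue }
    $result = Set-DefaultProxyReference -Path $path
    Write-Output ('{0,-50} {1}' -f $name, $result)
}
```

Run it with -DryRun first after an upgrade to see which files lost the setting, then without the switch to restore it; the IIS application pool still needs to be recycled for the change to take effect.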