Cisco Catalyst SD-WAN Control Components and Device Management Guide, Releases 26.x and Later

Proxy server for SD-WAN Manager HTTP and HTTPS traffic with external servers

Describes configuration and restrictions for proxy servers handling HTTP and HTTPS traffic between SD-WAN Manager and external servers.


You can configure a proxy server to handle HTTP and HTTPS traffic between Cisco SD-WAN Manager and external servers.

Traffic

The following are examples of the HTTP and HTTPS traffic that SD-WAN Manager directs through the proxy server, if one is configured:

  • HTTPS connection for Symantec or Cisco automated certificate request or renewal

  • REST API calls to URLs of these domains:

    • cisco.com

    • amazonaws.com

    • microsoft.com

    • office.com

    • microsoftonline.com

Every 24 hours, SD-WAN Manager checks whether the proxy server is reachable. If the proxy server is unreachable, SD-WAN Manager raises the alarm "HTTPS proxy server {IP} not reachable", where {IP} is the configured proxy server address.

Benefits

Cisco SD-WAN Manager uses an HTTP or HTTPS connection to an external server for certain traffic, including:

  • Certificate request or renewal

  • Cisco Plug and Play integration

  • Smart Licensing Using Policy

  • Cloud OnRamp

  • Software image download

  • Data upload to Cisco SD-WAN Analytics

In releases earlier than Cisco vManage Release 20.5.1, you must permit this HTTP and HTTPS traffic in the firewall configured on your on-premises Cisco SD-WAN Manager instance. From Cisco vManage Release 20.5.1, you can channel HTTP and HTTPS traffic through a proxy server. With a proxy server configured, you can restrict HTTP and HTTPS communication with external servers in the firewall configuration, which further secures the system.


Restrictions for a proxy server for HTTP and HTTPS traffic

These restrictions apply to using a proxy server for HTTP and HTTPS traffic between Cisco SD-WAN Manager and external servers.

Domain name resolution

When configured to communicate with external servers via an HTTP/HTTPS proxy server, SD-WAN Manager resolves fully qualified domain names (FQDNs) locally or through configured DNS servers, bypassing the proxy server.

SD-WAN Manager then sends the HTTP or HTTPS connections resulting from the resolution to the proxy server. DNS queries for the resolution of external server FQDNs must be successful before SD-WAN Manager can send the resulting connections to the proxy server for HTTP and HTTPS traffic.

SD-AVC container

There is no support for using the proxy server for traffic between the SD-AVC container, which operates as part of SD-WAN Manager, and external services.


Configure a proxy server for HTTP and HTTPS traffic

Configure a proxy server for HTTP and HTTPS traffic between Cisco SD-WAN Manager and external servers.

SD-WAN Manager verifies that the proxy server for HTTP and HTTPS traffic is reachable, and saves the server details in the configuration database. SD-WAN Manager then directs HTTP and HTTPS connections and REST API calls to external servers through the proxy server.

If the HTTP/HTTPS proxy server is not reachable, Cisco SD-WAN Manager displays an error message in the GUI indicating the reason for the failure.

Before you begin

  • SD-WAN Manager uses an HTTPS connection to www.cisco.com (previously, a TCP port 7 echo request was used) to validate reachability of the proxy server. Ensure that your firewall and proxy server are configured to allow the echo requests so that the destination host ports are accessible.

  • Enable the out-of-band interface on the single node using Administration > Cluster Management before configuring the proxy server.

Perform these steps to configure a proxy server for HTTP and HTTPS traffic.

Procedure

1. From the Cisco SD-WAN Manager menu, choose Administration > Settings.

2. Open HTTP/HTTPS Proxy.

3. For the Enable HTTP/HTTPS Proxy setting, click Enabled.

4. Enter the HTTP/HTTPS Proxy IP Address and Port number.

   For releases before Cisco Catalyst SD-WAN Manager Release 20.13.1, enter an IPv4 address. For releases from Cisco Catalyst SD-WAN Manager Release 20.13.1, enter an IPv4 or IPv6 address.

5. Enter a Non Proxy Host/IP List of IP addresses or hostnames to exclude from use with the proxy server.

   Use the pipe (|) character to separate items in the list.

6. Click Save.
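The following is an added example, not Cisco code and not part of this guide, that models the three behaviours described above in one place: the proxy address validation in step 4 (IPv6 only where the release supports it), the pipe-separated Non Proxy Host/IP List in step 5, the local FQDN resolution that happens before any connection is sent to the proxy, and the reachability check that produces the "HTTPS proxy server {IP} not reachable" alarm. The matching rule (exact hostname or IP literal match, case-insensitive for hostnames), the use of an HTTPS fetch of www.cisco.com as the reachability probe, and the helper names are assumptions made for the example.

```python
"""Added example (not Cisco code): model SD-WAN Manager's HTTP/HTTPS proxy routing
decision, Non Proxy Host/IP List parsing and proxy reachability alarm."""
import ipaddress
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass

# Alarm text as documented in the guide; {ip} is the configured proxy address.
ALARM_TEMPLATE = "HTTPS proxy server {ip} not reachable"
# Assumption: reachability is validated with an HTTPS request to www.cisco.com.
REACHABILITY_URL = "https://www.cisco.com"


@dataclass
class ProxyConfig:
    enabled: bool
    address: str            # IPv4 or IPv6 literal, as entered in the GUI
    port: int
    non_proxy_list: str = ""  # pipe-separated hostnames / IP literals


def parse_proxy_address(addr, ipv6_supported=True):
    """Validate the proxy address. Releases before 20.13.1 accept IPv4 only,
    so reject IPv6 literals when ipv6_supported is False."""
    ip = ipaddress.ip_address(addr.strip())  # raises ValueError on garbage
    if ip.version == 6 and not ipv6_supported:
        raise ValueError("IPv6 proxy address requires Release 20.13.1 or later")
    return str(ip)


def parse_non_proxy_list(raw):
    """Split the Non Proxy Host/IP List on '|'. Blank entries are dropped,
    hostnames are lower-cased and IP literals are canonicalised (e.g. '::1')."""
    entries = set()
    for item in raw.split("|"):
        item = item.strip()
        if not item:
            continue
        try:
            entries.add(str(ipaddress.ip_address(item)))
        except ValueError:
            entries.add(item.lower())
    return entries


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def plan_connection(host, cfg, resolver=socket.gethostbyname):
    """Return ('direct' | 'proxy', resolved_ip) for a destination host.

    FQDNs are always resolved locally (never by the proxy), and resolution must
    succeed before the connection can be handed to the proxy: a resolver failure
    propagates as socket.gaierror. The resolver is injectable for offline use."""
    resolved = host if _is_ip_literal(host) else resolver(host)
    exclusions = parse_non_proxy_list(cfg.non_proxy_list)
    if not cfg.enabled or host.lower() in exclusions or resolved in exclusions:
        return ("direct", resolved)
    return ("proxy", resolved)


def format_proxy_host(addr):
    """Bracket IPv6 literals so they can be used in a proxy URL."""
    return f"[{addr}]" if ipaddress.ip_address(addr).version == 6 else addr


def check_proxy_reachable(cfg, url=REACHABILITY_URL, timeout=5):
    """Probe the proxy by fetching url through it. Returns None when the proxy
    is reachable (any HTTP response counts), otherwise the alarm text."""
    proxy_url = f"http://{format_proxy_host(cfg.address)}:{cfg.port}"
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    try:
        with opener.open(url, timeout=timeout):
            return None
    except urllib.error.HTTPError:
        return None  # the proxy answered, so it is reachable
    except OSError:  # URLError, socket.timeout and connection errors
        return ALARM_TEMPLATE.format(ip=cfg.address)


if __name__ == "__main__":
    cfg = ProxyConfig(True, "10.0.0.2", 3128, "internal.example.com|10.1.1.5")
    print(plan_connection("10.1.1.5", cfg))       # ('direct', '10.1.1.5')
    print(check_proxy_reachable(cfg, timeout=3))  # alarm text if 10.0.0.2 is down
```

Because the resolver is passed in, `plan_connection` can be exercised offline with a stub that returns a constructed address, while `check_proxy_reachable` performs a real probe through the configured proxy.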