The proxy servers configured on the management Console are further used to route traffic from/to agents.
Basically it's used for two traffic flows: between agents and management Console, and between agents in a job.
Traffic between Agents and Management Console
By default, first proxy server from the list of configured proxies is used by Agents to connect to the Management Console. Agents that are connected through other proxies will appear offline on the MC. As a workaround add "mc_proxy":"address:port"
to these Agents' configuration file with the corresponding address of the proxy server. Please contact support for assistance.
Depending on how Agent is launched, with a configuration file or not, see below
For newly connected agents:
- replace the direct address of Management Console with the address of the proxy server in the Agent UI, including the port
- or replace "host" address in an already saved configuration file, including the port
For the agents that are already have connection to the MC:
no need to adjust the agent UI or configuration file. Configure the proxy server on MC while the agent is connected to it. If direct connection becomes not possible at a moment (for example, the Agent is moved to WAN), the Agent will switch to the proxy server it received.
Only one proxy server is supported for this connection, and this is going to be the first in the list of configured proxies on the MC. The Agent does not accept two configured proxies and does not switch from one to another if necessary.
The Agent won't automatically switch to a second proxy in the list of configured proxies.
This tunnel will be used for all communication between agents and the Console - jobs configuration, statistics, recourses usage, etc.
For each Agent, connected to MC through Proxy, a new socket is opened on the MC's host.
If the Agent has been connected to MC through proxy over WAN (never was connected directly) and then is moved to LAN, the Agent won't switch to MC's local address automatically even after changing the MC's address in Agent UI or config file. Reinstall of the Agent with wiping of its storage folder is required.
Agent <-> Agent traffic
In the Agent profile enable option Use proxy. However, Agents always prefer direct connection when it is available. If a direct connection is not available, traffic will be routed via proxy.
The agent will be using the proxy servers from MC settings > Auxiliary servers, that were configured in advance. Agents in already configured Synchronization jobs will re-evaluate network settings and will also try a proxy tunnel. Agents in Distribution and Consolidation jobs will probe proxy tunnel on next job run. Make sure that all agents in the job are configured to "Use proxy".
Proxy servers, if several are configured, work in ‘load balancing’ mode: agents distribute their requests to proxies for different jobs. High availability of Proxy is not supported.
By default proxy only routes traffic from/to LAN per "subnet" setting in its configuration. WAN to WAN traffic routing shall be enabled using "Advanced settings" above the table on Auxiliary servers tab.
Proxy can route TCP and ZGT protocols only. Be sure to have these enabled in the Agent profile. Otherwise only proxied tunnel will be possible for a non-selected protocol (as was previously mentioned, agents will try direct connection first). This also means - to force agents to connect only through proxy, uncheck all protocols in the Agent profile.
Proxy connection is reflected in Connectivity map of the Agent. On the example below direct connection to the (external) address discovered by tracker is not available on all protocols, so connection is established through proxy 192.168.56.200.
Note, since proxy is used per whole agent, the map may show all proxy connection, not necessarily related to this particular job.
Proxied connection is not reported in the Agent UI.
Introducing a proxy into the environment will also have its impact on other Resilio Connect functionality, as described below
Proxied connection is also limited by Bandwidth scheduler.
Since real IP addresses of remote agents are hidden behind the proxy, Known hosts parameter in the Agent profile won't work for a proxied tunnel. In order to preserve the functionality, new parameter was introduced - Allowed peers. It accepts only AgentID as value, multiples lines are supported. AgentID can be learned from the Agent details. For this parameter to work, tracker must be enabled and reachable for the agents involved.
Speed test can also be run through a proxy tunnel. For speed test through a proxy tunnel to be successful, corresponding tunnel shall be enabled in the Agent profile. For example, for speed test to run through Proxy_TCP tunnel, TCP tunnel protocol must be checked in selected agents' profiles. Otherwise speed test will give error "Network is unreachable:"