Proxy Configuration

TLS 1.2 must be enabled on client machines to communicate with Qualys Cloud Platform. TLS 1.2 is a more secure protocol. If it is impossible to enable TLS 1.2, you need to run communication through a proxy server that can convert the incoming communication to TLS 1.2 before sending it to Qualys Cloud Platform.

Cloud Agent Windows proxy settings are stored in the Qualys registry hive, taken from a PAC file whose URL is stored in the Qualys registry hive, or determined automatically if the system is configured to use WPAD.

Software distribution or systems management tools can set the proxy configuration for the agent while installing the agent or after the agent has been installed.

A companion utility installed with the Cloud Agent called QualysProxy.exe can be used optionally by software distribution tools, system management, or manually to set the proxy configuration for the agent. The QualysProxy.exe utility is the only method that can encrypt any required proxy authentication credentials during the setting of the proxy configuration.

QualysProxy allows you to:

  • Configure proxy server(s) and port
  • Configure proxy username and password credentials
  • Configure PAC file URLs for cases when WPAD is not available
  • Enable/disable WPAD detection

When a proxy connection to Qualys Cloud Platform fails, Cloud Agent attempts a direct connection (Fail Open).

What do I need to know?

Proxy Installation

The QualysProxy tool and its updates are installed and updated with the Cloud Agent as required. The QualysProxy tool is located at:

C:\Program Files\Qualys\QualysAgent\QualysProxy.exe

Running Proxy

You must run the proxy tool from an elevated command prompt.

You can also launch the proxy tool from the search/start menu.

Systems management software and remote registry management can be used to set the proxy servers. The QualysProxy.exe command line interface (CLI) tool is designed to be used in shell scripts executed by systems management software. ERROR_LEVEL is set to 0 (zero) in case of successful execution and to non-zero in case of unsuccessful execution. No User Interface window is displayed to the user.

You are not required to restart the system to implement the proxy changes. You can verify the proxy changes at the following location:

C:\ProgramData\Qualys\QualysAgent

On XP and Windows Server 2003, the agent's log.txt file is located at:

C:\Documents and Settings\All Users\Application Data\Qualys\QualysAgent

When Cloud Agent tries to connect to Qualys Cloud Platform, the system logs all the connection errors and achieves each proxy configuration.

QualysProxy syntax

  • QualysProxy [/u <proxy url> [/n <proxy username>] [/p <proxy password>] [/a <PAC file url>]]
  • QualysProxy [/w on|off]
  • QualysProxy [/d]
  • QualysProxy [/h on|off]
  • QualysProxy [/c]
  • QualysProxy [/t on|off]

 

Option   Description
/u       Proxy URL. If set, do not set /x option.
/n       Username used to access proxy. If set, /u option must be set.
/p       Password used to access proxy. If set, /u option must be set.
/a       URL path to PAC file for proxy auto-configuration. If set, do not set /u option.
/d       Deletes all Qualys cloud agent proxy settings.
         Note: This option does not make any changes to the System's proxy settings or Web Proxy AutoDiscovery (WPAD) settings.
/w       Enables or disables agent use of the host's WPAD settings.
/h       Enables or disables agent use of the system-wide winhttp(s) proxy setting.
/c       Prints current Qualys cloud agent proxy settings.
/t       Enables or disables direct connection to Qualys Cloud Platform after all proxy server failures. By default, direct connection after proxy failure is enabled.

  • If an argument contains spaces, please surround that argument with quotes.
  • If an argument contains a " character, precede that character with a backslash '\'.

Multiple Proxy Server support in Proxy URL and PAC Files

The Cloud Agent supports multiple proxy servers defined in the Proxy URL and in PAC files for Windows Agent 3.1 or later. When you configure multiple proxies in a proxy URL, Cloud Agent uses these proxies as a fallback option. When Cloud Agent fails to connect to Qualys Cloud Platform using the first proxy server, it tries the next server, and so on. If Cloud Agent fails to connect to Qualys Cloud Platform using all the proxy servers, it attempts a direct connection, bypassing the proxy server configuration.

Each time the Cloud Agent connects to the Qualys Platform, it always uses the first proxy server in the ordered list. The agent does not maintain a history of the last proxy server used.

This proxy configuration can be used with the Qualys Gateway Service or third-party proxy servers. The failover proxy servers are not required to be on the same subnet as the first proxy server. Cloud Agent uses any server if it is able to connect to it, even on a different subnet.

Define multiple proxy servers in the Proxy URL using semi-colon separated values. For PAC files, refer to the PAC file vendor's documentation that defines how to configure multiple proxy servers.

Use Cases

If cache or patch mode is enabled on the appliance, Cloud Agent should use the cache port while connecting through Qualys Gateway Service (QGS). You cannot use QGS Cache if cache or patch mode is not enabled.

Example 1 – Set proxy and port number

The following example shows how to set a proxy and port number:

  • Any HTTP_CONNECT proxy using http connection: QualysProxy /u http://my-proxy:8080
  • QGS cache port using http connection: QualysProxy /u http://my-qgs:8080

Example 2 - Define multiple proxy servers used for failover

The following example shows how to define multiple proxy servers for failover:

  • Any 2 HTTP_CONNECT proxies using http connection: QualysProxy /u http://my-proxy-1:8080;http://my-proxy-2:8080
  • Any 2 QGS appliance cache ports using http connection: QualysProxy /u http://my-qgs-1:8080;http://my-qgs-2:8080

Example 3 - Define multiple ports on the same proxy server for failover

This can also be used to configure the Cloud Agent to use the Cache Port first and Proxy Port second (as failover) on a single Qualys Gateway Appliance.

The following example shows how to set different port numbers for the same proxy server:

  • Any HTTP_CONNECT proxy using http connection: QualysProxy /u http://my-proxy:8080;http://my-proxy:1080
  • QGS using cache port using http connection, then proxy port using http connection: QualysProxy /u http://my-qgs:8080;http://my-qgs:1080

Example 4 – Set proxy and credentials

The following example shows how to set a proxy (default port: xxx) along with proxy credentials:

Any HTTP_CONNECT proxy using http connection: QualysProxy /u http://my-proxy /n ProxyUsername /p ProxyPassword

Example 5 – Proxy configuration using PAC file

The following example shows how to use a PAC file in proxy configuration if it cannot be discovered by WPAD (assumes PAC file proxy uses http connection):

QualysProxy /a http://my-pac-file-server/QualysAgent.pac

Example 6 – Specify credentials for use with PAC file

The following example shows how to specify credentials for use with a PAC file. The credentials will get passed to the resulting proxy URL:

QualysProxy /n ProxyUsername /p ProxyPassword /a http://my-pac-file-server/QualysAgent.pac
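
The following PowerShell script is an added example, not Qualys code: it applies the quoting rules and exit-code behaviour described above to set an ordered failover list with credentials, turn off the direct-connection fallback with /t off, and print the result with /c. The function names and the my-qgs host names are placeholders, and turning the fallback off is an assumed policy choice.

```powershell
# Added example, not Qualys code. Run from an elevated PowerShell session.
$QualysProxy = 'C:\Program Files\Qualys\QualysAgent\QualysProxy.exe'

function Format-QualysArg {
    # Page's quoting rules: precede each " with a backslash, and
    # surround the argument with quotes if it contains spaces.
    param([string]$Value)
    $escaped = $Value -replace '"', '\"'
    if ($escaped -match '\s') { return '"' + $escaped + '"' }
    return $escaped
}

function Invoke-QualysProxy {
    # Run the tool and stop on a non-zero exit code. The error text omits
    # the arguments so a /p password never lands in deployment logs.
    param([string[]]$Arguments)
    $argLine = ($Arguments | ForEach-Object { Format-QualysArg $_ }) -join ' '
    $proc = Start-Process -FilePath $QualysProxy -ArgumentList $argLine `
        -Wait -PassThru -NoNewWindow
    if ($proc.ExitCode -ne 0) {
        throw "QualysProxy.exe failed with exit code $($proc.ExitCode)"
    }
}

# Ordered failover list (placeholder hosts). Joined as a string because a bare
# ';' on a PowerShell command line would end the statement.
$proxyUrl = @('http://my-qgs-1:8080', 'http://my-qgs-2:8080') -join ';'

# Prompt for the proxy account instead of hard-coding it in the script.
$cred = Get-Credential -Message 'Proxy account for Qualys Cloud Agent'
$plain = $cred.GetNetworkCredential()

Invoke-QualysProxy @('/u', $proxyUrl, '/n', $plain.UserName, '/p', $plain.Password)

# Assumed policy: agent traffic must not bypass the proxies, so disable
# the direct-connection fallback (it is enabled by default).
Invoke-QualysProxy @('/t', 'off')

# Print the stored settings for the deployment record.
Invoke-QualysProxy @('/c')
```

The password still appears on the QualysProxy.exe command line, so process-creation auditing that records command lines will capture it; restrict access to those logs accordingly.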