Aurora Endpoint Security proxy prerequisites
Aurora Endpoint Security agents and Aurora Protect Mobile apps can be configured to use a proxy server for outbound communication to Arctic Wolf servers.
Configuring a proxy for the Aurora Protect Desktop and Aurora Focus agents
Optionally configure the Aurora Protect Desktop and Aurora Focus agents to use a proxy server based on your platform requirements:
- Windows: Configure the Aurora Protect Desktop and Aurora Focus agents to use a proxy server
- Windows and macOS: Configure the Aurora Protect Desktop and Aurora Focus agents to use a proxy server
- Linux: Configure the Aurora Protect Desktop and Aurora Focus agents to use a proxy server
- If you want to configure both the Aurora Protect Desktop agent and the Aurora Focus agent on a device to use a proxy server for outbound communication to Arctic Wolf servers, in the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Cylance\Desktop and create String Value REG_SZ:
- Value Name = ProxyServer
- Value Data = proxyIP:port (for example, http://123.45.67.89:8080)
- The proxy must accept unauthorized requests. SSL inspection is not supported and must be bypassed for all agent traffic (*.cylance.com).
- For Windows environments, if you configured system-wide proxy settings in HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings, you must specify the ProxyServer registry key value using proxyIP:port, or the value must start with http:// instead of https:// (HTTPS proxy connections are supported, but the registry value must not start with https://).
Windows and macOS: Proxy options for the Aurora Focus agent
- The Aurora Focus agent is proxy-aware and will query the .NET framework to identify and use the available proxy settings. If you configured the ProxyServer value in the registry, the Aurora Focus agent will use the specified proxy. The Aurora Focus agent will try to communicate first as the Local System, then as the currently logged-in user.
- If you configure the Aurora Focus agent to use a proxy and the agent cannot communicate with the cloud services, the agent will attempt to bypass the proxy to make a direct connection. On Windows and macOS devices, you can disable this proxy bypass. Do these actions before you install the Aurora Focus agent:
Platform: Windows
Steps:
- In HKLM\SOFTWARE\Cylance\Optics\, create String Value REG_SZ:
- Value Name = DisableProxyBypass
- Value Data = True
Platform: macOS
Steps:
- In /Library/Application Support/Cylance/Desktop/registry/LocalMachine/Software/Cylance/Desktop/, add this to the values.xml file:
<value name="ProxyServer" type="string">http://proxy_server_IP:port</value>
- In /Library/Application Support/Cylance/Optics/Configuration, create an ExternalConfig.xml file with this:
<?xml version="1.0" encoding="utf-8"?>
<EnforceProxyServer>true</EnforceProxyServer>
- When Aurora Focus creates a detection event that involves a signed file as an artifact, it uses a command from the Windows API to validate the signature or certificate. The command sends a validation request to an OCSP server. The OCSP server address is determined by Windows. If your proxy server reports attempts to send external traffic to an OCSP server, update the proxy settings on devices to allow connections with the OCSP server.
Linux: Proxy options for the Aurora Protect Desktop and Aurora Focus agents
On supported versions of RHEL, CentOS, Ubuntu, Amazon Linux 2, and SUSE 15, use these commands to configure the agents to use an unauthenticated or authenticated proxy. You can use these commands before you install the agents. The commands below configure a proxy for the Aurora Protect Desktop agent. To set a proxy for the Aurora Focus agent:
- Replace all instances of "cylancesvc" with "cyoptics"
- Duplicate each http_proxy line and replace "http_proxy" with "https_proxy". In most cases https_proxy will use the same value as http_proxy because HTTPS traffic is tunneled using TCP Connect, but if your organization uses an HTTPS termination proxy server, specify the appropriate value for https_proxy.
Unauthenticated proxy:
CODE
mkdir /etc/systemd/system/cylancesvc.service.d
echo "[Service]" > /etc/systemd/system/cylancesvc.service.d/proxy.conf
echo "Environment=http_proxy=http://proxyaddress:port" >> /etc/systemd/system/cylancesvc.service.d/proxy.conf
systemctl stop cylancesvc
systemctl daemon-reload
systemctl start cylancesvc
Authenticated proxy:
CODE
mkdir /etc/systemd/system/cylancesvc.service.d
echo "[Service]" > /etc/systemd/system/cylancesvc.service.d/proxy.conf
echo "Environment=http_proxy=user:password@proxyaddress:port" >> /etc/systemd/system/cylancesvc.service.d/proxy.conf
systemctl stop cylancesvc
systemctl daemon-reload
systemctl start cylancesvc
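The Linux steps above, combined into one script that handles either agent and adds the https_proxy line for Aurora Focus. This is an added example, not vendor code: the function names, the optional root_dir argument and the character allow-list are assumptions, and the proxy host in the demo is constructed.

```shell
#!/bin/sh
# Added example, not vendor code. write_proxy_dropin, restart_agent and the
# root_dir argument are hypothetical names used for illustration.

# usage: write_proxy_dropin <cylancesvc|cyoptics> <proxy> [root_dir]
write_proxy_dropin() {
    unit=$1; proxy=$2; root=${3:-}
    case $unit in
        cylancesvc|cyoptics) ;;
        *) echo "unsupported unit: $unit" >&2; return 2 ;;
    esac
    # Assumption: allow only characters that systemd copies verbatim into an
    # Environment= value (no whitespace, quotes, backslash or % specifiers).
    case $proxy in
        ''|*[!A-Za-z0-9._~:/@-]*) echo "invalid proxy value" >&2; return 2 ;;
    esac
    dir="$root/etc/systemd/system/$unit.service.d"
    conf="$dir/proxy.conf"
    mkdir -p "$dir" || return 1
    # The value may embed user:password, so create the file owner-only.
    (
        umask 077
        rm -f "$conf"
        {
            echo "[Service]"
            echo "Environment=http_proxy=$proxy"
            # Aurora Focus (cyoptics) also needs the https_proxy line.
            if [ "$unit" = cyoptics ]; then
                echo "Environment=https_proxy=$proxy"
            fi
        } > "$conf"
    ) || return 1
    echo "$conf"
}

# Same stop / daemon-reload / start order as the commands above (needs root).
restart_agent() {
    systemctl stop "$1" && systemctl daemon-reload && systemctl start "$1"
}

# Demo against a scratch directory with constructed values; on a real host
# omit the third argument and then call restart_agent with the same unit name.
demo_root=$(mktemp -d)
write_proxy_dropin cyoptics "http://proxy.example.internal:8080" "$demo_root"
```

The owner-only file mode limits who can read proxy.conf on disk. systemd's documentation notes that a unit's Environment= values remain visible to unprivileged clients over D-Bus, so use a proxy account with no other privileges.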