Summary

Inventory Beacons running in a proxy environment require both inventory settings and MSIE configuration.

Synopsis

Configuration of the FlexNet Beacon software (that operates on an inventory beacon server) is normally completed by the installer or may be configured manually, as described below.
Proxy support in FlexNet Beacon has the following limitations:

• Authenticating proxies that require a user name and password are not supported. FlexNet Beacon supports proxies with anonymous authentication. (The only time that authenticated proxies are supported is for an interactive user accessing the web interface, such as www.flexnetmanager.com/Suite, through a proxy. All services interactions require anonymous authentication.)
• Use of a proxy auto-configuration (PAC) script is not supported. This may require modifications to the Microsoft Internet Explorer settings on the inventory beacon, as explained in the process below.

Discussion

There are several possible settings affecting inventory beacon operation with proxy servers. This is because:

• Very large implementations may have implemented the central application server as three (or more) distinct machines, which may therefore provide separate end-points for communications from an inventory beacon. In theory, it would be possible to have separate proxy servers mediating communications with each of these distinct end-points.
• Some settings are made independently for either the HTTP or HTTPS protocol. In these cases, only one of the paired settings must be implemented, and the other left clear, as described in the process below.

In smaller implementations that have only a single proxy server managing Internet access for an inventory beacon, it remains necessary to configure these multiple settings as described below.

Place-holders explained

The following process shows placeholders proxyServerURL and portNumber that must be replaced with the appropriate values for your implementation. As well, the special case [Registry] has the following default values on different systems:

• On 32-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\ManageSoft Corp\ManageSoft\
• On 64-bit systems: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\ManageSoft Corp\ManageSoft\
  If a user runs any executable manually, the necessary corresponding registry keys are created on-demand under the hive.

Making Configuration changes

This process must be completed on the inventory beacon.

1. Using regedit on the inventory beacon, configure the following registry settings, based on your FNMS environment. (All the settings in this step are used for communications to the inventory server in either a multi-server on-premises implementation or a cloud implementation):
   
   
   1. For FNMS Cloud Environments:
      All central servers in the Flexera cloud implementation are configured for HTTPS communications. For a top-level inventory beacon accessing the central inventory server, ensure that none of these settings use the HTTP protocol.
      • [Registry]\Common\https_proxy = https://proxyServerURL:portNumber
      • [Registry]\Common\DownloadSettings\ReplicatorParent\Proxy = https://proxyServerURL:portNumber
      • [Registry]\Common\UploadSettings\ReplicatorParent\Proxy = https://proxyServerURL:portNumber
      • [Registry]\Launcher\CurrentVersion\https_proxy = http://proxyServerURL:portNumber
      NOTE: This is not a typographical error. The HTTPS proxy for the Launcher must be specified with the leading protocol value of http://.
      
      
   2. For FNMS On-Premises Environments:
      Choose one of the following settings to match the protocol configured for your inventory server (or application server for a single-server implementation)
      • For HTTPS: [Registry]\Common\https_proxy = https://proxyServerURL:portNumber
      • For HTTP: [Registry]\Common\http_proxy = http://proxyServerURL:portNumber
      
      Next, set the following two values, in each case using the protocol (http or https) appropriate to your environment:
      • [Registry]\Common\DownloadSettings\ReplicatorParent\Proxy = https://proxyServerURL:portNumber
      • [Registry]\Common\UploadSettings\ReplicatorParent\Proxy = https://proxyServerURL:portNumber
      
      Finally, choose one of the following settings to match the protocol configured for your inventory server (or application server in a single server implementation).
      • For HTTPS: [Registry]\Launcher\CurrentVersion\https_proxy = http://proxyServerURL:portNumber
      • For HTTP: [Registry]\Launcher\CurrentVersion\http_proxy = http://proxyServerURL:portNumber
      
      NOTE: This is not a typographical error. The HTTPS proxy for the Launcher must be specified with the leading protocol value of http://.
      
      
2. Identify (and if necessary, create) a named account that will run batch processes on the inventory beacon.
   The account must have the following rights on the inventory beacon server:
   • Local administrator rights — Required for operation of the FlexNet Beacon software
   • Logon interactively — Required to logon and run Microsoft Internet Explorer to configure the proxy (and thereafter, this right may be removed if required)
   • Logon as a service — Required for running the FlexNet Beacon engine as a service
   • Logon as a batch job — Required for running scheduled tasks.
   
   You can check Microsoft Service Manager on the inventory beacon to see which account is running the FlexNet Beacon engine service. By default, the FlexNet Beacon engine is configured to run as local SYSTEM user. (If you are creating a different account, be aware that an upgrade to FlexNet Beacon may reset the account to local SYSTEM, and you may need to reset the account as part of the upgrade process.)
   
   
3. Log in as the named account, and run Internet Explorer: (This may be optional depending on how your proxy was set up)
   1. In Internet Explorer, navigate to Tools > Internet Options.
   2. In the Internet Options dialog, select the Connections tab.
   3. Click LAN settings.
   4. In the Local Area Network (LAN) Settings dialog:
      • Leave the default selected setting for the Automatically detect settings check box.
      • Ensure that the Use automatic configuration script check box is cleared (this option is not supported for inventory beacon communications).
      • In the Proxy server section, select the Use a proxy server for your LAN check box.
      • Click Advanced, and complete the further required details in the Proxy Settings dialog.
   5. Click OK enough times to close all the dialogs.
   
   These settings in Internet Explorer are used for communications to the batch server endpoint.
   
   
4. Only if FlexNet Beacon stalls while checking certificates on HTTPS transmissions, you may wish to add [Registry]\Common\CheckCertificateRevocation and set it to false.
   
   When transferring data between an inventory beacon and the application server using the HTTPS protocol, a web server certificate is applied to the data being transferred. When receiving web server certificates from servers, the appropriate agent checks the CA (certification authority) server to ensure that the certificates are not on the CRL (certificate revocation list). If an agent cannot check the CRL (for example, the CA server is firewalled and cannot be contacted, or a proxy server prevents access), the system can stall. To avoid this stalling, you can add the Common\CheckCertificateRevocation preference and set it to False to prevents the CRL check.
   
   NOTE: From a security perspective, it is not good practice to disable the CRL check, since this means you can no longer tell when a certificate has been revoked (which happens after the authority recognizes that a server should no longer be trusted, or when a private key is believed to be compromised). It is far preferable that you instead resolve the issues that are preventing access to the CA server for the CRL check.
   
   
5. Configure the following to run under your chosen named account:
   • FlexNet Beacon Engine service
   • Upload third party inventory data scheduled task
   • Upload Flexera logs and inventories scheduled task.
     
     
6. Restart the FlexNet Beacon Engine service.
   
   
7. In the web interface for FlexNet Manager Suite, navigate to Discovery & Inventory > Settings, and in the Beacon settings section, ensure that the Beacon version approved for use control is not showing Always use the latest version (currently release-number).
   
   An automatic upgrade that happens as soon as a new version of the inventory beacon is available would result in the named account used for the service and scheduled tasks described above being removed in an uncontrolled manner. When you do decide to allow an upgrade to inventory beacons, check the service and tasks noted above and restore their configurations to run using the named account.

When both the proxy server and the inventory beacon have been configured as described above, communications between FlexNet Beacon and the central application server operate as normal, allowing for downloads of rules and update packages for installed FlexNet inventory agents, and uploads of gathered inventory files.

Related Documents

This information is partially replicated from the online help for FlexNet Manager Suite. The online help is available both in FNMS and the Documentation Center.  Note that the online help is customized for either on-premises or cloud implementation so that each type shows only the information relevant to the appropriate audience. In both cases, the relevant topic is available at FlexNet Manager Suite Help > Inventory Beacons > Inventory Beacon Reference > Configuring for Proxy Servers.

Documentation Center: 
https://docs.flexera.com/

FNMS Cloud Online Help:
https://docs.flexera.com/fnms/EN/WebHelp/index.html#tasks/FIB-Proxies.html