Take note of the following prerequisites before enabling the Allowed Domains feature:
- Deep Security Manager version 20.0.893+
- Deep Security Agent version 20.0.1.9400+
Follow these steps:
- Go to the Deep Security Manager installation folder and run the following dsm_c command to confirm the status of the Allowed Domains feature. The default value is false, which means the feature is not enabled.
dsm_c -action viewsetting -name settings.configuration.enableForwardProxyServiceAllowedDomains
- Run the following dsm_c command to confirm the current allowed domains. The default value is ".trendmicro.com:443,.trendmicro.co.jp:443".
dsm_c -action viewsetting -name settings.configuration.forwardProxyServiceAllowedDomains
- After confirming the current status, run the following dsm_c command to enable the feature.
dsm_c -action changesetting -name settings.configuration.enableForwardProxyServiceAllowedDomains -value "true"
After this feature is enabled, DSM sends a policy to the DSA instructing it to use the Service Gateway proxy only when the service it connects to is in the allowed domains. If the destination is a local relay (not a Trend Micro domain service), the DSA can therefore connect directly.
For troubleshooting, confirm that the DSA has received the policy change. Follow these steps:
- Go to the DSA installation folder and run the following command to check the policy it has currently received.
- For Linux
sendCommand --get GetConfiguration | grep -i forwardProxyServiceAllowedDomains
- For Windows
sendCommand --get GetConfiguration | findstr /I forwardProxyServiceAllowedDomains
From the output, the current configuration of the feature can be seen.
<AgentConfiguration forwardProxyServiceAllowedDomains='*.trendmicro.com:443,*.trendmicro.co.jp:443' enableForwardProxyServiceAllowedDomains='true'
- In the DSA's log (ds_agent.log), check the "[dsa.ProxyManager.Selector/5]" entries to see whether any proxies are used for the target service URL. Below is an example for the local relay service (port: 4122); it shows that 0 proxies are used to connect to it.
2024-01-31 14:21:08.341264 [+0800]: [dsa.ProxyManager.Selector/5] | Got 0 proxies by URL: https://10.209.72.229:4122/ | dsa/ProxyManager/Selector.lua:476:fetchProxies | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.342263 [+0800]: [dsa.ProxyManager.Selector/5] | GetProxiesByUrl() by URL: https://10.209.72.229:4122/ from component: relay | dsa/ProxyManager/Selector.lua:581:GetProxiesByUrl | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.361260 [+0800]: [dsa.ProxyManager.Selector/5] | Allow list: *.trendmicro.com:443,*.trendmicro.co.jp:443 | dsa/ProxyManager/Selector.lua:170:getAllowListFromConfig | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.361260 [+0800]: [dsa.ProxyManager.Selector/5] | Start filtering service gateway forward proxy | dsa/ProxyManager/Selector.lua:225:handler | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.361260 [+0800]: [dsa.ProxyManager.Selector/5] | url https://10.209.72.229:4122/ isn't in the service gateway forward proxy allow list | dsa/ProxyManager/Selector.lua:215:isSGProxyAvailable | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.362260 [+0800]: [dsa.ProxyManager.Selector/5] | Query type: ServiceGateway, proxy list count: 0 | dsa/ProxyManager/Selector.lua:454:fetchProxies | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.362260 [+0800]: [dsa.ProxyManager.Selector/5] | Query type: PAC, proxy list count: 0 | dsa/ProxyManager/Selector.lua:454:fetchProxies | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.362260 [+0800]: [dsa.ProxyManager.Selector/5] | Query type: Relay, proxy list count: 0 | dsa/ProxyManager/Selector.lua:454:fetchProxies | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.362260 [+0800]: [dsa.ProxyManager.Selector/5] | Query type: Configured, proxy list count: 0 | dsa/ProxyManager/Selector.lua:454:fetchProxies | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.363260 [+0800]: [dsa.ProxyManager.Selector/5] | Query type: OS, proxy list count: 0 | dsa/ProxyManager/Selector.lua:454:fetchProxies | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.363260 [+0800]: [dsa.ProxyManager.Selector/5] | Got 0 proxies by URL: https://10.209.72.229:4122/ | dsa/ProxyManager/Selector.lua:476:fetchProxies | 35A8:285C:dsa.Scheduler_0002
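To run the same check across a whole ds_agent.log rather than reading entries by eye, the following added example (not Trend Micro code) parses the Selector messages shown in the excerpt above and reports, per URL, whether it fell outside the allow list and how many proxies were selected. It assumes only the three message formats visible on this page; the function names are hypothetical.

```python
import re

TAG = "[dsa.ProxyManager.Selector/5]"
# Message formats exactly as they appear in the log excerpt on this page.
ALLOW_RE = re.compile(r"Allow list: (.+)")
OUTSIDE_RE = re.compile(r"url (\S+) isn't in the service gateway forward proxy allow list")
GOT_RE = re.compile(r"Got (\d+) proxies by URL: (\S+)")

# Three lines copied from the ds_agent.log excerpt above (local relay, port 4122).
SAMPLE_LOG = """\
2024-01-31 14:21:08.361260 [+0800]: [dsa.ProxyManager.Selector/5] | Allow list: *.trendmicro.com:443,*.trendmicro.co.jp:443 | dsa/ProxyManager/Selector.lua:170:getAllowListFromConfig | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.361260 [+0800]: [dsa.ProxyManager.Selector/5] | url https://10.209.72.229:4122/ isn't in the service gateway forward proxy allow list | dsa/ProxyManager/Selector.lua:215:isSGProxyAvailable | 35A8:285C:dsa.Scheduler_0002
2024-01-31 14:21:08.363260 [+0800]: [dsa.ProxyManager.Selector/5] | Got 0 proxies by URL: https://10.209.72.229:4122/ | dsa/ProxyManager/Selector.lua:476:fetchProxies | 35A8:285C:dsa.Scheduler_0002
"""

def summarize_selector(log_text):
    """Return (allow_list, {url: {"outside_allow_list": bool, "proxies": int or None}})."""
    allow_list, urls = [], {}
    for line in log_text.splitlines():
        if TAG not in line:
            continue
        fields = line.split(" | ")  # timestamp+tag | message | source location | thread
        if len(fields) < 2:
            continue
        msg = fields[1].strip()
        if m := ALLOW_RE.fullmatch(msg):
            allow_list = m.group(1).split(",")  # last allow list the agent logged
        elif m := OUTSIDE_RE.fullmatch(msg):
            urls.setdefault(m.group(1), {"outside_allow_list": False, "proxies": None})["outside_allow_list"] = True
        elif m := GOT_RE.fullmatch(msg):
            urls.setdefault(m.group(2), {"outside_allow_list": False, "proxies": None})["proxies"] = int(m.group(1))
    return allow_list, urls

def outside_allow_list_but_proxied(urls):
    """URLs logged as outside the allow list whose last lookup still returned a proxy
    (from any query type: ServiceGateway, PAC, Relay, Configured or OS)."""
    return sorted(u for u, s in urls.items() if s["outside_allow_list"] and s["proxies"])

if __name__ == "__main__":
    allow, urls = summarize_selector(SAMPLE_LOG)
    print("allow list:", allow)
    for url, state in urls.items():
        print(url, state)
    print("needs review:", outside_allow_list_but_proxied(urls))
```

An empty "needs review" list for the local relay URL matches the expected result described above: the relay is outside the allowed domains and is reached with 0 proxies.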