Configuring TCP-UDP Proxy Servers

The TCP/UDP Proxy Servers table lets you configure up to 10 TCP/UDP proxy servers. This table allows you to configure the device as a proxy for other applications that are not based on HTTP. For example, it can be used to intermediate between clients and a DNS server for DNS lookup, or between clients and an NTP server for clock synchronization.

As the 'Bind To Device' feature (see Configuring HTTP Proxy Servers) is not available for TCP/UDP servers, if you are experiencing issues with routing relating to TCP/UDP servers, you should add static routes (see Configuring Static IP Routes) for these upstream servers.

The following procedure describes how to configure a TCP/UDP Proxy Server through the Web interface. You can also configure it through the ini file [TcpUdpServer] or the CLI (configure network > http-proxy > tcp-udp-server).

To configure a TCP/UDP Proxy Server:
1. Enable the HTTP Proxy application, as described in Enabling the HTTP Proxy Application.
2. Open the TCP/UDP Proxy Servers table (Setup menu > IP Network tab > HTTP Proxy folder > TCP/UDP Proxy Servers).
3. Click New; a dialog box appears.

4. Configure a TCP/UDP Proxy Server according to the parameters described in the table below.
5. Click Apply, and then save your settings to flash memory.

TCP/UDP Proxy Servers Table Parameter Descriptions

Parameter

Description

General  

'Index'

[Index]

Defines an index number for the new table row.

Note:

Each row must be configured with a unique index.
The parameter is mandatory.

'Name'

name

[Name]

Defines a descriptive name, which is used when associating the row in other tables.

The valid value is a string of up to 40 characters. By default, no value is defined.

Note:

Configure each row with a unique name.
The parameter is mandatory.

'Additional Directive Set'

directive-set

[AdditionalDirectiveSet]

Assigns an NGINX Directive Set for the HTTP service. To configure HTTP Directive Sets, see Configuring HTTP Directive Sets.

Listen Parameters

'Listening Interface'

listen-interface

[ListeningInterface]

Assigns a local IP network interface for the listening (source) interface for communication with the TCP-UDP proxy server. To configure IP Interfaces, see Configuring IP Network Interfaces.

By default, no value is defined.

Note:

The parameter is mandatory.
The NGINX directive for this parameter is "listen ip".

'TCP Listening Port'

tcp-port

[TCPListeningPort]

Defines the TCP port of the listening interface.

Note:

You must configure a TCP and/or UDP port.
The NGINX directive for this parameter is "listen ip:port".
The source ports used for outgoing TCP connections are not configurable and are dynamically determined by the device in the range of 32,768-61,000.

'UDP Listening Port'

udp-port

[UDPListeningPort]

Defines the UDP port of the listening interface.

Note:

You must configure a TCP and/or UDP port.
The NGINX directive for this parameter is "listen ip:port udp".

'Listen Side SSL'

listen-use-ssl

[ListenUseSSL]

Enables TLS on the listening side (i.e., listening to incoming connection requests).

[0] Disable (default)
[1] Enable

Note: The NGINX directive for this parameter is "listen ip:port ssl".

'Listen TLS Context'

listen-tls-context

[ListenTLSContext]

Assigns a TLS Context (TLS certificate) for the listening side. This is required if you have configured the 'Listen Side SSL' parameter to Enable (see above). To configure TLS Contexts, see Configuring TLS Certificate Contexts.

Note: The NGINX directives for this parameter are "ssl_certificate", "ssl_certificate_key", "ssl_ciphers", "ssl_protocols", and "ssl_password_file".

Upstream Parameters

'Upstream Group'

upstream-group

[UpstreamGroup]

Assigns a group of servers (Upstream Group) to which to forward connection requests. To configure Upstream Groups, see Configuring Upstream Groups.

Note:

Only Upstream Groups with TCP/UDP interfaces can be assigned.
The NGINX directive for this parameter is "proxy_pass upstream".

'Outbound Interface'

outbound-interface

[OutboundInterface]

Assigns a local, IP network interface for communicating with the Upstream Group. To configure IP network interfaces, see Configuring IP Network Interfaces.

By default, no value is defined.

Note:

The parameter is mandatory.
The NGINX directive for this parameter is "proxy_bind".

'Upstream Side SSL'

upstream-use-ssl

[UpstreamUseSSL]

Enables TLS for securing connection requests with the Upstream Group.

[0] Disable (default)
[1] Enable

Note:

If configured to Enable, you must assign a TLS Context (see the 'Upstream TLS Context' parameter below).
The NGINX directive for this parameter is "proxy_ssl on".

'Upstream TLS Context'

upstream-tls-context

[UpstreamTLSContext]

Assigns a TLS Context for the TLS connection with the HTTP location. To configure TLS Contexts, see Configuring TLS Certificate Contexts.

Note:

The parameter is applicable only if the 'Upstream Side SSL' parameter is configured to Enable (see above).
The NGINX directives for this parameter are "proxy_ssl_certificate", "proxy_ssl_certificate_key", "proxy_ssl_ciphers", "proxy_ssl_protocols", and "proxy_ssl_password_file".

'Upstream Verify Certificate'

upstream-verify-cert

[UpstreamVerifyCertificate]

Enables TLS certificate verification of the Upstream Host on outgoing connection requests to the Upstream Group, when the connection is TLS.

[0] No = (Default) No certificate verification is done.
[1] Yes = The device verifies the certificate received from the host. The device authenticates the certificate against the trusted root certificate store associated with the assigned TLS Context (see the 'Upstream TLS Context' parameter above) and, if verification succeeds, allows communication with the host. If authentication fails, the device denies communication (i.e., the handshake fails). The device can also authenticate the certificate by querying an Online Certificate Status Protocol (OCSP) server to check whether the certificate has been revoked. This is also configured for the associated TLS Context.

Note:

The parameter is applicable only if the 'Upstream Side SSL' parameter is configured to Enable (see above).
The NGINX directive for this parameter is "proxy_ssl_verify".
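
The dependencies between these parameters (mandatory fields, "TCP and/or UDP port", TLS Context required when SSL is enabled, and the default of no upstream certificate verification) can be checked before a configuration is applied. The following is an added example, not code from the device or its vendor: it assumes each table row has been exported into a Python dict keyed by the ini parameter names above, and the sample rows are constructed.

```python
# Added example: audits TCP/UDP Proxy Servers rows against the rules stated in
# the parameter descriptions. The dict-per-row layout is an assumption.
MANDATORY = ("Index", "Name", "ListeningInterface", "OutboundInterface")

def audit_row(row):
    """Return the list of findings for one table row (empty = none)."""
    findings = [f"{k}: mandatory parameter is not set"
                for k in MANDATORY if row.get(k) in (None, "")]
    if len(str(row.get("Name", ""))) > 40:
        findings.append("Name: longer than 40 characters")
    if not row.get("TCPListeningPort") and not row.get("UDPListeningPort"):
        findings.append("no TCP or UDP listening port configured")
    if row.get("ListenUseSSL", 0) == 1 and not row.get("ListenTLSContext"):
        findings.append("ListenUseSSL=1 but no ListenTLSContext assigned")
    if row.get("UpstreamUseSSL", 0) == 1:
        if not row.get("UpstreamTLSContext"):
            findings.append("UpstreamUseSSL=1 but no UpstreamTLSContext assigned")
        if row.get("UpstreamVerifyCertificate", 0) == 0:
            # Default [0] No: the upstream certificate is not verified.
            findings.append("UpstreamUseSSL=1 but UpstreamVerifyCertificate=0")
    return findings

def audit_table(rows):
    """Audit every row; also check the 10-row limit and unique Index/Name."""
    report = {"table": ["more than 10 rows configured"]} if len(rows) > 10 else {}
    seen = {"Index": set(), "Name": set()}
    for pos, row in enumerate(rows):
        findings = audit_row(row)
        for key in ("Index", "Name"):
            value = row.get(key)
            if value is not None and value in seen[key]:
                findings.append(f"{key}: duplicate value {value!r}")
            seen[key].add(value)
        if findings:
            report[pos] = findings
    return report

# Constructed sample rows (interface, group and context names are illustrative).
SAMPLE_ROWS = [
    {"Index": 0, "Name": "dns-proxy", "ListeningInterface": "LAN",
     "UDPListeningPort": 53, "UpstreamGroup": "dns-servers",
     "OutboundInterface": "WAN"},
    {"Index": 1, "Name": "tls-relay", "ListeningInterface": "LAN",
     "TCPListeningPort": 8443, "ListenUseSSL": 1,
     "UpstreamGroup": "app-servers", "OutboundInterface": "WAN",
     "UpstreamUseSSL": 1, "UpstreamTLSContext": "upstream-ctx"},
]

if __name__ == "__main__":
    print(audit_table(SAMPLE_ROWS))
```

The second sample row is flagged twice: TLS is enabled on the listening side without a TLS Context, and TLS toward the Upstream Group is enabled while certificate verification is left at its default of No.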