In certain environments where direct communication between endpoints and the internet is disallowed, Carbon Black Response sensors can be configured to communicate with the Response server via an explicit, unauthenticated web proxy. 

Note: due to proxy inconsistencies, this configuration method is not officially supported by Carbon Black, though we are using this configuration in many environments with minimal issues.

Step 1: Download your sensor package from the Red Canary Portal

Select Sensor Installer, then the icon for your desired platform

Step 2: Add your proxy information to the sensor bundle

Extract the sensor installer ZIP file you downloaded and open the sensorsettings.ini file in a text editor.

Append the following information to the bottom of the file:

Proxy=<IP>:<PORT>   OR   Proxy=<NAME>:<PORT> 

Step 3: Install the Response sensor 

Install the sensor as normal with the newly modified INI file. If you need to change this setting, simply deploy a package with a new directive and it will overwrite. 

Considerations

Endpoint Isolation

When using a proxy, sensor isolation can be set but cannot be removed from the server. This is a function of the network driver’s isolation logic. 

Sensor Upgrade Process

To maintain proxy settings through a sensor upgrade, these same steps to download, edit, and install a proxy-configured sensor must be followed again. If you trigger a sensor upgrade via the Carbon Black UI, the sensor will lose its proxy settings.

Appearance to Network Monitoring Tools

Network connections from any endpoint traversing the proxy to servers external to your network will appear with an IP of 0.0.0.0, rather than the actual server address. However, the targeted domain name remains accurate.

Did this answer your question?