
Proxy Configuration

If you use a proxy, certain interfaces and destinations must be excluded (bypassed) so that local management communications are not sent to the corporate proxy. This is especially important for SBE updates, which rely on IBM NDIS (Ethernet over USB) communications for management access to XCC service endpoints. Proxying these calls can cause timeouts or unexpected routing.

In addition to any proxy exclusions you already require, the IBM NDIS interface must always be excluded. The best way to accomplish this is to bypass the entire link-local subnet used by this interface (170.254.0.0/16 in CIDR format).
Note
Refer to the previous section: Configure XCC settings.




To do this, execute the following commands on each node:
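# Read the machine-level NO_PROXY value, if one is set
$currentValue = [Environment]::GetEnvironmentVariable("NO_PROXY","Machine")
# Append the IBM NDIS range to the existing exclusions
$NoProxy = @($currentValue, "170.254.0.0/16") -join ","
# With no existing value, use the range on its own (avoids a leading comma)
if ([System.String]::IsNullOrEmpty($currentValue)) {
    $NoProxy = "170.254.0.0/16"
}
# Write the result back at machine scope
[Environment]::SetEnvironmentVariable("NO_PROXY",$NoProxy,"Machine")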

IBM NDIS traffic cannot be proxied and should be excluded because requests destined for the link-local interface may be unintentionally redirected to a proxy that cannot route to 170.254.x.x, resulting in failures that look like “cannot reach management endpoint”, timeouts or oneCLI connectivity problems during SBE updates.

Configure proxy in both WinINET and WinHTTP

Windows has multiple proxy stacks. In enterprise environments, you may need to set both:
  • WinINET proxy: used by some user-mode applications and components

  • WinHTTP proxy: used by many system services and service-style networking components

Setting WinINET at the machine level helps ensure tools/components that rely on WinINET do not unexpectedly attempt direct internet access (or conversely, accidentally proxy local traffic). The bypass list ensures local names/IPs and the IBM NDIS link-local range are not sent to the proxy:
Set-WinInetProxy -ProxySettingsPerUser 0 `
    -ProxyServer http://xxxxproxy.xxx.com:9111 `
    -ProxyBypass "localhost;127.0.0.1;*.xxx.xxxx.com;xxxxx01;xxxxxxxq02;xxxhciq03;xxxxxx04;10.10.168.*;xxxxluster01;10.x.168.xx;10.10.168.33;170.254.*.*"
WinHTTP is commonly used by background services and “system context” communications. If WinHTTP is configured but the bypass list is missing IBM NDIS/local management endpoints, system-driven automation can fail even when interactive/user testing appears fine:
Set-WinHttpProxy -ProxyServer http://xxxxproxy.xxx.com:9111 `
    -BypassList "localhost;127.0.0.1;*.xxx.xxxx.com;xxxxx01;xxxxxxxq02;xxxhciq03;xxxxxx04;10.10.168.*;xxxxluster01;10.x.168.xx;10.10.168.33;170.254.*.*"

Confirm proxy and bypass are actually in effect

Verify the WinHTTP proxy configuration to confirm what system components will use. If netsh winhttp show proxy does not show the expected proxy and bypass list, automated workflows may be routed incorrectly:
Get-WinHttpProxy -Advanced
Get-WinHttpProxy -Default
netsh winhttp show proxy
Verify the environment variables used by the many CLI tools that honor HTTP_PROXY, HTTPS_PROXY and NO_PROXY. If NO_PROXY does not include 170.254.0.0/16 (170.254.*.*), traffic that must remain local can be proxied:
echo "https :" $env:https_proxy "http :" $env:http_proxy "bypasslist " $env:no_proxy
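
The checks above can be combined into one pass/fail script that looks for the IBM NDIS range in each store using that store's own notation (comma-separated CIDR in NO_PROXY, semicolon-separated wildcard in the WinHTTP bypass list). This is an added example, not part of the original page: the function names are hypothetical, and it assumes English-language netsh output.

```powershell
# Added example (not from the original page). Function names are hypothetical.
# Assumes English netsh output, where the bypass line reads "Bypass List : ...".
$Cidr     = '170.254.0.0/16'   # NO_PROXY notation, value taken from this page
$Wildcard = '170.254.*.*'      # WinINET/WinHTTP bypass notation, from this page

function Test-ListContains {
    param([string]$List, [string]$Separator, [string]$Entry)
    if ([string]::IsNullOrWhiteSpace($List)) { return $false }
    # Split on the literal separator and ignore whitespace around each entry
    $items = $List -split [regex]::Escape($Separator) | ForEach-Object { $_.Trim() }
    return @($items) -contains $Entry
}

function Get-WinHttpBypassList {
    # Returns '' when WinHTTP is set to direct access (no "Bypass List" line)
    $text = netsh winhttp show proxy | Out-String
    if ($text -match '(?m)^\s*Bypass List\s*:\s*(.*)$') { return $Matches[1].Trim() }
    return ''
}

function Get-NdisBypassStatus {
    $machine = [Environment]::GetEnvironmentVariable('NO_PROXY', 'Machine')
    [pscustomobject]@{
        # Value stored at machine scope, which new processes will inherit
        NoProxyMachine = Test-ListContains $machine ',' $Cidr
        # The current session keeps the environment it started with, so a
        # Machine-level change is not visible here until a new session is opened
        NoProxySession = Test-ListContains $env:NO_PROXY ',' $Cidr
        # What system services using WinHTTP will bypass
        WinHttpBypass  = Test-ListContains (Get-WinHttpBypassList) ';' $Wildcard
    }
}

$status = Get-NdisBypassStatus
$status | Format-List

# Fail with a non-zero exit code if any store lacks the bypass entry
$missing = $status.PSObject.Properties | Where-Object { -not $_.Value } | ForEach-Object Name
if ($missing) {
    Write-Error "Bypass entry missing in: $($missing -join ', ')"
    exit 1
}
```

If NoProxyMachine is True but NoProxySession is False, the value was set correctly and the shell simply predates the change; open a new session before running tools that read NO_PROXY.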


The Azure Local nodes are now ready to communicate with the Azure Arc control plane.