Proxies are widely used, but are not supported by the Windows app. They prevent the Windows app from connecting to the Cloud FastPath resources it needs to function. Some of the errors that may be proxy related are:
- Peer connection lost
- SSL: CERTIFICATE_VERIFY_FAILED
Below is the explanation for why the Windows app cannot function in a proxy environment.
Cloud FastPath uses secure, high-performance WAN optimization and messaging technology to extract content from on-premises sources in the most efficient way possible. This technology is incompatible with HTTPS proxies. There are two separate communications paths that this affects.
The CFP Windows App establishes a secure orchestration messaging connection to the CFP service that provides for real-time control and telemetry for data migration jobs. This real time orchestration connection by default is made via outbound port 443, and is secured by TLS. However, it is a streaming protocol that is not HTTP based, which means that intercepting proxies can not interpret it. Additionally, TLS certificates are bundled with the application and any man-in-the-middle interception will be detected and the connection rejected.
When a data migration job starts, the Windows App will establish one or more direct streaming connections to a peer Point of Presence to facilitate optimized data transfer to the ultimate destination. All files transferred are multiplexed across these connections using Tervela’s proprietary streaming protocol. These connections are also made by default on outbound port 443, and are TLS protected. Like the messaging connection, the protocol is streaming, not HTTP-based, and thus can not be intercepted by a proxy. Additionally, these secure data connections are secured by ephemeral TLS certificates that are generated by the CFP service and sent to the Windows App in real time when the job is started. These certificates are used to ensure that only the intended Points of Presence can be used for the data migration, and prevent man-in-the-middle attacks.
In both of these cases, the default outbound port can be changed from port 443 if necessary. For more details, please see the Cloud FastPath Security Whitepaper.