Setting up Policy Manager as proxy node

Setting up Policy Manager as proxy node - F-Secure Community

The following steps describe Policy Manager Proxy node installation for both Windows and Linux.

Install Policy Manager Server to act as a Proxy node, using the standard Policy Manager installer.
Stop the Policy Manager service.
1. Windows:
```
[net stop fsms]
```
2. Linux:
```
[/etc/init.d/fspms stop]
```
Fetch admin.pub from Master Policy Manager. You can either:
1. Download it from Master Policy Manager using your browser (
```
https://<policy manager server IP/host name>:<https port number>
```
  ). For example: https://127.0.0.1:443, https://policymanagerhost:443.
2. Export it from the Policy Manager Console.
3. Retrieve it from host if Policy Manager Proxy host is already running Server Security or Linux Security and is connected to the Master Policy Manager.
Go to the Policy Manager Server (proxy node) data folder, and place or replace (if any) the existing admin.pub file with the downloaded admin.pub file retrieved from the Master Policy Manager.
1. Windows:
```
C:\Program Files (x86)\F-Secure\Management Server 5\data\admin.pub
```
2. Linux:
```
/var/opt/f-secure/fspms/data/admin.pub
```
Edit additional_java_args in registry or conf file adding the following properties:
1. ```
-DupstreamPmHost=<master PM address>
```
  Example: -DupstreamPmHost=10.1.1.1
2. ```
-DupstreamPmPort=<usually 443>
```
  Example: -DupstreamPmPort=443
3. ```
-DadminPubLocation="<path to admin.pub location from previous step, including the name of the file>"
```
  Note: Path to admin.pub for Linux is written in single quote.
  Example:
  - -DadminPubLocation="C:\Program Files (x86)\F-Secure\Management Server 5\data\admin.pub" (Windows)
  - -DadminPubLocation='/var/opt/f-secure/fspms/data/admin.pub' (Linux)
4. ```
-Djetty.startServerAsPrivileged=true
```
  (Additional step for Policy Manager for Linux 12.30 and 12.31 only.)
Note: For Windows, edit String registry key "
```
HKEY_LOCAL_MACHINE\SOFTWARE(Wow6432Node)\Data Fellows\F-Secure\Management Server 5\additional_java_args
```
", and specify the above Java system properties using space as a delimiter. Property names and values are case sensitive.
Note: For Linux, use config file
```
/etc/opt/f-secure/fspms/fspms.conf
```
instead of registry. Edit line with parameter additional_java_args and specify the above Java system properties in its value in quotes using space as a delimiter. Property names and values are case sensitive.
Use fspmp-enroll-tls-certificate script to generate proxy node certificate. Run the script and authenticate yourself as root administrator of the Master Policy Manager:
1. Windows: Script location is
```
<F-Secure installation folder>/Management Server 5/bin/fspmp-enroll-tls-certificate.bat
```
2. Linux: Script location is
```
/opt/f-secure/fspms/bin/fspmp-enroll-tls-certificate
```
Start Policy Manager service.
1. Windows:
```
[net start fsms]
```
2. Linux:
```
[/etc/init.d/fspms start]
```

You can now configure endpoints to use proxy by specifying proxy node in priority order in Policy Manager Proxy table.

Note: Policy Manager Proxy table editor does not allow to modify HTTPs port, this it is always set to 443.