Customer Edge Registration and Upgrades Proxy Options Reference

Published April 5, 2023 | Last modified May 1, 2026

Objective

This guide lists the different proxy options for CE registration and upgrades that enterprises can use with the new Secure Mesh Site v2. It also shows example configurations.

Prerequisite

See the F5 Customer Edge IP Address and Domain Reference for Firewall or Proxy Settings reference guide for the list of IP addresses and domain names that you must allowlist in your environment.

Option 1: Using a Single F5 IP Address Endpoint

Using this option, you can use the F5 single anycast IP address endpoint as a proxy for CE registration and upgrades hosted on the F5 Distributed Cloud Global Network.

As part of Secure Mesh Site v2 deployment workflow, you generate a JWT-based node token that encodes this IP address endpoint. You can find the registration endpoint information by entering the generated site token into any JWT decoder, like jwt.io.

Option 2: Using a Custom Forward Proxy

When using a custom proxy, you must provide the custom proxy with the information during the creation of a Secure Mesh Site v2. You need to provide the proxy IP address and port along with the user ID and password, if your proxy requires authentication.

Refer to Step 8.6 in the Secure Mesh Site v2 deployment guide.

Figure: Custom Enterprise Proxy Configuration

Once this configuration is saved, the proxy details are encoded in a JWT token, which is used to create the CE Site similar to Option 1 above.

Your custom proxy must allowlist the domains listed in the Egress Domain Rules section for CE registration to succeed.

Below is an example of how to configure Squid as a custom proxy:

cat /etc/squid/conf.d/f5xc.conf 
#
# F5XC proxy
#
cache_peer 159.60.141.140 parent 443 0 no-query
acl f5xc_domains dstdomain "/etc/squid/f5xcdomains.txt"
cache_peer_access 159.60.141.140 allow f5xc_domains
never_direct allow f5xc_domains

Copied!