Hi,
I am currently attempting to resolve a couple of issues where workflows run correctly on Designer on our developer's Citrix desktops but do not run when they are published to our Private Gallery.
The crux of this issue seems to be the different proxy servers that are used in these two instances. The desktops use zScaler, the severs use Bluecoat.
It would appear that the Bluecoat proxies are refusing the requests because they are not authenticated.
What I need to know is whether there is actually a way to authenticate with the Bluecoat proxy when running a workflow which uses the Download tool on our server or if the URL would need to be added to a "Bypass Authentication" list.
I can see a number of other threads discussing proxy configuration but most of them simply say the proxy needs to be configured for the requests and are not clear if that configuration is simply whitelisting the URL (for the client IP/Mac) or, indeed, means having to add the URL to a "Bypass Authentication" list?
If I can get firm confirmation that the Download tool cannot be configured to provide authentication then we do have a route with our security team to get a URL added to a "Bypass Authentication" list provided that it passes certain other criteria. However I cannot even begin this process if I cannot prove that authentication is not possible.
I can also see a number of Ideas presented asking for various enhancements, mostly around NTLM, which I do not have the technical background to know if they apply to my case. Sadly I can see some of these marked as inactive because they have not received the required 10 likes, even though across all of the (duplicate?) ideas there are far more than 10 likes 😞
EDIT:
To assist others when searching the error that we get from the Workflow is as follows:
Where # is the id of the relevant Download tool.
Hello @Paul_Holden
I will start off by saying it's curious to me that your citrix instances and server are managed by proxies that aren't aligned or used different whitelists. I am not a network person. I have not worked with Bluecoat.
However, I have done with with Alteryx and Mulesoft (using mTLS) which seems to work similarly. It was a middle API layer between Alteryx and whatever we were querying. Essentially what happened in that environment is that we had to query mulesoft with a certificate and credentials, it sent back the authorization, then we hit Mulesoft with the query we actually wanted to make, which it then queried the platform and it sent info back to Mulesoft, which sent info back to us. This had to be done in Python because the download tool wouldn't work with the certificate we had to send.
If your process only requires credentials and it works from another proxy layer, it sounds to me like it just needs to be whitelisted. I would imagine someone within your organization should also be able to better answer this question.
I hope this helps.
Thanks @Treyson
"If your process only requires credentials"
As the Download tool is currently configured in the workflow it only works on Alteryx Server if the URL is both whitelisted and added to a ByPass Authentication list on the proxy.
"and it works from another proxy layer"
Because we have a different proxy setup for desktop (and no, I don't know either and I'm not really in a position to query that) I cannot use the fact that it works in Designer to say much about the server situation (for all I know the desktop proxy never uses Auth or maybe Auth is established at some other lever e.g. for the Citrix session?).
So what would help at this point is some confirmation that it is not possible to provide authentication to the proxy via the Download tool or if we need to use some other work around e.g. calling script to perform an authenticated request. I don't know about R but I do know how to make an authenticated request via PowerShell so I understand the principal. I'd just like to avoid such things if it's a matter of better understanding the Download tool.
User | Count |
---|---|
19 | |
14 | |
13 | |
9 | |
8 |