Learn how to minimize service disruption during Forward Proxy Service port changes.
The Forward Proxy Service (FPS) enables on-premises Trend Micro products to securely connect to Trend Micro services. By default, FPS uses port 8080, but you can configure a custom port to meet your organization's network policies.
To minimize service disruption when changing the FPS port, Trend Micro recommends
a phased deployment strategy. This approach ensures that endpoints remain connected
to Trend Micro services throughout the transition.
By following this phased approach of deploying a new Service Gateway with Forward
Proxy Service on the target port before disabling the old one, you can change the
FPS port without causing major temporary endpoint disconnections. If redundancy is
required, keeping multiple Service Gateways active can prevent connectivity disruptions
in case of failures.
Procedure
- Deploy a secondary Service Gateway with the new port.
  - If you have only one Service Gateway (SG-A) on your network, deploy a second Service Gateway (SG-B). If multiple Service Gateways are already deployed, skip this step.
  - Refer to Deployment guides to install and register SG-B to the Service Gateway Management app.
  - Install the Forward Proxy Service on SG-B and configure it to use a new port (for example, 8081 instead of the default 8080).
  - Ensure the status of the Forward Proxy Service on SG-B is healthy.
- Ensure the proxy policy includes both Service Gateways.
  - After deploying SG-B with the Forward Proxy Service installed, confirm that both SG-A and SG-B are included in the Runtime Proxy policy. By default, the policy uses all available Service Gateways and it is recommended to keep this setting. This step only uses the selected Service Gateways to ensure the new Service Gateway (SG-B) has been included. For more information, see Configuring Runtime Proxy policies.
  - Upon the next policy synchronization, the endpoints will automatically receive the policy update and recognize both SG-A and SG-B as valid proxies. The expected policy update should now include the following:
    - SG-A:8080 (existing)
    - SG-B:8081 (new)
- Power off SG-A.
  - Once the endpoints are confirmed to be using SG-B:8081, power off SG-A instead of directly removing SG-A.
  - Confirm that the endpoints can connect to SG-B:8081 without issues.
  - If you experience persistent endpoint disconnects, you can power on SG-A for rapid mitigation.
- Decommission SG-A.
  - Ensure that all endpoints have successfully switched over to SG-B:8081.
  - If everything is functioning correctly, safely uninstall the Forward Proxy Service from SG-A or disconnect SG-A from the network as needed.
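
A connectivity gate that can be run from a test endpoint before powering off SG-A, as an added example (not Trend Micro code or tooling). It assumes FPS answers standard HTTP CONNECT requests; the hostnames and the target service are placeholders to replace with your own values, and only the ports come from this page.

```python
import socket

# Hypothetical hostnames; the ports are the ones used in the procedure above.
OLD_PROXY = ("sg-a.example.internal", 8080)
NEW_PROXY = ("sg-b.example.internal", 8081)
# Placeholder: replace with a Trend Micro service host:port your endpoints reach.
TARGET = "service.example.com:443"


def parse_connect_status(raw: bytes) -> int:
    """Return the HTTP status code of a proxy's CONNECT reply, or 0 if malformed."""
    parts = raw.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
    if len(parts) >= 2 and parts[0].startswith("HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return 0


def probe_proxy(host: str, port: int, target: str = TARGET,
                timeout: float = 5.0) -> dict:
    """Connect to the proxy over TCP and request a CONNECT tunnel to target."""
    result = {"proxy": f"{host}:{port}", "tcp": False, "status": 0}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["tcp"] = True
            request = f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n"
            s.sendall(request.encode("ascii"))
            result["status"] = parse_connect_status(s.recv(4096))
    except OSError:
        pass  # refused, unreachable or timed out: keep the failure values
    return result


def safe_to_power_off_old(new_result: dict) -> bool:
    """SG-A may be powered off only if the new proxy accepted the tunnel (2xx)."""
    return new_result["tcp"] and 200 <= new_result["status"] < 300


if __name__ == "__main__":
    old, new = probe_proxy(*OLD_PROXY), probe_proxy(*NEW_PROXY)
    for r in (old, new):
        print(r)
    print("power off SG-A:", "ok" if safe_to_power_off_old(new) else "HOLD")
```

A non-2xx status with `tcp` set to `True` means the port is open but the proxy refused the tunnel, which points at the proxy configuration rather than at the network path.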