How to make ACC use a proxy for all trafficNote: ACC-F is not fully certified for running with proxies as of March 2025, verification and testing is currently in progress with full proxy support targeted in a future ACC-F release. For most customers, a proxy for Agent Client Collector is not needed: network traffic from ACC agents is routed through a MID server. MID server proxy configuration is detailed in KB0744474. If you are using ACC for DEX or ACC-V without a MID server, sometimes you may need to configure ACC to proxy HTTP(S) traffic to an internal proxy server sits between the ACC agent and the ServiceNow cloud accessible over the public internet. This is done by setting environment variables. Before starting... Sometimes, even within a single corporate network, different proxies, VPNs, firewalls, and network restrictions can apply. It's important to check with your internal network teams to verify correct configurations across every endpoint and server where you will be deploying ACC. Below are some key questions to ask your network team before ACC deployment: What network ports and protocols need to be allowed for the ServiceNow Agent Client Collector to communicate with ServiceNow’s cloud services across all endpoints and servers, and are there any firewall or proxy configurations required? ServiceNow ACC, when used with DEX, establishes a mTLS connection on port 443 to endpoints on the service-now.com domain over the public internet.Are there any network-based security tools (e.g., IDS/IPS, proxy servers, SSL interception, or NAC solutions) that could potentially block or interfere with the ACC's connectivity, and how can we allow list it? ACC uses mTLS and will need additional network configuration changes if SSL interception enabled on a corporate network.What are the best practices for configuring network routing and DNS resolution to ensure the ACC can reliably connect to ServiceNow’s cloud, even in the event of failover scenarios? Test for basic connectivity It's a good idea to run some basic diagnostics from an endpoint to verify network configuration before changing ACC configuration. Windows (PowerShell) We have attached to this KB a diagnostic Powershell that will check for basic connectivity, print any existing proxy configuration, and output network configuration. .\servicenow-net-check.ps1 Unix (Linux/macOS) # See if DNS resolution succeeds nslookup itomcnc-prod-gateway-amer.sncapps.service-now.com # See if you can ping ITOM cloud services ping -c 5 itomcnc-prod-gateway-amer.sncapps.service-now.com # See if you can establish a TCP connection nc -zv itomcnc-prod-gateway-amer.sncapps.service-now.com 443 # See if you can make a HTTP request to the ServiceNow install server curl -i https://install.service-now.com/ Supported ACC proxy environment variables Below are environment variables that are respected by ACC. As all network traffic from ACC goes through HTTPS, use the HTTPS_PROXY environment variable. Environment variableDescriptionExampleHTTPS_PROXYHTTPS proxy (host:port) accessible from the ACC agent. (required)intproxy0.your-corp.com:8080NO_PROXYUnlikely you will need this if using a proxy with ACC. Comma-separated list of hosts to not proxy (optional)localhost Testing a mTLS request to ITOM Cloud Services with your internal proxy Note the above is tested on cURL 8.12+, older versions have known issues with mTLS. openssl is also used to retrieve the server certificate for the test cURL commands. Replace intproxy0.your-corp.com and the port number (8080) with your internal proxy and port configuration. The following cURL command tests connectivity via a proxy server with mTLS used by ITOM Cloud Services. You'll need the following files from your local endpoint: cacert.pem - Certificate Authority certificate file used to validate the server identity (downloaded from ServiceNow) cnc_chain.crt - client certificate file to present to the server for mutual TLS authentication (located in the agent-client-collector/cert/cnc folder on the endpoint).priv_key.pem - private key associated with the client certificate (located in the agent-client-collector/cert/cnc folder on the endpoint). Download the ServiceNow server certificate file on macOS / Linux with openssl openssl s_client -showcerts -connect itomcnc-prod-gateway-amer.sncapps.service-now.com:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cacert.pem Download ServiceNow server certificate on Windows with openssl openssl s_client -showcerts -connect itomcnc-prod-gateway-amer.sncapps.service-now.com:443 <NUL | findstr /B /C:"-----BEGIN CERTIFICATE-----" /C:"-----END CERTIFICATE-----" > cacert.pem Attempt to fetch assets via a proxy with mTLS # Will attempt to fetch an asset used by ACC-V using a proxy. The file is not saved. # Remember, replace intproxy0.your-corp.com:8080 with your internal host and port. curl -v --proxy intproxy0.your-corp.com:8080 --cacert cacert.pem --cert cnc_chain.crt --key priv_key.pem --request GET --output NUL https://itomcnc-prod-gateway-amer.sncapps.service-now.com:443/content/v1/assets/afaa52edc32f7150f640f2ff050131c8/a4ef65d00adbab1659f460f8d4e311d8db65f519994f63d176951ce1e0297e08 Inspect the output of the cURL to see if the command succeeded via the proxy. To test without a proxy, remove the --proxy option in the command above. Proxy authentication If a proxy needs basic authentication, set the username and password in the environment variable itself: HTTPS_PROXY="http://username:password@intproxy0.your-corp.com:8080" Setting environment variables Setting environment variables will depend on how the agent is deployed to endpoints (GUI installer on Windows, one-line installer, custom scripts, custom image, etc). Always verify connectivity from a test endpoint before adjusting proxy settings or the agent will not be able to connect. Replace intproxy0.your-corp.com and the port number (8080) with your correct internal proxy and port configuration. Windows In Windows, setting the environment variables will depend on how your ACC agent is deployed. # Note: if using setx, make sure it's set for the user account running ACC setx HTTPS_PROXY "intproxy0.your-corp.com:8080" In a new terminal, verify the environment variable is set across sessions: echo %HTTPS_PROXY% Restart the agent after the change. macOS If using the default macOS installer, add the following line under the EnvironmentVariables section in the file /Library/LaunchDaemons/com.sn.acc.plist <key>HTTPS_PROXY</key><string>intproxy0.your-corp.com:8080</string> Restart the agent after the change. Linux If using the default Linux installer, edit the /etc/systemd/system/acc.service file to add an additional environment variable: Environment=HTTPS_PROXY=intproxy0.your-corp.com:8080 Restart the agent after the change. Troubleshooting Run the connectivity tests above and verify DNS and TCP connections can be make to service-now.com.Share the output of the above tests and acc.yml with ServiceNow support.Involve your network team early and verify correct setup and configuration for best practices to establish a successful connection to ServiceNow's cloud.