CAS 5.2.6 http(s) web proxy for MFA

[JC]

Hello,

We are running CAS 5.2.6 using the embedded tomcat container on private IPs behind an application load balancer for public access. This is all in the cloud with VPN access back to campus. The only internet access is via a squid web proxy. 

My problem is that CAS uses the httpclient library, which does not seem to use the system proxy settings, and I get an "org.apache.http.conn.ConnectTimeoutException" in the logs. Is there a way to set a proxy address and port so the MFA (currently duo) can access the API URL? I have tried setting JAVA_OPTS="-Dhttp.proxyHost=http://proxy.example.com -Dhttp.proxyPort=3128 -Dhttps.proxyHost=http://proxy.example.com -Dhttps.proxyPort=3128", but that does not work. I found some settings for cas.httpclient.XXX in the documentation, but could not find anything about web proxy settings. 

Can CAS be set up to use a web proxy (and if so, how), or do we need to move the servers to public IPs? We may be able to set up a NAT gateway to allow traffic out, but because of the VPN, routing gets complicated.

Any help would be appreciated. Thanks

James