Wazuh proxy server
12 views
Skip to first unread message
Emar Flix
Apr 8, 2026, 3:11:10 PM (yesterday) Apr 8
to Wazuh | Mailing List
Hello,
I have some agents on different network location and they don't have direct access to my wazuh managers. I want to know if I can build a proxy server for wazuh on their network which has two network interface (one interface see their nwtwork and other interface see our network) and use it as a proxy server?
thanks.
I have some agents on different network location and they don't have direct access to my wazuh managers. I want to know if I can build a proxy server for wazuh on their network which has two network interface (one interface see their nwtwork and other interface see our network) and use it as a proxy server?
thanks.
J. Rome
Apr 8, 2026, 4:50:30 PM (yesterday) Apr 8
to Wazuh | Mailing List
Hello,
Yes, that setup is possible.
What you would need is a TCP forwarding proxy or load balancer, not a regular HTTP proxy. Wazuh agents communicate with the manager over secure TCP, so a dual-homed server with one interface in the agents' network and the other in the network that can reach the Wazuh manager is a valid design.
The usual ports involved are:
- 1514/TCP for agent-manager communication
- 1515/TCP for agent enrollment
- 55000/TCP only if you are using API-based enrollment
For a single manager, simple TCP forwarding is usually enough. For clustered deployments, Wazuh documents using NGINX or HAProxy in front of the managers and having agents connect to that address.
One thing to keep in mind is source IP handling during enrollment. If you rely on source-IP validation, NAT or proxying can affect that behavior, so review the `use_source_ip` setting on the manager side.
Relevant documentation:
https://documentation.wazuh.com/current/cloud-service/your-environment/agents-without-internet.html
https://documentation.wazuh.com/current/getting-started/architecture.html
https://documentation.wazuh.com/current/user-manual/manager/wazuh-manager.html
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/agent-connections.html
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/load-balancers.html
Best regards
Yes, that setup is possible.
What you would need is a TCP forwarding proxy or load balancer, not a regular HTTP proxy. Wazuh agents communicate with the manager over secure TCP, so a dual-homed server with one interface in the agents' network and the other in the network that can reach the Wazuh manager is a valid design.
The usual ports involved are:
- 1514/TCP for agent-manager communication
- 1515/TCP for agent enrollment
- 55000/TCP only if you are using API-based enrollment
For a single manager, simple TCP forwarding is usually enough. For clustered deployments, Wazuh documents using NGINX or HAProxy in front of the managers and having agents connect to that address.
One thing to keep in mind is source IP handling during enrollment. If you rely on source-IP validation, NAT or proxying can affect that behavior, so review the `use_source_ip` setting on the manager side.
Relevant documentation:
https://documentation.wazuh.com/current/cloud-service/your-environment/agents-without-internet.html
https://documentation.wazuh.com/current/getting-started/architecture.html
https://documentation.wazuh.com/current/user-manual/manager/wazuh-manager.html
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/agent-connections.html
https://documentation.wazuh.com/current/user-manual/wazuh-server-cluster/load-balancers.html
Best regards
Reply all
Reply to author
Forward
0 new messages