Reference Material | Configure Proxy for Specops Arbiter

The Specops Arbiter ​service connects to the Breached Password Protection Cloud API over the Internet. Organizations that have locked down their environment can enforce usage of a proxy server for outgoing traffic.

By default, the Arbiter service uses IE’s proxy settings for the service account (Network Service by default). One alternative to enabling proxy is to configure IE’s proxy settings for the service account.

​The default setting can be overridden by modifying registry on each computer where the Arbiter is installed. Another alternative is to specify the proxy in registry.

To override proxy in registry, configure the ProxyUrl string in registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\Specops Password Policy\Blacklist\Arbiter]

If ProxyUrl is set, it must be an http URL (https will not work).
If ProxyUrl is set, it will be used as proxy (and has preference if a IE proxy is configured).
If ProxyUrl is not set, IE proxy settings for network service will be used (and obviously, if not configured in IE, no proxy will be used).

ProxyUrl is read at Arbiter startup, so if changed, the Arbiter service must be restarted.


  • The Specops Password Policy Admin Tools does not have a corresponding registry override. IE proxy settings for the user’s account will be used (if not configured in IE, no proxy will be used).
  • SSL interception/inspection is not supported. Traffic to and should be excluded from any MITM SSL inspection on the proxy.