Considerations For NXRM 3 Inside Air-Gapped, Restricted, Firewalled, and DMZ Networks


Running Nexus Repository Manager 3 (NXRM3) successfully inside an air-gapped network is possible. This article offers considerations for administrators when direct external network access is not available.

Configure an HTTP Proxy Server

All outbound connections originating from NXRM can be configured to use an HTTP proxy server. The HTTP proxy server can act as a gate to other networks.

Learn how to configure a global HTTP proxy server.

Features That May Trigger Outbound Requests

You should disable any features that require external network access to function if you intend or expect that access to be blocked. Some of these features are enabled by default.

Disabling these features prevents verbose WARN and ERROR messages in the nexus.log and can reduce overhead inside the application.

Disable Creating Default Repositories

By default, NXRM3 includes a set of proxy repositories that are allowed to make outbound requests if queried.

Disable creating default repositories on first start of a new install:

  1. Before NXRM is started for the first time, create a $data-dir/etc/ directory and a file inside that directory.
  2. Edit the file you created and add this line:
  3. On first startup, the default set of repositories will not be created.

Disable Proxy Repositories Outbound Connections

You may have proxy repositories that you cannot remove because they contain cached content you still want served to inbound requests. At the same time, you need to block any outbound requests from these proxy repositories.

Prevent a proxy repository from sending any outbound requests:

  1. Under the Repositories page, select a repository of type "proxy".
  2. Under the Settings tab, in the Proxy section, find the field labeled Blocked. Check the box next to Block outbound connections on the repository.
  3. Scroll to the bottom of the Settings page and click Save to save your changes.
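
To confirm that no proxy repository was missed, the Blocked setting can be audited from an export of the repository settings. The following is an added example, not Sonatype's code: it assumes the JSON comes from GET /service/rest/v1/repositorySettings and that the UI checkbox appears there as httpClient.blocked. The sample data and repository names are constructed.

```python
import json

# Constructed sample shaped like a repository-settings listing (assumption:
# GET /service/rest/v1/repositorySettings on the NXRM3 version in use).
SAMPLE_SETTINGS = json.loads("""
[
  {"name": "maven-central", "format": "maven2", "type": "proxy", "online": true,
   "proxy": {"remoteUrl": "https://repo.example.invalid/maven2/"},
   "httpClient": {"blocked": false, "autoBlock": true}},
  {"name": "npm-cache", "format": "npm", "type": "proxy", "online": true,
   "proxy": {"remoteUrl": "https://registry.example.invalid/"},
   "httpClient": {"blocked": true, "autoBlock": false}},
  {"name": "legacy-proxy", "format": "raw", "type": "proxy", "online": true,
   "proxy": {"remoteUrl": "https://files.example.invalid/"}},
  {"name": "releases", "format": "maven2", "type": "hosted", "online": true},
  {"name": "public", "format": "maven2", "type": "group", "online": true}
]
""")


def audit_outbound(settings):
    """Return findings for proxy repositories that may still dial out."""
    findings = []
    for repo in settings:
        if repo.get("type") != "proxy":
            continue  # hosted and group repositories have no remote of their own
        http_client = repo.get("httpClient")
        remote = repo.get("proxy", {}).get("remoteUrl", "<unknown>")
        if http_client is None or "blocked" not in http_client:
            # Fail closed: a missing field is reported, not assumed safe.
            findings.append((repo["name"], remote, "blocked state unknown"))
        elif http_client["blocked"] is not True:
            findings.append((repo["name"], remote, "outbound not blocked"))
    return sorted(findings)


if __name__ == "__main__":
    for name, remote, reason in audit_outbound(SAMPLE_SETTINGS):
        print(f"{name}: {reason} (remote {remote})")
```

An empty result means every proxy repository in the export has Block outbound connections checked.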

Disable Welcome Content (aka Outreach)

The content displayed on the Welcome view in the UI is retrieved periodically from Sonatype-hosted servers. This content is informational but not critical to the primary features of the repository manager.

To disable Welcome content from being retrieved from Sonatype servers:

  1. Sign in to the Administration UI and navigate to System -> Capabilities.
  2. Select the Outreach: Management capability.
  3. Click the Disable button at the top of the page to disable the feature.

Disable Repository Health Check (RHC)

Repository Health Check (RHC) requires access to either (OSS) or (Pro) in order to provide value. If the feature is enabled in an air-gapped network, it will create a lot of log noise and not provide value. It should not be enabled.

If your NXRM instance has no repositories of type "proxy", then RHC is not in use.


How to disable Repository Health Check:

  1. Sign in to the Administration UI and navigate to System -> Capabilities.
  2. If the Health Check: Configuration capability is present in the list of capabilities:
    1. Select it.
    2. Click the Disable button at the top of the page to disable the feature.
  3. If the Health Check: Configuration capability is NOT present in the list of capabilities:
    1. Click Create Capability. Choose Health Check: Configuration.
    2. Uncheck the Configure for all proxy repositories option. Leave Enable this capability checked.
    3. Click the Create capability button to save the capability.
    4. Back at the capability list, click the now present Health Check: Configuration capability.
    5. Click the Disable button at the top of the page to disable the feature.
  4. Navigate to Administration -> System -> Tasks.
  5. For each task in the tasks list that includes the name System - Repository health Check, select the task, then click the Delete Task button.

Disabling OSS Index Vulnerability Check (OSS Index)

When Nexus RM is running in OSS mode, it will try to connect to in order to fetch the components' vulnerability details.
While browsing the components, we may see the OSS Index vulnerability details as follows:


It can be disabled by adding the following property inside the "" file, followed by a Nexus restart.


