Skip to main content

Running Tests with Sauce IPSec Proxy Tunnels

Internet Protocol Security VPN (IPSec VPN) is a technology that connects two private networks securely over the public internet. If your company has firewall rules that limit your ability to run tests on Sauce Labs, you can use our IPSec Proxy feature to connect to Sauce Labs in the cloud without exposing your company's IT infrastructure to security risks.

Sauce IPSec Proxy is an enterprise-grade IPSec VPN solution that enables a secure connection between apps hosted on a customer's private network (or local machine) and Sauce Labs cloud virtual machines and real devices. Topics in this section include architecture, setup information, and troubleshooting tips.

What You'll Need#

Enterprise Plans Only

  • Sauce IPSec Proxy is an enterprise-only feature. Contact your Sauce Labs Sales Engineer or Customer Success Manager to learn more about how this solution can meet your business needs. We'll guide you through the tunnel setup and configuration process. Once you're up and running, you'll be able to connect to Sauce Labs virtual machines and real cloud devices.
  • If you're an organization admin, see Security Settings for information on configuring tunnel access for users.
  • You'll need authorization (if you don't have it already) to use your organization's Sauce IPSec Proxy tunnel. Contact your Sauce Labs account organization admin, who controls access.

Verifying Access#

To verify that you have access to your organization's Sauce IPSec Proxy tunnel, head to the Tunnels menu. If the tunnel name and details are displayed here, this means you have access.

High-Level Network Architecture#

The Sauce IPSec Proxy solution consists of a VPN connection and two IPSec tunnel gateways: one running on your network, and the other on Sauce Labs.

This connection allows secure communication between the gateways, which provide rules for DNS resolution, routing, and security.

Sauce IPSec Proxy Network Architecture

Bandwidth Recommendations#

General guidelines for Sauce IPSec Proxy tunnels described in the table below ensure that your tunnel can support your desired number of concurrent sessions.


We set up all Sauce IPSec Proxy customers with a redundant, High Availability (HA) tunnel pool with two tunnel gateways.

Number of Concurrent SessionsRecommended Number of IPSec TunnelsRecommended Total Bandwidth

Bandwidth recommendations for testing depend on the number of pages downloaded by each test, and the approximate size of each page. To estimate your requirements, we recommend running 25-40 concurrent sessions through a proxy while observing network usage patterns. You should have enough bandwidth to download a page in 3 to 5 seconds.

Multiple users can run different tests simultaneously through the same tunnel, as long as the number is within the threshold of your concurrency limits/allocations.


Tunnel Gateway Security Features#

The Sauce Labs infrastructure is configured so that our virtual machines and real devices running tests are fully, securely isolated from each other through traffic filtering. They are prohibited from cross-communicating. This means that a Sauce Labs VM and/or real device being accessed through your tunnel will send only traffic owned by your organization.

The only exception for this rule is tunnel gateway VMs. While VMs and devices are allowed to connect to the internet, Sauce Labs also offers a "lockdown" feature that locks traffic down to that particular user’s tunnels only.

Additionally, Sauce Labs only permits internal services necessary for allowlisting, such as monitoring services or firewall controllers, to communicate with VMs, real devices, and control plane services running on tunnel gateways. Each tunnel gateway VM is customized at the time of provisioning per your specifications and configured to direct all traffic via Sauce IPSec Proxy.

Tunnel gateway firewalls restrict access so that only your pre-authorized test VMs can connect. Authorized test VMs include:

  • Test VMs that run jobs started by the Sauce IPSec Proxy tunnel owner
  • Test VMs that run jobs started by accounts with which the tunnel is shared

Firewall Ports and Protocols#

The firewall allows the following ports and protocols through the Sauce IPSec Proxy connection:

Inbound from customer networkBGP (TCP/179)
Inbound and OutboundICMP
Outbound from SauceHTTP (TCP/80, TCP/8080), HTTPS (TCP/443, TCP/8443)
Outbound from SauceDNS (UDP/53, TCP/53, TCP/853)

To request additional ports and protocols to be opened, contact Sauce Labs Support.

Self-Signed Certificates#

The tunnel gateway acts as a man-in-the-middle proxy, re-encrypting all SSL connections with Sauce Labs certificate by default. If your tests don't require access to servers with self-signed certificates, we strongly recommend disabling SSL re-encryption.

SSL re-encryption can be disabled for all domains or selected domains with no-ssl-bump-domains.

WebSocket servers with self-signed certificates are not supported.

Testing with Sauce IPSec Proxy Tunnels#

The Sauce IPSec Proxy solution provides you with a static, secure connection, through which you can run live and automated tests on all Sauce Labs virtual machines and real devices.

Depending on the type of test you want to run, you may need to include certain capabilities in your test script. See below for use case examples.

Automated Testing#

To connect to Sauce Labs real and virtual devices, assign your Sauce IPSec Proxy tunnel to the appropriate Data Center Endpoint in your test automation script.

Appium and Selenium#

  • Set the tunnelName desired capability to the name of your organization's Sauce IPSec Proxy tunnel
  • Set the tunnelOwner capability to the username of your organization admin
Java example
MutableCapabilities caps = new MutableCapabilities();caps.setCapability("tunnelName", "{TUNNEL_NAME}");caps.setCapability("tunnelOwner","{SAUCE_USERNAME}");

Espresso Tests#

Specify the applicable tunnel settings in your saucectl config.yml file, or use the --tunnel-name and --tunnel-owner flags with the saucectl run command at test runtime.

Live Testing#

Cross Browser App Testing#

For cross browser app testing, on Sauce Labs, click LIVE and then click Cross Browser. In the Sauce Connect Proxy dropdown, select your Sauce IPSec Proxy tunnel.

Mobile Device Testing#

For mobile device testing, on Sauce Labs, click LIVE > Mobile App. Choose your app from the list, and then, in the Sauce Connect Proxy dropdown, select your Sauce IPSec Proxy tunnel.


To ensure compliance with your company's settings and network policy, we recommend checking with your organization admin before running tests on virtual and real devices over a Sauce IPSec Proxy connection.

Public Real Device Testing#

To run tests on public real devices in the Sauce Labs cloud using Sauce IPSec Proxy, your organization admin must switch on Enable Sauce Connect Proxy/IPSec VPN for Public Cloud Devices (see Security Settings), a security setting that is disabled by default.

The setting enables all users across your organization to run live and automated tests on public devices over Sauce IPSec Proxy.

Each time you initiate a test, you'll see a temporary pop-up alert window with a reminder that the utilization of a trusted Sauce IPSec Proxy connection combined with RDC public real device tests may not be compliant with your organization's network policy.

Setting Tunnel Permissions#

As part of our initial Sauce IPSec Proxy tunnel setup and configuration on your network, we'll ask your organization to choose from two sharing settings:

  • Restricted: Only organization admins can access Sauce IPSec Proxy tunnels
  • Organization-Wide: All users in your organization can utilize Sauce IPSec Proxy tunnels

At this time, we don't support granting permissions to individual users.

If you're an organization admin who would like to change your sharing settings, please reach out to our Support Team.

Monitoring and Troubleshooting#

To monitor tunnel stability, we recommend pinging the tunnel gateway or checking the status of the VPN connection from the IPSec gateway itself.

Additional Resources#

If you need help with your tunnel(s) or are interested in getting set up, contact your CSM, SE, or Sauce Labs Support.