skillsSource-backedReview first Safety ✓ Privacy ✓
Claude Code Enterprise Network Config Capability Pack Skill
Expert Claude Code enterprise network configuration capability pack for auditing proxy settings, custom CA trust, mTLS client certificates, URL allowlists, and provider-specific routing in restricted corporate networks.
HarnessClaude CodeCodexWindsurfGeminiCursorCLI
Level:expertType:capability-packVerified:validated
Review first — review before installing
Open the source and read safety notes before installing.
Safety notes
- This skill recommends network configuration changes; it must not edit proxy credentials, certificate files, or settings without showing proposed diffs first.
- Avoid hardcoding proxy passwords in scripts or committed settings; use secure credential storage or managed env injection.
- Claude Code does not support SOCKS proxies; do not recommend SOCKS-only egress paths.
- Changing CLAUDE_CODE_CERT_STORE from the default can break trust for TLS-inspection proxies if the OS store is removed unintentionally.
- mTLS client keys and passphrases are sensitive; store them outside repositories and restrict filesystem permissions.
- Disabling telemetry requires explicit env configuration before finalizing allowlists; do not assume zero outbound telemetry by default.
Privacy notes
- Proxy URLs, client certificate paths, NO_PROXY lists, and settings.json env blocks can expose internal hostnames, service names, and network topology.
- Enterprise TLS inspection means traffic content may be visible to the proxy operator even when Anthropic ZDR or retention policies apply upstream.
- Troubleshooting logs, `/doctor` output, and install traces may include usernames, internal domains, and certificate issuer details.
- Public rollout docs should summarize required domains and config categories, not paste complete proxy credentials or private CA bundles.
Prerequisites
- Claude Code installed in an enterprise network with proxy, TLS inspection, or outbound firewall controls.
- Permission to review redacted proxy URLs, certificate files, settings.json env blocks, and firewall allowlist drafts.
- Knowledge of whether the deployment uses direct Anthropic API access, Amazon Bedrock, Google Vertex AI, or Microsoft Foundry.
- A concrete failure symptom such as login errors, plugin download failures, MCP connection timeouts, or certificate trust errors.
Schema details
- Install type
- package
- Reading time
- 9 min
- Difficulty score
- 80
- Troubleshooting
- Yes
- Breaking changes
- No
Source repository stats
- Scope
- Source repo
Package metadata
Skill and platform metadata
- Skill type
- capability-pack
- Skill level
- expert
- Verification
- validated
- Verified at
- 2026-06-13
Retrieval sources
https://code.claude.com/docs/en/network-confighttps://code.claude.com/docs/en/env-varshttps://code.claude.com/docs/en/settingshttps://code.claude.com/docs/en/troubleshoot-installhttps://code.claude.com/docs/en/third-party-integrationshttps://code.claude.com/docs/en/skillshttps://github.com/anthropics/claude-codehttps://developers.google.com/search/docs/fundamentals/creating-helpful-content
Tested platforms
ClaudeClaude CodeCodexCursorWindsurfGeneric AGENTS
| Platform | Support | Install path |
|---|---|---|
| claude-code | Native | .claude/skills/<skill-name>/SKILL.md |
| codex | Native | .agents/skills/<skill-name>/SKILL.md |
| windsurf | Native | .windsurf/skills/<skill-name>/SKILL.md |
| gemini | Native | .gemini/skills/<skill-name>/SKILL.md or .agents/skills/<skill-name>/SKILL.md |
| cursor | Adapter | .cursor/rules/<skill-name>.mdc |
| cli | Manual | AGENTS.md or tool-specific context file |
Full copyable content
# Trigger
"Apply the Claude Code enterprise network config capability pack to this environment."
# Required output
1) Network topology and failure lane inventory
2) Proxy, CA store, and mTLS configuration review
3) Required URL allowlist with provider-specific notes
4) Verification commands and rollback plan
5) Privacy-safe summary of redacted settings reviewedAbout this resource
Knowledge Freshness
This capability pack is grounded in Claude Code enterprise network configuration, environment variables, settings, troubleshooting, third-party integrations, and skills documentation verified on 2026-06-13. Prefer live official docs and current firewall guidance when validating new Claude Code releases or provider routes.
Retrieval Sources
- https://code.claude.com/docs/en/network-config
- https://code.claude.com/docs/en/env-vars
- https://code.claude.com/docs/en/settings
- https://code.claude.com/docs/en/troubleshoot-install
- https://code.claude.com/docs/en/third-party-integrations
- https://code.claude.com/docs/en/skills
- https://github.com/anthropics/claude-code
- https://developers.google.com/search/docs/fundamentals/creating-helpful-content
Source Verification Notes
Verified against official Claude Code enterprise network configuration documentation on 2026-06-13:
- Claude Code respects standard
HTTPS_PROXY,HTTP_PROXY, andNO_PROXYenvironment variables; SOCKS proxies are not supported. - Default
CLAUDE_CODE_CERT_STORE=bundled,systemtrusts Mozilla bundled CAs plus the OS store; useNODE_EXTRA_CA_CERTSfor private inspection roots. - Enterprise mTLS uses
CLAUDE_CODE_CLIENT_CERT,CLAUDE_CODE_CLIENT_KEY, and optionalCLAUDE_CODE_CLIENT_KEY_PASSPHRASE. - Required outbound hosts include
api.anthropic.com,claude.ai,platform.claude.com, anddownloads.claude.aifor direct Anthropic routes. - Bedrock, Vertex, and Foundry deployments route model traffic to the provider instead
of
api.anthropic.com.
Scope Note
This is not a generic corporate VPN guide. Use it when Claude Code specifically needs proxy routing, custom CA trust, mTLS client auth, or outbound allowlist planning in enterprise environments.
Core Workflow
- Inventory the deployment lane: direct Anthropic API, Bedrock, Vertex, Foundry, self-hosted GHES, containerized agents, or developer laptops behind TLS inspection.
- Capture the failure symptom: auth failure, update/download failure, MCP remote timeout, WebFetch blocked, plugin marketplace fetch failure, or certificate validation error.
- Review proxy configuration:
- Prefer
HTTPS_PROXYoverHTTP_PROXY. - Validate
NO_PROXYfor localhost, internal services, and split-tunnel hosts. - Confirm SOCKS proxies are not in the path.
- Prefer
- Review certificate trust:
- Default
CLAUDE_CODE_CERT_STORE=bundled,systemtrusts Mozilla bundled CAs plus the OS store. - Use
NODE_EXTRA_CA_CERTSwhen a private inspection CA is not in the OS store.
- Default
- Review mTLS settings when required:
CLAUDE_CODE_CLIENT_CERTCLAUDE_CODE_CLIENT_KEYCLAUDE_CODE_CLIENT_KEY_PASSPHRASEfor encrypted keys
- Build the outbound allowlist from official requirements:
api.anthropic.com,claude.ai,platform.claude.comdownloads.claude.ai,bridge.claudeusercontent.comraw.githubusercontent.comfor release notes and marketplace counts- Provider-specific endpoints when not using direct Anthropic API
- Adjust for deployment mode:
- npm or self-managed binary installs may not need download domains.
- WebFetch domain safety checks still hit
api.anthropic.comunlessskipWebFetchPreflight: trueis set in settings. - GHES and GitHub Enterprise Cloud IP allowlisting may require Anthropic API IP ranges for web and code review features.
- Verify with minimal tests: login, plugin download if applicable, MCP remote
server connection, and
/doctoror install troubleshooting commands. - Document rollback paths for cert-store, proxy, and mTLS changes.
Capability Scope
- Proxy and NO_PROXY configuration review.
- Certificate store and custom CA planning.
- mTLS client certificate setup review.
- Required URL and IP allowlist drafting.
- Provider-route specific network notes.
- Privacy-safe enterprise rollout documentation.
Compatibility
Native
- Claude Code / Claude: use as an Agent Skill when diagnosing enterprise network failures or preparing security review packets.
Manual Adaptation
- Codex, Cursor, Windsurf, and Generic AGENTS workflows: use the workflow as a checklist for Claude Code network readiness reviews.
Required Inputs
- Failure symptom and affected surface (login, update, MCP, WebFetch, plugins).
- Redacted proxy settings, cert paths, and current env or settings.json blocks.
- Deployment provider route and whether GHES or GHEC is involved.
- Existing firewall, proxy, and TLS inspection architecture summary.
Production Rules
- Prefer OS trust store plus bundled CAs unless a documented reason requires
narrowing
CLAUDE_CODE_CERT_STORE. - Never commit proxy credentials, client keys, or private CA bundles to git.
- Document provider-specific endpoints instead of assuming
api.anthropic.comalone when using Bedrock, Vertex, or Foundry. - Review telemetry disablement requirements before calling the allowlist final.
- Treat TLS inspection as an additional data-handling surface in privacy review.
- Apply one reversible network change at a time during troubleshooting.
- Redact internal hostnames and credential paths in public documentation.
Review Matrix
| Symptom | First route | Safer first check |
|---|---|---|
| Certificate verify failed behind proxy | Custom CA | Confirm inspection root is in OS store or NODE_EXTRA_CA_CERTS |
| Auth works locally but not in CI | Proxy/NO_PROXY | Verify HTTPS_PROXY and bypass list for internal auth endpoints |
| Plugin or updater download fails | Allowlist | Confirm downloads.claude.ai and related domains |
| MCP remote server unreachable | Proxy/firewall | Check NO_PROXY and outbound rules for MCP host |
| Bedrock route still calls api.anthropic.com | WebFetch preflight | Review skipWebFetchPreflight setting deliberately |
| GHES clone/review blocked | IP allowlist | Review Anthropic API IP ranges for managed infrastructure |
Output Contract
- Network topology and failure lane summary.
- Proxy, CA, and mTLS configuration findings with redaction notes.
- Required allowlist domains and provider-specific additions.
- Minimal verification checklist and rollback plan.
- Privacy and TLS-inspection implications for security review.
- Privacy-safe summary suitable for rollout documentation.
Duplicate Check
Checked content/skills, content/guides, generated catalog text, and open
pull requests for Claude Code enterprise network config, proxy setup, mTLS, and
allowlist workflows. Official docs cover network configuration, but no skills
entry provides a reusable enterprise network audit capability pack with review
matrix and provider-route notes.
Editorial Disclosure
Submitted as an independent source-backed HeyClaude content entry by
kiannidev. It is based on public Claude Code documentation, the public
Anthropic claude-code repository, and Google Search Central helpful-content
guidance. No paid placement, referral link, affiliate link, or vendor
sponsorship is used.
Source citations
Add this badge to your README
Show that Claude Code Enterprise Network Config Capability Pack Skill is listed on HeyClaude. Paste this Markdown into your README — it renders the badge and links back to this page.
[](https://heyclau.de/entry/skills/claude-code-enterprise-network-config-capability-pack)Signals
Loading live community signals…
More like this, weekly
A short, calm digest of reviewed Claude resources. Unsubscribe any time.