Deploy and Roll Out PTC
Deploy Package Traffic Controller (PTC) in order: Artifactory, workstation trust, then SASE redirect rules, with phased rollout guidance for SaaS consumption.
Deployment Sequence
Deploy PTC in the following order. Enabling interception before Artifactory and workstation trust are ready can break package installs.
flowchart LR
Step1["1. Configure JFrog Artifactory<br>(repos, Package Reroute API,<br>anonymous access, redirect)"]
Step2["2. Install SASE CA<br>and trust configuration<br>on workstations"]
Step3["3. New terminal sessions<br>/ IDE restart<br>(pick up env vars)"]
Step4["4. Activate SASE redirect rules<br>(intercept registries +<br>redirect to Artifactory)"]
Step1 --> Step2 --> Step3 --> Step4
Required Order of Operations
To deploy PTC in the required order:
- Configure JFrog Artifactory: Create a remote repository for each ecosystem, ensure Curation is enabled in Artifactory, then complete Step 3: Register repositories with Package Reroute using Update Registry Configuration (
PUT /artifactory/api/package-reroute/config/{type}) for each package type. PTC does not work without this API request. Therepo_keymust be a remote repository. Configure anonymous access and verify/package-rerouteas described in Configure Artifactory for PTC. Artifactory must be ready before the SASE redirects traffic. Otherwise, installs fail after interception starts. - Set up the SASE CA and application trust on developer workstations for each client and OS in scope. MDM is optional. Use your endpoint deployment approach. Follow Configure Workstation for PTC and your SASE trust-store guidance. Trust must be in place before SSL inspection is enabled.
- Ask developers to open new terminal sessions or restart IDEs after certificate and environment-variable changes. Most client-specific environment variables are read when a new shell starts, and existing shells keep the old environment.
- Configure and activate your SASE provider's redirect rules (intercept the registry hostnames and redirect them to Artifactory; the exact objects differ per vendor — see your SASE provider's guide in Supported Security Edges). Enable interception only after Artifactory and workstation trust are fully ready.
Warning: If SASE redirect rules are activated before Artifactory is configured or before certificate trust works for your package clients, installs can fail with SSL errors or HTTP errors. New terminal sessions or an IDE restart are usually required after env updates.
Gradual Rollout Recommendation
To reduce risk, deploy PTC gradually rather than to the entire organization at once. Phase by audience (pilot groups first) and by package ecosystem (for example npm first, then PyPI, then Docker) so each path can be validated before wider rollout.
Gradual Rollout Readiness Before SASE Activation
The Deployment Sequence still applies during phased rollout. Prepare endpoints first, then enable interception for the same cohort.
Practical pattern:
- Start with a pilot group and a single ecosystem (commonly npm).
- Confirm trust and successful installs before enabling redirect rules for additional users.
- Expand in controlled waves using your SASE group controls.
- Add additional registry domains only after endpoint trust and smoke tests are complete for that stack.
Why Gradual Rollout Is Important
Rolling out every user and every package client at the same time carries risk:
- Endpoint trust or environment gaps may affect only specific client stacks.
- Existing network and security policies can behave differently across teams.
- A phased rollout reduces blast radius and shortens troubleshooting cycles.
- Different package managers have different TLS and client behaviors.
A phased approach by audience, by registry domains in your SASE, and by configured ecosystems in Artifactory lets you identify and resolve issues with minimal disruption.
Recommended Rollout Phases
| Phase | Scope | Purpose |
|---|---|---|
| Phase 1: Lab and Test Environment | A controlled lab environment or a small number of test workstations | Validate the full deployment end-to-end: certificate distribution, SASE redirect rule activation, package install via Artifactory, and Curation policy and audit behavior when enabled. |
| Phase 2: Pilot Group | A small group of developers (e.g., 5–10 volunteers from a single team) | Confirm that the solution works in a real-world environment with real developer workflows, IDEs, and projects. Collect feedback on any issues. |
| Phase 3: Expanded Rollout | A larger team or department (e.g., the full R&D group) | Scale the deployment while monitoring for issues. Use your SASE scoped deployment (group filter) to control which users are affected. |
| Phase 4: Organization-Wide | All developer workstations | Full production deployment after confirming stability in earlier phases. |
Phasing by package type (optional): Within any phase above, you can keep your SASE intercept list minimal (e.g., only registry.npmjs.org until npm is stable), then add domains for PyPI, container registries, Hugging Face, and so on as you validate each stack. Align Artifactory Package Reroute repo_key settings so only ecosystems you intend to govern are in the path. This is independent of JFrog vs. SASE ownership: the SASE controls which hostnames are intercepted; JFrog controls which repository serves each type.
What to Monitor at Each Phase
- Package installs succeed without SSL errors
- Download and install time stays acceptable for your teams (throughput may differ from a direct path to the public registry—for example on first fetch, cache miss, or extra redirect hops—so compare against your own baseline and adjust capacity or caching if installs feel too slow)
- Packages appear in Artifactory's cached artifacts
- Curation audit log shows expected entries (only if JFrog Curation is enabled on the resolving remotes)
- Artifactory system logs show package reroute lines (user, original and target URLs, registry type, user agent)—see Package Reroute Logs for PTC
npm auditand other POST-based commands continue to work normally- Lock file behavior is acceptable (see Lock File Considerations for npm. Minor URL differences are expected and not a blocking issue.)
- No unexpected workstation or application breakage from the installation script
- When you add another registry domain or package client to the rollout, re-run targeted smoke tests for that client (install, lock files, TLS) before expanding scope further
You can use the following command during pilot verification to confirm package installation behavior from a workstation:
npm install <PACKAGE_NAME> --loglevel verboseWhere:
<PACKAGE_NAME>is the public package name used for your pilot smoke test.
For example:
npm install express --loglevel verboseScoped Versus Unscoped Deployment
You can apply PTC to everyone who hits the configured registries, or scope it to selected users or groups with your SASE rules. Group construction, identity membership, and policy precedence are managed by your SASE.
Rollout recommendation: JFrog recommends a gradual rollout using scoped rules first (pilot or departmental groups), then expanding. See Gradual Rollout Recommendation. Your SASE group filter is the standard way to keep blast radius small until you are ready for organization-wide coverage.
Unscoped (Organization-Wide): All users' traffic matching the configured registries is intercepted and redirected. Inspection and redirect rules apply globally (subject to your other SASE policies).
Scoped (Group-Specific): Both the inspection rule and the redirect rule include a group filter (e.g., "R&D") in your SASE. This means:
| User Group | Action | Result |
|---|---|---|
R&D User runs npm install | Intercepted | SASE decrypts and redirects requests to JFrog Artifactory |
Other User runs npm install | Ignored | Traffic flows directly to registry.npmjs.org via default SASE policy |
Consumption Impact for SaaS Customers
If your JFrog Artifactory instance is a SaaS (cloud-hosted) subscription, be aware that deploying PTC will affect your consumption metrics.
How Consumption Is Affected
When PTC is active, all developer workstations that install packages through the redirected flow will generate traffic against your JFrog Artifactory instance. This means:
- Every package download that was previously going directly to the public registry will now be routed through and served by your Artifactory instance.
- Each workstation added to the PTC deployment increases the total volume of requests and data transfer against your Artifactory subscription.
- Cached packages reduce repeated upstream fetches, but the initial download of each package version will count toward consumption.
Recommendation
Before deploying PTC across your organization, review your current SaaS subscription limits and projected consumption increase with your JFrog account team. The gradual rollout approach (see Gradual Rollout Recommendation) also helps you monitor consumption growth incrementally rather than experiencing a sudden spike.
Rollback Process
Rollback steps are vendor-specific. Follow the rollback section on the page for the SASE you use:
- Zscaler ZIA: Rollback Process
- Netskope: Rollback Process
In both cases the JFrog Artifactory configuration (repositories, Curation policies, anonymous access) does not need to be rolled back — it can stay in place without affecting developers once the SASE redirect is disabled.
Frequently Asked Questions
This section provides answers to frequently asked questions about deploying Package Traffic Controller (PTC).
FAQs
Q: What is the required deployment order for PTC?
A: Configure JFrog Artifactory and Package Reroute first, deploy workstation trust for the SASE CA, have developers open new terminal sessions, then activate your SASE redirect rules. See Deployment Sequence.
Q: Why deploy PTC gradually instead of org-wide on day one?
A: Phased rollout limits blast radius when certificate trust, client quirks, or SASE policy issues appear. Use your SASE group controls and narrow the intercept list per ecosystem. See Gradual Rollout Recommendation.
Q: Does PTC increase JFrog Cloud consumption?
A: Yes. Redirected package downloads count against your Artifactory SaaS subscription because traffic is served through your instance. Review limits with your JFrog account team before org-wide rollout. See Consumption Impact for SaaS Customers.
Q: Do developers need a full machine reboot after certificate changes?
A: No. New terminal sessions or an IDE restart pick up updated environment variables. Mandatory fleet-wide reboots alone do not fix TLS trust issues.
