Review PTC Prerequisites
Review prerequisites for Package Traffic Controller (PTC), including SASE and JFrog Artifactory requirements.
Prerequisites
Before configuring PTC, ensure the following requirements are met.
SASE Requirements
PTC requires SASE to intercept package traffic and redirect it to Artifactory. The vendor-specific requirements (admin portal access, client connector, SSL inspection eligibility, CA certificate placement, and scoped-deployment groups) are documented on each vendor's configuration page:
- Configure Zscaler ZIA — ZIA Admin Portal access, Zscaler Client Connector (ZCC), Z-Tunnel/SSL inspection, CA certificate, and target groups.
- Configure Netskope — Netskope client, certificate requirements, and policy profiles.
See your SASE provider's guide in Supported Security Edges for vendor-specific setup steps.
Workstation install scripts, environment variables, OS coverage, MDM notes, and “configure without the script” minimums are shared across SASE and are documented in Configure Workstation for PTC.
JFrog Artifactory Requirements
Artifactory Instance: You need a running JFrog Artifactory deployment. PTC (Package Reroute) availability follows your JFrog license and entitlements, often aligned with Enterprise X or Enterprise+, but verify your exact SKU and feature flags with your JFrog account team rather than assuming from tier names alone.
Hostname and URL: Use the same HTTPS host your developers and automation use to reach Artifactory. For JFrog Cloud this is typically https://<your-subdomain>.jfrog.io (for example https://acme.jfrog.io). Self-hosted installations use the hostname (and optional context path) your organization configured. That value is what you substitute for <YOUR_ARTIFACTORY_URL> elsewhere in this guide.
Artifactory must have the appropriate repository layout for each package type you intend to serve through PTC, not only npm. The npm registry below is one example. Repeat the same pattern (correct Artifactory package type, upstream URL, Package Reroute repo_key, and matching SASE intercept entries) for every ecosystem you enable (for example PyPI, Docker, and Hugging Face, per Supported Package Types (GA) and Package Reroute Config API).
A remote repository is required for PTC — it proxies the public registry upstream and is the target of the repo_key in the Package Reroute configuration. Virtual repositories are not supported as the PTC repo_key.
- Example — npm: A remote npm repository whose upstream is
https://registry.npmjs.org.
JFrog Curation: Curation must be enabled in your Artifactory instance before you call the Package Reroute API. The API auto-enrolls the target remote repository in Curation per call (linked_curation: true by default), so you do not need to connect individual repositories manually. To register the repository for reroute without enrolling it in Curation, send linked_curation: false in the API request body. See Configure JFrog Curation for how to enable Curation.
Anonymous Access: Enable Allow Anonymous Access at the platform level, then grant the anonymous user Read and Deploy/Cache (per package type) on the remote repository configured as repo_key in Package Reroute, so anonymous users can fetch and cache from the upstream registry. Use a permission target scoped to that remote (for example npm-remote-registry), not broad anonymous access.
Checklist
- SASE provider admin access confirmed (see Supported Security Edges)
- SASE client deployed on target developer workstations, with SSL inspection eligible for the registry traffic you intercept
- SASE CA certificate and client trust configuration applied on target workstations (MDM optional)
- Target group defined in your SASE (if using scoped deployment)
- JFrog Artifactory instance hostname known
- Repositories created for each package type you roll out (npm, PyPI, Docker, and Hugging Face)
- JFrog Curation enabled in Artifactory (auto-enrolled per repo by the Package Reroute API; opt out with
linked_curation: false) - Anonymous access configured on Artifactory
Frequently Asked Questions
This section provides answers to frequently asked questions about PTC prerequisites.
FAQs
Q: What SASE access do I need before configuring PTC?
A: You need admin access to your SASE provider to create the intercept, inspection, and redirect rules, and a way to forward workstation traffic to it (for example, Zscaler Client Connector or Netskope Client). See your SASE provider's guide in Supported Security Edges.
Q: Is JFrog Curation mandatory for PTC to work?
A: Yes by default — the Package Reroute API auto-enrolls the target remote repository in Curation when called (linked_curation: true). To run PTC without Curation, send linked_curation: false in the API request body. See Step 2: Ensure JFrog Curation Is Enabled.
Q: Where do workstation installation scripts live?
A: Workstation setup (CA certificate trust, environment variables, install scripts) is documented in Configure Workstation for PTC.
