diff --git a/probe/appclient/app_client.go b/probe/appclient/app_client.go
index a99a42fde1..67672bb979 100644
--- a/probe/appclient/app_client.go
+++ b/probe/appclient/app_client.go
@@ -82,7 +82,8 @@ func NewAppClient(pc ProbeConfig, hostname string, target url.URL, control xfer.
 			Timeout:   httpClientTimeout,
 		},
 		wsDialer: websocket.Dialer{
-			TLSClientConfig: httpTransport.TLSClientConfig,
+			TLSClientConfig:  httpTransport.TLSClientConfig,
+			HandshakeTimeout: httpClientTimeout,
 		},
 		conns:   map[string]xfer.Websocket{},
 		readers: make(chan io.Reader, 2),
diff --git a/probe/appclient/probe_config.go b/probe/appclient/probe_config.go
index 04d6533c2e..9c2b1d9aca 100644
--- a/probe/appclient/probe_config.go
+++ b/probe/appclient/probe_config.go
@@ -44,16 +44,24 @@ func (pc ProbeConfig) authorizedRequest(method string, urlStr string, body io.Re
 }
 
 func (pc ProbeConfig) getHTTPTransport(hostname string) (*http.Transport, error) {
+	var tlsConfig *tls.Config
 	if pc.Insecure {
-		return &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-		}, nil
-	}
-
-	return &http.Transport{
-		TLSClientConfig: &tls.Config{
+		tlsConfig = &tls.Config{InsecureSkipVerify: true}
+	} else {
+		tlsConfig = &tls.Config{
 			RootCAs:    certPool,
 			ServerName: hostname,
-		},
-	}, nil
+		}
+	}
+	return &http.Transport{
+		TLSClientConfig: tlsConfig,
+
+		DialContext: (&net.Dialer{
+			Timeout:   30 * time.Second,
+			KeepAlive: 30 * time.Second,
+		}).DialContext,
+		IdleConnTimeout:       http.DefaultTransport.IdleConnTimeout,
+		TLSHandshakeTimeout:   http.DefaultTransport.TLSHandshakeTimeout,
+		ExpectContinueTimeout: http.DefaultTransport.ExpectContinueTimeout,
+	}
 }