Support of an on-premises HTTP forward proxy

If your organization already uses an HTTP forward proxy, such as a Data Leakage Prevention or a Unified Threat Management appliance to protect your network, the ETP proxy can coexist with these solutions.
Note: If your organization is licensed for ETP Advanced Threat and you want to configure ETP Proxy as a full web proxy, you can direct traffic from the on-premises proxy to ETP Proxy. For more information, see Full web proxy.

In the case where the on-premises proxy performs TLS verification and decryption, you must configure your organization’s proxy to accept traffic from ETP Proxy, which also performs TLS decryption and resigns the traffic with its own certificates. This is done by configuring the on-premise proxy to trust the same man-in-the-middle (MITM) TLS certificates as computers in your organization. For instructions on how to add additional trusted root certificate to the existing proxy server, see the documentation of your on-premise proxy solution.

Most on-premise proxies allow you to send the X-Forwarded-For (XFF) header to the downstream proxy. ETP captures this HTTP header for threat events. You can view the internal IP address of the client computer in the Request Headers information that’s reported on the Event Details window of the HTTP or HTTPS threat event. This data is available on the Details subtab of the Event Details window.

The following graphic shows the flow in a network that contains an on-premises proxy. As shown, the proxy forwards traffic to the ETP proxy.

The security connector uses an internal IP address in the internal network. When instructed, the user’s browser contacts Security Connector directly. As a result, requests bypass the local proxy.