ETP Client no on-premises proxy

This graphic shows the flow of a request when the ETP Client machine is configured as a local web proxy. When this configuration is in place, web requests are directed from ETP Client to ETP Proxy for analysis. For more information, see ETP Client for web traffic.
In this graphic:
  1. Regardless if a user is on or off the corporate network, this applies:
    • All DNS requests are directed from ETP Client to ETP DNS.
    • All HTTP and HTTPS requests are directed from ETP Client to ETP Proxy.
  2. Depending on the request, this applies:
    • ETP Client forwards web requests to ETP Proxy where the proxy performs TLS MITM decryption.
    • ETP Client forwards internal requests to the internal network based on an ETP network configuration or an exception list. Internal requests bypass ETP Proxy and are forwarded to their destination.
  3. If authentication is required or optional in the associated policy, the user is prompted to authenticate based on the identity provider configuration. The request proceeds as long as authentication is successful.
  4. Based on the policy, an action is applied to traffic. If the traffic is allowed, the request is directed to the origin and the user is granted access. Otherwise, it is blocked and an error page is shown to the user.
    Note: If the bypass action is configured, the request bypasses TLS man-in-the-middle (MITM) decryption and it’s sent directly to the origin IP address or the destination web server.
  5. If the request is allowed and you enabled payload analysis for large files, you can scan website content after it's downloaded by your browser. If your organization is licensed for Advanced Sandbox and you also enabled Dynamic Analysis, this content is directed to a secure sandbox environment.