Selective Proxy Setup

The Selective Proxy Setup guides you through the process of configuring ETP Proxy as a selective proxy. The selective proxy is a configuration of ETP Proxy that scans only risky web traffic. With the selective proxy, ETP Threat Intelligence detects that a domain contains a suspicious URL. Traffic to risky domains is then sent to ETP Proxy where specific URLs are blocked, monitored, or analyzed in accordance with a policy. With the easy integration of the selective proxy, you can optimize security with minimal impact to users. If your enterprise needs to scan all web traffic, see Full Proxy Setup.

You must set up these features for the selective proxy.

2a. ETP Proxy Certificate

ETP Proxy is a “trusted intermediary” that decrypts, inspects, and re-encrypts all TLS traffic from enterprise managed computers. This gives ETP visibility into TLS encrypted traffic and allows it to protect an enterprise from threats, while preserving confidentiality and integrity of traffic to origin websites.

For ETP Proxy to decrypt and inspect traffic, a MITM certificate authority (CA) TLS certificate is required. This certificate must be distributed to an organization’s trust store or TLS clients in your network.

You can generate this certificate in ETP or you can upload an intermediate certificate. You upload an intermediate certificate if your organization already has a public key infrastructure and maintains an internal Certificate Authority (CA) root certificate. For more information, see ETP Proxy as a TLS intermediary.

To complete this step in the workflow, you must do one of the following:
  • Generate a certificate in ETP, distribute it to TLS clients, and activate it in ETP. For instructions, see Create an Akamai certificate.
  • Generate a certificate signing request (CSR) in ETP, sign the request with your organization’s CA, and upload the certificate to ETP. You can then distribute the certificate to TLS clients and activate it in ETP. For instructions, see Create a non-Akamai certificate.

For more information on certificate distribution, see Certificate distribution.

2b. Policies

You must configure a policy for the selective proxy. This process involves:
  • Enabling ETP Proxy
  • If your organization is licensed for ETP Advanced Threat, make sure you select Bypass as the default action for domains that are not in ETP Threat Intelligence, custom lists, or in an Acceptable Use Policy (AUP). This action is also used for AUP categories that have no action assigned. This setting means that this type of traffic bypasses ETP Proxy unless it is risky for your enterprise.

For instructions on configuring the policy, see Enable selective proxy.

2c. Deploy

For your policy configuration to take effect, you must deploy it to the ETP network.

To complete this step, see Deploy configuration changes.