ETP Client with an on-premises proxy

This graphic shows the flow of a request when ETP Client forwards requests to an on-premises proxy. In this scenario, the on-premises proxy forwards requests to ETP Proxy. For more information, see ETP Client for web traffic.

If your network has an existing on-premises proxy, you can configure ETP Client so that it does not override the existing proxy settings. ETP Client detects that the on-premises proxy is chained to ETP Proxy and, in turn, avoids intercepting web traffic. If ETP Client detects that the on-premises proxy forwards traffic to ETP Proxy, the client shows a protected status.

In this graphic:
  1. Requests from the users in the corporate network are forwarded to the on-premises proxy. Off-network requests are directed to ETP Proxy. As configured in the network, all requests are sent to the on-premises proxy.
  2. As a result of the proxy chaining configuration, the on-premises proxy forwards traffic to ETP Proxy. DNS requests are forwarded to ETP DNS. ETP Proxy performs TLS MITM decryption.
  3. If authentication is required or optional in the associated policy, the user is prompted to authenticate based on the identity provider configuration. The request proceeds as long as authentication is successful.
  4. Based on the policy, an action is applied to traffic. If the traffic is allowed, the request is directed to the origin and the user is granted access. Otherwise, it is blocked and an error page is shown to the user.
    Note: If the bypass action is configured, the request bypasses TLS man-in-the-middle (MITM) decryption and is sent directly to the origin IP address or the destination web server.
  5. If the request is allowed and you enabled payload analysis for large files, you can scan website content after it's downloaded by your browser. If your organization is licensed for Advanced Sandbox and you also enabled Dynamic Analysis, this content is directed to a secure sandbox environment.
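
To confirm from a workstation which sites are decrypted (step 2) and which fall under the bypass action (note in step 4), you can compare the issuer of the certificate received through the on-premises proxy with your TLS inspection CA. The following is an added example, not Akamai code; the CA common name, the proxy address passed to fetch_cert, and the sample certificates are assumptions, and it assumes the inspection CA issues the leaf certificate directly.

```python
import http.client
import ssl

# Assumption: common name of the TLS inspection CA deployed to clients (placeholder).
INSPECTION_CA_CN = "Example ETP Inspection CA"

# Constructed samples in the dict format returned by SSLSocket.getpeercert().
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example ETP Inspection CA"),)),
}
SAMPLE_BYPASSED = {
    "subject": ((("commonName", "bank.example.net"),),),
    "issuer": ((("organizationName", "Example Public CA Inc"),),
               (("commonName", "Example Public CA R1"),)),
}


def issuer_field(cert, field="commonName"):
    """Return one issuer attribute from a getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == field:
                return value
    return None


def classify(cert, inspection_cn=INSPECTION_CA_CN):
    """'inspected' if the leaf was issued by the inspection CA, else 'not_inspected'."""
    if not cert:
        return "unknown"
    return "inspected" if issuer_field(cert) == inspection_cn else "not_inspected"


def fetch_cert(host, proxy_host, proxy_port, port=443, timeout=10):
    """Open a CONNECT tunnel through the on-premises proxy and return the peer cert."""
    ctx = ssl.create_default_context()  # trust store must already hold the inspection CA
    conn = http.client.HTTPSConnection(proxy_host, proxy_port, timeout=timeout, context=ctx)
    conn.set_tunnel(host, port)
    try:
        conn.connect()
        return conn.sock.getpeercert()
    finally:
        conn.close()


if __name__ == "__main__":
    for sample in (SAMPLE_INSPECTED, SAMPLE_BYPASSED):
        print(sample["subject"][0][0][1], classify(sample))
```

In live use, pass the result of fetch_cert(host, proxy_host, proxy_port) to classify for each site you expect to be inspected or bypassed.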