Full Proxy Setup

The Full Proxy Setup guides you through the process of configuring ETP Proxy as a full web proxy that scans all web traffic. This configuration allows ETP Proxy to act as a Secure Web Gateway (SWG) that performs URL filtering and anti-malware scanning in your current network configuration.

You configure ETP Proxy as a full web proxy with one of these methods:
  • Proxy chaining. Directs all HTTP and HTTPS traffic from your organization’s on-premises web proxy to ETP Proxy. For more information, see Proxy chaining.
  • ETP Client. With version 3.0.4 or later of the client, you can forward all HTTP and HTTPS traffic to ETP Proxy. This occurs when you set ETP Client as the local web proxy on the user’s machine or you use ETP Client with an existing enterprise proxy. For more information, see ETP Client.

As part of this setup process, you must configure these features:

3a. ETP Proxy Certificate

ETP Proxy is a “trusted intermediary” that is able to decrypt, inspect, and re-encrypt all TLS traffic from enterprise managed computers. This gives ETP visibility into TLS encrypted traffic and allows it to protect an enterprise from threats, while preserving confidentiality and integrity of traffic to origin web sites.

For ETP Proxy to decrypt and inspect traffic, a MITM certificate authority (CA) TLS certificate is required. This certificate must be distributed to your organization’s trust store or to the TLS clients in your network.

You can generate this certificate in ETP or you can upload an intermediate certificate. You upload an intermediate certificate if your organization already has a public key infrastructure and maintains an internal Certificate Authority (CA) root certificate. For more information, see ETP Proxy as a TLS intermediary.

To complete this step in the workflow, you must do one of the following:
  • Generate a certificate in ETP, distribute it to TLS clients, and activate it in ETP. For instructions, see Create an Akamai certificate.
  • Generate a certificate signing request (CSR) in ETP, sign the request with your organization’s CA, and upload the certificate to ETP. You can then distribute the certificate to TLS clients and activate it in ETP. For instructions, see Create a non-Akamai certificate.

For more information on certificate distribution, see Certificate distribution.

3b. Network Configuration

If there are domains, IP addresses, and DNS suffixes that you don’t want directed to ETP Proxy, such as domains for internal websites, you can configure them in the ETP Network Configuration. For instructions, see Configure internal IP addresses and DNS suffixes.

3c. ETP Client

If you set up the full web proxy with ETP Client, you must deploy version 3.0.4 or later of the client on computers in your enterprise. With this version, you can configure ETP Client as a local web proxy that forwards requests to ETP Proxy. If your enterprise includes an on-premises proxy, you can also configure proxy chaining to forward requests from the on-premises proxy to ETP Proxy. ETP Client supports this scenario and continues to protect the user’s machine. For more information, see ETP Client for web traffic.

If you plan to use ETP Client as a local web proxy, make sure you enable these settings.
  • Enable ETP Client as Proxy. This policy setting lets you modify the local web proxy settings on the user’s machine and, in turn, enable ETP Client as the local web proxy.
    In addition to enabling or disabling this setting, you can choose to modify the local web proxy only when no web proxy is configured on the user’s machine.
    Note: You can also enable the Configure ETP Client as local computer web proxy setting in the client configuration. For more information, see ETP Client configuration settings. The Enable ETP Client as Proxy setting in the policy takes precedence over the client configuration setting.
  • Proxy Port. If ETP Client modifies the local web proxy settings on the user’s computer, it listens for traffic on port 8080 by default. If this port is used by another process in your network, you can enter a new port into this field. You enable this setting in the client configuration settings. For more information, see ETP Client configuration settings.

To complete the ETP Client step in the workflow, download, test, and approve ETP Client. For more information on setting up ETP Client in your enterprise, see Set up ETP Client.

Note: Using ETP Client for a full web proxy configuration is optional only if you plan to implement a proxy chaining configuration. To set up a full web proxy, you must either set up ETP Client for web traffic or you must set up proxy chaining.

3d. Proxy Chaining

Proxy chaining allows you to forward HTTP and HTTPS traffic from your enterprise on-premises web proxy to ETP Proxy.

To set up proxy chaining, you must enable these policy settings:
  • Trust X-Forwarded-For (XFF) header. The XFF header contains the client IP address. It prevents users from anonymizing their IP address or configuring their browser to inject a fake XFF with a fake IP address. Make sure you enable the Trust X-Forwarded-For (XFF) setting only if the on-premises proxy is configured to add this header and your firewall blocks direct access to outbound port 443 for users who attempt to bypass the proxy.
  • Proxy authorization. Requires that ETP Proxy authorize connections from the on-premises web proxy. You must configure proxy credentials in ETP and configure these credentials in the on-premises proxy. For more information, see Proxy authorization.
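
The following Python model is an added example, not Akamai code and not a description of ETP Proxy’s internal logic. It shows why both conditions on the Trust X-Forwarded-For setting matter; the function names, the rightmost-hop rule, and all addresses are assumptions constructed for illustration.

```python
import ipaddress

def onprem_proxy(client_ip, request_xff, adds_xff):
    """Model of the on-premises proxy: returns the XFF value it sends upstream."""
    if not adds_xff:
        return request_xff                  # passes through whatever the browser sent
    hops = [h.strip() for h in request_xff.split(",")] if request_xff else []
    return ", ".join(hops + [client_ip])    # appends the address it actually saw

def attributed_ip(peer_ip, xff, trust_xff):
    """Model of an upstream proxy: which address gets logged as the client."""
    if trust_xff and xff:
        last = xff.split(",")[-1].strip()   # rightmost hop = added by the nearest proxy
        try:
            return str(ipaddress.ip_address(last))
        except ValueError:
            pass                            # malformed header: fall back to the peer
    return peer_ip

# Constructed sample values (RFC 1918 and RFC 5737 documentation ranges).
CLIENT = "10.1.2.3"             # real workstation address
FAKE = "10.9.9.9"               # value a user injects from the browser
PROXY_EGRESS = "203.0.113.10"   # on-premises proxy address seen upstream
NAT_EGRESS = "203.0.113.20"     # address seen when a user bypasses the proxy

def scenarios():
    """Attributed client IP for each deployment state described in the text."""
    return {
        # Both conditions hold: the proxy's own hop supersedes the injected value.
        "chained_proxy_adds_xff": attributed_ip(
            PROXY_EGRESS, onprem_proxy(CLIENT, FAKE, True), True),
        # Proxy does not add XFF: the injected value reaches the upstream intact.
        "chained_proxy_no_xff": attributed_ip(
            PROXY_EGRESS, onprem_proxy(CLIENT, FAKE, False), True),
        # Direct egress is not blocked: nothing rewrites the injected header.
        "direct_bypass": attributed_ip(NAT_EGRESS, FAKE, True),
        # Trust disabled: the header is ignored and only the peer address is used.
        "trust_disabled": attributed_ip(
            PROXY_EGRESS, onprem_proxy(CLIENT, FAKE, True), False),
    }

if __name__ == "__main__":
    for name, ip in scenarios().items():
        print(f"{name:24} -> {ip}")
```

Only the first scenario attributes traffic to the real workstation; the second and third log the injected address, which is the outcome the two conditions on the setting are meant to rule out.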

The Proxy host information that you use to configure the on-premises proxy to send all traffic to ETP Proxy is available in a policy configuration.

The setup workflow considers this step complete after you configure proxy credentials.

Note: Proxy chaining is an optional step in the workflow only if you plan to set up ETP Client. To set up a full web proxy, you must either set up ETP Client for web traffic or implement proxy chaining.

3e. Policies

In addition to enabling ETP Proxy and the settings that are required for ETP Client or a proxy chaining configuration, you also must do the following:
  • Select Classify in the Default Action menu. The classify action allows ETP Proxy to analyze domains that are not in ETP Threat Intelligence, custom lists, or in an Acceptable Use Policy (AUP). This action is also used for AUP categories that have no action assigned.
  • Select Classify for risky and file sharing domains. ETP Proxy scans requests, responses, and threat URLs, and performs payload analysis on downloaded files based on the policy settings. When a threat is detected, the threat is assigned the category and the policy action of the corresponding threat category. For example, if a phishing threat is detected, the threat is assigned the policy action of known phishing threats.

For instructions on configuring the policy, see Enable full web proxy.

3f. Deploy

For your policy configuration to take effect, you must deploy it to the ETP network. To complete this step, see Deploy configuration changes.