ETP Proxy can act as a full web proxy that performs URL filtering and anti-malware scanning in your current network configuration. Proxy chaining allows you to forward traffic from your enterprise on-premises proxy to Akamai ETP Proxy. While forwarding DNS resolvers to ETP directs malicious and risky traffic to ETP Proxy, proxy chaining further allows your organization to direct all HTTP and HTTPS traffic to ETP Proxy and scan it for malware.
- Trust X-Forwarded-For (XFF) header. The XFF contains the client IP address. It prevents users from anonymizing their IP address or configuring their browser to inject a fake XFF with a fake IP address. You should select the Trust X-Forwarded-For (XFF) option only if the on-premises proxy is configured to add this header and your firewall blocks direct access to outbound port 443 for users who attempt to bypass the proxy.

  As part of a proxy chaining configuration, you must set the on-premises proxy server to forward all web traffic to ETP Proxy. The X-Forwarded-For (XFF) header field contains the client IP address. This value is captured in the threat event details and allows you to identify the computer that made the request. After ETP extracts the client IP address, the XFF header is removed from the request and it’s not forwarded to the destination web server.

  Note: Make sure you enable XFF only if clients in your internal network use a unique IP address. If the network uses Network Address Translation (NAT), the XFF header cannot identify the client computer. For example, VMware or Windows terminal services may use unique IP addresses. In such network topologies, deploy a separate on-premises proxy behind each NAT implementation.
- Proxy authorization. Requires that ETP Proxy authorizes connections from the on-premises proxy. ETP Proxy extracts the Proxy-Authorization header from the request and validates credentials in the header before it allows connections from the on-premises proxy. For more information on proxy authorization, see Proxy authorization.
For more information on setting up an on-premises proxy, see Set up on-premises proxy for ETP full web proxy.
- Requests are directed to the on-premises proxy. If enabled to do so, the on-premises proxy adds the X-Forwarded-For header to identify the client IP address on the corporate network and provides a credential in the Proxy-Authorization header.
- If proxy authorization is enabled and proxy credentials are configured, ETP Proxy authorizes connections from the on-premises proxy based on the Proxy-Authorization header. This header contains the proxy credentials that are configured in the on-premises proxy. These credentials are validated against the proxy credentials in ETP.
- After your organization configures the on-premises proxy to forward traffic to ETP Proxy, all Internet requests are directed to ETP Proxy. If the XFF header is trusted, ETP Proxy can identify the client IP address. The client IP address is included in the reported threat events.
- Based on the policy configuration, a policy action is applied to the traffic. If the bypass action is configured, the request bypasses TLS man-in-the-middle (MITM) decryption and it’s sent directly to the origin IP address or the destination web server. In a policy, you define the trusted websites that do not require TLS MITM decryption and are therefore not directed to ETP Proxy. For more information on policy actions, see Policy actions for lists and threat categories.
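
The header handling in the flow above can be modeled as follows. This is an added sketch, not Akamai's code: it shows an upstream proxy validating the Proxy-Authorization header, choosing the client IP to record in a threat event, and removing XFF before forwarding. The Basic scheme, the 407 response, the choice of the last XFF entry, and all names, credentials and addresses are assumptions made for the example.

```python
import base64, hmac, ipaddress

# Constructed values for illustration; not real ETP credentials or addresses.
PROXY_CREDENTIALS = {"onprem-proxy": "example-secret"}
SAMPLE = {
    "Host": "example.com",
    "Proxy-Authorization": "Basic " + base64.b64encode(b"onprem-proxy:example-secret").decode(),
    # First entry injected by the client browser, last appended by the on-premises proxy.
    "X-Forwarded-For": "203.0.113.9, 10.1.2.3",
}

def authorized(h):
    """Check Basic credentials (assumed scheme) against the configured proxy credentials."""
    scheme, _, token = h.get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    expected = PROXY_CREDENTIALS.get(user)
    return expected is not None and hmac.compare_digest(pw.encode(), expected.encode())

def client_ip(h, peer_ip, trust_xff):
    """IP to record in the threat event: XFF value if trusted and valid, else the TCP peer."""
    if trust_xff:
        # Assumption: use the last entry, the one the chained proxy appended itself.
        last = h.get("x-forwarded-for", "").split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(last))
        except ValueError:
            pass
    return peer_ip

def handle(headers, peer_ip, auth_required=True, trust_xff=True):
    h = {k.lower(): v for k, v in headers.items()}
    if auth_required and not authorized(h):
        return {"status": 407, "client_ip": peer_ip, "forward": None}
    ip = client_ip(h, peer_ip, trust_xff)
    # XFF is removed before forwarding (per the page); dropping Proxy-Authorization
    # as well is this sketch's choice.
    drop = ("x-forwarded-for", "proxy-authorization")
    return {"status": 200, "client_ip": ip, "forward": {k: v for k, v in h.items() if k not in drop}}

if __name__ == "__main__":
    print(handle(SAMPLE, "198.51.100.7"))
```

With XFF trusted, the recorded address is the one the on-premises proxy appended, not the value the browser supplied; with XFF untrusted or malformed, the event falls back to the connecting proxy's address.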