These graphics show how ETP Client 3.0.4 or later behaves when the forward proxy setting is enabled in a policy. These graphics illustrate the network flow when there’s no on-premises proxy and when there's an on-premises proxy.
ETP Client in a network without on-premises proxy
In this scenario, ETP Client is configured as the local web proxy on the machine where the client is installed.
In this graphic:
- Traffic to local websites is split from remote traffic. Based on the network configuration in ETP, requests to internal websites go directly to their destination.
- ETP Client checks whether some remote websites should bypass the proxy.
- ETP Client directs web traffic that’s configured to bypass ETP Proxy to its destination. These domains and IP addresses were configured in an exception list and assigned to a policy with the bypass policy action.
- Web traffic that is not specifically defined in an exception list or in the ETP Network Configuration is directed to ETP Proxy for analysis.
ETP Client in a network with an existing on-premises proxy
In this scenario, ETP Client is not configured as the local web proxy on the machine where the client is installed. This occurs when the Configure ETP Client as local computer web proxy setting is set to None or to the Only if there’s no local proxy option when there’s an existing proxy.
Depending on whether the on-premises proxy forwards traffic to ETP Proxy, ETP Client shows a protected or not protected status.
Protected by local network
- ETP Client sends requests to the enterprise proxy. ETP Client allows the enterprise proxy to decide whether requests to internal websites or resources are handled by the enterprise proxy or by ETP Client.
- In this scenario, ETP Client does not overwrite local web proxy settings. As a result, ETP Client probes the enterprise proxy to determine what status to show. The protected status appears because proxy chaining is configured and the enterprise proxy forwards traffic to ETP Proxy.
In this situation, while ETP client forwards requests to enterprise proxy, it shows a Your device is NOT protected status because the enterprise proxy does not forward the request to ETP Proxy.
When ETP Client is not configured to overwrite local web proxy settings, the client probes ETP Proxy to determine what status to show. The status indicates the user’s machine is not protected because proxy chaining is not set up.
For more information on the statuses, see ETP Client on corporate machines.