Set up on-premises proxy for ETP full web proxy

To enable the full web proxy, in addition to the settings you enable in ETP, you configure the on-premises proxy to forward traffic to ETP Proxy. ETP displays the ETP Proxy URL that you use to configure the on-premises proxy to send all traffic. You can also configure the on-premises proxy to include the X-Forwarded-For header in requests so that the originating client traffic can be identified in ETP reporting.

You can require that ETP Proxy authorizes connections from the on-premises proxy. If you enable proxy authorization in a policy, you must configure proxy credentials in ETP, and you must configure these same proxy credentials in the on-premises proxy. For more information, see Proxy authorization.

ETP Proxy is hosted on the Akamai Intelligent Edge Security Platform, which has many points of presence (PoPs). If your local DNS resolver is not in the same branch office or network location as the on-premises proxy, the on-premises proxy directs traffic to the ETP Proxy PoP that is nearest to the DNS resolver rather than nearest to the proxy. In this case, configure the on-premises proxy to use the ETP DNS servers as its DNS resolver. For more information about this setup, see the official documentation of the on-premises proxy. To review how this is configured on Squid 3.5 or later, see Configure Squid to forward traffic to ETP Proxy.

As part of this setup, confirm that the following applies:
  • Local DNS resolvers forward requests to ETP to make sure that non-web traffic is also protected by ETP.
  • Your enterprise firewall settings block clients or traffic that bypasses the on-premises proxy and ETP Proxy. For more information on configuring the firewall, see Configure your enterprise firewall.
  • The Enterprise CA root certificate or the Akamai MITM TLS CA certificate is added to the list of trusted certificates on your on-premises proxy. This is the same certificate that you deployed on enterprise computers for ETP Proxy.

To secure traffic between users and an on-premises proxy, make sure your enterprise follows these best practices:
  • Require user authentication on the on-premises proxy. This allows you to control and secure web access.
  • Use secure proxy configuration and detection methods on end user machines. For example, you can do this through the Group Policy on Windows. Do not use the Web Proxy Auto Discovery (WPAD) protocol or the Dynamic Host Configuration Protocol (DHCP). These protocols are prone to man-in-the-middle attacks.
  • Generate and deploy a TLS certificate to the on-premises proxy, and configure devices to connect to the enterprise proxy using TLS (for example, https://<on-prem-proxy>:8443) rather than plain HTTP.
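The following squid.conf fragment is an added example, not Akamai's own Squid page, that ties the setup checklist and the best practices above together in one place. It assumes Squid 3.5 directive syntax, a basic-auth helper at a distribution-specific path, and a TLS connection to the ETP Proxy parent; every value in angle brackets is a placeholder for the URL, credentials and DNS servers that ETP displays or that your own PKI provides.

```conf
# Added example (not from the Akamai documentation). Squid 3.5 syntax assumed;
# Squid 4+ accepts these options but prefers the tls-* spellings.

# Best practice: clients connect to the on-premises proxy over TLS on 8443,
# not plain HTTP. Certificate and key come from your enterprise PKI.
https_port 8443 cert=/etc/squid/certs/on-prem-proxy.pem key=/etc/squid/certs/on-prem-proxy.key

# Forward all traffic to ETP Proxy as the only parent and never go direct.
# <etp-proxy-host>/<etp-proxy-port> come from the ETP Proxy URL shown in ETP.
# login= carries the proxy credentials configured in ETP when proxy
# authorization is enabled in the policy; omit it if it is not.
# sslcafile= points at the Enterprise CA root or Akamai MITM TLS CA bundle
# you added to the proxy's trusted certificates (assumed to be a PEM file).
cache_peer <etp-proxy-host> parent <etp-proxy-port> 0 no-query default ssl sslcafile=/etc/squid/certs/etp-trusted-ca.pem login=<proxy-user>:<proxy-password>
never_direct allow all

# Include X-Forwarded-For so ETP reporting can identify the original client.
forwarded_for on

# Resolve names with the ETP DNS servers so the nearest ETP Proxy PoP is
# chosen relative to this site rather than a remote corporate resolver.
dns_nameservers <etp-dns-server-1> <etp-dns-server-2>

# Best practice: require user authentication before any web access is
# allowed through the on-premises proxy (helper path varies by distribution).
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm On-premises proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
```

Run `squid -k parse` after editing to confirm the directives are accepted by your Squid build before reloading the service.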

If your organization uses a proxy auto-configuration (PAC) file to direct internal traffic to its destination and external traffic to the on-premises proxy, see PAC file configuration.