Enable full web proxy

Before you begin

  1. Create certificates and distribute the certificates to devices and TLS clients on your network. For more information, see ETP Proxy as a TLS intermediary.
  2. If you are configuring proxy chaining to forward web traffic to ETP Proxy, see Set up on-premises proxy for ETP full web proxy.
  3. If you want ETP Proxy to authorize connections from the on-premises proxy, make sure you configure proxy credentials in ETP and in the on-premises proxy. For instructions, see Create a proxy credential.
  4. If you are configuring ETP Client to forward web traffic to ETP Proxy, see Set up ETP Client.

Complete this procedure to enable the full web proxy. The full web proxy is available with proxy chaining or with ETP Client 3.0.4 or later. For more information, see Proxy chaining and ETP Client for web traffic.

To enable the full web proxy, your organization must be licensed for ETP Advanced Threat.

How to

  1. In the navigation menu, select Configuration > Policies.
    Note: If you are trying the new Enterprise Center interface, in the navigation menu, select Policies > Policies.
  2. If you are adding a new policy:
    1. On the Policies page, click the plus sign icon.
    2. Enter a name and description for the policy in the Name and Description fields.
    3. To configure a policy with settings from a predefined template, select one of these templates and click Continue:
      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
      • Monitor-only. Logs and reports threats but it does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
      • Custom. Lets you define policy actions for known and suspected threats.
    4. To assign a location, click the link icon, select a location or multiple locations, and click Associate.
  3. If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.
  4. Click the Settings tab and complete the following fields:
    1. Enable Proxy. Toggle on to the enable the ETP Proxy.
    2. Proxy Authorization. Toggle on to require that ETP Proxy authorizes connections from the on-premises proxy. To use this setting, you must configure proxy credentials in ETP and in the on-premises proxy. For more information, see Proxy authorization.
    3. Origin Ports. If you want to allow outbound traffic on a new origin port, enter the port number or port range. Separate each port number or range with a comma. By default, the full web proxy allows outbound traffic to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
    4. Trust XFF Header. Toggle on if you are configuring proxy chaining or the full web proxy. Your organization must be licensed for ETP Advanced Threat.
    5. Proxy Logging Mode. To change the ETP Proxy logging mode, select a different level. The default Level 1 ensures that detailed data is logged, such as response or request headers in HTTP or HTTPS threat events. For more information, see Proxy logging mode.
    6. Bypass Microsoft 365 Traffic. Toggle on to optimize traffic to Microsoft 365 apps and services.
    7. Block Incompatible Domains. Toggle on to block domains that are not compatible with TLS encryption. Otherwise, the ETP Proxy is bypassed for these domains.
    8. Risky Domains. Select Classify to apply the policy action of a threat category to risky domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C threats). Otherwise, select Allow to permit traffic to risky domains without analysis.
    9. File Sharing . Select Classify if you want to apply the policy action of a threat category to file sharing domains that ETP Proxy detected are threats (for example, malware, phishing, or C&C threats). Otherwise, select Allow to permit traffic to file sharing domains. Note: This field is not available if you block the File Sharing AUP category.
    10. Invalid Certificate Response. Select Block - Error Page to block a request if the ETP Proxy cannot verify a website's origin certificate. Otherwise, select Bypass to bypass ETP Proxy.
    11. Enable Inline Payload Analysis. Toggle on if ETP Proxy is enabled and your organization is licensed for Advanced Threat.
    12. Block Unscannable Files. Toggle on if you want to block files that cannot be scanned with ETP Proxy as part of inline payload analysis.
    13. Block On Upload Scan Timeout. Toggle on if you want to block requests that cause scanning to take longer than expected. Note: This setting applies to DLP and File Type blocking.
    14. Risky Files Handling - by file size. If your organization is enabled for Advanced Sandbox:
      • For downloads that range from 5 MB to 2 GB in size, select Allow or Allow and Scan. Otherwise, select Block - Error Page. For more information, see Static malware analysis of large files.
      • If you select Allow and Scan, the Dynamic Analysis toggle is available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.
      • For files that are greater than 2 GB (huge files), select an action. You can select Block - Error Page or Allow. For more information, see Payload analysis.
    15. Overwrite Device Proxy Settings. Select Yes or Only if there’s no local proxy if you want to enable ETP Client as a proxy on the client computer or device. Otherwise, select No.
    16. Forward Public IP to Origin. Toggle on to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. Make sure you also enable this setting if you enabled the Optimize Microsoft 365 Traffic option.
    17. Authentication Mode. Select Require to require authentication, Optional to give users the option to skip authentication, or None. This mode defines whether users are prompted to authenticate when accessing allowed websites in an Acceptable Use Policy (AUP).
    18. Identity Provider. Select an identity provider if you selected Require or Optional in the previous field.
  5. To define policy actions for a threat category, complete the fields on the Threat tab:
    1. Known. If you want to assign the same policy action to all known threat categories, select an action in the Action column. Otherwise, make sure the Known option is expanded to show the threat categories.
      • For each threat category, select an action. For more information, see Policy actions.
      • If you select Block, select a specific response to the user. The Response to User column is available when the Block action is selected.
      • If Error Page is selected and you want to direct traffic to Security Connector, select a security connector in the Security Connector field. Otherwise, select None.
    2. Suspected. If you want to assign the same policy action to all suspected threat categories, select an action in the Action column. Otherwise, make sure the Suspected option is expanded to show the threat categories and complete the fields as described in the previous step .
  6. Click the Access Control tab and complete the following fields:
    1. For application visibility and control (AVC) , click the AUP & Shadow IT sub tab and complete the steps described in Configure application visibility and control.
    2. If your organization is participating in the data loss prevention (DLP) beta, click the DLP subtab and complete the steps described in Select user and group exceptions for DLP scanning and Assign a DLP dictionary to a policy.
    3. If you are not using DLP, see Configure an Acceptable Use Policy to configure an acceptable use policy.
    4. To enable alerts for a security category or list, toggle the Send Alert setting for each category or list on the Threat tab.
  7. To configure custom headers, click the Custom Header tab and following the instructions in Add a custom header.
  8. To assign a list to the policy, click the Custom Lists tab and following the instructions in Add a Block list to a policy.
  9. Click Save.

Next steps

  1. Deploy the policy to the ETP network. For instructions, see Deploy configuration changes.
  2. If you are configuring proxy chaining:
    1. Configure the on-premises proxy to forward traffic to ETP proxy. For more information, see the documentation of your on-premises proxy. If your organization uses Squid as an on-premises proxy, see Configure Squid to forward traffic to ETP Proxy.
    2. Configure the on-premises proxy to forward XFF headers. For more information, see the documentation of your on-premises proxy. If your organization uses Squid as an on-premises proxy, see Configure Squid to forward traffic to ETP Proxy.
    3. Test that traffic arrives at ETP Proxy. You can create a custom list with a domain and in a policy configuration, assign the monitor policy action to the custom list. In the browser, you can confirm that the certificate you generated or uploaded into ETP (TLS MITM certificate) is used.
  3. If you are configuring ETP Client to forward web traffic to ETP Proxy, see Assign a policy to the off-network location.