Enable full web proxy

Before you begin

  1. Create certificates and distribute the certificates to devices and TLS clients on your network. For more information, see ETP Proxy as a TLS intermediary.
  2. If you are configuring proxy chaining to forward web traffic to ETP Proxy, see Set up on-premises proxy for ETP full web proxy.
  3. If you want ETP Proxy to authorize connections from the on-premises proxy, make sure you configure proxy credentials in ETP and in the on-premises proxy. For instructions, see Create a proxy credential.
  4. If you are configuring ETP Client to forward web traffic to ETP Proxy, see Set up ETP Client.

Complete this procedure to enable the full web proxy. The full web proxy is available with proxy chaining or with ETP Client 3.0.4 or later. For more information, see Proxy chaining and ETP Client for web traffic.

To enable the full web proxy, your organization must be licensed for ETP Advanced Threat.

How to

  1. In the navigation menu, select Configuration > Policies.
    Note: If you are trying the new Enterprise Center interface, in the navigation menu, select Policies > Policies.
  2. If you are adding a new policy:
    1. On the Policies page, click the plus sign icon.
    2. Enter a name and description for the policy in the Name and Description field.
    3. To configure a policy with settings from a predefined template, select one of these templates and click Continue:
      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
      • Monitor-only. Logs and reports threats but it does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
      • Custom. Lets you define policy actions for known and suspected threats.
    4. To assign a location, click the link icon, select a location or multiple locations, and click Associate.
  3. If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.
  4. Click the Settings tab.
  5. Enable ETP Proxy:
    1. In the Proxy Settings area, toggle Enable Proxy to on.
    2. To require that ETP Proxy authorizes connections from the on-premises proxy, enable Proxy Authorization. To use this setting, you must configure proxy credentials in ETP and in the on-premises proxy. For more information, see Proxy authorization.
    3. If you want to allow outbound traffic on a new origin port, in the Origin Ports field, enter the port number or port range. Separate each port number or range with a comma. By default, ETP opens ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
    4. If you are configuring proxy chaining or the full web proxy, enable Trust XFF Header. Your organization must be licensed for ETP Advanced Threat.
    5. To optimize traffic to Microsoft 365 apps and services, enable Optimize Microsoft 365 Traffic.
    6. To change the logging mode for ETP Proxy, click the Proxy Logging Mode menu and select a new logging mode. By default, Level 1 is selected to ensure that detailed data such as response or request headers are logged in HTTP or HTTPS threat events. For more information, see Proxy logging mode.
    7. If you want to apply the policy action of a threat category to risky domains that ETP Proxy detected are threats (for example, malware, phishing, or C&C threats), in the Risky Domains menu, make sure Classify is selected. Otherwise, you can select Allow to permit traffic to risky domains without analysis.
    8. If you want to apply the policy action of a threat category to file sharing domains that ETP Proxy detected are threats (for example, malware, phishing, or C&C threats), in the File Sharing menu, make sure Classify is selected. Otherwise, you can select Allow to permit traffic to file sharing domains.
      Note: If you block the File Sharing AUP category, the File Sharing field is not available.
    9. In the Default Action menu, select Classify.
      Note: If your organization is participating in the application visibility and control (AVC) beta, the default action setting is not available in the Settings tab. You configure this setting as part of an AVC configuration in the Access Control area.
  6. If you want to enable ETP Client as a proxy on the client computer or device, in the Overwrite Device Proxy Settings menu, select Yes or Only if there’s no local proxy. Otherwise, you can select No.
  7. In the Payload Analysis area, toggle Enable Inline Payload Analysis to on.
  8. If you want to block files that cannot be scanned with ETP Proxy as part of inline payload analysis, enable Block Unscannable Files.
  9. If your organization is enabled for Advanced Sandbox, complete these steps:
    1. For downloads that range from 5 MB to 2 GB in size (large files), select an action. You can select the Block - Error Page, Allow, or the Allow and Scan action. For more information, see Static malware analysis of large files.
    2. If you selected Allow and Scan action for large files, the Dynamic Analysis toggle is available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.
    3. For files that are greater than 2 GB (huge files), select an action. You can select either the Block - Error Page or the Allow action. For more information, see Payload analysis.
  10. In the Other Settings area, enable the Forward Public IP to Origin toggle to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. If you enabled the Optimize Microsoft 365 Traffic option, make sure you also enable this setting.
  11. In the Threat tab, select policy actions for threat categories. For more information on policy actions, see Policy actions.
  12. To configure custom headers, see Add a custom header.
  13. To assign a list to a policy, see Add a list to a policy.
  14. If your organization is participating in the data loss prevention (DLP) beta and you want to associate a DLP dictionary, complete these steps:
    1. Go to the Access Control tab.
    2. In the DLP tab, click the link icon and select a dictionary or multiple dictionaries.
    3. Click Associate. By default, DLP dictionaries are assigned the Monitor action.
    4. To assign the Block - Error Page action, select it from the Action menu.
      Note: You must have enabled ETP Proxy and inline payload analysis to complete this step. This feature is in beta and available to organizations that are licensed for ETP Advanced Threat.
  15. If your organization is participating in the application visibility and control (AVC) beta, see Configure application visibility and control. Otherwise, see Configure an Acceptable Use Policy to configure an acceptable use policy.
  16. Click Save.

Next steps

  1. Deploy the policy to the ETP network. For instructions, see Deploy configuration changes.
  2. If you are configuring proxy chaining:
    1. Configure the on-premises proxy to forward traffic to ETP proxy. For more information, see the documentation of your on-premises proxy. If your organization uses Squid as an on-premises proxy, see Configure Squid to forward traffic to ETP Proxy.
    2. Configure the on-premises proxy to forward XFF headers. For more information, see the documentation of your on-premises proxy. If your organization uses Squid as an on-premises proxy, see Configure Squid to forward traffic to ETP Proxy.
    3. Test that traffic arrives at ETP Proxy. You can create a custom list with a domain and in a policy configuration, assign the monitor policy action to the custom list. In the browser, you can confirm that the certificate you generated or uploaded into ETP (TLS MITM certificate) is used.
  3. If you are configuring ETP Client to forward web traffic to ETP Proxy, see Assign a policy to the off-network location.