Complete this procedure to enable the full web proxy. The full web proxy is available with proxy chaining or with ETP Client 3.0.4 or later. For more information, see Proxy chaining and ETP Client for web traffic.

To enable the full web proxy, your organization must be licensed for ETP Advanced Threat.
How to
- In the navigation menu, select .
  Note: If you are trying the new Enterprise Center interface, in the navigation menu, select .
- If you are adding a new policy:
  - On the Policies page, click the plus sign icon.
  - Enter a name and description for the policy in the Name and Description fields.
  - To configure a policy with settings from a predefined template, select one of these templates and click Continue:
    - Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
    - Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
    - Custom. Lets you define policy actions for known and suspected threats.
  - To assign a location, click the link icon, select a location or multiple locations, and click Associate.
- If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.
- Click the Settings tab and complete the following fields:
  - Enable Proxy. Toggle on to enable the ETP Proxy.
  - Proxy Authorization. Toggle on to require that ETP Proxy authorizes connections from the on-premises proxy. To use this setting, you must configure proxy credentials in ETP and in the on-premises proxy. For more information, see Proxy authorization.
  - Origin Ports. If you want to allow outbound traffic on a new origin port, enter the port number or port range. Separate each port number or range with a comma. By default, the full web proxy allows outbound traffic to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.
  - Trust XFF Header. Toggle on if you are configuring proxy chaining or the full web proxy. Your organization must be licensed for ETP Advanced Threat.
  - Proxy Logging Mode. To change the ETP Proxy logging mode, select a different level. The default Level 1 ensures that detailed data is logged, such as response or request headers in HTTP or HTTPS threat events. For more information, see Proxy logging mode.
  - Bypass Microsoft 365 Traffic. Toggle on to optimize traffic to Microsoft 365 apps and services.
  - Block Incompatible Domains. Toggle on to block domains that are not compatible with TLS encryption. Otherwise, the ETP Proxy is bypassed for these domains.
  - Risky Domains. Select Classify to apply the policy action of a threat category to risky domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C threats). Otherwise, select Allow to permit traffic to risky domains without analysis.
  - File Sharing. Select Classify if you want to apply the policy action of a threat category to file sharing domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C threats). Otherwise, select Allow to permit traffic to file sharing domains. Note: This field is not available if you block the File Sharing AUP category.
  - Invalid Certificate Response. Select Block - Error Page to block a request if the ETP Proxy cannot verify a website's origin certificate. Otherwise, select Bypass to bypass ETP Proxy.
  - Enable Inline Payload Analysis. Toggle on if ETP Proxy is enabled and your organization is licensed for Advanced Threat.
  - Block Unscannable Files. Toggle on if you want to block files that cannot be scanned with ETP Proxy as part of inline payload analysis.
  - Block On Upload Scan Timeout. Toggle on if you want to block requests that cause scanning to take longer than expected. Note: This setting applies to DLP and File Type blocking.
  - Risky Files Handling - by file size. If your organization is enabled for Advanced Sandbox:
    - For downloads that range from 5 MB to 2 GB in size, select Allow or Allow and Scan. Otherwise, select Block - Error Page. For more information, see Static malware analysis of large files.
    - If you select Allow and Scan, the Dynamic Analysis toggle is available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.
    - For files that are greater than 2 GB (huge files), select an action. You can select Block - Error Page or Allow. For more information, see Payload analysis.
  - Overwrite Device Proxy Settings. Select Yes or Only if there’s no local proxy if you want to enable ETP Client as a proxy on the client computer or device. Otherwise, select No.
  - Forward Public IP to Origin. Toggle on to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. Make sure you also enable this setting if you enabled the Optimize Microsoft 365 Traffic option.
  - Authentication Mode. Select Require to require authentication, Optional to give users the option to skip authentication, or None. This mode defines whether users are prompted to authenticate when accessing allowed websites in an Acceptable Use Policy (AUP).
  - Identity Provider. Select an identity provider if you selected Require or Optional in the previous field.
- To define policy actions for a threat category, complete the fields on the Threat tab:
  - Known. If you want to assign the same policy action to all known threat categories, select an action in the Action column. Otherwise, make sure the Known option is expanded to show the threat categories.
    - For each threat category, select an action. For more information, see Policy actions.
    - If you select Block, select a specific response to the user. The Response to User column is available when the Block action is selected.
    - If Error Page is selected and you want to direct traffic to Security Connector, select a security connector in the Security Connector field. Otherwise, select None.
  - Suspected. If you want to assign the same policy action to all suspected threat categories, select an action in the Action column. Otherwise, make sure the Suspected option is expanded to show the threat categories and complete the fields as described in the previous step.
- Click the Access Control tab and complete the following fields:
  - For application visibility and control (AVC), click the AUP & Shadow IT subtab and complete the steps described in Configure application visibility and control.
  - If your organization is participating in the data loss prevention (DLP) beta, click the DLP subtab and complete the steps described in Select user and group exceptions for DLP scanning and Assign a DLP dictionary to a policy.
  - If you are not using DLP, see Configure an Acceptable Use Policy to configure an acceptable use policy.
- To enable alerts for a security category or list, toggle the Send Alert setting for each category or list on the Threat tab.
- To configure custom headers, click the Custom Header tab and follow the instructions in Add a custom header.
- To assign a list to the policy, click the Custom Lists tab and follow the instructions in Add a Block list to a policy.
- Click Save.
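
Before typing a value into the Origin Ports field on the Settings tab, it can be checked offline. The following is an added example, not part of the product documentation: it parses a comma-separated list of ports and ranges and reports which entries are already covered by the default ports listed above. The function names are hypothetical, and it assumes that entered ports are allowed in addition to the defaults.

```python
# Default outbound ports of the full web proxy, as listed on this page.
DEFAULT_PORTS = set(range(80, 85)) | {443, 4443, 8080, 8443, 8888}


def parse_origin_ports(field):
    """Parse a value such as '8000-8010, 9443' into a set of port numbers."""
    ports = set()
    for item in field.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in port list")
        low, sep, high = (part.strip() for part in item.partition("-"))
        if not low.isdigit() or (sep and not high.isdigit()):
            raise ValueError(f"not a port or range: {item!r}")
        start = int(low)
        end = int(high) if sep else start
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"port out of range or reversed range: {item!r}")
        ports.update(range(start, end + 1))
    return ports


def review_origin_ports(field):
    """Split the requested ports into redundant (already default) and new."""
    requested = parse_origin_ports(field)
    return {
        "redundant": sorted(requested & DEFAULT_PORTS),
        "new": sorted(requested - DEFAULT_PORTS),
        "total_allowed": len(requested | DEFAULT_PORTS),
    }


if __name__ == "__main__":
    # Constructed sample input: 443 is already a default port.
    print(review_origin_ports("8000-8002, 443, 9443"))
```

Every port in the "new" list widens the outbound surface of the proxy, so a short list is easier to justify in a policy review than a wide range.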
Next steps
- Deploy the policy to the ETP network. For instructions, see Deploy configuration changes.
- If you are configuring proxy chaining:
  - Configure the on-premises proxy to forward traffic to ETP proxy. For more information, see the documentation of your on-premises proxy. If your organization uses Squid as an on-premises proxy, see Configure Squid to forward traffic to ETP Proxy.
  - Configure the on-premises proxy to forward XFF headers. For more information, see the documentation of your on-premises proxy. If your organization uses Squid as an on-premises proxy, see Configure Squid to forward traffic to ETP Proxy.
  - Test that traffic arrives at ETP Proxy. You can create a custom list with a domain and in a policy configuration, assign the monitor policy action to the custom list. In the browser, you can confirm that the certificate you generated or uploaded into ETP (TLS MITM certificate) is used.
- If you are configuring ETP Client to forward web traffic to ETP Proxy, see Assign a policy to the off-network location.
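
The browser check in the proxy chaining test step can also be scripted. This added example (not from the product documentation) fetches the certificate a site presents through the on-premises proxy and compares its issuer with the TLS MITM certificate. The proxy address, port 3128, the CA file path, and the issuer name `Example ETP MITM CA` are placeholders to replace with your own values.

```python
import http.client
import ssl


def issuer_common_name(cert):
    """Return the issuer CN from a dict in ssl.getpeercert() format, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, mitm_issuer_cn):
    """Report whether the leaf certificate was issued by the TLS MITM CA."""
    if not cert:
        return "no-certificate"
    return "intercepted" if issuer_common_name(cert) == mitm_issuer_cn else "bypassed"


def fetch_cert(host, mitm_ca_file, proxy_host, proxy_port=3128, timeout=10):
    """Open a CONNECT tunnel through the on-premises proxy and return the
    certificate presented for host. The MITM CA is trusted in addition to the
    system roots, so intercepted and bypassed sites both validate."""
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=mitm_ca_file)
    conn = http.client.HTTPSConnection(proxy_host, proxy_port, timeout=timeout, context=ctx)
    conn.set_tunnel(host, 443)
    try:
        conn.connect()
        return conn.sock.getpeercert()
    finally:
        conn.close()


# Constructed samples in getpeercert() format (not captured from a real proxy).
SAMPLE_INTERCEPTED = {"issuer": ((("organizationName", "Example Corp"),),
                                 (("commonName", "Example ETP MITM CA"),))}
SAMPLE_BYPASSED = {"issuer": ((("organizationName", "Public Example Trust"),),
                              (("commonName", "Public Example CA"),))}

if __name__ == "__main__":
    print(classify(SAMPLE_INTERCEPTED, "Example ETP MITM CA"))
    print(classify(SAMPLE_BYPASSED, "Example ETP MITM CA"))
    # Live check with placeholder values:
    # cert = fetch_cert("monitored.example", "etp-mitm-ca.pem", "proxy.corp.example")
    # print(classify(cert, "Example ETP MITM CA"))
```

A "bypassed" result for the domain in the monitored custom list means the request reached the origin without passing through ETP Proxy, which points at the forwarding configuration of the on-premises proxy.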