Enable selective proxy

Before you begin

Create certificates and distribute the certificates to devices and TLS clients on your network. For more information, see ETP Proxy as a TLS intermediary.

Complete this procedure to enable the selective proxy. The selective ETP Proxy analyzes risky web traffic.

How to

  1. In the navigation menu, select Configuration > Policies.
    Note: If you are trying the new Enterprise Center interface, in the navigation menu, select Policies > Policies.
  2. If you are adding a new policy:
    1. On the Policies page, click the plus sign icon.
    2. Enter a name and description for the policy in the Name and Description field.
    3. To configure a policy with settings from a predefined template, select one of these templates and click Continue:
      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
      • Monitor-only. Logs and reports threats but it does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
      • Custom. Lets you define policy actions for known and suspected threats.
    4. To assign a location, click the link icon, select a location or multiple locations, and click Associate.
  3. If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.
  4. Click the Settings tab.
  5. Enable ETP Proxy:
    1. In the Proxy Settings area, toggle Enable Proxy to on.
    2. To optimize traffic to Microsoft 365 apps and services, enable Optimize Microsoft 365 Traffic. Your organization must be licensed for ETP Advanced Threat to use this feature.
    3. If you want to apply the policy action of a threat category to risky domains that ETP Proxy detected are threats (for example, malware, phishing, or C&C threats), in the Risky Domains menu, make sure Classify is selected. Otherwise, you can select Allow to permit traffic to risky domains without analysis.
    4. If you want to apply the policy action of a threat to file sharing domains that ETP Proxy detected are threats (for example, malware, phishing, or C&C threats), in the File Sharing menu, make sure Classify is selected. Otherwise, you can select Allow to permit traffic to file sharing domains.
      Note: If you block the File Sharing AUP category, the File Sharing field is not available.
    5. If your organization is licensed for ETP Advanced Threat, in the Default Action menu, select Bypass.
  6. In the Other Settings area, enable the Forward Public IP to Origin toggle to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. If you enabled the Optimize Microsoft 365 Traffic option, make sure you also enable this setting.
  7. In the Payload Analysis area of the page, toggle the Enable Inline Payload Analysis to on.
  8. In the Threats tab, select policy actions for threat categories. For more information on policy actions, see Policy actions for lists and threat categories.
  9. To assign a list to a policy, see Add a list to a policy.
  10. If you are participating in the data loss prevention (DLP) beta and you want to associate a DLP dictionary, complete these steps:
    1. In the DLP tab, click the link icon and select a dictionary or multiple dictionaries.
    2. Click Associate. By default, DLP dictionaries are assigned the Monitor action.
    3. To assign the Monitor action, select Block - Error Page from the Action menu.
    Note: You must have enabled ETP Proxy and inline payload analysis to complete this step. This feature is in beta and available to organizations that are licensed for ETP Advanced Threat.
  11. To configure the Acceptable Use Policy (AUP):
    1. In the Acceptable Use Policy tab, click the arrow icon to expand categories that contain subcategories.
    2. To allow content for any AUP category or subcategory, make sure that the Block option is deselected.
    3. To block content in any of the provided categories or subcategories, select Block. If ETP Proxy is not enabled, do one of the following to select the response to the user:
      • To show an end user a custom error page, select Error Page.
      • To show an end user a browser-specific error page and direct traffic to a custom response that’s already configured in ETP, select the custom response from the list. To configure a custom response, see Add a custom response.
    4. If you want a category to bypass ETP or ETP Proxy, select the bypass action. This action is useful when you want to protect user privacy in categories that are associated with sensitive information, such as the Finance & Investing and the Healthcare categories.
  12. Click Save.

Next steps

Deploy the policy to the ETP network. For instructions, see Deploy configuration changes.