Enable selective proxy
Complete this procedure to enable the selective proxy. The selective ETP Proxy analyzes risky web traffic.
Before you begin
Create certificates and distribute the certificates to devices and TLS clients on your network. For more information, see ETP Proxy as a TLS intermediary.
In the navigation menu, select .
Note: If you are trying the new Enterprise Center interface, in the navigation menu, select .
If you are adding a new policy:
- On the Policies page, click the plus sign icon.
- Enter a name and description for the policy in the Name and Description fields.
To configure a policy with settings from a predefined template, select one of these templates and click Continue:
- Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.
- Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.
- Custom. Lets you define policy actions for known and suspected threats.
- To assign a location, click the link icon, select a location or multiple locations, and click Associate.
- If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.
- Click the Settings tab.
Enable ETP Proxy:
- In the Proxy Settings area, toggle Enable Proxy to on.
- To optimize traffic to Microsoft 365 apps and services, enable Optimize Microsoft 365 Traffic. Your organization must be licensed for ETP Advanced Threat to use this feature.
- If you want to apply the policy action of a threat category to risky domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C threats), in the Risky Domains menu, make sure Classify is selected. Otherwise, you can select Allow to permit traffic to risky domains without analysis.
- If you want to apply the policy action of a threat to file sharing domains that ETP Proxy detects as threats (for example, malware, phishing, or C&C threats), in the File Sharing menu, make sure Classify is selected. Otherwise, you can select Allow to permit traffic to file sharing domains.
Note: If you block the File Sharing AUP category, the File Sharing field is not available.
- If your organization is licensed for ETP Advanced Threat, in the Default Action menu, select Bypass.
- In the Other Settings area, enable the Forward Public IP to Origin toggle to forward the user’s public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. If you enabled the Optimize Microsoft 365 Traffic option, make sure you also enable this setting.
- In the Payload Analysis area of the page, toggle Enable Inline Payload Analysis to on.
- If you want to block files that cannot be scanned with ETP Proxy as part of inline payload analysis, enable Block Unscannable Files.
- In the Threats tab, select policy actions for threat categories. For more information on policy actions, see Policy actions.
- To assign a list to a policy, see Add a list to a policy.
If you are participating in the data loss prevention (DLP) beta and you want to associate a DLP dictionary, complete these steps:
Note: You must have enabled ETP Proxy and inline payload analysis to complete this step. This feature is in beta and available to organizations that are licensed for ETP Advanced Threat.
- Go to the Access Control tab.
- In the DLP tab, click the link icon and select a dictionary or multiple dictionaries.
- Click Associate. By default, DLP dictionaries are assigned the Monitor action.
- To assign the Monitor action, select Block - Error Page from the Action menu.
- To configure the Acceptable Use Policy (AUP), see Configure an Acceptable Use Policy.
- Click Save.
Deploy the policy to the ETP network. For instructions, see Deploy configuration changes.