ETP Client for web traffic

With ETP Client 3.0.4 or later, you can:
  • Direct all web traffic to ETP Proxy and scan it for malware. This version of the client supports users who are on or off the corporate network.
  • Provide single sign-on (SSO) to all applications on the client computer after a user authenticates to access websites or applications on the web. This configuration is based on ETP policy and identity provider settings. ETP Client also authenticates devices to ETP Proxy. As a result, HTTP traffic from a specific device is tied to the user’s identity. For more information, see Authentication policy.
  • Split traffic to ensure that users can directly access websites on the local network and these requests are not forwarded to ETP Proxy.
  • If an exception list with a bypass action is configured in a policy, or an internal network configuration exists in ETP, ETP Client sends this traffic directly to its destination instead of to ETP Proxy. Akamai also maintains a list of traffic that’s not directed to ETP Proxy for compliance and performance reasons. For more information, see Akamai bypass list.

As part of the setup for ETP Client, you enable the proxy and perform the setup that’s required for the proxy such as generating or uploading the man-in-the-middle (MITM) certificate in ETP for Transport Layer Security (TLS) decryption. For more information, see Set up ETP Proxy.

To forward all web traffic through ETP Client to ETP Proxy, you must enable these settings:
  • Overwrite Device Proxy Settings. A policy setting that controls whether ETP Client modifies the local web proxy settings on the user’s device and, in turn, becomes the local web proxy. You enable this setting in a policy configuration.

    You can choose to modify or not modify these settings, or you can only modify these settings when no web proxy is configured on the user’s device. If ETP Client acts as the local web proxy, it forwards all traffic to ETP Proxy.

    You can also enable the Configure ETP Client as local computer web proxy setting in the client configuration. For more information, see ETP Client configuration settings. However, the Overwrite Device Proxy Settings setting in the policy takes precedence over the client configuration setting.

  • Proxy Port: When ETP Client modifies the local web proxy settings on the user’s device, it listens for traffic on port 8080 by default. If another process on the user’s device already uses this port, enter a different port in this field. You set this value in the client configuration.
  • Classify as the Default Action. When you select Classify in the Default Action menu of a policy, you allow ETP Proxy to analyze domains that are not in ETP Threat Intelligence, custom lists, or part of an acceptable use policy (AUP) or application visibility and control (AVC) category. This action is also used for categories that have no action assigned.
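The precedence rules above (the policy’s Overwrite Device Proxy Settings choice wins over the client configuration flag, and the "only when no web proxy is configured" choice depends on what the device already has) and the port-conflict caveat can be checked before a rollout. The following Python is an added example, not ETP Client code or an Akamai API: it models the documented precedence, parses the device’s existing WinINET ProxyServer value (Windows stores either `host:port` or `http=h:p;https=h:p;...`) to decide whether a web proxy is already configured, and confirms that the chosen listener port is free on the device. The option names in `Overwrite`, the behaviour when no policy setting is present, and the sample proxy value are assumptions.

```python
"""
Added example (not ETP Client code): models the documented precedence between
the policy's Overwrite Device Proxy Settings choice and the client config's
"Configure ETP Client as local computer web proxy" flag, and checks the port.
Option names and the "no policy setting present" case are assumptions.
"""
import socket
from enum import Enum
from typing import Dict, Optional


class Overwrite(Enum):
    """Assumed names for the three choices of Overwrite Device Proxy Settings."""
    MODIFY = "modify"
    DO_NOT_MODIFY = "do_not_modify"
    MODIFY_IF_NONE = "modify_only_when_no_web_proxy_configured"


def parse_windows_proxy_server(value: Optional[str]) -> Dict[str, str]:
    """Parse a WinINET ProxyServer string into {scheme: 'host:port'}.

    Windows stores either 'host:port' (applies to every scheme; keyed '*' here)
    or 'http=h:p;https=h:p;ftp=h:p;socks=h:p'. Empty/None means no proxy set.
    """
    proxies: Dict[str, str] = {}
    for part in (value or "").split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, endpoint = part.partition("=")
        if sep:
            proxies[scheme.strip().lower()] = endpoint.strip()
        else:
            proxies["*"] = part
    return proxies


def effective_local_proxy(policy: Optional[Overwrite], client_config_flag: bool,
                          device_proxy_server: Optional[str],
                          port: int = 8080) -> Optional[str]:
    """Return the proxy endpoint the device ends up using, or None for none.

    The policy setting takes precedence; the client configuration flag only
    decides when no policy setting is present (assumed behaviour).
    """
    existing = parse_windows_proxy_server(device_proxy_server)
    if policy is Overwrite.MODIFY:
        take_over = True
    elif policy is Overwrite.DO_NOT_MODIFY:
        take_over = False
    elif policy is Overwrite.MODIFY_IF_NONE:
        take_over = not existing          # only when no web proxy is configured
    else:
        take_over = client_config_flag    # no policy setting: client config decides
    if take_over:
        return f"127.0.0.1:{port}"        # ETP Client becomes the local web proxy
    return existing.get("*") or existing.get("http")


def port_is_free(port: int, host: str = "127.0.0.1") -> bool:
    """True if nothing on this device already holds host:port (TCP)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


if __name__ == "__main__":
    # Constructed device state: an on-premises proxy is already configured.
    device = "http=proxy.corp.example:3128;https=proxy.corp.example:3128"
    print(effective_local_proxy(Overwrite.MODIFY, False, device))         # 127.0.0.1:8080
    print(effective_local_proxy(Overwrite.MODIFY_IF_NONE, True, device))  # proxy.corp.example:3128
    print(effective_local_proxy(Overwrite.MODIFY_IF_NONE, True, ""))      # 127.0.0.1:8080
    print("port 8080 free on this device:", port_is_free(8080))
```

Run it on the device before changing the Proxy Port field: a `False` from `port_is_free(8080)` is the case the documentation tells you to resolve by choosing a different port.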

Configuring ETP Client as a local web proxy allows you to forward requests to ETP Proxy. However, if your enterprise includes an on-premises proxy, you can also configure proxy chaining to forward requests from the on-premises proxy to ETP Proxy. ETP Client supports this scenario and continues to protect the user’s device.

If ETP Proxy is configured to scan only risky web traffic rather than all web traffic, ETP Client 3.0.4 or later supports that mode as well. For more information, see ETP Client for DNS only.

Like previous versions of the client, ETP Client 3.0.4 or later:
  • Detects an end user's network conditions.
  • Sends DNS requests to ETP. With version 3.2.0 or later, you can protect user privacy by encrypting the client’s DNS connections to ETP with DNS over TLS (DoT). To learn more, see DNS over TLS.
  • Applies an ETP policy and other configuration settings to DNS requests.
  • Logs user information. In ETP, user information appears on the event reporting pages when a policy is violated and an event is logged. ETP Client also includes its own logs. By default, ETP Client is set with the Info Only log type. This log type records system errors, while the Debug and Verbose log types record additional information, such as DNS lookup queries. For more information, see Troubleshooting logs.
  • Identifies clients by device name. Because the device name is reported by the client, an enterprise may not need to deploy a security connector in its network to discover the machine name of an infected machine. When the Trust XFF header setting is enabled, version 3.0.4 or later also identifies the internal client IP address of web traffic and the client request ID.

To use ETP Client in your network, make sure these conditions apply:
  • ETP Client locations on the corporate network are configured in ETP. This includes public IP addresses of all exit points or gateways in the corporate network. These addresses allow ETP to identify the location where traffic is coming from and apply the policy that corresponds to this location.
  • When ETP Client is off the corporate network and connects from a public IP address that is not configured as a location in ETP, the pre-defined Off Network ETP Clients location is applied. This also covers a user who visits another organization’s network: ETP Client applies the policy of the user’s own corporate ETP configuration, never a policy of the visited network, and because the visited network’s public IP address is not one of the user’s configured locations, the policy associated with the Off Network ETP Clients location takes effect.
  • Configure the DNS suffixes and the IPv4 and IPv6 address ranges of internal corporate network resources and websites. This is done in the ETP Network Configuration. ETP Client sends traffic to these destinations directly and, in turn, bypasses ETP Proxy. If your organization also uses Enterprise Application Access (EAA), you can provide the hostnames of EAA applications.

    Similarly, you can create an exception list with the domains and IP addresses that you prefer bypass ETP Proxy. You can then assign this list to an ETP policy. For more information, see Create an exception list.

  • On Windows machines where ETP Client will be installed, make sure Web Proxy Auto-Discovery (WPAD) for WinHTTP is running. For more information, see Web Proxy Auto-Discovery (WPAD) on Windows.
  • Harden devices in your network to prevent users from changing proxy settings. ETP Client’s web protection depends on the device’s proxy settings pointing at the client’s local listener; a user who can edit those settings can send web traffic around ETP Proxy.
  • Do not enable authentication on ETP client devices that are shared by more than one user. Keep in mind that after a user authenticates on a client device, ETP Client grants single sign-on (SSO) to applications and websites based on that user’s identity.
  • Enable ETP Proxy in the policy associated with the Off Network ETP Clients location.
  • In addition to installing ETP Client on user computers, laptops, and supported mobile devices, you can also install it on server machines.
  • If another proxy is deployed between ETP Client and the on-premises proxy, do not configure that intermediate proxy with the TLS man-in-the-middle (MITM) certificate. Avoiding a second TLS interception in the chain improves performance.

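The two decisions described in the conditions above, which location (and so which policy) applies based on the client’s public egress IP address, and whether a given request goes directly to its destination or to ETP Proxy, can be written down as a small model. The following Python is an added example, not Akamai’s ETP Client code: `Location`, `NetworkConfig` and `ExceptionList` are assumed structures standing in for the ETP location, network configuration and exception-list settings, every address, suffix and list entry is constructed for illustration, and the Akamai bypass list is represented by a placeholder domain rather than Akamai’s real entries. The model also assumes that bypass matching is done on the hostname or IP literal the request names, not on the address a hostname resolves to.

```python
"""
Added example (not ETP Client code): models (1) selecting the ETP location
from the client's public egress IP, falling back to the pre-defined
"Off Network ETP Clients" location, and (2) deciding whether a request is
sent directly (internal network configuration, exception list with a
bypass action, Akamai bypass list) or forwarded to ETP Proxy.
All names, addresses and list entries below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List


@dataclass
class Location:
    name: str
    exit_networks: List[str]  # public IPs or CIDRs of the location's exit points
    policy: str               # name of the ETP policy assigned to the location


# Pre-defined location applied when no configured location matches.
OFF_NETWORK = Location("Off Network ETP Clients", [], "off-network-policy")


@dataclass
class NetworkConfig:
    """Stand-in for the ETP Network Configuration (assumed structure)."""
    dns_suffixes: List[str] = field(default_factory=list)   # internal DNS suffixes
    ip_ranges: List[str] = field(default_factory=list)      # internal IPv4/IPv6 CIDRs
    eaa_hostnames: List[str] = field(default_factory=list)  # EAA application hostnames


@dataclass
class ExceptionList:
    """Stand-in for an exception list with a bypass action (assumed structure)."""
    domains: List[str] = field(default_factory=list)
    ip_ranges: List[str] = field(default_factory=list)


def _ip_in(candidate: str, networks: List[str]) -> bool:
    """True if candidate is an IP literal inside one of the networks/IPs."""
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return False  # a hostname, not an IP literal
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def _host_matches(host: str, names: List[str]) -> bool:
    """Exact or label-aligned suffix match, case-insensitive."""
    h = host.lower().rstrip(".")
    for name in names:
        n = name.lower().strip(".")
        if h == n or h.endswith("." + n):
            return True
    return False


def select_location(public_ip: str, locations: List[Location]) -> Location:
    """Map the client's public egress IP to a configured location or OFF_NETWORK."""
    for loc in locations:
        if _ip_in(public_ip, loc.exit_networks):
            return loc
    return OFF_NETWORK


def route(destination: str, net: NetworkConfig, exc: ExceptionList,
          akamai_bypass: List[str]) -> str:
    """Return 'direct' or 'etp-proxy' for the host or IP literal a request names."""
    if _host_matches(destination, net.dns_suffixes + net.eaa_hostnames):
        return "direct"                       # internal network configuration
    if _ip_in(destination, net.ip_ranges + exc.ip_ranges):
        return "direct"                       # internal range or exception list IP
    if _host_matches(destination, exc.domains + akamai_bypass):
        return "direct"                       # exception list domain or Akamai bypass
    return "etp-proxy"


if __name__ == "__main__":
    locations = [Location("HQ", ["203.0.113.0/24"], "hq-policy")]
    net = NetworkConfig(["corp.example"], ["10.0.0.0/8", "2001:db8::/32"], ["app.eaa.example"])
    exc = ExceptionList(["updates.vendor.example"], ["192.0.2.0/24"])
    bypass = ["bypass.example"]  # placeholder, not Akamai's actual bypass list
    print(select_location("203.0.113.10", locations).name)   # HQ
    print(select_location("198.51.100.5", locations).name)   # Off Network ETP Clients
    for dest in ["intranet.corp.example", "10.1.2.3", "www.example.com", "notcorp.example"]:
        print(dest, "->", route(dest, net, exc, bypass))
```

The `notcorp.example` case is the one to keep in mind when populating DNS suffixes: the match is label-aligned, so a suffix of `corp.example` does not cause an unrelated domain that merely ends in the same characters to bypass ETP Proxy.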
Note: The default settings on Mozilla Firefox and Microsoft Edge browsers may not support ETP Client:
  • Mozilla Firefox does not automatically use the proxy settings on the user's device. If you configure ETP Client as a local web proxy or you set up proxy chaining, you must configure Firefox to use the system proxy settings. For more information, see Configure Mozilla Firefox to use system proxy settings.
  • By default, Microsoft does not allow Universal Windows Platform (UWP) apps such as Microsoft Edge to communicate with a network server that’s listening on localhost. When ETP Client is the local web proxy, Edge must be able to reach that localhost listener. To allow the use of Edge when ETP Proxy is enabled, see Allow ETP Client connections on Microsoft Edge.