Configure Proxy Servers on On-premise Environments
Configure at least one of the Web Gateway appliances installed on your network as the proxy server to redirect web traffic. When configuring the proxy server list, consider whether Client Proxy is deployed with Trellix ePO, Trellix ePO Cloud, or the Trellix ePO.
Before you begin
You must be logged on to the Trellix ePO, Trellix ePO Cloud, or the Trellix ePO server as an administrator.
- Before you can save the policy, you must provide the IP address or host name of at least one proxy server and a port number.
- When you enable the Secure Channel setting with at least one cloud proxy configured in the proxy server list, Client Proxy ignores on-premise proxy servers and considers only the cloud proxy servers in the list. Depending on the availability of the cloud proxy server and port, Client Proxy applies the redirect, block, or fallback (Allow Connection without Secure Channel) option. A proxy with a domain like c*******.wgcs.skyhigh.cloud is considered a cloud proxy.
Complete the following:
- From the main menu, select Policy | Policy Catalog.
- From the Products list, select the current version of Client Proxy.
- Click SCP Policy to view the policy list.
- Click Edit on the same row as the policy you want to configure.
- From the Client Proxy Settings menu, select Proxy Servers.
- To specify how the software selects a proxy server from the list, select an option:
  - connect to the first accessible Proxy Server based on their order in the list below — The software selects the next proxy server from the list that you configure.
  - connect to the Proxy Server that has the fastest response time — The software selects the next proxy server from the list that it maintains, which is based on response time.
- To add proxy servers to the Proxy Server List, configure these settings, then click Add.
  - Proxy Server Address (IP or Hostname) — Specifies the IP address or host name of the proxy server.
  - Proxy Port — Specifies the port number of the proxy server.
  - HTTP/HTTPS — Select this checkbox to redirect traffic sent to ports 80 and 443 to a proxy server.
  - Non-HTTP/HTTPS Redirected Ports — Specifies the port numbers of protocols other than HTTP/HTTPS whose traffic you want redirected. Verify that the proxy server supports these protocols. You can enter up to 1024 characters in this field.
- Select Enable Auto proxy switch over for Alternate Proxy, then specify a value for the Polling interval in this range: 10–3600 seconds. The recommended value is 60 seconds.
The auto-proxy switchover option is available only when the "connect to the first accessible Proxy Server based on their order in the list below" option is selected.
NOTE: While using the Secure Channel feature, the Enable Auto proxy switch over setting is not applicable for a proxy server list.
- In the Specify additional ports that you would like to redirect as HTTP/HTTPS traffic field, specify the numbers of other ports whose traffic you want redirected like HTTP/HTTPS traffic. For example, you can redirect traffic sent to an application. You can enter up to 1024 characters in this field.
- Optionally, select Block Traffic on configured Ports if none of the Primary Proxy servers is reachable.
When none of the configured proxy servers can be reached, all traffic to the configured ports and default ports 80 and 443 is blocked.
- Select Block Traffic on configured Ports until MCP is Ready to protect the endpoint while Client Proxy is starting.
All traffic to the configured ports and default ports 80 and 443 is blocked from the time the user has internet access until Client Proxy exits bypass mode and starts redirecting traffic.
- Select Block IPv6 Traffic on configured Ports to require web browsers to fall back to IPv4.
- Select Block Traffic when Mutual Authentication with Primary Proxy Failed to make sure that Client Proxy only redirects web requests when it can authenticate the proxy server.
- Deselect Bypass proxy server for local addresses to redirect all traffic, including traffic sent to local addresses inside your organization's subnet network, to a proxy server. You can configure an IP address, IP address range, subnet, or CIDR. For example, 192.168.1.1, 172.31.255.10-172.31.255.20, 10.50.0.0/255.255.128.0 or 10.50.0.0/17.
- Select Block UDP Traffic on Ports 80/443 for IPv4 and IPv6 to block this traffic.
- Click Save.
The proxy servers list is saved with the policy.
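The local-address step above accepts four entry formats (single IP address, address range, subnet with mask, CIDR), and entries in any of them can be checked before they go into a policy. The following Python script is an added example, not Trellix code or the product's own parser; the function names, the RFC 1918 check, and the sample entries are assumptions made for illustration.

```python
import ipaddress

# Assumption: "local" means RFC 1918 private space; adjust to your own subnets.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the four examples from the step above, then three
# entries a review should flag.
SAMPLE_ENTRIES = [
    "192.168.1.1", "172.31.255.10-172.31.255.20",
    "10.50.0.0/255.255.128.0", "10.50.0.0/17",
    "10.50.0.1/17", "172.31.255.20-172.31.255.10", "0.0.0.0/0",
]

def parse_entry(entry):
    """Return (first, last) IPv4 addresses covered by one list entry."""
    entry = entry.strip()
    if "-" in entry:                      # first-last range
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError("range start is above range end")
        return lo, hi
    if "/" in entry:                      # subnet/mask or CIDR
        # strict=True rejects entries with host bits set, e.g. 10.50.0.1/17
        net = ipaddress.IPv4Network(entry, strict=True)
        return net[0], net[-1]
    addr = ipaddress.IPv4Address(entry)   # single address
    return addr, addr

def audit(entries):
    """Return (parsed ranges, findings) for a list of entries."""
    parsed, findings = [], []
    for entry in entries:
        try:
            lo, hi = parse_entry(entry)
        except ValueError as exc:
            findings.append((entry, f"invalid: {exc}"))
            continue
        # Both ends inside one private block means the whole range is inside it.
        if not any(lo in n and hi in n for n in RFC1918):
            findings.append((entry, "extends outside RFC 1918 private space"))
        parsed.append((lo, hi))
    return parsed, findings

def is_covered(dest, parsed):
    """True if dest falls inside any parsed entry."""
    d = ipaddress.IPv4Address(dest)
    return any(lo <= d <= hi for lo, hi in parsed)

if __name__ == "__main__":
    for entry, reason in audit(SAMPLE_ENTRIES)[1]:
        print(f"{entry}: {reason}")
```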