Set Up a Secure Next-hop Proxy to Secure Traffic on a Hybrid Connection

You can set up a secure next-hop proxy on the Secure Web Gateway on-prem product to ensure traffic going to the Secure Web Gateway cloud product is secure.

When a secure next-hop proxy is in place, traffic on the connection to the cloud product follows the TLS protocol. Under this protocol, a certificate is presented at the initial handshake from the server side and verified.

The on-prem product then authenticates as client to Security Service Edge (SSE), using the authentication method that you have configured for Skyhigh Client Proxy (SCP). Any authentication information that has been collected on-prem, for example, LDAP or NTLM user and user group information, is transformed into Client Proxy information and submitted.

1. On the user interface for the Secure Web Gateway on-prem product, select Policy > Rule Sets.

2. Import a rule set with a rule where an event for enabling a next-hop proxy can be inserted.

   1. Under Rule Sets, click Add, then select Top-Level Rule Set.

   2. In the window that opens, click Import Rule Set from Rule Set Library.

   3. In the library window, expand Next-Hop Proxy on the library rule set tree and select the Next-Hop Proxy rule set.

   4. Click OK.
      
      The imported rule set is added at the bottom of the rule set tree in the navigation area.

3. Create an event that enables a next-hop proxy.

   1. Select the imported Next-Hop Proxy rule set and click Unlock View on the right. When prompted, confirm with Yes.
      
      The rule that is included in the rule set appears. It is the only rule here.

   2. Select the rule and click Show Details.
      
      The rule elements, including an event, show up.

   3. Click Edit immediately above the rule, then select Events in the window that opens.

   4. Click Add and select Event from the drop-down list.

   5. In the Event field of the window that opens, scroll down the list to Enable Next-Hop Proxy and select this event.

4. Configure settings for the event that make the next-hop proxy that is enabled a secure next-hop proxy.

   1. With the event selected, click Add under Settings.

   2. In the window that opens, make sure you are on the Add Settings tab and type a name for the settings in the Name field, for example, Hybrid.

   3. Under Next-Hop Proxy Server, select a list of next-hop proxies from the list of lists that is provided here, for example, the Internal proxies list.

   4. Click Edit, and in the window that opens, click the Add icon.
      
      A window for creating a next-hop proxy opens.

   5. Create a next-hop proxy with the following settings.

      • Host — Host name of the device that presents a server-side certificate under the TLS protocol
        
        This name is the host name for Skyhigh Security Service Edge, for example, c1234.wgcs.mcafee-cloud.com. Be sure
        to enter this host name here, not an IP address.
        
        Otherwise the certificate will not match when it is verified.

      • Port — 8081
        
        This port is where the TLS connection terminates under this Hybrid solution.
        
        To see the next relevant option, you must scroll further down. It is provided under UCE Specific Parameters.

      • Use secure connection to next-hop proxy — Select this option

      • Validate X-SWEB headers. Block non-matching customer ID and user name — Select this option as needed.
        
        This option is only available when UCE Hybrid and Secure NHP are enabled.

   6. Click OK in this window and in the others that are open, except for the last of them. Click Finish here.
      
      You have now created a secure next-hop proxy for the Hybrid solution and an event that enables it in a rule.

5. Modify the Certificate Verification rule set to ensure the server-side certificate is properly verified.

   1. On the rule set tree, select HTTPS Scanning, then select Enable on the right and click Unlock View. When prompted, confirm with Yes.

   2. Select the nested Certificate Verification rule set and click Edit on the right.

   3. In the window that opens, configure settings as follows:

      • Scroll down the list of properties on the left and select Command.Name.

      • Select equals from the list in the middle.

      • Enter the following in the field on the right: 
        
        CERTVERIFY_SECURECHANNEL

      • Click OK here and in the other window that is open.
        
        The nested Certificate Verification rule set is still displayed. The rule set criteria in the top right corner reads like this now:
        
        Command.Name equals "CERTVERIFY" OR
        Command.Name equals "CERTVERIFY_SECURECHANNEL"

6. Configure settings for the Hybrid solution.

   1. Select the Configuration top-level menu.

   2. On the appliances tree, select the appliance where you want to configure settings for the Hybrid solution, then select Cluster > UCE Hybrid for this appliance.

   3. Under UCE Hybrid Configuration in the configuration area on the right, enable UCE Hybrid Settings.

   4. Under Customer ID, enter your Customer ID.

   5. Under Shared Password, set a password.
                

7. Click Save Changes.

You have now set up a secure next-hop proxy for the traffic that goes from the Secure Web Gateway on-prem to the cloud product.