
Skyhigh Security

Advanced Settings for Proxies

Settings for advanced proxy functions.

Option Definition
Maximum number of client connections

Limits the number of connections between a proxy on an appliance and its clients.

Specifying 0 means that no limit is configured.

Default: 50000 connections

Handle responses from server (content-encoding)

Provides options for handling the content in the body of a response from a web server that is forwarded to a client by Web Gateway.

The content can be handled differently depending on whether it is compressed, for example, when GZIP encoding has been applied, or not.

Compressed content can be extracted to allow access, inspection, and other treatment according to the rules that are configured on Web Gateway.

Forwarding to the client is only performed if and to the extent that the rules allow it.

  • Extract but do not compress — Compressed content is extracted and forwarded uncompressed to the client.
    Uncompressed content is forwarded as it is.
  • Extract and compress if server response is compressed — Compressed content is extracted and compressed again before forwarding it to the client.
    Uncompressed content is forwarded as it is.
  • Extract and compress if client supports compression — Compressed content is extracted and compressed again before forwarding to the client if the client supports compression. Otherwise it is forwarded uncompressed.
    Uncompressed content is compressed and then forwarded if the client supports compression. Otherwise it is forwarded uncompressed.
  • Do not extract and not compress — Compressed content is not extracted and forwarded to the client compressed.
    Uncompressed content is forwarded uncompressed.

Not extracting compressed content reduces load in content forwarding. This option is therefore useful when content inspection or other treatment is not required.

For example, if you only want to apply URL filtering to web traffic, content extraction is unnecessary. Compressed content is, however, extracted under this option if the Dynamic Content Classifier (DCC) is called in case a URL could not be rated using Trusted Source information.

To call the DCC, the following setting within the URL settings must be selected: Enable the Dynamic Content Classifier if GTI web categorization yields no result.

The extracted content is forwarded uncompressed to the client.
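The four content-encoding modes above, as an added decision routine (not Web Gateway's own code) that takes the configured mode, the server body, its Content-Encoding and whether the client accepts gzip, and returns what is forwarded plus the bytes the filtering rules get to inspect. The mode strings and the sample body are constructed for this example; gzip stands in for any supported encoding.

```python
import gzip
from typing import Optional, Tuple

# Constructed sample origin response; SAMPLE_GZIP is the same body as the server
# would send it with "Content-Encoding: gzip".
PLAIN_BODY = b"<html><body>hello from origin</body></html>"
SAMPLE_GZIP = gzip.compress(PLAIN_BODY)

# Hypothetical identifiers for the four option values listed on the page.
EXTRACT_NO_COMPRESS = "extract-no-compress"
EXTRACT_COMPRESS_IF_SERVER = "extract-compress-if-server-compressed"
EXTRACT_COMPRESS_IF_CLIENT = "extract-compress-if-client-supports"
DO_NOT_EXTRACT = "do-not-extract"


def extract(body: bytes) -> bytes:
    """Undo gzip so the rules can inspect the real content."""
    return gzip.decompress(body)


def handle_response(mode: str, body: bytes, content_encoding: Optional[str],
                    client_accepts_gzip: bool
                    ) -> Tuple[bytes, Optional[str], Optional[bytes]]:
    """Return (body_to_client, content_encoding_to_client, inspectable_bytes).

    inspectable_bytes is None when a compressed body is passed through without
    extraction, i.e. the rules never see its real content.
    """
    compressed = content_encoding == "gzip"
    if mode == DO_NOT_EXTRACT:
        # Cheapest path: nothing is decoded, so only URL-level rules can apply.
        return body, content_encoding, (None if compressed else body)

    # Every other mode extracts compressed content so that rules can filter it.
    plain = extract(body) if compressed else body

    if mode == EXTRACT_NO_COMPRESS:
        return plain, None, plain
    if mode == EXTRACT_COMPRESS_IF_SERVER:
        # Re-compress only what arrived compressed; plain stays plain.
        return (gzip.compress(plain), "gzip", plain) if compressed else (plain, None, plain)
    if mode == EXTRACT_COMPRESS_IF_CLIENT:
        # Decision follows the client's capability, not the server's choice.
        return (gzip.compress(plain), "gzip", plain) if client_accepts_gzip else (plain, None, plain)
    raise ValueError(f"unknown content-encoding mode {mode!r}")
```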

Handle compressed requests from client

Provides options for handling requests that were received in compressed format from a client of Web Gateway.

  • Ignore — The compressed content is not extracted and filtered, and the request is forwarded to the web server in compressed format.
  • Extract — The compressed content is extracted, so it can be filtered, but not compressed again before it is eventually forwarded to the web server.
  • Extract and compress again — The compressed content is extracted, so it can be filtered, and compressed again before it is eventually forwarded to the web server.

Number of working threads

Specifies the number of threads used for filtering and transmitting web objects when a proxy is run on an appliance.

Number of threads for AV scanning

Specifies the number of threads used to scan web objects for infections by viruses and other malware when a proxy is run on an appliance.

Use TCP no delay

When selected, delays on a proxy connection are avoided by not using the Nagle algorithm to assemble data packets.

This algorithm holds back small packets until a certain amount of data has been collected for sending.

Maximum TTL for DNS cache in seconds

Limits the time (in seconds) that host name information is stored in the DNS cache.

Timeout for errors for long running connections

Sets the time (in hours) that a long-running connection to another network component is allowed to remain inactive before Web Gateway closes the connection.

The default time is 24 hours.

This setting prevents the performance of a Web Gateway appliance from being impacted by connections that stay open for an extremely long time.

Time is measured as follows for the different connection protocols to determine whether the timeout has been reached.

  • HTTP, HTTPS (with content inspection), ICAP, and similar protocols: Time is measured for every request that is sent on a connection.
  • SOCKS (when the embedded protocol is not followed), tunneled HTTP, HTTPS (without content inspection), and similar protocols: Time is measured for a connection as a whole.
  • FTP: Time is measured for the control connection.

When the connection is closed, an error is generated, which can be handled by the rules in an Error Handler rule set.

Check interval for long running connections

Sets the time (in minutes) that elapses between check messages sent over a long-running connection.

Maximum amount of data per connection or request

Sets the amount of data (in MB) that can be sent on a long-running connection to another network component before Web Gateway closes the connection.

The default amount is 10,240 MB.

This setting prevents the performance of a Web Gateway appliance from being impacted by long-running connections that carry a very high data load.

Data load is measured as follows for the different connection protocols to determine whether the maximum amount has been reached.

  • HTTP, HTTPS (with content inspection), ICAP, and similar protocols: Data load is measured for every request that is sent on a connection.
  • SOCKS (when the underlying protocol is not followed), tunneled HTTP, HTTPS (without content inspection), and similar protocols: Data load is measured for a connection as a whole.
  • FTP: Data load is measured for the data connection.

When the connection is closed, an error is generated, which can be handled by the rules in an Error Handler rule set.

The following properties are then set to the value of the measured data to be available for the error handling rules: Bytes.ToClient, Bytes.ToServer, Bytes.FromClient, Bytes.FromServer.

Volume interval for connections

Sets the volume interval for long-running connections.

Internal path ID

Identifies the path an appliance follows to forward internal requests (not requests received from clients), for example, requests for style sheets used to display error messages.

Bypass RESPmod for responses that must not contain a body

When selected, responses sent in communication under the ICAP protocol are not modified according to the RESPMOD mode if they do not include a body.

Call log handler for progress page updates and objects embedded in error templates

When selected, the rules in the log handler rule set that is implemented on the appliance are processed to deal with the specified updates and objects.

Allow connections to use local ports using proxy

When selected, local ports can be used for requests on an appliance that a proxy is run on.

Use virtual IP as the Proxy.IP property value

When selected, the value for the Proxy.IP property in High Availability mode is a virtual IP address for all nodes in a configuration.

It is the virtual IP address that is used by clients to connect to the proxy.

When the director node redirects a request sent from a client to a scanning node, this address is the value of the Proxy.IP property also on the scanning node (not the physical address of the scanning node).

HTTP(S): Remove all hop-by-hop headers

When selected, hop-by-hop headers are removed from requests received on an appliance that an HTTP or HTTPS proxy is run on.

HTTP(S): Inspect via headers to detect proxy loops

When selected, via headers in requests received on the appliance that an HTTP or HTTPS proxy is run on are inspected to detect loops.

HTTP(S): Host from absolute URL has priority over host header

When selected, the host names corresponding to absolute URLs in requests received on an appliance that an HTTP or HTTPS proxy is run on are preferred to the host names contained in the request headers.
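The three HTTP(S) request options above (hop-by-hop removal, Via loop detection, host precedence), as an added example applied to one request; this is illustrative code, not Web Gateway's implementation. The hop-by-hop header list is the one from RFC 7230 section 6.1 extended by any names listed in the Connection header; the proxy pseudonym and the sample headers are constructed.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# RFC 7230 section 6.1 hop-by-hop headers; names listed in Connection are added per request.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te", "trailer",
              "transfer-encoding", "upgrade", "proxy-authenticate", "proxy-authorization"}

# Constructed placeholder for the pseudonym this proxy writes into its own Via entries.
PROXY_PSEUDONYM = "mwg-node1"


class ProxyLoop(Exception):
    """Raised when the request already carries our own Via entry."""


def detects_loop(via_header: Optional[str]) -> bool:
    """True if any Via entry ("1.1 pseudonym (comment)") names this proxy."""
    if not via_header:
        return False
    for entry in via_header.split(","):
        parts = entry.split()
        if len(parts) >= 2 and parts[1] == PROXY_PSEUDONYM:
            return True
    return False


def prepare_request(request_target: str, headers: Dict[str, str],
                    remove_hop_by_hop: bool = True, inspect_via: bool = True,
                    absolute_url_wins: bool = True) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (upstream host, headers to forward) after applying the three options."""
    h = {k.lower(): v for k, v in headers.items()}

    if inspect_via and detects_loop(h.get("via")):
        raise ProxyLoop(f"request already passed through {PROXY_PSEUDONYM}: {h['via']}")

    if remove_hop_by_hop:
        doomed = set(HOP_BY_HOP)
        doomed |= {t.strip().lower() for t in h.get("connection", "").split(",") if t.strip()}
        h = {k: v for k, v in h.items() if k not in doomed}

    host = h.get("host")
    # Proxy-style requests carry an absolute URL; decide which host name wins.
    if request_target.lower().startswith(("http://", "https://")):
        url_host = urlsplit(request_target).netloc
        if absolute_url_wins or not host:
            host = url_host
    return host, h
```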

Encode own IP address in progress page ID to enable non-sticky load balancers

When selected, the appliance's own IP address is encoded in the progress page ID.

HTTP(S): Maximum size of a header

Sets a limit to the size (in MB) for the header of a request or response sent in HTTP(S) traffic.

Default: 10 MB

Listen backlog

Specifies a value for the listen backlog.

Default: 128

Limit for working threads doing IO in web cache

Sets a limit to the number of working threads for the web cache.

Default: 25

Progress page limit

Sets a limit to the size (in KB) of the progress page.

Default: 40,000 KB

Enable TCP window scaling

When selected, the initial size of the window for receiving TCP data packets can be increased up to a maximum value that depends on a scaling factor.

This factor is configured under TCP window scale.

With a larger window size, Web Gateway can receive more data from a web server or client on a given connection before an acknowledge (ACK) packet must be sent.

Benefit: Improved network throughput, especially on high-latency connections

Risk: If routers or firewalls do not accept a larger window size, window scaling might fail, leading to slow or no throughput.

Recommended: Reduce the window to a size that results in an acceptable performance.

Default: Enabled

NOTE: When this option is disabled, no window scaling is performed. Disable the option with caution.

TCP window scale

Sets the scaling factor that determines the maximum size of the window for receiving TCP data packets.

If window scaling is enabled, the initial window size can be increased using this scaling factor, which is calculated by taking base 2 to the power of the value that you specify here.

For example, if you specify 1, the scaling factor is 2^1 = 2, so the maximum window size is doubled.

If you specify 0, which gives a scaling factor of 1, the initial window size is kept for Web Gateway. Window scaling can still be used then for the receive window of the communication partner.

Range of values: 0–4

Default: 7

NOTE: With this default, the receive window can be increased to a maximum size of 8192 KB.
