DCE-IP Feature Enablement Support for Skyhigh Secure Web Gateway: Hybrid Mode
In the current implementation of DCE-IP feature enablement and support, dedicated IPs are not supported for Web Hybrid (WP2) customers, or where customers manage Web Policy on an on-premises SWG and synchronise it to the Cloud. With specific routing provisioning, however, the DCE-IP feature can be enabled and controlled in hybrid mode. The configuration defines an exception to rule evaluation through an SCP Policy-managed Gateway Object List combined with a List Redirect Rule. The detailed steps below show how to provision the DCE-IP Web Policy Ruleset so that it is evaluated and managed by SWG Cloud in Hybrid Mode via a traffic routing exception.
DCE-IP Feature Enablement Traffic Route Workflow
SCP Policy Traffic Flow
Main traffic is sent to the primary gateway (c.hybrid.skyhigh.cloud), where the hybrid policy from Classic SWG applies. Traffic to any domain on your String List is instead redirected to the alternate gateway (c.wgcs.skyhigh.cloud). This alternate route provides dedicated egress IP addresses for those specific domains.
This configuration creates two traffic pathways:
- Main Path: SCP traffic goes to the primary gateway (Classic SWG) and follows the hybrid policy rules.
- Exception Path: Traffic to the specific domains in your String List is routed to the alternate gateway (SSE/MOWGLI SWG) so that it uses the dedicated IP addresses.
Steps to Configure DCE-IP Feature Support in Hybrid Mode:
Step 1: Login to SWG Cloud Console
- Navigate to Setting > Infrastructure > Web Gateway Setup > Manage SCP Option.
- Click on Gateway Object List (...) and create two new Gateway Objects (the names below are for testing and can be changed for production users):
Gateway 1 (Admin: Primary Gateway): c<CustomerID>.hybrid.skyhigh.cloud
Gateway 2 (Admin: Alternate Gateway): c<CustomerID>.wgcs.skyhigh.cloud
- After creating the two Gateway Objects, navigate to Configuration Policies.
- Click on (...) to create a new SCP Policy.
- Add Gateway 1 as the Primary Gateway and Gateway 2 as the Alternate Gateway.
- Click Save to complete the process.
Example: The screenshot below shows DEV_DCEIP_Testing and the SCP Policy, which includes c<CustomerID>.hybrid.skyhigh.cloud as the Primary Gateway Object and c<CustomerID>.wgcs.skyhigh.cloud (FQDN) as the Alternate Gateway Proxy.
Step 2: Create List Catalog Exception
The DCE-IP hostname list is routed via the Alternate Proxy so that this traffic egresses from, and is evaluated by, SWG Cloud (SSE/Mowgli).
- Navigate to Policy > Web Policy > List Catalog > String.
- Click on (...) to create a new String List.
- Name the String List as Dedicated Egress IP Host List.
- Add the list of Hosts that need to egress via Dedicated Egress IP.
- On the top right corner, click Actions > Add New Items to add hostnames.
- Click Save to complete the process.
Step 3: Add a DCE-IP Hostname String List to SCP Policy
- Navigate to Settings > Infrastructure > Web Gateway Setup > Manage SCP option.
- Go to the SCP Policy where the Gateway Object List was created and mapped in Step 1 as Gateway 1 (Admin: Primary Gateway: c<CustomerID>.hybrid.skyhigh.cloud) and Gateway 2 (Admin: Alternate Gateway: c<CustomerID>.wgcs.skyhigh.cloud).
- Navigate to List Redirection option > Lists from Web Policy List Catalog.
- Click Add List option.
- Navigate to the DCE-IP Hostname String List created in Step 2.
- Select the String List.
- Click Save to complete the process.
Step 4: DCE-IP Web Policy Configuration via Rule Builder
- Proceed with configuring the DCE-IP Web Policy Ruleset Condition for the Selected DCE-IP Hostname List from the String List created in Step 2.
- Refer to the technical reference guide for DCE-IP Web Policy Ruleset Configuration (DCE-IP) for more details and examples.
- Navigate to Policy > Web Policy > Policy.
- Click on the hybrid Web Policy Ruleset.
- Navigate to the Hybrid Policy All Traffic Condition.
- On the far right, click the three dots (...) option.
- Select Add Policy Via Rule Builder Option.
- Follow the Ruleset Condition example provided to configure the DCE-IP Ruleset Condition.
NOTE: Place the Final Policy above the Hybrid Routing Web Policy Ruleset Condition to create an exception for DCE-IP rule evaluation via the Alternate Gateway (c<CustomerID>.wgcs.skyhigh.cloud) in Hybrid Mode.
End-user traffic to hosts on the DCE-IP Hostname List is now evaluated via the Alternate Gateway (WGCS Cloud), because rulesets are evaluated top to bottom, and the Hybrid Routing Policy synchronized from the on-premises SWG continues to work as expected in hybrid mode.
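The two routing paths and the top-to-bottom rule evaluation that the NOTE above depends on can be modelled to check a host list and a ruleset order before touching the console. The following is an added illustration, not Skyhigh product code: the gateway FQDNs reuse the page's <CustomerID> placeholder, the host names and sample URLs are constructed, and exact-hostname matching against the String List is an assumption about how the list is applied.

```python
"""Model of the SCP two-path routing (Step 3) and first-match ruleset evaluation
(Step 4). Added example, not Skyhigh product code; hostnames are constructed and
exact-hostname list matching is an assumption."""

from dataclasses import dataclass
from typing import Callable, List

PRIMARY_GATEWAY = "c<CustomerID>.hybrid.skyhigh.cloud"    # Classic SWG, hybrid policy
ALTERNATE_GATEWAY = "c<CustomerID>.wgcs.skyhigh.cloud"    # SSE/WGCS, dedicated egress IPs

# Constructed stand-in for the "Dedicated Egress IP Host List" String List (Step 2).
DEDICATED_EGRESS_HOSTS = frozenset({"payroll.example.com", "partner-api.example.net"})


def normalize_host(url_or_host: str) -> str:
    """Reduce a URL or host string to a bare lower-case hostname so that scheme,
    port, path, case or a trailing dot cannot cause a list miss."""
    host = url_or_host.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    return host.rstrip(".")


def scp_gateway_for(url: str, host_list=DEDICATED_EGRESS_HOSTS) -> str:
    """Step 3 List Redirection at the client: a host on the String List is sent to the
    alternate gateway; everything else follows the main path to the primary gateway."""
    return ALTERNATE_GATEWAY if normalize_host(url) in host_list else PRIMARY_GATEWAY


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[str], bool]


def evaluate(rules: List[Rule], url: str) -> str:
    """Top-to-bottom, first-match evaluation; returns the name of the rule that fired."""
    for rule in rules:
        if rule.matches(url):
            return rule.name
    return "no-match"


def never_firing_rules(rules: List[Rule], sample_urls: List[str]) -> List[str]:
    """Dry-run check for the ordering mistake the NOTE warns about: a rule placed
    below a catch-all never fires. Returns the names of rules no sample reached."""
    fired = {evaluate(rules, u) for u in sample_urls}
    return [r.name for r in rules if r.name not in fired]


DCE_IP_RULE = Rule(
    "DCE-IP: evaluate via alternate gateway",
    lambda u: normalize_host(u) in DEDICATED_EGRESS_HOSTS,
)
HYBRID_ALL_TRAFFIC_RULE = Rule("Hybrid Routing: all traffic", lambda u: True)

CORRECT_ORDER = [DCE_IP_RULE, HYBRID_ALL_TRAFFIC_RULE]   # DCE-IP above the hybrid condition
WRONG_ORDER = [HYBRID_ALL_TRAFFIC_RULE, DCE_IP_RULE]     # catch-all shadows the DCE-IP rule

SAMPLE_URLS = [                                          # constructed test traffic
    "https://payroll.example.com/login",
    "https://PARTNER-API.example.net:8443/v1/",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:45} -> {scp_gateway_for(url)} | {evaluate(CORRECT_ORDER, url)}")
    print("rules shadowed in wrong order:", never_firing_rules(WRONG_ORDER, SAMPLE_URLS))
```

Running the block shows the two hosts on the list taking the alternate gateway while the third stays on the primary, and `never_firing_rules` reporting the DCE-IP rule as shadowed when it sits below the all-traffic condition, which is exactly the outcome the NOTE's ordering requirement prevents.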
Scope of the feature: An all-traffic condition for the DCE-IP Web Policy Ruleset in Hybrid Mode is neither suggested nor required; only the specific DCE-IP hostnames defined in the String List, based on the customer's requirements, should be routed this way in the hybrid setup.