
Skyhigh Security

Connection Settings

The connection settings let you configure the ports on which the Skyhigh Client intercepts web traffic and redirects it to the upstream Skyhigh Secure Web Gateway.

NOTE: Policy rules are applied only to traffic on the redirection ports. Traffic on any other port is governed by the non-redirected port setting described below.

To configure connection settings:

  1. Navigate to Policy > Skyhigh Client > Configuration.
  2. From the Settings list, select Client Profile.
  3. Select a profile from the list of profiles.
    The Connection Settings tab displays by default.
  4. To add an interception port:
    1. From the Add Ports drop-down, select Add Inline.
    2. Enter the following:
      • Port. Specify the port on which traffic is intercepted and redirected to the proxy server.
      • Comments. Enter applicable information.
  5. To import port numbers from a CSV file:
    1. From the Add Ports drop-down, select Import CSV.
    2. Navigate to the folder containing the port list, select the file, and click Open.
      The ports are added to the list.
  6. To export the configured port numbers to a CSV file:
    1. From the Add Ports drop-down, select Export CSV.
      The configured port list is downloaded as a CSV file.
For traffic on non-redirected ports
  1. To control how traffic on non-redirected ports is handled, select one of the following options:
    • Allow all traffic except for processes in the list
    • Block all traffic except for processes in the list
  2. Click the selected option and select one of the following from the Add Process drop-down:
    • Add Inline. Add a process to the list.
    • Import CSV. Import a process list.
    • Export CSV. Export the process list.
Local Proxy Settings

To handle web traffic intercepted from local applications, Skyhigh Client Proxy previously exposed an internal listener port on the loopback interface whose number was assigned dynamically. With the new Skyhigh Client, this local proxy port is static and is configured through the Client Profile.

  • Local Proxy Port. 8080 is set by default.

NOTE: Skyhigh Client uses this TCP port by default to handle intercepted web traffic internally. A service restart is required if the port number is changed.

  • Enable local proxy. Select this checkbox to use the local proxy.

    When enabled, this option allows other applications running on the endpoint (for example, browsers) to configure the local proxy as an explicit proxy in their own application-specific proxy settings. Because the listener is bound to the loopback interface, only processes on the same endpoint can reach it.
On-Premise Bypass
  1. To add an On-Premise IP address, in the On-Premise IP Addresses section, select one of the following from the Add Address drop-down:
    • Add Inline. Enter the following:
      • Hostname/IP Address. Enter the hostname or IP address of an endpoint.
      • Port. Enter the port number.
    • Import CSV. Select the CSV file containing the address list; the file is imported.
    • Export CSV. The configured address list is exported as a CSV file.
  2. To add a Corporate VPN Address Space, in the Corporate VPN Address Space section, select one of the following from the Add Address drop-down:
    • Add Inline. Enter the following:
      • Hostname/IP Address. Enter the hostname or IP address of an endpoint.
      • Port. Enter the port number.
    • Import CSV. Select the CSV file containing the address list; the file is imported.
    • Export CSV. The configured address list is exported as a CSV file.
Security Settings
  • Allow connection to proxy if mutual authentication fails. Select this checkbox to allow the connection to the proxy even when mutual authentication fails.

NOTE: By default, when mutual authentication fails, traffic is not forwarded to the remote gateway. Mutual authentication lets the Client and the Skyhigh gateway verify each other's identity, ensuring the Client connects only to a legitimate gateway. Selecting this checkbox removes that guarantee for the failing connection, so leave it cleared unless you have a specific operational reason to fail open.

  • Enable Secure Channel. Select this checkbox to establish a secure connection between the Skyhigh Client and the Skyhigh Security WGCS. When selected, the Client validates the cloud proxy certificate against the device certificate store and then establishes the secure connection.
    • Select Port. Select one of the following ports for establishing the secure connection:
      • 8081
      • 443
    • If user cannot connect to the selected secure channel port
      • Allow Connection without Secure Channel. Select this checkbox to allow the connection over the configured proxy port without establishing a secure connection between the Skyhigh Client and the Skyhigh Security WGCS. With this option selected, the Client falls back to the unsecured proxy connection whenever the secure channel port is unreachable, including when it has been blocked deliberately.
    • Certificate Validation Settings
      • Validate using the certificate list on the device. Selected by default. This ensures the cloud proxy certificate is continuously validated against the certificate store on the device.
      • Allow connection to secure channel if certificate verification fails. Select this checkbox to allow traffic to the cloud proxy server even when certificate verification fails. With this option selected, a certificate the Client cannot validate no longer blocks the connection, so the secure channel no longer proves it is talking to the genuine cloud proxy.
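The secure channel and certificate options above form a small decision tree, and each fail-open checkbox removes one branch that would otherwise refuse the connection. The Python below is added here as an example and is not Skyhigh Client code: it models that tree by attempting a verified TLS connection on the selected secure channel port, distinguishing a certificate verification error from an unreachable port, and falling back only where the corresponding checkbox is set. The SecureChannelProfile fields, the Outcome names, the injectable `attempt` callable and the two simulated failures are assumptions introduced for the example. The page does not state what the Client does when certificate verification fails and the fail-open option is cleared; treating that case as refused is likewise an assumption.

```python
"""Decision model for the Secure Channel options on this page.
Constructed example, not Skyhigh Client code; field names and the
behaviour on the refused paths are assumptions (see lead-in)."""
import socket
import ssl
from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Outcome(Enum):
    SECURE = "secure channel, certificate verified"
    UNVERIFIED = "secure channel, certificate NOT verified (fail-open)"
    PLAIN = "plain proxy port, no secure channel (fail-open)"
    REFUSED = "connection refused (fail-closed)"


@dataclass(frozen=True)
class SecureChannelProfile:
    """Assumed representation of the profile checkboxes described above."""
    enable_secure_channel: bool = True
    secure_port: int = 8081                     # page offers 8081 or 443
    proxy_port: int = 8080                      # configured proxy port (assumed)
    allow_without_secure_channel: bool = False  # "If user cannot connect ..."
    validate_with_device_store: bool = True     # "Validate using the certificate list on the device"
    allow_on_cert_failure: bool = False         # "Allow connection ... if certificate verification fails"


def tls_context(verify: bool) -> ssl.SSLContext:
    """create_default_context() loads the device certificate store and requires
    a valid, hostname-matching certificate. verify=False is the fail-open
    context: no chain or hostname check at all."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def real_attempt(host: str, port: int, ctx: ssl.SSLContext) -> None:
    """Open a TCP connection and complete the TLS handshake, then close.
    Raises ssl.SSLCertVerificationError for an untrusted certificate and
    OSError (ConnectionRefusedError, timeout, ...) when the port is unreachable."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host):
            pass


def negotiate(profile: SecureChannelProfile, host: str,
              attempt: Callable[[str, int, ssl.SSLContext], None] = real_attempt) -> Outcome:
    """Apply the profile's fail-open/fail-closed options to one connection attempt."""
    if not profile.enable_secure_channel:
        return Outcome.PLAIN            # secure channel not configured at all
    try:
        attempt(host, profile.secure_port, tls_context(verify=profile.validate_with_device_store))
        return Outcome.SECURE if profile.validate_with_device_store else Outcome.UNVERIFIED
    except ssl.SSLCertVerificationError:
        # Certificate did not validate against the device store.
        if profile.allow_on_cert_failure:
            attempt(host, profile.secure_port, tls_context(verify=False))
            return Outcome.UNVERIFIED
        return Outcome.REFUSED          # assumed fail-closed behaviour
    except OSError:
        # ssl.SSLError is also an OSError, so a failed handshake lands here too.
        # "If user cannot connect to the selected secure channel port":
        if profile.allow_without_secure_channel:
            return Outcome.PLAIN
        return Outcome.REFUSED


# Simulated failures (constructed for the example; no network is used).
def simulate_unreachable(host: str, port: int, ctx: ssl.SSLContext) -> None:
    raise ConnectionRefusedError(f"nothing listening on {host}:{port}")


def simulate_bad_cert(host: str, port: int, ctx: ssl.SSLContext) -> None:
    if ctx.verify_mode == ssl.CERT_REQUIRED:
        raise ssl.SSLCertVerificationError("self-signed certificate in chain")


if __name__ == "__main__":
    variants = [("strict defaults", SecureChannelProfile()),
                ("allow without secure channel", SecureChannelProfile(allow_without_secure_channel=True)),
                ("allow on cert failure", SecureChannelProfile(allow_on_cert_failure=True))]
    for name, prof in variants:
        print(f"{name:30} port unreachable -> {negotiate(prof, 'gw.example', simulate_unreachable).value}")
        print(f"{name:30} bad certificate  -> {negotiate(prof, 'gw.example', simulate_bad_cert).value}")
```

Run it as a script to see that only the strict profile refuses in both failure cases; each fail-open checkbox converts exactly one failure into a connection that no longer carries the guarantee the secure channel is meant to provide.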

Cloud Firewall Settings

When the Cloud Firewall setting is enabled in the Client profile, the Client enforces the Cloud Firewall rules under the Network section of the mapped policy.

NOTE: When you enable Cloud Firewall, the Client sends all IP traffic to the Cloud gateway by default. Sending system traffic to the Cloud gateway is not advised, because it can produce undesirable effects such as network connectivity failures. Skyhigh therefore recommends that you bypass such traffic according to your network configuration.

Examples:

  • Traffic from Windows system processes
    • system.exe, alg.exe, dns.exe, lsass.exe, services.exe, spoolsv.exe, svchost.exe, userinit.exe, winlogon.exe
  • ICMP (IP protocol number 1) traffic
  • UDP traffic on port
    • 53 (DNS)
    • 123 (Network Time Protocol (NTP))
    • 67 (Dynamic Host Configuration Protocol (DHCP) servers)
    • 500 (Internet Key Exchange (IKE))
    • 389, 636, 3268-3269 (Lightweight Directory Access Protocol (LDAP))
    • 445 (SMB)
  • TCP traffic on port
    • 389, 636, 3268-3269 (Lightweight Directory Access Protocol (LDAP))
    • 445 (SMB)
  • IPsec ESP (IP protocol number 50) traffic
  • GRE (IP protocol number 47) traffic
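The bypass examples above and the process list for non-redirected ports (in the Connection Settings section) both come down to classifying endpoint traffic by process, protocol and port. The following Python is added here as an illustration and is not part of the Skyhigh Client or its documentation: it parses the port notation used on this page (including ranges such as 3268-3269), encodes the example bypass list, and decides for each flow whether it stays on the local path or goes to the Cloud gateway; `allowed_on_non_redirected_port` models the allow-all-except / block-all-except semantics of the non-redirected port setting. The Flow and BypassPolicy types, the rule names and the sample flows are assumptions constructed for the example; the real Client does not expose this interface.

```python
"""Model of the Cloud Firewall bypass examples and the non-redirected port
process-list setting. Constructed for this page, not Skyhigh Client code;
the Flow/BypassPolicy types are assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# IANA IP protocol numbers. The page bypasses ICMP, GRE and IPsec ESP
# as whole protocols; TCP and UDP are bypassed per destination port.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP = 1, 6, 17, 47, 50


def parse_ports(spec: str) -> FrozenSet[int]:
    """Parse the port notation used on this page, e.g. '389, 636, 3268-3269'.
    Ranges are inclusive; every port must lie in 1..65535."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("-")
        start, end = int(lo), int(hi or lo)
        if not (1 <= start <= end <= 65535):
            raise ValueError(f"invalid port or range: {item!r}")
        ports.update(range(start, end + 1))
    return frozenset(ports)


@dataclass(frozen=True)
class Flow:
    """One outbound flow as seen on the endpoint (constructed type)."""
    process: str                     # image name, e.g. 'svchost.exe'
    protocol: int                    # IP protocol number
    dst_port: Optional[int] = None   # meaningful only for TCP/UDP


@dataclass(frozen=True)
class BypassPolicy:
    processes: FrozenSet[str]        # matched case-insensitively (Windows names)
    protocols: FrozenSet[int]        # whole protocols bypassed regardless of port
    udp_ports: FrozenSet[int]
    tcp_ports: FrozenSet[int]

    def matches(self, flow: Flow) -> bool:
        if flow.process.lower() in self.processes:
            return True
        if flow.protocol in self.protocols:
            return True
        if flow.protocol == PROTO_UDP and flow.dst_port in self.udp_ports:
            return True
        if flow.protocol == PROTO_TCP and flow.dst_port in self.tcp_ports:
            return True
        return False


# The example bypass list from this page, encoded as one policy.
PAGE_EXAMPLE_BYPASS = BypassPolicy(
    processes=frozenset(p.lower() for p in (
        "system.exe", "alg.exe", "dns.exe", "lsass.exe", "services.exe",
        "spoolsv.exe", "svchost.exe", "userinit.exe", "winlogon.exe")),
    protocols=frozenset({PROTO_ICMP, PROTO_ESP, PROTO_GRE}),
    udp_ports=parse_ports("53, 123, 67, 500, 389, 636, 3268-3269, 445"),
    tcp_ports=parse_ports("389, 636, 3268-3269, 445"),
)


def route(flow: Flow, policy: BypassPolicy = PAGE_EXAMPLE_BYPASS) -> str:
    """'bypass' keeps the flow on the local network path; 'tunnel' sends it to
    the Cloud gateway, which is the default once Cloud Firewall is enabled."""
    return "bypass" if policy.matches(flow) else "tunnel"


def allowed_on_non_redirected_port(process: str, listed: FrozenSet[str], mode: str) -> bool:
    """Non-redirected port setting: 'allow_except' allows everything except the
    listed processes; 'block_except' blocks everything except the listed ones."""
    in_list = process.lower() in {p.lower() for p in listed}
    if mode == "allow_except":
        return not in_list
    if mode == "block_except":
        return in_list
    raise ValueError(f"unknown mode: {mode!r}")


if __name__ == "__main__":
    # Constructed sample flows, not captured traffic.
    samples = [Flow("svchost.exe", PROTO_UDP, 53), Flow("chrome.exe", PROTO_TCP, 443),
               Flow("chrome.exe", PROTO_ICMP), Flow("outlook.exe", PROTO_TCP, 636)]
    for f in samples:
        print(f"{f.process:12} proto={f.protocol:<3} port={str(f.dst_port):5} -> {route(f)}")
```

Note that a whole-protocol bypass (ICMP, ESP, GRE) matches regardless of process, and a port bypass matches regardless of process; the process list is the only criterion that can pull an arbitrary TCP or UDP port out of the tunnel, which is why the page suggests bypassing the Windows system processes rather than enumerating every port they use.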

 

On the SSE UI:

  • Use HTTP proxy to authenticate with Cloud Firewall. Select this checkbox to have the Skyhigh Client authenticate with Cloud Firewall over TLS through a corporate web proxy. When the user is connected outside the corporate network, a direct Internet connection is used to authenticate with Cloud Firewall instead.
    • Hostname or IPv4. Enter the hostname or IPv4 address of the corporate web proxy.
    • Port. Enter the port number.
  • Enable SOCKS proxy. Select this checkbox to have your on-premise SWG act as a SOCKS proxy that relays the tunneled traffic to the Cloud Firewall.
    • Hostname or IPv4. Enter the hostname or IPv4 address of the on-premise SWG.
    • Port. Enter the port number.

Enter a value from 5 to 1440 minutes to set how often the Skyhigh Client checks for a policy update.

  1. Click Save.