Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

End to End Health Check

The End-to-End (E2E) health check feature monitors an endpoint to identify any failure scenarios in the Skyhigh Client that may prevent it from securing that endpoint. This feature will enable users to detect insecure and non-compliant endpoints, enables administrators to take corrective actions. If a health check fails, the Skyhigh Client will report the status as E2E health check failed and will automatically generate diagnostic logs. 

clipboard_ea543f78938a19c4faa1e7ee3a9baf42e.png

NOTE: The Skyhigh Client supports End-to-End Health Check only on macOS and Windows. 

How it Works?

The Skyhigh Client is built on three core components: the Client UI, the interception layer, and the Skyhigh Client daemon. In a standard workflow, the interception layer monitors web traffic, based on configured policies. It forwards applicable traffic to the Skyhigh Client daemon, which then relays it to a designated proxy server. Once the proxy processes the request, the return traffic flows back through the daemon to the interception layer, which finally delivers it to the original application (such as a web browser).

The End-to-End Health Check is designed to continuously validate this complete data flow. The Client UI generates a web request targeting a specific address defined within the interception layer's rules. If functioning correctly, the interception layer captures this request and forwards it to the Skyhigh Client daemon, which passes it along to the proxy server. When the Skyhigh Client daemon receives the response back from the proxy, it injects special headers uniquely designated for the Client UI's health check request. This modified response is routed back through the interception layer to the Client UI. The Client UI inspects the final response for the presence of these special headers. Based on this inspection, it notifies the Skyhigh Client daemon whether the health check has passed or failed.

Log Capture on E2E Check Failure 

When an End-to-End (E2E) health check fails, the Skyhigh Client automatically captures a failure log. A subsequent failure log is only generated if the system registers a successful health check prior to the next failure. If an existing failure log is less than one hour old, the system will not create a new one. Whenever a new failure log is successfully captured, any previous log older than one hour is automatically deleted. Together, these conditions ensure that only a single, relevant, and recent E2E failure log is retained on the system at any given time.

Disable or Enable the E2E Health Check

The health check is enabled by default. To disable it, add stop.scphealthcheck.internal to the any non-redirected ports process list. This mechanism works for both V1 and V2.

Navigate to Skyhigh Client > Configuration > Client Profile > For traffic on non-redirected ports. 

When is the E2E Health Check Skipped?

The Skyhigh Client will skip the E2E health check whenever any of the following scenarios apply:

  • Device Inactivity: The user's machine is currently in sleep or standby mode.
  • Firewall-Only Configuration: The client is operating under a restricted Pure FW (Firewall-only) policy.
  • Manual Bypass: The client has been explicitly disabled via a release code.
  • Corporate Network Connection: The user is already connected to the internal network (status displays as In Office or In Office VPN).
  • Disabled Web Section: The Web Section has been turned off within the V2 policy settings.
  • Disabled Web Forwarding: The specific Forward Internet Bound Web Traffic to Gateway option is deactivated in the V2 policy.
  • No Active Gateways: The client is unable to locate any active gateways required to execute the test.

    clipboard_eb0ab39af4437b54791a759b8c46c8f0e.png
  • Was this article helpful?