Skyhigh Security

Client Proxy Deployment

About Skyhigh Client Proxy

Skyhigh Client Proxy helps protect your endpoint users from security threats when they access the web from inside or outside their network.

To deploy Skyhigh Client Proxy using Trellix ePO Cloud, you need to configure Trellix ePO; to deploy it using the Skyhigh On-Prem ePO server, you need to authenticate Skyhigh Web Gateway. You can also deploy Client Proxy using third-party Mobile Device Management tools such as JAMF. For standalone endpoints, you can configure and apply a Client Proxy policy.

Client Proxy workflow (figure: how_it_works_6.2.1.png)

To deploy and manage the policies, you must configure Trellix ePO. ePO is available both On-Prem and in the Cloud.

When deploying Client Proxy using Trellix ePO, you must push the Trellix Agent from ePO to the client, and then install the SCP software on the client. Once the Client Proxy policy is configured, deploy the policy.

▼ Client Proxy Deployment using ePO Cloud

1. Configure Trellix ePO

  1. Login to ePO Cloud. Click the menu on the top-left and go to Policy Catalog.
  2. In the Product drop-down, select Skyhigh Client Proxy 4.8.x.
  3. You should see a single policy called Skyhigh Default. This is a read-only policy that we cannot use, so click Duplicate to create a new policy that we can modify.
  4. Name the new policy My Default and click OK.
  5. Click on My Default to open your new policy.  If you see a message that says "The Skyhigh Client Proxy ePO Extension is still doing some background work to set the correct permissions to the linked Common Catalog," then click Cancel and wait a few minutes.  This can sometimes take 10 minutes or more to complete.  Keep checking back by re-opening the My Default policy until that message is gone.
  6. Click on Client Configuration on the left.  On the top of the page, set and confirm a shared passphrase.  Then click Save on the bottom-right corner of the screen.
  7. Click My Default again to re-open the policy, and go back to the Client Configuration page.  Then, click the Export Customer Credentials button at the top.  If the file opens in a new tab rather than downloading, then just right-click in the browser and Save As to save the XML file.
  8. In ePO Cloud, click the menu at the top-left and select Getting Started under the Web Protection heading. Record the Customer ID number for the next section.

2. Deploy Trellix Agent 

  1. In ePO, click on System Tree at the top of the page, and then click the New Systems button at the top of the System Tree.
  2. In the How to add systems section at the top, select the radio button labeled Create and download agent installation package.
  3. In Agent version, select the Windows radio button for Windows or the Non-Windows radio button for Mac, and select the required Trellix Agent version. Then, click OK in the bottom-right corner of the page.
  4. When ePO is done generating the package, click the Agent Package link to download the installation package, and then click Close.
  5. Copy the FramePkg.exe file (for Windows) or the agentPackages.zip file (for macOS; the package contains install.sh) to the endpoint you intend to manage, and then execute it.
  6. Go back to the ePO system tree, select the root of the tree (My Organization), and then select This Group and All Subgroups in the Preset drop-down.  This will let you see all managed endpoints in the entire system tree.  You should see the hostname of your endpoint in the list.  If it does not appear, then wait for the agent to check in and refresh the page.

3. Pushing Cloud-ePO

The current RTW build will be pushed from Trellix to the Cloud ePO.

4. Deploy Skyhigh Client Proxy

Skyhigh Client Proxy can be deployed using ePO On-Prem or ePO Cloud, on Windows and macOS. Follow these steps to deploy Client Proxy using ePO Cloud.

  1. In ePO Cloud, go to Menu > Software > Advanced Deployment.
  2. Click New Deployment at the top of the page.
  3. Name the deployment Deploy SCP, and select the latest SCP Version in the Package drop-down. 
  4. Set the Action to Install.
  5. Select the systems: Total for which system will be fetched from the System Tree.
  6. Set the Start Time drop-down to Run Immediately.
  7. Click Save.
  8. To add the policy, go to ePO > Policy Catalog.
  9. Under Products, select Skyhigh Client Proxy.
  10. Select the existing policy from the list, or you can create a new policy.
  11. To create a new policy, click New Policy.
    1. In Create a new policy,
    2. Select Category: SCP Policy
    3. Create a Policy based on this existing policy: Skyhigh Default
    4. Enter a Policy Name. Click OK.
  12. In the Policy Catalog, go to the respective policy and, under Actions, click Edit.
  13. Under Client Proxy Settings, in the Proxy Servers page, you can assign the Proxy Server by entering the IP or Hostname of the proxy and the Proxy Port. Click Add.
  14. Under Client Configuration, in Traffic Redirection Settings, enable the required options using the radio button.
  15. Go to System Tree, under System Name, and select your system.
  16. Click the Policies tab. In Product select the Skyhigh Client Proxy.
  17. In Actions, select Edit the Assignment.
  18. In Inherit from, select Break inheritance and assign the policy and settings below.
  19. Select the created policy in Assigned Policy.
  20. Click Save.
  21. To push the policy, click System Tree at the top of the ePO interface, select your endpoint, and then click Wake Up Agents. This will cause ePO to attempt to connect to the client. To follow the status of the wake-up call, go to Menu > Automation > Server Task Log.
    If the task fails to complete successfully, then you can manually update with the following steps:
    1. Open a command prompt on the client machine.
    2. Change directory to C:\Program Files\SCP\Agent.
    3. Run the command cmdagent -s (for Windows) or /Library/McAfee/agent/bin/cmdagent -s (for macOS). This should open the Skyhigh Agent Status Monitor window.
    4. Click the top four buttons to kick off an agent synchronization.  (Collect and Send Props, Send Events, Check New Policies, and Enforce Policies)
  22. Once the task is completed, confirm on the endpoint by navigating to the Start menu and looking for an SCP folder.
  23. In Windows, you will find two shortcuts: About Skyhigh Client Proxy and Bypass Skyhigh Client Proxy. Open About Skyhigh Client Proxy and check that you have a Policy Name and Policy Revision value. If these are blank, then repeat step 4 to do another agent communication to pull the policy.
  24. In macOS, you will see the symbol at the top-right corner. Click About. Under Protection, select Client Proxy to find the details.
  25. Review About Skyhigh Client Proxy to confirm that the policy has been updated. You should see the policy, the status Always Redirecting, and the Active Proxy field, which shows where proxy requests are being sent.

▼ Client Proxy Deployment using ePO On-Prem

Client Proxy deployment can be done On-prem and standalone.

ePO On-Prem

1. Authenticate the Secure Web Gateway (On-prem)

We need to enable authentication for SCP in SWG (On-Prem).

  1. Login to SWG and click Policy at the top of the interface.
  2. In the policy pane on the left, click Add > Rule Set from Library.
  3. Go to Authentication > Authentication With Skyhigh Client Proxy.
  4. Click Auto-Solve Conflict. Click Solve by referring to existing objects. Click OK.
  5. Click on Show details and then click the Authenticate: Skyhigh Client Proxy link on that rule.
  6. Enter your customer ID number in the Customer ID field, and then click the Change... button to enter the shared passphrase.
  7. Click OK to save the settings object, and then Save Changes on the top-right.

2. Deploy Trellix Agent 

  1. In ePO, click on System Tree at the top of the page, and then click the New Systems button at the top of the System Tree.
  2. In the How to add systems section at the top, select the radio button labeled Create and download agent installation package.  Then, click OK in the bottom-right corner of the page.
  3. When ePO is done generating the package, click the Agent Package link to download the installation package, and then click Close.
  4. Copy the FramePkg.exe file (for Windows) or the agentPackages.zip file (for macOS; the package contains install.sh) to the endpoint you intend to manage, and then execute it.
  5. Go back to the ePO system tree, select the root of the tree ("My Organization"), and then select This Group and All Subgroups in the Preset drop-down.  This will let you see all managed endpoints in the entire system tree.  You should see the hostname of your endpoint in the list.  If it does not appear, then wait for the agent to check in and refresh the page.

3. Checking the SCP Package into the ePO main repo

  • You can install Client Proxy using the cloud security portal or through downloads or policy downloads.
  • You can check the SCP package into the ePO main repository in two ways:

1. Go to the main menu (three lines) > Main Repository > Check In Package. In Check In Package, choose the required build in the File path. Click OK, and then Next.

  • Package Info: contains build details such as Name, Version, Minor Version, Type, and Language of the build you're checking in
  • Choose the branch you want to post it to: Current, Previous, or Evaluation
    • Current: Current build is what we want to post to all the clients
    • Previous: Earlier version of current build
    • Evaluation: Any build that needed to be tested or the older version of build
  • Options: Enable the Options to move the existing package to the Previous branch using 

2. You can follow these steps to check in the SCP package:

  • Navigate to Software > Catalog Utilities & Connectors > Packages.

  • Select the required package in Actions > Check in at another branch to check in.

  • Select the required client package branch.

  • Click Check In.

4. Deploy Skyhigh Client Proxy

Follow these steps to deploy Client Proxy using ePO On-Prem.

  1. In ePO On-Prem, go to Menu > Software > Product Deployment.
  2. Click New Deployment at the top of the page.
  3. Name the deployment Deploy SCP, and select the latest SCP Version (Skyhigh Client Proxy 4.8.x) in the Package drop-down. 
  4. Set the Action to Install.
  5. Set the Start Time drop-down to Run Immediately.
  6. Click Save.
  7. Click System Tree at the top of the ePO interface, select your endpoint, and then click Wake Up Agents.  This will cause ePO to attempt to connect to the client.  To follow the status of the wake-up call go to Menu > Automation > Server Task Log.   
    If the task fails to complete successfully, then you can manually update with the following steps:
    1. Open a command prompt on the client machine.
    2. Change directory to C:\Program Files\SCP\Agent.
    3. Run the command cmdagent /s.  This should open the Skyhigh Agent Status Monitor window.
    4. Click the top four buttons to kick off an agent synchronization.  (Collect and Send Props, Send Events, Check New Policies, and Enforce Policies)
  8. Once the task is completed, confirm on the endpoint by navigating to the Start menu and looking for an SCP folder. You will find two shortcuts: About Skyhigh Client Proxy and Bypass Skyhigh Client Proxy. Open About Skyhigh Client Proxy and check that you have a Policy Name and Policy Revision value. If these are blank, then repeat step 4 to do another agent communication to pull the policy.
  9. Review About Skyhigh Client Proxy to confirm that the policy has been updated. You should see the policy, the status Always Redirecting, and the Active Proxy field, which shows where proxy requests are being sent.

NOTE: Skyhigh Client Proxy can also be deployed on macOS using Jamf. For more details, see Configure Skyhigh Client Proxy on macOS.

Configure the SCP Policy in Standalone 

You can configure an SCP policy and apply it to standalone endpoints. Once the Secure Web Gateway Cloud Services is set up, configure the SCP policy. For more details, see Configure a Client Proxy Policy.

Bypass Skyhigh Client Proxy

To configure your system's Client Proxy to communicate with a management device such as an ePO, follow the steps listed below:

  1. Navigate to the Start menu on your system, search Bypass Skyhigh Client Proxy, and click Open.
  2. In the Bypass Skyhigh Client Proxy, you can view the Computer Name, Policy Name, Policy Revision Number, and the 8-digit Identification code.
  3. Open ePO, navigate to the Configuration menu, and select SCP Helpdesk.
  4. Enter the information from your system, select the desired bypass duration, and then click the Generate Key button.
  5. Copy the 8-digit release code from ePO and paste it into the Release text box on the system, and then click OK.
  6. Navigate to the Start menu on your system, and search About Skyhigh Client Proxy. You should see the Status showing Bypass active.