Client Proxy Setup for the First Time
First, configure the Client Proxy software to steer traffic to Cloud Firewall. This includes configuring the tenant credentials, the primary proxy gateway, and the gateway selection method (how the Client Proxy software selects the active gateway from the list), and creating a Client Proxy policy with the default values.
Skyhigh Client Proxy System Requirements for Optimized Cloud Firewall Performance
The minimum requirement is 4 vCPUs and 8 GB of RAM. For optimal performance, Skyhigh recommends using 8 vCPUs and 16 GB of RAM.
Once you successfully deploy Client Proxy on the endpoints, administrators can customize the Client Proxy policy on the SCP Configuration page in the UI.
Configure the Client Proxy Software
Make sure to download the policy and deploy it to the endpoints.
Complete the following to configure the Client Proxy software:
- On the Skyhigh SSE navigation bar, click Settings.
- Select Infrastructure > Web Gateway Setup.
- Click Get Started.
- In Enter Tenant Authentication Credentials, click Configure.
- In the New Shared Secret field, enter the new shared secret. The shared secret is the password that secures communication between Client Proxy and Skyhigh WGCS.
- In the Confirm New Shared Secret field, confirm the new shared secret.
- Click Save.
- In Define Gateway Server Address, click Configure.
- From the Add Gateway drop-down list, enter the hostname or IPv4 address of the gateway and its listening port. Best practice is to configure two gateways, using fully qualified domain names (FQDN) for the host names and specifying port 8080 for one gateway and port 80 for the other gateway.
- Click the + icon to configure another gateway.
- (Optional) From the Import CSV drop-down list, import the proxy server details from a .csv file.
- (Optional) From the Export CSV drop-down list, download the configured proxy server list to a .csv file.
- Click Save.
- In Determine Proxy Selection Method, click Configure.
- First Available — Select this to connect to the first accessible gateway from the list that you configure. This option is useful when you prefer to select a specific gateway.
- Automatic Switch Over — Select this to automatically switch to the next available gateway when the first accessible gateway is down.
For example, if you have two gateways in the list and the first gateway is down while the second gateway is reachable, Client Proxy automatically selects the second gateway as the active gateway to redirect the endpoint traffic. In addition, when you select this option, Client Proxy periodically checks the availability of the first configured gateway, based on the interval set in the Polling Interval field. When the first configured gateway becomes available, Client Proxy elects it as the active gateway to redirect the traffic. If this option is not selected, Client Proxy does not check for the active gateway periodically. This option is available only when you select First Available.
- In Polling Interval (10 to 3600 seconds), specify the interval at which the Client Proxy software checks for the active gateway in the configured gateway list.
- Fastest Response Time — Select this to connect to the gateway that has the fastest response time in the list that you configure.
- Click Save.
- In Name and Publish Policy, click Configure.
- Provide a name for the policy.
- Click Save Policy.
- Click the yellow badge to publish the saved changes.
- Click Download to download the Client Proxy policy file, which is saved as an .opg file. Once the Client Proxy software is installed on endpoints, the Client Proxy clients need their first policy configuration to communicate with Skyhigh Web Security Gateway Service.
Rename the .opg file to SCPPolicy.opg and copy it to the following location on the client computers. Client Proxy establishes trust and redirects traffic to Skyhigh Web Security Gateway Service using the tenant information and shared secret.
Location to copy the .opg file:
- Windows-based systems — C:\ProgramData\Skyhigh\SCP\Policy\Temp
- macOS systems — /usr/local/McAfee/Scp/policy
Click the yellow badge to publish all your locally saved changes. When you complete the Client Proxy configuration, administrators can add gateways and customize the Client Proxy policy on the SCP Configuration page in the UI.
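The following model of the options under Determine Proxy Selection Method shows how the Polling Interval bounds the time traffic stays on the secondary gateway. It is an added example, not Skyhigh code: the hostnames, outage windows, and latencies are constructed, and evaluating reachability only at poll ticks is an assumption of the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Gateway:
    host: str  # FQDN, as the page recommends
    port: int

# Constructed sample list: two gateways, ports 8080 and 80 (hypothetical names).
GATEWAYS = [Gateway("gw1.example.com", 8080), Gateway("gw2.example.com", 80)]

def first_available(gateways, is_up):
    """First Available: first gateway in configured order that is reachable."""
    return next((g for g in gateways if is_up(g)), None)

def fastest_response(gateways, latency_ms):
    """Fastest Response Time: lowest latency wins; None means unreachable."""
    live = [g for g in gateways if latency_ms.get(g.host) is not None]
    return min(live, key=lambda g: latency_ms[g.host], default=None)

def simulate(gateways, outages, switch_over, polling_interval, duration):
    """Return [(second, active_host)] each time the active gateway changes.

    outages maps host -> [(start, end)] windows in seconds (constructed input).
    Assumption: with Automatic Switch Over, reachability is re-evaluated in
    list order at every poll tick; without it, the initial choice is kept.
    """
    if not 10 <= polling_interval <= 3600:
        raise ValueError("Polling Interval must be 10 to 3600 seconds")

    def host_at(t):
        up = lambda g: not any(s <= t < e for s, e in outages.get(g.host, []))
        gw = first_available(gateways, up)
        return gw.host if gw else None

    changes = [(0, host_at(0))]
    if switch_over:
        for t in range(polling_interval, duration + 1, polling_interval):
            if host_at(t) != changes[-1][1]:
                changes.append((t, host_at(t)))
    return changes

if __name__ == "__main__":
    # gw1 is unreachable from second 50 to second 170; poll every 60 seconds.
    for t, host in simulate(GATEWAYS, {"gw1.example.com": [(50, 170)]}, True, 60, 300):
        print(f"t={t:>3}s active={host}")
```

In this model the first gateway recovers at second 170 but traffic returns to it only at the poll tick at second 180, so the delay before failback is at most one Polling Interval.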