Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Access Private Applications Through Trellix ePO -SaaS

Guidelines to access Private Applications from the endpoints managed by Trellix ePO -SaaS

To access private applications from the endpoints managed by ePO, the Client Proxy extension must be installed on ePO and Client Proxy package should be deployed to the endpoints.

Export the tenant credentials

Do the following to export the tenant credentials from SSE to an .xml file:

  1. Go to Settings > Infrastructure > Client Proxy Management.
  2. In the policy tree, select Global Configuration.
  3. Click Tenant Authentication to open Tenant Authentication and Global Settings.
  4. From the Actions drop-down list, select Export Credentials.
    Downloads the tenant credentials to an .xml file.
  1. On the Trellix ePO-SaaS console, select Menu > Configuration SCP Administration.

MicrosoftTeams-image (25).png

  1. In the Customer Identifier setting, import the tenant credentials (exported from SSE) to ePO. 

MicrosoftTeams-image (26).png

  1. Click Save.
  2. Go to Policy Catalog > Skyhigh Client Proxy > click New Policy.
  3. Enter the policy name in the Create a new policy dialog box.

MicrosoftTeams-image (27).png

  1. Once the policy is created, select the policy and click Edit.

MicrosoftTeams-image (28).png

  1.  Go to the Proxy Servers tab and configure the proxy server address. 

MicrosoftTeams-image (29).png

  1. Go to Client Configuration tab:
    1. Select the Download Policy from Skyhigh SSE checkbox
      • When you select this checkbox and push the policy to all endpoints, the endpoints will synchronize with the SSE SCP policy.
    2. In the Secure Channel for Cloud Proxies, make sure to the Enable Secure Channel checkbox.
    3. In the Traffic Redirection Settings, make sure to select Always redirect network traffic to proxy servers.

Note: After synchronization between SSE and ePO, the endpoints will start applying only the SSE SCP policy. Even if you clear this checkbox, endpoints will honor only the SSE SCP policy and not the ePO SCP policy.

MicrosoftTeams-image (31).png

  1. Click Save.
    Displays the saved Client Proxy policy on the Policy Catalog page.
  2. Select the policy and click Edit.
  3. From the Actions drop-down list, select Export Policy to File.

MicrosoftTeams-image (32).png

  1. Select Skyhigh Client Proxy Policy Client File to download the SCP client file. You need to import this file to the SSE UI.

MicrosoftTeams-image (33).png

  1. Select System Tree 
  2. Select the organizational level where you want to assign Client Proxy policy to all endpoints.
  3. Go to the Policies tab.
  4. Select Edit Assignment.

MicrosoftTeams-image (34).png

  1. From the Assigned policy drop-down list, select the policy.

MicrosoftTeams-image (35).png

  1. You can push the policy through ePO to the client or client will pull this policy through Trellix Agent.

Create or import ePO policy on Skyhigh SSE
  1. On the Skyhigh SSE navigation bar, click Settings.
  2. Select Infrastructure > Client Proxy Management.
  3. In the policy tree, select Configuration Policies.
    You can create a new policy or import the policy exported from ePO.
  4. Click the highlighted menu icon (...) next to the branch, select Create New Policy or Import Policy
  • Import Policy - Imports the policy to SSE UI. Export the policy from SSE and importing this policy on ePO is not supported for private applications.
  • Create New Policy - Enter the same name as the policy name on ePO. The name is case sensitive. Also, make sure to complete all Client Proxy configurations such as block list, bypass list and so on.


  1. Configure the private applications and connector groups. 


  1. Once ePO and SCP endpoints synchronize, verify the Policy Revision number in the About Skyhigh Client Proxy window, which should be same as the SSE policy revision number. 

It may take up to 5 minutes to get SSE policy to get enforced.

MicrosoftTeams-image (13).png

  1. Endpoints can now access the private applications.