Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Configure Secure Channel for Cloud Proxies

You can establish a secure communication channel between Client Proxy and Skyhigh Web Security Gateway Service. When you enable the Secure Channel option, the software validates the cloud proxy server certificate against the device certificate store and establishes a secure connection. When you enable Secure Channel, Client Proxy uses the 8081 port to check cloud proxy connectivity. However, you can continue to configure the 8080 port and proxy server hostname when adding a cloud proxy server.  To establish secure connection with the cloud proxy server, Client Proxy uses Transport Layer Security (TLS) 1.2 or later and all traffic forwarded through the secure channel remains private.

 You can use Port 443 for the Secure Channel on Client Proxy 4.5.0. and later. The auto update of policy changes and traffic redirections fails when you enable Secure Channel on port 443 on the earlier versions of Client Proxy (<4.5.0).

IMPORTANT: Make sure *.wgcs.skyhigh.cloud, and 100.64.0.0/10 are not added to the proxy bypass list as adding these would interfere with Skyhigh Private Access functionality.

  1. Go to Settings > Infrastructure > Client Proxy Management.
  2. In the policy tree, select Configuration Policies.
  3. Select a policy from the policy tree.
  4. In Secure Channel for Cloud Proxies, select the Enable Secure Channel checkbox to establish a secure connection between Client Proxy and WGCS. When you select this checkbox, the software validates the cloud proxy certificate against the device certificate store and establishes a secure connection. Client Proxy uses port 8081 for Secure Channel by default. 

MicrosoftTeams-image (36).png

NOTE:

  • When you enable Secure Channel with at least one cloud proxy configured in the proxy server list, Client Proxy ignores on-premise proxy servers and considers only cloud proxy servers in the list. Depending on the availability of cloud proxy server and port, Client Proxy applies redirect, block, or fallback (Allow Connection without Secure Channel) option. Proxies with domains like c*******.wgcs.skyhigh.cloud are considered cloud proxies.
  • The Enable Secure Channel option only applies to Internet Apps. Disabling it does not affect Private Apps, as they are always routed through the secure channel.

 

  • Was this article helpful?