Configure Secure Channel for Cloud Proxies
You can establish a secure communication channel between Client Proxy and Skyhigh Web Security Gateway Service. When you enable the Secure Channel option, the software validates the cloud proxy server certificate against the device certificate store and establishes a secure connection. When you enable Secure Channel, Client Proxy uses the 8081 port to check cloud proxy connectivity. However, you can continue to configure the 8080 port and proxy server hostname when adding a cloud proxy server. To establish secure connection with the cloud proxy server, Client Proxy uses Transport Layer Security (TLS) 1.2 or later and all traffic forwarded through the secure channel remains private.
You can use Port 443 for the Secure Channel on Client Proxy 4.5.0. and later. The auto update of policy changes and traffic redirections fails when you enable Secure Channel on port 443 on the earlier versions of Client Proxy (<4.5.0).
- Go to Settings > Infrastructure > Client Proxy Management.
- In the policy tree, select Configuration Policies.
- Select a policy from the policy tree.
- In Secure Channel for Cloud Proxies, select the Enable Secure Channel checkbox to establish a secure connection between Client Proxy and WGCS. When you select this checkbox, the software validates the cloud proxy certificate against the device certificate store and establishes a secure connection. Client Proxy uses port 8081 for Secure Channel by default.
.png?revision=1)
Note: When you enable Secure Channel with at least one cloud proxy configured in the proxy server list, Client Proxy ignores on-premise proxy servers and considers only cloud proxy servers in the list. Depending on the availability of cloud proxy server and port, Client Proxy applies redirect, block, or fallback (Allow Connection without Secure Channel) option. Proxies with domains like c*******.wgcs.skyhigh.cloud are considered as cloud proxies.