Enable Remote Browser Isolation for SWG On-Prem and Hybrid
The idea is to forward traffic from Secure Web Gateway (On-Prem) to the Secure Web Gateway Cloud through SWG policies. The websites are isolated by configuring simple rules on the Web Gateway.
First, configure the Websocket rule. This rule is important because RBI uses Websocket to stream the pixel bytes down to the client. Ensure that SWG receives the websocket data by configuring the Tunnel Host list and NHP to SWG rules.
Do the following:
- On the Web Gateway user interface, select Policy > Rule Sets.
- Expand the Forward Proxy with Connection to SSE rule set.
- Click Websockets and go to the Show details tab.
- Configure domains in the Websockets for SSE domains. These are the domains used by SWG in the cloud.
- Expand HTTPS scanning > Handle Connect Call > Tunnel Host list. These rules are important for making the initial connection.
- Configure skyhigh.cloud and the required domains so that data is sent securely and HTTPS scanning is not performed on them.
- Expand NHP to Skyhigh SWG to forward the proxy to SWG.
- In the Next Hop Proxy Definition dialog box, configure the proxy name in the cloud (for example, Host can be xx.c.89071.wgcs.skyhigh-cloud.com) with port 8081. Port 8081 is essential for using the Client Proxy secure channel to communicate securely with the Cloud. The Client Proxy authenticates the request and transfers the user information from SWG to the Cloud.
- Navigate to Configuration | Web Hybrid to provide the customer ID and shared password. The customer ID and shared password should be the same as those set on the SSE Configuration page.
- From the Skyhigh CASB navigation bar, select Policy > Web Policy > Policy.
- From the policy tree, select Browser Isolation > Full Isolation.
- Under Always Isolate, select All traffic. Note that this option is available only if you have a license for the Skyhigh SSE capabilities.
You have now enabled browser isolation for any website that users request access to.