You can establish a secure communication channel between Client Proxy and Skyhigh Web Security Gateway Service. When you enable the Secure Channel option, the software validates the cloud proxy server certificate against the device certificate store and establishes a secure connection. When you enable Secure Channel, Client Proxy uses the 8081 port to check cloud proxy connectivity. However, you can continue to configure the 8080 port and proxy server hostname when adding a cloud proxy server. To establish secure connection with the cloud proxy server, Client Proxy uses Transport Layer Security (TLS) 1.2 or later and all traffic forwarded through the secure channel remains private.
You can use Port 443 for the Secure Channel on Client Proxy 4.5.0. and later. The auto update of policy changes and traffic redirections fails when you enable Secure Channel on port 443 on the earlier versions of Client Proxy (<4.5.0).
- On the Skyhigh SSE navigation bar, click Settings.
- Select Infrastructure | Client Proxy Management.
- In the policy tree, select Configuration Policies.
- Select a policy from the policy tree.
- In Secure Channel for Cloud Proxies, select the Enable Secure Channel checkbox to establish a secure connection between Client Proxy and WGCS. When you select this checkbox, the software validates the cloud proxy certificate against the device certificate store and establishes a secure connection. Client Proxy uses port 8081 for Secure Channel by default.
When you enable Secure Channel with at least one cloud proxy configured in the proxy server list, Client Proxy ignores on-premise proxy servers and considers only cloud proxy servers in the list. Depending on the availability of cloud proxy server and port, Client Proxy applies redirect, block, or fallback (Allow Connection without Secure Channel) option. Proxies with domains like c*******.wgcs.skyhigh.cloud and c*******.saasprotection.com are considered as cloud proxies. Additionally, the domains like, c*******.hybrid.skyhigh.cloud are not currently supported as they are not a pure cloud solution. (For details, see SCP Common Issues)
- Block connection if certificate verification fails — Select this checkbox to block traffic to the cloud proxy server when the certificate validation fails.
When the certification validation for a proxy server fails, then traffic to that proxy (primary or alternate) server is blocked.
- When you have connectivity issues with port 8081 (Secure Channel port), you can decide whether to allow or block the connection. Select one of the following:
- Block connection — Select this checkbox to block the connection.
- Allow connection without Secure Channel — Select this to allow the connection through the configured proxy port (8080) without establishing a secure connection between Client Proxy and WGCS.
- When the certification validation for a proxy server fails, then traffic to that proxy (primary or alternate) server is blocked.
- When you select this option, all the configured (both on-premise and cloud) proxy servers are considered for filtering traffic. The order to select a proxy server depends on the option you have selected (First Available or Fastest Response Time) while configuring the proxy server list.
- Click Save.
You can publish saved changes to the cloud now or keep working and publish later.