Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Access updated (SSE) Policy Through Trellix ePO - OnPrem

Guidelines to access SSE Policy from the endpoints managed by Trellix ePO - OnPrem

To access SSE Policy from the endpoints managed by ePO, the Client Proxy extension must be installed on ePO and Client Proxy package should be deployed to the endpoints.

Export the tenant credentials

Do the following to export the tenant credentials from SSE to an .xml file:

  1. Go to Settings > Infrastructure > Client Proxy Management.
  2. In the policy tree, select Global Configuration.
  3. Click Tenant Authentication to open Tenant Authentication and Global Settings.
  4. From the Actions drop-down list, select Export Credentials.
    Download the tenant credentials to a .xml file.
Install the Client Proxy extension on Trellix ePO on-premise
  1. On the Trellix ePO console, select Menu > Software > Extensions.
  2. Click Install Extension.


  1. Click Choose File to navigate to the latest version of the extension file.
  2. Select the extension file and click OK
    The Client Proxy extension software is installed on the Trellix ePO server.

MicrosoftTeams-image (14).png

  1. Go to the Policy Catalog > Skyhigh Client proxy and click New Policy.
  2. Enter the policy name in the Create a new policy dialog box.

MicrosoftTeams-image (15).png

  1. Go to the Proxy Servers tab and configure the proxy server address. 

MicrosoftTeams-image (17).png

  1. Go to Client Configuration tab:
  • In the Customer Identifier, import the tenant credentials (exported from SSE) to ePO. 
  • In the Apply Policy From Skyhigh SSE setting, select the Download Policy from Skyhigh SSE checkbox. 
    • When you select this checkbox and push the policy to all endpoints, the endpoints will synchronize with the SSE SCP and ePO policies.
  • (Optional) In the Secure Channel for Cloud Proxies setting, select the Enable Secure Channel checkbox. 
  • (Otional) In the Traffic Redirection Settings, select the Always redirect network traffic to proxy servers checkbox.

Note: To push an updated (SSE) policy using Trellix ePO. Select the Download Policy From Skyhigh SSE checkbox and use a different policy name, which is different than the earlier SSE policy names. This pushes the policy to all endpoints, and the endpoints will synchronize with the SSE SCP and ePO policies.

MicrosoftTeams-image (18).png

  1. Click Save.
  2. Displays the saved Client Proxy policy on the Policy Catalog page.
  3. Select the policy and click Edit.
  4. From the Actions drop-down list, select Export Policy to File.
    MicrosoftTeams-image (19).png
  5. Select Skyhigh Client Proxy Policy Client File to download the SCP client file. You need to import this file to the SSE UI.

MicrosoftTeams-image (20).png

  1. Select Systems > System Tree > My Organization.
  2. Select the organizational level where you want to assign Client Proxy policy to all endpoints.
  3. Go to the Assigned Policies tab.
  4. Select Edit Assignment.

MicrosoftTeams-image (21).png

  1. From the Assigned policy drop-down list, select the policy.

MicrosoftTeams-image (22)_2.png

  1. You can push the policy through ePO to the client or client will pull this policy through Trellix Agent.

Create or import ePO policy on Skyhigh SSE
  1. Go to Settings > Infrastructure > Client Proxy Management.
  2. In the policy tree, select Configuration Policies.
    You can create a new policy or import the policy exported from ePO.
  3. Click the highlighted menu icon (...) next to the branch, select Create New Policy or Import Policy
  • Import Policy - Imports the policy to SSE UI. Export the policy from SSE and importing this policy on ePO is not supported for private applications.
  • Create New Policy - Enter the same name as the policy name on ePO. The name is case sensitive. Also, make sure to complete all Client Proxy configurations such as block list, bypass list and so on.


  1. Configure the private applications and connector groups. 


  1. Once ePO and SCP endpoints synchronize, verify the Policy Revision number in the About Skyhigh Client Proxy window, which should be same as the SSE policy revision number. 

It may take up to 5 minutes to get SSE policy to get enforced.

MicrosoftTeams-image (13).png

  1. Endpoints can now access private applications.