Skyhigh Security

Alternate Proxy Support for Explicit Proxy Mode

Overview

Environment

  • Customer has B2B services to which we need to connect from the centralised location. 
    • DNS services may or may not be available for some of the B2B services (internal or external).
    • There is no DNS available for external browsing traffic, i.e., non-B2B services.
    • All traffic that has no DNS service is directed to an external proxy (IP;Port).

Requirement

  • There are two gateways that are in scope: the primary gateway and the alternate gateway.
  • Traffic directed to an external proxy should be a proxy-style HTTP request, and the Client Proxy should intercept it.
  • Client Proxy compares the traffic with the configured policy (alternate redirection domain and IP list).
  • If there is a match for the traffic, it should be redirected to the configured alternate gateway, and the rest of the traffic should be redirected to the primary gateway.
  • Skyhigh Client Proxy does not redirect traffic destined to ports 80 and 443 when explicit proxy mode is on. Skyhigh Client Proxy only intercepts traffic destined for the explicit proxy.

NOTE:

  • Explicit Proxy Mode is supported only in Skyhigh Client Proxy v4.8.2.
  • In explicit proxy mode, bypass rules are not applicable; instead, they must be configured via the PAC file.
  • When the new feature is enabled: 
    • When the Primary Gateway is not available, SCP redirects only Alternate Redirection List traffic to the Alternate Gateway, and the Primary Gateway traffic is dropped.
    • When the Alternate Gateway is unavailable, SCP drops Alternate Redirection List traffic, and the traffic meant for the Primary Gateway is redirected to the Primary Gateway.
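
A PAC file that carries the bypass rules, as the note above requires in explicit proxy mode. This is an added example, not a file from Skyhigh: the proxy address, the bypass domains and the IP prefixes are constructed placeholders, and returning DIRECT for a bypassed destination is an assumption about how the bypass is expressed.

```javascript
// Added example: PAC file for explicit proxy mode. Every address and name
// below is a constructed placeholder, not a value from the product docs.
var EXPLICIT_PROXY = "PROXY 192.0.2.10:8080";            // assumed explicit proxy IP:port
var BYPASS_DOMAINS = ["intranet.example", "localhost"];  // constructed bypass domains
var BYPASS_IP_PREFIXES = ["127.", "10.20.30."];          // constructed bypass prefixes

// True when host equals domain or is a subdomain of it. A plain suffix test
// would also match "notintranet.example", so a label boundary is required.
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  var at = host.length - suffix.length;
  return at > 0 && host.indexOf(suffix, at) === at;
}

// True for dotted-quad IPv4 literals only; never triggers a DNS lookup.
function isIPv4Literal(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var i;
  // dnsResolve(), isResolvable() and isInNet() on host names are avoided on
  // purpose: they need a resolver, which this environment may not have.
  if (isIPv4Literal(host)) {
    for (i = 0; i < BYPASS_IP_PREFIXES.length; i++) {
      if (host.indexOf(BYPASS_IP_PREFIXES[i]) === 0) return "DIRECT";
    }
  } else {
    for (i = 0; i < BYPASS_DOMAINS.length; i++) {
      if (hostInDomain(host, BYPASS_DOMAINS[i])) return "DIRECT";
    }
  }
  // Everything else is addressed to the explicit proxy, where the client
  // proxy can intercept it. No "; DIRECT" fallback, so nothing leaves
  // unproxied if the proxy address is unreachable.
  return EXPLICIT_PROXY;
}
```

IP prefixes are matched only against IPv4 literals, so a host name that merely begins with a bypassed prefix is still sent to the proxy.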

Configuration

1. Configuring Primary Gateway and Alternate Gateway 

You can configure a gateway list and rules to redirect traffic.

  1. Go to Settings > Infrastructure > Client Proxy Management.
  2. In the policy tree, select Gateway List.
  3. Click the highlighted menu icon (...) next to the branch, then select Add New Gateway List.
  4. Provide a name for the gateway.
    Optionally, you can add more information about the gateway in Add Description.
  5. From the Add Gateway drop-down list, select Add Inline and complete the following:
    • Gateway Hostname or IPv4 Address — Provide an IP address or host name for the gateway list.
    • Listening Port — Provide the port number of the Gateway List.
    • Gateway Name: There are two gateways: the primary gateway and the alternate gateway.
  6. The remaining fields take the default value.
  7. Click Save.

You can publish saved changes to the cloud now or keep working and publish later.

2. Policy Configuration

Follow the policy configurations below to run Skyhigh Client Proxy in an explicit proxy environment.

  1. To create a Skyhigh Client Proxy policy, follow the below-mentioned steps.
    • On the Skyhigh SSE navigation bar, click Settings.
    • Select Infrastructure > Client Proxy Management.
    • In the policy tree, select Configuration Policies.
    • Click the highlighted menu icon (...) next to the branch, then select Create New Policy.
    • Provide a name for the policy.
    • Optionally, provide a description of the policy to help interpret it.
    • Select Primary Gateway and Alternate Gateway.
    • In Check for Policy Update Frequency (5–1440 mins), specify how often the software must check and update the policy changes. The default value is 15 minutes. You can specify a value from 5–1440 minutes.
    • You can configure the new policy now or edit the policy from the policy tree later.
    • Click Save.
  2. You need to configure an explicit proxy port in List of configured ports to redirect as HTTP/HTTPS traffic.
  3. To configure domains and IP address list redirection, click on the List Redirection tab and enable the Explicit Proxy Mode checkbox.

  4. Click Send traffic for these domains to the alternate proxy server to configure the list of domains that should be forwarded to the alternate gateway.
  5. Click Send traffic for these IP Addresses to the alternate proxy server to configure the list of IP addresses that should be forwarded to the alternate gateway.
