Skyhigh Security

Configure the Client Settings

Configure the settings that Client Proxy uses to determine the location of the endpoint and when to redirect web traffic. The client software tests for connectivity by using a TCP three-way handshake to connect, then closing the connection. The endpoint can be located inside the network, outside the network, or connected to the network by VPN.

Before you begin
You must be logged on to the Trellix ePO, Trellix ePO Cloud, Trellix ePO SaaS or the  server as an administrator.

NOTE: Before you can save the policy, you must provide values for the customer ID and shared password.

  1. From the main menu, select Policy > Policy Catalog.
  2. From the Products list, select the current version of Client Proxy.
  3. Click SCP Policy to view the policy list.
  4. Click Edit on the same row as the policy you want to configure.
  5. From the Client Proxy Settings list, select Client Configuration.
  6. Select an option based on your management platform:
    • Trellix ePO — In the Customer Identifier section, click Browse to locate, then open the customer ID .xml file provided by the Web Gateway or Skyhigh Security WGCS administrator. The values in this file automatically populate the Unique Customer ID and Shared Password fields.
    • Trellix ePO Cloud — In the Configure Shared Password section, enter and confirm the password that Client Proxy shares with Skyhigh Security WGCS. You also have the options of resetting or exporting the password.
    • Trellix ePO SaaS (settings are done outside the policy): Go to Menu > Configuration > SCP Administration to import the client identifier settings. Before creating Client Proxy policies on Trellix ePO or migrating policies to Trellix ePO, import your customer ID and shared password on the SCP Administration page. After you import them successfully, all existing and new Client Proxy policies are updated with the imported customer ID and shared password.

NOTE: The migration of Client Proxy policies from on-premises to Trellix ePO SaaS is supported from Client Proxy on-premises 3.0.0 and later. For information about how to migrate Trellix ePO on-premises to Trellix ePO, see Migration to Trellix ePO SaaS Quick Start Guide on the  product documentation portal (

  7. Select a Secure Channel for Cloud Proxies setting:

NOTE: This option is applicable only for Skyhigh Security WGCS.

  • Enable Secure Channel — Select this checkbox to establish a secure connection between Client Proxy and Skyhigh Security WGCS. When you select this checkbox, the software validates the cloud proxy certificate against the device certificate store and establishes a secure connection.

NOTE: When you enable Secure Channel, Client Proxy uses port 8081 to check cloud proxy connectivity. However, you can continue to configure port 8080 and the proxy server hostname when adding a cloud proxy server. To establish a secure connection with the cloud proxy server, Client Proxy uses Transport Layer Security (TLS) 1.2 and later, and all traffic forwarded through the secure channel remains private.

  • Block connection if certificate validation fails — Select this checkbox to block traffic to the cloud proxy server when the certificate validation fails.

NOTE: When the certificate validation for a proxy server fails, traffic to that proxy (primary or alternate) server is blocked.

  • When you have connectivity issues with port 8081 (Secure Channel port), you can decide whether to allow or block the connection. Select one of the following:
    • Block Connection — Select this to block the connection.
      NOTE: When the certificate validation for a proxy server fails, traffic to that proxy (primary or alternate) server is blocked.
    • Allow Connection without Secure Channel — Select this to allow the connection through the configured proxy port (8080) without establishing a secure connection between Client Proxy and Skyhigh Security WGCS.

NOTE: When you select this option, all the configured (both on-premises and cloud) proxy servers are considered for filtering traffic. The order to select a proxy server depends on the option you have selected (connect to the first accessible Proxy Server based on their order in the list below or connect to the Proxy Server that has the fastest response time) while configuring the proxy server list.

  8. Select a Traffic Redirection setting:
    • Redirect network traffic when computer is not connected to corporate network and not working through VPN — Redirects web requests to a proxy server when users are working outside your organization's network and are not connected by VPN.
    • Always redirect network traffic to proxy servers — Redirects all web requests to a proxy server, including requests from users working inside the network, outside the network, or working connected to the network by VPN.
  9. Select a Corporate Network Detection setting:
    • by testing connectivity to ePO — If the client software can connect to the Trellix ePO server, the endpoint is located inside the network.
    • by testing connectivity to any of the following corporate servers — If the client software can connect to the configured network servers, the endpoint is located inside the network.
  10. To configure Corporate VPN Detection, specify the addresses and port numbers of one or more VPN servers. If the client software can connect to a configured VPN, the endpoint is connected to the network by VPN.
  11. Using regular expressions, configure the Active Directory Groups Filter to limit the groups in the header that the client software adds to web requests before redirecting them to the proxy server. Group membership information must not exceed 4096 characters.
    Format: <domain_name>\\<group_name>
  12. (macOS) Select a Log File setting:
    • Log messages with Error and Critical priority
    • Log messages with Error, Critical, Information, and Warning priority
    • Log all messages (recommended for troubleshooting and debugging)
    • Don't log any messages

On endpoints running Windows, log files are located in this folder: C:\Program Data\Skyhigh\SCP\Logs. Critical error messages are saved to a file named scp.log. Client Proxy events such as connectivity check failures, redirection errors, auto-policy-download failures, policy changes, network changes, and captive portal checks are now logged in human-readable text.
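
When a connectivity check failure shows up in the log, the following added example (not Skyhigh code) reproduces the kind of test this page describes: a TCP three-way handshake followed by a close, applied to the Corporate Network Detection and Corporate VPN Detection server lists, then combined with the Traffic Redirection option. The hostnames, ports, and function names are constructed placeholders, and the decision logic is a reading of the setting descriptions above rather than the product's implementation.

```python
import socket

def tcp_probe(host, port, timeout=2.0):
    """Complete a TCP three-way handshake, then close; no data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, timed out, or name not resolved
        return False

def detect_location(corporate_servers, vpn_servers, probe=tcp_probe):
    """Report which configured (host, port) pairs answer from this endpoint."""
    corp = [s for s in corporate_servers if probe(*s)]
    vpn = [s for s in vpn_servers if probe(*s)]
    return {"inside": bool(corp), "vpn": bool(vpn),
            "reachable_corporate": corp, "reachable_vpn": vpn}

def should_redirect(location, always_redirect):
    """Apply the two Traffic Redirection options to a detection result."""
    if always_redirect:
        return True  # redirect inside, outside, and over VPN
    # Otherwise redirect only when neither detection test succeeded.
    return not (location["inside"] or location["vpn"])

# Constructed sample values: hostnames and ports are placeholders.
SAMPLE_POLICY = {
    "always_redirect": False,
    "corporate_servers": [("epo.corp.example", 443)],
    "vpn_servers": [("vpn-gw.corp.example", 443)],
}

if __name__ == "__main__":
    loc = detect_location(SAMPLE_POLICY["corporate_servers"],
                          SAMPLE_POLICY["vpn_servers"])
    print(loc, "redirect:", should_redirect(loc, SAMPLE_POLICY["always_redirect"]))
```

Because the test is a bare TCP connect with no server authentication, list only detection servers that answer on the internal network alone, so that an endpoint on an outside network is not classified as inside and left unredirected.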

  13. (Windows) Configure the Access Protection settings:
    • Enable access protection — When selected, users cannot disable the client software using Windows Task Manager, edit or delete files, or change registry values.
    • Request release key for manual uninstall — When selected, users can request a release code from an administrator and use it to uninstall the client software. When deselected, users must use the Windows uninstall feature to uninstall the software. Best practice is to use a release code to uninstall the software.
  14. Click Save.

The client settings are saved with the Client Proxy policy.
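
For the Active Directory Groups Filter step, this added example (not product code) checks a candidate filter against a list of group memberships before it goes into the policy: it shows which groups survive the filter, whether the result fits the 4096-character limit, and why the documented format escapes the backslash. It uses Python's `re` as a stand-in for the product's regular-expression engine; whole-name matching, the comma separator, and the sample group names are assumptions.

```python
import re

MAX_GROUP_INFO = 4096  # character limit stated on the page

def apply_group_filter(groups, patterns, sep=","):
    """Keep groups matching any filter and report size against the limit.

    Assumptions: whole-name matching and a separator-joined header value.
    """
    compiled = []
    for pattern in patterns:
        try:
            compiled.append(re.compile(pattern))
        except re.error as exc:
            raise ValueError(f"invalid filter {pattern!r}: {exc}") from exc
    kept = [g for g in groups if any(c.fullmatch(g) for c in compiled)]
    size = len(sep.join(kept))
    return {"kept": kept, "size": size, "fits": size <= MAX_GROUP_INFO}

# Constructed sample memberships in <domain_name>\<group_name> form.
SAMPLE_GROUPS = [r"CORP\Web-Admins", r"CORP\Web-Users",
                 r"CORP\Finance", r"LAB\Web-Users"]

if __name__ == "__main__":
    # Escaped backslash: matches the literal domain separator.
    print(apply_group_filter(SAMPLE_GROUPS, [r"CORP\\Web-.*"]))
    # Single backslash: "\W" is a regex character class, so nothing matches
    # and no group information would be sent for these users.
    print(apply_group_filter(SAMPLE_GROUPS, [r"CORP\Web-.*"]))
```

A filter that silently matches nothing removes the group data that group-based web policy rules depend on, so confirm the kept list is what you expect before saving the policy.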