Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Redirection Workflow in Client Proxy and GRM

The Global Routing Manager (GRM) intelligently routes traffic to the closest Point of Presence (PoP). SCP and GRM use the following redirection workflow. 

  1. SCP issues a DNS query for to the DNS server configured on the endpoint.
  2. The user's DNS server queries Skyhigh Security's NS servers (anycast GRM).
  3. GRM sees the IP address of the user's DNS server.
  4. GRM applies the policy set in the back end.
  5. GRM calculates the best response based on back end policy and the user's DNS info (IP address and eDNS, if it exists).
  6. GRM provides the response to the endpoint.
  7. SCP connects to the provided IP address and starts the authorization process with SWG. 
  8. SWG provides the endpoint with the IP address that is seen on SWG as the client public IP (endpoint egress IP).
  9. SCP hex encodes the egress IP address provided by SWG, places the proxy server address in the form of c123456789.<client public IP> on the top of the redirection list (POP enhancement feature).
  10. SCP sends a DNS query for c0123456789.<client public IP> to GRM.
  11. GRM reads the IP4 header and runs the policy set in the back end again.
  12. GRM provides the best response to the endpoint.
  13. SCP connects to the IP address provided in Step 12.


  • eDNS. An extension for DNS servers that allows sending additional data, such as “requesting this domain for this client public IP”. 
  • POP enhancement feature. Geographical data is used in the proxy domain name so that GRM can provide a POP IP nearer to the endpoint.
  • Was this article helpful?