Feb 4, 2020 — Secure Web Gateway beta launch
SIA's Secure Web Gateway (SWG) performs URL filtering and anti-malware scanning on all web traffic.
It’s available with any one of these features:
- Proxy chaining. Allows you to forward all web traffic from your existing on-premises proxy server to SIA. You can enable this feature with the new Enable Forward Proxy and Trust XFF Header policy settings. The proxy host information that you use to configure traffic forwarding from the on-premises proxy to SIA is shown in the SIA policy.
- ETP Client 3.0.4. New version of the client that allows you to forward web traffic from user machines to SIA. You can configure ETP Client as a local web proxy on the user’s machine. The client also supports networks that split internal traffic from external web traffic and use an on-premises proxy. Depending on your SIA license, you can also configure ETP Client to forward only DNS and risky web traffic.
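With proxy chaining, the client address that ends up in the gateway's logs depends on whether the X-Forwarded-For header is trusted. The following is an added, illustrative example (not SIA or Akamai code) of the check a gateway has to make before honoring that header: the header is only consulted when the direct peer is a known on-premises proxy, and hops are walked from the right so that addresses prepended by an untrusted client cannot spoof the logged source. The trusted proxy addresses and request values are constructed samples.

```python
import ipaddress

# Constructed sample: addresses of the on-premises proxies that chain to the gateway.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5"), ipaddress.ip_address("10.0.0.6")}


def client_ip_for_log(peer_ip, xff_header, trust_xff):
    """Return the client address to record for a request.

    peer_ip:    the TCP peer that connected to the gateway.
    xff_header: raw X-Forwarded-For value, or None.
    trust_xff:  the policy setting; when False the header is ignored entirely.

    The header is walked from the right. Addresses belonging to trusted proxies are
    skipped; the first address that is not a trusted proxy is the client. Any
    malformed entry, or a header consisting only of trusted proxies, falls back to
    the peer address so a bad header can never hide the real source.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not trust_xff or peer not in TRUSTED_PROXIES or not xff_header:
        # The header is only meaningful when the direct peer is a proxy we control.
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # garbage in the header: do not trust any of it
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    # Every hop was one of our proxies; nothing else to attribute the request to.
    return str(peer)
```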
This beta also offers these features:
- Authentication policy. An authentication policy defines the users or user groups that can access websites in an acceptable use policy (AUP) after they authenticate. You can require that users authenticate before accessing a website, or you can make authentication optional. If a user is authenticated, all web requests are logged in the Proxy Activity report (Monitoring > Activity) with the username, group information, and the machine IP address. If a user does not authenticate, the username and group information are not logged.
  To implement authentication, you need to set up:
  - Identity providers. A service that creates, manages, and saves user and group identity information for authentication. You can create an identity provider (IdP) or integrate a third-party IdP such as Okta, PingOne, or Active Directory Federation Services (AD FS). In an IdP configuration, you can enable multi-factor authentication, define session settings, design the login page, and more.
    Note: If your organization is licensed for Enterprise Application Access (EAA), you can use your existing IdP configuration in SIA. In this situation, manage the IdP configuration in EAA and do not modify these settings in the SIA UI, to avoid conflicting configuration changes.
  - Directories. A service that your enterprise uses to manage users and user groups. You must associate a directory with an IdP. These directory services are supported:
    - Active Directory
    - Lightweight Directory Access Protocol (LDAP)
    - Active Directory Lightweight Directory Services (AD LDS)
    SIA also offers Cloud Directory, an internal Akamai directory that you can use for testing purposes only.
    The Identity Provider and Directory configuration pages in SIA are available from a new area of the navigation menu called Identity.
  - Identity connectors (optional). If your directory service is located in a data center that’s not accessible from the Internet, you can deploy an identity connector to grant the IdP access to the directory. An identity connector is a virtual appliance that you download from the Utilities page in SIA and deploy behind the firewall in your data centers or hybrid cloud environments.
- Proxy Activity. New Proxy Activity tab on the Activity page reports traffic that’s directed to SIA Proxy. You can view data about traffic and events, including the username of the user who made the request, the internal IP address of the user’s machine, and the applied policy action.
- DNS Activity. New DNS Activity tab on the Activity page reports DNS traffic that’s directed to SIA. You can view detailed data about traffic, such as the applied policy action and the internal client IP address. This tab allows administrators to investigate suspicious activity and review requests to a specific domain.
- Static malware analysis for large files. Allows SIA to scan files that are 5 MB to 2 GB in size. SIA scans these files after they are downloaded. If SIA detects malware, a threat event is reported. In the SIA threat event on the Event Analysis page, you can download a deep scan report in PDF format that includes more detailed information. To use this feature, in a policy, you must enable Inline Payload Analysis and select the Allow and Scan option for large files.
- Dynamic malware analysis with Sandbox. Scans files in a secure sandbox environment that’s isolated from your network. In this environment, files are executed and analyzed to determine whether malicious code or activity is detected.
  This feature:
  - Analyzes files that are up to 64 MB in size.
  - Automatically scans files offline (after they are downloaded).
  - Publishes a deep scan report in SIA when it detects a threat. You can download the report in PDF format from the corresponding event in SIA.
  To use this feature, in a policy, you must enable Inline Payload Analysis, select the Allow and Scan option for large files, and enable Dynamic Analysis. This feature is available to organizations that are licensed for Advanced Sandbox.
To try any of these features, contact your Akamai representative.
Known Issues and Limitations
These limitations apply to this beta release:
- Windows apps are not supported on Windows machines where ETP Client 3.0.4 is installed.
- If a user skips authentication, they are prompted to authenticate every 15 minutes.
- ETP Client 3.0.4 is not supported on Mac OS X El Capitan.
- If you are setting up Active Directory Federation Services (AD FS) as a third-party SAML identity provider, you must deploy an identity connector and associate it with AD.
These issues are currently known in this beta release:
- Authentication
  - Issue: When defining the users and groups that can access websites for a blocked AUP category, you must manually enter the user IDs and group names. You cannot provide the username of the user.
    Workaround: If you are using a directory service such as Active Directory, consult the user and group information in your directory service. You can also find the user ID and group name in a Proxy Activity report (Monitoring > Activity).
- Identity Providers and Directories
  - Issue: If your organization uses EAA or another cloud access solution for enterprise applications, these applications are not accessible when traffic is directed to SIA Proxy.
    Workaround: Enter the domains of your enterprise applications and EAA identity providers in the internal DNS suffixes field of the SIA network configuration:
    - In the SIA navigation menu, select Configuration > Utilities.
    - Click the Network Configuration tab.
    - In the DNS suffixes field, enter the full domain of EAA identity providers and enterprise applications.
    - Click Save.
  - Issue: The email address associated with a user in the Cloud Directory is not editable.
    Workaround: You can delete the user and add a user with the new email address. If your organization also uses EAA, you can modify the user’s email address in EAA.
  - Issue: When deleting a user in the Cloud Directory, the dialog that confirms the deletion shows inaccurate information about the user’s last login.
    Workaround: No workaround is available.
  - Issue: If a user is deleted from a directory after they authenticate, the user is redirected to the IdP login page 30 minutes after the delete operation occurred.
    Workaround: No workaround is available.
  - Issue: Changes to the URL of an identity server in SIA do not take effect for an identity provider that was previously deployed and assigned to a policy. After you deploy the modified identity provider, the change is not recognized by the SIA policy.
    Workaround: In the policy where this identity provider is assigned:
    - Change the authentication mode to another mode that uses authentication. For example, if the mode is set to Optional, select Require; if it is set to Require, select Optional.
    - Save and deploy the policy.
    - Return to the policy.
    - Select the authentication mode that you want to use for the policy.
    - Apply AUP exceptions.
    - Save and deploy the policy.
    For detailed instructions on these operations, see the online help.
  - Issue: If you modify an identity provider, you cannot deploy any policy that’s associated with the IdP until the IdP is deployed.
    Workaround: Deploy the IdP.
- SIA Proxy
  - Issue: A browser error appears to the user when SIA Proxy cannot verify the web server certificate. This occurs if the certificate chain is incomplete or its Certificate Authority (CA) is unknown to Akamai.
    Workaround: If users see this error for traffic or websites that you want to allow, add the domain or its IP address to an exception list. Exception lists bypass SIA Proxy. For more information on exception lists, see About lists. To create an exception list, see Create a list.
  - Issue: Mozilla Firefox on Windows does not use the proxy settings or certificates that are on the system.
    Workaround: If you configure proxy chaining to direct traffic to SIA Proxy, configure the on-premises proxy as a proxy connection in the Firefox browser:
    - Click Open menu and select Options.
    - Navigate to Network Settings and click Settings.
    - In the Connection Settings, select Use system proxy settings.
    - Click OK.
    Note: On Windows, make sure that you configure Firefox to recognize the trusted root certificates that are in your enterprise Windows certificate store. For more information, see Enable enterprise trusted root certificate in Firefox and Distribute the SIA Proxy certificate.
- ETP Client
  - Issue: Users cannot access the Internet when both of these conditions apply:
    - ETP Client 3.0.4 forwards all web traffic to SIA Proxy
    - Pulse Secure VPN uses proxy server settings
    Workaround: In the VPN tunneling connection profile of Pulse Secure VPN, make sure that you or an IT administrator selects the No proxy server option. For more information on Pulse Secure VPN connection profiles, see the documentation for Pulse Secure VPN.
  - Issue: If more than 40 DNS suffixes are configured in the SIA network configuration, ETP Client may be unable to enter “Your device is protected” mode.
    Workaround: Instead of adding these domains or DNS suffixes to an SIA network configuration, create a custom exception list with this data. Exception lists bypass SIA Proxy. For more information on exception lists, see About lists. To create an exception list, see Create a list.