Apr 27, 2020 — Secure Web Gateway launch
You can configure SIA Proxy as a Secure Web Gateway (SWG) that performs URL filtering and anti-malware scanning and applies acceptable use policies to each user. To do this, you need to send all web traffic to SIA Proxy.
The full web proxy is available with these features:
- Proxy chaining. Directs all HTTP and HTTPS traffic from your organization’s on-premises proxy to SIA Proxy. As part of this feature, you enable specific settings in a policy and configure your on-premises proxy to forward traffic to SIA. This feature is currently in beta. For more information, contact your Akamai representative.
- ETP Client. ETP Client 3.0.4 or later allows you to forward web traffic from user machines to SIA. You can configure ETP Client as a local web proxy on the user’s machine. The client also supports networks that split internal traffic from external web traffic and use an on-premises proxy.
With the full web proxy, you can further use the following features to secure website access and prevent users from accessing malicious content:
- Authentication. You can define the users or user groups that can access websites in an acceptable use policy (AUP) after they authenticate.
  To implement authentication, you must also set up:
  - Identity providers. A service that creates, manages, and saves user and group identity information for authentication. You can create an identity provider in SIA or integrate Okta or a third-party SAML IdP. Supported third-party SAML IdPs include Microsoft Active Directory Federation Services (AD FS) and Microsoft Azure AD. In an identity provider (IdP) configuration, you can enable multi-factor authentication, define session settings, design the login page, and more.
    Note: If your organization is licensed for Enterprise Application Access (EAA), you can create a PingOne identity service. You can also use your existing IdP configuration in SIA. However, make sure that you use EAA to manage IdPs that were created in the EAA product. Do not modify these settings in the SIA UI, to avoid conflicting configuration changes.
  - Directories. A service that your enterprise uses to manage users and user groups. You must associate a directory with an IdP. The following directory services are supported:
    - Active Directory
    - Lightweight Directory Access Protocol (LDAP)
    - Active Directory Lightweight Directory Services (AD LDS)
    SIA also offers Cloud Directory, an internal Akamai directory that you can use for testing purposes only.
  - Identity connectors. An identity connector is a virtual appliance that you download from the Utilities page in SIA and deploy behind the firewall in your data centers or hybrid cloud environments. You associate an identity connector with a directory. It allows SIA to synchronize with your directory service.
To use the following features, contact your Akamai representative:
- Scan unclassified traffic. In a policy, you can define an action for unclassified domains. Unclassified domains do not appear in any SIA list, such as a threat category list, custom lists, or the acceptable use policy (AUP). If the Classify action is selected for unclassified traffic, SIA Proxy scans and analyzes domains. After this analysis is completed, the traffic is assigned a category and a corresponding policy action.
- Static malware analysis for large files. Allows SIA to scan files that are 5 MB to 2 GB in size. SIA scans these files after they are downloaded. If SIA detects malware, a threat event is reported. In the SIA threat event on the Event Analysis page, you can download a deep scan report in PDF format that includes more detailed information. To use this feature, in a policy, you must enable Inline Payload Analysis and select the Allow and Scan option for large files.
- Dynamic malware analysis in a Sandbox environment. Scans files in a secure sandbox environment that’s isolated from your network. In this environment, files are executed and analyzed to determine whether malicious code or activity is detected. This feature:
  - Analyzes files that are up to 64 MB in size.
  - Automatically scans files offline (after they are downloaded).
  - Publishes a deep scan report in SIA when it detects a threat. You can download the report in PDF format from the corresponding event in SIA.
  To use this feature, in a policy, you must enable Inline Payload Analysis, select the Allow and Scan option for large files, and enable Dynamic Analysis. This feature is available to organizations that are licensed for Advanced Sandbox.
SIA includes reports where you can view detailed information about this traffic. These reports are available to super administrators and to users who are assigned a specific role permission:
- DNS Activity. Shows data on DNS traffic that’s directed to SIA or SIA Proxy. This report allows you to:
  - Investigate suspicious activity.
  - Review requests made to a specific domain.
  - Check activity from a specific client internal IP address or machine name.
  - Troubleshoot a failed request based on connection ID or client request ID.
- Proxy Summary. Includes the total number of proxy transactions and the top transactions based on policy action, autonomous system name, client port, destination IP, destination port, domain, geolocation, source IP address, and more.
- Proxy Activity. Shows the traffic that’s directed to SIA Proxy. This report shows the requested domain, the internal IP address of the user’s machine, the username of the user who made the request, the action that was applied to the traffic, and more.
Known issues
These issues are currently known in this release:
- Issue: When ETP Client is installed on machines, users cannot access the Internet when both of these conditions apply:
  - ETP Client 3.0.4 or later forwards all web traffic to SIA Proxy.
  - Pulse Secure VPN uses proxy server settings.
  Workaround: In the VPN tunneling connection profile of Pulse Secure VPN, make sure that you or an IT administrator selects the No proxy server option. For more information on Pulse Secure VPN connection profiles, see the documentation for Pulse Secure VPN.
- Issue: Universal Windows Platform apps downloaded from the Microsoft Windows store are not supported on machines where ETP Client is installed.
  Workaround: No workaround is available.
- Issue: If you upgrade ETP Client version 2.1.0 to version 3.0.4 or later, an upgrade notification incorrectly indicates that the client will upgrade to version 2.0.7.
  Workaround: Continue with the upgrade process. SIA correctly upgrades the client to version 3.0.4 or later.
- Issue: SIA Proxy may block the domains or URLs of bot or web application firewall services.
  Workaround: To make sure that these services bypass SIA Proxy, add their domains to an exception list. Akamai is actively working to resolve this issue and add SIA Proxy support for these services.