About SIA Proxy

In addition to identifying and mitigating DNS threats, you can also use ‚ÄčSIA‚Äč to protect an enterprise network from threats that target HTTP or HTTPS traffic.

You enable ‚ÄčSIA‚Äč Proxy in a policy when you set the Policy Type setting. The DNS + Proxy setting enables ‚ÄčSIA‚Äč Proxy, as well as DNS protection. As part of your access control settings, you can further select the proxy type when configuring the operating mode for ‚ÄčSIA‚Äč. This setting defines how traffic is handled by default in your organization. ‚ÄčSIA‚Äč policy also lets you select a proxy type for your mobile devices. These proxy types are available:

  • Selective proxy. Analyzes risky web traffic. The selective proxy examines the domain and full URL of the request to determine if it's risky. The selective proxy is available with an ‚ÄčSIA‚Äč Intelligence license.

    ‚ÄčETP Client‚Äč supports the selective proxy. You can also use the selective ‚ÄčSIA‚Äč Proxy with an on-premises proxy. For more information, see About ‚ÄčETP Client‚Äč and Support of an on-premises HTTP forward proxy.

  • Full web proxy. Analyzes all web traffic. The full proxy is available to organizations that use ‚ÄčETP Client‚Äč, already use an on-premises proxy, configure Security Connector as an HTTP Forwarder, set their browsers or computer proxy settings to direct traffic to ‚ÄčSIA‚Äč Proxy, or want to use their SD-WAN solution or router to configure IPsec tunnels from their branches. For more information, see Full web proxy.

If your enterprise is licensed for ‚ÄčSIA‚Äč Advanced Threat, you can perform payload analysis. ‚ÄčSIA‚Äč payload analysis uses malware scanners to determine which websites are safe to access. For more information, see Payload analysis.

The proxy acts as a MITM to intercept TLS/SSL traffic. An ‚ÄčSIA‚Äč administrator generates an ‚ÄčAkamai‚Äč certificate or a certificate signed by their company's CA. An IT or Desktop administrator deploys the certificate across the enterprise network. This is necessary to establish trust between the client (browser) and the proxy, and further allows ‚ÄčAkamai‚Äč to create a short-lived, dynamically generated certificate that is used to communicate with the destination server. For more information, see ‚ÄčSIA‚Äč Proxy MITM certificate.

‚ÄčSIA‚Äč Proxy inspects the URL path of the requests and checks if a URL is a known threat. If it is a threat, the threat is handled based on the policy action that is assigned to the threat category, either Malware, C&C, or Phishing. The ‚ÄčSIA‚Äč proxy then forwards the request to the origin server and returns the payload to the client.


To prevent the inspection of specific domains (for example, a known malicious website), ‚ÄčSIA‚Äč administrators can configure an exception list.

If DLP is set up in your enterprise, you can scan files or data that's uploaded by users for sensitive information. For more information, see Data loss prevention.

Before enabling ‚ÄčSIA‚Äč Proxy:

  • Make sure that you deploy trusted CA certificates in your network devices, such as guest computers or mobile phones.

  • If your organization has separate networks for guest and managed devices, configure those networks as two separate locations in ‚ÄčSIA‚Äč. This ensures that each network's traffic is mapped to a different public IP address. You can then enable ‚ÄčSIA‚Äč Proxy in the network with managed devices and leave ‚ÄčSIA‚Äč Proxy disabled in the network with guest devices.

Note these conditions:

  • Some limitations apply to traffic that's forwarded to ‚ÄčSIA‚Äč Proxy. For a list of limitations or unsupported features, see Limitations of ‚ÄčSIA‚Äč Proxy.

  • The ‚ÄčSIA‚Äč Dashboard, events and activity reports allow ‚ÄčSIA‚Äč administrators to review and analyze HTTP or HTTPS threat events, ‚ÄčSIA‚Äč Proxy and network activity, threat events, and access control events.

  • When a company uses a VPN to secure communications between a field office and company headquarters, the company headquarters is typically configured as a location in the policy. If the field office is also configured as a separate location in the policy, ensure that the policy associated with these locations do not have conflicting settings.

  • ‚ÄčAkamai‚Äč maintains a list of domains that bypass ‚ÄčSIA‚Äč Proxy. For more information, see Bypass list.

  • In a policy, you can select to bypass Microsoft 365 traffic. This option allows domains and IP addresses that are associated with Microsoft Office apps, Outlook, and cloud storage to bypass ‚ÄčSIA‚Äč Proxy scanning and resolve to Microsoft data centers that are closest to your enterprise DNS resolver. ‚ÄčSIA‚Äč retrieves this data from Microsoft every 24 hours. For more information, see Bypass Microsoft 365 traffic.