Configure HTTP Forwarder

Prepare for HTTP Forwarder setup

To prepare for HTTP Forwarder setup, make sure you:

  1. Determine whether you will set up a transparent or explicit proxy. For more information, see Security Connector as an HTTP Forwarder.
  2. Review the best practices and limitations. See Best practices for setting up HTTP Forwarder and Limitations of HTTP Forwarder.
  3. Review setup and virtual machine requirements. See Setup and virtual machine requirements.
  4. Before you configure a Security Connector, consider:
    • The ports that you configure for HTTP Forwarder. Traffic is accepted from ports that are configured in a policy for a transparent proxy and in the Security Connector console for an explicit proxy. If traffic arrives from other ports, the traffic is dropped.
    • A permanent IP address for the en1 interface of the Security Connector configuration. The IP address that you provide for the en1 interface is the IP address of HTTP Forwarder. Depending on whether HTTP Forwarder is configured as an explicit or transparent proxy, you will configure this IP address on a user device or in a network router or switch. As a result, consider a permanent IP address for this interface such as a static IP address. If you use a dynamic IP address, consider a sticky MAC address assignment.
    • For the Security Connector, configure DNS servers that are capable of resolving domains for Akamai services. If the proxy is not reachable, HTTP Forwarder uses these servers to resolve domains.

Configure HTTP Forwarder

Before you begin

  1. Prepare for HTTP Forwarder setup.
  2. Add, download, and activate Security Connector. For more information, see Set up the security connector.
  3. Make sure the operation mode for Security Connector is HTTP Forwarder. To change it, see Change Security Connector operation mode.

Complete these steps to configure Security Connector as an HTTP Forwarder.

To configure HTTP Forwarder:

  1. Create a policy where SIA proxy is enabled. For instructions, see Enable full web proxy.

  2. Create a location with the en1 interface IP address. This allows you to identify traffic from the HTTP forwarder.

  3. To have HTTP Forwarder bypass domains, IP addresses, or CIDRs, do the following:

    1. In Security Connector, configure a local DNS server. For instructions, see Configure local DNS servers.
    2. In the Local Bypass Settings, enter the domains, IP addresses, and CIDRs that you want HTTP Forwarder to bypass. Users can access this traffic. For instructions, see Configure internal IP addresses, DNS suffixes, and email domains.
  4. If you would like HTTP Forwarder to be an explicit proxy:

    1. In the Security Connector console, configure the port for the explicit proxy. By default, the port is 8000. If you need to modify the port, see Modify explicit proxy port in Security Connector.

    2. Make HTTP Forwarder the proxy on enterprise devices. Modify the system and browser proxy settings to configure HTTP Forwarder as the proxy. You can configure a PAC file or use your device management solution to modify the system settings. The IP address of the en1 interface is the IP address of HTTP Forwarder.

      For more information on configuring and distributing a PAC file configuration, see Distribute the PAC file URL.

  5. If you would like HTTP Forwarder to be a transparent proxy:

    1. Configure policy-based routing rules on your router. For more information, see Configure policy-based routing.
    2. Configure the origin ports for the transparent proxy in an SIA policy. For instructions, see Configure origin ports.
  6. Disable DNS Forwarder in the Security Connector console. For instructions, see Enable or disable DNS Forwarder.

Configure an explicit proxy

These procedures are required to configure HTTP Forwarder as an explicit proxy.

For more information on setting up HTTP Forwarder, see Configure HTTP Forwarder.

Modify the explicit proxy port in Security Connector

By default, the explicit proxy port is 8000. However, you can modify this setting based on the needs of your network.

To modify the explicit proxy port in Security Connector:

  1. In the Security Connector console menu, press 7 or use the arrow keys to select Manage HTTP Forwarder, and press Enter.
  2. Press 2 or use the arrow keys to select Modify Explicit Proxy Port, and press Enter.
  3. Press C to edit the port.
  4. Enter the new port number and press Enter.
  5. Enter y to confirm the changes and press Enter.

Configure and distribute a PAC file

If you're configuring Security Connector as an explicit proxy, you may need to create a proxy auto-configuration (PAC) file. This file is used to direct traffic from your enterprise devices or browser to HTTP Forwarder. A PAC file is hosted on a server. You can do one of the following:

  • Provide the URL of the PAC file in a browser or in the system proxy settings.
  • Manually enter the IP address and port of HTTP Forwarder in the system proxy settings.

The IP address of HTTP Forwarder is the IP address that you provide for the en1 interface.

Depending on how your organization manages devices and system configurations, you need to manually distribute this update with the solution your enterprise uses. For example, your enterprise may distribute PAC files or proxy settings with device management software or as a group policy object.

Create or modify a PAC file

If you need to create a new PAC file or update an existing PAC file, make sure the PAC file includes the IP addresses of HTTP Forwarder. This procedure includes the function and return statement that you can use in your PAC file.

To create or modify a PAC file:

  1. Open a simple text editor such as Notepad. If you are updating an existing file, open the file in the simple text editor.

  2. To send traffic to HTTP Forwarder, you can use this function definition and return statement:

    function FindProxyForURL(url, host)
    {
          // Security Connector as HTTP Forwarder
          return "PROXY <IP_ADDRESS>:<PORT>; PROXY <IP_ADDRESS>:<PORT>; ";
    }
    

    where:

    • <IP_ADDRESS> is the IP address of an HTTP Forwarder. This is the IP address that you configured for the en1 interface.
    • <PORT> is the port for HTTP Forwarder.
  3. Save the file. If you are creating a new PAC file, make sure you save it with a .pac extension.

Next steps

  1. Test that the PAC file is working. You can use an open source solution such as the pactester utility by Google to confirm there is no error with the PAC file configuration.
  2. Make sure the PAC file is hosted on a web server. You need the PAC file URL to distribute the PAC file configuration.
  3. Distribute the proxy file configuration. For instructions, see Distribute the PAC file URL.
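
One way to run the check from step 1 before distributing the file, as an added example that is not part of the original documentation: a Node.js script that evaluates a PAC file and reports any sample URL whose result is not limited to the expected HTTP Forwarder addresses. The addresses 192.0.2.10 and 192.0.2.11, port 8000 as the forwarder port, the sample URLs, and all function names are assumptions for illustration.

```javascript
// Added example. 192.0.2.10/192.0.2.11 and port 8000 are constructed sample values.
// Constructed PAC text that follows the template above with two forwarders.
const SAMPLE_PAC = `
function FindProxyForURL(url, host)
{
      // Security Connector as HTTP Forwarder
      return "PROXY 192.0.2.10:8000; PROXY 192.0.2.11:8000; ";
}`;

// Small stand-ins for PAC built-ins, so PAC files that call them still load.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
};

// Evaluate PAC text and return its FindProxyForURL function.
// This executes the file's code, so run it only on PAC files you maintain.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Split a PAC result such as "PROXY a:1; PROXY b:2; " into typed entries.
function parsePacResult(result) {
  return String(result).split(";").map((s) => s.trim()).filter(Boolean)
    .map((entry) => {
      const [type, target = ""] = entry.split(/\s+/);
      return { type: type.toUpperCase(), target };
    });
}

// Report every sample URL whose result is empty or names anything other
// than an allowed HTTP Forwarder address (for example DIRECT or a stray proxy).
function auditPac(source, urls, allowedForwarders) {
  const findProxy = loadPac(source);
  const findings = [];
  for (const url of urls) {
    const entries = parsePacResult(findProxy(url, new URL(url).hostname));
    if (entries.length === 0) findings.push({ url, issue: "empty result" });
    for (const { type, target } of entries) {
      if (type !== "PROXY") findings.push({ url, issue: `not proxied: ${type}` });
      else if (!allowedForwarders.includes(target)) findings.push({ url, issue: `unexpected proxy: ${target}` });
    }
  }
  return findings;
}
const SAMPLE_URLS = ["http://example.com/", "https://intranet.example.net/app"];
console.log(auditPac(SAMPLE_PAC, SAMPLE_URLS, ["192.0.2.10:8000", "192.0.2.11:8000"]));
```

An empty array means every sample URL resolves only to the listed forwarders; any finding names the URL and the entry that would send traffic somewhere else.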

Distribute the PAC file URL

To direct traffic from your enterprise devices to HTTP Forwarder, you must modify the proxy settings in user browsers and provide the PAC file URL. Depending on the browser and OS, the steps may vary.

These instructions describe how to configure a single browser instance. If your organization uses a device management solution or Windows Group Policy, you can distribute the PAC file URL to devices across your organization.

| Operating System | Browser | Instructions |
| --- | --- | --- |
| Windows, macOS | Google Chrome | See Distribute the PAC URL to Google Chrome |
| Windows, macOS | Mozilla Firefox | See Distribute the PAC URL to Mozilla Firefox |
| Windows, macOS | Microsoft Edge | See Distribute the PAC URL to Microsoft Edge |
| macOS | Safari | See Distribute the PAC URL to Safari |

Distribute the PAC URL to Google Chrome

Complete these steps to distribute the PAC URL to an instance of Google Chrome.

To distribute the PAC URL:

  1. In the Google Chrome menu, select Settings.
  2. In the left navigation, select Advanced > System.
  3. Click Open your computer’s proxy settings.
  4. If you’re on Windows, complete these steps:
    1. In the Automatic proxy setup section, toggle these settings to on.
      • Automatically detect settings
      • Use setup script
    2. In the Script address field, enter the URL for the PAC file.
    3. Click Save.
  5. If you’re on Mac, complete these steps:
    1. In the Proxies tab, select Automatic Proxy Configuration.
    2. In the URL field, enter the URL of the PAC file.
    3. Click OK.
    4. Click Apply.

Distribute the PAC URL to Mozilla Firefox

Complete these steps to distribute the PAC URL to an instance of Mozilla Firefox.

To distribute the PAC URL:

  1. In the Firefox menu, select Settings.
  2. In the left navigation, click General.
  3. Scroll down to the Network Settings section and click Settings.
  4. Select Automatic proxy configuration URL.
  5. In the provided field, enter the URL of the PAC file.
  6. Click OK.

Distribute the PAC URL to Microsoft Edge

Complete these steps to distribute the PAC URL to an instance of Microsoft Edge.

To distribute the PAC URL:

  1. In the Edge menu, select Settings.
  2. In the Settings menu, select System and Performance.
  3. Under System, click Open your computer's proxy settings.
  4. If you’re on Windows, complete these steps:
    1. In the Automatic proxy setup section, toggle these settings to on.
      • Automatically detect settings
      • Use setup script
    2. In the Script address field, enter the URL for the PAC file.
    3. Click Save.
  5. If you’re on Mac, complete these steps:
    1. In the Proxies tab, select Automatic Proxy Configuration.
    2. In the URL field, enter the URL of the PAC file.
    3. Click OK.
    4. Click Apply.

Distribute the PAC URL to Safari

Complete these steps to distribute the PAC URL to an instance of Safari.

To distribute the PAC URL:

  1. In the Safari menu, select Safari > Preferences.
  2. Click Advanced.
  3. For the Proxies field, click Change Settings.
  4. Select the Proxies tab.
  5. Select Automatic Proxy Configuration as the protocol.
  6. In the URL field, enter the URL of the PAC file.
  7. Click OK.
  8. Click Apply.

Configure a transparent proxy

These procedures are required to configure HTTP Forwarder as a transparent proxy.

For more information on setting up HTTP Forwarder, see Configure HTTP Forwarder.

Configure policy-based routing

When policy-based routing is configured for a transparent proxy configuration, the router intercepts traffic from the device based on the provided origin ports and marks this traffic to ensure it's processed differently. This marked traffic is then routed to HTTP Forwarder.

Note the following:

  • If you’ve configured multiple forwarders in your network for high availability, you can create a group for multiple gateways.
  • If the security connector is in the same subnet as the router, make sure the Security Connector IP address is not included in these rules or configurations.

Configuring policy-based routing on your router can vary depending on your organization’s router and network requirements. Make sure you are aware of your organization’s requirements and consult the documentation of your router service for detailed instructions.

Configure rules on pfSense routers

Complete these steps to direct traffic from pfSense routers to HTTP Forwarder.

To configure rules on pfSense:

  1. Open a browser and enter the IP address of your local area network (LAN).
  2. In the pfSense login page, enter your credentials.
  3. From the navigation menu, select System > Routing.
  4. For Gateways, click Add.
  5. Complete these steps to add HTTP Forwarder as a gateway:
    1. For the Interface, select LAN.
    2. For the Address Family, select IPv4.
    3. In the Name field, enter the name of the Security Connector.
    4. In the gateway field, enter the IP address of HTTP Forwarder.
    5. Click Save.
  6. Create a firewall rule to make sure that traffic can reach Security Connector. Complete these steps.
    1. In the navigation menu, select Firewall > Rules.
    2. In the LAN tab, click Add.
    3. For Action, select PASS.
    4. For the Interface, select LAN.
    5. For the Address Family, select IPv4.
    6. For the Protocol, select TCP.
    7. In the Source section, select Single host or alias and in the provided field, enter the IP address of Security Connector.
    8. Click Save.

Next steps

Make sure the system proxy settings of user devices are disabled. To do this, open the proxy settings in the OS or browser and verify that the proxy server settings are disabled.

Configure rules on MikroTik routers

Complete these steps to direct traffic from MikroTik routers to HTTP Forwarder.

  1. Establish an SSH connection to the MikroTik router.

  2. Enter the username and password.

  3. To mark traffic for HTTP forwarder as it reaches the router, enter this command:

    /ip firewall mangle
    add chain=prerouting action=mark-routing new-routing-mark=ETP_SCHTTPFWDER passthrough=yes protocol=tcp port=<PORT>

    where <PORT> is the port or ports that your organization uses for web traffic.

  4. To route traffic to HTTP Forwarder, enter this command:

    /ip route
    add dst-address=0.0.0.0/0 routing-mark=ETP_SCHTTPFWDER gateway=<SC_IP>
    

    where <SC_IP> is the IP address of HTTP Forwarder.