Enable full web proxy

Before you begin

  1. Create certificates and distribute the certificates to devices and TLS clients on your network. For more information, see SIA Proxy MITM certificate.

  2. If you're configuring proxy chaining to forward web traffic to SIA Proxy, see Set up on-premises proxy for SIA full web proxy.

  3. If you want SIA Proxy to authorize connections from the on-premises proxy, make sure you configure proxy credentials in SIA and in the on-premises proxy. For instructions, see Create a proxy credential.

  4. If you're configuring ETP Client to forward web traffic to SIA Proxy, see Prepare for ETP Client setup.

  5. If you're configuring Security Connector to forward web traffic to SIA Proxy, see Set up the security connector.

  6. Make sure your organization is licensed for SIA Advanced Threat.

The full web proxy is available with proxy chaining, ETP Client, and Security Connector as an HTTP Forwarder. For more information, see Set up proxy chaining, ETP Client for web traffic, and Security Connector as an HTTP Forwarder.

To enable the full web proxy:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. If you are adding a new policy:

    1. On the Policies page, click the plus sign icon.

    2. Enter a name and description for the policy in the Name and Description fields.

    3. In the Policy Type menu, select DNS + Proxy.

    4. To configure a policy with settings from a predefined template, select one of these templates and click Continue:

      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.

      • Monitor-only. Logs and reports threats but does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. It assigns the monitor policy action to all known and suspected threat categories.

      • Custom. Lets you define policy actions for known and suspected threats.

    5. To assign a location or sub-location, click the link icon for locations or sub-locations, and select one or more. Then click Associate.

  3. If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.

  4. Click the Settings tab.

  5. In the Proxy Settings section, complete the steps for these fields:

    1. Proxy Type. Make sure DNS + Proxy is selected.

    2. Proxy Authorization. Toggle on to require that SIA Proxy authorizes connections from the on-premises proxy. To use this setting, you need to configure proxy credentials in SIA and in the on-premises proxy. For more information, see Configure proxy authorization.

    3. Origin Ports. To allow outbound traffic on an origin port that is not in the default list, enter the port number or port range. Separate each port number or range with a comma. By default, the full web proxy allows outbound traffic to ports 80 to 84, 443, 4443, 8080, 8443, and 8888.

    4. Trust XFF Header. Toggle on if you are configuring proxy chaining or the full web proxy. Your organization needs to be licensed for SIA Advanced Threat. When this setting is on, SIA Proxy uses the X-Forwarded-For header that the on-premises proxy adds as the client address, so enable it only for traffic that arrives from a proxy you control.

    5. Proxy Logging Mode. To change the SIA Proxy logging mode, select a different level. The default, Level 1, logs detailed data such as request and response headers in HTTP or HTTPS threat events. For more information, see Proxy logging mode.

    6. Bypass Microsoft 365 Traffic. Toggle on to bypass traffic to Microsoft 365 apps and services.

    7. Block Incompatible Domains. Toggle on to block domains that are not compatible with TLS encryption. Otherwise, these domains bypass SIA Proxy.

    8. Invalid Certificate Response. Select Block - Error Page to block a request if SIA Proxy cannot verify a website's origin certificate. Otherwise, select Bypass to let the request bypass SIA Proxy.

    9. Local Breakout for Bypass Domains. Disable this option only if your network has no default route to the Internet and cannot directly access origins that are configured for bypass.

  6. In the Payload Analysis section, enable inline payload analysis to scan files that are up to 5 MB before they are downloaded. You need to enable SIA Proxy to use payload analysis. Complete the steps for these fields:

    1. Block Unscannable Files. Toggle on if you want to block files that cannot be scanned with SIA Proxy as part of inline payload analysis.

    2. Block On Upload Scan Timeout. Toggle on if you want to block requests that cause scanning to take longer than expected. Note: This setting applies to DLP and File Type blocking.

    3. Risky File Handling - by file size. If your organization is enabled for Advanced Sandbox:

      • For downloads that range from 5 MB to 2 GB in size, select Allow or Allow and Scan. Otherwise, select Block - Error Page. For more information, see Static malware analysis of large files.

      • If you select Allow and Scan, the Dynamic Analysis toggle is available. To enable dynamic analysis, toggle this setting to on. For more information, see Dynamic malware analysis.

      • For files that are greater than 2 GB (huge files), select an action. You can select Block - Error Page or Allow. For more information, see Payload analysis.

  7. In the Other Settings section, complete the steps for these fields:

    1. Forward Public IP to Origin. Toggle on to forward the user's public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. Make sure you also enable this setting if you enabled the Bypass Microsoft 365 Traffic option.

    2. Authentication Mode. Select Require to require authentication, Optional to give users the option to skip authentication, or None. This mode defines whether users are prompted to authenticate when accessing allowed websites or web applications.

    3. Identity Provider. Select an IdP if you selected Require or Optional as an authentication mode.

  8. If you've installed ETP Client on devices in your network, you can complete the steps for these fields:

    1. Disable Client. Enable this option to disable the client in the locations that are associated with the policy.

    2. Avoid Local DNS Resolvers. Enable this option to have ETP Client query the local DNS resolver only for domains that are configured on the Local Bypass Settings page. All other traffic is directed to SIA instead of the local resolver. To configure the domains that you prefer bypass SIA, see Configure local bypass settings.

    Note: It's recommended that you don't enable this setting when the client is on the network. When the client is on the network, local traffic should be directed to the local resolvers.

    3. Walled Garden Exceptions. Enable this option to block all traffic when ETP Client is in an unprotected state. Only the domains and IP addresses that are specified as walled garden exceptions in the network configuration are allowed when walled garden is enabled. This setting also makes ETP Client the device web proxy. As a result, Yes is automatically selected for Overwrite Device Proxy Settings. To configure the domains and IP addresses that are exceptions to a walled garden, see Configure walled garden exceptions.

    4. Overwrite Device Proxy Settings. Select Yes or Only if there's no local proxy if you want to enable ETP Client as a proxy on the client computer or device. Otherwise, select No.

      If you prefer to use transparent traffic interception to forward web traffic from ETP Client to SIA Proxy, see Enable transparent traffic interception.

    5. DNS-over-TLS Mode. Defines whether ETP Client uses DNS over TLS (DoT) to protect DNS traffic it forwards to SIA. Select one of these modes:

      • Attempt. Indicates ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS.

      • Required. Indicates that DoT is required. If DoT is not available, DNS traffic is directed from ETP Client to the local DNS resolver.

      • Disabled. Indicates that DoT is not used to secure DNS traffic from ETP Client.

    6. DNS-over-TLS Port. Select the port that's used for DoT connections.

  9. To define policy actions for threat categories, click the Threat tab, then complete the fields for each of these threat types:

    1. Known. If you want to assign the same policy action to all known threat categories, select an action in the Action column. Otherwise, make sure the Known option is expanded to show the threat categories.

      • For each threat category, select an action. For more information, see Policy actions.

      • If you select Block, select a specific response to the user. The Response to User column is available when the Block action is selected.

      • If Error Page is selected and you want to direct traffic to Security Connector, select a security connector in the Security Connector field. Otherwise, select None.

    2. Suspected. If you want to assign the same policy action to all suspected threat categories, select an action in the Action column. Otherwise, make sure the Suspected option is expanded to show the threat categories and complete the fields as described in the previous step.

    3. Risky. If you want to assign the same policy action to all risky categories, select an action in the Action column. Otherwise, make sure the Risky option is expanded to show categories, and select an action for the individual categories.

  10. Click the Access Control tab and complete these steps:

    1. Click the AUP & Shadow IT tab.

    2. Select Full Proxy as the Operating Mode and as the mode for your mobile devices. Complete the steps described in Configure application visibility and control.

    3. Click the DLP tab and complete the steps described in Select user and group exceptions for DLP scanning and Assign a DLP dictionary to a policy.

    4. If you want to block or monitor the download or upload of specific file types, click the File Types tab and follow the instructions described in Access by file type.

  11. To configure custom headers, click the Custom Header tab and follow the instructions in Add a custom header.

  12. To assign a list to the policy, click the Custom Lists tab and depending on the type of list you are adding, see Add a block list to a policy and Add an exception list to a policy.

  13. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next Steps

  1. If you haven't deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.

  2. If you are configuring proxy chaining:

    1. Configure the on-premises proxy to forward traffic to SIA Proxy. For more information, see the documentation of your on-premises proxy. If your organization uses Squid as an on-premises proxy, see Configure Squid to forward traffic to SIA Proxy.

    2. Configure the on-premises proxy to forward XFF headers. For more information, see the documentation of your on-premises proxy. If your organization uses Squid as an on-premises proxy, see Configure Squid to forward traffic to SIA Proxy.

    3. Test that traffic arrives at SIA Proxy. You can create a custom list with a domain and, in a policy configuration, assign the monitor policy action to the custom list. In the browser, confirm that the certificate presented for that domain was issued by the certificate you generated or uploaded into SIA (the TLS MITM certificate).

  3. If you are configuring ETP Client to forward web traffic to SIA Proxy, see Prepare for ETP Client setup.

  4. If you are configuring Security Connector to forward web traffic to SIA Proxy, see Configure HTTP Forwarder.
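The test in step 2.3 of the proxy chaining next steps can be scripted instead of checked by eye in a browser. The following shell script is an added example; it is not part of the Akamai documentation or the product, and the on-premises proxy address, the MITM CA common name and the domain names it uses are hypothetical placeholders that you replace with your own values. It connects to a host through the on-premises proxy, extracts the leaf certificate the client actually sees, and reports whether the issuer is your SIA MITM CA (the request reached SIA Proxy and was decrypted) or some other CA (the domain was not intercepted, for example because it is a bypass domain or an incompatible domain that bypasses the proxy).

```shell
#!/usr/bin/env bash
# Added example (not Akamai's code): verify that web traffic chained through an
# on-premises proxy is TLS-intercepted by the SIA MITM CA, and that bypass
# domains are not. All values below are hypothetical placeholders.
ONPREM_PROXY="${ONPREM_PROXY:-onprem-proxy.example.internal:3128}"   # assumed
MITM_CA_CN="${MITM_CA_CN:-Example SIA MITM CA}"                        # assumed

# Print, as PEM, the leaf certificate presented for host $1 when connecting
# through proxy $2. The -proxy option needs OpenSSL 1.1.0 or later.
leaf_cert_via_proxy() {
  local host=$1 proxy=$2
  openssl s_client -proxy "$proxy" -connect "$host:443" -servername "$host" \
    </dev/null 2>/dev/null | openssl x509 -outform PEM
}

# Print the issuer DN of the PEM certificate in file $1, without the
# "issuer=" prefix that openssl x509 adds.
issuer_of() {
  openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# Return 0 when the PEM certificate in file $1 was issued by a CA whose DN
# contains CN=$2, i.e. when the TLS session was intercepted by that CA.
# Both "CN = x" (OpenSSL 1.1/3) and "/CN=x" (older OpenSSL) DN styles match.
is_intercepted() {
  local pem=$1 ca_cn=$2
  case "$(issuer_of "$pem")" in
    *"CN = $ca_cn"*|*"CN=$ca_cn"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify host $1 as intercepted or not, based on the issuer of the
# certificate seen through the on-premises proxy.
check_host() {
  local host=$1 tmp
  tmp=$(mktemp)
  leaf_cert_via_proxy "$host" "$ONPREM_PROXY" >"$tmp"
  if is_intercepted "$tmp" "$MITM_CA_CN"; then
    echo "$host: intercepted by '$MITM_CA_CN' (traffic reaches SIA Proxy)"
  else
    echo "$host: NOT intercepted, issuer: $(issuer_of "$tmp")"
  fi
  rm -f "$tmp"
}

# Live run (needs the proxy chain in place): pass one or more hostnames, e.g.
#   ONPREM_PROXY=proxy.corp.example:3128 ./check_chain.sh monitored.example.com bypassed.example.com
for h in "$@"; do check_host "$h"; done
```

Run it once against a domain you placed on the monitored custom list and once against a domain that should bypass SIA Proxy; the first should report the MITM CA and the second should report a public CA. If both report a public CA, the on-premises proxy is not forwarding to SIA Proxy or the policy has not been deployed; if both report the MITM CA, check the bypass configuration.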