Enable selective proxy

Before you begin

Create certificates and distribute the certificates to devices and TLS clients on your network. For more information, see SIA Proxy MITM certificate.

Complete this procedure to enable the selective proxy. The selective SIA Proxy analyzes risky web traffic.

To enable selective proxy:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Policies.

  2. If you are adding a new policy:

    1. On the Policies page, click the plus sign icon.

    2. Enter a name and description for the policy in the Name and Description fields.

    3. In the Policy Type menu, select DNS + Proxy.

    4. To configure a policy with settings from a predefined template, select one of these templates and click Continue:

      • Strict. Contains settings that block known and most suspected threat categories. Select this template to apply settings that are a best practice for a policy.

      • Monitor-only. Logs and reports threats but it does not block them. This template is ideal for testing or assessing policy impact before using the Strict template. This template assigns the monitor policy action to all known and suspected threat categories.

      • Custom. Lets you define policy actions for known and suspected threats.

    5. To assign a location or sub-location, click the link icon for locations or sub-locations, and select one or more. Then click Associate.

  3. If you are modifying a policy, click the name of the policy that you want to edit or click the edit icon that appears when you hover over the policy.

  4. Click the Settings tab.

  5. In the Proxy Settings section, complete the steps for these fields.

    1. Policy Type. Make sure DNS + Proxy is enabled.

    2. Bypass Microsoft 365 Traffic. Toggle on to bypass traffic to Microsoft 365 apps and services. Your organization needs to be licensed for SIA Advanced Threat to use this feature.

    3. Local Breakout for Bypass Domains. Disable this option only if your network has no default route to the Internet, and it cannot directly access origins that are configured for bypass.

  6. In the Payload Analysis section, complete the steps for these fields:

    1. Enable Inline Payload Analysis. Toggle on to scan files that are up to 5 MB before they are downloaded.

    2. Block Unscannable Files. Toggle on if you want to block files that cannot be scanned with SIA Proxy as part of inline payload analysis.

    3. Block On Upload Scan Timeout. Toggle on if you want to block requests that cause scanning to take longer than expected. Note: This setting applies to DLP and File Type blocking.

  7. In the Other Settings area, enable the Forward Public IP to Origin toggle to forward the user's public IP address to authoritative DNS servers and web servers. This setting identifies the geolocation of clients. If you enabled the Bypass Microsoft 365 Traffic option, make sure you also enable this setting.

  8. If you've installed ETP Client on devices in your network, you can complete the steps for these fields:

    1. Disable Client. Enable this option to disable the client in the locations that are associated with the policy.

    2. Avoid Local DNS Resolvers. Enable this option to have ETP Client query the local DNS resolver only for domains that are configured on the Local Bypass Settings page. All other traffic is directed to SIA instead of the local resolver. To configure the domains that you prefer to bypass SIA, see Configure local bypass settings.

    Note: It's recommended that you don't enable this setting when the client is on the network. When the client is on the network, local traffic should be directed to the local resolvers.

    3. DNS-over-TLS Mode. Defines whether ETP Client uses DNS over TLS (DoT) to protect DNS traffic it forwards to SIA. Select one of these modes:

      • Attempt. Indicates ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS.

      • Required. Indicates that DoT is required. If DoT is not available, DNS traffic is directed from ETP Client to the local DNS resolver.

      • Disabled. Indicates that DoT is not used to secure DNS traffic from ETP Client.

    4. DNS-over-TLS Port. Select the port that's used for DoT connections.
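The three DNS-over-TLS modes above differ only in what happens when DoT cannot be established. The following is an added example, not code from the SIA documentation or from ETP Client, showing how a client-side resolver would implement that decision: it builds a real DNS query, uses the RFC 7858 length-prefixed TLS framing for DoT, and falls back exactly as each mode describes. The port numbers (TCP 853 for DoT, UDP 53 for plain DNS), the resolver addresses and the injectable `dot_send`/`plain_send` transports are assumptions made so the logic can be exercised offline; the mode names and fallback behaviour come from the page.

```python
import socket
import ssl
import struct

# Assumed port numbers (not from the page): DoT on TCP 853 (RFC 7858), plain DNS on UDP 53.
DOT_PORT = 853
PLAIN_PORT = 53


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (RFC 1035): header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(packet: bytes) -> bytes:
    """DNS over TCP/TLS prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(packet)) + packet


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes from a stream socket (TLS records may arrive in pieces)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before the full DNS message arrived")
        buf += chunk
    return buf


def send_dot(server: str, port: int, packet: bytes, cafile=None, timeout: float = 3.0) -> bytes:
    """Send one query over DNS-over-TLS: validated TLS session plus TCP framing."""
    ctx = ssl.create_default_context(cafile=cafile)  # verifies the server certificate and hostname
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server) as tls:
            tls.sendall(frame_for_tcp(packet))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def send_plain(server: str, port: int, packet: bytes, timeout: float = 3.0) -> bytes:
    """Send one query as plain, unencrypted DNS over UDP."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(packet, (server, port))
        return udp.recv(4096)


def resolve(name, mode, sia_resolver, local_resolver, dot_send=send_dot, plain_send=send_plain):
    """Apply the policy's DNS-over-TLS Mode to one query.

    Returns (transport_used, raw_response). Following the mode descriptions:
      Attempt  - try DoT to SIA; if DoT is unavailable, fall back to plain DNS to SIA.
      Required - DoT to SIA; if DoT is unavailable, send plain DNS to the local resolver.
      Disabled - never use DoT; plain DNS to SIA.
    dot_send / plain_send are injectable so the decision logic can be tested offline.
    """
    if mode not in ("Attempt", "Required", "Disabled"):
        raise ValueError(f"unknown DNS-over-TLS mode: {mode!r}")
    packet = build_query(name)
    if mode == "Disabled":
        return ("plain:sia", plain_send(sia_resolver, PLAIN_PORT, packet))
    try:
        return ("dot:sia", dot_send(sia_resolver, DOT_PORT, packet))
    except OSError:  # refused, timed out, or ssl.SSLError (a subclass of OSError)
        if mode == "Attempt":
            return ("plain:sia", plain_send(sia_resolver, PLAIN_PORT, packet))
        return ("plain:local", plain_send(local_resolver, PLAIN_PORT, packet))


if __name__ == "__main__":
    # Offline demonstration with constructed transports in which DoT is unreachable.
    def dot_down(server, port, packet):
        raise OSError("DoT endpoint unreachable")

    def plain_ok(server, port, packet):
        return b"constructed-response-from-" + server.encode()

    for mode in ("Attempt", "Required", "Disabled"):
        print(mode, resolve("example.com", mode, "sia-resolver.example", "10.0.0.53",
                            dot_send=dot_down, plain_send=plain_ok))
```

The point to notice for monitoring is the Required branch: when DoT is down, queries leave the device in clear text to the local resolver rather than to SIA, so a sudden rise in plain-DNS traffic from managed endpoints is the signal that the DoT path has failed.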

  9. To define policy actions for a threat category, click the Threat tab, then complete the action based on these threat types:

    1. Known. If you want to assign the same policy action to all known threat categories, select an action in the Action column. Otherwise, make sure the Known option is expanded to show the threat categories.

      • For each threat category, select an action. For more information, see Policy actions.

      • If you select Block, select a specific response to the user. The Response to User column is available when the Block action is selected.

      • If Error Page is selected and you want to direct traffic to Security Connector, select a security connector in the Security Connector field. Otherwise, select None.

    2. Suspected. If you want to assign the same policy action to all suspected threat categories, select an action in the Action column. Otherwise, make sure the Suspected option is expanded to show the threat categories, and select an action for the individual categories.

  10. Click the Access Control tab and complete these steps:

    1. Click the AUP & Shadow IT tab.

    2. Select Selective Proxy as the Operating Mode and as the mode for mobile devices. Complete the steps described in Configure application visibility and control.

    3. Click the DLP tab and complete the steps described in Select user and group exceptions for DLP scanning and Assign a DLP dictionary to a policy.

    4. If you want to block or monitor the download or upload of specific file types, click the File Types tab and follow the instructions described in Access by file type.

  11. To assign a list to a policy, see Add a block list to a policy and Add an exception list to a policy.

  12. To configure Firewall rules, click the Firewall tab and complete the steps in Create firewall rules.

  13. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next steps

If you haven't deployed the policy, make sure you deploy it to the SIA network. For instructions, see Deploy configuration changes.