ETP Client for DNS only
You can configure ETP Client to forward DNS traffic when these conditions apply:
- SIA Proxy is enabled as a selective proxy.
- SIA Proxy is not enabled. In this situation, ETP Client forwards only DNS traffic to SIA.
Regardless of configuration, SIA policy is applied to DNS requests that are made on devices inside and outside the corporate network.
After ETP Client is installed, it changes the system's DNS settings and, if configured to do so, the proxy settings so that traffic is directed to the localhost (127.0.0.1). This configuration allows ETP Client to act as a DNS proxy. As a result, all DNS traffic is directed to ETP Client for resolution.
ETP Client allows or blocks traffic based on SIA policy and its associated locations. If a policy is configured to redirect traffic to Enterprise Security Connector or a custom response, ETP Client may also redirect traffic to the IP address of Security Connector or the custom response.
To use ETP Client in your network, make sure these conditions apply:
- ETP Client locations on the corporate network are configured in SIA. This includes public IP addresses of all exit points or gateways in the corporate network. These addresses allow SIA to identify the location where traffic is coming from and apply the policy that corresponds to this location.
- When ETP Client is off the corporate network and connects from an IP address that is not configured as a location in SIA, the policy for the Off Network Client Policy setting is applied.
You can also configure ETP Client to resolve internal domains with the DNS resolver on the corporate network. This is done without querying SIA DNS and requires that administrators specify corporate domain suffixes in the client configuration.
In some networks, depending on whether a client is connecting from inside or outside the network, a split-horizon DNS topology is used to ensure that domains resolve to different public and private IP addresses. You can specify your internal corporate network IPv4 and IPv6 address ranges and DNS suffixes, which ETP Client prefers in case a split DNS domain resolves to multiple IP addresses with different DNS resolvers.
Security software such as a network firewall or adware and spyware removal programs may attempt to block ETP Client. To avoid this issue, access the settings of these programs and identify ETP Client as a safe or allowed application. Also, if client computers have software installed that anonymizes DNS proxies, make sure you remove this software, because it likely bypasses SIA policy.
When an end user requests a domain:
- Requests are forwarded to the closest Akamai SIA DNS server. If DoT is enabled, these requests are encrypted with TLS.
- If the request is a threat, it's blocked or forwarded to Enterprise Security Connector or a custom response based on policy configuration. The policy configuration determines the specific policy action that's applied. These requests are not forwarded to local DNS resolvers.
- If no threat is detected, SIA allows the request. The client forwards the request to the corporate (local) DNS resolver for resolution. Requests to websites in the internal network (as defined in the local bypass settings) are first resolved by the corporate resolver.
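The request flow above, together with the local-bypass suffixes and split-horizon address preference described earlier, modelled as an added Python example (this is not Akamai code). The resolver tables, the policy function and the block-page address are constructed stand-ins, and the order of the three checks follows the page's description:

```python
import ipaddress
from dataclasses import dataclass

# Constructed placeholder for the address a blocked query resolves to (error page).
BLOCK_PAGE_IP = "203.0.113.10"


@dataclass
class ClientConfig:
    corporate_suffixes: list   # internal domain suffixes, e.g. ["corp.example"]
    internal_ranges: list      # internal IPv4/IPv6 ranges, e.g. ["10.0.0.0/8"]


def is_internal_name(name, cfg):
    """True if the name falls under a configured corporate DNS suffix."""
    n = name.lower().rstrip(".")
    return any(n == s or n.endswith("." + s) for s in cfg.corporate_suffixes)


def is_internal_addr(addr, cfg):
    """True if the address lies inside a configured internal range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in cfg.internal_ranges)


def prefer_internal(local, remote, cfg):
    """Split-horizon tie-break: internal addresses win, then the corporate
    resolver's answer, then the SIA answer as the fallback."""
    internal = [a for a in local + remote if is_internal_addr(a, cfg)]
    return internal or local or remote


def resolve(name, cfg, sia_policy, sia_dns, corporate_dns):
    """Return (path, addresses) for one query.
    sia_policy: name -> "allow" | "block"        (stand-in for SIA policy)
    sia_dns, corporate_dns: name -> [addresses]  (stand-in resolvers)"""
    # 1. Local bypass: corporate suffixes go to the corporate resolver only
    #    and are never sent to SIA DNS.
    if is_internal_name(name, cfg):
        return ("corporate-only", corporate_dns.get(name, []))
    # 2. Everything else is sent to SIA DNS first so policy can be applied;
    #    a blocked name is never forwarded to the local resolver.
    if sia_policy(name) == "block":
        return ("blocked", [BLOCK_PAGE_IP])
    # 3. Allowed: the corporate (local) resolver answers first; SIA's
    #    answer is used when the local resolver has none.
    local = corporate_dns.get(name, [])
    remote = sia_dns.get(name, [])
    path = "corporate" if local else "sia"
    return (path, prefer_internal(local, remote, cfg))
```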
Before distributing ETP Client throughout your network, make sure you test ETP Client in an environment that contains the same network configuration, VPN, and security applications as production.
When the client sends queries to SIA, it sends the request to the closest SIA DNS server. SIA returns an IP address that is in the closest geolocation to the client, providing optimal DNS resolution performance.
Network flow
These sections describe how ETP Client resolves an allowed domain in different network topologies:
In all these scenarios, ETP Client provides optimal internet routing. For more information, see Optimized Internet routing.
In these scenarios, SIA Proxy is not enabled.
On corporate network
This graphic is an example of how ETP Client functions when it's on a corporate network:
These steps apply:
- Requests are directed to SIA DNS. If DNS over TLS is enabled, requests are encrypted with TLS.
- If a threat is detected, ETP Client handles the request based on the policy configuration. For example, if a threat category is assigned the block action with an error page response, the request is resolved to the IP address of the Website Access Prohibited error page. This page does not include any of the customization that is configured for error pages in SIA.
- If no threat is detected, requests are forwarded to the corporate (local) DNS resolver for resolution. Requests to websites in the internal network are first resolved by the corporate resolver. If a domain is not resolved by the corporate DNS resolver, it is resolved by SIA.
Off-corporate network
This graphic is an example of how ETP Client functions when it's running off the corporate network:
When the ETP Client is on a visiting network or off the corporate network, a similar network topology applies:
- Off-network requests are directed to SIA DNS. If DNS over TLS is enabled, requests are encrypted with TLS.
- If a threat is detected, ETP Client handles the request based on the policy configuration. For example, if a threat category is assigned the block action with a refused response as the response to users, the request is blocked and a browser-specific error page appears.
- If no threat is detected, requests are forwarded to the local DNS resolver for resolution. Requests to websites in the internal network are resolved by the local resolver. If a domain is not resolved by the local resolver, it is resolved by SIA.
If a user is visiting a network, ETP Client applies the policy of the user's corporate network. It does not apply the policy of the visiting network. In this case, the policy associated with the Off Network ETP Clients location in the user's corporate network takes effect.
Split VPN tunnel
This graphic shows ETP Client on a network with a split VPN tunnel. This scenario allows end users to securely access resources on a corporate and visited network, while also accessing the Internet through an existing local Internet breakout:
To configure a split VPN tunnel, you need to configure your VPN to allow connections to the localhost (127.0.0.1). See your VPN application's documentation for more information.
These steps apply:
- Requests are directed to SIA DNS. If DNS over TLS is enabled, requests are encrypted with TLS.
- If a threat is detected, ETP Client handles the request based on the policy configuration. For example, if a threat category is assigned the block action with a refused response as the response to users, the request is blocked and a browser-specific error page appears.
- If no threat is detected, requests are directed to the VPN. Through the VPN, requests are forwarded to the corporate DNS resolver. If requests are not resolved by the corporate DNS resolver, they are resolved by SIA.
Optimized Internet routing
This graphic shows how ETP Client sends requests to the SIA DNS server that is in the closest geographical region, even if the visited network has no local DNS resolver. Regardless of network topology, SIA returns the IP address of the origin server that is in geographical proximity to ETP Client:
For example, in this graphic, requests to the Internet are directed to the SIA DNS server that is in the closest geographical location to the Visited Network (Australia). SIA is then able to return an IP address of the origin that is local to this region, allowing ETP Client to connect to the closest origin server (for example, the Australian website).
Without ETP Client, requests would go to the resolver in the United States and return the US version of the website, resulting in the end user in Australia experiencing a slower and non-localized version of the website.