ETP Client for web traffic

With ETP Client, you can:

  • Direct all web traffic to ETP Proxy and scan it for malware. The client supports users who are on or off the corporate network.

  • Provide SSO to all applications on the client computer after a user authenticates to access websites or applications on the web. This configuration is based on ETP policy and IdP settings. ETP Client also authenticates devices to ETP Proxy. As a result, HTTP traffic from a specific device is tied to the user’s identity. For more information, see Authentication policy.

  • Split traffic to ensure that users can directly access websites on the local network and these requests are not forwarded to ETP Proxy.

  • Bypass ETP Proxy for traffic that is covered by an exception list with a bypass action in a policy, or by an internal network configuration in ETP. ETP Client sends this traffic directly to its destination. Akamai also maintains a list of traffic that is not directed to ETP Proxy for compliance and performance reasons. For more information, see Bypass list.

  • Enable walled garden. You can use ETP Client to block all traffic when it’s in an unprotected state. This setting blocks all traffic except for the domains and IP addresses that are configured as exceptions in the ETP network configuration. This feature is enabled in the policy and applies to the desktop client. For more information on configuring walled garden exceptions, see Configure walled garden exceptions.

As part of the setup for ETP Client, you enable the proxy and perform the setup that’s required for the proxy such as generating or uploading the MITM certificate in ETP for TLS decryption. For more information, see Set up ETP Proxy.

To forward all web traffic to ETP Client, you can configure ETP Client as a local web proxy on the user’s machine or you can configure it as a transparent proxy that intercepts traffic.

Local web proxy

From a policy or in the ETP Client configuration settings, you can configure ETP Client as the local web proxy on the user’s device. When one of these settings is enabled, ETP Client modifies the local proxy settings on the user’s device to make it the proxy. This allows the client to forward all traffic to ETP Proxy.

In a policy, this setting is called Overwrite Device Proxy Settings. When Yes is selected, ETP Client overwrites the device’s web proxy settings. When the Only if there’s no local proxy option is selected, it overwrites them only if no local proxy is configured. This setting applies to all clients that are associated with the policy, and it takes precedence over the client configuration setting.

In the ETP Client configuration, an administrator can select the Configure ETP Client as local computer web proxy setting and further modify the proxy port if needed. By default, ETP Client listens for traffic on port 8080. If this port is used by another process in your network, you can enter a new port into this field.

📘

If you selected Yes for Overwrite Device Proxy Settings or enabled Configure ETP Client as local computer web proxy, and later disable the setting by selecting No, ETP Client does not restore the proxy settings that were on the device before. The client does not save the previous settings, so they must be reconfigured manually.

Transparent traffic interception

In the ETP Client configuration, you can enable the Transparent traffic interception setting to have ETP Client intercept and capture traffic without modifying browser or operating system settings. This allows ETP Client to act as a transparent proxy.

On Windows, ETP Client 4.1 and later automatically installs a driver that allows ETP Client to securely capture traffic. ETP Client then forwards DNS traffic to ETP resolvers and web traffic to ETP Proxy.

📘

This feature is in beta. It's currently supported on Windows 11 and Windows 10 (64-bit version).

If ETP Client was previously set to modify the local web proxy settings, enabling this setting reverts the local web proxy to its previous state, in which no local web proxy is configured.

When using ETP Client with transparent traffic interception, note the following:

  • If your organization uses Enterprise Application Access (EAA) Client, add the destination IP addresses or CIDR ranges of any client-based application that you don’t want scanned by the proxy to the ETP Network Configuration. By default, the private address ranges defined in RFC 1918 and RFC 4193 are included in the ETP network configuration.

  • Browser sessions that were open while the client was in an unprotected state will remain open even if the client returns to a protected state.

  • If there is a system crash on a Windows machine (blue screen error), ETP Client disables itself for three minutes.

  • If a Windows machine already has an Npcap version earlier than 0.9988 installed, ETP Client cannot redirect traffic because of a known issue in Npcap. In this situation, ETP Client disables itself on the machine.

Additional requirements for ETP Client

To use ETP Client in your network, make sure these conditions apply:

  • ETP Client locations on the corporate network are configured in ETP. This includes public IP addresses of all exit points or gateways in the corporate network. These addresses allow ETP to identify the location where traffic is coming from and apply the policy that corresponds to this location.

  • When ETP Client is off the corporate network and connects from an IP address that is not configured as a location in ETP, the predefined Off Network ETP Clients location applies. The same happens when a user is visiting another organization’s network: ETP Client applies the policy of the user’s own corporate network, not the policy of the visited network, so the policy associated with the Off Network ETP Clients location in the user’s corporate network takes effect.

  • Configure the DNS suffixes and the IPv4 and IPv6 address ranges of internal corporate network resources and websites in the ETP Network Configuration. ETP Client sends traffic to these destinations directly, bypassing ETP Proxy. If your organization also uses Enterprise Application Access (EAA), you can also provide the hostnames of EAA applications.

    Similarly, you can create an exception list with the domains and IP addresses that you want to bypass ETP Proxy, and then assign this list to an ETP policy. For more information, see Add a custom exception list.

  • On Windows machines where ETP Client will be installed, make sure Web Proxy Auto-Discovery (WPAD) for WinHTTP is running. For more information, see Web Proxy Auto-Discovery (WPAD) on Windows.

  • Harden devices in your network to prevent users from changing proxy settings.

  • Do not enable authentication on ETP Client devices that are shared by more than one user. After a user authenticates on a client device, ETP Client grants SSO to applications and websites based on that user’s identity, so every other user of the device would inherit that identity.

  • Enable ETP Proxy in the policy associated with the Off Network ETP Clients location.

  • In addition to installing ETP Client on user computers, laptops, and supported mobile devices, you can also install it on server machines.

  • If another proxy is deployed between ETP Client and the on-premises proxy, do not configure that intermediate proxy with the TLS MITM certificate. Avoiding a second TLS interception point improves performance.

📘

The default settings of the Mozilla Firefox and Microsoft Edge browsers may not work with ETP Client:

  • Mozilla Firefox does not automatically use the proxy settings on the user's device. If you configure ETP Client as a local web proxy or you set up proxy chaining, you need to configure Firefox to use the system proxy settings. For more information, see Configure Mozilla Firefox to use system proxy settings.

  • By default, Windows does not allow Universal Windows Platform (UWP) apps such as Microsoft Edge to communicate with a network server that is listening on localhost. When ETP Client acts as the local proxy, communication with localhost is necessary. To allow Edge to use ETP Client when ETP Proxy is enabled, see Allow ETP Client connections on Microsoft Edge.
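The local web proxy settings, the requirements list and the browser note above each describe a condition on the Windows endpoint that an administrator can verify before rollout. The following script is an added example, not Akamai’s code or part of ETP Client: it checks the WinINET proxy settings that ETP Client rewrites, whether another process already listens on the default port 8080, the state of the WPAD service for WinHTTP (WinHttpAutoProxySvc), whether proxy changes are locked by the standard Windows “Prevent changing proxy settings” policy, the installed Npcap version against the 0.9988 minimum, and whether UWP Edge has a loopback exemption. The registry paths, service name and Edge package family name are standard Windows locations assumed here, not ETP settings.

```powershell
# Added example (not Akamai's code): pre-deployment checks for the ETP Client
# requirements on this page. Run in an elevated PowerShell on the Windows endpoint.
# Port 8080 is the default from the page; registry paths, the WinHttpAutoProxySvc
# service and the Edge package family name are standard Windows items (assumptions).

$EtpProxyPort = 8080   # default ETP Client listener port; change if you set another one

function Get-WinInetProxy {
    # Per-user WinINET settings that ETP Client rewrites when it is the local web proxy.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProxyEnable   = [bool]$p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        ProxyOverride = $p.ProxyOverride
    }
}

function Get-PortListeners {
    # Another listener on the port means ETP Client cannot bind it (page: pick a new port).
    param([int]$Port = $EtpProxyPort)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{ LocalAddress = $_.LocalAddress; Port = $_.LocalPort; Process = $proc.ProcessName }
        }
}

function Get-WpadService {
    # Requirement: WPAD for WinHTTP must be running (service WinHttpAutoProxySvc).
    $svc = Get-Service -Name WinHttpAutoProxySvc -ErrorAction SilentlyContinue
    [pscustomobject]@{ Present = [bool]$svc; Status = $svc.Status; StartType = $svc.StartType }
}

function Test-ProxyChangeLocked {
    # Hardening check: the "Prevent changing proxy settings" policy writes Proxy=1 here.
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel',
             'HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'
    foreach ($path in $paths) {
        $v = (Get-ItemProperty -Path $path -Name Proxy -ErrorAction SilentlyContinue).Proxy
        if ($v -eq 1) { return $true }
    }
    return $false
}

function Get-NpcapVersion {
    # Transparent interception caveat: Npcap earlier than 0.9988 makes the client disable itself.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.DisplayName -like 'Npcap*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

function Test-EdgeLoopbackExempt {
    # UWP Edge needs a network-isolation loopback exemption to reach a localhost proxy.
    # Package family name of the legacy (UWP) Edge; assumption for this example.
    $pfn = 'Microsoft.MicrosoftEdge_8wekyb3d8bbwe'
    $out = & CheckNetIsolation.exe LoopbackExempt -s 2>&1
    return (($out | Out-String) -match [regex]::Escape($pfn))
}

# Report
$proxy = Get-WinInetProxy
"WinINET proxy: enabled=$($proxy.ProxyEnable) server=$($proxy.ProxyServer) bypass=$($proxy.ProxyOverride)"
if ($proxy.ProxyEnable -and $proxy.ProxyServer -notmatch "(127\.0\.0\.1|localhost):$EtpProxyPort") {
    "  NOTE: device proxy is not ETP Client on port $EtpProxyPort (expected with proxy chaining or transparent interception)"
}
$listeners = Get-PortListeners
if ($listeners) { "Port $EtpProxyPort listeners: " + (($listeners | ForEach-Object { "$($_.Process) on $($_.LocalAddress)" }) -join ', ') }
else            { "Port $EtpProxyPort: free" }
$w = Get-WpadService
"WinHttpAutoProxySvc: present=$($w.Present) status=$($w.Status) startType=$($w.StartType)"
"Proxy settings locked by policy: $(Test-ProxyChangeLocked)"
$npcap = Get-NpcapVersion
if ($npcap) { "Npcap $npcap installed; meets 0.9988 minimum: $([version]$npcap -ge [version]'0.9988')" }
else        { "Npcap: not installed (only relevant for transparent traffic interception)" }
"Edge (UWP) loopback exempt: $(Test-EdgeLoopbackExempt)"
```

A device proxy that is not 127.0.0.1:8080 is not an error by itself: in the proxy-chaining scenario described under Network flow, ETP Client deliberately leaves the enterprise proxy in place, and in transparent interception mode no local proxy is configured at all. Treat the port check as the one that must pass before enabling Configure ETP Client as local computer web proxy.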

Network flow

These graphics show how ETP Client behaves when the forward proxy setting is enabled in a policy. They illustrate the network flow when there’s no on-premises proxy and when there is an on-premises proxy.

ETP Client in a network without on-premises proxy

In this scenario, ETP Client is configured as the local web proxy on the device where the client is installed or it’s configured for transparent traffic interception:

In this graphic:

  1. Traffic to local websites is split from remote traffic. Based on the network configuration in ETP, requests to internal websites go directly to their destination.

  2. ETP Client checks whether some remote websites should bypass the proxy.

  3. ETP Client directs web traffic that’s configured to bypass ETP Proxy to its destination. These domains and IP addresses were configured in an exception list and assigned to a policy with the bypass policy action.

  4. Web traffic that is not specifically defined in an exception list or in the ETP Network Configuration is directed to ETP Proxy for analysis.
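The four steps above define a precedence: internal destinations from the ETP Network Configuration go direct, then exception-list bypass entries go direct, and everything else goes to ETP Proxy. The following is an added example, not Akamai’s code and not ETP Client’s actual matching logic: a model of that decision that can be run against a draft network configuration and exception list to see which destinations would be scanned. The internal ranges include the RFC 1918 and RFC 4193 defaults mentioned on this page; the remaining ranges, suffixes, bypass entries and test destinations are constructed, and treating “matches a configured domain” as exact host or subdomain match is an assumption.

```powershell
# Added example (not Akamai's code): a model of the split-tunnel decision in the
# flow above. Precedence (internal network config -> exception list bypass -> ETP Proxy)
# follows the page; the client's exact matching rules are not documented here (assumption).

# Internal corporate resources (ETP Network Configuration). RFC 1918 / RFC 4193 ranges are
# present by default per the page; 203.0.113.0/24 and the suffixes are constructed.
$InternalCidrs    = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', 'fc00::/7', '203.0.113.0/24')
$InternalSuffixes = @('corp.example', 'intra.example')
# Exception list assigned to the policy with the bypass action (constructed).
$BypassDomains = @('updates.example.net')
$BypassIps     = @('198.51.100.10')

function Test-InCidr {
    # Prefix match over raw address bytes, so IPv4 and IPv6 are handled the same way.
    param([string]$Ip, [string]$Cidr)
    $net, $len = $Cidr -split '/'
    $ipB  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netB = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipB.Length -ne $netB.Length) { return $false }   # IPv4 never matches an IPv6 range
    $bits = [int]$len
    for ($i = 0; $i -lt $ipB.Length -and $bits -gt 0; $i++) {
        $take = [Math]::Min(8, $bits)
        $mask = (0xFF -shl (8 - $take)) -band 0xFF
        if (($ipB[$i] -band $mask) -ne ($netB[$i] -band $mask)) { return $false }
        $bits -= $take
    }
    return $true
}

function Test-DomainMatch {
    # Exact host or any subdomain of a configured suffix/domain (assumed rule).
    param([string]$HostName, [string[]]$Domains)
    foreach ($d in $Domains) {
        if ($HostName -eq $d -or $HostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Resolve-EtpRoute {
    # Where the client sends a request for $Destination (hostname or literal IP).
    param([string]$Destination)
    if ([System.Net.IPAddress]::TryParse($Destination, [ref]$null)) {
        # Step 1: internal address ranges from the network configuration go direct.
        if ($InternalCidrs | Where-Object { Test-InCidr $Destination $_ }) { return 'Direct (internal network configuration)' }
        # Steps 2-3: exception list entries with the bypass action go direct.
        if ($BypassIps -contains $Destination) { return 'Direct (exception list bypass)' }
    } else {
        if (Test-DomainMatch $Destination $InternalSuffixes) { return 'Direct (internal network configuration)' }
        if (Test-DomainMatch $Destination $BypassDomains)    { return 'Direct (exception list bypass)' }
    }
    # Step 4: everything else is forwarded to ETP Proxy for analysis.
    return 'ETP Proxy (scanned)'
}

# Constructed destinations covering each branch
foreach ($d in 'wiki.corp.example', '10.20.30.40', 'fd12::1', 'cdn.updates.example.net',
               '198.51.100.10', 'www.example.com', '8.8.8.8') {
    '{0,-26} -> {1}' -f $d, (Resolve-EtpRoute $d)
}
```

Two things the model makes visible that the bullet list does not: a hostname that resolves to an internal address is only split off if its DNS suffix or its resolved address is configured (the model checks whichever form the request used), and an overly broad exception-list suffix silently removes every subdomain from scanning, which is worth reviewing before the list is assigned to a policy.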

ETP Client in a network with an existing on-premises proxy

In this scenario, ETP Client is not configured as the local web proxy on the device where the client is installed. This occurs when the Configure ETP Client as local computer web proxy setting is set to None, or when the Only if there’s no local proxy option is selected and a proxy already exists. Transparent traffic interception is also not enabled.

Depending on whether the on-premises proxy forwards traffic to ETP Proxy, ETP Client shows a protected or not protected status as shown in this graphic:

Protected by local network

This flow applies:

  1. ETP Client sends requests to the enterprise proxy. ETP Client allows the enterprise proxy to decide whether requests to internal websites or resources are handled by the enterprise proxy or by ETP Client.
  2. In this scenario, ETP Client does not overwrite local web proxy settings. As a result, ETP Client probes the enterprise proxy to determine what status to show. The protected status appears because proxy chaining is configured and the enterprise proxy forwards traffic to ETP Proxy.

Not Protected

In this situation, ETP Client still forwards requests to the enterprise proxy, but it shows the Not Protected status because the enterprise proxy does not forward the requests to ETP Proxy:

When ETP Client is not configured to overwrite the local web proxy settings and transparent traffic interception is not enabled, the client probes ETP Proxy through the enterprise proxy to determine what status to show. The status indicates that the user’s device is not protected because proxy chaining is not set up.

For more information on the statuses, see ETP Client on desktop computers and machines.

