ETP Client for web traffic

With ‚ÄčETP Client‚Äč, you can:

  • Direct all web traffic to ‚ÄčSIA‚Äč Proxy and scan it for malware. The client supports users who are on or off the corporate network.

  • Provide SSO to all applications on the client computer after a user authenticates to access websites or applications on the web. This configuration is based on ‚ÄčSIA‚Äč policy and IdP settings. ‚ÄčETP Client‚Äč also authenticates devices to ‚ÄčSIA‚Äč Proxy. As a result, HTTP traffic from a specific device is tied to the user‚Äôs identity. For more information, see Authentication policy.

  • Split traffic to ensure that users can directly access websites on the local network and these requests are not forwarded to ‚ÄčSIA‚Äč Proxy.

  • If an exception list with a bypass action is configured in a policy or you configured local bypass settings, ‚ÄčETP Client‚Äč directs this traffic to its destination. ‚ÄčAkamai‚Äč also maintains a list of traffic that‚Äôs not directed to ‚ÄčSIA‚Äč Proxy for compliance and performance reasons. For more information, see Bypass list.

  • Enable walled garden. You can use ‚ÄčETP Client‚Äč to block all traffic when it‚Äôs in an unprotected state. This setting blocks all traffic except for the domains and IP addresses that are configured as exceptions in the Local Bypass Settings. This feature is enabled in the policy and applies to the desktop client. For more information on configuring walled garden exceptions, see Configure walled garden exceptions.

  • Support multiple users on the same device. Version 4.4.0 on Windows provides additional support when multiple users share the same device. For example, you can use ‚ÄčETP Client‚Äč on a device that‚Äôs set up as a kiosk. After a new user accesses the device, there may be a short period of time where ‚ÄčETP Client‚Äč has not yet synchronized with the identity provider to identify the user and grant access. Version 4.4.0 offers login and logout buttons. This allows the previous user to log out and the new user to log in. A user enters Login Portal credentials to access the network resources you‚Äôve permitted through the identity provider and the ‚ÄčSIA‚Äč policy configuration. To enable this feature, contact your ‚ÄčAkamai‚Äč representative.

As part of the setup for ‚ÄčETP Client‚Äč, you enable the proxy and perform the setup that‚Äôs required for the proxy such as generating or uploading the MITM certificate in ‚ÄčSIA‚Äč for TLS decryption. For more information, see Set up ‚ÄčSIA‚Äč Proxy.

To forward all web traffic to ‚ÄčETP Client‚Äč, you can configure ‚ÄčETP Client‚Äč as a local web proxy on the user‚Äôs machine or you can configure it as a transparent proxy that intercepts traffic.

Local web proxy

From a policy or in the ‚ÄčETP Client‚Äč configuration settings, you can configure ‚ÄčETP Client‚Äč as the local web proxy on the user‚Äôs device. When one of these settings is enabled, ‚ÄčETP Client‚Äč modifies the local proxy settings on the user‚Äôs device to make it the proxy. This allows the client to forward all traffic to ‚ÄčSIA‚Äč Proxy.

In a policy, this setting is called Overwrite Device Proxy Settings. It modifies the local web proxy when Yes is selected. It also modifies the proxy settings when there’s no local proxy configured and the Only if there’s no local proxy option is selected. This setting applies to all clients that are associated with the policy. It also takes precedence over the client configuration setting.

In the ‚ÄčETP Client‚Äč configuration, an administrator can select the Configure ‚ÄčETP Client‚Äč as local computer web proxy setting and further modify the proxy port if needed. By default, ‚ÄčETP Client‚Äč listens for traffic on port 8080. If this port is used by another process in your network, you can enter a new port into this field.

ūüďė

If you selected Yes to Overwrite Device Proxy Settings or Configure ‚ÄčETP Client‚Äč as a local computer web proxy and then decide to disable the setting by selecting No, ‚ÄčETP Client‚Äč does not save and restore the previous proxy settings that were on the device. These settings will also overwrite any PAC file configuration that's set in the browser or device.

Transparent traffic interception

In the ‚ÄčETP Client‚Äč configuration, you can enable the Transparent Traffic Interception setting to have ‚ÄčETP Client‚Äč intercept and capture traffic without modifying browser or operating system settings. This allows ‚ÄčETP Client‚Äč to act as a transparent proxy.

On Windows, ‚ÄčETP Client‚Äč 4.1 or later automatically installs a driver that allows ‚ÄčSIA‚Äč Client to securely capture traffic. ‚ÄčETP Client‚Äč then forwards DNS traffic to ‚ÄčSIA‚Äč resolvers and web traffic to ‚ÄčSIA‚Äč Proxy. It's currently supported on Windows 11 and Windows 10.

On macOS, ‚ÄčETP Client‚Äč 4.3 or later uses the Apple Network Extension framework to intercept traffic. As you install or upgrade the client, you must allow ‚ÄčETP Client‚Äč Extensions to use the client and intercept traffic. While administrators are prompted to enable the client extensions after installation, you can enable them at any time in the Security & Privacy system preferences. The extensions are required to use version 4.3 or later of the client.

ūüďė

This feature is currently in beta on macOS.

If ‚ÄčETP Client‚Äč was previously set to modify the local web proxy settings, enabling transparent traffic interception will revert the local web proxy to its previous state where no local web proxy is configured.

When using ‚ÄčETP Client‚Äč with transparent traffic interception, note the following:

  • If your organization uses Enterprise Application Access (EAA) Client, make sure you add the destination IP address or CIDRs of any client-based application that you don‚Äôt want scanned by the proxy to the Local Bypass Settings. By default, the internal IP addresses that are part of RFC 1918 and RFC 4193 are added to the Local Bypass Settings.

  • Browser sessions that were open while the client was in an unprotected state will remain open even if the client returns to a protected state.

  • If there is a system crash on a Windows machine (blue screen error), ‚ÄčETP Client‚Äč disables itself for three minutes.

  • If a Windows machine is already using an Npcap version that is earlier than 0.9988, ‚ÄčETP Client‚Äč is not able to redirect traffic. This occurs as a result of a known issue in Npcap. In this situation, ‚ÄčETP Client‚Äč disables itself on the machine.

  • You can specify Windows applications that have traffic you don‚Äôt want directed to ‚ÄčETP Client‚Äč. For more information, see Configure local bypass settings.

Additional requirements for ‚ÄčETP Client‚Äč

To use ‚ÄčETP Client‚Äč in your network, make sure these conditions apply:

  • ‚ÄčETP Client‚Äč locations on the corporate network are configured in ‚ÄčSIA‚Äč. This includes public IP addresses of all exit points or gateways in the corporate network. These addresses allow ‚ÄčSIA‚Äč to identify the location where traffic is coming from and apply the policy that corresponds to this location.

  • When ‚ÄčETP Client‚Äč is off the corporate network and connects from an IP address that is not configured as a location in ‚ÄčSIA‚Äč, the pre-defined Off Network <‚ÄčETP Client‚Äč location is applied. Similarly, if a user is visiting a network, ‚ÄčETP Client‚Äč applies the policy of the user‚Äôs corporate network. It does not apply the policy of the visiting network. In this case, the policy associated with the Off Network ‚ÄčETP Client‚Äčs location in the user‚Äôs corporate network takes effect.

  • Configure the DNS suffixes and IPv4 and IPv6 addresses ranges of internal corporate network resources and websites. This is done in the Local Bypass Settings. ‚ÄčETP Client‚Äč directs traffic to these websites to their destination and in turn, bypasses ‚ÄčSIA‚Äč Proxy. If your organization also uses Enterprise Application Access (EAA), you can provide the hostnames of EAA applications.

    Similarly, you can create an exception list with the domains and IP addresses that you prefer bypass ‚ÄčSIA‚Äč Proxy. You can then assign this list to an ‚ÄčSIA‚Äč policy. For more information, see Add a custom exception list.

  • On Windows machines where ‚ÄčETP Client‚Äč will be installed, make sure Web Proxy Auto-Discovery (WPAD) for WinHTTP is running. For more information, see Web Proxy Auto-Discovery (WPAD) on Windows.

  • Harden devices in your network to prevent users from changing proxy settings.

  • Do not enable authentication on client devices that are shared by more than one user. Keep in mind that after a user authenticates on a client device, ‚ÄčETP Client‚Äč grants SSO to applications and websites based on that user‚Äôs identity.

  • Enable ‚ÄčSIA‚Äč Proxy in the policy associated with the Off Network ‚ÄčETP Client‚Äčs location.

  • In addition to installing ‚ÄčETP Client‚Äč on user computers, laptops, and supported mobile devices, you can also install it on server machines.

  • If there is another proxy deployed between ‚ÄčETP Client‚Äč and the on-premises proxy, make sure you don't configure this proxy with the TLS MITM certificate. Avoiding this improves performance.

ūüďė

The default settings on Mozilla Firefox and Microsoft Edge browsers may not support ‚ÄčETP Client‚Äč:

  • Mozilla Firefox does not automatically use the proxy settings on the user's device. If you configure ‚ÄčETP Client‚Äč as a local web proxy or you set up proxy chaining, you need to configure Firefox to use the system proxy settings. For more information, see Configure Mozilla Firefox to use system proxy settings.

  • By default, Microsoft does not allow Universal Windows Platform (UWP) apps such as Microsoft Edge to communicate with a network server that's listening on the localhost. When the proxy is enabled, communication with the localhost is necessary. To allow the use of Edge when ‚ÄčSIA‚Äč Proxy is enabled, see Allow ‚ÄčETP Client‚Äč connections on Microsoft Edge.

Network flow

These graphics show how ‚ÄčETP Client‚Äč behaves when the forward proxy setting is enabled in a policy. These graphics illustrate the network flow when there‚Äôs no on-premises proxy and when there's an on-premises proxy.

‚ÄčETP Client‚Äč in a network without on-premises proxy

In this scenario, ‚ÄčETP Client‚Äč is configured as the local web proxy on the device where the client is installed or it‚Äôs configured for transparent traffic interception:

In this graphic:

  1. Traffic to local websites is split from remote traffic. Based on the Local Bypass Settings in ‚ÄčSIA‚Äč, requests to internal websites go directly to their destination.

  2. ‚ÄčETP Client‚Äč checks whether some remote websites should bypass the proxy.

  3. ‚ÄčETP Client‚Äč directs web traffic that‚Äôs configured to bypass ‚ÄčSIA‚Äč Proxy to its destination. These domains and IP addresses were configured in an exception list and assigned to a policy with the bypass policy action.

  4. Web traffic that is not specifically defined in an exception list or in the Local Bypass Settings is directed to ‚ÄčSIA‚Äč Proxy for analysis.

‚ÄčETP Client‚Äč in a network with an existing on-premises proxy

In this scenario, ‚ÄčETP Client‚Äč is not configured as the local web proxy on the device where the client is installed. This occurs when the Configure ‚ÄčETP Client‚Äč as local computer web proxy setting is set to None or to the Only if there‚Äôs no local proxy option when there‚Äôs an existing proxy. Transparent traffic interception is also not enabled.

Depending on whether the on-premises proxy forwards traffic to ‚ÄčSIA‚Äč Proxy, ‚ÄčETP Client‚Äč shows a protected or not protected status as shown in this graphic:

Protected by local network

This flow applies:

  1. ‚ÄčETP Client‚Äč sends requests to the enterprise proxy. ‚ÄčETP Client‚Äč allows the enterprise proxy to decide whether requests to internal websites or resources are handled by the enterprise proxy or by ‚ÄčETP Client‚Äč.
  2. In this scenario, ‚ÄčETP Client‚Äč does not overwrite local web proxy settings. As a result, ‚ÄčETP Client‚Äč probes the enterprise proxy to determine what status to show. The protected status appears because proxy chaining is configured and the enterprise proxy forwards traffic to ‚ÄčSIA‚Äč Proxy.

Not Protected

In this situation, while ‚ÄčETP Client‚Äč forwards requests to enterprise proxy, it shows your device is NOT protected or unprotected status because the enterprise proxy does not forward the request to ‚ÄčSIA‚Äč Proxy:

When ‚ÄčETP Client‚Äč is not configured to overwrite local web proxy settings or transparent traffic interception is not enabled, the client probes ‚ÄčSIA‚Äč Proxy to determine what status to show. The status indicates the user‚Äôs device is not protected because proxy chaining is not set up.

For more information on the statuses, see ‚ÄčETP Client‚Äč on desktop computers and machines.