Set up on-premises proxy for the full web proxy

To enable the full web proxy, in addition to the settings you enable in SIA, you configure the on-premises proxy to forward traffic to SIA Proxy. SIA displays the SIA Proxy URL that you use to configure the on-premises proxy to send all traffic. You can also configure the on-premises proxy to include the X-Forwarded-For header in requests so that the originating client can be identified in SIA reporting.

You can require that SIA Proxy authorizes connections from the on-premises proxy. If you enable proxy authorization in a policy, you need to configure proxy credentials in SIA, and you need to configure these same proxy credentials in the on-premises proxy. For more information, see Proxy authorization.

If your local DNS resolver is not in the same office branch or network location as the on-premises proxy, the on-premises proxy directs traffic to the SIA Proxy that is nearest to the DNS resolver, which may not be the one nearest to the proxy itself. SIA Proxy is hosted on the Akamai Intelligent Edge Security Platform, which has many points of presence (PoPs). In this case, configure the on-premises proxy to use the SIA DNS servers as its DNS resolver. For more information about this setup, see the official documentation of the on-premises proxy. To review how this is configured on Squid 3.5 or later, see Configure Squid to forward traffic to SIA Proxy.

As part of this setup, confirm that this applies:

  • Local DNS resolvers forward requests to SIA to make sure that non-web traffic is protected by SIA.

  • Your enterprise firewall settings block clients or traffic that bypasses the on-premises proxy and SIA Proxy. For more information on configuring the firewall, see Configure your enterprise firewall.

  • Add the Enterprise CA root or Akamai MITM TLS CA certificate to the list of trusted certificates on your on-premises proxy. This is the same certificate that you deployed on enterprise computers for SIA Proxy.

To secure traffic between users and an on-premises proxy, make sure your enterprise follows these best practices:

  • Require user authentication on the on-premises proxy. This allows you to control and secure web access.

  • Use secure proxy configuration and detection methods on end user machines. For example, you can do this through the Group Policy on Windows. Do not use the Web Proxy Auto Discovery (WPAD) protocol or the Dynamic Host Configuration Protocol (DHCP). These protocols are prone to MITM attacks.

  • Generate and deploy a TLS certificate to the on-premises proxy and configure devices to connect to the enterprise proxy using TLS (for example, https://:8443) and not plain HTTP.

If your organization uses a proxy auto-configuration (PAC) file to direct internal traffic to its destination and external traffic to the on-premises proxy, see PAC file configuration.
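As an added example (not part of the Akamai documentation), the following PAC file implements the split described here: internal destinations go DIRECT, and everything else goes to the on-premises proxy over TLS, in line with the best practice above of not using plain HTTP to reach the proxy. The proxy host name, port and internal domain are constructed placeholders. The helper functions at the top are simplified stand-ins for the ones a browser's PAC engine provides (the stand-in isInNet only handles literal IP addresses and does no DNS lookup); they are there so the logic can be run and checked under Node.js, and would be omitted from a deployed PAC file.

```javascript
// Added example PAC file. Host names, port and address ranges are constructed placeholders.

// Stand-ins for browser-provided PAC helpers, so the script runs outside a browser.
function isPlainHostName(host) {
  // A single-label name such as "intranet" has no dot in it.
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // True when host ends with the given domain suffix (e.g. ".corp.example.internal").
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  // Dotted-quad to unsigned 32-bit integer.
  var p = ip.split(".");
  return ((parseInt(p[0], 10) << 24) | (parseInt(p[1], 10) << 16) |
          (parseInt(p[2], 10) << 8) | parseInt(p[3], 10)) >>> 0;
}

function isInNet(ip, net, mask) {
  // Simplified: only literal IPv4 addresses are checked, no DNS resolution.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return false;
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Constructed placeholders: the on-premises proxy, reached over TLS, and the internal domain.
var ENTERPRISE_PROXY = "HTTPS proxy.example.internal:8443";
var INTERNAL_DOMAIN = ".corp.example.internal";

function FindProxyForURL(url, host) {
  // Single-label names and hosts in the internal domain stay on the corporate network.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) {
    return "DIRECT";
  }
  // RFC 1918 ranges and loopback are internal destinations as well.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0") ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Everything else goes to the on-premises proxy, which forwards to SIA Proxy.
  // Deliberately no "; DIRECT" fallback: if the proxy is unreachable the browser
  // fails rather than silently bypassing SIA.
  return ENTERPRISE_PROXY;
}
```

The absence of a DIRECT fallback in the last return statement is the point worth checking in any PAC file you deploy: a fallback would let clients bypass both the on-premises proxy and SIA Proxy whenever the proxy is down, which is exactly the traffic the firewall rules above are meant to block.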