Set up on-premises proxy for the full web proxy

To enable the full web proxy, in addition to the settings you enable in SIA, you configure the on-premises proxy to forward traffic to SIA Proxy. SIA displays the SIA Proxy URL that you use to configure the on-premises proxy to send all traffic. You can also configure the on-premises proxy to include the X-Forwarded-For header in requests so that the originating client can be identified in SIA reporting.

You can require that SIA Proxy authorizes connections from the on-premises proxy. If you enable proxy authorization in a policy, you configure proxy credentials in SIA and configure these same proxy credentials in the on-premises proxy. For more information, see Proxy authorization.

If your local DNS resolver is not in the same branch office or network location as the on-premises proxy, the on-premises proxy directs traffic to the SIA Proxy that is nearest to the DNS resolver rather than to the proxy itself. SIA Proxy is hosted on the Akamai Intelligent Edge Security Platform, which has many points of presence (PoPs). In this case, configure the on-premises proxy to use the SIA DNS servers as its DNS resolver. For more information about this setup, see the official documentation of the on-premises proxy. To review how this is configured on Squid 3.5 or later, see Configure Squid to forward traffic to SIA Proxy.

As part of this setup, confirm that this applies:

  • Local DNS resolvers forward requests to SIA so that non-web traffic is also protected by SIA.

  • Your enterprise firewall settings block clients or traffic that bypasses the on-premises proxy and SIA Proxy. For more information on configuring the firewall, see Configure your enterprise firewall.

  • Add the enterprise CA root or Akamai MITM TLS CA certificate to the list of trusted certificates on your on-premises proxy. This is the same certificate that you deployed on enterprise computers for SIA Proxy.

To secure traffic between users and an on-premises proxy, make sure your enterprise follows these best practices:

  • Require user authentication on the on-premises proxy. This allows you to control and secure web access.

  • Use secure proxy configuration and detection methods on end user machines. For example, you can do this through the Group Policy on Windows. Do not use the Web Proxy Auto Discovery (WPAD) protocol or the Dynamic Host Configuration Protocol (DHCP). These protocols are prone to MITM attacks.

  • Generate and deploy a TLS certificate to the on-premises proxy and configure devices to connect to the enterprise proxy using TLS (for example, https://:8443) and not plain HTTP.
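As an added example that is not part of this documentation or of Squid's own sample configuration, the following squid.conf fragment for Squid 3.5 applies the steps above on a single on-premises proxy: forwarding all traffic to SIA Proxy with proxy authorization credentials and the X-Forwarded-For header, resolving through SIA DNS, requiring user authentication, and listening for clients over TLS. The SIA Proxy hostname and port, the DNS server addresses, the credentials, the client network range and the file paths are placeholders (assumptions); replace them with the SIA Proxy URL and DNS servers shown in SIA and the values used in your environment.

```squid
# Added example squid.conf fragment (Squid 3.5 syntax). All hosts, IPs,
# credentials and paths below are placeholders, not values from SIA.

# --- Upstream: send every request to SIA Proxy -----------------------------
# Parent peer built from the SIA Proxy URL displayed in SIA (placeholder host/port).
# login=USER:PASSWORD carries the proxy authorization credentials configured in
# the SIA policy; remove it if proxy authorization is not enabled.
# no-query disables ICP probing; default marks this peer as the one to use.
cache_peer sia-proxy.example.invalid parent 8080 0 no-query default login=PROXY_USER:PROXY_PASSWORD

# Never connect to origin servers directly: all traffic must traverse the parent,
# which also makes the firewall rule that blocks proxy bypass easy to keep strict.
never_direct allow all

# Add the client IP to X-Forwarded-For so SIA reporting can attribute traffic.
forwarded_for on

# --- DNS: resolve through SIA DNS when the local resolver sits elsewhere ---
# Placeholder addresses; use the SIA DNS server IPs from your SIA configuration.
dns_nameservers 192.0.2.53 198.51.100.53

# --- Client side: authenticate users before forwarding anything -------------
# Basic auth against a local password file (placeholder path). Any Squid auth
# helper, for example Negotiate/Kerberos, can replace basic_ncsa_auth here.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Enterprise proxy
acl authenticated proxy_auth REQUIRED

# Only the enterprise client range may use the proxy, and only when authenticated.
acl localnet src 10.0.0.0/8
http_access allow localnet authenticated
http_access deny all

# --- Client side: TLS listener so devices use https://<proxy>:8443 ----------
# Requires a Squid build with OpenSSL support. Squid 3.5 uses cert=/key=;
# Squid 4 and later rename these options to tls-cert=/tls-key=.
https_port 8443 cert=/etc/squid/proxy.crt key=/etc/squid/proxy.key
```

If the SIA Proxy URL shown in SIA is an https:// endpoint, the cache_peer line additionally needs the Squid 3.5 options ssl and sslcafile=, pointing the latter at the enterprise CA root or Akamai MITM TLS CA certificate you added to the proxy's trust list (Squid 4 and later call these tls and tls-cafile=). After editing, run squid -k parse to validate the file and squid -k reconfigure to apply it, then confirm in SIA reporting that requests from the proxy arrive with the expected client addresses in X-Forwarded-For.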

If your organization uses a proxy auto-configuration (PAC) file to direct internal traffic to its destination and external traffic to the on-premises proxy, see PAC file configuration.