Set up on-premises proxy for the full web proxy
To enable the full web proxy, in addition to the settings you enable in SIA, you configure the on-premises proxy to forward traffic to SIA Proxy. SIA displays the SIA Proxy URL; configure the on-premises proxy to send all traffic to that URL. You can also configure the on-premises proxy to add the X-Forwarded-For header to requests, so that SIA reporting identifies the original client rather than the on-premises proxy.
You can require that SIA Proxy authorizes connections from the on-premises proxy. If you enable proxy authorization in a policy, you need to configure proxy credentials in SIA, and you need to configure these same proxy credentials in the on-premises proxy. For more information, see Proxy authorization.
SIA Proxy is hosted on the Akamai Intelligent Edge Security Platform, which has many points of presence (PoPs). The SIA Proxy URL resolves to a PoP near the DNS resolver that performs the lookup, so if your local DNS resolver is not in the same branch office or network location as the on-premises proxy, the on-premises proxy sends traffic to the SIA Proxy PoP nearest the resolver rather than the one nearest the proxy. In this case, configure the on-premises proxy to use the SIA DNS servers as its DNS resolver. For details, see the official documentation of your on-premises proxy. To review how this is configured on Squid 3.5 or later, see Configure Squid to forward traffic to SIA Proxy.
As part of this setup, confirm that the following applies:
- Local DNS resolvers forward requests to SIA, so that non-web traffic is also protected by SIA.
- Your enterprise firewall blocks clients or traffic that bypasses the on-premises proxy and SIA Proxy. For more information on configuring the firewall, see Configure your enterprise firewall.
- The enterprise CA root certificate or the Akamai MITM TLS CA certificate is added to the trusted certificates on your on-premises proxy. This is the same certificate that you deployed on enterprise computers for SIA Proxy.
To secure traffic between users and the on-premises proxy, make sure your enterprise follows these best practices:
- Require user authentication on the on-premises proxy. This lets you control and secure web access per user.
- Push the proxy configuration to end-user machines with a method you control, for example Group Policy on Windows. Do not rely on Web Proxy Auto-Discovery (WPAD) or the Dynamic Host Configuration Protocol (DHCP) to locate the proxy: both are unauthenticated, so an attacker on the local network can answer the WPAD name lookup or the DHCP request and point clients at a proxy they control, giving them a man-in-the-middle position.
- Generate and deploy a TLS certificate to the on-premises proxy and configure devices to connect to the proxy over TLS (for example, https://:8443) rather than plain HTTP.
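The following squid.conf fragment is an added example (not from the SIA documentation or the Squid project) that brings the setup list above and these best practices together on a Squid 4.x on-premises proxy: TLS-only client port, mandatory user authentication, all traffic forwarded to SIA Proxy with the policy's proxy credentials, X-Forwarded-For enabled, SIA DNS servers as the resolver, and the Akamai MITM CA trusted. The hostname sia-proxy.example.invalid, port 8080, the DNS addresses, the certificate paths and the credential are placeholders; substitute the SIA Proxy URL, SIA DNS servers and credentials shown in SIA.

```conf
# /etc/squid/squid.conf - on-premises Squid (4.x syntax) forwarding everything to SIA Proxy.
# All hostnames, ports, paths, addresses and the credential below are placeholders (assumptions).

# 1. Accept client connections over TLS only. No http_port is defined on purpose, so clients
#    must be configured (for example via Group Policy) to use https://<this host>:8443.
https_port 8443 tls-cert=/etc/squid/onprem-proxy.pem tls-key=/etc/squid/onprem-proxy.key

# 2. Require user authentication before anything is forwarded.
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
auth_param basic realm Enterprise web proxy
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED
http_access deny !authenticated
http_access allow authenticated
http_access deny all

# 3. Forward all traffic to SIA Proxy. Host and port come from the SIA Proxy URL shown in SIA
#    (placeholder here). login= sends the proxy credentials configured in SIA when proxy
#    authorization is enabled in the policy; omit it if authorization is not enabled.
cache_peer sia-proxy.example.invalid parent 8080 0 no-query no-digest default name=sia login=onprem-proxy:CHANGE_ME
cache_peer_access sia allow all
# Never go direct: if SIA Proxy is unreachable, requests fail instead of bypassing SIA.
never_direct allow all

# 4. Add X-Forwarded-For with the client address so SIA reporting identifies the original client.
forwarded_for on

# 5. Resolve the SIA Proxy name through the SIA DNS servers so the PoP is chosen relative to
#    this proxy, not to a resolver in another location (placeholder addresses).
dns_nameservers 192.0.2.53 192.0.2.54

# 6. Trust the Akamai MITM TLS CA (or the enterprise root) for TLS connections Squid itself
#    originates, for example when it inspects traffic; CONNECT tunnels pass through untouched.
tls_outgoing_options cafile=/etc/squid/sia-mitm-ca.pem
```

Check the result with `squid -k parse` before reloading. On Squid 3.5 the TLS directives carry their older names (`cert=`/`key=` on `https_port`, `sslproxy_cafile` instead of `tls_outgoing_options cafile=`); the authentication, `cache_peer`, `never_direct`, `forwarded_for` and `dns_nameservers` lines are the same. Because `never_direct allow all` makes the proxy fail closed when the peer is down, keep the firewall rule that blocks direct egress so that a client cannot route around the proxy during an outage.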
If your organization uses a proxy auto-configuration (PAC) file to direct internal traffic to its destination and external traffic to the on-premises proxy, see PAC file configuration.