Selective proxy

A selective proxy analyzes risky web traffic. It examines the domain and full URL of each request to determine whether the request is risky.

This graphic illustrates how the proxy functions in a network:


This graphic does not illustrate how SIA Proxy behaves when it's configured on a network with an on-premises proxy.

The corporate resolver forwards requests to SIA. Requests are forwarded to the SIA network in the closest geographical region. When Selective Proxy is set as the operating mode or as the mode for mobile traffic in a policy, SIA DNS directs requests to SIA Proxy. The IP address of the SIA proxy server is then cached in the resolver and all suspicious traffic is forwarded to the proxy.

With the selective proxy, SIA Threat Intelligence detects that a domain contains a suspicious URL. Traffic to risky domains is sent to SIA Proxy. However, only specific known threat URLs are blocked, monitored, or analyzed in accordance with the established policy. If a website is not a suspected threat or its category is assigned the Bypass action, it bypasses the proxy. For example, in the graphic above, the safe website is not inspected by the SIA proxy and the request is resolved.

A number of checks are performed to determine how suspicious traffic is handled:

  • SIA confirms that the request comes from an IP address that is registered as a location for your organization. If the IP address is unknown, the request is dropped.

  • If the IP address is known, the destination port is checked to confirm that port 443 or 80 is used. If these ports are not used, traffic is dropped.

  • For port 443, the TLS Server Name Indication (SNI) value is extracted and SIA connects to the origin server with that hostname.

  • For port 80, traffic is likely HTTP. SIA extracts the hostname from the Host header in the HTTP request.

  • If the hostname cannot be extracted or identified, the end user is shown an error page.
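The sequence of checks above can be sketched as follows. This is an added example, not SIA code: the function names, the action labels (`drop`, `proxy`, `error_page`), and the registered range are assumptions made for illustration.

```python
import ipaddress
import struct

# Constructed sample: a documentation range stands in for registered locations.
REGISTERED_LOCATIONS = [ipaddress.ip_network("203.0.113.0/24")]

def sni_from_client_hello(data: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:  # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                    # session id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher suites
        pos += 1 + data[pos]                    # compression methods
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0 and data[pos + 2] == 0:  # server_name, type host_name
                n = struct.unpack_from("!H", data, pos + 3)[0]
                name = data[pos + 5:pos + 5 + n]
                return name.decode("ascii").lower() if n and len(name) == n else None
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                    # truncated or malformed hello
    return None

def host_from_http(data: bytes):
    """Return the Host header value (port stripped, no IPv6 literals), or None."""
    for line in data.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]:
        field, _, value = line.partition(b":")
        if field.strip().lower() == b"host":
            return value.strip().split(b":")[0].decode("ascii", "ignore").lower() or None
    return None

def triage(src_ip: str, dst_port: int, first_bytes: bytes):
    """Apply the checks in order; action labels are hypothetical."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in REGISTERED_LOCATIONS):
        return ("drop", "source IP is not a registered location")
    if dst_port not in (80, 443):
        return ("drop", "destination port is not 80 or 443")
    extract = sni_from_client_hello if dst_port == 443 else host_from_http
    host = extract(first_bytes)
    return ("proxy", host) if host else ("error_page", "hostname not identified")

# Constructed sample request for the port 80 path.
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: Example.test:80\r\n\r\n"
```

A ClientHello that omits the server_name extension, or is truncated before it, takes the same `error_page` path as an HTTP request with no Host header.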


If your network already contains an on-premises proxy, the SIA proxy can work with the internal proxy without requiring significant changes to your network. For more information, see Support of an on-premises HTTP forward proxy.