TrainingSupportCommunity

Set up other SIA components

Suggest Edits

ā€‹SIAā€‹ provides workflows in Enterprise Center that guide you through the process of setting up these features:

  • ā€‹SIAā€‹ Proxy. You can set up these configurations of ā€‹SIAā€‹ Proxy:

    • Selective Proxy. Scans risky domains and any of its associated URLs. For more information on setting up the selective proxy, see Set up selective proxy.

    • Full Web Proxy. Allows ā€‹SIAā€‹ Proxy to act as a Secure Web Gateway (SWG). The full proxy performs URL filtering and anti-malware scanning on all web traffic. For more information on setting up the full web proxy, see Set up a full web proxy.

  • Identity providers. You can set up an identity provider (IdP) to enable authentication and restrict access to specific users or groups in your organization. For more information, see Set up an identity provider.

Set up the selective proxy

The Selective Proxy Setup workflow guides you through the process of configuring ā€‹SIAā€‹ Proxy as a selective proxy. The selective proxy is a configuration of ā€‹SIAā€‹ Proxy that scans only risky domains and its URLs. With the selective proxy, ā€‹SIAā€‹ Threat Intelligence detects that a domain contains a suspicious URL. Traffic to risky domains is then sent to ā€‹SIAā€‹ Proxy where specific URLs are blocked, monitored, or analyzed in accordance with a policy. With the easy integration of the selective proxy, you can optimize security with minimal impact to users. If your enterprise needs to scan all web traffic, see Set up a full web proxy.

To set up the selective proxy:

  1. Generate the ā€‹SIAā€‹ Proxy certificate.

    ā€‹SIAā€‹ Proxy is a "trusted intermediary" that decrypts, inspects, and re-encrypts all Transport Layer Security (TLS) traffic from enterprise managed computers. This gives ā€‹SIAā€‹ visibility into TLS encrypted traffic and allows it to protect an enterprise from threats, while preserving confidentiality and integrity of traffic to origin websites.

    For ā€‹SIAā€‹ Proxy to decrypt and inspect traffic, a man-in-the-middle (MITM) certificate authority (CA) TLS certificate is required. This certificate needs to be distributed to an organization's trust store or TLS clients in your network.

    You can generate this certificate in ā€‹SIAā€‹ or you can upload an intermediate certificate. You upload an intermediate certificate if your organization already has a public key infrastructure and maintains an internal CA root certificate. For more information, see ā€‹SIAā€‹ Proxy MITM certificate.

    To complete this step in the workflow, you need to:

    • Generate a certificate in ā€‹SIAā€‹, distribute it to TLS clients, and activate it in ā€‹SIAā€‹. For instructions, see Create an ā€‹Akamaiā€‹ certificate.

    • Generate a certificate signing request (CSR) in ā€‹SIAā€‹, sign the request with your organization's CA, and upload the certificate to ā€‹SIAā€‹. You can then distribute the certificate to client devices and activate it in ā€‹SIAā€‹. For instructions, see Create a non-ā€‹Akamaiā€‹ certificate.

    For instructions on distributing the certificate to desktop devices, see Distribute the ā€‹SIAā€‹ Proxy certificate. For more information on how to distribute the certificate to mobile devices for ā€‹ETP Clientā€‹, see Distribute the mobile client and go to the instructions that are specific to your Mobile Device Management (MDM) solution.

  2. Configure a policy for the selective proxy.

    This process involves:

    • Enabling ā€‹SIAā€‹ Proxy

    • Choosing Selective Proxy as the Operating Mode setting for access control.

    • Choosing Selective Proxy as the mode for iOS, Android, and Chrome OS devices. The mobile mode settings are currently in beta.

    For instructions on configuring the policy, see Enable selective proxy.

  3. If you havenā€™t done so already, deploy the policy.

    For your policy configuration to take effect, you need to deploy it to the ā€‹SIAā€‹ network.

    For more information, see Deploy configuration changes.

Set up the full web proxy

The Full Proxy Setup workflow guides you through the process of configuring ā€‹SIAā€‹ Proxy as a full web proxy that scans all web traffic. This configuration allows ā€‹SIAā€‹ Proxy to act as a SWG that performs URL filtering and anti-malware scanning in your current network configuration.

You configure ā€‹SIAā€‹ Proxy as a full web proxy with one of these methods:

  • Proxy chaining. Directs all HTTP and HTTPS traffic from your organizationā€™s on-premises web proxy to ā€‹SIAā€‹ Proxy. For more information, see Set up proxy chaining.

  • ā€‹ETP Clientā€‹. You can forward all HTTP and HTTPS traffic to ā€‹SIAā€‹ Proxy. This occurs when you set ā€‹ETP Clientā€‹ as the local web proxy on the userā€™s machine, you use ā€‹ETP Clientā€‹ with an existing enterprise proxy, or you enable transparent traffic interception. For more information, see About ā€‹ETP Clientā€‹.

šŸ“˜

While not shown in this workflow, you can also configure the full web proxy with Security Connector as an HTTP Forwarder, by directing traffic from the userā€™s browser or system to the proxy, or with IPsec tunnels. To learn more, see Security Connector as an HTTP Forwarder, Configure the proxy in browsers, or Set up IPsec tunnels.

To set up the full proxy:

  1. Generate the ā€‹SIAā€‹ Proxy certificate.

    ā€‹SIAā€‹ Proxy is a ā€œtrusted intermediaryā€ that is able to decrypt, inspect, and re-encrypt all TLS traffic from enterprise managed computers. This gives ā€‹SIAā€‹ visibility into TLS encrypted traffic and allows it to protect an enterprise from threats, while preserving confidentiality and integrity of traffic to origin web sites.

    For ā€‹SIAā€‹ Proxy to decrypt and inspect traffic, a MITM CA TLS certificate is required. This certificate needs to be distributed to an organizationā€™s trust store or TLS clients in your network.

    You can generate this certificate in ā€‹SIAā€‹ or you can upload an intermediate certificate. You upload an intermediate certificate if your organization already has a public key infrastructure and maintains an internal CA root certificate. For more information, see ā€‹SIAā€‹ Proxy MITM certificate.

    To complete this step in the workflow, you need to:

    • Generate a certificate in ā€‹SIAā€‹, distribute it to TLS clients, and activate it in ā€‹SIAā€‹. For instructions, see Create an ā€‹Akamaiā€‹ certificate.

    • Generate a CSR in ā€‹SIAā€‹, sign the request with your organizationā€™s CA, and upload the certificate to ā€‹SIAā€‹. You can then distribute the certificate to client devices and activate it in ā€‹SIAā€‹. For instructions, see Create a non-ā€‹Akamaiā€‹ certificate.

    For instructions on distributing the certificate to desktop devices, see Distribute the ā€‹SIAā€‹ Proxy certificate. For more information on how to distribute the certificate to mobile devices for ā€‹ETP Clientā€‹, see Distribute the mobile client and go to the instructions that are specific to your MDM solution.

  2. Configure internal IP addresses, domains, and DNS suffixes for traffic that you donā€™t want scanned by ā€‹SIAā€‹ Proxy.

    If there are domains, IP addresses, and DNS suffixes that you donā€™t want directed to ā€‹SIAā€‹ Proxy, such as domains for internal websites, you can configure them in the Local Bypass Settings. For instructions, see Configure local bypass settings.

  3. If you want to direct web traffic to the proxy with ā€‹ETP Clientā€‹, set up the client. You can deploy the client to desktop or mobile devices on your network. You can configure ā€‹ETP Clientā€‹ as a local web proxy that forwards requests to ā€‹SIAā€‹ Proxy or if your enterprise includes an on-premises proxy, you can also configure proxy chaining to forward requests from the on-premises proxy to ā€‹SIAā€‹ Proxy. You can also use the full web proxy by enabling transparent traffic interception. For more information, see ā€‹ETP Clientā€‹ for web traffic.

    If you plan to use ā€‹ETP Clientā€‹ as a local web proxy, make sure you enable these settings.

    • Enable ā€‹ETP Clientā€‹ as Proxy. This policy setting modifies the local web proxy settings on the userā€™s machine and in turn, enables ā€‹ETP Clientā€‹ as the local web proxy.

      In addition to choosing whether to enable this setting, you can also choose to modify the local web proxy only when no web proxy is configured on the userā€™s machine.

    šŸ“˜

    You can also enable the Configure ā€‹ETP Clientā€‹ as local computer web proxy setting in the client configuration. For more information, see ā€‹ETP Clientā€‹ configuration settings. The Enable ā€‹ETP Clientā€‹ as Proxy setting in the policy takes precedence over the client configuration setting.

    • Proxy Port. If ā€‹ETP Clientā€‹ modifies the local web proxy settings on the userā€™s computer, it listens for traffic on port 8080 by default. If this port is used by another process in your network, you can enter a new port into this field. You enable this setting in the client configuration settings. For more information, see ā€‹ETP Clientā€‹ configuration settings.

      To set up the desktop or mobile version of the client, see Prepare for ā€‹ETP Clientā€‹ setup.

    šŸ“˜

    Using ā€‹ETP Clientā€‹ for a full web proxy configuration is optional in this setup only if you plan to implement a proxy chaining configuration. To set up a full web proxy, you need to either set up ā€‹ETP Clientā€‹ for web traffic or set up proxy chaining.

  4. If you want to forward traffic from your on-premises proxy to ā€‹SIAā€‹ Proxy, configure proxy chaining. For more information, see Set up on-premises proxy for ā€‹SIAā€‹ full web proxy.

    As part of a proxy chaining configuration, you need to enable these policy settings:

    • Trust X-Forwarded-For (XFF) header. The XFF header contains the client IP address. It prevents users from anonymizing their IP address or configuring their browser to inject a fake XFF with a fake IP address. Make sure you enable the XFF setting only if the on-premises proxy is configured to add this header and your firewall blocks direct access to outbound port 443 for users who attempt to bypass the proxy.

    • Proxy authorization. Requires that ā€‹SIAā€‹ Proxy authorize connections from the on-premises web proxy. You need to configure proxy credentials in ā€‹SIAā€‹ and configure these credentials in the on-premises proxy. For more information, see Configure proxy authorization.

    The Proxy host information that you use to configure the on-premises proxy to send all traffic to ā€‹SIAā€‹ Proxy is available in a policy configuration.

    šŸ“˜

    Proxy chaining is an optional step in the workflow only if you plan to set up ā€‹ETP Clientā€‹. To set up a full web proxy, you need to either set up ā€‹ETP Clientā€‹ for web traffic or implement proxy chaining.

  5. Configure your policy for the full web proxy.

    In addition to enabling ā€‹SIAā€‹ Proxy and the settings that are required for ā€‹ETP Clientā€‹ or a proxy chaining configuration, you also select Full Proxy as the Operating Mode and as the mobile mode for iOS, Android, and Chrome OS device. The mobile mode settings are currently in beta.

    For instructions on configuring the policy, see Enable full web proxy.

  6. If you havenā€™t done so already, deploy the policy.

    For your policy configuration to take effect, you need to deploy it to the ā€‹SIAā€‹ network.

    For more information, see Deploy configuration changes.

Set up an identity provider

An IdP is a service that creates, manages, and saves user identity information. This identity information is used to authenticate users within a network. Identity information or attributes are stored in a directory. By setting up an IdP, you can enable user authentication. You can configure authentication to require that users or groups authenticate to access websites, web applications, sensitive data, or specific file types. With this configuration in place, you can also report usernames and groups in access control events. To learn more about IdPs, see About identity providers.

ā€‹Secure Internet Access Enterpriseā€‹ supports these IdPs:

  • ā€‹Akamaiā€‹
  • Third-Party security assertion markup language (SAML)
  • Okta
  • PingOne

To set up an IdP:

  1. Set up an identity connector.

    An identity connector is a complete virtual appliance that you download in ā€‹SIAā€‹ and deploy behind the firewall in your data centers or hybrid cloud environments. Identity connectors allow ā€‹SIAā€‹ to synchronize with your organizationā€™s AD or LDAP servers.

    To download an identity connector, see Create and download an identity connector.

  2. Add a directory.

    A directory is a service that your enterprise uses to manage users and user groups. To authorize user access to domains or URLs in a policy, you add directories to ā€‹SIAā€‹ and associate them with IdPs.

    ā€‹SIAā€‹ supports these directory services:

    • Cloud Directory
    • AD
    • LDAP
    • Active Directory Lightweight Directory Services (AD LDS)
    • System for Cross-domain Identity Management (SCIM)

    šŸ“˜

    Cloud directory is a directory that's included with ā€‹SIAā€‹ to provide user access to the Internet without integrating LDAP. By default, all users you add to this directory are part of the main Users group.

    As part of a directory configuration, you need to associate an identity connector.

    For more information about directories, see About directories. To add a directory service, see Add a directory.

  3. Add an IdP.

    To add an IdP, see Add an identity provider.

    The online help includes detailed procedures that guide you through the process of setting up these specific identity providers.

  4. Enable authentication in a policy.

    Enable authentication, assign an identity provider, and select the users or groups that can access websites in a specific category. For instructions, see Require authentication to access a website or web application.

  5. If you havenā€™t done so already, deploy the policy.

    For your policy configuration to take effect, you need to deploy it to the ā€‹SIAā€‹ network.

    For more information, see Deploy configuration changes.

Updated 3 months ago