Symantec Endpoint Detection and Response does not normally inspect traffic between internal computers. A proxy server usually has an IP address in the internal range, so if the proxy sits between Symantec EDR and the Internet, all traffic between protected endpoints and the Internet appears as internal traffic. When you add the proxy server IP address to the Enterprise Proxy list, however, Symantec EDR treats all traffic to the proxy as outbound network traffic and inspects it.
Configure an enterprise proxy only if Symantec EDR is on the LAN side of the proxy. Otherwise, the appliance does not inspect traffic between the proxy and the Internet. If you use a single-leg proxy, Symantec recommends that you configure the Symantec EDR enterprise proxy so that it only inspects traffic between the proxy and the internal networks.