Many Corporate environments have a security setup on the local network. One of the frequently used deployment scenarios includes Proxy Server on the way to the internet to control, or monitor, outbound traffic.

Traffic secured by Secure Access Cloud (SAC) has no essential reason to pass through SWGs or Proxy Servers, since the auditing is done by SAC itself. Consequently, passing this data through the organizational proxy will not gain additional security value but will increase the resource requirements on the proxy server itself.

Addition reason to avoid passing SAC traffic through a Proxy is certificate-based trust. In order to keep the communication secured the SWGs or Proxy Servers will have to be authenticated with their own certificate. This will prevent SAC to authenticate connectors placed behind the Proxy with its unique certificate to guarantee the connector identification.

Getting a more detailed look on a topology, it would be recommended to allow connectors direct outbound connection to SAC Front End URLs specified in this link by defining relevant Firewall rules.

Note: In some cases, the IP addresses of the SAC may change, hence its recommended to use URLs for the firewall rules. 

 

However, due to the different constraints & considerations (such as inability to configure Firewall exclusions), some organization prefer to keep the Proxy Server for the whole organization's traffic.

The example in the picture below describes the scenario where one application (app1.tenant.com) secured by SAC & Firewall assumed to provide connectivity from Proxy Server only:

 

SAC fully supports this topology, by setting Proxy parameters as part for the Site Provisioning process.

 

 

Secure Access Cloud

Configuration steps for Proxy Use Case

Proxy Server configurations placed on a Site level and applied to all Site connectors once saved.

  1. As a first step switch the “Use a Proxy Server for outbound connection” toggle button to “On” state
  2. Proxy Server URI should be set
  3. Set Proxy username and password (if needed)

Note 1:

The Proxy configuration support requires 2.6.3 connector version and up. Please upgrade your connector appropriately to allow the functionality.

Note 2:

Proxy configuration takes effect as part of the connectors provisioning process only. Such in case any Proxy configuration (including on/off) need to be changed, you will be asked to re-deploy connectors, while you can keep the other Site configurations

When you have connectors, which weren’t deployed with the new configuration, you will have the following indicative warning:

 

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.