Manage the Intelligent Proxy


Umbrella Packages and Feature Availability

Not all features described here are available to all Umbrella packages. To determine your current package, navigate to Admin > Licensing. For more information, see Determine Your Current Package.

If you encounter a feature described here that you do not have access to, contact your sales representative for more information. See also, Cisco Umbrella Packages.

Umbrella's intelligent proxy intercepts and proxies requests for URLs, potentially malicious files, and domain names associated with certain uncategorized or unknown domains. Some websites, especially those with large user communities or the ability to upload and share files, have content that most users want to access but also pose a risk because of the possibility of hosting malware. Administrators don't want to block access to an unknown domain for all users, but they also don't want your users to access files that could harm their computers or compromise company data.

With the intelligent proxy, Umbrella avoids the need to proxy requests to domains that are already known to be safe or bad. Most phishing, malware, ransomware, and other threats are hosted on domains that are classified as malicious. It's simple: Umbrella blocks those threats at the DNS layer, with no need to proxy. If a domain poses no threat, such as a content-carrying domain (CDN) for Netflix or YouTube, Umbrella allows the domain, and again, no proxy is required.

Yet some domains may pose a greater threat—for example, domains associated with a web server or sites that have the possibility of hosting malware. These domains can include sites that allow users to upload and share content making them difficult to police. If you allow all traffic to these risky domains, users might access malicious content, resulting in an infection or data leak. But if you block traffic, you can expect false positives, an increase in support inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more granular visibility and control.

The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs hosting malware while allowing access to everything else.

The intelligent proxy is built using a container-based microservices architecture. The proxy itself, and the services Umbrella integrates into the proxy, run and auto-scale independently from one another. For example, if the proxy notices a lot of files coming through for antivirus (AV) scanning, it automatically scales and provides more capacity for that function. This results in more effective performance for the intelligent proxy.

Table of Contents

How the Intelligent Proxy Works

Normally, when you send a DNS request to Umbrella's DNS resolvers, we check to see if it's a malicious site, registered on a destination list, or if it's blocked by a content setting. If it is blocked, Umbrella returns a block page for the request. If it's not blocked, Umbrella returns the IP address of the domain and you can visit the site.

With the intelligent proxy, if a site is considered potentially suspicious or could host malicious content, Umbrella returns the intelligent proxy's IP address. The request to that domain is then routed through our cloud-based secure gateway, and malicious content is found and stopped before it's sent to you.

Advantages of Using the Intelligent Proxy

The stumbling block for most proxies in the past was that they couldn't scale with the internet. The internet grows in ways that proxy hardware manufacturers can't prepare for—massive streaming video feeds, video conferencing, Voice over IP, and so on. With other proxies, all of that traffic needed to be proxied and all of it needed to be scanned, which slows down traffic at the gateway proxy, and devices outside of the gateway are not protected.

The intelligent proxy has some big advantages that make it not just more secure, but faster, too:

  • Umbrella's services are cloud-based and scale to handle any amount of internet traffic.
  • If your laptop leaves your corporate network, the intelligent proxy makes sure its protection follows you, keeping you secure 24/7/365.
  • Umbrella's predictive intelligence allows it to determine what gets proxied; thus, not all traffic is proxied. Some domains Umbrella knows are bad—these domains are stopped immediately by Umbrella's DNS service. Other domains Umbrella knows are always going to be good—these domains are always allowed by Umbrella's DNS service and are never proxied. For domains that are on Umbrella's grey list, Umbrella proxies HTTP and HTTPS traffic to and from the device to protect you from accessing malicious files.

Sites That are Not Proxied by the Intelligent Proxy

We maintain a list of highly popular, low-risk domains that are never proxied.

Localized (language-specific) web content like Google searches or bandwidth-intensive SaaS apps like Office 365 can experience issues when sent through a cloud-based proxy. But because these types of services don’t host malware, they aren’t considered “risky.” So, by default, our proxy doesn’t intercept this traffic. This means that your users receive accurate, localized content and services without the burden of creating proxy exceptions.

The list of unknown domains is comprised of domains that host both malicious and safe content—we consider these “risky” domains. These sites often allow users to upload and share content—making them difficult to police, even for site administrators.

There's no reason to proxy requests to domains that are already known to be safe or bad. Umbrella’s intelligent proxy only routes the requests for risky domains for deeper inspection.

Note: Umbrella does not proxy traffic on non-standard ports for web traffic.

Best Practices

When enabling the intelligent proxy, we highly recommend also selecting SSL Decryption, which broadens the scope of your protection. The SSL Decryption feature allows the intelligent proxy to decrypt and inspect traffic that's sent over HTTPS.

SSL Decryption Requirements and Implementation

You must install the Cisco Umbrella root certificate on computers that are using SSL decryption for the intelligent proxy. Umbrella inspects URL and domain names found on our "grey" list and blocks these HTTPS URLs if they're considered malicious in our policies. These uncategorized sites can include popular sites, such as file-sharing services. While many uncategorized sites contain safe URLs, these sites can potentially host malware on certain specific URLs. In this case, Umbrella considers the site uncategorized and proxies the site for users.

Without the root certificate, when your users go to the intelligent proxy service, they receive browser errors and the site is not accessible. The browser correctly determines that the traffic is being intercepted (and proxied) by a 'man in the middle,' which, in this case, is the Umbrella service. Traffic is not decrypted and inspected; instead, the website is unavailable.

With the root certificate installed, errors do not occur and the site is accessible when it's been proxied and allowed. For information on installing the root certificate, see Install the Cisco Umbrella Root Certificate.

Selective Decryption Lists

Within the Selective Decryption Lists policy component, you can create a list of content categories. With SSL Decryption enabled, the intelligent proxy inspects HTTPS traffic but excludes sites associated with the Selective Decryption content categories. For example, if you add the category News / Media to the Selective Decryption list and then visit, this destination is not inspected by the intelligent proxy.

Note: After adding a selective decryption list to a DNS policy, you can reuse this decryption list in other DNS policies. For more information, see Add a Policy.

Note: Umbrella excludes the Terrorism, Internet Watch Foundation, and German Youth Protection content categories from the Selective Decryption list. Umbrella always inspects and proxies sites related to these content categories.

Troubleshoot Destination Lists < Manage the Intelligent Proxy > Enable the Intelligent Proxy