Guides
ProductDeveloper
Guides

Manage Proxy Chaining

👍

Limited Availability

Cisco Web Security Appliance (WSA) Async OS 14.1 introduces Cisco Umbrella Seamless Identity sharing. This can be used to authenticate end-users with the on-premise active directory, and forward the traffic and user identity to Cisco Umbrella when used in proxy chain mode. For more information, see https://www.cisco.com/c/dam/en/us/products/se/2021/6/Collateral/swa-async-os.pdf.

You may employ proxy-chaining in your environment for easier migration or proxy transparency. To use proxy-chaining in conjunction with Umbrella SIG, first determine which anycast method is appropriate for your environment.

Note: Proxy chain traffic is supported for Network deployments and for sending through tunnels.

Umbrella's secure web gateway (SWG) leverages anycast routing to ensure a connection to the best possible data center. Umbrella achieves this through one of the following methods:

  • FQDN anycast (recommended)
  • TCP anycast. 

The difference between these methods is in how the anycast routing is performed.

FQDN anycast uses Umbrella DNS to discover the best data center to forward web traffic to and is the primary anycast method used across Umbrella. If Umbrella DNS can be used, and the on-premises proxy can use an FQDN-based URL to define the upstream proxy, then FQDN anycast should be used.

TCP anycast does not use Umbrella DNS, and therefore can be employed by on-premises proxies that require the upstream proxy to be defined as an IP address. TCP anycast is also appropriate for environments in which the on-premises proxy does not have DNS configured and all traffic forwarding decisions are made by IP address, offloading DNS lookups to the upstream proxy.

To configure your on-premises upstream proxy settings for FQDN anycast, use the following:

  • HTTP upstream proxy = swg.umbrellagov.com:80
  • HTTPS upstream proxy = swg.umbrellagov.com:443

To configure your on-premises upstream proxy setting for TCP anycast, use these settings:

  • HTTP upstream proxy = 18.254.209.165:80
  • HTTPS upstream proxy = 18.254.209.165:443

The following URLs must be routed directly to the internet and not forwarded to Umbrella:

ocsp.int-x3.letsencrypt.org
isrg.trustid.ocsp.identrust.com 
*.cisco.com
*.umbrellagov.com (see following note)
*.okta.com
*.oktacdn.com
*.pingidentity.com 
secure.aadcdn.microsoftonline-p.com

Note:

  • In the case of *.umbrellagov.com, there may be an exception. If you are using SAML, gateway.id.swg.umbrellagov.com must be sent through the Umbrella proxy.
  • In the case of *umbrellagov.com, there may be an exception. If you are using "Warn Page" function, block.umbrellagov.com must be sent through the Umbrella proxy.

Make sure that you have configured a Network identity that matches the public IP of your on-premise proxy (NAT) IP address.


Customize Umbrella's PAC File < Manage Proxy Chaining > Forwarded-For (XFF) Configuration