To assign multiple policies for a single Network identity (an egress IP) and identify internal IP addresses in reports, you must configure XFF. You can do this by using an on-premise proxy, or by using a browser plugin such as (for Firefox) the Simple Modify Headers plugin. This configuration is not required for proxy chaining.
- On-Premise X-Forwarded-For Header Configuration (No Plug-In)
- Browser PluginX-Forwarded-For Header Configuration (No Proxy Chaining)
For information on how to configure an X-Forwarded-For (XFF) to HTTP headers, see your proxy documentation.
For the XFF header to be properly written to HTTPS packets, internal clients must be configured for an explicit proxy (that is, configured to forward web traffic to the proxy’s internal network interface, or a PAC file) and HTTPS decryption or for transparent proxy deployments the proxy must provide Man-in-the-Middle (MitM) decryption.
For HTTPS decryption to work correctly you need to import your Umbrella certificate into your proxy. Refer to your proxy documentation for more information.
The browser plug-in approach is not scalable for production deployments and should be used for testing and troubleshooting only.
XFF and HTTPS Decription
If you are not using XFF headers (using SAML or only external IP for identity), HTTPS decryption does not need to be performed on the on-premises proxy, but only in the cloud.
Updated about 1 month ago