You may employ proxy-chaining in your environment for easier migration or proxy transparency. To use proxy-chaining in conjunction with Umbrella SIG, first determine which anycast method is appropriate for your environment.
Umbrella's secure web gateway (SWG) leverages anycast routing to ensure a connection to the best possible datacenter. Umbrella achieves this through one of the following methods:
- FQDN anycast (recommended)
- TCP anycast
The difference between these methods is in how the anycast routing is performed.
FQDN anycast uses Umbrella DNS to discover the best datacenter to forward web traffic to and is the primary anycast method used across Umbrella. If Umbrella DNS can be used, and the on-premises proxy can use an FQDN-based URL to define the upstream proxy, then FQDN anycast should be used.
TCP anycast does not use Umbrella DNS, and therefore can be employed by on-premises proxies that require the upstream proxy to be defined as an IP address. TCP anycast is also appropriate for environments in which the on-premises proxy does not have DNS configured and all traffic forwarding decisions are made by IP address, offloading DNS lookups to the upstream proxy.
To configure your on-premises upstream proxy settings for FQDN anycast, use the following:
- HTTP upstream proxy = proxy.sig.umbrella.com:80
- HTTPS upstream proxy = proxy.sig.umbrella.com:443
To configure your on-premises upstream proxy settings for TCP anycast, use the following:
- HTTP upstream proxy = 18.104.22.168:80
- HTTPS upstream proxy = 22.214.171.124:443
The following URLs must be routed directly to the internet and not forwarded to Umbrella:
- ocsp.int-x3.letsencrypt.org
- isrg.trustid.ocsp.identrust.com
- *.cisco.com
- *.opendns.com
- *.umbrella.com (see the following note)
- *.okta.com
- *.oktacdn.com
- *.pingidentity.com
- secure.aadcdn.microsoftonline-p.com

Note: In the case of *.umbrella.com, however, there may be an exception. If you are using SAML, gateway.id.swg.umbrella.com must be sent through the Umbrella proxy.
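The routing rules above (upstream proxy per scheme and anycast method, the direct-to-internet bypass list, and the SAML exception for gateway.id.swg.umbrella.com) can be checked before they are put into a proxy's configuration. The following is an added example, not Cisco Umbrella code: it takes the endpoints and bypass patterns exactly as listed on this page and returns, for a given URL, either DIRECT or the upstream proxy that the on-premises proxy should chain to. The function names `route` and `host_matches`, and the assumption that `*.example.com` matches any depth of subdomain but not the bare apex, are the example's own.

```python
"""Decide whether a request goes DIRECT or to the Umbrella SIG upstream proxy.

Added example illustrating the proxy-chaining rules above; not Cisco Umbrella
code. Endpoints, the bypass list and the SAML exception are taken from the page;
the function names and wildcard semantics are assumptions of this example.
"""
from urllib.parse import urlsplit

# Upstream proxy endpoints per anycast method (values from the page).
UPSTREAM = {
    "fqdn": {"http": "proxy.sig.umbrella.com:80", "https": "proxy.sig.umbrella.com:443"},
    "tcp": {"http": "18.104.22.168:80", "https": "22.214.171.124:443"},
}

# Destinations that must be routed directly to the internet, not to Umbrella.
DIRECT_PATTERNS = [
    "ocsp.int-x3.letsencrypt.org",
    "isrg.trustid.ocsp.identrust.com",
    "*.cisco.com",
    "*.opendns.com",
    "*.umbrella.com",
    "*.okta.com",
    "*.oktacdn.com",
    "*.pingidentity.com",
    "secure.aadcdn.microsoftonline-p.com",
]

# SAML exception: still proxied even though it falls under *.umbrella.com.
SAML_PROXIED_HOSTS = {"gateway.id.swg.umbrella.com"}

DIRECT = "DIRECT"


def host_matches(host: str, pattern: str) -> bool:
    """True if host equals an exact entry or falls under a '*.' wildcard entry.

    Assumption: '*.example.com' covers a.example.com and a.b.example.com but
    not the bare apex example.com. Matching is suffix-anchored on a label
    boundary, so 'cisco.com.evil.test' does not match '*.cisco.com'.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return host == pattern


def route(url: str, anycast: str = "fqdn", saml_enabled: bool = False) -> str:
    """Return DIRECT or the 'host:port' of the upstream proxy for this URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased, port stripped, None if absent
    if scheme not in ("http", "https") or not host:
        raise ValueError(f"unsupported or malformed URL: {url!r}")
    if anycast not in UPSTREAM:
        raise ValueError(f"unknown anycast method: {anycast!r}")
    upstream = UPSTREAM[anycast][scheme]
    # SAML login traffic must reach Umbrella, overriding the *.umbrella.com bypass.
    if saml_enabled and host in SAML_PROXIED_HOSTS:
        return upstream
    if any(host_matches(host, p) for p in DIRECT_PATTERNS):
        return DIRECT
    return upstream


if __name__ == "__main__":
    # Constructed sample requests, not traffic from the page.
    for sample in ("https://www.example.com/",
                   "http://ocsp.int-x3.letsencrypt.org/status",
                   "https://gateway.id.swg.umbrella.com/login"):
        print(f"{sample:50} -> {route(sample, saml_enabled=True)}")
```

Running the script with `saml_enabled=False` sends gateway.id.swg.umbrella.com direct (it is covered by `*.umbrella.com`), which is the misconfiguration the note warns about when SAML is in use; the same function with `anycast="tcp"` returns the IP-based upstream for proxies that cannot resolve an FQDN.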
Make sure that you have configured a Network identity that matches the public (NAT) IP address of your on-premises proxy.