The Umbrella User Guide Developer Hub


Manage Proxy Chaining

You may employ proxy-chaining in your environment for easier migration or proxy transparency. To use proxy-chaining in conjunction with Umbrella SIG, first determine which anycast method is appropriate for your environment.

Umbrella's secure web gateway (SWG) leverages anycast routing to ensure a connection to the best possible datacenter. Umbrella achieves this through one of the following methods:

  • FQDN anycast (recommended)
  • TCP anycast

The difference between these methods is in how the anycast routing is performed.

FQDN anycast uses Umbrella DNS to discover the best datacenter to forward web traffic to and is the primary anycast method used across Umbrella. If Umbrella DNS can be used, and the on-premises proxy can use an FQDN-based URL to define the upstream proxy, then FQDN anycast should be used.

TCP anycast does not use Umbrella DNS, and therefore can be employed by on-premises proxies that require the upstream proxy to be defined as an IP address. TCP anycast is also appropriate for environments in which the on-premises proxy does not have DNS configured and all traffic forwarding decisions are made by IP address, offloading DNS lookups to the upstream proxy.

To configure your on-premises upstream proxy settings for FQDN anycast, use the following:

  • HTTP upstream proxy = proxy.sig.umbrella.com:80
  • HTTPS upstream proxy = proxy.sig.umbrella.com:443

To configure your on-premises upstream proxy settings for TCP anycast, use the following:

  • HTTP upstream proxy = 146.112.255.50:80
  • HTTPS upstream proxy = 146.112.255.50:443

The following URLs must be routed directly to the internet and not forwarded to Umbrella:

  • ocsp.int-x3.letsencrypt.org
  • isrg.trustid.ocsp.identrust.com
  • *.cisco.com
  • *.opendns.com
  • *.umbrella.com (see the note below)
  • *.okta.com
  • *.oktacdn.com
  • *.pingidentity.com
  • secure.aadcdn.microsoftonline-p.com

Note: There may be an exception for *.umbrella.com. If you are using SAML, gateway.id.swg.umbrella.com must be sent through the Umbrella proxy.
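The direct-routing list and its SAML exception can be checked as a routing decision before the rules are loaded into the on-premises proxy. The following is an added example, not code from the Umbrella documentation: the names DIRECT_PATTERNS, SAML_HOST, UPSTREAM, matches and routeFor are hypothetical, FQDN anycast is assumed, and a "*." entry is assumed to cover the bare domain as well as its subdomains. Wildcards are matched on a label boundary, so a look-alike host such as evilcisco.com is still forwarded to Umbrella rather than bypassing it.

```javascript
// Added example (hypothetical names); host lists and upstream values are from this page.
const DIRECT_PATTERNS = [
  "ocsp.int-x3.letsencrypt.org",
  "isrg.trustid.ocsp.identrust.com",
  "*.cisco.com",
  "*.opendns.com",
  "*.umbrella.com",
  "*.okta.com",
  "*.oktacdn.com",
  "*.pingidentity.com",
  "secure.aadcdn.microsoftonline-p.com",
];
// Exception from the note: with SAML this host goes through the Umbrella proxy.
const SAML_HOST = "gateway.id.swg.umbrella.com";
// FQDN anycast upstream settings.
const UPSTREAM = {
  http: "proxy.sig.umbrella.com:80",
  https: "proxy.sig.umbrella.com:443",
};

// Lower-case the host and drop a trailing root dot so "Login.OKTA.com." still matches.
function normalize(host) {
  return host.trim().toLowerCase().replace(/\.$/, "");
}

// Exact match for plain entries; label-boundary suffix match for "*." entries.
function matches(pattern, host) {
  if (!pattern.startsWith("*.")) return host === pattern;
  const suffix = pattern.slice(1); // "*.cisco.com" -> ".cisco.com"
  // Assumption: the wildcard also covers the bare domain ("cisco.com").
  return host === suffix.slice(1) || host.endsWith(suffix);
}

// Returns "DIRECT" or the upstream proxy for the given scheme ("http" or "https").
function routeFor(scheme, host, usingSaml) {
  const h = normalize(host);
  // The SAML exception is evaluated before the *.umbrella.com wildcard.
  if (usingSaml && h === SAML_HOST) return UPSTREAM[scheme];
  if (DIRECT_PATTERNS.some((p) => matches(p, h))) return "DIRECT";
  return UPSTREAM[scheme];
}

// Constructed sample hosts, printed for a quick manual check.
for (const h of ["www.cisco.com", "evilcisco.com", SAML_HOST]) {
  console.log(h, "->", routeFor("https", h, true));
}
```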

Make sure that you have configured a Network identity that matches the public (NAT) IP address of your on-premises proxy.



Updated about a month ago
