Configuring Explicit HTTP Proxy (Experimental)

You can configure the Explicit HTTP Proxy to allow clients to send traffic to the Engine before it is sent to the destination.

When the Engine receives traffic, it resolves the destination address of the follow-up connection to which the traffic is sent. The Engine also uses the resolved destination address to match the follow-up access rules for the traffic before sending the traffic to the destination.
Note: The Engine does not resolve the source IP address, so it is not available for follow-up access rule matching. Therefore, a NAT rule is required to ensure the follow-up connections are routed correctly.
Benefits:
  • Client internet access is controlled by proxy settings that route traffic through the explicit proxy IP address or port of the Engine.
  • Connection authentication occurs even if the connection cannot be decrypted without an External Certificate Authority (ECA).
To configure the Explicit HTTP Proxy, follow these general steps:
  1. Create a service element for the HTTP Explicit proxy. For more details, refer to the Create a service element for HTTP Explicit proxy topic.
  2. (Optional) Configure Integrated Windows Authentication (IWA) to authenticate proxy users. For more details, refer to the Configuring the Integrated Windows Authentication topic.
  3. Add access rules for the Explicit HTTP Proxy in the Engine policy. For more details, refer to the Add access rules for Explicit HTTP Proxy topic.