Create a Proxy Server element

Create a Proxy Server element that represents the proxy service.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to Network Elements.
  2. Browse to Servers.
  3. Select New > Proxy Server.
  4. Configure the settings.
  5. On the Services tab, configure the details of the service to which traffic is forwarded.
  6. Click OK.

Proxy Server Properties dialog box

Use this dialog box to change the properties of a Proxy Server.

Option Definition
General tab
Name The name of the element.
Address Enter the IPv4 or IPv6 address of the server. You can also add multiple IP addresses, separated by commas. Alternatively, you can enter an FQDN.
Resolve Automatically resolves the IP addresses of the server if you entered a domain name in the Name field.
Location Specifies the location for the server if there is a NAT device between the server and other SMC components.
Balancing Mode If multiple IP addresses or an FQDN is defined, you can select how traffic is balanced.
  • First Available ServerThe first IP address listed or resolved by DNS is used by default. Use this option when forwarding to the Forcepoint Web Security Cloud service.
  • According to Source — Traffic is distributed based on the client source. Clients that have the same source IP address are forwarded to the same proxy.
  • According to Destination — Traffic is distributed based on the server destination. Clients that attempt to connect to a particular server (the same website, for example) are redirected to the same proxy. A benefit to using this option is that more traffic is cached.
  • According to Source and Destination — Traffic is more evenly balanced among proxies, taking both source and destination into account.
Contact Addresses
  • Default — Used by default whenever a component that belongs to another Location connects to this server.
  • Exceptions — Opens the Exceptions dialog box.
Secondary IP Addresses

(Optional)

The NGFW Engine associates the secondary IP address to the correct element when the IP address is used as the source or destination address in pass-through communications.
Note: Secondary IP addresses are only used for routing and matching in Access rules. Do not add IP addresses of the proxy server or service.
Click Add to add a row to the table, or Remove to remove the selected row.
Category

(Optional)

Includes the element in predefined categories. Click Select to select a category.
Tools Profile Adds commands to the right-click menu for the element. Click Select to select an element.
Comment

(Optional)

A comment for your own reference.
Option Definition
Services tab
Proxy Service Listening Port The port that the NGFW Engine uses to communicate with the proxy service. This port is used for all protocols, unless overridden in the Protocol-Specific Listening Ports section.

The default port is 8080.

Protocol-Specific Listening Ports If you do not want to use the port defined in the Proxy Service Listening Port field for a particular protocol, select the protocol, then enter the port to use.
  • FTP — The default port is 21.
  • HTTP — The default port is 8080.
  • HTTPS — The default port is 8080.
  • SMTP — The default port is 25.
Proxy Service
  • Forcepoint Web Security Cloud — Traffic is forwarded to Forcepoint Web Security Cloud. A separate license and credentials are needed.
    Note: For more information and to learn about using EasyConnect services to forward traffic, see the document How to forward web traffic from Forcepoint NGFW to Forcepoint Web Security Cloud in Knowledge Base article 10582. Also see the Forcepoint Web Security Cloud documentation at https://support.forcepoint.com/s/article/Documentation-Featured-Article.
  • Generic Proxy — Traffic is forwarded to the proxy service, and you can select to include some additional HTTP headers.
  • Redirect Only — Traffic is forwarded to another server without modifying the payload.
Customer ID

(When the Proxy Service is Forcepoint Web Security Cloud)

Enter the customer ID from the EasyConnect service that you created in Web Security Cloud.
Key ID

(When the Proxy Service is Forcepoint Web Security Cloud)

Select a key ID from the EasyConnect service that you created in Web Security Cloud.

It can take up to an hour for a password change to be fully propagated in Web Security Cloud. To avoid downtime when updating the password, there are multiple passwords that are automatically generated in Web Security Cloud, and each password has a key ID assigned. See the following example of use:

  1. In the SMC Management Client, three NGFW Engines are configured to use key ID 1. The password for key ID 1 is 123xxxxxx.
  2. In Web Security Cloud, an additional password (321yyyyyy) is assigned to key ID 2.
  3. One by one, the SMC administrator configures the three NGFW Engines to use key ID 2.

    Because both key ID 1 and key ID 2 can be used to access Web Security Cloud, there is no downtime.

  4. When all the NGFW Engines have been configured to use key ID 2, the Web Security Cloud administrator can regenerate the password for key ID 1 in Web Security Cloud.
Password

(When the Proxy Service is Forcepoint Web Security Cloud)

Enter the password that matches the key ID from the EasyConnect service that you created in Web Security Cloud.

By default, passwords and keys are not shown in plain text. To show the password or key, deselect the Hide option.

Trust Host Header

(When the Proxy Service is Generic Proxy)

When selected, the host header is trusted.

  • HTTP connections — The GET request includes the domain name instead of the original destination IP address. If the domain name is used, DNS resolution is done by the proxy service.
  • HTTPS connections — If the client TLS handshake handled at the NGFW Engine contains the server name indication (SNI) field, the CONNECT request to the proxy service uses the domain name from the SNI field instead of the original destination IP address.
Note: For security reasons, we recommend that you use this option only if both ends involved in the communication are trusted.
Add X-Forwarded-For Header

(When the Proxy Service is Generic Proxy)

When selected, the X-Forwarded-For header is included in requests. This header reports the original source IP address of the client.
Option Definition
Monitoring tab
Log Server The Log Server that monitors the status of the element.
Status Monitoring When selected, activates status monitoring for the device. You must also select the Probing Profile that contains the definitions for the monitoring. When you select Status Monitoring, the element is added to the tree in the Dashboard view.
Probing Profile Shows the name of the selected Probing Profile. Click Select to select a Probing Profile element.
Log Reception Activates syslog reception from this device. You must select the Logging Profile that contains the definitions for converting the syslog entries to SMC log entries. You must also select the Time Zone in which the device is located. By default, the local time zone of the computer you are using is selected.
Logging Profile Shows the name of the selected Logging Profile. Click Select to select a Logging Profile element.
Time Zone Selects the time zone for the logs.
Encoding Selects the character set for log files.
SNMP Trap Reception Enables the reception of SNMP traps from the third-party device.
NetFlow Reception Enables the reception of NetFlow data from the third-party device. The supported versions are NetFlow v5, NetFlow v9, and IPFIX (NetFlow v10).
Option Definition
NAT tab

(All optional settings)

Firewall Shows the selected firewall.
NAT Type Shows the NAT translation type: Static or Dynamic.
Private IP Address Shows the Private IP Address.
Public IP Address Shows the defined Public IP Address.
Port Filter Shows the selected Port Filters.
Comment An optional comment for your own reference.
Add NAT Definition Opens the NAT Definition Properties dialog box.
Edit NAT Definition Opens the NAT Definition Properties dialog box for the selected definition.
Remove NAT Definition Removes the selected NAT definition from the list.