Filtered locations with hybrid (including hybrid with CASB)
A filtered location is the external IP address, IP address range, or subnet from which Internet requests appear to originate when seen by the hybrid service. Hybrid policy enforcement can be applied to off-site users, regardless of how requests from those users are managed when they are in the network.
You can define filtered locations for both of the following:
- Users managed by the hybrid service both in and outside the network
Enter their in-network location details and specify that the location is managed by the hybrid service. When users make an Internet request from off site, they are prompted to log on to the hybrid service so that the appropriate user or group-based policy can be applied.
Because the hybrid service is hosted outside your network, any locations managed by the hybrid service must be external addresses, visible from the Internet.
Locations managed by the hybrid service:
- Are public-facing IP addresses
- Are often the external address of your Network Address Translation (NAT) firewall
- Could include branch offices, remote sites, or satellite campuses
These locations are not:
- IP addresses of individual client machines
- The IP address of any Content Gateway machine
- Users managed by on-premises components (Filtering Service) when they are inside the network, but by the hybrid service when they are off site
Doing this serves two purposes:
- It configures the browser PAC file to determine whether the user is in the network or off site before forwarding an Internet request.
- It helps the hybrid service know whether a user is in-network (for example, after hybrid failover has occurred) or off site. This is important if your policies apply different settings to in-network and off-site users.
The PAC file generated by the hybrid service is configured automatically based on your Filtered Locations settings.
When defining a site managed by on-premises components as a Filtered Location:
- Specify that these users are managed by local web protection software.
- Define whether their on-premises policy enforcement is through a firewall-integrated or transparent proxy (for example, Content Gateway in transparent mode), or an explicit proxy.
- If Internet requests from in-network machines at a specified location pass through an explicit proxy, you provide the proxy location (hostname or IP address) and port to ensure requests are routed properly for users at that location.
Each location that you define appears in a table that combines a name and description with technical configuration details, including the selected proxy mode, the type of location (single IP address, IP address range, or subnet), and the actual external IP address or addresses from which requests originate.
- To edit an existing entry, click the location Name, and then see Adding or editing filtered locations.
- To define a new location, click Add, and then see Adding or editing filtered locations.
- To remove a location, mark the check box next to the location name, and then click Delete.
- To add and edit on-premises explicit proxies for use with filtered locations, click Manage Explicit Proxies, then see Managing hybrid service explicit proxies.
If you have added or edited a location entry, click OK to cache your changes. Changes are not implemented until you click Save and Deploy.
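A pre-entry check for the requirement above that hybrid-managed locations be external, Internet-visible addresses, covering the three location types (single IP address, IP address range, subnet). This is an added example, not part of the product or its documentation; the `first-last` and CIDR input notations, the IPv4-only scope, the function names and the `NON_PUBLIC` list are assumptions, and the sample entries are constructed.

```python
import ipaddress

# Assumed list of IPv4 space that is never visible from the Internet.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                      # "this network"
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                  # RFC 6598 carrier-grade NAT
    "127.0.0.0/8",                                    # loopback
    "169.254.0.0/16",                                 # link-local
)]

def to_networks(entry):
    """Parse a single IP, a 'first-last' range, or a CIDR subnet into networks."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
        if first > last:
            raise ValueError("range start is above range end")
        # A range may not align to one prefix, so split it into exact CIDR blocks.
        return list(ipaddress.summarize_address_range(first, last))
    if "/" in entry:
        # strict=True rejects subnets written with host bits set (e.g. x.x.x.1/24).
        return [ipaddress.IPv4Network(entry, strict=True)]
    return [ipaddress.IPv4Network(entry)]  # a single address becomes a /32

def check_location(entry):
    """Return (ok, reason) for one candidate filtered-location entry."""
    try:
        nets = to_networks(entry)
    except ValueError as exc:
        return False, f"invalid: {exc}"
    for net in nets:
        for bad in NON_PUBLIC:
            if net.overlaps(bad):
                return False, f"overlaps non-public block {bad}"
    return True, "public-facing"

if __name__ == "__main__":
    # Constructed sample entries (documentation ranges stand in for real egress IPs).
    for sample in ("203.0.113.10",               # NAT firewall external address
                   "198.51.100.0/24",            # branch office subnet
                   "203.0.113.20-203.0.113.40",  # address range
                   "192.168.10.25",              # individual client machine
                   "172.15.255.250-172.16.0.5",  # range straddling private space
                   "198.51.100.1/24"):           # subnet with host bits set
        print(f"{sample:28} {check_location(sample)}")
```

An entry flagged as non-public is typically an internal client or proxy address; the address to enter is the one the request carries after NAT.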