Umbrella SIG supports proxy chaining and can handle all HTTP and HTTPS requests forwarded from a downstream proxy server. This is a comprehensive guide to implementing a proxy chain between Cisco WSA and the Umbrella SWG, covering the configuration on both the WSA and the SWG side.
WSA Policy Configuration
1. Configure the SWG HTTP and HTTPS proxy addresses as the Upstream Proxy via Network>Upstream Proxy.
2. Create a bypass policy via Web Security Manager>Routing Policy so that the URLs Umbrella requires to bypass the SWG are routed directly to the internet. The full list of URLs to bypass is published at https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/proxy-chaining.
First, create a new "Custom Category" via Web Security Manager>Custom and External URL Categories, since the bypass routing policy is defined in terms of that custom category.
Then create a new bypass routing policy via Web Security Manager>Routing Policy. Make sure this policy is the first one in the list: WSA evaluates routing policies in order and applies the first match, so a bypass policy placed below the policies that forward to the SWG is never reached and the bypass URLs are chained to the SWG as well.
3. Create a new routing policy for all HTTP requests.
The WSA routing policy member definition offers the following options when "All Identification Profiles" is selected. Because there is no HTTPS option there, a separate routing policy for HTTPS requests has to be created after this routing policy for all HTTP requests.
4. Create the routing policy for HTTPS requests based on an "Identification Profile". Be careful about the order of the defined Identification Profiles, since WSA uses the first matching profile. In this example, the Identification Profile "win2k8" is an internal-IP-based identity.
5. Final configuration of the WSA Routing Policies.
Here is the final configuration of the WSA Routing Policies. Keep in mind that WSA evaluates identities and policies using a "top down" rule processing approach: it checks identification profiles and policies from the top of the list, and the first match, at any point in the processing, determines the action the WSA takes.
Identities are evaluated first. Once a client's request matches an identification profile, the WSA checks only the access (and routing) policies that are configured to use that matched identity.
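The following script models the top-down, first-match evaluation described above for the routing policies built in steps 2 to 4, so the effect of policy and profile ordering can be checked without touching the appliance. It is an added illustration, not WSA code: the subnet for "win2k8", the catch-all profile "Global", the policy names, the upstream proxy group name "SWG-Upstream", the direct-connect default, and the placeholder bypass hostnames are all constructed (the real bypass list is the one published by Umbrella at the URL in step 2).

```python
"""Model of WSA top-down, first-match evaluation for proxy-chain routing
policies.  Added illustration, not WSA code: profile names, subnets, policy
names, the upstream group "SWG-Upstream" and the bypass hostnames below are
constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Constructed custom URL category.  A leading dot means "this domain and all
# its subdomains", mirroring how WSA custom categories match.
CUSTOM_CATEGORIES = {
    "SWG-Bypass": ("bypass.example.com", ".umbrella-bypass.example"),
}


@dataclass
class IdentificationProfile:
    name: str
    subnet: Optional[str] = None  # None: matches any client (catch-all profile)


@dataclass
class RoutingPolicy:
    name: str
    identities: Optional[FrozenSet[str]] = None  # None: "All Identification Profiles"
    protocols: Optional[FrozenSet[str]] = None   # e.g. {"http"}; None: any protocol
    url_category: Optional[str] = None           # custom category the request must hit
    destination: str = "DIRECT"                  # "DIRECT" or an upstream proxy group


def match_identity(profiles: List[IdentificationProfile], client_ip: str) -> Optional[str]:
    """Identification profiles are checked top-down; the first match wins."""
    ip = ip_address(client_ip)
    for prof in profiles:
        if prof.subnet is None or ip in ip_network(prof.subnet):
            return prof.name
    return None


def in_category(host: str, category: str) -> bool:
    """Exact or suffix (.domain) match against the custom category entries."""
    for pattern in CUSTOM_CATEGORIES.get(category, ()):
        if pattern.startswith("."):
            if host == pattern[1:] or host.endswith(pattern):
                return True
        elif host == pattern:
            return True
    return False


def route(profiles, policies, client_ip: str, scheme: str, host: str) -> Tuple[str, str]:
    """Return (policy name, destination): identity first, then the first routing
    policy whose members include that identity, protocol and URL category.
    Falls through to a direct-connect default (an assumption of this model)."""
    identity = match_identity(profiles, client_ip)
    for pol in policies:
        if pol.identities is not None and identity not in pol.identities:
            continue
        if pol.protocols is not None and scheme not in pol.protocols:
            continue
        if pol.url_category is not None and not in_category(host, pol.url_category):
            continue
        return pol.name, pol.destination
    return "Default", "DIRECT"


# Identification profiles: the internal-IP profile must sit above the catch-all.
PROFILES = [
    IdentificationProfile("win2k8", "10.10.0.0/16"),
    IdentificationProfile("Global"),
]

# Routing policies in the order the guide prescribes: bypass first.
POLICIES = [
    RoutingPolicy("Bypass-SWG", url_category="SWG-Bypass", destination="DIRECT"),
    RoutingPolicy("HTTP-to-SWG", protocols=frozenset({"http"}), destination="SWG-Upstream"),
    RoutingPolicy("HTTPS-win2k8-to-SWG", identities=frozenset({"win2k8"}),
                  protocols=frozenset({"https"}), destination="SWG-Upstream"),
]

# Same policies with the bypass rule moved to the bottom: an earlier policy
# always matches first, so bypass domains get chained to the SWG.
POLICIES_BYPASS_LAST = POLICIES[1:] + POLICIES[:1]


if __name__ == "__main__":
    for ip, scheme, host in [("10.10.1.5", "https", "bypass.example.com"),
                             ("10.10.1.5", "http", "www.example.com"),
                             ("10.10.1.5", "https", "www.example.com"),
                             ("192.0.2.5", "https", "www.example.com")]:
        print(ip, scheme, host, "->", route(PROFILES, POLICIES, ip, scheme, host))
    print("bypass last:", route(PROFILES, POLICIES_BYPASS_LAST, "10.10.1.5", "http", "bypass.example.com"))
```

Two results are worth noting: a client outside the "win2k8" subnet falls through to the default for HTTPS, which is why the identification profile behind the HTTPS policy has to cover every client you intend to chain; and swapping the "Global" profile above "win2k8" makes "win2k8" unreachable, the same first-match trap as the bypass policy ordering.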
1. X-Forwarded-For Header.
The X-Forwarded-For header must be enabled on the WSA via Security Services > Proxy Settings so that the SWG can apply internal-IP-based Web Policies; without it the SWG only sees the WSA egress IP.
2. Trusted Root Certificate for HTTPS decryption.
The "Cisco Root Certificate", downloaded from Umbrella dashboard>Deployments>Configuration, must be imported into the WSA trusted root certificates if HTTPS decryption is enabled in the Web Policy in the Umbrella dashboard. Otherwise the WSA does not trust the certificates the SWG presents for decrypted sessions.
The end user receives the following error if the "Cisco Root Certificate" has not been imported into the WSA while HTTPS decryption is enabled in the SWG Web Policy.
Here is an example of HTTPS traffic decrypted by the Umbrella SWG, where the certificate is verified against the "Cisco Root Certificate", whose name is "Cisco".
SWG Web Policy Configuration in Umbrella dashboard.
1. SWG Web Policy based on internal IP.
- Make sure the X-Forwarded-For header is enabled on the WSA, since the SWG relies on it to identify the internal client IP.
- Register the egress IP of the WSA under Deployments>Networks.
- Create an internal network for the client machine under Deployments>Configuration>Internal Networks; tick "Show Networks" and select the WSA egress IP registered in the previous step.
- Create a new Web Policy based on that internal network.
- Make sure the "Enable SAML" option is disabled in this Web Policy.
2. SWG Web Policy based on AD user/group.
- Make sure all AD users and groups have already been provisioned to the Umbrella dashboard.
- Create a new Web Policy based on the registered egress IP of the WSA with the "Enable SAML" option enabled.
- Create another new Web Policy based on the AD user/group with the "Enable SAML" option disabled, and place it ahead of the network-based Web Policy from the previous step; otherwise the network policy matches first and the user/group policy is never reached.
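The script below models both SWG policy setups just described, the internal-IP policy and the AD user/group policy, as a gateway that first attributes a request to a client address via X-Forwarded-For and then walks the Web Policy list top-down. It is an added illustration of the mechanism, not Umbrella's implementation. The registered WSA egress IP 203.0.113.10, the internal network 10.10.0.0/16 named "branch-clients", the AD group "Finance" and the policy names are constructed for the example; the rule that X-Forwarded-For is only honoured from a registered network, and then only its rightmost entry, is the trust model a chained proxy has to follow, stated here as the author's assumption rather than something the page documents.

```python
"""Model of how a gateway behind a proxy chain attributes a request to an
internal client via X-Forwarded-For and then picks a Web Policy top-down.
Added illustration, not Umbrella's implementation: the registered egress IP,
the internal network, the AD group and the policy names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# WSA egress IP registered under Deployments > Networks (constructed).
REGISTERED_NETWORKS = [ip_network("203.0.113.10/32")]
# Internal network defined under Deployments > Configuration > Internal Networks
# and tied to that registered egress (constructed).
INTERNAL_NETWORKS = {"branch-clients": ip_network("10.10.0.0/16")}


@dataclass
class WebPolicy:
    name: str
    internal_network: Optional[str] = None   # match an internal network by name
    registered_network: bool = False         # match the WSA egress network itself
    groups: FrozenSet[str] = frozenset()     # match AD groups of the authenticated user
    enable_saml: bool = False


def is_registered(source_ip: str) -> bool:
    src = ip_address(source_ip)
    return any(src in net for net in REGISTERED_NETWORKS)


def client_ip(source_ip: str, xff: Optional[str]):
    """Address the gateway should attribute the request to.

    X-Forwarded-For is honoured only when the TCP peer is a registered network
    (the WSA), and then only its rightmost entry, which is the one that trusted
    hop appended.  Anything a client injects into the header itself lands
    further left and is ignored, so it cannot spoof its way into another policy.
    """
    src = ip_address(source_ip)
    if not is_registered(source_ip) or not xff:
        return src
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return ip_address(hops[-1])
    except (IndexError, ValueError):
        return src


def select_policy(policies: List[WebPolicy], source_ip: str, xff: Optional[str],
                  user_groups: Optional[FrozenSet[str]] = None) -> Optional[WebPolicy]:
    """First matching policy top-down; None means the default policy applies.
    user_groups is None until the user has authenticated via SAML."""
    ip = client_ip(source_ip, xff)
    for pol in policies:
        if pol.groups:
            if user_groups and pol.groups & user_groups:
                return pol
            continue
        if pol.internal_network is not None:
            if ip in INTERNAL_NETWORKS[pol.internal_network]:
                return pol
            continue
        if pol.registered_network and is_registered(source_ip):
            return pol
    return None


# Setup 1: internal-IP based policy, SAML disabled.
INTERNAL_IP_POLICIES = [WebPolicy("branch-internal-ip", internal_network="branch-clients")]

# Setup 2: AD user/group policy placed ahead of the egress-network policy that
# triggers SAML.  Reversed, the network policy would always match first.
AD_POLICIES = [
    WebPolicy("ad-finance", groups=frozenset({"Finance"})),
    WebPolicy("wsa-egress-saml", registered_network=True, enable_saml=True),
]


def policy_name(pol: Optional[WebPolicy]) -> str:
    return pol.name if pol else "default"


if __name__ == "__main__":
    # Request relayed by the WSA on behalf of client 10.10.1.5.
    print(policy_name(select_policy(INTERNAL_IP_POLICIES, "203.0.113.10", "10.10.1.5")))
    # Same header from an unregistered host: XFF ignored, default policy.
    print(policy_name(select_policy(INTERNAL_IP_POLICIES, "198.51.100.7", "10.10.1.5")))
    # Unauthenticated: the network policy with SAML enabled is hit, which
    # is what sends the user to the SAML login.
    print(policy_name(select_policy(AD_POLICIES, "203.0.113.10", "10.10.1.5")))
    # Authenticated Finance user: the group policy matches first.
    print(policy_name(select_policy(AD_POLICIES, "203.0.113.10", "10.10.1.5", frozenset({"Finance"}))))
    # Wrong order: the group policy is never reached.
    print(policy_name(select_policy(list(reversed(AD_POLICIES)), "203.0.113.10", "10.10.1.5", frozenset({"Finance"}))))
```

The unregistered-source case is the one to keep in mind when reviewing the setup: if the WSA egress were not registered, the SWG would have no basis to trust the header, and if a gateway trusted X-Forwarded-For from anywhere, any host on the internet could claim an internal address and inherit that network's policy.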