Netskope Help

Configure the Appliance in Explicit Proxy mode

In the explicit proxy mode, the appliance acts as a proxy server or integrates with the existing proxy servers in the network to serve as the explicit proxy for the cloud app domains. You can make the appliance an explicit proxy server using the following methods.

  • Configure the proxy hostname and port

  • Configure the PAC file

Configure the proxy hostname and port

All the network traffic is sent directly to the appliance on a specific port. To configure the proxy hostname and port,

  1. Enable the explicit proxy mode on the appliance, run

    set dataplane proxy-mode explicit enable true
  2. Configure the default IP address that the appliance uses to listen to the client traffic. This address is the first address configured on the inbound interface.

    set dataplane proxy-listener-ip 172.16.1.10
    

    In appliance version 58 and higher, run the following command.

    set dataplane proxy-listener-interface dp1
  3. Optionally, specify the TCP port for the explicit proxy. If not specified, the default port is 8080.

    set dataplane proxy-mode explicit listener-port <port>
Configure the PAC file

You can direct all the cloud app traffic to the appliance while other traffic can go through your existing proxy server. To do this, the appliance needs to be configured to access the contents of the existing PAC file.

The appliance can be configured in the following two ways:

Use merged PAC file - The appliance downloads the existing PAC file and in turn hosts a modified PAC file that redirects cloud app traffic to the appliance's proxy server and retains the PAC file rules for all other traffic.

Use custom PAC file - Host your customized PAC file directly on the appliance to redirect cloud app traffic to the appliance's proxy server and all other traffic to your existing proxy server.

Use merged PAC file

If you want to direct the cloud app traffic to the appliance and the web traffic to your existing proxy server, configure the merged PAC file server on the appliance.

  1. Set the IP address to host the merged PAC file server on the appliance. If not provided, the IP address of the DNS server is used if it is configured:

    set dataplane pac-server listener-ip <PAC server IP>

    In appliance version 58 and higher, run the following command.

    set dataplane pac-server listener-interface <PAC server interface>
  2. Set the TCP port to host the merged PAC file server on the appliance:

    set dataplane pac-server listener-port <PAC server port>
  3. Set the URL of the existing PAC file server:

    set dataplane pac-server url http://wpad.yourdomain.com/wpad.dat
    
  4. Enable the PAC file server:

    set dataplane pac-server enable true
  5. Save the configuration:

    save

    The PAC file will be hosted at http://<PAC server IP>:<pac-server-port>/wpad.dat and http://<PAC server IP>:<pac-server-port> /proxy.pac.

  6. Enable the explicit proxy mode for the appliance by doing the following:

    set dataplane proxy-mode explicit enable true
  7. Optionally, specify the fully-qualified domain name that resolves to the IP configured for the appliance. This host name will be used in the merged PAC file. If this setting is not provided, the appliance IP will be present in the merged PAC file.

    set dataplane pac-server explicit-proxy-hostname sfproxy.yourdomain.com
  8. Optionally specify the TCP port for hosting the explicit proxy. The default port used by the appliance is 8080.

    set dataplane proxy-mode explicit listener-port <explicit proxy port>
  9. Save the configuration.

    save
Use a custom PAC file

If you want to host your customized PAC file directly on the appliance.

  1. Set the IP address to host the merged PAC file server on the appliance. If not provided, the IP address of the DNS server is used if it is configured:

    set dataplane pac-server listener-ip <PAC server IP>

    In appliance version 58 and higher, run the following command.

    set dataplane pac-server listener-interface <PAC server interface>
  2. Set the TCP port to host the merged PAC file server on the appliance:

    set dataplane pac-server listener-port <PAC server port>
  3. Paste the contents of the PAC file server: 

    set dataplane pac-server custom-pac
  4. Enable the PAC file server:

    set dataplane pac-server enable true
  5. Save the configuration:

    save

    The PAC file will be hosted at http://<PAC server IP>:<pac-server-port>/wpad.dat and http://<PAC server IP>:<pac-server-port> /proxy.pac.

  6. Enable the explicit proxy mode for the appliance by doing the following:

    set dataplane proxy-mode explicit enable true
  7. Optionally, specify the fully-qualified domain name that resolves to the IP configured for the appliance. This host name will be used in the merged PAC file. If this setting is not provided, the appliance IP will be present in the merged PAC file.

    set dataplane pac-server hostname sfproxy.yourdomain.com
  8. Optionally specify the TCP port for hosting the explicit proxy. The default port used by the appliance is 8080.

    set dataplane proxy-mode explicit listener-port <explicit proxy port>
  9. Save the configuration.

    save
Configuring an explicit proxy chain

In explicit proxy mode, the appliance can work with other explicit proxy server in the network to load balance the network traffic. The appliance sends HTTP requests to the third-party proxy server to establish an explicit proxy chain. When the connection between the appliance and the third-party proxy server is successful, a tunnel is established to send and receive client requests that are trying to reach the cloud apps.

If you want to create an explicit proxy chain between the appliance and your existing third-party proxy server, run

set dataplane explicit-proxy-chaining hostname <hostname or IP address>
set dataplane explicit-proxy-chaining port <port>
set dataplane explicit-proxy-chaining enable true