Configuring proxy chaining
Configuring proxy chaining involves these actions:
• Configuring SAM to work with your CASB.
• Configuring client-side SteelHead appliances or Client Accelerator Controller for interoperability with the feature.
Multiple SteelHead appliances can be configured through SteelCentral Controller for SteelHead (SCC), and Client Accelerator endpoints are configured through Client Accelerator Controller. We strongly recommend using those products if you need to configure several appliances.
• Configuring client endpoints to trust and send traffic to your CASB.
You’ll probably need to make a few changes to your configuration at your CASB’s portal, such as whitelisting SaaS Accelerator egress IP addresses there.
About the XFF header
Configuration settings for the proxy chaining feature include an option to forward the internal IP address of the client in the XFF header. This is helpful for debugging, statistics, and generating location-dependent content.
The XFF header exposes privacy sensitive information. Including internal IP addresses in this header can be a security risk. Use this option with caution.
About SaaS Accelerator egress IP addresses
These IP addresses are used to connect the SaaS Accelerator service to the third-party service. To ensure uninterrupted service, consider whitelisting these IP addresses in your third-party service configuration. SaaS Accelerator egress IP addresses are listed in SAM under the Proxy Chaining tab of the Advanced Config page.
To enable and configure proxy chaining
1. Choose Configure > SaaS Apps: Proxy Chaining.
2. Enable Proxy Chaining Interoperability.
3. In the Configuration section, perform these actions:
– Enter any arbitrary name for the third-party service.
– Select whether you want to specify the third-party proxy endpoint by using a URL to a PAC file, an IP address and port number, or a hostname and port number.
– Enter the URL, IP address and port number, or hostname and port number.
– Optionally, move the Forward client internal IP in the XFF header slider to the right to enable the feature. Move the slider to the left to disable it. See
About the XFF header. 4. In the Advanced Configuration section, upload the third-party’s CA certificate.
5. Upload the third-party’s CA certificate to all end-user client systems.
To disable proxy chaining
You must enter valid proxy connection information before you can enable proxy chaining. See
To enable and configure proxy chaining.1. Choose Configure > SaaS Apps: Proxy Chaining.
2. Disable Proxy Chaining Interoperability.
To view an application’s proxy chaining status
• Choose SaaS Accelerator.
In the Deployed Applications section, status icons under the Interop column indicate the proxy chaining status.
—or—
1. Choose SaaS Accelerator.
2. Select a deployed application.
3. Select the Settings tab, and then scroll down to the Proxy Chaining Status section.
To view IP addresses used by SAM to connect to third-party services
You can copy all listed IP addresses with a single click by using the Copy all button.
• Choose Configure > SaaS Apps: Proxy Chaining, and then scroll down to the SaaS Accelerator Egress IP Addresses section.