Many enterprises use proxy servers or cloud security services to enhance network performance and security. Parent proxy chaining enables you to configure managed appliances to connect to your upstream proxy services. When enabled, the feature also provides local caching to save bandwidth, which reduces additional round trips if content can be served from the cache.

You can enable the feature in either automatic mode or manual mode. Regardless of the mode you choose, you must import the Certificate Authority (CA) of the parent proxy on to the client-side managed appliances if the parent proxy is intercepting and decrypting HTTPS connections. See the SteelHead User Guide.

This feature is disabled by default.

When the system doesn’t detect a certificate and the packets are tunneled, an error will appear in the system logs. You can view top domains and top URLs in the Web Proxy report. For details, see About web proxy reports.

You can only have one mode configured on at a time. DNS resolution must succeed on managed appliances for parent proxy chaining to function properly.

In automatic mode, you need only enter servers to the whitelist. Clients connect transparently to the HTTP and HTTPS servers. The client opens a connection to the specific parent proxy with which it is configured to connect and uses that connection to multiplex all of its requests. Automatic mode doesn’t cache non SSL traffic. No traffic is optimized if the parent proxy feature is not enabled and the client has an explicit proxy defined.

Use this mode when your clients are configured with a proxy auto-config (PAC) file or have an explicit proxy defined in browser settings.

In manual mode, you need to provide an ordered, comma-separated list of HTTP and HTTPS servers. The managed appliance’s proxy redirects client requests to the appropriate parent proxy for the traffic type, HTTP or HTTPS. The appliance proxy attempts to redirect to the first parent proxy listed. If it is not available, the traffic is routed to the next listed parent proxy and so forth. If none of the parent proxies are available, the connection is black-holed. You can have the same parent proxy listed under HTTP and HTTPS. The same parent proxies can have multiple ports. You can list a maximum of five parent proxies.

Optionally, you can specify domains the traffic to which you do not want redirected to the parent proxy. Traffic to the excepted domains will flow through the managed appliance’s proxy only.

You can also configure load-balance mode using the web-proxy CLI command, where load-balance selects the parent proxies in a round-robin fashion:

Local caching isn’t affected in manual mode.