Web proxy settings are under Manage > Optimization: Web Proxy. The settings there enable you to configure a web proxy policy, which you can then push to managed appliances by site or site type. You can configure a global proxy profile that applies to all sites, and establish other profiles customized for specific sites or site types. Web proxy settings also allow you to enable HTTPS optimization; create a whitelist of domains, including domains authenticated through Subject Alternate Name (SAN) certificates; and integrate with upstream, parent proxies such as a DMZ proxy or cloud security service.

A single-ended web proxy transparently intercepts all traffic bound to the internet. The web proxy improves performance by providing optimization services such as web object caching and SSL decryption to enable content caching and logging services. The efficient caching algorithm provides a significant advantage for video traffic. The benefit comes in the form of multiple users viewing the same video content, thereby saving significant WAN bandwidth and providing efficient network use. YouTube caching is handled as a special case given its growing popularity in the enterprise.

Web proxy improves performance and reduces congestion on internet traffic. It also provides performance benefits when you access HTTP and HTTPS servers on the internet directly from a branch office. It provides visibility to all internet activity at any given branch as long as that traffic passes through the web proxy. Web proxy is only supported on the SteelHead and the xx70.

You enable the web proxy in a single-ended or asymmetric SteelHead deployment; a server-side SteelHead isn’t required. Both physical and virtual in-path deployments are supported.

HTTPS integrates with the certificate authority (CA) service on the SCC to generate server certificates and decrypt traffic for a predefined whitelist.

You can view web proxy connections in the managed appliance’s Current Connections report as a new connection type: web proxy. Log messages display SEPIA_YES if web proxy is successful.

Web proxy supports IPv4 only.

The HTTP web proxy has these characteristics:

The in-path rule table includes a default web proxy rule set to Auto. By default, all traffic not specified in user-configured rules is web proxied for internet-bound traffic. This includes all traffic destined to public IP addresses not included in Request for Comments (RFC) 1918 on port 80 and 443.

Only IPv4 is supported for web proxy. Legacy Cloud Accelerator takes priority over web proxy when web proxy is configured as Auto.

If you need a more fine-grained rule for public IP addresses, then you must add a new in-path rule with these options:

If you need an in-path rule for private or intranet IP addresses, specify these options:

HTTPS optimization enables caching and acceleration of content that’s SSL encrypted. HTTPS optimization is required for YouTube caching. Server certificates are autogenerated and autorenewed based on the SCC’s domain whitelist. The decrypting key and certificate are stored in the secure vault on the client-side appliances. HTTPS optimization requires these items and has these characteristics:

YouTube caching is enabled by default. Caching for YouTube uses a heuristic algorithm based on observed traffic flow that automatically learns the key to cache YouTube traffic. Because YouTube traffic is typically encrypted, HTTPS optimization must be enabled, and you must add these domains to the HTTPS domain whitelist:

You can view YouTube cache usage statistics. For more information, see About web proxy reports. YouTube caching is not supported on Firefox and mobile browsers.

There is a default pass-through rule for all secure ports traffic above the default in-path rule that prevents all traffic to port 443 from being intercepted.

If HTTPS proxying is required, then the pass-through rule must be added above the secure ports rule, to direct SSL traffic to the web proxy with these options: