About parent proxy chaining
Most enterprise customers have an existing proxy or cloud web security server for caching or security services. The parent proxy chaining feature provides interoperability with a transparent upstream parent proxy or an explicit parent proxy setting to provide a local cache to save bandwidth. Enabling parent proxy reduces additional round trips if content can be served from a cache.
This feature supports these parent proxy modes:
Off—No parent proxy is configured. This is the default setting.
Automatic (Explicit)—Clients/browsers are explicitly configured to connect to an upstream proxy. In automatic mode, the client/browser has an explicit IP address defined in its advanced network settings that defines how the browser connects to the internet. You must import the Certificate Authority (CA) of the parent proxy onto the client-side SteelHead if the parent proxy is intercepting and decrypting HTTPS connections.
Manual (Transparent)—Clients/browsers connect transparently to the HTTP/S server. Clients/browsers have no knowledge of the proxy. You must import the Certificate Authority (CA) of the parent proxy onto the client-side SteelHead if the parent proxy is intercepting and decrypting HTTPS connections.
You can only have one mode configured on the SCC.
DNS resolution must succeed on SteelHeads for parent proxy chaining to function properly.
Configuring Manual Mode
In manual mode the web proxy transparently redirects the connection to the selected parent proxy. You can exclude domains so that they are not proxied to the upstream parent.
The parent proxy is selected based on:
Scheme—Depending on the type of traffic, the first parent proxy listed in the HTTP/HTTPS list is selected as the parent proxy. You can have the same parent proxy listed under HTTP and HTTPS. The same parent proxies can have multiple ports. You can have a maximum of five parent proxies listed. For HTTPS, you must import the CA for the parent proxy onto the client-side SteelHead.
Mode—The default mode is failover. In failover mode, if the first parent proxy listed is down, the traffic is routed to the next parent proxy in the list, and so forth. If none of the parent proxies are up, the connection is black-holed. You can also configure load-balance mode using this CLI command:
web-proxy parent manual mode {[failover] | [load-balance]}
where load-balance selects the parent proxies in a round-robin fashion.
Local caching isn’t affected in manual mode.
When the system doesn’t detect a certificate and the packets are tunneled, the event appears in the system logs. You can view top domains and top URLs in the Web Proxy report. For details, see Viewing web proxy reports.
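The selection rules above, modelled as an added example (not Riverbed code and not part of the original page). It assumes that a domain exception also covers subdomains and that load-balance mode skips parents that are down; the page specifies neither, and the hostnames and ports are placeholders.

```python
MAX_PARENTS = 5  # the page allows at most five parent proxies per list

# Constructed sample configuration; hostnames and ports are placeholders.
HTTP_PARENTS = ["proxy-a.example:3128", "proxy-b.example:3128"]
HTTPS_PARENTS = ["proxy-a.example:3128", "proxy-a.example:3129"]


class ParentSelector:
    """Model of manual-mode parent proxy selection as described on this page."""

    def __init__(self, http, https, mode="failover", exceptions=()):
        for name, lst in (("HTTP", http), ("HTTPS", https)):
            if len(lst) > MAX_PARENTS:
                raise ValueError(f"{name} list exceeds {MAX_PARENTS} parent proxies")
        if mode not in ("failover", "load-balance"):
            raise ValueError(f"unknown mode: {mode}")
        self.parents = {"http": list(http), "https": list(https)}
        self.mode = mode
        # Assumption: an exception matches the domain itself and its subdomains.
        self.exceptions = {d.lower().rstrip(".") for d in exceptions}
        self._rr = {"http": 0, "https": 0}  # per-scheme round-robin cursor

    def _excluded(self, host):
        host = host.lower().rstrip(".")
        return any(host == d or host.endswith("." + d) for d in self.exceptions)

    def select(self, scheme, host, is_up=lambda proxy: True):
        """Return ("bypass", None), ("parent", proxy) or ("black-hole", None)."""
        if self._excluded(host):
            return ("bypass", None)  # excepted domains do not go to the parent
        candidates = self.parents[scheme]
        if self.mode == "load-balance" and candidates:
            # Rotate the start point per request; assumption: down parents are skipped.
            start = self._rr[scheme] % len(candidates)
            self._rr[scheme] += 1
            candidates = candidates[start:] + candidates[:start]
        for proxy in candidates:  # failover: first listed parent that is up
            if is_up(proxy):
                return ("parent", proxy)
        return ("black-hole", None)  # no listed parent is up


if __name__ == "__main__":
    sel = ParentSelector(HTTP_PARENTS, HTTPS_PARENTS, exceptions=["intranet.example"])
    down = {"proxy-a.example:3128"}  # constructed outage of the first parent
    for host in ("www.example.org", "app.intranet.example"):
        print(host, sel.select("http", host, lambda p: p not in down))
```

The black-hole result is the case to monitor for: with every listed parent down, connections are dropped rather than sent around the parent proxy.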
To configure a manual parent proxy
1. Choose Manage > Optimization: Web Proxy to display the Web Proxy page.
2. Under Parent Proxy, click the > to expand the page.
3. Select Manual to transparently redirect connections to the listed parent proxies.
4. Under HTTP Servers and HTTPS Servers enter a comma-separated list of parent proxy servers. You can have a maximum of five servers. You can have the same parent proxies in both HTTP and HTTPS. You can also have multiple ports listed for the same parent proxy.
5. Click Save to save your settings.
6. Optionally, to exclude domains from the parent proxy, click + Add Domain to display the Parent Proxy Exceptions pop-up window. This traffic will not go through the parent proxy.
7. Specify a domain name and click Save. The domain exceptions appear in the domain exception list.
8. For HTTPS, you must import the CA for the parent proxy onto the client-side SteelHead. For details, see the SteelHead User Guide.
9. Under Push to Appliances on the right side of the window, specify the site or site types and appliances and click Push to push your settings.
Configuring automatic parent proxy chaining
Configure automatic mode for clients/browsers configured with a proxy auto-config (PAC) file or an explicit proxy defined on the browser. In automatic mode the client opens a connection to a proxy specified on the browser:
If HTTP, it sends a GET request with the correct host header, for example wikipedia.com.
If HTTPS, it sends a CONNECT request followed by a handshake.
The client/browser opens a connection to a specific proxy and uses that particular connection to multiplex all of its requests.
Automatic mode doesn’t cache non-SSL traffic.
No traffic is optimized if automatic mode is off and the client/browser has an explicit proxy defined.
To configure automatic parent proxy chaining
1. Choose Manage > Optimization: Web Proxy to display the Web Proxy page.
2. Under Parent Proxy, click the > to expand the page.
3. Select Automatic.
4. Under HTTP Whitelisted Servers, enter a comma-separated list of the IP address or hostname of the trusted parent proxy servers. HTTP cache will be enabled for servers you have listed in this field.
5. Click Save. The traffic is transparently redirected to a proxy explicitly defined in the client/browser.
6. For HTTPS, you must import the CA for the parent proxy onto the client-side SteelHead. For details, see the SteelHead User Guide.
7. Under Push to Appliances on the right side of the window, specify the site or site types and appliances and click Push to push your settings.
Pushing your settings and viewing push status
You can push your settings to sites or site types from the Policy Push Control on the right side of the page. You can also view push status from the Push Status panel on the right side of the page.
If the SCC and SteelHeads are both running 9.2.0 or later, the SCC pushes the entire configuration for the initial configuration. For SteelHeads and an SCC running 9.2 or later, the SCC pushes only the modified settings for any changes made after the initial push, to ensure improved response times and throughput performance. If the SCC and SteelHeads are both running 9.0 and 9.1, when you push configuration changes, whether the initial push or after, the SCC deletes the entire configuration and replaces it with the new configuration settings, which can slow response times and performance.
When you perform a policy push, the SCC is the master configuration; any local changes made on SteelHeads are overwritten.
To push settings
1. Under Policy Push Control on the right side of the page, click Include in Push to expand the page and display the Push to Appliances panel.
To exclude appliances from the push, under Push Control on the right side of the page, click Exclude from Push. (This option only appears if you have clicked Include in Push.)
2. Complete the configuration as described in this table.
Control: Push to Appliances
Description: Select to push your path selection rules:
Site Types—Click the text box to display site types to choose from. Select the site types one at a time to add them to the text box. After you select the site type, it is displayed in the text box. To remove a site type, click the X. To view what sites make up the site type, click See More.
We recommend that you choose site types rather than sites to organize your rules as site types make the management of rules easier.
Sites—Click the text box to display sites to choose from. Select the sites one at a time to add them to the text box. After you select the site, it is displayed in the text box. To remove a site, click the X. To view site details, click See Details.
Control: Push
Description: Pushes configuration settings to the selected sites or site types. Click Clear to clear your settings.
Viewing push status
You can view the current status of your pushes on the right side of the page in the Push Status panel.
To view current status of configuration pushes
Under Push Status on the right side of the page, click More to be directed to the Operation History page.
The current operations (that is, pushes) and status are displayed in the Operations table.