Manage the Intelligent Proxy


Secure Access Packages and Feature Availability

Not all features described here are available to all Secure Access packages. To determine your current package, navigate to Admin > Subscription. For more information, see Determine Your Current Package.

If you encounter a feature described here that you do not have access to, contact your sales representative for more information. See also, Cisco Umbrella and Cisco Secure Access packages.

Secure Access's intelligent proxy intercepts and proxies requests for URLs, potentially malicious files, and domain names associated with certain uncategorized or unknown domains. Some websites, especially those with large user communities or the ability to upload and share files, have content that most users want to access but that also poses a risk because the site could host malware. Administrators don't want to block access to an unknown domain for all users, but they also don't want their users to access files that could harm their computers or compromise company data.

With the intelligent proxy, Secure Access avoids the need to proxy requests to domains that are already known to be safe or bad. Most phishing, malware, ransomware, and other threats are hosted on domains that are classified as malicious. It's simple: Secure Access blocks those threats at the DNS layer, with no need to proxy. If a domain poses no threat, such as a content-carrying domain (CDN) for Netflix or YouTube, Secure Access allows the domain, and again, no proxy is required.

Yet some domains may pose a greater threat—for example, domains associated with a web server or sites that have the possibility of hosting malware. These domains can include sites that allow users to upload and share content, which makes them difficult to police. If you allow all traffic to these risky domains, users might access malicious content, resulting in an infection or data leak. But if you block traffic, you can expect false positives, an increase in support inquiries, and thus, more headaches. By only proxying risky domains, the intelligent proxy delivers more granular visibility and control.

The intelligent proxy bridges the gap by allowing access to most known good sites without being proxied and only proxying those that pose a potential risk. The proxy then filters and blocks against specific URLs hosting malware while allowing access to everything else.

The intelligent proxy is built using a container-based microservices architecture. The proxy itself, and the services Secure Access integrates into the proxy, run and auto-scale independently from one another. For example, if the proxy notices a lot of files coming through for antivirus (AV) scanning, it automatically scales and provides more capacity for that function. This results in more effective performance for the intelligent proxy.


How the Intelligent Proxy Works

Normally, when you send a DNS request to Secure Access's DNS resolvers, we check to see if it's a malicious site, registered on a destination list, or if it's blocked by a content setting. If it is blocked, Secure Access returns a block page for the request. If it's not blocked, Secure Access returns the IP address of the domain and you can visit the site.

With the intelligent proxy, if a site is considered potentially suspicious or could host malicious content, Secure Access returns the intelligent proxy's IP address. The request to that domain is then routed through our cloud-based secure gateway, and malicious content is found and stopped before it's sent to you.

Advantages of Using the Intelligent Proxy

The stumbling block for most proxies in the past was that they couldn't scale with the internet. The internet grows in ways that proxy hardware manufacturers can't prepare for—massive streaming video feeds, video conferencing, Voice over IP, and so on. With other proxies, all of that traffic needed to be proxied and all of it needed to be scanned, which slows down traffic at the gateway proxy, and devices outside of the gateway are not protected.

The intelligent proxy has some big advantages that make it not just more secure, but faster, too:

  • Secure Access's services are cloud-based and scale to handle any amount of internet traffic.
  • If your laptop leaves your corporate network, the intelligent proxy makes sure its protection follows you, keeping you secure 24/7/365.
  • Secure Access's predictive intelligence allows it to determine what gets proxied; thus, not all traffic is proxied. Some domains Secure Access knows are bad—these domains are stopped immediately by Secure Access's DNS service. Other domains Secure Access knows are always going to be good—these domains are always allowed by Secure Access's DNS service and are never proxied. For domains that are on Secure Access's grey list, Secure Access proxies HTTP and HTTPS traffic to and from the device to protect you from accessing malicious files.

Sites That are Not Proxied by the Intelligent Proxy

We maintain a list of highly popular, low-risk domains that are never proxied.

Localized (language-specific) web content like Google searches or bandwidth-intensive SaaS apps like Office 365 can experience issues when sent through a cloud-based proxy. But because these types of services don’t host malware, they aren’t considered “risky.” So, by default, our proxy doesn’t intercept this traffic. This means that your users receive accurate, localized content and services without the burden of creating proxy exceptions.

The list of unknown domains is comprised of domains that host both malicious and safe content—we consider these “risky” domains. These sites often allow users to upload and share content—making them difficult to police, even for site administrators.

There's no reason to proxy requests to domains that are already known to be safe or bad. Secure Access’s intelligent proxy only routes the requests for risky domains for deeper inspection.

Note: Secure Access does not proxy traffic on non-standard ports for web traffic.

Best Practices

When enabling the intelligent proxy, we highly recommend also selecting SSL Decryption, which broadens the scope of your protection. The SSL Decryption feature allows the intelligent proxy to decrypt and inspect traffic that's sent over HTTPS.

SSL Decryption Requirements and Implementation

You must install the Cisco Umbrella root certificate on computers that are using SSL decryption for the intelligent proxy. Secure Access inspects URLs and domain names found on our "grey" list and blocks these HTTPS URLs if they're considered malicious in our policies. These uncategorized sites can include popular sites, such as file-sharing services. While many uncategorized sites contain safe URLs, these sites can potentially host malware on certain specific URLs. In this case, Secure Access considers the site uncategorized and proxies the site for users.

Without the root certificate, when your users go to the intelligent proxy service, they receive browser errors and the site is not accessible. The browser correctly determines that the traffic is being intercepted (and proxied) by a 'man in the middle,' which, in this case, is the Secure Access service. Traffic is not decrypted and inspected; instead, the website is unavailable.

With the root certificate installed, errors do not occur and the site is accessible when it's been proxied and allowed. For information on installing the root certificate, see Install the Cisco Umbrella Root Certificate.

Selective Decryption Lists

Within the Selective Decryption Lists policy component, you can create a list of content categories. With SSL Decryption enabled, the intelligent proxy inspects HTTPS traffic but excludes sites associated with the Selective Decryption content categories. For example, if you add the category News / Media to the Selective Decryption list and then visit www.cnn.com, this destination is not inspected by the intelligent proxy.

After adding a selective decryption list to a DNS policy, you can reuse this decryption list in other DNS policies. For more information, see Add a Policy.

Note: Secure Access excludes the Terrorism, Internet Watch Foundation, and German Youth Protection content categories from the Selective Decryption list. Secure Access always inspects and proxies sites related to these content categories.
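The decision flow described in "How the Intelligent Proxy Works", "SSL Decryption Requirements and Implementation" and "Selective Decryption Lists" can be modeled to predict what a user will see for a given request. The following is an added example, not Cisco code: the function names, outcome strings, sample domains and the "File Storage" category are constructed for illustration, and checking the selective decryption exemption before the root certificate is an assumption.

```python
from enum import Enum

class Verdict(Enum):          # DNS-layer classification of the requested domain
    MALICIOUS = "malicious"   # known bad: blocked at the DNS layer
    SAFE = "safe"             # known good: real IP returned, never proxied
    GREY = "grey"             # risky/uncategorized: proxy IP returned

# Categories the page says are always inspected, whatever the list contains.
ALWAYS_INSPECTED = {"Terrorism", "Internet Watch Foundation",
                    "German Youth Protection"}

def request_outcome(verdict, scheme, category, *, ssl_decryption,
                    selective_decryption, root_cert_installed):
    """Simplified model of the documented outcome for one web request."""
    if verdict is Verdict.MALICIOUS:
        return "blocked at DNS layer (block page)"
    if verdict is Verdict.SAFE:
        return "resolved to real IP, not proxied"
    # Grey-listed: DNS answers with the intelligent proxy's IP address.
    if scheme == "http":
        return "proxied and inspected"
    if not ssl_decryption:
        return "proxied, HTTPS not decrypted"
    # Assumption: the exemption is evaluated before the certificate matters.
    if category in set(selective_decryption) - ALWAYS_INSPECTED:
        return "HTTPS not inspected (selective decryption)"
    if not root_cert_installed:
        return "browser certificate error, site unavailable"
    return "proxied, decrypted and inspected"

# Constructed sample: (domain, verdict, scheme, category); placeholder domains.
SAMPLE = [
    ("bad.example", Verdict.MALICIOUS, "https", "Malware"),
    ("cdn.example", Verdict.SAFE, "https", "Streaming"),
    ("files.example", Verdict.GREY, "https", "File Storage"),
    ("news.example", Verdict.GREY, "https", "News / Media"),
    ("flagged.example", Verdict.GREY, "https", "Terrorism"),
]

def evaluate(sample, **policy):
    """Map each sample domain to its outcome under one policy/client state."""
    return {d: request_outcome(v, s, c, **policy) for d, v, s, c in sample}

if __name__ == "__main__":
    policy = dict(ssl_decryption=True, root_cert_installed=False,
                  selective_decryption=["News / Media", "Terrorism"])
    for domain, outcome in evaluate(SAMPLE, **policy).items():
        print(f"{domain:16} {outcome}")
```

Running it with root_cert_installed=False shows which grey-listed HTTPS destinations would produce browser errors on a client that is missing the root certificate.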

