Manage Proxy Chaining

You can deploy proxy-chaining in your environment for easier migration or proxy transparency. Cisco Secure Access supports proxy-chain traffic on Registered Networks only. Since the Forwarded-For (XFF) HTTP header is not available on traffic for network tunnels, we recommend that you do not send proxy-chain traffic through tunnels.

The Cisco Secure Access secure web gateway (SWG) leverages FQDN anycast routing to forward web traffic to the best possible data center. If the Secure Access DNS resolvers are used, and an on-premises proxy can use an FQDN-based URL to define the upstream proxy, then FQDN anycast should be used.

Network Requirements

  • Configure your on-premises upstream proxy settings for FQDN anycast and HTTP 80/443 on:
    • swg-url-proxy-https-sse.sigproxy.qq.opendns.com
  • Add a Registered Network in Secure Access that matches the public (NAT) IP address of your on-premises proxy.
  • Route various URLs directly to the internet, not to the Secure Access secure web gateway. For more information, see Secure Access SAML Identity Provider Domains.
  • If you are using SAML authentication for single sign-on (SSO), send requests for id.sse.cisco.com to the Secure Access secure web gateway, not directly to the internet. For more information, see Secure Access SAML Gateway Services.
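
The following is an added example, not Cisco code: a small offline audit of an on-premises proxy's routing policy against the requirements above. The direct-to-internet domain list and the Registered Network range are constructed placeholders, and the function names are hypothetical; take the real values from your Secure Access configuration and the referenced domain list.

```python
import ipaddress

SWG_UPSTREAM = "swg-url-proxy-https-sse.sigproxy.qq.opendns.com"  # from the page
SWG_REQUIRED_HOSTS = {"id.sse.cisco.com"}  # from the page: must go to the SWG
# Constructed placeholders. The real direct-to-internet list is the one in
# "Secure Access SAML Identity Provider Domains".
DIRECT_DOMAINS = {"idp.example.com", "example.net"}
REGISTERED_NETWORK = "203.0.113.0/28"  # constructed (documentation range)


def _normalize(host):
    # Compare hostnames case-insensitively and without a trailing root dot.
    return host.strip().rstrip(".").lower()


def route_for(host, direct_domains=DIRECT_DOMAINS):
    """Return "SWG" or "DIRECT" for a destination host."""
    host = _normalize(host)
    # The SAML gateway host wins even if a broad direct entry would match it.
    if host in SWG_REQUIRED_HOSTS:
        return "SWG"
    for domain in map(_normalize, direct_domains):
        # Match on label boundaries so "notidp.example.com" does not match.
        if host == domain or host.endswith("." + domain):
            return "DIRECT"
    return "SWG"


def egress_is_registered(egress_ip, registered=REGISTERED_NETWORK):
    """True if the proxy's public (NAT) IP falls inside the Registered Network."""
    network = ipaddress.ip_network(registered, strict=False)
    return ipaddress.ip_address(egress_ip) in network


def audit(configured_routes, egress_ip):
    """Compare the proxy's configured host -> route map with the expected policy."""
    findings = []
    if not egress_is_registered(egress_ip):
        findings.append(f"egress {egress_ip} is outside {REGISTERED_NETWORK}")
    for host, actual in sorted(configured_routes.items()):
        expected = route_for(host)
        if actual != expected:
            findings.append(f"{host}: configured {actual}, expected {expected}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one misrouted host and an unregistered egress IP.
    sample = {"id.sse.cisco.com": "DIRECT", "login.idp.example.com": "DIRECT"}
    for line in audit(sample, "198.51.100.7"):
        print(line)
```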
