In an explicit deployment, there is no way to completely bypass the Edge SWG (ProxySG) without creating exceptions in the browser or managing exceptions through a PAC file, as explained in the article Bypass Edge SWG (ProxySG) in Explicit Environment.
For HTTPS traffic, Protocol Detection can be disabled instead. This will tunnel the HTTPS request instead of using the SSL engine to inspect it. More information on this can be found in the article TCP Tunnel Proxy vs SSL Proxy.
For HTTP traffic, there is a way to tunnel requests so that they are not recognized by the common proxy engines (HTTP or SSL). This can be useful when creating firewall rules to allow traffic from specific IPs is undesired, which is a common occurrence in Explicit environments. With this approach, the source IP of the outgoing packet will still be the Proxy's IP, because the request is still intercepted by the proxy instead of bypassing it through the browser settings or a PAC file.
1. Configure a new TCP Tunnel Proxy Service:
First, we need to create a new service that listens for connections whose destination is the site we want to tunnel. Each site will be associated with a specific non-standard port on the Edge SWG (ProxySG).
2. Create a forwarding host for the site:
In order for the Edge SWG (ProxySG) to send the request to the destination server, it must be forwarded. Otherwise, the Edge SWG (ProxySG) will think that the destination is the Edge SWG (ProxySG) itself. For this, we will create a forwarding host for www.example.com, which resolves to ##.###.###.##.
3. Configure Forwarding policy to send requests to the Forwarding Host:
The Forwarding Host can only be used if we create policy and assign it to a rule. We can perform this by going to the Visual Policy Manager and creating this rule:
4. Create PAC file and point requests made to the chosen port:
After all of this is done, we can create our own PAC file. In this example, we will create a PAC file that sends requests made to www.example.com to the proxy (IP #.#.#.#) on port 9999 to be TCP tunneled, while the rest of the requests will be sent to the default Explicit Service on port 8080, which uses the HTTP engine.
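function FindProxyForURL(url, host)
{
    // Requests for the tunneled site go to the TCP Tunnel service port.
    if ( shExpMatch(host, "www.example.com") )
    {
        return "PROXY #.#.#.#:9999";
    }
    // Everything else goes to the default Explicit Service (HTTP engine).
    return "PROXY #.#.#.#:8080";
}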
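Because anything routed to port 9999 skips the HTTP engine, it is worth confirming offline that only the intended host matches before distributing the PAC file. The following is an added example, not part of the original article: it runs the same PAC logic under Node.js against constructed hostnames. The `shExpMatch` shim is a simplified stand-in for the browser built-in, and `PROXY_IP`, `tunneledHosts` and `SAMPLE_HOSTS` are hypothetical names, with `192.0.2.10` standing in for #.#.#.#.

```javascript
// Added example: offline audit of which hosts the PAC file sends to the tunnel port.
// PROXY_IP is a constructed documentation address standing in for #.#.#.#.
const PROXY_IP = "192.0.2.10";

// Simplified stand-in for the browser's shExpMatch(): supports '*' and '?' only.
function shExpMatch(str, pattern) {
  // Escape regex metacharacters, then translate the two shell wildcards.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(
    "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$"
  );
  return re.test(str);
}

// Same routing logic as the PAC file in the article.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "www.example.com")) {
    return "PROXY " + PROXY_IP + ":9999";
  }
  return "PROXY " + PROXY_IP + ":8080";
}

// Return the hosts from a candidate list that would reach the tunnel port,
// i.e. the traffic that will not pass through the HTTP engine.
function tunneledHosts(hosts, tunnelPort) {
  return hosts.filter((h) =>
    FindProxyForURL("http://" + h + "/", h).endsWith(":" + tunnelPort)
  );
}

// Constructed sample hosts: the intended site plus near-miss names.
const SAMPLE_HOSTS = [
  "www.example.com",
  "example.com",
  "www.example.com.invalid",
  "notwww.example.com",
  "intranet.local",
];

// Only the intended site should be listed.
console.log(tunneledHosts(SAMPLE_HOSTS, 9999));
```

If the match pattern is later widened with wildcards (for example `*.example.com`), rerun the check with the new pattern to see exactly which names move out of HTTP inspection.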