Proxy Forwarding Policy for Web Security Services


Article ID: 169862


Updated On:


Web Security Service - WSS Advanced Secure Gateway Software - ASG ProxySG Software - SGOS


The purpose of this article is to provide an easily accessible and updated Content Policy Language (CPL) script, which allows for proper connections to the Web Security Services.

This CPL code is based on information gathered from Web Security Services Web guide, the article: Cloud Proxy Forwarding - How to prevent the Local ProxySG from forwarding request to Cloud Services for specific destinations in addition to extensive testing.

Note: Sections of the CPL script that may require admin modification are outlined in the code comments.


; ========================================================= Proxy Cloud Forwarding CPL policy =========================================================
;Define subnets that should be treated as internal in your environment. Internal traffic should not go through Web Security Services.
define subnet BC_Internal_subnets
;@@@@@@@ Add any other destination subnet that should not be to the Cloud Service.
;Traffic that will NOT be MODIFIED before being sent to the Cloud Service.
define condition BC_Cloud_Proxy_Bypass_List
url.address=BC_Internal_subnets ; Internal traffic ; Threatpulse portal
;@@@@@@@ Add any other public sites that are not be modified by the proxy to be sent to the Cloud Service.
;Traffic that will NOT be FORWARDED to the Cloud Service
define condition BC_Cloud_Forward_Bypass_List
server_url.address=BC_Internal_subnets ; Internal traffic
health_check=yes ; Health Checks ; Threatpulse portal
;@@@@@@@ Add any other public sites that are not be forwarded to the Cloud Service.
; Forward the desired traffic to the cloud.
; - HTTP traffic is sent encrypted and sent over port 8443 to the Cloud Service.
; - Non SSL-Intercepted HTTPS traffic is forwarded directly over port 8080.
; - Requests which are SSL-Intercepted locally are sent to the Cloud Service over port 8084.
<Forward Cloud> condition=!BC_Cloud_Forward_Bypass_List
[Rule] proxy.port=(443, 8080) url.scheme=https,ssl,tcp
url.scheme=https forward(ThreatPulseInterceptedHTTPS8084) ; SSL-Intercepted traffic
forward(ThreatPulseHTTP8080) ; Undecrypted SSL Traffic
url.scheme=http forward(ThreatPulseSecure8443) ; HTTP Traffic
; After user authentication, pass the username and groups to the Web Security Service.
<Proxy Cloud_Auth> condition=!BC_Cloud_Proxy_Bypass_List
    authenticated=yes action.Auth_Cloud(yes)
; User and Group information are passed to the Web Security Service in special headers added to the request.
define action Auth_Cloud
    set( request.x_header.BC_Auth_User, "$(user:encode_base64)" )
    set( request.x_header.BC_Auth_Groups, "$(groups:encode_base64)" )
; If you plan to use the the Web Security Service to enforce appropriate use policies (content filtering and application control), then you must either disable caching or ensure that you always verify access requests with the Web Security Service.
<Cache Cloud_Verify_Cached_Authorization> condition=!BC_Cloud_Proxy_Bypass_List
    always_verify(yes) ; Check for authorization
; This layer provides the ability to mark the system (mostly refresh traffic) with a specific userID.
; This template marks the traffic with the userID "Refresh User" by setting the BC_Auth_User header to the base-64 encoded version of that string.
<Cache Cloud_Tag_System_traffic> condition=!BC_Cloud_Proxy_Bypass_List
has_client=false action.Cloud_Auth_Refresh_Traffic(yes) ; It is a system request (mostly refresh?)
define action Cloud_Auth_Refresh_Traffic
set(request.x_header.BC_Auth_User, "UmVmcmVzaCBVc2Vy")
; For reporting purposes, forward the client IP addresses rather than the ProxySG appliance IP address.
<Proxy Forwarding_Client_IP>
define action Forwarding_Client_IP
    set(request.header.Client-IP, "$(client.address)")
; ========================================================= Proxy Cloud Forwarding CPL policy =========================================================