Basic Configuration for Edge SWG (ProxySG) Chaining
Moving forward, the Edge SWG (ProxySG) closest to the client is called the Child Proxy and the Edge SWG (ProxySG) upstream from the Child Proxy will be called the Parent Proxy
Steps on Child Edge SWG (ProxySG)
First make sure the Proxy is set to intercept HTTP and HTTPS traffic
Open the GUI-->Configuration-->Services-->Proxy Services
if transparent set transparent port 80 and 443 to intercept
if explicit set explicit port 8080 or 80 to intercept
1) Create forwarding host
Open the GUI-->Configuration-->Forwarding-->Forwarding Host
Click New and give the host an Alias (name, reference HTTP or Port 80 in the name so we know this host is for HTTP)
Then enter the IP or hostname of the Parent Proxy and set the type to Proxy.
Then select HTTP: 80
This is for HTTP
Next we want to do the same thing but for HTTPS
Click New, set the name(reference HTTPS or Port 443 in the name so we know this host is for HTTPS and host but for the type select Server
Then select HTTPS: 443 (do not select Verify SSL certificate)
then click apply to save changes
2) Now we want to create policy to send traffic to the Parent Proxy. On the Child Proxy open the VPM and add a forwarding layer
First we will create the rule for HTTP
Right click destination-->Set-->new-->Destination Host/Port. Set port to 80 and click add then click OK
Now set the action, right click-->set-->new-->Select forwarding.
On the left hand side, select the forwarding host you created for HTTP and click Add
then click ok and ok again
Now, we want to create the policy for HTTPs
Add a new rule, set the destination again like we did before but set the port to 443
Set the action like we did before but chose the HTTPS forwarding host and then install policy
Now, when the Child Proxy sends traffic upstream it will use its own IP address, meaning it will not reflect the clients IP address
You have two options
1) Configure Reflect Client IP
Now, on the Parent Edge SWG (ProxySG) we need to make sure the proxy is set to intercept traffic.
Open the GUI-->Configuration-->Services-->Proxy Services.
make sure transparent port 80 and port 443 are enabled and the proxy will not intercept traffic.
This is the basic configuration for proxy chaining.