How to Forward Proxy Chained CASB Data through WSS.


Article ID: 206699




CASB Security Premium


As part of the GCP migration, CASB customers are required to forward Proxy SG (PSG) traffic through WSS or McAfee Web Gateway (MWG).

Any customer running the Reach Agent needs to switch to the WSSAgent or to agentless proxy chaining.



For Proxy SG, two documents have been released:

  • Chaining Proxy-SG to WSS-Lite without an Agent: steps to forward CASB-only traffic to WSS-Lite.
  • Chaining Proxy-SG to Full WSS Without an Agent: steps to forward all traffic, including all CASB traffic.


Additional Information

For McAfee Web Gateway, specific documentation has not been verified. Use the documents above to see the high-level steps for configuration.

The high-level tasks are the same:

  • Install the WSS root certificate on the proxy if the proxy is decrypting.
  • Install the WSS root certificate on the workstation if MWG is not decrypting.
  • Forward the traffic to the WSS back-end.