Universal Policy Enforcement (UPE) 101 for Edge and Cloud SWG
Article ID: 259547
Updated On:
Products
Issue/Introduction
Learn how to troubleshoot Universal Policy Enforcement issues for Edge and Cloud Secure Web Gateway.
Resolution
Contents
- About Universal Policy Enforcement in your Environment
- Prerequisites
- SSL Requirements
- Deploy UPE First Steps
- UPE Use Cases and Examples
- Troubleshoot UPE
About Universal Policy Enforcement in your Environment
In Management Center (MC), use UPE to define a single policy that MC shares with Edge Secure Web Gateway (Edge SWG) appliances and Cloud Secure Web Gateway (Cloud SWG).
Universal Policy comprises various rules that are required of your enterprise to enforce acceptable web-use policies for employees who connect through an on-premises Edge SWG appliance, Cloud SWG, or both. To achieve Universal Policy Enforcement, MC allows you to centralize your policy creation, maintenance, and installation to multiple appliances and the cloud service.
In UPE deployments, MC uses Edge SWG reference devices to get custom exception pages, security roles, and several other settings that impact policy. MC requires these reference devices to determine what part of the policy is for on-premise devices and what part is for Cloud SWG.
After you set up UPE, you use MC to quickly maintain, edit and publish policy updates without having to log in to multiple products.
Prerequisites
To use the universal policy feature, you must first:
- Have a valid Cloud SWG account registered to accept the policy from the Management Center using the WSS onboarding wizard. Existing WSS cloud customers may contact Customer Support for configuration assistance. For steps on onboarding a new WSS portal, see Register the Cloud SWG Portal. Enable enforcement domains and create the policy on the reference ProxySG appliance. Although you can import the universal policy from a source that does not have enforcement domains that are enabled, you cannot deploy the policy unless you launch the VPM Editor and save a new revision of the policy. Saving the new revision generates the CPL with enforcement domains enabled.
SSL Requirements
The universal policy requires proper SSL certificate validation. You must:
- Ensure that Management Center is able to connect to https://sgapi.es.bluecoat.com
- Verify that no inline proxies disrupt SSL connections to your devices.
- If Management Center uses the explicit HTTP proxy, ensure that it does not decrypt the traffic
Software Version Requirements
Appliance |
Version |
| ProxySG Appliance | SGOS 7.x, 6.7.1+, 6.6.x, 6.5.9.14+ |
| Cloud SWG | Subscription ID |
| Management Center | 1.8.1.1 or later |
Deploy UPE First Steps
UPE Use Cases and Examples
- Deployment Use Case: Existing Web Isolation On-Premises/Service
- Deployment Use Case: WSS Web Isolation Policy
- Deploy Management Center Exception Pages Using Universal VPM Policy
- Suppress Information for WSS Users in UPE Deployments
- UPE: Optimize Connections for Non-Standard Ports (Resolve Connection Delays)
Troubleshooting UPE
Source Policy Switch
- Cloud SWG policy source is configured to Cloud SWG Portal Mode
- Blank page to the Cloud SWG Portal after switching from Portal mode to Universal Policy Enforcement
- Differences between UPE-managed policy versus Portal-managed policy in Cloud SWG
Search Restrictions
Integrations
Malware
- Cloud SWG Malware Services Not Functioning as Expected
- How to enable the Malware Scanning error handling policy in UPE
- How to exempt destinations from Malware scanning in UPE setup
- Java-based Application used for E-procurement Government Portal blocked by Cloud SWG
DLP
- You want to confirm how to setup WSS for the DLP Cloud Detection Service
- Symantec Cloud DLP Integration with Cloud SWG (formerly known as WSS) UPE
- DLP detector does not see any ICAP requests when integrated with Cloud SWG
CASB
Web Isolation
- High-Risk Isolation Technical Overview
- Configuring Web Isolation Policy on Cloud Secure Web Gateway UPE (Universal Policy Enforcement) Tenant
- Resolve a Script Error for Web Isolation in a UPE Deployment
Header Modification
- Controlling Office 365 access using tenant restrictions on ProxySG or Advanced Secure Gateway
- O365 tenant restriction on WSS proxy without turning on O365 SSL interception
- How to disable the XFF header for a specific website when the Cloud SWG policy is managed from the Management Center
- How to remove the X-Bluecoat-Via header from a specific location in the Cloud SWG
- Remove proxy headers from the request to resolve the "Bad Request" error with the browser
- Internal client IP exposed on Public Internet within HTTP X-Forwarded-For header
Others
Feedback
