Enable the Intelligent Proxy

The intelligent proxy is Umbrella's ability to intercept and proxy requests for malicious files embedded within certain so-called "grey" domains.

The intelligent proxy is enabled or disabled in the wizard when you set up a new policy, and once configured, you can change it from the policy summary page. This chapter of the docs will help you get the intelligent proxy configured correctly. We've also included some FAQs below about what the intelligent proxy is and how it works.

The intelligent proxy feature (and its sub-features) is only available for customers with the Umbrella Insights or Umbrella Platform packages. Contact your Cisco account representative with any questions about packages.

Wait, what's a proxy?

A proxy is just a step between your computer or mobile device and the internet. It intercepts requests for content on the internet, inspects the content and, if it doesn't find a problem, allows access. On the other hand, if the content the computer was trying to access poses a security threat, the proxy blocks it. This quickly and easily protects you without the threat ever coming near enough to do harm.

Best practices and additional requirements

There's no additional software (or hardware) required to use it, and no additional cost besides your license. The intelligent proxy is just another security setting you can pick as a part of the policies you've created in your Umbrella dashboard, either in the advanced settings in the policy summary screen, or the "What should this policy do?" section of the policy setup wizard. See the top of this document for more detail.

However, we do highly recommend also selecting the SSL Decryption option to broaden the scope of the protection. You will need to install the Cisco root certificate to make the decryption possible. As with any change, we recommend rolling this out to a small subset of your user base first to ensure full compatibility; you may find you need to expand your allow list.

Requirements and Implementation

Although only SSL sites on our greylist will be proxied, it's required that the root certificate be installed on the computers that are using SSL decryption for the intelligent proxy in their policy. Sites on our 'grey' list can include popular sites, such as file sharing services, that can potentially host malware on certain specific URLs while the vast majority of the rest of the site is perfectly harmless, so your users will go to some proxied sites even if they're acting in good faith.

Without the root certificate, when your users go to that service, they will receive errors in the browser and the site will not be accessible. The browser, correctly, will believe the traffic is being intercepted (and proxied!) by a 'man in the middle', which is our service in this case. The traffic won't be decrypted and inspected; instead, the entire website won't be available.

With the root certificate installed, errors won't occur and the site will be accessible when it's been proxied and allowed. For information on installing the root certificate on multiple browsers and platforms, see "Cisco Certificate Import Information".

Enabling the proxy

  1. Navigate to Policies > Management > All Policies and click Add or expand an existing policy.
  2. Whether you're creating a new policy or updating an existing one, the option to enable the intelligent proxy is found under Advanced Settings, in either the "What should this policy do" step or on the Summary screen.
  3. Under Advanced Settings, toggle on Enable Intelligent Proxy.

Once it's enabled, it's a good idea to check whether it's working as expected. For more information, see Testing the Intelligent Proxy.

To disable the intelligent proxy for testing, or for a group of users, simply un-toggle the option and apply changes.

You'll notice there are two more features included here:

Sites that are not proxied by the intelligent proxy

Lots of big name domains like Google and Facebook are not proxied because there is a very low risk of these domains hosting malicious content. In fact, we have a list of highly popular domains—approximately 100 at the moment—that are low risk and will never be proxied.

Localized (language-specific) web content like Google searches or bandwidth intensive SaaS apps like Office 365 can experience issues when sent through a cloud-based proxy. But because these types of services don’t host malware, they aren’t considered “risky”. So, by default, our proxy doesn’t intercept this traffic. This means that your users receive accurate, localized content and services without the burden of creating proxy exceptions.

The 'greylist' of risky domains is comprised of domains that host both malicious and safe content—we consider these “risky” domains. These sites often allow users to upload and share content—making them difficult to police, even for the admins of the site.

There's no reason to proxy requests to domains that are already known to be safe or bad. Umbrella’s intelligent proxy only routes the requests for risky domains for deeper inspection.

NOTE: We also do not proxy traffic on non-standard ports for web traffic. For more, see the troubleshooting section below.

Can I request or add domains to be proxied by the Intelligent Proxy?

Right now, the decision whether to proxy a domain is made by Umbrella security researchers, based on Umbrella threat intelligence.

Configuring the Intelligent Proxy to handle HTTPS traffic

The intelligent proxy's SSL Decryption feature allows the intelligent proxy to go beyond simply inspecting normal URLs and actually proxy and inspect traffic that's sent over HTTPS. This would not take place for websites with personally identifiable information, such as banking, which are known to be good. Instead, it will only proxy and decrypt traffic from those domains known to be risky and on our greylist.

It's easy to set up SSL Decryption for the intelligent proxy, but it does require one extra step to ensure your end users won't see unnecessary errors. The SSL Decryption feature requires that the root certificate be installed, as described under "Requirements and Implementation".

Enabling SSL Decryption

This feature is part of the intelligent proxy and as such, the intelligent proxy functionality must be enabled first.

In the Policy wizard, the feature is included in Step 2, "What should this policy do?". Expand "Advanced Settings" and select "SSL Decryption" to enable the feature.

On an existing policy, SSL Decryption can be enabled from the Summary Page by expanding Advanced Settings.

Testing SSL Decryption

Once you’ve deployed the Cisco Root CA to your client machines and configured the feature, you’ll want to confirm it is working. We’ve created the following URL to allow you to test this:

https://ssl-proxy.opendnstest.com

This will lead to a page advising if your request was successfully proxied or not.
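
A client-side check to run alongside the test page, added here as an example and not part of the Umbrella documentation: it performs a verified TLS handshake and reports whether the chain was untrusted (the missing-root failure described under "Requirements and Implementation"), re-signed by the proxy CA, or served directly. The issuer marker "cisco" and the sample certificates are assumptions constructed for illustration; set the marker to the issuer name of the root certificate you actually deployed.

```python
import socket
import ssl

TEST_HOST = "ssl-proxy.opendnstest.com"  # host of the test URL given on this page
PROXY_CA_MARKER = "cisco"  # assumption: issuer name of the proxy CA contains this


def issuer_names(cert):
    """Flatten the issuer field of an ssl getpeercert() dict into {attr: value}."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert=None, verify_error=None, marker=PROXY_CA_MARKER):
    """Map a handshake outcome onto the cases the page describes."""
    if verify_error is not None:
        # Chain not trusted locally: what a decrypting proxy looks like when its
        # root is not installed (other certificate faults land here too).
        return "untrusted-chain"
    issuer_text = " ".join(issuer_names(cert or {}).values()).lower()
    if marker.lower() in issuer_text:
        return "proxied-and-trusted"
    return "not-proxied"


def probe(host=TEST_HOST, port=443, timeout=5.0):
    """Handshake using the default trust store and classify the result."""
    ctx = ssl.create_default_context()  # verifies both chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return classify(cert=cert), issuer_names(cert)
    except ssl.SSLCertVerificationError as exc:
        return classify(verify_error=exc), {"error": exc.verify_message}


# Constructed sample certificates in getpeercert() format (not captured data).
SAMPLE_PROXIED = {"issuer": ((("organizationName", "Cisco"),),
                             (("commonName", "Example Proxy Issuing CA"),))}
SAMPLE_DIRECT = {"issuer": ((("organizationName", "Example Public CA Inc"),),
                            (("commonName", "Example Public CA R1"),))}

if __name__ == "__main__":
    print(probe())
```

This checks the trust store used by Python's ssl module, which can differ from a browser's own store, so a pass here does not prove that every browser on the machine trusts the root.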

What is being decrypted and proxied?

Some solutions, such as deep packet inspection solutions on the gateway of a network, will inspect all of the traffic sent through them at a granular level to look for information such as strings of malicious code or confidential information. This is not what SSL decryption for the intelligent proxy does; it is really just the intelligent proxy for SSL websites. The only things being inspected are the requested URLs and domain names that are considered suspicious to begin with and are on our 'grey list', and we will block HTTPS URLs if they're considered malicious in our ruleset. We are not recording (or even looking at) anything beyond the URLs, possibly malicious files (and checksums) and the domain names themselves.

If File Inspection is enabled, then our proxy also inspects files that users attempt to download from those risky sites using anti-virus (AV) engines and Cisco Advanced Malware Protection (AMP), providing comprehensive protection against malicious files. Having SSL Decryption enabled along with File Inspection protects against sites using valid HTTPS but serving malicious files along with innocuous ones. For more information on File Inspection, see Enable File Inspection.
