Web Proxy Server
Crystal Eye’s Web Proxy Server app acts as an intermediary for web requests originating from a network. The basic functionality of this app is providing improved page access time, decrease bandwidth use and provides site visit audits of the users and IP addresses in the CE XDR network.
The Web Proxy Server app turns the Crystal Eye XDR appliance as a high-performance Proxy Caching Server. This essentially means that the CE XDR appliance acts as an intermediary between the client and the original web server. The advantages of having such a setup is that the CE XDR would act as a gateway and start co-coordinating with the source server so as to start caching or storing its resources.
It also provides improved security by providing an extra cover against malicious websites etc. One of the most important features of Crystal Eye’s Web Proxy is that it allows users to bypass blocked resources. These resources are generally blocked by the organisation, but the bypass functionality of CE XDR’s web proxy can be used to whitelist any IP address of a server, website etc.
The Web Proxy Server application is installed by default and can be accessed from the left-hand navigation panel.
Left-hand Navigation Panel > Network Control > Web Proxy Server  |
|---|
The Crystal Eye XDR runs on Transparent Proxy Mode by default and works as an intermediary through which the web traffic is routed from a user device in the network.
When the Transparent mode of CE is enabled, the appliance silently proxies all the HTTP traffic. This also means that a CE XDR administrator can push the HTTP web traffic originating from a user device in the CE XDR network through the proxy without performing browser reconfiguration tasks or installing CE certificates in the browsers.
The transparent proxy mode of the Crystal Eye XDR appliance does not have an authentication mode and can only be used to enforce blanket proxy on the entire network traffic.
While the CE XDR appliance is run on transparent proxy mode, advanced CE proxy features such as SSL Decryption can also be activated to enable proxy services for HTTPs traffic. However, the process of enabling proxy services for HTTPs traffic requires all network users to install CE security certificates in the proxy settings section of their browsers.
Note: When CE XDR is run on Transparent_SSL mode, internet can only be accessed if the CE security certificate is installed in the browser.
This option is widely appreciated for its ability to reduce the administrative burden of the CE administrator since explicit configuration of proxy is not required to be done on each device in the CE network.
How to setup Transparent Proxy in the Crystal Eye XDR appliance to enable proxy services for both HTTP and HTTPs Traffic?
Note: The Crystal Eye XDR appliance runs on Transparent Proxy mode by default. Henceforth, the CE XDR only scans and filters only http traffic by default. However, if there is a requirement to scan https traffic as well then, the Transparent_SSL mode must be activated.
Let’s learn how to setup Transparent_SSL mode on the Crystal Eye XDR.
Step 1: Go to Security Configuration > Advanced Firewall > Traffic Rules tab and then click the edit icon next to Default Transparent Web Filter.
Step 2: You will now be directed to the Edit page. Select Transparent_SSL from the mode dropdown under the Actions section and click the Update button.
Step 3: Go to Security Configuration > Web Filter > Web Proxy Server and click the Download Certificate button next to SSL Decryption.
Step 4: Install the CE Certificate to the browser if you are using a laptop. Read below to know how to install certificates in Google Chrome and Mozilla Firefox browsers.
Note: Ensure that the browser is set up to automatically detect proxy settings.
Follow the steps below to install CE certificate in Mozilla Firefox:
Type ‘about:preferences’ in the browser > Privacy and Security > Certificates > Certificates Manager > Authorities > Click Import button and import the CE certificate
Note: Ensure that the browser is set to automatically detect proxy settings (Go to Network Settings > Select Auto-detect proxy settings for this network)
In Explicit Proxy mode, only the network devices in the CE XDR network that have explicit proxy settings (automatic configuration) will be proxied by the CE XDR. All other traffic would pass undetected and unscanned by CE XDR. HTTPs sites will be proxied and scanned only when SSL Decryption is initiated.
Explicit Mode can be enabled to support user authentication for users created in the CE XDR network.
SSL Decryption should be enabled in Explicit Proxy mode to intercept HTTPs traffic. When SSL Decryption is enabled, client devices should have the CE security certificate installed as a trusted certificate in their device browsers to avoid service disruption.
How to setup Explicit Proxy in the Crystal Eye XDR appliance to enable proxy services for both HTTP and HTTPs Traffic?
Step 1: Go to Security Configuration > Advanced Firewall > Traffic Rules tab and then click the Edit icon next to Default Transparent Web Filter.
Step 2: You will now see the Edit page. Select the Explicit _ SSL mode under the Actions section and click the Update button.
Step 3: Go to Security Configuration > Web Filter > Web Proxy Server and click the Download Certificate button next to SSL Decryption.
Step 4: Install the CE Certificate to the browser if you are using a laptop. Read below to know how to install certificates in Google Chrome and Mozilla Firefox browsers.
Note: Ensure that the browser is set up to automatically detect proxy settings.
Follow the steps below to install CE certificate in Mozilla Firefox:
Type ‘about:preferences’ in the browser > Privacy and Security > Certificates > Certificates Manager > Authorities > Click Import button and import the CE certificate
Note: Ensure that the browser is set to automatically detect proxy settings (Go to Network Settings > Select Auto-detect proxy settings for this network)
There are certain cases, like certificate pinning, where servers do not honour requests from an intermediate proxy server. This can appear as loss of connectivity to the CE XDR network user or there might be servers which the clients do not want to establish proxy connections to. In such cases, the CE XDR gives an option to bypass proxy for sites, groups, and IP addresses.
How to bypass proxy for a website or a pre-configured group of websites?
User can either add individual sites or select one of the pre-configured groups in CE to bypass proxy for the end users.
Step 1: In the Web Proxy Server page click the Edit button of Proxy Bypass under the Rules section.
Step 2: Click the Add dropdown button and select Add by Site if it’s a single site and select Add by Group if you want to bypass a site group.
Note: The list of pre-configured websites groups that can be bypassed are Apple Store, Dropbox, Google Suite, Microsoft Services, Slack, and Whatsapp.
How to bypass web proxy for Certificate Verification?
Step 1: In the Web Proxy Server application page, click the Edit button next to Proxy Bypass.
Step 2: You will now see the Proxy Bypass dashboard. Click the Add button in the Web Proxy Certificate Verification Bypass section.
Step 3: Now, enter the website address in the Sites textbox and click the Add button.
This feature of the Web Proxy Server app is generally used when the User Authentication mode is enabled following which web users need to use used access credentials to browse the internet. When the website or network address is added to the exception list, user can access it without credentials.
How to Add a Website or a Network Address to the Authentication Exception Sites List?
Step 1: In the Web Proxy Server app page, click the Authentication Exception Sites Edit button in the Rules section.
Step 2: You will now see the Authentication Exception Site dashboard. Click the Add button.
Step 3: Enter the Website Domain Name or the Network Address in the textbox and click the Add button.
Note: On completing step 3 you will be able to view and will be automatically directed to on the Authentication Exception Sites dashboard where the list of bypassed websites and networks can be viewed.
The Safe Port is one of the most useful features of web proxy as it enables CE administrators to allow standard and non-standard HTTP ports.
In default configurations of the Crystal Eye XDR the following HTTP ports are filtered by web proxy: (insert table)
How to allow HTTP ports using the Safe Port rule of the Web Proxy Server application?
Step 1: In the Web Proxy application page, click the Edit button next to Safe Ports in the Rules section.
Step 2: You will now see the safe ports page. Click the Add button.
Step 3: You will now be directed to the Add Port page. Enter the port in the textbox and click the Add button.
The SSL Port rules in the Web Proxy app are used by CE administrators to allow standard and non-standard HTTPS Ports.
In default configurations of the Crystal Eye XDR the following HTTPS ports are filtered by web proxy:
(insert image)
How to allow HTTPS ports using the SSL Ports rule of the Web Proxy Server application?
Step 1: In the Web Proxy application page, click the Edit button next to SSL Ports in the Rules section.
Step 2: You will now see the SSL ports page. Click the Add button.
Step 3: You will now be directed to the Add Port page. Enter the port in the textbox and click the Add button.
Step 4: You will now be directed to the SSL Ports page. Click the Return to Summary button.
Cache settings can be configured to determine the Maximum Cache Size, Maximum Object Size, and Maximum File Download Size.
Maximum Cache Size relates to the hard disk size of the Crystal Eye Box that would be used dedicatedly as a proxy server to cache resources from the source servers. This should normally be at least several Gigabytes, up to several hundred Gigabytes depending on network size and number of users.
Maximum Object Size relates to size of any file that goes through the proxy server. Ideally, all files are made to pass through the proxy server when the transparent mode is enabled. However, if the file size exceeds the Maximum Object Size then the file will still pass through the proxy server but will not get cached. But there could be scenarios where the file size of one file cached in the proxy server occupies more than 90% of the disk space. Such cases can be easily countered by the administrator by defining the maximum limits of the object size or the file size.
Maximum File Download Size relates to the limit that can be set for file downloading. After setting this parameter, any file that exceeds the download file size limits will automatically not download.
Note: The default setting of Crystal Eye defines Maximum Cache Size as 10 GB, Maximum Object Size as 500 MB and Maximum File Download Size as Unlimited. If the default settings have been changed and the administrator wishes to restore default setting it can be done by clicking the Reset Cache button under the Settings section.
How to Configure Cache Settings in the Crystal Eye XDR?
Step 1: In the Web Proxy Server app page, click the Edit button under the Settings section.
Step 2: You will now see the editable version of the Settings section. Select the Maximum Cache Size from the dropdown.
Note: The administrator will have the option to set the Maximum Cache Size with the lowest being 100 MB and the highest being 90 GB.
Step 3: Select the Maximum Object Size from the dropdown.
Step 4: Select the Maximum File Download Size from the dropdown and click the Add button.
Note: The administrator will have the option to set the Maximum File Download Size with the lowest being 1 MB and the highest being Unlimited.
YouTube for School is an advanced network setting that is specially designed for schools allowing students and teachers to access educational content. The entire system has special features that give special access to YouTube EDU Videos. The best part of this specially designed system is that it limits access to other non-educational videos.
The Web Proxy Server app makes it possible for the network settings to be done so that the content accessed on YouTube for Schools flows through the Crystal Eye platform.
How to Enable/Disable You Tube?
Step 1: In the Web Proxy Server app page, click the Edit button under the Settings section.
Step 2: You will now see the editable version of the Settings section. Select Enable/Disable from the dropdown, enter the YouTube EDU ID and click the Update button.
