Proxy tab

The Configuration: Proxy tab is only available for the Sensor and is used to detect threats in traffic going through web proxies. It includes the following configuration options:

ICAP server

If Enabled, the Sensor will run an ICAP service. This allows ICAP-aware HTTP proxies to connect to this service and receive blocking decisions based on the system's protection capabilities.

Explicit proxy

If Enabled, the Sensor will run an HTTP/HTTPS proxy capable of performing TLS decapsulation.

Inline analysis

This option is only available if ICAP server and/or Explicit proxy is enabled.

If Enabled, the ICAP/Explicit Proxy capability can act upon the transfer of malicious files. This option should be enabled in the vast majority of cases.

Secure ICAP

This option is only available if ICAP server is enabled.

If Enabled, ICAP-aware HTTP proxies can connect to the appliance over a secure (encrypted) connection. The default port is 11344.

Explicit proxy settings

Explicit proxy IP

Define the IP address the explicit proxy server should be bound to. The address must match the IP address of one of the Sensor interfaces. It defaults to 0.0.0.0 (bind to all interfaces having a valid IP address).

This option is only available if Explicit proxy is enabled.

Port

Define the port the explicit proxy server is listening on.

This option is only available if Explicit proxy is enabled.

Source networks

Enter a set of address ranges that are allowed to connect to the explicit proxy. If ranges are defined and a client outside the ranges attempts to interact with the proxy, its requests are blocked with an error. You can enter an IP address, a CIDR IP address, or an IP address range. Type a space or a comma (,) to end a source network entry.

This option is only available if Explicit proxy is enabled.
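The following is an added example, not code from the Sensor or its documentation: it models how a Source networks field can be parsed (entries separated by spaces or commas; each entry a single IP, a CIDR block, or a range) and how a client address is checked against it. The "first-last" form for an IP address range is an assumption, as is the behaviour that an empty list allows every client.

```python
import ipaddress

def parse_source_networks(text):
    """Parse a Source networks field into (first, last) address pairs.

    Entries are separated by spaces or commas. Each entry is a single IP,
    a CIDR block, or a range written as 'first-last' (assumed syntax).
    Raises ValueError on a malformed entry, so a bad allow-list is
    rejected at save time rather than silently exposing the proxy.
    """
    entries = []
    for token in text.replace(",", " ").split():
        if "-" in token:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in token.split("-", 1))
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {token}")
            entries.append((lo, hi))
        else:
            # A bare IP becomes a /32 (or /128); strict=False accepts host bits in CIDRs.
            net = ipaddress.ip_network(token, strict=False)
            entries.append((net[0], net[-1]))
    return entries

def client_allowed(entries, client_ip):
    """Return True if the client may use the explicit proxy.

    An empty list means no restriction (assumption). Otherwise the client
    must fall inside at least one configured range of the same IP version.
    """
    if not entries:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(lo.version == ip.version and lo <= ip <= hi for lo, hi in entries)

if __name__ == "__main__":
    # Constructed sample configuration and client addresses.
    allowed = parse_source_networks("10.1.2.3, 192.168.0.0/24 172.16.0.10-172.16.0.20")
    for client in ("10.1.2.3", "192.168.0.200", "172.16.0.21", "2001:db8::1"):
        verdict = "allowed" if client_allowed(allowed, client) else "blocked with an error"
        print(f"{client}: {verdict}")
```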

HTTPS inspection

If Enabled, the proxy will perform TLS decapsulation of any HTTPS request. The resulting transactions are signed with a self-signed certificate that can be customized.

Note:

Browsers and other HTTPS clients will warn you when they encounter the self-signed certificate. You can use openssl to export the certificate from the Sensor and add it to the proxy settings on the client.

Upstream hosts

Define a set of next-hop HTTP/HTTPS proxy servers that the VMware NSX Network Detection and Response explicit proxy should forward requests to. Initially click the message ("No upstream hosts configured. Click to add one") in the list:

  • Enter an IP address by clicking the Empty link and typing an address in the pop-up textbox. Press Return to save your entry and dismiss the pop-up.
  • Enter a Port number by clicking the Empty link and typing a number in the pop-up textbox. You can also use the +/- icon to scroll to the desired value. Press Return to save your entry and dismiss the pop-up.
  • Click the checkbox icon to enable/disable SSL.

After you have more than one entry, click the checkbox icon to select the Default host.

To delete an entry, click the delete icon.

Blocking settings

Blocking threshold

Set a threshold value between 0 and 100. Any content that gets a score above that value will be sanitized. The default is 70. Type a value in the textbox. You can also use the +/- icon to scroll to the desired value.

To understand the threshold values, see the Impact score.

Check the Disabled checkbox to allow all content.

Blocking pages

Blocked page message

When a URL is blocked, the server notifies the client. You can customize the message sent to the user by editing the content in the textbox.

At any time, you can revert to the original text by clicking the Default button.

Pending page message

If Full with feedback blocking is enabled, the server provides feedback to the client. This page informs the user that the requested content is being held pending a VMware NSX Network Detection and Response analysis. You can customize the message sent to the user by editing the content in the textbox.

At any time, you can revert to the original text by clicking the Default button.

Blocked page details

If Enabled, system details are displayed on the blocking pages.

X-Lastline-* headers

If Enabled, additional X-Lastline-* headers are included in the HTTP responses. These can be useful to understand the blocking decisions.

Lastline logo

If Enabled, the VMware logo is displayed on the blocking pages.

Blocking behavior

Use the list to configure the blocking policy to be applied by the ICAP daemon for each type of file. Refer to the VMware NSX Network Detection and Response ICAP Integration Guide (PDF) for more information.

File types

Click the radio buttons in the list to set the blocking behavior for each type of file:

  • Executable: Binary program formats such as Windows Portable Executable
  • Archive: Archive formats such as ZIP or RAR
  • Media: Macromedia (Adobe) Flash files
  • Document: Includes other types of Office documents
  • PDF: Portable Document Format files
  • Other: Other recognized file formats
  • File upload: HTTP POST requests that are detected to contain malicious content

Passive

No blocking is attempted on this type of file, but any relevant content will be analyzed.

Sensor-known

Block all artifacts known by the Sensor to be malicious (listed in its local cache). This method offers the lowest level of protection but ensures minimal lag.

Manager-known

Block all artifacts known by the Manager to be malicious. This data is listed in the Manager cache and shared across all managed appliances.

Full

Artifacts are not served to the client until they have been fully analyzed. This method offers the maximum level of protection against new, unknown files. However, it can result in significant delays (in the order of minutes) when serving certain types of content.

Full with feedback

As with Full, artifacts are not served to the client until they have been fully analyzed. While waiting for analysis results, a feedback page is served to the client. This page is refreshed regularly until the analysis completes. The results are then served to the client.

HTTP POST

Determines what the Sensor does with malicious content in HTTP POST requests. If Block, the Blocked page message is sent to the destination. If Sanitize, the Sensor removes the malicious content before it forwards the request to its destination.

Timeout

Set the maximum time in seconds that the proxy server is allowed to delay the request.

When you are done, click the Save and deploy button to enable your changes. Otherwise click Cancel to discard any changes.

If you have not made any changes, click the Retrigger configuration button to reload the appliance configuration.

Click Back to appliance list to return to the Overview tab.