In order to filter your devices remotely, several things need to be in place beforehand. The first is an A record (host record) set up in your internal DNS pointing at the internal IP address of the Cipafilter. The second is another A record pointing at the public-facing IP address of the Cipafilter (or the public IP address from which you are forwarding traffic). This allows your devices to proxy via a hostname, which is important because it allows a seamless transition between intranet and internet.
The hostname you set up in DNS must be different from the hostname set on the IP Settings page of the Cipafilter.
Once your DNS records are in place, you will need an SSL certificate issued for that hostname, imported into the Cipafilter. If you prefer, you can use our Let's Encrypt integration, which generates an SSL certificate for free, renews it every 90 days, and requires no management. For either option, navigate to General --> Customization --> Portal Certificate. Here you can generate the Let's Encrypt certificate, or generate a CSR and upload the files for your SSL certificate. If you have a wildcard certificate for your domain, you will need to contact support to have it imported.
Once we have these pieces in place, we will then need to make the Cipafilter's proxy accessible to the internet. In order to do this, you will need to navigate to Next Generation Firewall --> Web Filtering.
Click on "Insert Remote-Filtering (1-to-1) Rule" at the bottom of the page, then click "Save and Apply". This creates a new rule on your Cipafilter that looks like this:
Authorization must be required on this subnet rule. Otherwise your proxy becomes an open proxy freely accessible to the internet, and traffic from your public IP will start to be blacklisted by various ISPs. Authorization is set to required by default.
The transparent proxy option must stay set to NO; changing it will cause connectivity issues. It is set to NO by default.
Once DNS is set up, the SSL certificate is generated and the proxy is accessible to the internet, verify that the port used for proxy services is open. The filter's default proxy port is 6226; you can verify this under Next Generation Firewall --> Web Filtering --> Advanced Configuration. We highly recommend keeping the default of 6226 or choosing another port that isn't commonly used (i.e., avoid 80, 443, 808, 1080, 3128, 8080, and 8118).
Finally, we need to decide how we are going to distribute our proxy settings to our clients. We can do so in one of two ways:
We recommend using a PAC (proxy auto-configuration) file for the additional customization and security it offers. The PAC file encrypts credentials sent in proxy requests, and as a script-based file it can be tailored to your needs. The Cipafilter provides a PAC file template to distribute to your devices under Next Generation Firewall --> Web Filtering --> Advanced Configuration, where the URL to point your devices to is also shown. We highly recommend using HTTPS with HTTP failover. You can also configure options for DNS and proxy exceptions.
Alternatively, you can distribute proxy settings via GPP, Google Admin, or your management suite. This method is not considered best practice, as it sends the user's credentials in clear text.
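A minimal PAC file of the kind the PAC option above describes, written here as an added example rather than the Cipafilter's own template: it prefers an HTTPS connection to the proxy with plain HTTP failover and sends intranet names direct. The hostname `filter.example.com` and the `.corp.example.com` exception domain are placeholders for the DNS name and internal domain you set up; 6226 is the default port from this page. The helper functions at the top mirror the PAC built-ins with the same semantics so the file can also be exercised under Node.

```javascript
// Added example PAC file for remote filtering (not the Cipafilter template).
// filter.example.com is a placeholder for the DNS hostname created earlier;
// 6226 is the Cipafilter's default proxy port.
var PROXY_HOST = "filter.example.com";
var PROXY_PORT = 6226;

// Prefer a TLS connection to the proxy so credentials are encrypted in transit;
// fall back to plain HTTP proxying only if the HTTPS proxy cannot be used.
var PROXY_CHAIN = "HTTPS " + PROXY_HOST + ":" + PROXY_PORT +
                  "; PROXY " + PROXY_HOST + ":" + PROXY_PORT;

// Internal domains that bypass the filter proxy entirely (assumed placeholder).
var DIRECT_DOMAINS = [".corp.example.com"];

// PAC engines provide these helpers natively; they are defined here with the
// same semantics so the file also runs outside a browser (e.g. under Node).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Translate a shell-style glob (* and ?) into an anchored regular expression.
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Never send unqualified intranet names or loopback through the proxy.
  if (isPlainHostName(host) || host === "localhost" || shExpMatch(host, "127.*")) {
    return "DIRECT";
  }
  // Requests to the filter's own hostname need no proxying (assumed exception).
  if (host === PROXY_HOST) {
    return "DIRECT";
  }
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    if (dnsDomainIs(host, DIRECT_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  // Everything else is filtered, on-site or off-site, via the same hostname.
  return PROXY_CHAIN;
}
```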