Deploying SCP

PAC Files vs Agents

Generally, we recommend deploying the Skyhigh Client Proxy (SCP) Agent to corporate devices to forward traffic. SCP is available for Windows, Mac, iOS and Android and is pre-installed on your workshop clients. SCP enables your organisation to use a single agent for SWG, Private Access (ZTNA), and Cloud Firewall!

PAC Files

Pros

  • Granular proxy selection with different fallback options for each scenario.
  • Supported by most browsers irrespective of operating system.
  • Supports secure network environments where there is no external DNS resolution and no default route.

Cons

  • Operates only for applications and TCP protocols that are aware of the PAC file and honor it.
  • The browser or application needs to be restarted if the PAC file cannot be reached on application start (e.g. captive portal environments). Changes to the PAC file are only picked up when the application is restarted.
  • PAC files cannot add encryption, and some ISPs block unencrypted proxy CONNECT requests. PAC files used alone also cannot transparently authenticate to a cloud proxy.
  • Complicated and difficult to maintain: syntax errors can break operation, and it is easy to implement incorrect logic that results in unexpected behaviour.
  • Can’t be configured for fastest response time.
  • Easily bypassed or subverted unless there are compensating controls, which may also impact operation in uncontrolled environments.
  • Does not pass any context about the client to the destination proxy.
  • Use of HTTP3/QUIC bypasses the PAC file unless the network blocks UDP on ports 443 and 80.
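To make the PAC pros and cons above concrete, here is a small PAC file added as an example (it is not from the original page or from Skyhigh): it shows per-scenario fallback (fail closed for general web traffic, fail open only for one update domain) and the rule-ordering pitfall that produces incorrect logic. The proxy hostnames and domains are placeholders, and the PAC helper functions are normally supplied by the browser; minimal shims are included so the file can be exercised in Node.

```javascript
// Placeholder proxy entries; in a real deployment these point at your proxies.
const PRIMARY = "PROXY proxy-primary.example.internal:8080";
const SECONDARY = "PROXY proxy-secondary.example.internal:8080";

// Shims for helpers the browser's PAC engine provides. They exist only so this
// file can be run outside a browser and approximate the real behaviour.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, pattern) {
  // Translate a shell glob (* and ?) into an anchored regular expression.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(str);
}

function FindProxyForURL(url, host) {
  // Rule order matters: the first matching rule wins. Bypass rules for intranet
  // hosts must come before the catch-all below, otherwise they never fire and
  // internal traffic is sent to the proxy (a common PAC logic error).
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // A PAC file only governs what the application hands it; non-HTTP(S) schemes
  // go direct here rather than being sent to an HTTP proxy that cannot serve them.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*")) {
    return "DIRECT";
  }
  // Scenario-specific fallback: an OS update domain may fall back to DIRECT so
  // patching continues when no proxy is reachable (deliberate fail open).
  if (dnsDomainIs(host, ".updates.example.com")) {
    return PRIMARY + "; " + SECONDARY + "; DIRECT";
  }
  // Everything else: primary, then secondary, with no DIRECT fallback, so an
  // unreachable proxy does not silently turn into an unfiltered connection.
  return PRIMARY + "; " + SECONDARY;
}
```

Because the browser caches the PAC result and re-reads the file only on restart, a change to the rules above is not reflected in running applications until they are relaunched.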

SCP Agent

Pros

  • Application agnostic, highly tamper resistant and not easily bypassed; bypass and uninstall are administratively controlled.
  • Supplies prompt-less user and group information to the proxy without the need for a directory connection or sync.
  • Allows for an alternate proxy and bypass based on destination port, domain, IP, and process name.
  • Adds additional context for filtering decisions: policy name, process name, OS, OS version, system name, etc. Can also be configured to fail over, fail open, or fail closed (when the internet is available but no proxies can be reached).
  • Network aware: operation can be adjusted based on network location. Redirection policy is automatically updated on all clients within a few minutes of a change.
  • When using the cloud service, it automatically selects the best proxy based on the geolocation of the client. Can also be used with Web Gateway Cloud Service and Skyhigh Secure Web Gateway simultaneously.
  • Can add encryption for unencrypted protocols. SCP Policy can block HTTP3/QUIC so that this traffic doesn’t bypass the proxy.

Cons

  • Requires installation of an agent that only runs on Windows and Mac operating systems.
  • Needs to have routing to a supported proxy (cloud, or on premise).
  • Requires standard DNS resolution for domain-based redirection decisions.
  • Only intercepts configured ports if Cloud Firewall is not enabled.
  • Selection of the optimal cloud proxy requires DNS resolution of Skyhigh cloud proxy domains.

What is an OPG File

An OPG file is an encrypted policy file, unique to your tenant, that sets client level policy. SCP reads this policy file to enforce:

  • Proxy server list
  • Redirection settings
  • Redirection bypass list
  • Client level block list
  • Cloud firewall settings
  • Other preferences about IPv6, QUIC, group membership and more

Deployment

OPG files can be downloaded alongside the latest version of SCP from your Skyhigh SSE dashboard in a bundle, or standalone usually for testing purposes.

Your OPG file should be copied to C:\ProgramData\Skyhigh\SCP\Policy\Temp\SCPPolicy.opg. This allows the SCP agent to inherit the client level policy, which we will look at in the next section.

With the executable and OPG file, you will be able to deploy via MDM, image devices with SCP, or use your preferred method of large scale deployment.