Setup the Next Hop Proxy

Configure the NHP on the SWG

Secure next hop leverages SCP mechanisms to connect and authenticate to the cloud instance. The tenant shared secret is used to encrypt the communication on port 8081.

The SWG Cloud Proxy URL is built from the customer ID as follows: c"customer ID".wgcs.skyhigh.cloud
Select the Next Hop Proxy Ruleset on the SWG and click on the Next Hop Proxy Setting “Skyhigh SSE Cloud”

Edit the NHP (Next Hop Proxy) server list -> CLick Edit

Click the green plus and enter the cloud gateway hostname you noted before. In the Port field please enter 8081 and scroll down to check the “Use secure connection to Next Hop Proxy” box.

Click OK, OK, OK and Save Changes
Review the Next Hop Proxy Ruleset

Tip

This Next Hop Proxy Ruleset let you decide if you want to send specific sites to the Cloud for Isolation (first rule - mostly used for Full Isolation usecases) or to send uncategorized sites (second rule - mostly used for Risky Isolation usecases)

Prepare the Cloud Web Policy

By default, the cloud web filter blocks uncategorized web traffic. Next, we will adjust the policy to allow all traffic to pass the web filter and run into the RBI filter.

Note: Risky Web Isolation is already enabled in the default policy.

On the Skyhigh Cloud UI select Policy -> Web Policy -> Policy

From the Web Policy tree on the left, navigate to Web Filtering -> Category, Reputation & Geo

Modify the Uncategorized Traffic selector to Allow All

Publish your changes

Tip

Explore the settings for Risky Web Browser Isolation.

In the web policy navigate to Browser Isolation -> Risky Web. You will see that RBI is already enabled, and that RBI provides activity controls for download/upload and clipboard.