Setup the Next Hop Proxy

Configure the NHP on the SWG

Secure next hop leverages SCP mechanisms to connect and authenticate to the cloud instance. The tenant shared secret is used to encrypt the communication on port 8081.

  1. The SWG Cloud Proxy URL is built from the customer ID as follows: c"customer ID"
  2. Select the Next Hop Proxy Ruleset on the SWG and click on the Next Hop Proxy Setting “Skyhigh SSE Cloud”

SWG NHP Setting SWG NHP Setting

  1. Edit the NHP (Next Hop Proxy) server list -> CLick Edit


  1. Click the green plus and enter the cloud gateway hostname you noted before. In the Port field please enter 8081 and scroll down to check the “Use secure connection to Next Hop Proxy” box.

SWG NHP Config SWG NHP Config

  1. Click OK, OK, OK and Save Changes
  2. Review the Next Hop Proxy Ruleset

SWG NHP Review SWG NHP Review


This Next Hop Proxy Ruleset let you decide if you want to send specific sites to the Cloud for Isolation (first rule - mostly used for Full Isolation usecases) or to send uncategorized sites (second rule - mostly used for Risky Isolation usecases)

Prepare the Cloud Web Policy

By default, the cloud web filter blocks uncategorized web traffic. Next, we will adjust the policy to allow all traffic to pass the web filter and run into the RBI filter.

Note: Risky Web Isolation is already enabled in the default policy.

  1. On the Skyhigh Cloud UI select Policy -> Web Policy -> Policy

Web Policy Navigation Web Policy Navigation

  1. From the Web Policy tree on the left, navigate to Web Filtering -> Category, Reputation & Geo

Web Filtering Navigation Web Filtering Navigation

  1. Modify the Uncategorized Traffic selector to Allow All

SWG CLoud Filter SWG CLoud Filter

  1. Publish your changes

Publish Changes Publish Changes


Explore the settings for Risky Web Browser Isolation.

In the web policy navigate to Browser Isolation -> Risky Web. You will see that RBI is already enabled, and that RBI provides activity controls for download/upload and clipboard.