The Proxy settings allow you to set parameters associated with the proxy service. These settings define:
ProTip: We strongly suggest reading the Concepts section in order to fully understand the options that are presented here.
The explicit proxy listening port option allows you to customise which port will be open to receive explicit proxy connections. This is the port that will be specified in the proxy configuration(s) of client web browsers.
The standard proxy port is 3128; however, many organisations prefer to use 8080.
Warning: Be careful not to use a port that's already reserved by another protocol.
As well as filtering content, LiveStream can also cache it. Whenever possible, it will cache (store) previously served web data so that subsequent requests for that data may be served from its cache rather than retrieved from the original source (the internet).
Caching can greatly improve browsing performance for end-users while reducing your organisation’s overall data usage with your ISP.
ProTip: Cache performance is tracked by the stats in Reports and on the Dashboard. Check out all the gigabytes you're saving!
Otherwise known as a "transparent proxy" or "forced proxy", an intercepting proxy behaves identically to an internet gateway, effectively performing NAT (Network Address Translation), but it actually intercepts the web traffic for filtering and analysis.
As the system administrator, it's your responsibility to decide the manner in which the different types of devices on your network will connect to LiveStream 5. You can get in touch with Getbusi at any time for advice beyond what is presented here and in Deployment Options.
Warning: All non-web traffic will be ignored and passed through by the NAT rules. Make sure that LiveStream 5's own gateway and logical network position do not allow clients to bypass their typical outbound connectivity restrictions.
As you have read previously in this guide, intercepting, decrypting and mimicking valid website certificates is a "necessary evil" when using an intercepting proxy.
When a client browser is explicitly using a proxy, it will purposefully establish SSL connections in such a way that the proxy can maintain the client <---> website encryption tunnel. However, if the proxy is transparent, the client browser doesn't know that it should do this.
In order for an intercepting proxy to see any information about an HTTPS request (even the site hostname) it has to perform a man-in-the-middle violation. This would—ordinarily—trigger errors in the browser, suggesting to the user not to proceed.
Disclaimer: We realise this feature is ethically questionable, so it is disabled by default. It's left up to your organisation to determine the feasibility of the feature both technically and ethically.
Note that the only normally-encrypted information that LiveStream 5 will store is the full URLs of intercepted HTTPS requests. The contents of these pages are never stored or accessed by LiveStream.
Additionally, LiveStream will not mimic website certificates that are invalid. Errors for website certificates that are genuinely invalid will be reproduced so that end users may still avoid potentially compromised web services.
When you enable HTTPS filtering in LiveStream, you are enacting a system called SSL Bump which handles every intercepted SSL connection accordingly:
This process would obviously also cause browser warnings unless the client trusts the LiveStream proxy to sign all SSL certificates. To create this trust, the client simply needs to install the CA certificate bundle (.cer) that LiveStream conveniently auto-generates when you enable the feature.
Once the cert bundle is downloaded from LiveStream 5 you may distribute it to devices via a domain group policy or MDM system.
If you're dealing with BYOD, pre-distribution of the proxy certificate may not be practical. LiveStream has you covered by automatically probing intercepted clients for the presence of the certificate when they first access LiveStream. If they don't have it installed yet, they will be presented with a friendly splash page instructing them how to install the certificate and why or, alternatively, how to opt out and avoid HTTPS sites.
Not all web-enabled applications were designed with web proxies and web filtering in mind. Chances are, if an application violates HTTP/1.1 norms, it may have trouble connecting via a proxy.
The compatibility options tab allows you to enable work-arounds for common applications and services that have known compatibility issues.
These definitions are maintained by Getbusi, based on testing, and are subject to sudden, unannounced changes by each vendor. If a compatibility option stops working for you, please contact support.
Compatibility definitions are currently maintained for:
ProTip: Getbusi would love to add more compatibility definitions. Drop us a line if you have an app or service you would like to suggest.
To enable a compatibility option, simply select the corresponding checkboxes and click save and apply.
Bypass lists allow you to specify web resources which will not require certain proxy features in order to be accessed. This is an effective means to bypass compatibility issues with apps and services that don't have definitions maintained by Getbusi.
Bypass lists draw from the same List Groups as the rest of the system, meaning you can bypass based on domain, IP, or subnet. List Groups are discussed later in the documentation.
ProTip: Determining what needs to be bypassed in order to get an application working is usually a matter of researching the app's proxy compatibility. Often, the vendor will provide instructions on how to configure the proxy to handle the app's connectivity quirks.
The most common incompatibility is with web applications that do not support proxy authentication. This typically manifests itself with repeated prompts for authentication that cannot be avoided even by entering the valid credentials.
This can be used for highly dynamic web content which does not respond well to being cached. This will typically manifest itself with stale data being displayed.
When an upstream proxy has been configured, requests to internet resources on the selected list will be made directly from LiveStream 5 to the website, bypassing the upstream proxy. This might be necessary for things such as internal websites that aren't accessible by the upstream proxy.
Under most circumstances you will want to create a specific list group for each type of Bypass.
A Bypass List is just a list group like any other on the system; it is only a "bypass" list because you chose to apply it as such. You could also apply the same list to other rules, exceptions and bypasses.
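Because one list group can be applied as several kinds of bypass, it is worth reviewing what a list actually covers before applying it. The following is an added example, not LiveStream's own code: the sample list, the rule that a domain entry also covers its subdomains, the size threshold and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample list: entries may be a domain, an IP, or a subnet.
AUTH_BYPASS = ["updates.example.com", "203.0.113.10",
               "198.51.100.0/24", "com", "10.0.0.0/8"]

def parse_entry(entry):
    """Classify one entry as ('subnet' | 'ip' | 'domain', parsed value)."""
    entry = entry.strip().lower().rstrip(".")
    try:
        if "/" in entry:
            return "subnet", ipaddress.ip_network(entry, strict=False)
        return "ip", ipaddress.ip_address(entry)
    except ValueError:
        return "domain", entry.lstrip("*.")

def matches(entry, host):
    """True if destination host (name or IP literal) is covered by entry.
    Assumption: a domain entry covers the domain and all of its subdomains."""
    kind, value = parse_entry(entry)
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if kind == "domain":
        # Compare on a label boundary so "notexample.com" != "example.com".
        return addr is None and (host == value or host.endswith("." + value))
    if addr is None:
        return False  # hostname against an IP entry needs DNS; not done here
    if kind == "ip":
        return addr == value
    return addr.version == value.version and addr in value

def bypassed(entries, host):
    """Entries in the list that would exempt this destination."""
    return [e for e in entries if matches(e, host)]

def audit(entries, max_hosts=256):
    """Flag entries that exempt far more than one service."""
    findings = []
    for e in entries:
        kind, value = parse_entry(e)
        if kind == "subnet" and value.num_addresses > max_hosts:
            findings.append((e, f"subnet covers {value.num_addresses} addresses"))
        elif kind == "domain" and "." not in value:
            findings.append((e, "single-label domain covers a whole TLD"))
    return findings
```

Run `audit()` on a list before applying it as an authentication bypass, and use `bypassed()` to see which entry is responsible when a destination is exempted unexpectedly.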
You can edit a bypass list from the Proxy Settings or directly within the Lists section.
See the List Groups section for details on editing a list group.