We have an upcoming requirement to track internal clients accessing certain external websites. All users access the internet through a well-known proxy provider on the same IP:PORT (XXX.XXX.XXX.XXX:8080).
I don't fully understand the communication between the client and the proxy, but I'm assuming the HTTP will be in clear text and the HTTPS will be encrypted, either with a corporate key/certificate pair if my proxy is doing MitM analysis or with the remote site's if not.
Given the requirement to monitor some services accessed through the proxy, needing to be able to decode and analyse HTTPS where possible, and needing to know and understand the client IP address to tie to location details, this suggests the following:
Are my assumptions correct and is this an appropriate way to achieve this?
Anyone else doing anything similar?
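As an added example (not part of the original question or of the answer that follows), the script below shows what a tap between the clients and an explicit proxy can attribute from the first bytes of each client-to-proxy flow. With an explicit proxy, plain HTTP carries the absolute URL in the request line, and an HTTPS session opens with a cleartext `CONNECT host:port` line, so the destination host is visible for both even without TLS interception; only the path and content of the HTTPS request stay hidden unless the proxy MitMs. The client IP is simply the TCP source address of that leg. All IPs, hostnames and payloads are constructed for the example; `classify_flow` and `find_watched` are names chosen here, not from any product.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of client -> proxy TCP payload openings (first segment of
# each flow), as a tap between the clients and the proxy on port 8080 would
# see them. IPs and hostnames are made up for this example.
SAMPLE_FLOWS: List[Tuple[str, bytes]] = [
    ("10.20.30.41", b"GET http://www.example.com/news/today HTTP/1.1\r\n"
                    b"Host: www.example.com\r\nUser-Agent: demo\r\n\r\n"),
    ("10.20.30.42", b"CONNECT mail.example.net:443 HTTP/1.1\r\n"
                    b"Host: mail.example.net:443\r\n\r\n"),
    ("10.20.30.43", b"POST http://api.example.org/v1/upload HTTP/1.1\r\n"
                    b"Host: api.example.org\r\nContent-Length: 0\r\n\r\n"),
    # TLS ClientHello sent straight to :8080 with no proxy request line
    ("10.20.30.44", b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\nHost: ([^\r\n]+)", re.IGNORECASE)
ABSOLUTE_URL = re.compile(r"^https?://([^/]+)(/.*)?$")


def _host_header(payload: bytes) -> str:
    """Fallback for a relative request target: take the Host header."""
    m = HOST_HEADER.search(payload)
    return m.group(1).decode("ascii", "replace").strip() if m else ""


def classify_flow(client_ip: str, payload: bytes) -> Dict[str, str]:
    """Attribute one client->proxy flow to its source and destination.

    - Explicit-proxy HTTP: the request line carries an absolute URL, so
      method, host and path are all visible in clear text.
    - Explicit-proxy HTTPS: the flow opens with a cleartext CONNECT line,
      so the destination host is visible; the path and content inside the
      tunnel are not unless the proxy performs TLS interception.
    - Anything else (e.g. TLS with no proxy request) is left unattributed.
    """
    m = REQUEST_LINE.match(payload)
    if not m:
        return {"client_ip": client_ip, "kind": "unknown", "host": "", "detail": ""}
    method = m.group(1).decode("ascii")
    target = m.group(2).decode("ascii", "replace")
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]
        return {"client_ip": client_ip, "kind": "https-tunnel", "host": host,
                "detail": "path hidden without TLS interception"}
    mu = ABSOLUTE_URL.match(target)
    host = mu.group(1) if mu else _host_header(payload)
    path = (mu.group(2) or "/") if mu else target
    return {"client_ip": client_ip, "kind": "http", "host": host,
            "detail": f"{method} {path}"}


def find_watched(flows: List[Tuple[str, bytes]],
                 watch_hosts: Set[str]) -> List[Tuple[str, str, str]]:
    """Report (client_ip, host, kind) for flows to a defined set of hosts,
    the equivalent of monitoring only a fixed list of external sites."""
    hits = []
    for client_ip, payload in flows:
        r = classify_flow(client_ip, payload)
        if r["host"] in watch_hosts:
            hits.append((r["client_ip"], r["host"], r["kind"]))
    return hits


if __name__ == "__main__":
    for ip, data in SAMPLE_FLOWS:
        print(classify_flow(ip, data))
    print(find_watched(SAMPLE_FLOWS, {"mail.example.net", "api.example.org"}))
```

A tap on the other side of the proxy (proxy to internet) sees only the proxy's own source address, which is why the client IP has to be taken on the client-to-proxy leg, or carried across by the proxy in a header such as X-Forwarded-For if it is configured to add one.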
I haven't had full experience with proxies and different flows, but yes, separate experience. For seeing the same server port from different flows (if it is not possible to configure client_IP identification), I've used two AMDs as you propose. This is something I've already configured.
For the proxy monitoring (I didn't need to go over the HTTPS decode), your approach is a good one: defining a set of URLs and switching off the URL auto-learning on the defined SS. I've done it like this too.
I'll say that yes, your approach is good.
I hope it helps.