Non-identity on-ramps
On-ramps are the methods used to route traffic from your network to Cloudflare for inspection. With Cloudflare One, you can isolate HTTP traffic from on-ramps such as proxy endpoints (which your browser connects to via PAC files to send traffic through Gateway) or Cloudflare WAN (formerly Magic WAN, which connects your network to Cloudflare through GRE or IPsec tunnels). Since these on-ramps do not require users to log in to the Cloudflare One Client, identity-based policies are not supported.
- Install a Cloudflare certificate on your devices.
- Connect your infrastructure to Gateway using one of the following on-ramps:
  - Configure your browser to forward traffic to a Gateway proxy endpoint with PAC files (Proxy Auto-Configuration files that tell the browser which traffic to route through the proxy).
  - Connect your enterprise site router to Gateway with the anycast GRE or IPsec tunnel on-ramp to Cloudflare WAN (site-to-site encrypted tunnels between your network and Cloudflare).
- Enable non-identity browser isolation:
  - In Cloudflare One, go to Browser isolation > Browser isolation settings.
  - Turn on Allow isolated HTTP traffic when user identity is unknown.
- Build a non-identity HTTP policy to isolate websites in a remote browser.