Getting Started Guide for TRITON AP-WEB Cloud

Getting Started Guide Forcepoint Web Security Cloud

Upload: ngominh

Post on 14-Feb-2017


Getting Started Guide

Forcepoint Web Security Cloud


©2017, Forcepoint LLC
All rights reserved.
10900-A Stonelake Blvd, Quarry Oaks 1, Suite 350, Austin TX 78759
Published 2017

This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or machine-readable form without prior consent in writing from Forcepoint LLC.

Every effort has been made to ensure the accuracy of this manual. However, Forcepoint LLC makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint LLC shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.

Trademarks

Forcepoint is a trademark of Forcepoint LLC. SureView, TRITON, ThreatSeeker, Sidewinder and Stonesoft are registered trademarks of Forcepoint LLC. Raytheon is a registered trademark of Raytheon Company. All other trademarks are the property of their respective owners.

Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the sole property of their respective manufacturers.

Contents

Chapter 1 Introduction
Chapter 2 Requesting an Account
    Logging on to the Forcepoint Security Portal
    Forcepoint Web Security Cloud setup wizard
Chapter 3 Deploying Forcepoint Web Security Cloud
    How Forcepoint Web Security Cloud works
    Configuring browsers to use Forcepoint Web Security Cloud
        Configuring Mozilla Firefox
            Configuring Firefox with Active Directory Group Policy
        Configuring Internet Explorer
            Turning on Group Policy to configure a web proxy
            Turning off the web proxy using Group Policy
        Configuring Safari manually
    Configuring your firewall
Chapter 4 Deploying an I Series appliance
    Issues to consider before you begin
    Initial portal settings
        Run directory synchronization
        Add new appliance information
            Generating an appliance certificate
    Appliance setup and configuration
        Installing the appliance on a virtual machine
            Deployment without Silicom card
            Deployment with Silicom card
        First-Time Configuration Wizard
    Connecting the appliance to your network
        Configuring your firewall
    Registering the appliance
    Browser support
    Configuring Active Directory authentication
    Running diagnostics
    Monitoring appliance traffic
    Using Forcepoint Web Security Endpoint with an appliance
Chapter 5 Using Chained Proxies
    Microsoft ISA Server or Forefront TMG
        Basic chaining
        Configuring exceptions
        Configuring NTLM pass through
        Configuring X-Authenticated-User chaining
    Blue Coat ProxySG
        Basic chaining
        NTLM chaining
        X-Authenticated-User chaining
    Squid Proxy
        Basic chaining
        NTLM chaining
Chapter 6 Adding IP Addresses to Your Policy
Chapter 7 Setting Up End-User Authentication
    Setting up Forcepoint Web Security Endpoint
        Web endpoint deployment overview
        Basic web endpoint deployment options
        Endpoint system requirements
        Downloading and distributing the endpoint
            For Windows operating system users
            For Mac operating system users
        Deploying the endpoint from the cloud service
        Updating the endpoint
    Other end-user authentication and identification options
    Enabling browsers for NTLM transparent authentication
        Configuring Internet Explorer
        Configuring NTLM via Group Policy
        Configuring Firefox
    End-user registration
        Directory synchronization
        End-user self registration and bulk registration
        NTLM transparent identification registration
    Authentication priority and overrides
Chapter 8 Working with Remote Users
    How to determine whether a browser is using Forcepoint Web Security Cloud
    Connecting from home
    Connecting from third-party corporate networks
Chapter 9 Configuring Data Security
    Create content classifiers
        Define regular expression content classifiers
        Define key phrase content classifiers
        Define dictionary content classifiers
    Configure Data Security policy settings
    Configure privacy settings
    Configure reporting permissions
    Configure block pages
    View the dashboard
    View reports
    View the audit trail
Chapter 10 Next Steps
    Managing web categories
    Managing protocols and exceptions
    Cloud service reporting
Chapter 11 Preparing Your End Users for Deployment

Chapter 1 Introduction

Getting Started Guide | Cloud Web Protection Solutions

Forcepoint Web Security Cloud is a fully managed service that provides comprehensive and flexible protection against web threats, such as viruses, spyware, and phishing attacks, as well as the ability to control users’ web access.

As an alternative to a fully cloud-based service, you can deploy the I Series appliance. This provides fast on-premises URL analysis and application/protocol detection for web traffic, along with centralized policy management and reporting capabilities in the cloud.

Forcepoint Web Security Cloud is simple to use and works “out of the box” with a default policy. To make full use of its features, configure the policy and add new policies to meet the needs of your organization.

This guide outlines the tasks that you must complete to get Forcepoint Web Security Cloud managing your web traffic.

Getting Started


The following steps must be completed before you can use Forcepoint Web Security Cloud. It is important that you follow these in order:

1. Requesting an Account.

2. Deploying your chosen solution, either purely cloud-based (see Deploying Forcepoint Web Security Cloud) or with an I Series appliance (see Deploying an I Series appliance).

Options for connecting to the cloud service and authenticating users vary depending on the deployment you choose.

3. Adding IP Addresses to Your Policy for your Internet gateway.

4. Setting Up End-User Authentication, if required.

Other chapters discuss which proxies are supported, how to set up roaming users, how to configure data theft protection, and how to tailor your policy for your organization. The final chapter provides tips for preparing your end users for their new web protection system.


Further Information

Detailed configuration advice for Forcepoint Web Security Cloud features is available in the Forcepoint Security Portal Help.

The Knowledge Base also contains technical information that is not included in this guide, such as common configuration questions and known issues with workarounds. The Knowledge Base also allows you to search for answers to a question you may have.

Check these resources whenever you experience a problem or have a support question.

Technical Support

If you have any questions during the setup phase, please contact your reseller or Forcepoint Technical Support. Technical information about Forcepoint products is available online 24 hours a day, including:

● Release information

● Knowledge Base

● Show-me tutorials

● Product documents

● Tips

● Technical papers

Access support on the website at:

https://support.forcepoint.com/

Click My Account to create or log in to your website account. When you create an account, you may be prompted to enter all Forcepoint subscription keys. This helps to ensure ready access to information, alerts, and help relevant to your products and versions.

Create your website account when you first set up Forcepoint Web Security Cloud, so that access is readily available whenever you need support or updates.

For additional questions, the support portal offers an online support form. Just click Contact Support.

Chapter 2 Requesting an Account

● If you are an existing Forcepoint Email Security Cloud customer or are performing a trial, you can request that Forcepoint Web Security Cloud services be added to your account by contacting Forcepoint Sales or your reseller. Forcepoint Technical Support notifies you by email when the services are added.

Alternatively, you can request a demo online as described below.

● If you are new to Forcepoint cloud-based services, request a demo online, as described below.

Requesting a Forcepoint Web Security Cloud demo

1. Go to www.forcepoint.com and select Products > Cloud Security > Web Security.

2. Scroll down until you see the Request a Demo form.

3. Provide the information requested in the form, then click Request Demo.

Shortly after you click Request Demo, you will be contacted by a member of the Forcepoint Sales organization, who can introduce you to the product and set up your account.

If you prefer to talk to a representative immediately, inside the U.S., call 1-800-723-1166. Outside the U.S., please visit the Partners > Find a Partner page at www.forcepoint.com to locate a reseller.


Logging on to the Forcepoint Security Portal


When you receive cloud portal logon information from your Sales representative, log on to the Forcepoint Security Portal by visiting:

https://admin.forcepoint.net/portal

Enter your user name and password and click Log On.

If you are a new customer, a short first-time logon wizard will prompt you to:

1. Accept the license agreement for your product.

2. Select a primary and backup cloud data center for storing your reporting data.

3. Provide an administrator email address and password recovery question that can be used to reset a lost password.

Note: You must have port 443 open on your firewall to access the portal.

Once you have completed the wizard, you are ready to configure your Forcepoint Web Security Cloud account.

Forcepoint Web Security Cloud setup wizard

When you first log on to the cloud portal to configure your web protection product, a setup wizard is displayed to guide you through the initial setup process. This initial setup involves a combination of steps performed in your network (to allow communication with the cloud service) and steps performed in the portal (policy configuration). The wizard guides you through configuring your firewall to access Forcepoint Web Security Cloud, setting up end-user registration and LDAP directory synchronization, setting up your first policy, and testing your configuration.

If you are not able to complete all of the in-network configuration steps immediately, you can skip them temporarily while you perform the cloud portal configuration steps.

See the Forcepoint Security Portal Help for further information on using the setup wizard. You can access the Help and other reference tools on the Forcepoint Support website or from the Help menu in the Security Portal.

Once you have completed the configuration steps in the setup wizard, you can change your account configuration at any time. Refer to the Help for full instructions on how to configure your account. For details of how to configure the synchronization client, see the Directory Synchronization Client Administrator Guide.

Note: If you are deploying an I Series appliance, follow the instructions in the chapter Deploying an I Series appliance, page 19. If you are installing the appliance as a virtual machine, download the OVA file from the My Account page at forcepoint.com.

Chapter 3 Deploying Forcepoint Web Security Cloud

This chapter describes deploying Forcepoint Web Security Cloud as a purely cloud-based solution. If you are deploying with an I Series appliance, see Deploying an I Series appliance, page 19.

To deploy the product for your organization:

1. Start by reading How Forcepoint Web Security Cloud works, page 7, to better understand requirements for deployment.

2. Determine how to direct your web traffic through the cloud service.

■ During the initial stages of an evaluation, we recommend that you manually configure a number of web browsers to use the Forcepoint Web Security Cloud PAC file. (See Configuring browsers to use Forcepoint Web Security Cloud, page 9.)

Once you are happy that the service works as expected, you can add more users, perhaps by using Active Directory group policy to configure browsers.

■ If you have an existing proxy, you may be able to proxy chain for a subset of users before deploying across the complete organization. (See Using Chained Proxies, page 47.)

■ You can also deploy endpoint client software for a small number of users to test enforcement and seamless authentication. (See Setting up Forcepoint Web Security Endpoint, page 62.)

3. Configure your firewall to allow the host and port combinations that enable Forcepoint Web Security Cloud to manage traffic originating from your network. (See Configuring your firewall, page 17.)

Once you have completed these steps, you can define the IP addresses for which the service will receive web requests (see Adding IP Addresses to Your Policy, page 59), and choose how to manage your end users.

How Forcepoint Web Security Cloud works

There are several options for connecting to the cloud service. This section describes the basic deployment model, which you can use to get up and running quickly. Additional deployment options are available, however, including the addition of one or more I Series appliances (described in Deploying an I Series appliance, page 19) and the use of web endpoint clients to provide policy enforcement for remote users (see Working with Remote Users, page 83).

In a basic deployment (before the addition of appliance and endpoints), Forcepoint Web Security Cloud operates as a proxy service for HTTP, HTTPS, and FTP over HTTP. This means that the browser does not connect directly to the required server (known as the origin server), but instead connects to a proxy server, which relays the request to the origin server on behalf of the browser. While doing this, the proxy server can examine the request and the response, and make decisions such as whether to allow or block the request.

1. Depending on the browser’s configuration, some requests may still go direct to the origin server. This is indicated in the diagram by the “Local server” box, because typically, such servers are local to the browser, inside the firewall.

2. Proxied HTTP requests are handled by the cloud service, then relayed to the origin server as appropriate.

3. Proxied secure (HTTPS) requests are carried over a tunneled connection. This means that the proxy server connects to the origin server on the browser’s behalf, but takes no further part in the conversation, passing data back and forth transparently.

If you enable SSL decryption, the cloud proxy establishes SSL channels for HTTPS sites. This enables the proxy to serve the correct notification page to the user—for example, a block page if the SSL site is in a category that the end user is prevented from accessing.

To implement this feature for your end users, you need a root certificate on each client machine that acts as a Certificate Authority for SSL requests to the cloud proxy. For more information, see the Forcepoint Security Portal Help.


4. Where the origin server is an FTP server, the Forcepoint Web Security Cloud cloud proxy acts as a gateway, converting the HTTP request sent by the browser into an FTP conversation with the origin server.

Configuring a chained proxy to connect to the cloud service

If your users’ browsers are already configured to connect to a proxy server in your network, you should be able to leave the browsers’ settings unchanged and configure your existing proxy to forward all HTTP, HTTPS, and FTP requests to Forcepoint Web Security Cloud.

● If your proxy is capable of using a PAC file, use the one provided in the Forcepoint Security Portal.

This is ideal, because the Forcepoint Web Security Cloud PAC file changes automatically based on your policy settings.

● Otherwise, download a copy of the PAC file and duplicate its functionality within your proxy configuration.

In this case, you may have to make manual changes to your proxy configuration when your policy settings change.

For more information about chained proxy configurations, see Using Chained Proxies, page 47.

Configuring browsers to use Forcepoint Web Security Cloud


If your browsers are to access the cloud service directly (i.e., not through a chained proxy), we recommend you use a PAC file to configure the browsers. See The Forcepoint Web Security Cloud PAC file, page 10, for more information.

Forcepoint Web Security Cloud has been tested with most commercially available web browsers, but for support purposes we recommend you use one of the following:

● Mozilla Firefox 4 to 40 on all platforms

● Microsoft Internet Explorer 7 through 11 on Microsoft Windows platforms (desktop interface only)

● Safari 3.1 on MacOS X 10.4 (Tiger)

● Safari 5.x on MacOS X 10.6 and 10.7

● Safari 6.x on MacOS X 10.8

● Safari 7.x on MacOS X 10.9

● Safari 8.x on MacOS X 10.10

● Google Chrome 13 to 44


The Forcepoint Web Security Cloud PAC file

A proxy automatic configuration (PAC) file defines how web browsers choose an appropriate proxy for fetching a given URL. PAC files are preferable to configuring browsers manually, because they can be easily deployed and provide more configurable capabilities than a browser’s own settings.

The PAC file contains a number of global settings and allows you to enter exclusions of your own (for example, intranet sites) that should not use the cloud proxy.

All supported browsers have the ability to use PAC files. Users may be instructed how to set this up for themselves. Alternatively, in a Windows environment, you can use an Active Directory Group Policy to configure browsers.

Either way, you must tell the browsers to get their PAC file from the cloud service. When configuring browsers to download the PAC file, you can specify either the standard PAC file or a policy-specific PAC file.
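To illustrate the kind of logic a PAC file carries, the following added example (not the PAC file delivered by the cloud service, and not Forcepoint code) shows a minimal FindProxyForURL with intranet exclusions, plus a small audit helper that lists which sample URLs would bypass the proxy. The proxy address, intranet domain, address range and sample URLs are placeholders, and the helper functions are offline stand-ins for the ones a browser provides.

```javascript
// Added example: placeholders throughout, not values from the cloud service.
var CLOUD_PROXY = "PROXY proxy.example.invalid:8080"; // placeholder proxy
var INTRANET_DOMAIN = ".intranet.example";            // placeholder; note the leading dot
var INTRANET_NET = ["10.0.0.0", "255.0.0.0"];         // placeholder internal range

// --- Stand-ins for helpers that browsers supply to PAC scripts -----------
// They exist here only so the logic can be exercised under Node.js.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Plain suffix comparison, which is how the browser helper behaves.
// Without the leading dot in INTRANET_DOMAIN, "fakeintranet.example"
// would also match and be sent direct.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Offline stand-in: handles IPv4 literals only (a browser would resolve names).
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// --- The PAC logic itself -------------------------------------------------
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names are treated as local servers inside the firewall
  // (an assumption of this example).
  if (isPlainHostName(host)) return "DIRECT";
  // Administrator-defined exclusions: intranet sites that should not use the proxy.
  if (dnsDomainIs(host, INTRANET_DOMAIN)) return "DIRECT";
  if (isInNet(host, INTRANET_NET[0], INTRANET_NET[1])) return "DIRECT";
  // Everything else goes through the proxy.
  return CLOUD_PROXY;
}

// --- Audit helper: review what bypasses the proxy before rollout ----------
function auditPac(urls) {
  return urls.map(function (u) {
    var host = new URL(u).hostname;
    return { url: u, host: host, decision: FindProxyForURL(u, host) };
  });
}

function directHosts(urls) {
  return auditPac(urls)
    .filter(function (r) { return r.decision === "DIRECT"; })
    .map(function (r) { return r.host; });
}

// Constructed sample URLs for the audit (not taken from the guide).
var SAMPLE_URLS = [
  "http://wiki/",
  "http://hr.intranet.example/payroll",
  "http://10.20.30.40/status",
  "https://www.example.com/",
  "http://fakeintranet.example/"
];

auditPac(SAMPLE_URLS).forEach(function (r) {
  console.log(r.host + " -> " + r.decision);
});
```

In a browser the helper functions are built in, so only the constants and FindProxyForURL would appear in an actual PAC file.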

Standard PAC file

When a browser requests a PAC file, if the cloud service knows which policy the requester is using, it delivers the PAC file for that policy; otherwise it delivers a standard PAC file. You can retrieve the standard PAC file directly from the following URL:

http://pac.webdefence.global.blackspider.com:8082/proxy.pac

See the Forcepoint Security Portal Help for further information.

Policy-specific PAC file

If the cloud service knows which policy the requester is using, it delivers the PAC file specific to that policy. Alternatively, you can specify a policy-specific PAC file in the browser configuration. This ensures that the user receives the correct PAC file regardless of location. The policy-specific PAC file URL can be found in the General tab for each policy. It looks something like this:

http://pac.webdefence.global.blackspider.com:8082/proxy.pac?p=xxxxxxxx

Browser-specific PAC file configuration instructions

See the following sections for browser configuration instructions (note that Google Chrome uses the settings configured in Internet Explorer):

● Configuring Mozilla Firefox, page 11

● Configuring Internet Explorer, page 15

● Configuring Safari manually, page 17

You can also install Proxy Connect endpoint client software to ensure all web traffic is routed via the cloud proxy. For more information, see Setting up Forcepoint Web Security Endpoint, page 62.


Enabling cookies

For the best user experience, we recommend that you allow end users’ browsers to accept cookies when using Forcepoint Web Security Cloud. If a browser is unable to accept cookies, or is configured not to accept them, the following features do not work:

● Acceptable Use Policy compliance page

● Web endpoint automatic installation (Proxy Connect only)

● Secure form-based authentication

● Single sign-on using an on-premises identity provider

If any of these features are enabled and cookies are not accepted, the browser may get stuck in a loop between the end user’s requested URL and the relevant Forcepoint Web Security Cloud notification page.

Configuring Mozilla Firefox


To configure Firefox manually

1. From the Firefox menu, select Options > Advanced.

2. Select the Network tab.

3. Under Connection, click Settings.

4. Select Automatic proxy configuration URL.

5. Insert the path to the PAC file.

6. Click Reload.


7. Click OK and click OK again to return to the browser.

Configuring Firefox with Active Directory Group Policy


The following URL contains information and extensions for Firefox and Group Policy Objects (GPO):

http://sourceforge.net/projects/firefoxadm

Warning: Firefox is not the default or supported web browser for a Microsoft Active Directory domain. As a result, to configure this browser through Group Policy, you must install third-party extensions to Group Policy in Active Directory. The following extensions are not supported by Microsoft, nor are they supported and endorsed by Forcepoint.

We strongly recommend that you read all available documentation before installing the Active Directory extensions for Firefox. The above link provides a download of the FirefoxADM, which is a group of Active Directory Group Policy templates. Once you have downloaded the templates, you can install them all. The 2 files that are needed to configure Firefox for Forcepoint Web Security Cloud, however, are:

● firefoxlock.adm, which is the administrative template for locking down Firefox settings. See Turning on Group Policy to configure a web proxy, page 13.

● firefox_startup.vbs, which is the startup script for locking down Firefox settings. See Applying the policy, page 14.

Add these 2 files to AD. They are in the main FirefoxADM folder. You should save and extract these files to an easily accessible folder on the machine that you use to edit/create the GPO.

Turning on Group Policy to configure a web proxy

1. Log on to a directory server in the domain with administrator permissions.

2. Go to Start > Administrative Tools > Active Directory Users and Computers and expand your domain.

3. Right-click the top-level domain or Organizational Unit where the policy should be applied, select Properties, then select the Group Policy tab.

4. Create a GPO and give it a meaningful name (Forcepoint Web Security Cloud, for example).

5. Select the newly created GPO and click Edit. Right-click Administrative Templates from the Computer Configuration options.

6. Choose Add/Remove Templates. Click Add and browse to the folder where you extracted the firefoxlock.adm file.

7. Click the firefoxlock.adm file and select Open.

This installs the firefoxlock.adm template in AD.

8. Click Close in the Add/Remove Templates dialog box, then refresh your view. Under Computer Configuration > Administrative Templates, you should see a new section called Mozilla Firefox Locked Settings.

9. Double-click Mozilla Firefox Locked Settings, then double-click Proxy Settings.


10. Edit the proxy settings to direct the browsers to pick up settings from the PAC file, then select Locked from the Preference State drop-down.

The Automatic Proxy Configuration URL should point at the PAC file you have chosen to use (see The Forcepoint Web Security Cloud PAC file, page 10, for more details).

Applying the policy

1. In the Forcepoint Web Security Cloud GPO, navigate to User Configuration > Windows Settings > Scripts (logon/logoff) and double-click Logon to open the Logon Properties dialog box.

2. Click Show Files to open the location of any logon scripts for this GPO. This is empty, because this is a new GPO. Leave this window open and navigate to the folder where you extracted the firefox_startup.vbs file (this should be the same folder as the firefoxlock.adm file).

3. Copy firefox_startup.vbs to the empty scripts folder you have previously opened. Close both file locations.

4. In the Logon Properties dialog box, select Add to open the Add a Script option.

5. Click Browse and you are shown the file you have just placed in the scripts folder.

6. Select the firefox_startup.vbs script and click Open, then click OK twice to apply this script to the GPO.

Note: Firefox is not native to Active Directory and even though you have installed an administrative template, it may not be applied the next time GP is refreshed. This is why you should use the firefox_startup.vbs script.


The next time users log onto a machine, this logon script directs their Firefox browsers to pick up the Firefox defaults set up in the earlier sections.

Turning off the web proxy using Group Policy

1. Open Active Directory Users and Computers.

2. Right-click the top-level domain or organization where the policy was originally applied, select Properties, then select the Group Policy tab.

3. Select the original GPO (Forcepoint Web Security Cloud) and click Edit.

4. Navigate to User Configuration > Administrative Templates > Mozilla Firefox Default Settings and double-click Proxy Settings.

5. In the Proxy Settings dialog box, select Not Configured then click OK.

This change becomes active next time the client logs on.

Configuring Internet Explorer


Use the steps below to configure Internet Explorer manually. For instructions on using Group Policy, see Turning on Group Policy to configure a web proxy, page 16.

1. Go to Tools > Internet Options and click the Connections tab.

2. Click LAN Settings.

3. Clear Automatically detect settings, if selected.

4. To set up a PAC file, select Use automatic configuration script.

5. Enter the location of the PAC file in the Address field (see The Forcepoint Web Security Cloud PAC file, page 10, for more details).

6. Click OK to return to the Internet Options dialog box.


7. You must now configure settings for VPN and dial-up connections. If you do not, it is likely that users’ browsers will fall back to a direct connection.

From the Connections tab, highlight the connection to be configured and click Settings.

8. Apply the same configuration that you set for the LAN connection, as covered in steps 4-6.

Turning on Group Policy to configure a web proxy


Log on to a server in the domain, and with administrative permissions, open up Administrative Tools > Group Policy Management and expand your domain.

1. Right click the top-level domain or Organizational Unit where the policy should be applied, and select Create and Link a GPO Here.

2. Create a GPO and give it a meaningful name (Forcepoint Web Security Cloud, for example). Click OK.

3. Right-click the new GPO, and select Edit.

4. In the Group Policy Management Editor, go to User configuration > Preferences > Control Panel Settings. Right-click Internet Settings, then select New > Internet Explorer 8.

5. Click the Connections tab.

6. Click LAN Settings.

7. Clear Automatically detect settings, if selected.

8. To set up a PAC file, select Use automatic configuration script.

9. Enter the location of the PAC file in the Address field (see The Forcepoint Web Security Cloud PAC file, page 10, for more details).

10. Once the configuration is complete, click OK.

Web clients using Internet Explorer pick up the settings in this GPO the next time that group policy refreshes, which by default is every 90 minutes for clients and every 5 minutes for Domain Controllers (or the next time a user logs off and on again). You can change the refresh interval in the default domain policy, or force a refresh on a particular client by entering the following at a command prompt:

gpupdate /force

Turning off the web proxy using Group Policy


If the policy needs to be reversed, it is not as simple as removing the GPO that was originally applied. Internet Explorer stores proxy settings in the registry, so when you remove the policy, you keep the same registry settings. It takes another “write” session to re-configure the proxy settings. To achieve this:

1. Log on to a directory server in the domain with administrative permissions.


2. Open Administrative Tools > Group Policy Management and expand your domain.

3. Right-click the original GPO (Forcepoint Web Security Cloud) and select Edit.

4. From User configuration > Windows Settings > Internet Explorer Maintenance, clear Enable Automatic Configuration.

5. From Proxy Settings, clear Enable proxy settings.

6. Click OK and close the GPO.

The clients update the next time Group Policy refreshes. Alternatively, use the command line at a particular client to achieve this manually.

Configuring Safari manually


1. In Safari, go to Safari > Preferences.

2. Click on the Advanced icon.

3. Under Proxies, click Change Settings.

4. For Mac OS 10.5 and under:

■ For the Configure Proxies option, select Using a PAC file.

■ In the PAC file URL field, enter the path to the PAC file (See The Forcepoint Web Security Cloud PAC file, page 10).

■ Click Apply Now.

5. For Mac OS 10.6 and higher:

■ Under Select a protocol to configure, select Automatic Proxy Configuration.

■ In the Proxy Configuration File URL field, enter the path to the PAC file (See The Forcepoint Web Security Cloud PAC file, page 10).

■ Click OK.

6. Close and restart Safari.

Configuring your firewall


The following host and port combinations must be allowed through your firewall in order for Forcepoint Web Security Cloud to manage your traffic.

Port Purpose

8006 Single sign-on authentication with third-party providers.

Port 8006 is available for Oracle Identity Federation, PingFederate, and Microsoft AD FS.

8089 Secure form authentication. This is required if you are using form-based authentication to authenticate end users.

80 Used by:

● The proxy service to manage Internet requests, by default. (Port 8081 may be used as an alternative.)

● Browsers (or proxies) that fetch their PAC file from the cloud service. (Port 8082 may be used as an alternative.)

● Notification page components, including stylesheets and images, served from the cloud platform at http://www.mailcontrol.com. This website is accessed directly (not through the cloud service).

● Unproxied home page (principally for remote users). Although this service is principally for remote users, you may choose to configure all browsers to use this as their home page.

● Checking browser configuration. Users can access a query page to find out whether their browser settings are correct for accessing the proxy.

● PAC file and proxy service for remote users. Remote users should also use the PAC file address for port 80 if requesting access from a network that has port 8081 or 8082 locked down.

443 Service administration. The Security Portal is similarly unproxied. Otherwise, it would be possible for you to accidentally block access and then be unable to rectify the situation.

To guarantee availability, Forcepoint Web Security Cloud uses global load balancing technology to direct traffic across multiple geographic locations. A client using the service looks up the webdefence.global.blackspider.com record. This record resolves to the IP address of the nearest location of the cloud service.

Static users are typically always served by proxies from the cloud service closest to them. In the event of localized or Internet-wide connectivity issues, the global load balancing technology automatically routes requests to the next closest location. To make the most of the resilience offered by this infrastructure, users must be allowed to connect to the entire Forcepoint Web Security Cloud network: those IP addresses that the service uses now and those that may be deployed in the future.

If you decide to lock down your firewall, you should permit all the IP address ranges in use by the cloud service for all the above ports. These ranges are published in a Knowledge Base article called “Cloud Service cluster IP addresses and port numbers.”

Note: Forcepoint is constantly expanding this list as we add new capacity to support our rapidly expanding user base.

If you block port 80, you may want to add an exception for some PCs (those used by your own IT staff) so that they can use the Forcepoint Web Security Cloud performance monitor. This monitor compares performance through the cloud service against direct connection performance. It needs to be able to connect directly to the target sites.

Chapter 4 Deploying an I Series appliance


This chapter describes the deployment of an I Series appliance as part of your Forcepoint Web Security Cloud solution. You can choose to deploy an appliance for all of your web traffic, or as part of a larger solution that combines the different management options available. For example, you may wish to have an appliance on one site, but deploy the PAC file for end users on another site, and install a web endpoint client for roaming users.

For information on other deployment options, see Deploying Forcepoint Web Security Cloud, page 7.

Once you have a cloud service account and have either received your I Series appliance or downloaded the appliance virtual image, you can deploy your appliance by completing the following tasks:

1. Issues to consider before you begin

2. Initial portal settings

3. Appliance setup and configuration

4. Connecting the appliance to your network

5. Registering the appliance

The Quick Start poster, which is packaged in the appliance shipping box, outlines these tasks for the hardware version and includes a section for writing down reference information during deployment.

Recommendations for an evaluation

During the initial stages of an evaluation, it is recommended that you configure all of your IP address ranges as trusted network sources, meaning that the appliance ignores all traffic. You can then test your deployment with a small number of clients before opening it up to all IP addresses and ignoring only those addresses whose traffic you do not want to be analyzed (for example, servers that receive Microsoft and antivirus updates).

Note: Data Security features are not supported with I Series appliances.

Issues to consider before you begin


Consider the following before you begin the deployment:

● If you have a hardware appliance, determine appliance rack location.

● If you are installing the appliance as a virtual machine, ensure the installation machine meets the following requirements:

■ For a Silicom bypass card deployment, the card should be installed on ESXi in VMDirectPath mode. For more information on Silicom card installation, see Silicom card setup, page 28.

■ 6 dedicated CPU cores and at least 12 GB RAM

■ 128 GB hard disk drive

■ The appliance virtual machine can be installed only on VMware vSphere ESXi 5.1, 5.5, or 6.0.

● Determine appliance IP addresses for network deployment. You will require 2 addresses, and it is recommended that you configure 3.

● Determine your directory synchronization policy.

● If you wish to use transparent NTLM authentication for your users, decide whether to connect your appliance to a local Active Directory (see Configuring Active Directory authentication, page 44).

If you plan to use Active Directory authentication, ensure that your appliance hostname complies with Active Directory hostname requirements (see First-Time Configuration Wizard, page 38).

Alternatively you can enter the domain that forms part of your users’ NTLM identity when adding your appliance in the Forcepoint Security Portal.

● It is recommended that you provide a certificate when you add an appliance in the cloud portal, in order to avoid browser warnings regarding SSL termination for block, authentication, or quota/confirm operations. See Generating an appliance certificate.

To use the cloud service SSL decryption feature, you must also install the Forcepoint root certificate on each client machine. See the section “Enabling SSL decryption” in the Forcepoint Security Portal Help.

Note: To use your Active Directory for authentication, the appliance must be able to access the directory’s IP address and ports. You may need to edit an internal firewall setting or LAN routing rules.


● The appliance ships with a pre-installed category database. After appliance setup, an update to this database is initiated. During this update, the appliance can analyze traffic using the pre-installed database. Because this database is out-of-date, traffic analysis may be more accurate after the full update is complete.

A progress message displayed on the Status > General page disappears when the update is complete.

● Browsing with Forcepoint Web Security Cloud via an I Series appliance has been tested with most commercially available web browsers. However, note that using a Windows XP machine with Internet Explorer 8 or below is not recommended, as HTTPS connections are not supported on I Series appliances for this platform and browser.

Initial portal settings


You should have received your Forcepoint Web Security Cloud confirmation email, including a portal user name and temporary password if you are a new cloud services customer, as described in Logging on to the Forcepoint Security Portal. The initial setup involves the following tasks:

1. Run directory synchronization

2. Add new appliance information.

Run directory synchronization


It is recommended that you use directory synchronization to import user and group information from your LDAP directory (for example, Active Directory) into the portal. This is the quickest and easiest way to import end users’ email addresses, as well as NTLM details if you are planning to use NTLM identification.

Forcepoint Web Security Cloud synchronizes with LDAP directories via a client-resident application called the Directory Synchronization Client. Changes made to a directory, such as deleting a former employee or adding a new one, are picked up by the service on the next scheduled update. If you have more than one LDAP directory, the client can merge them together before synchronizing the data with the service.

To set up and run directory synchronization:

1. Log on to the portal from the machine you want to use for directory synchronization.

Note: For alternatives to directory synchronization, see Enabling browsers for NTLM transparent authentication.


2. Go to the Account > Directory Synchronization page.

3. Download and install the appropriate version of the Directory Synchronization Client.

4. In the portal, go to the Account > Contacts page and set up an administrator contact with Directory Synchronization permissions. The logon credentials you define will be used by the Directory Synchronization Client to log onto the manager.

5. Configure the Directory Synchronization Client as described in the Directory Synchronization Client Administrator’s Guide, including the logon credentials you created in the previous step.

6. Once you are ready to synchronize data with the cloud, go back to the Account > Directory Synchronization page.

a. Click Edit.

b. Click Enable directory synchronization.

c. For User policy assignment, select Fixed.

d. For Email new users, define whether synchronized users should receive a notification email from Forcepoint Web Security Cloud.

e. Click Submit when done.

7. Run the synchronization, and check the results both in the client and on the portal:

■ In the client, click on the Groups and Users tabs to view the results.

■ On the portal, go to the Account > Directory Synchronization page. The Recent Synchronizations section shows your recent synchronization history; click the timestamp in the date column to view details about a specific synchronization.

Note: If your LDAP data does not include users’ email addresses, you can change the default attribute for the primary mail value in the Directory Synchronization Client as follows:

● When creating or modifying the Users part of your configuration profile, go to the Data source > LDAP search page in the wizard. Click Advanced to display the Search attributes page.

● In the Primary Mail field, replace %mail% with another attribute.

For example, you could use %userPrincipalName% if configured, or create a ‘fake’ email address using the sAMAccountName such as %sAMAccountName%@mydomain.com.

Add new appliance information

To add your new appliance information in the portal:

1. Go to the Web > Network Devices > Device Management page.

2. Click the New button above the table.

You are taken to the Add Appliance page.

Define general settings

Under General Settings:

1. Use the toggle at the top of the page to indicate whether this appliance is used for filtering (ON is the default). When filtering is set to OFF, the appliance can communicate with the cloud service, but allows all web traffic to pass through unfiltered.

2. Enter a unique appliance Name (1 - 512 alphanumeric characters) and Description (maximum length 1024 characters).

3. Select a Default policy for this appliance, and the Time zone used to apply policy settings.

You will have a chance to apply different policies to different internal networks managed by this appliance later.

4. If you are using transparent NTLM authentication and your appliance is not connected to a local Active Directory instance, enter the Authentication domain that forms part of your users’ NTLM identity. The NTLM domain is the first part of the domain\username with which users log on to their Windows PC; for example, MYDOMAIN\jsmith.

If you have connected your appliance to a local Active Directory for NTLM authentication, this field is not required because the appliance automatically retrieves domain information from the local directory.

5. Select a time period after which a user’s login and password must be revalidated from the Session timeout drop-down list. The default is 1 day.

6. Forward traffic to the cloud for advanced analysis is selected by default. This redirects appropriate traffic to the nearest cloud service data center for additional analysis. Clear this check box if you do not want any traffic to be forwarded to the cloud. All traffic will be analyzed through the appliance, without any cloud analytics.

Important: You must configure your end users’ browsers to support transparent NTLM authentication, either manually or via GPO or similar. See Enabling browsers for NTLM transparent authentication, page 74.


Configure a Certificate Authority

Important: Forcepoint recommends that you define certificates when you add an appliance, in order to avoid browser warnings regarding SSL termination for block, authentication, or quota/confirm operations. Some browsers, for example later versions of Chrome, may block the transaction and display an error message.

Be sure to:

1. Generate a CA certificate. Each appliance should have a valid X.509 identity certificate with an unencrypted key. This certificate can be generated using a variety of tools, for example OpenSSL. For details and an example, see Generating an appliance certificate, page 24.

2. Import this certificate to all relevant browsers.

3. Upload this certificate to each appliance as described below.

To use the cloud service SSL decryption feature, you must also install the Forcepoint root certificate on each client machine. See the section “Enabling SSL decryption” in the Security Portal Help.

Under Certificate Authority:

1. Use the drop-down list to indicate whether to Upload certificate files, or Use default certificate.

2. If you have selected to upload certificate files, click Browse to navigate to the public certificate file, then click Open to populate the Public certificate field.

3. Next, click Browse to navigate to the private key file, then click Open to populate the Private key field. The private key must be in either PEM or .key format.

4. If you have chained certificates, click Browse and navigate to the intermediate certificate, then click Open to populate the Chained certificate field.

The certificate chain should include the root CA, and optionally additional intermediate CAs.

Generating an appliance certificate

Each appliance should have a valid X.509 version 3 identity certificate in PEM format with an unencrypted key. This certificate can be generated using a variety of tools. Below is a simple procedure using OpenSSL to generate a private key and CA that can be used for your appliance.

This section assumes that you are familiar with OpenSSL and have a working OpenSSL installation.

The following OpenSSL statement creates a 2048-bit RSA private key with a password of 1234:

openssl genrsa -passout pass:1234 -des3 -out CA_key_password.pem 2048

You must supply a password, as OpenSSL does not allow the creation of a private key without one. You can then strip the password from the key as follows:

openssl rsa -in CA_key_password.pem -passin pass:1234 -out CA_key.pem

This also renames the private key file from CA_key_password.pem to CA_key.pem.

Finally, use the following statement to create the CA:

openssl req -x509 -days 11000 -new -sha1 -key CA_key.pem -out CA_cert.pem

Note that this command prompts you to input information about different parameters, such as country, state, locality, or your organization’s name.

Once you have created the private key (CA_key.pem) and public certificate (CA_cert.pem), import the certificate to all relevant browsers, and upload the certificate to each appliance using the Certificates tab.
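The three OpenSSL steps above can be run without prompts and then checked against the requirements this section states (PEM encoding, X.509 version 3, unencrypted key), together with a check that the key and certificate belong together. This is an added example, not Forcepoint's own code: the function names are hypothetical, the -subj value is a constructed placeholder, and -sha256 is used in place of the guide's -sha1 so the run does not depend on an OpenSSL build that still permits SHA-1 signing.

```bash
#!/bin/sh
# Added example, not Forcepoint code. File names follow the guide; the -subj
# value is a constructed placeholder and -sha256 replaces the guide's -sha1.

# make_appliance_ca DIR
# Runs the guide's three OpenSSL steps in DIR without interactive prompts.
make_appliance_ca() {
    ca_dir=$1
    # Step 1: 2048-bit RSA key, encrypted with the guide's sample passphrase.
    openssl genrsa -passout pass:1234 -des3 \
        -out "$ca_dir/CA_key_password.pem" 2048 2>/dev/null || return 1
    # Step 2: write the unencrypted copy that is uploaded to the appliance.
    openssl rsa -in "$ca_dir/CA_key_password.pem" -passin pass:1234 \
        -out "$ca_dir/CA_key.pem" 2>/dev/null || return 1
    # Both key files are sensitive: restrict them to the owner.
    chmod 600 "$ca_dir/CA_key.pem" "$ca_dir/CA_key_password.pem" || return 1
    # Step 3: self-signed CA certificate; -subj answers the prompts up front.
    openssl req -x509 -days 11000 -new -sha256 -key "$ca_dir/CA_key.pem" \
        -subj "/C=US/O=Example Org/CN=Example Appliance CA" \
        -out "$ca_dir/CA_cert.pem" 2>/dev/null || return 1
}

# check_appliance_pair KEY CERT
# Prints one line per failed requirement; returns 0 only if every check passes.
check_appliance_pair() {
    chk_key=$1
    chk_cert=$2
    chk_rc=0

    # The key must be unencrypted. Both PEM encodings of an encrypted key
    # ("Proc-Type: 4,ENCRYPTED" and "ENCRYPTED PRIVATE KEY") carry this marker.
    if grep -q 'ENCRYPTED' "$chk_key"; then
        echo "FAIL: private key is passphrase-protected"
        chk_rc=1
    fi

    # The key must load and be internally consistent. The empty -passin stops
    # OpenSSL from prompting if the key turns out to be encrypted.
    if ! openssl rsa -in "$chk_key" -passin pass: -check -noout >/dev/null 2>&1; then
        echo "FAIL: private key does not load as an unencrypted RSA key"
        chk_rc=1
    fi

    # The certificate must be PEM encoded and X.509 version 3.
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$chk_cert"; then
        echo "FAIL: certificate is not PEM encoded"
        chk_rc=1
    fi
    if ! openssl x509 -in "$chk_cert" -noout -text 2>/dev/null | grep -q 'Version: 3 '; then
        echo "FAIL: certificate is not X.509 version 3"
        chk_rc=1
    fi

    # The certificate must still be inside its validity period.
    if ! openssl x509 -in "$chk_cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has expired"
        chk_rc=1
    fi

    # The key must be the one the certificate was issued for: compare the
    # public key derived from each file.
    chk_pub_key=$(openssl pkey -in "$chk_key" -passin pass: -pubout 2>/dev/null) || chk_pub_key=""
    chk_pub_cert=$(openssl x509 -in "$chk_cert" -noout -pubkey 2>/dev/null) || chk_pub_cert=""
    if [ -z "$chk_pub_key" ] || [ "$chk_pub_key" != "$chk_pub_cert" ]; then
        echo "FAIL: private key does not match the certificate"
        chk_rc=1
    fi

    return "$chk_rc"
}

# Usage: sh check_ca.sh CA_key.pem CA_cert.pem
if [ "$#" -eq 2 ]; then
    check_appliance_pair "$1" "$2" && echo "OK: key and certificate meet the stated requirements"
fi
```

Run the check against CA_key.pem and CA_cert.pem before uploading them; pointing it at CA_key_password.pem instead reports the key as passphrase-protected.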

Define internal network settings

The Internal Networks section of the page is used to optionally:

● Assign different policies to different internal networks.

● Identify trusted networks for which incoming or outgoing traffic, or both, should not be analyzed.

● Configure session-based authentication for specific networks.

To begin:

1. Select the Policy Assignment tab and click Add to identify a network to which you want to assign a policy other than the appliance default. In the Add Policy Assignment dialog box:

a. Enter a unique Name for the network.

b. Use the Type list to indicate how you want to identify the network (IP address, Subnet, or IP range).

c. Enter the subnet, address, or range.

d. Select a Policy from the drop-down list.

e. Click Add.

Repeat these steps for each internal network to which you want to assign a policy.

Note that networks (IP address ranges and subnets) may not overlap, and you can assign only one policy to each network.

2. Select the Trusted Networks tab and click Add to identify IP addresses or address ranges whose traffic should not be analyzed. In the Add Trusted Network dialog box:

a. Enter a unique Name for the network.


b. Use the Type list to indicate how you want to identify the network (IP address, Subnet, or IP range).

c. Enter the subnet, address, or range.

d. Indicate whether to Bypass analysis for traffic from this network, Bypass analysis for traffic to this network, or both.

e. Click Add.

Repeat these steps for each internal network whose incoming or outgoing traffic, or both, should not be analyzed.

3. Select the Session-Based Authentication tab and click Add to define network addresses and IP address ranges that should use session-based authentication. The defined addresses will be authenticated based on a cookie sent to the browser on the local machine.

This authentication is valid for the length of time defined in the Session timeout drop-down list (under General).

a. Enter a unique Name for the network.

b. Use the Type list to indicate how you want to identify the network (IP address, Subnet, or IP range).

c. Enter the subnet, address, or range.

d. Click Add.

Repeat these steps for each internal network that will use session-based authentication.

Appliance setup and configuration


Perform the steps below to set up and configure your appliance. The steps for the hardware version are also described, with diagrams, on the Quick Start poster.

1. Either:

■ Verify the contents of the accessory box that was shipped with the appliance. It should include a power cable, an appliance bezel, and a quick start poster.

■ Rack the appliance and plug it in.

Or:

■ Deploy the I Series appliance OVA file on a VMware ESXi workstation server. See Installing the appliance on a virtual machine, page 27.

2. Power the appliance on and allow the boot sequence to complete.

Note: When session-based authentication is enabled, policy SSL decryption rules that apply to sites or categories with the Confirm action are not currently supported.


3. Connect a computer with DHCP enabled (such as a laptop) to the appliance C1 interface. Wait a few moments, until the automatic network setup process is complete, to begin appliance configuration.

4. Log on to the appliance via a web browser connection (https://169.254.0.2). Credentials are admin/admin.

5. Complete the appliance First-Time Configuration Wizard.

6. Log off the appliance and disconnect the computer from the appliance.

Installing the appliance on a virtual machine


Download the OVA file suitable for your deployment from your website account to a local directory. There are 2 ways to install the appliance on a virtual machine:

● With a Silicom bypass card connected to the ESXi host, and with one management NIC. For this scenario, use the OVA file whose name starts with Websense-i500v-dio-bp-InstallImage.

● Without a Silicom card, just using 3 virtual switches. In this scenario, use the OVA file whose name starts with Websense-i500v-InstallImage.

Ensure the installation machine meets the following requirements:

● For a Silicom bypass card deployment, the card should be installed on ESXi in VMDirectPath mode. For more information on Silicom card installation, see Silicom card setup, page 28.

● 6 dedicated CPU cores and at least 12 GB RAM

● 128 GB hard disk drive

● The appliance virtual machine can be installed only on VMware vSphere ESXi 5.1, 5.5, or 6.0.

This section describes how to set up the ESXi machine, and how to install the OVA file.

● Network settings

● Silicom card setup

● Setting up promiscuous mode (no Silicom card)

● Importing the OVA

● Deployment without Silicom card

● Deployment with Silicom card


Network settings

It is recommended that you have dedicated NICs for each of the 3 switches required for the appliance. The B1 WAN and B2 LAN switches must use different physical interfaces.

To create the required network interfaces:

1. In the VMware vSphere Client, select Hosts and Clusters.

2. Select your host and click the Configuration tab.

3. Select Networking in the Hardware section, and click Add Networking.

4. Select a connection type and click Next.

5. Select Create a vSphere standard switch.

6. Select the check boxes for the network adapters that your standard switch will use and click Next.

7. Under Port Group Properties, enter a network label for the management NIC: C1 Management.

8. Click Next.

9. Review your settings and click Finish.

10. Repeat these steps for 2 more switches: B1 WAN (for outgoing traffic) and B2 LAN (for incoming traffic).

Important: Do not use the ESXi management physical interface for the B1 or B2 switch.

Silicom card setup

To set up the Silicom bypass card on the ESXi machine, VMDirectPath technology is required. To use VMDirectPath, verify that the host has Intel® Virtualization Technology for Directed I/O (VT-d) or AMD I/O Virtualization Technology (IOMMU) enabled in the BIOS.

1. In the vSphere Client, go to the Configuration tab and select Advanced Settings in the Hardware section.

2. Click the Edit link.


3. Mark the Silicom card check box. You can identify the Silicom card by checking the device details for the Silicom Subvendor ID, which should be 1374.

4. Click OK.

The message “Changes made to some of the devices below will not take effect until the host is restarted” appears on the Advanced Settings screen.

5. Restart the ESXi host server.


After the restart, the list of Silicom Card NICs should appear on the Advanced Settings screen with green bullets.

Setting up promiscuous mode (no Silicom card)

If you are installing without a Silicom card, you must set the B1 and B2 NICs to be in promiscuous mode:

1. In the vSphere Client, go to the Configuration tab and select Networking in the Hardware section.

2. Click the Properties link for the B1 switch.

3. Select the B1 NIC in the list, then click Edit.


4. On the Security tab, mark Promiscuous Mode, and select Accept from the drop-down list.

Click OK.

5. The B1 NIC properties should now look like this:

Click Close.

6. Repeat steps 2-5 for the B2 NIC.


Importing the OVA

1. In the vSphere Client, go to File > Deploy OVF Template.

2. Browse to the OVA file that you downloaded from your Forcepoint website account, then click Next twice.

3. Enter a name for the I Series appliance VM, then click Next twice.

4. If you set up the network configuration on the ESXi host as described in Network settings, you should see the following screen:

For a VM with Silicom card:


For a VM without Silicom card:

5. Click Next.


6. Click Finish, and wait for the installation to complete.

Deployment without Silicom card

If you have deployed the VM without a Silicom card, you must verify the MAC addresses that have been generated:

1. Initially, no MAC addresses are assigned to the machine NICs. Turn on the new VM, then right-click the VM and select Edit Settings.

Each NIC should now have a MAC address:

2. Confirm that the generated MAC addresses are in alphabetical order, with B1 WAN having the lowest address, followed by B2 LAN and then C1 Management. If this is not the case, change the mapping of your NICs as follows:

a. Select the NIC with the lowest MAC address.

b. Under Network Connection, change the Network label to B1 WAN.


c. Repeat the Network label change for the next lowest MAC address (setting it to B2 LAN) and finally the highest MAC address (setting it to C1 Management).

d. Click OK when done.
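The MAC ordering check in step 2 can be scripted before you edit the VM settings. The following is an added example, not part of the original guide: the function names, adapter names and MAC addresses are constructed for illustration, and it assumes you have copied each NIC's MAC address and current network label from the Edit Settings dialog.

```python
import re

# Network labels in the order the guide requires, lowest MAC address first.
REQUIRED_ORDER = ["B1 WAN", "B2 LAN", "C1 Management"]


def mac_to_int(mac):
    """Normalize a MAC address (':', '-' or '.' separators, any case) to an integer."""
    digits = re.sub(r"[:.\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def plan_relabel(nics):
    """Work out which NICs need a new network label.

    nics maps an adapter name to (mac, current_label).
    Returns {adapter: label_to_set}; an empty dict means the mapping is already correct.
    """
    if len(nics) != len(REQUIRED_ORDER):
        raise ValueError("expected exactly three NICs (B1, B2 and C1)")
    values = {adapter: mac_to_int(mac) for adapter, (mac, _label) in nics.items()}
    if len(set(values.values())) != len(values):
        raise ValueError("two NICs share the same MAC address")
    ordered = sorted(values, key=values.get)  # lowest MAC address first
    changes = {}
    for adapter, wanted in zip(ordered, REQUIRED_ORDER):
        if nics[adapter][1] != wanted:
            changes[adapter] = wanted
    return changes


if __name__ == "__main__":
    # Constructed sample: labels were assigned in adapter order, not MAC order.
    sample = {
        "Network adapter 1": ("00:0c:29:3e:5a:30", "B1 WAN"),
        "Network adapter 2": ("00:0C:29:3E:5A:1C", "B2 LAN"),
        "Network adapter 3": ("00-0c-29-3e-5a-26", "C1 Management"),
    }
    for adapter, label in plan_relabel(sample).items():
        print(f"{adapter}: change Network label to {label}")
```
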

Deployment with Silicom card

If you have deployed the VM with a Silicom card, you should connect the Silicom Card NICs to the new VM as follows:

1. Right-click the new VM, and select Edit Settings.

2. Click Add.

3. Select PCI Device from the Device Type list, then click Next.


4. Choose the first NIC of the Silicom card (this is the first entry displayed on the Configuration tab > Advanced Settings page).

5. Click Next, then click Finish.

6. Repeat steps 2-5 for the second Silicom NIC.


7. Click OK on the Virtual Machine Properties page to see the final result:

First-Time Configuration Wizard


The First-Time Configuration Wizard walks you through some initial settings that are important for appliance operation. You must complete the wizard before you can manage the appliance. Canceling the wizard before completing initial appliance configuration logs you out of the appliance, and any settings you may have entered up to that point are not saved.

Click Next on the Welcome page to start the wizard.

1. On the Hostname page, enter the appliance host name or fully-qualified domain name (FQDN). The name can consist of 1-32 alphanumeric characters, dashes, and periods. It must begin with a letter and cannot end with a period.

The format for an appliance hostname is hostname. You can also use the format hostname.parentdomain.

The format for the FQDN is hostname.parentdomain.com.

If you plan to use Active Directory authentication, the following hostname requirements are enforced:


■ Total length of 2 - 128 alphanumeric characters (including hostname and parent domain name elements; format is hostname.parentdomain)

■ May include dashes, underscores, and periods

■ Must begin with an alphanumeric character

■ Cannot end with a dash, underscore, or period

■ Hostname element length should be between 2 and 15 characters

■ Cannot match any of the following reserved words:

ANONYMOUS, BATCH, BUILTIN, DIALUP, INTERACTIVE, INTERNET, LOCAL, NETWORK, NULL, PROXY, RESTRICTED, SELF, SERVER, SERVICE, SYSTEM, USERS, WORLD

Click Next to continue with the wizard.

2. On the Network Interfaces page:

a. In the Outbound Traffic section, specify the appliance IP address and subnet mask for the network bridge created by the B1 and B2 interfaces. These interfaces are used for all outbound traffic. One interface (B1) handles traffic routed out of your network, and the other (B2) handles traffic to your internal network.

b. To allow appliance management via the B1 and B2 bridge interfaces along with the C1 interface, mark the Allow appliance management access in addition to the C1 interface check box.

c. Provide the IP address and subnet mask for the C1 interface in the Appliance Management section. This interface is used for appliance management functions. This interface can also be used when the B1/B2 bridge interface is in hardware bypass mode.

If you have deployed a virtual appliance that does not include the appliance bypass function, use of the C1 interface for appliance management is optional. If you do not define a C1 management interface, then you must use the B1/B2 bridge interface for management purposes. In this case, the Outbound Traffic section includes a Use this interface for appliance management check box, which is marked and not accessible.

If you do wish to define a C1 management interface, mark the Use a dedicated appliance management IP address check box in the Optional Appliance Management section, and enter the IP address and subnet mask for the C1 interface. The Allow appliance management access in addition to the C1 interface check box is then accessible for marking or clearing.

d. In the DNS Servers section, define a DNS server by entering its IP address in the IP address field and clicking Add. The IP address appears in the DNS Server IP Address list.

You can define up to 3 DNS servers. You cannot define more than one server with the same IP address.

Click Next to continue with the wizard.

3. On the Routing page, specify the IP address of your default gateway for outbound traffic.

The appliance supports the use of a single VLAN tag to identify management communication traffic from the appliance to the cloud and database download services. This tag is also used by any client that communicates with the appliance bridge interface, either explicitly for management purposes or transparently, for example for authentication, or for quota or confirm actions when filtering.

Mark the Use the following VLAN tag check box, then enter the tag in the entry field using a number from 0 to 4094.

Click Next to continue with the wizard.

4. The final page of the wizard summarizes the entries and selections you have made. If you want to change any setting after your review, click Back to access the desired wizard page and edit your settings.

If you are satisfied with your settings, click Finish.

Note: In many cases, you need only a gateway specification on the Routing page. However, there may be cases where explicit or static routing is required. For more information on these scenarios, please see the knowledge article “Configuring routing for I Series appliances”.

If you need to define routing over the bridge interface, please contact Technical Support in the first instance. You can define routing rules over the management interface as follows:

Click Routing Table.

Click Add and then provide the following route information in the Route Properties dialog box:

● Destination network

● Subnet mask for the destination network

● Gateway IP address

● Interface used. In the drop-down list, select either Bridge (B1, B2) or Management (C1).

Note: Ensure you have configured valid routing between any client generating traffic that is intercepted by the appliance and the bridge interface, taking into account the VLAN tag that you define on the Routing page.


You must log off the appliance and log back on for your configuration settings to take effect.

When you log back on, you are prompted to change your initial password (if you have not already done so) and register the appliance with Forcepoint Web Security Cloud. See Registering the appliance for information.
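Because canceling the wizard discards everything entered, it helps to check the planned values against the wizard's stated rules beforehand. The following is an added example, not part of the original guide or the appliance software. It assumes the Active Directory hostname rules replace the general ones when AD authentication is planned, and that reserved words are compared case-insensitively against the hostname element; the function names and sample values are constructed.

```python
import ipaddress
import re

# Reserved words the guide lists for Active Directory hostnames.
AD_RESERVED = {
    "ANONYMOUS", "BATCH", "BUILTIN", "DIALUP", "INTERACTIVE", "INTERNET",
    "LOCAL", "NETWORK", "NULL", "PROXY", "RESTRICTED", "SELF",
    "SERVER", "SERVICE", "SYSTEM", "USERS", "WORLD",
}


def check_hostname(name, active_directory=False):
    """Return the list of rules the name breaks (empty list: acceptable)."""
    problems = []
    if not active_directory:
        # General rule set from the Hostname page.
        if not 1 <= len(name) <= 32:
            problems.append("length must be 1-32 characters")
        if not re.fullmatch(r"[A-Za-z0-9.-]*", name):
            problems.append("only alphanumerics, dashes and periods are allowed")
        if not re.match(r"[A-Za-z]", name):
            problems.append("must begin with a letter")
        if name.endswith("."):
            problems.append("cannot end with a period")
        return problems

    # Rule set enforced when Active Directory authentication is planned.
    if not 2 <= len(name) <= 128:
        problems.append("total length must be 2-128 characters")
    if not re.fullmatch(r"[A-Za-z0-9._-]*", name):
        problems.append("only alphanumerics, dashes, underscores and periods are allowed")
    if not re.match(r"[A-Za-z0-9]", name):
        problems.append("must begin with an alphanumeric character")
    if name.endswith(("-", "_", ".")):
        problems.append("cannot end with a dash, underscore or period")
    host = name.split(".", 1)[0]  # hostname element of hostname.parentdomain
    if not 2 <= len(host) <= 15:
        problems.append("hostname element must be 2-15 characters")
    if host.upper() in AD_RESERVED:  # assumption: case-insensitive comparison
        problems.append(f"hostname element {host!r} is a reserved word")
    return problems


def check_dns_servers(servers):
    """At most 3 DNS servers, each a valid IP address, no address repeated."""
    problems = []
    if len(servers) > 3:
        problems.append("at most 3 DNS servers can be defined")
    seen = set()
    for entry in servers:
        try:
            address = ipaddress.ip_address(entry)
        except ValueError:
            problems.append(f"{entry!r} is not a valid IP address")
            continue
        if address in seen:
            problems.append(f"{entry} is defined more than once")
        seen.add(address)
    return problems


def check_vlan_tag(tag):
    """The Routing page accepts a single VLAN tag from 0 to 4094."""
    if isinstance(tag, bool) or not isinstance(tag, int):
        return ["VLAN tag must be a whole number"]
    return [] if 0 <= tag <= 4094 else ["VLAN tag must be between 0 and 4094"]


if __name__ == "__main__":
    # Constructed sample plan for one appliance.
    plan = {
        "hostname": check_hostname("server.corp.example", active_directory=True),
        "dns": check_dns_servers(["10.0.0.1", "10.0.0.2", "10.0.0.1"]),
        "vlan": check_vlan_tag(4095),
    }
    for field, problems in plan.items():
        for problem in problems:
            print(f"{field}: {problem}")
```
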

Connecting the appliance to your network


Connect the appliance to your network. The appliance must have at least a valid connection to the cloud service for registration and the subsequent database update to succeed. You can choose either of the following methods:

● Install the appliance in your network and then register it with the cloud service. The appliance operates as a simple network bridge, forwarding all traffic, until registration is complete.

● Install the appliance offline, with only the B1 interface connected to the network to allow an upstream connection to the cloud service. Once registration is complete and the appliance is fully set up, you can connect it to the rest of your network.

The sample diagram shows a possible deployment:

Note: If you are unable to access the appliance, you can connect to the appliance manager interface at any time using the C1 interface via https://169.254.0.2.


Configuring your firewall


If your network includes a firewall, by default your appliance is configured to use the standard destination TCP ports 80 and 443 for connections to the cloud service. Ensure these ports are open.

Alternatively and depending on your corporate firewall policy, you can configure your appliance to use the following ports, which are the ones used for non-appliance connections to the cloud service:

Port    Purpose

8002    Configuration and policy update information retrieval from Forcepoint Web Security Cloud. This port must be open for an I Series appliance to retrieve periodic configuration and policy updates from the cloud service.

8081    Proxy service. This is where the cloud-based content analysis is provided.

80      Notification page components. The default notification pages refer to style sheets and images served from the Forcepoint Web Security Cloud cloud platform. For these pages to appear correctly, this Web site is accessed directly (i.e., not through the cloud service). This port should also be opened for standard web traffic that does not need to be sent to the cloud for further analysis.

443     Service administration. The Security Portal is similarly unproxied. Otherwise, it would be possible for you to accidentally block access and then be unable to rectify the situation. This port should also be opened for standard secure web traffic that does not need to be sent to the cloud for further analysis, and for database updates.

You can switch between the standard and alternative ports at any time using the appliance command-line interface (CLI). To switch port settings:

1. On the appliance machine, open a command-line window.

2. Type device.

cmd> device

3. Type one of the following:

device> use_standard_ports yes

for the standard ports 80 and 443

device> use_standard_ports no

for the alternative ports 8002 and 8081, plus 80 and 443

The CLI returns the confirmation Done when the ports have been switched. If the ports are already set to the option you specify, the CLI returns Not changed.

You must also open outbound UDP port 123 to enable the appliance to synchronize its clock with the Network Time Protocol.

To guarantee availability, Forcepoint Web Security Cloud uses global load balancing technology to direct traffic across multiple geographic locations. Content analysis is typically always performed by proxies from the cloud service closest to the end user. In the event of localized or Internet-wide connectivity issues, the global load balancing technology automatically routes requests to the next closest location. To make the most of the resilience offered by this infrastructure, users must be allowed to connect to the entire cloud service network, both those IP addresses that the service uses now and those that may be deployed in the future.

If you decide to lock down your firewall, you should permit all the IP address ranges in use by the Forcepoint cloud service for all the above ports. These ranges are published in a Knowledge Base article called “Cloud Service cluster IP addresses and port numbers.” Note that you need to log on to your Forcepoint website account to view this article.
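After changing firewall rules, you can confirm from a workstation behind the same firewall that the TCP ports for the chosen use_standard_ports setting are open outbound. The following is an added example, not a Forcepoint tool: the function names are constructed, and the destination host is a placeholder that you replace with an address from the Knowledge Base article named above. It does not probe UDP port 123.

```python
import socket

# TCP port sets from this section, keyed by the use_standard_ports setting.
STANDARD_TCP = (80, 443)
ALTERNATIVE_TCP = (8002, 8081, 80, 443)


def required_tcp_ports(use_standard_ports):
    """Ports the firewall must allow outbound for the selected mode."""
    return STANDARD_TCP if use_standard_ports else ALTERNATIVE_TCP


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, or name not resolved
        return False


def egress_report(host, use_standard_ports, probe=tcp_reachable):
    """Probe every required port; returns {port: reachable}."""
    return {port: probe(host, port) for port in required_tcp_ports(use_standard_ports)}


def blocked_ports(report):
    """Sorted list of ports that could not be reached."""
    return sorted(port for port, ok in report.items() if not ok)


if __name__ == "__main__":
    # Placeholder destination: substitute a cloud service address from the
    # "Cloud Service cluster IP addresses and port numbers" article.
    destination = "cloud-service.example"
    for standard in (True, False):
        report = egress_report(destination, use_standard_ports=standard)
        mode = "yes" if standard else "no"
        blocked = blocked_ports(report)
        status = "all open" if not blocked else f"blocked: {blocked}"
        print(f"use_standard_ports {mode}: {status}")
```
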

Registering the appliance


In order to manage your appliance, you must change the initial password and register the appliance with Forcepoint Web Security Cloud.

When you log back in to the appliance after completing the First-Time Configuration Wizard, the initial screen lets you change the initial password, if you have not already done so, in the Administrator Credentials box. If you changed the password before completing the wizard, the Administrator Credentials box does not appear on this page when you log back in.

This initial page also lets you enter your Forcepoint Web Security Cloud registration key. To register your appliance:

1. Log on to the Security Portal and select Web > Network Devices.

2. Select the row that contains this appliance.

3. Click Register at the bottom of the page to open the Register Appliance box.

4. Copy the displayed registration key and click Close.

5. Return to the appliance manager and paste the key into the Registration key field.

6. Click OK.

At this point, an update to the pre-installed Web category database begins. During this update, the appliance can analyze traffic using the pre-installed database. Note that this database is out-of-date, and analysis may be more accurate after the update process completes.

A download progress message appears on the Status > General page. This message disappears when the update is complete.


Browser support


Forcepoint Web Security Cloud has been tested with most commercially available web browsers, but for support purposes we recommend you use one of the following:

● Mozilla Firefox 4 to 40 on all platforms

● Microsoft Internet Explorer 7 through 11 on Microsoft Windows platforms (desktop interface only)

● Safari 3.1 on MacOS X 10.4 (Tiger)

● Safari 5.x on MacOS X 10.6 and 10.7

● Safari 6.x on MacOS X 10.8

● Safari 7.x on MacOS X 10.9

● Safari 8.x on MacOS X 10.10

● Google Chrome 13 to 44

When using a Windows XP machine with Internet Explorer 8 or below, HTTPS connections are not supported on I Series appliances.

Configuring Active Directory authentication


Use the appliance Configuration > System page to connect to an Active Directory server for transparent NTLM authentication. When this screen first opens, the status under Active Directory Authentication is Disconnected, and a button labeled Connect is available.

To establish a connection to an Active Directory server for authentication:

1. Click Connect.

2. In the Active Directory Authentication dialog, enter the following server information in the appropriate fields:

■ Domain name

■ Active Directory administrator name

■ Active Directory administrator password

Note that this password is used only for establishing the server connection. The contents of this field are not stored anywhere in the system.

3. Indicate how the system finds the domain controller by selecting 1 of the following options:

■ Auto-detect using DNS

■ Enter a domain controller name or IP address.

You can specify backup servers in a comma-separated list.


4. Click OK.

The connection cannot be made if the server hostname does not adhere to Active Directory naming restrictions. See First-Time Configuration Wizard, page 38, for a detailed list of Active Directory hostname requirements.

After a connection is successfully established, the button name changes from Connect to Disconnect.

Running diagnostics


The Diagnostics tab on the appliance Status > Alerts and Diagnostics page provides the capability to run a series of system tests to determine the current state of the cloud service. As a best practice, it is recommended that you run these tests when you first deploy an appliance, and if you encounter any connectivity issues.

The first time you open the Diagnostics tab, a table shows a list of the tests to run. The tests include, for example, a status check of the network interfaces, the default gateway, your DNS servers, or the cloud connection.

Click Run Diagnostics to start the tests. The Results column displays test status (In progress) and results (Passed, Failed, or Could not complete). For tests that do not complete or fail, the Details column displays more information, including suggestions for resolving the issue that caused the failure.

Each time you open the Diagnostics tab thereafter, the results of the last test run appear, along with the date/time of those tests.

Monitoring appliance traffic

The capability to monitor appliance traffic for troubleshooting purposes is available via the appliance command-line interface (CLI). Access the traffic monitor using the following commands:

cmd> status

status> monitor

Then run the monitor using the monitor command and its arguments:

monitor <arguments>

Other command options let you configure default display attributes for the log entries as well as display custom attribute combinations and protocols. A Knowledge Base article provides detailed information about the CLI monitor command options.


Using Forcepoint Web Security Endpoint with an appliance


If some of your end users have the Proxy Connect Forcepoint Web Security Endpoint installed, perhaps because they often work remotely, you can set up your appliance to handle endpoint traffic in one of the following ways when those end users are at a site served by an appliance:

● Ignore all traffic generated by an endpoint client. This means that endpoint users are effectively treated as roaming users even when on-site.

● Manipulate PAC file requests from endpoint clients and ensure that endpoint traffic goes direct through the appliance rather than via the cloud service proxy. This means that end users have less latency and get a better user experience.

Both of these configurations must be enabled by Technical Support; please contact Support for further information.

The Direct Connect Forcepoint Web Security Endpoint does not currently analyze browsing that takes place behind appliances.

Chapter 5 Using Chained Proxies

Forcepoint Web Security Cloud has been tested with a number of commercially available proxies in chained proxy configuration. For support purposes, if chained proxy is your chosen deployment method, using one of the following is recommended:

● Microsoft ISA Server or Forefront TMG, page 47

● Blue Coat ProxySG, page 53

● Squid Proxy, page 56

Microsoft ISA Server or Forefront TMG


A Microsoft® Internet Security and Acceleration (ISA) Server or Forefront™ Threat Management Gateway (TMG) server can be deployed as a downstream proxy with Forcepoint Web Security Cloud. You can configure proxy chaining in the following ways:

● Basic chaining. The ISA server does not perform any authentication before forwarding requests to the cloud proxy. The cloud proxy can perform manual authentication only.

● NTLM pass-through. The ISA server is aware of a requirement for NTLM identification but takes no part in the authentication, forwarding requests to the cloud proxy which then performs NTLM identification.

● X-Authenticated-User. The ISA server performs user authentication and forwards requests to the cloud proxy using the X-Authenticated-User header.

Note: This chapter is not applicable if you are deploying Forcepoint Web Security Cloud with an I Series appliance.


In this guide, “ISA/TMG” refers to ISA Server and Forefront TMG collectively. When instructions or information differ for the two products, they are referred to specifically as “ISA Server” or “Forefront TMG”.

Basic chaining


To set up your ISA/TMG server to chain with the upstream cloud proxy, follow the instructions below.

1. Log on to the ISA/TMG server and open the Server Management console.

2. Under Configuration, open the Networks option and select the Web Chaining tab. Under this tab a default rule is present. Leave this as it is.

3. Click the Tasks tab, then click the Create New Web Chaining Rule link to start the wizard.

4. Give the rule a meaningful name such as Forcepoint Web Security Cloud, and click Next.

5. In the next section, choose the destinations to which this rule applies (in most cases, it applies to external networks).

6. Click Add and select the appropriate network.

7. Click Next to specify how requests are to be handled. This is where you specify that requests be sent to an upstream server (i.e., Forcepoint Web Security Cloud).

8. Select Redirect requests to a specified upstream server and click Next.


9. On the Primary Routing page, specify the address of the Forcepoint Web Security Cloud service: webdefence.global.blackspider.com

10. Specify port 8081 for both Port and SSL. Click Next.

11. On the Backup Action page, select the appropriate action for your organization. Your choice depends on whether you are willing to allow requests to be served directly, without using Forcepoint Web Security Cloud. Click Next.

12. Review your settings and click Finish.

Configuring exceptions


If there are any hosts that you do not want to use the proxy service, you must configure an exception for them. Minimally, you should add those hosts that are in the PAC file that is downloaded from the Forcepoint Web Security Cloud service (see The Forcepoint Web Security Cloud PAC file, page 10, for more details).

You should also configure direct access to the Forcepoint Security Portal to allow the following:

● Correct display of block pages

● End-user self-registration

If you are using the roaming user home page, it should also be configured as an exception. The URL is:

http://home.webdefence.global.blackspider.com/


1. To configure exceptions, click Firewall Policy, then select Network Objects from the Toolbox.

2. Right-click Domain Name Sets and click New Domain Name Set.

3. Give the new set a name (e.g., Forcepoint Web Security Cloud Unproxied).

In the Domain names included in this set section, add all Forcepoint Web Security Cloud global exceptions (from the Forcepoint Web Security Cloud PAC file). These include the following Microsoft Windows update sites:

download.microsoft.com
ntservicepack.microsoft.com
cdm.microsoft.com
wustat.windows.com
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
update.microsoft.com
*.update.microsoft.com
*.windowsupdate.com

Also, add the following cloud service sites:

www.blackspider.com

mailcontrol.com

home.webdefence.global.blackspider.com

webdefence.global.blackspider.com

Include any other exceptions appropriate for your environment.

4. Click OK and Apply changes.

5. Navigate back to the proxy chaining policy you created above, open the policy and click the To tab.

6. In the Exceptions section, click Add.

7. Expand Domain Name Sets, select the domain set you just created (Forcepoint Web Security Cloud Unproxied), and click Add.

8. Click Close on Add Network Entities.

9. Click OK on the web chaining policy and Apply the changes.


Configuring NTLM pass through


To chain your ISA/TMG server with the cloud proxy and perform NTLM identification:

1. Follow the steps in Basic chaining, page 48.

2. Log on to the Security Portal.

3. Select Web > Policy Management > Policies > policy name > Access Control.

4. Select Authenticate users on first access, then select NTLM transparent identification where possible. For more information, see NTLM identification in the Cloud Security Help.

5. Click Save.

Configuring X-Authenticated-User chaining


You can pass authentication details from your ISA/TMG server to the cloud proxy via a plug-in from Forcepoint LLC. This plug-in allows the cloud proxy to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream ISA/TMG server as part of a proxy chained configuration.

Header                  Description

X-Forwarded-For         Contains the client IP address

X-Authenticated-User    When ISA authentication is turned on, this header will be populated with the user domain and username (domain\user).

With this setup, end users can be authenticated transparently by the cloud proxy, removing an authentication step and improving performance.

Two versions of the plug-in are available, for 32-bit ISA servers and 64-bit TMG servers. Zip files for both versions are available for download:

1. Log on to your Forcepoint website account.

2. Select the Downloads tab.

3. Select Forcepoint Web Security Cloud from the Product drop-down list.

4. In the list that appears, expand TMG 64-bit plugin for Content Gateway or ISA 32-bit plugin for Content Gateway to see the download details. You will need to scroll down to older product versions to see the ISA 32-bit plug-in. Click the download link to start the download.

Install the plug-in as follows:

1. Copy the appropriate Websense-AuthForward.dll file (for 32-bit or 64-bit) to the Microsoft ISA/TMG installation directory. The default directory for this file is C:\Program Files\Microsoft ISA Server for ISA server, or C:\Program Files\Microsoft Forefront Threat Management Gateway for Forefront TMG.

For the 32-bit version, install the following files in the installation directory in addition to Websense-AuthForward.dll:

msvcp100.dll
msvcr100.dll

2. Open a Windows command prompt and change directory to the installation directory.

3. From the command prompt, type

regsvr32 Websense-AuthForward.dll

4. Verify the plug-in was registered in the ISA/TMG management user interface (Start > Programs > Microsoft ISA Server > ISA Server Management, or Start > Programs > Microsoft Forefront TMG > Microsoft Forefront TMG Management). In the Configuration (for 32-bit) or System (for 64-bit) section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.

To uninstall the plug-in, run the following command in a Windows command prompt from the ISA/TMG installation directory.

regsvr32 /u Websense-AuthForward.dll

Blue Coat ProxySG


Blue Coat ProxySG can be deployed as a downstream proxy with Forcepoint Web Security Cloud. You can configure proxy chaining in the following ways:

● Basic chaining. The Blue Coat server does not perform any authentication before forwarding requests to the cloud proxy. The cloud proxy can perform manual authentication only.

● NTLM pass-through. The Blue Coat server takes no part in authentication, forwarding requests to the cloud proxy which then performs NTLM identification.

● X-Authenticated-User. The Blue Coat server performs user authentication and forwards requests to the cloud proxy using the X-Authenticated-User header.

Basic chaining


In this case, Blue Coat ProxySG forwards requests to the cloud proxy but performs no authentication. End users can be authenticated using manual authentication only: prompting users for a user name and password the first time they access the Internet through a browser.

Use the Blue Coat Management Console to forward requests to the cloud proxy as follows:


1. In the Blue Coat Management Console Configuration tab, select Forwarding > Forwarding Hosts.

2. Select Install from Text Editor from the drop-down, and then click Install.

3. Update the Forwarding Hosts configuration file to point an alias name to webdefence.global.blackspider.com, port 8081. For example, if you choose the alias name Forcepoint_Proxy, enter the following at the end of the “Forwarding host configuration” section:

fwd_host Forcepoint_Proxy webdefence.global.blackspider.com http=8081

4. Add the following to the end of the ‘Default fail-over sequence’ section:

sequence alias name

replacing alias name with the alias name that you chose in step 3.

5. When you have finished editing, click Install.

6. In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch.

7. In the Policy menu, select Add Forwarding Layer and enter an appropriate policy name in the Add New Layer dialog box.

8. Select the Forwarding Layer tab that is created. The Source, Destination, and Service column entries should be Any (the default).

9. Right-click the area in the Action column, and select Set.

10. Select the alias name that you created (for example, Forcepoint_Proxy) from the list, and click OK.

11. Right-click the alias name in the Action column and select Edit.

12. Choose the forwarding behavior if your Blue Coat proxy cannot contact the cloud proxy: either to connect directly, or to refuse the browser request.

13. Click OK.

14. Click Install Policy in the Blue Coat Visual Policy Manager.

NTLM chaining


To chain Blue Coat ProxySG with the cloud proxy and perform NTLM identification:

1. Follow the steps in Basic chaining, page 53.

2. Log on to the Forcepoint Security Portal.

3. Go to the Web > Policy Management > Policies page, then select a policy.

4. Click the Access Control tab for the policy.

5. Select Always authenticate users on first access, then select NTLM transparent identification where possible. For more information, see NTLM identification in the Forcepoint Security Portal Help.

6. Click Save.


X-Authenticated-User chaining


You can pass authentication details from your Blue Coat proxy to the cloud proxy in X-Forwarded-For and X-Authenticated-User headers, either by manually editing a policy text file or by defining the policy in Blue Coat Visual Policy Manager.

With this setup, end users can be authenticated transparently by the cloud proxy, removing an authentication step and improving performance.

Note that for Blue Coat to service HTTPS requests properly with the following setup, you must have a Blue Coat SSL license and hardware card.

Editing the local policy file

In the Blue Coat Management Console Configuration tab, click Policy in the left column and select Policy Files. Enter the following code in the current policy text file, using an Install Policy option:

<Proxy>

action.Add[header name for authenticated user](yes)

define action Add[header name for authenticated user]

set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")

end action Add[header name for authenticated user]

action.Add[header name for client IP](yes)

define action Add[header name for client IP]

set(request.x_header.X-Forwarded-For,$(x-client-address))

end action Add[header name for client IP]

Using the Blue Coat graphical Visual Policy Manager

Before you configure the Blue Coat header policy, ensure that NTLM authentication is specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO). Set Forcepoint Web Security Cloud as the forwarding host (in the Blue Coat Management Console Configuration tab, Forwarding > Forwarding Hosts). The address of the Forcepoint Web Security Cloud service is webdefence.global.blackspider.com, port 8081.

X-Forwarded-For: Contains the client IP address.

X-Authenticated-User: When Blue Coat authentication is turned on, this header will be populated with the user domain and username (domain\user).

In the Blue Coat Management Console Configuration tab, click Policy and select Visual Policy Manager. Click Launch and configure the header policy as follows:

1. In the Policy menu, select Add Web Access Layer and enter an appropriate policy name in the Add New Layer dialog box.

2. Select the Web Access Layer tab that is created.

3. The Source, Destination, Service, and Time column entries should be Any (the default).

4. Right-click the area in the Action column, and select Set.

5. Click New in the Set Action Object dialog box and select Control Request Header from the menu.

6. In the Add Control Request Header Object dialog box, enter a name for the client IP Action object in the Name entry field.

7. Enter X-Forwarded-For in the Header Name entry field.

8. Select the Set value radio button and enter the following value:

$(x-client-address)

9. Click OK.

10. Click New and select Control Request Header again.

11. In the Add Control Request Header Object dialog box, enter a name for the authenticated user information Action object in the Name entry field.

12. Enter X-Authenticated-User in the Header Name entry field.

13. Select the Set value radio button and enter the following value:

WinNT://$(user.domain)/$(user.name)

14. Click OK.

15. Click New and select Combined Action Object from the menu.

16. In the Add Combined Action Object dialog box, enter a name for a proxy chain header in the Name entry field.

17. In the left pane, select the previously created control request headers and click Add.

18. Select the combined action item in the Set Action Object dialog box and click OK.

Click Install Policy in the Blue Coat Visual Policy Manager.

Squid Proxy

Forcepoint Web Security Cloud supports the configuration of a chained Squid open source downstream proxy, in the following cases:

● Basic chaining

● For policies where NTLM is enabled and end users are asked to authenticate for Forcepoint Web Security Cloud

The Squid proxy must be version 3.1.5 or later.

Basic chaining

In this case, Squid forwards requests to the cloud proxy but performs no authentication. End users can be authenticated using manual authentication only: prompting users for a user name and password the first time they access the Internet through a browser.

Configure Squid to forward requests to the cloud proxy as follows:

1. Define one or more ACLs to identify sites that should not be filtered through Forcepoint Web Security Cloud. These must include certain service-specific sites, and should include any other sites that are not normally handled through the cloud service. You can identify these sites by examining the service-generated PAC file available at http://pac.webdefence.global.blackspider.com:8082/proxy.pac.

You should also configure direct access to the Security Portal to allow the following:

■ Correct display of block pages

■ End-user self-registration

The roaming user home page (http://home.webdefence.global.blackspider.com/), if used, should also be configured as an ACL.

The following sites must be included in the ACLs:

acl WBSN dstdomain .mailcontrol.com

acl WBSN dstdomain www.blackspider.com

acl WBSN dstdomain webdefence.global.blackspider.com

always_direct allow WBSN

2. Force all other sites to use the cloud proxy as follows:

never_direct allow all

3. Tell Squid the location of the upstream cloud proxy:

cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest

NTLM chaining

The Squid proxy performs local NTLM identification, then forwards the appropriate Proxy-Authorization headers as an NTLM Type 3 message to the cloud proxy for further transparent user authentication. Squid can maintain multiple connections to the cloud proxy, allowing the sharing of connections across users but ensuring that each request is associated with the correct user. When Squid reassigns a connection to another user, only then is a new Proxy-Authorization header sent for that user.

To use this setup, configure Squid to do the following:

1. Perform NTLM authentication.

2. Forward requests to the cloud proxy.

3. Forward user information to the cloud proxy.

Configuring Squid for NTLM authentication

To configure Squid to perform NTLM authentication of users, refer to the Squid documentation:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Forwarding requests to the cloud proxy

To configure Squid to forward requests to the cloud proxy:

1. Define one or more ACLs to identify sites that should not be filtered through Forcepoint Web Security Cloud. These must include certain service-specific sites, and should include any other sites that are not normally handled through the cloud service. You can identify these sites by examining the service-generated PAC file available at http://pac.webdefence.global.blackspider.com:8082/proxy.pac.

The following sites must be included in the ACLs:

acl WBSN dstdomain .mailcontrol.com

acl WBSN dstdomain www.blackspider.com

acl WBSN dstdomain webdefence.global.blackspider.com

always_direct allow WBSN

2. Force all other sites to use the cloud proxy as follows:

never_direct allow all

3. Tell Squid the location of the upstream cloud proxy:

cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest

Forwarding user information to the cloud proxy

To configure Squid to forward user information, add the login=PASS option to the cache_peer line:

cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest login=PASS
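
The Squid steps for basic chaining and NTLM chaining above can be checked mechanically before the configuration is reloaded. The following Python script is an added example, not part of the Forcepoint guide or of Squid; the function names and the two sample configurations are constructed for illustration.

```python
# Audit a squid.conf for the chaining directives listed in this guide.
CLOUD_PROXY = "webdefence.global.blackspider.com"
CLOUD_PORT = "8081"
# Destinations the guide says must bypass the cloud proxy (step 1).
REQUIRED_DIRECT = {".mailcontrol.com", "www.blackspider.com", CLOUD_PROXY}
# cache_peer options shown in the guide (step 3).
PEER_OPTIONS = ("no-query", "default", "no-digest")


def parse_directives(conf_text):
    """Return one token list per active directive; comment lines are skipped."""
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directives.append(line.split())
    return directives


def audit_chaining(conf_text, ntlm=False):
    """Return a list of findings; an empty list means every step is present."""
    d = parse_directives(conf_text)
    findings = []

    # Step 1: collect dstdomain ACLs, then see which are sent direct.
    acl_domains = {}
    for t in d:
        if len(t) >= 4 and t[0] == "acl" and t[2] == "dstdomain":
            acl_domains.setdefault(t[1], set()).update(t[3:])
    covered = set()
    for t in d:
        # Only single-ACL rules are counted: several ACLs on one line are
        # ANDed by Squid and would match less than any one of them.
        if t[:2] == ["always_direct", "allow"] and len(t) == 3:
            covered |= acl_domains.get(t[2], set())
    for dom in sorted(REQUIRED_DIRECT - covered):
        findings.append(f"step 1: {dom} is not covered by always_direct")

    # Step 2: everything else must go through the parent proxy.
    if ["never_direct", "allow", "all"] not in d:
        findings.append("step 2: 'never_direct allow all' is missing")

    # Step 3: the parent must be the cloud proxy on port 8081.
    peers = [t for t in d if t[0] == "cache_peer" and len(t) >= 5
             and t[1:4] == [CLOUD_PROXY, "parent", CLOUD_PORT]]
    if not peers:
        findings.append(f"step 3: no cache_peer parent {CLOUD_PROXY}:{CLOUD_PORT}")
    for t in peers:
        opts = t[5:]  # t[4] is the ICP port (0 in the guide)
        for opt in PEER_OPTIONS:
            if opt not in opts:
                findings.append(f"step 3: cache_peer lacks {opt}")
        # NTLM chaining only: user information must be passed upstream.
        if ntlm and "login=PASS" not in opts:
            findings.append("NTLM: cache_peer lacks login=PASS")
    return findings


# Constructed sample: the basic chaining configuration from this guide.
BASIC_CONF = """\
acl WBSN dstdomain .mailcontrol.com
acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
never_direct allow all
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest
"""

# Constructed sample with typical mistakes: one ACL line commented out,
# never_direct forgotten, and no-digest dropped from cache_peer.
BROKEN_CONF = """\
acl WBSN dstdomain .mailcontrol.com
#acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default
"""

if __name__ == "__main__":
    for label, conf, ntlm in (("basic", BASIC_CONF, False),
                              ("broken, NTLM", BROKEN_CONF, True)):
        print(label, audit_chaining(conf, ntlm=ntlm) or "OK")
```

Running the audit with ntlm=True against a basic chaining configuration reports the missing login=PASS, which is the only difference between the two setups.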

6

Adding IP Addresses to Your Policy

When a Forcepoint Web Security Cloud proxy receives a request, its first task is to identify the correct policy to use. First, it checks the IP address that is the source of the request. Typically, this is the external IP address of your firewall. If this IP address matches a proxied connections setting in a policy, that policy is used.

Alternatively, the cloud service attempts to authenticate the user. This may take various forms, including (but not limited to):

● If you have deployed Proxy Connect endpoint, the endpoint passes authentication details to the cloud proxies, enabling the cloud service to associate the correct policy with the user.

● With secure form authentication or basic authentication, the user is prompted to provide credentials, which are used to identify the correct policy.

● If you are using I Series appliances, the user’s NTLM identity may be used in transparent authentication.

Initial settings

When you first access the Forcepoint Security Portal, the Web > Policy Management > Policies page lists a single policy called DEFAULT. Initially, this policy has no proxied connections. It is possible to use the cloud service like this, but it may be inconvenient because users always have to authenticate and you have to manually invite each user to register on the service.

Note: This chapter is not applicable if you are deploying Forcepoint Web Security Cloud with an i-Series appliance.

Policy selection by IP address

There are two reasons for allowing policy selection by IP address:

● To allow users to use the service anonymously, without having to authenticate.

● To provide different policies for parts of your organization, as identified by IP address. This is typically used by remote offices with their own Internet gateway and can be used, for example, to delegate user administration and reporting to local support personnel.

To add IP addresses to your policy:

1. Log on to the Security Portal.

2. Go to the Web > Policy Management > Policies page.

3. Select the DEFAULT policy.

4. Select the Connections tab.

5. Click Add under Proxied Connections.

6. Enter a Name and Description for the connection.

7. Select the connection type. A proxied connection can be an IP address, an IP range, or an IP subnet.

8. Enter the IP address, range, or subnet details.

9. Define the connection’s time zone.

Each proxied connection has a time zone setting.

■ If you have a single policy for multiple Internet gateways in different countries, you may want to set each to a different time zone.

■ If all connections are in the same time zone, it is easier to set the time zone for the whole policy on the General tab and select the “use policy time zone” option.

10. Click Submit.
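
Before entering proxied connections for several policies, it helps to confirm offline that each gateway's external address falls in exactly one entry. The following Python script is an added example, not Forcepoint code: it is a local planning model of the source-IP check described in this chapter, covering the three connection types. The "first-last" range notation, the function names, and the sample policies and addresses are assumptions, and a result of None stands for the fallback to user authentication.

```python
import ipaddress

# Constructed sample entries: (policy, connection name, type, value).
# Addresses are taken from the reserved documentation ranges.
CONNECTIONS = [
    ("DEFAULT", "HQ firewall", "address", "203.0.113.10"),
    ("DEFAULT", "HQ pool", "range", "203.0.113.20-203.0.113.29"),
    ("BRANCH", "Branch gateway", "subnet", "198.51.100.0/28"),
    ("BRANCH", "Branch spare", "range", "203.0.113.25-203.0.113.40"),
]


def bounds(kind, value):
    """Return the (first, last) addresses covered by one proxied connection."""
    if kind == "address":
        ip = ipaddress.ip_address(value)
        return ip, ip
    if kind == "range":
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-"))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {value}")
        return first, last
    if kind == "subnet":
        # strict=True rejects a subnet typed with host bits set.
        net = ipaddress.ip_network(value, strict=True)
        return net[0], net[-1]
    raise ValueError(f"unknown connection type: {kind}")


def select_policy(source_ip, connections):
    """Return the policy whose proxied connection contains source_ip.

    None means no connection matched, so the request would go on to
    user authentication instead.
    """
    ip = ipaddress.ip_address(source_ip)
    for policy, _name, kind, value in connections:
        first, last = bounds(kind, value)
        if first.version == ip.version and first <= ip <= last:
            return policy
    return None


def find_overlaps(connections):
    """Return name pairs of connections in different policies that intersect.

    This chapter does not say how such a clash would be resolved, so the
    model reports it for the administrator to fix before submitting.
    """
    spans = [(p, n, *bounds(k, v)) for p, n, k, v in connections]
    clashes = []
    for i, (p1, n1, lo1, hi1) in enumerate(spans):
        for p2, n2, lo2, hi2 in spans[i + 1:]:
            same_family = lo1.version == lo2.version
            if p1 != p2 and same_family and lo1 <= hi2 and lo2 <= hi1:
                clashes.append((n1, n2))
    return clashes


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(ip, "->", select_policy(ip, CONNECTIONS) or "authenticate user")
    print("overlaps:", find_overlaps(CONNECTIONS))
```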

7

Setting Up End-User Authentication

By default, the Forcepoint Web Security Cloud service applies a single policy to an organization’s web traffic to provide protection from malware and inappropriate content. To enhance this protection, most organizations further tailor the service to align it with their Internet usage policy, which may require granular configuration on a per-user and per-group basis. Users must also identify themselves to enable user and group-based reporting on Internet use.

Authentication and identification options are set up on the Access Control tab within a policy, meaning that you can specify different authentication methods for different end users.

1. Log on to the Forcepoint Security Portal.

2. Navigate to the Web > Policy Management > Policies page.

3. Click your policy name, then select the Access Control tab.

The cloud service offers the following user identification and authentication options:

● Installing Forcepoint Web Security Endpoint on end users’ machines ensures that those users are both authenticated and always receive proper policy enforcement. See Setting up Forcepoint Web Security Endpoint, page 62.

● If you have an on-network identity provider, you can use this to provide secure clientless authentication to Forcepoint Web Security Cloud. See the Forcepoint Security Portal Help for details.

● You can register your end users with Forcepoint Web Security Cloud to enable NTLM identification, secure form-based authentication, or manual authentication. Alternatively, you can request users to self-register, or identify themselves for NTLM. See End-user registration, page 79.

Setting up Forcepoint Web Security Endpoint

Forcepoint Web Security Endpoint is designed to provide a seamless experience to end users for authenticating and receiving policy enforcement via the Forcepoint Web Security Cloud infrastructure.

There are two different endpoint clients available (Direct Connect and Proxy Connect), each suited to different sets of end user needs. In combination, these endpoint clients allow administrators to create policies that provide full visibility into inbound and outbound traffic, but that don’t restrict use of the device.

The endpoint client adds two additional headers to each HTTP request. One header tells the cloud service which version of the endpoint is installed; the other is an encrypted token that identifies the end user. This enables the cloud service to apply the appropriate policy for that user and to log the correct reporting data. These headers do not include any domain passwords or other security information. The headers are then stripped from the requests by the cloud proxy.

The endpoint client has been designed to consume minimal CPU, memory, and disk resources.

For more information about the available endpoint clients, how they work, and how to deploy them, continue with Web endpoint deployment overview.

Web endpoint deployment overview

There are two options for deploying the web endpoint:

● The Direct Connect endpoint routes traffic directly to the Internet, and contacts a new endpoint cloud service to:

■ Determine whether to block or permit a request

■ Perform content analysis

■ Retrieve endpoint configuration

A management service communicates endpoint settings configured in the Forcepoint Security Portal.

The Direct Connect endpoint may be beneficial for roaming users where proxy-type connections are problematic. See When to use the Direct Connect endpoint for more information.

The Direct Connect endpoint is available for Windows operating systems only.

● The Proxy Connect endpoint redirects web traffic to the cloud proxy for analysis.

The Proxy Connect endpoint is available for both Windows and Mac clients.

Users who do not install the endpoint are authenticated according to the options you select on the Access Control tab for their policy. Single sign-on is used if configured; otherwise the cloud service falls back to NTLM identification or basic authentication.

When to use the Direct Connect endpoint

The Direct Connect endpoint extends protections for out-of-network (roaming) users when a proxy-based approach can be problematic. Consider using Direct Connect if:

● A geographical firewall prevents proxy use (for example, due to a national firewall or local network security system).

● Localized content is critical.

● You have complex networks and changing network connections.

● Users frequently switch between different network connections (for example, using a mix of mobile, wifi, and on-prem networks).

● End users access a significant number of websites that do not work well with proxy technology and would otherwise require proxy bypass.

● You have non-browser and/or custom applications that require bypasses due to conflicts with proxy technology.

Although Direct Connect and Proxy Connect endpoints can both be used in the same deployment, only one type can be installed on a given machine.

Although Direct Connect can provide improved security coverage in the circumstances cited above, please verify that the networking requirements and level of feature support are acceptable in your intended deployment. Refer to the Release Notes for specifics.

Proxy Connect endpoint and I Series appliances

If end users of Proxy Connect endpoint sometimes browse from a location served by an I Series appliance, you may wish to either direct that traffic through the appliance when appropriate, or have the appliance ignore endpoint-generated traffic. For more information, see Using Forcepoint Web Security Endpoint with an appliance, page 46.

The Direct Connect endpoint does not currently analyze browsing that takes place behind appliances.

Anti-tampering protections

The endpoint has a number of key protections against tampering, which should prevent the majority of end users from uninstalling or deleting the endpoint even if they have local administrator rights:

● Endpoint files and folders are protected from deletion and cannot be modified, moved, or renamed.

● The endpoint process will automatically restart if it is stopped or killed.

● A password is required to uninstall the endpoint or stop the endpoint service.

● (Windows only) Endpoint registry settings cannot be modified or deleted.

● (Windows only) The Service Control command to delete the endpoint service is blocked.

Basic web endpoint deployment options

Windows

● Download one of the endpoint installation files for Windows and push it manually to selected client machines using your preferred distribution method. For example, you might deploy it using Microsoft Group Policy Object (GPO).

● Send users a URL from which they can download and install the endpoint themselves.

● Deploy the endpoint to the end users in a web policy directly from the cloud. Each user will be asked to install the endpoint software on their machine when they start a browsing session.

You can update endpoints automatically once they are installed. See Updating the endpoint, page 72, for details.

Mac (Proxy Connect only)

● Download one of the endpoint installation packages for Mac on individual client machines and launch the installer by double-clicking the package.

● Remotely install the endpoint using Apple Remote Desktop software, which distributes the installation package to a group of machines and performs the installation on that group.

Endpoint system requirements

Refer to the Certified Product Matrix on the Forcepoint website for a list of the latest supported operating system and browser versions.

Windows operating systems

The endpoint software can be installed either by GPO or directly from the cloud service. Once installed, the endpoint provides user authentication and enforces Forcepoint Web Security Cloud policies. The Proxy Connect endpoint is also able to manipulate proxy settings in real time—for example, to temporarily disable itself at public Internet access points to allow a roaming user to complete the billing requirements.

Both the Proxy Connect and Direct Connect endpoints support automatic updates directly from the cloud service.

The Windows installer is less than 5MB in size, and requires less than 10MB in hard disk space and less than 6MB in memory usage.

For the Proxy Connect endpoint, full support means that the browser supports all installation methods, as well as content analysis, policy enforcement, and proxy manipulation.

Mac operating systems

The Proxy Connect endpoint installer may be downloaded to individual machines for installation, or remotely deployed via Apple Remote Desktop software. The endpoint provides user authentication and enforces filtering via Forcepoint Email Security Cloud. Proxy manipulation is supported.

For Mac end users, no option exists to auto-update the endpoint. To update the endpoint, uninstall the old version and then install the new version.

The installer for the Mac is less than 2MB in size and requires less than 10MB in hard disk space.

Downloading and distributing the endpoint

Download the latest version of the endpoint client software from the Web > Settings > Endpoint page in the Forcepoint Security Portal.

Before you can download the installation file or enable deployment from the cloud service, you must define an anti-tampering password to be used to stop the endpoint service or uninstall the endpoint. The password is automatically linked to any deployments of the endpoint, including Web deployments.

To set the password and download the endpoint client software, do the following:

1. Under Set Anti-Tampering Password, click Set Password.

2. Enter and confirm your anti-tampering password, then click Submit.

Windows operating system users should note the script command displayed on screen and use it to configure your GPO deployment script or manual installation. This command is in the format:

WSCONTEXT=xxxx

Here, xxxx is a unique code for your account.

The command is required during installation to associate the endpoint with your customer account and enable your end users to log on transparently.

3. Select an endpoint Type (Direct Connect or Proxy Connect).

4. Select an operating system platform.

5. Click the version number under Available Version. Release notes are available for your review as well.

Important: For security reasons, the cloud service does not retain a copy of your anti-tampering password. If you forget your password, you can reset it in the portal by entering and confirming a new password. All installed endpoints will be updated to use the new password next time they connect to the Internet.

You can repeat steps 3-5 for each endpoint type and operating system platform used in your network.

For Windows operating system users

Distributing the endpoint via GPO

Follow the steps below to deploy endpoint clients through an Active Directory group policy object (GPO). You need to write different installation scripts for 32-bit and 64-bit operating systems. Have your script check whether the endpoint is already installed, because it should install the endpoint only if it is not.

1. Unzip the downloaded endpoint file to a location of your choice.

2. Create a shared folder (create a folder and turn on sharing in the Properties menu).

3. Create a batch file (.bat) in the shared folder, for example “installmsi.bat”. This can be done in any text editor.

Type the following msiexec command into the batch file and save it.

msiexec /package "\\path\Websense Endpoint.msi" /quiet /norestart WSCONTEXT=xxxx

Where:

■ path is the path to the unzipped installer

■ WSCONTEXT=xxxx is the script command noted from the Endpoint page in the portal.

4. Test your batch file manually to make sure it runs on other workstations. You can do this by opening the server path to the file on a workstation and attempting to run the file. If the file does not run, check your permissions.

5. Open the Group Policy Management Console (GPMC).

6. Create a new (or open an existing) GPO on the organization unit (OU) in which your computer accounts reside. To create a new GPO:

a. In the console tree, right-click Group Policy Objects in the forest and domain in which you want to create a Group Policy object (GPO).

b. Click New.

c. In the New GPO dialog box, specify a name for the new GPO, and then click OK.

7. Open Computer Configuration > Windows Settings > Scripts, and double-click Startup in the right pane of the screen.

8. Click Add.

9. In the Script Name field type the full network path and filename of the script batch file you created in step 2.

10. Click OK.

11. Close the GPMC.

12. Run the gpupdate /force command at the command prompt to refresh the group policy.

The application should be installed on startup. The client may not be fully functional until a reboot occurs.

Installing the endpoint on a single machine

Follow the steps below to deploy an endpoint client on a single machine. Note that you must have administrator rights on the machine.

1. Unzip the downloaded endpoint file to a location on the machine.

2. Open a command-line window, and navigate to the location of the unzipped endpoint files.

3. Enter the following command:

msiexec /package "Websense Endpoint.msi" /norestart WSCONTEXT=xxxx

Where WSCONTEXT=xxxx is the script command noted from the Endpoint Download screen in the portal.

4. Use the Windows Services tool to confirm the endpoint is installed and running. Check that Websense SaaS Service is present in the Services list, and is started.

Uninstalling the endpoint from Windows

You can uninstall the endpoint by doing the following:

1. Go to Control Panel > Programs and Features, and select Websense Endpoint.

2. Click Uninstall.

3. Click Yes to continue. Then enter the endpoint anti-tampering password that you set in the portal.

4. Click OK to begin uninstalling the endpoint.

5. You will receive a confirmation message if the endpoint was successfully uninstalled.

You can also uninstall the endpoint through the command line by running this command:

msiexec /uninstall "<path>\Websense Endpoint.msi" /qb /promptrestart XPSWD=xxxx

where <path> is the path to your endpoint package, and xxxx is the anti-tampering password you set in the portal.

To stop the endpoint, navigate to the endpoint installation folder and run this command:

wepsvc -stop -password <password> wspxy

In this command, replace <password> with the anti-tampering password.

Important: If you uninstall the endpoint, be sure to restart your operating system or your web browsing experience may be affected.

For Mac operating system users

To deploy the endpoint manually on a single machine, follow these steps:

1. Under Mac Endpoint Client, click on the version number to download the endpoint zip file.

2. When you download the endpoint, it should include the endpoint.pkg file along with a file called HWSConfig.xml, which is specific to your account. This file needs to be in the same directory as the .pkg file for the endpoint to successfully install.

Note that if you wish to use the endpoint over port 80 for proxying and PAC file retrieval, you need to do the following before installing the endpoint:

■ Ask your endpoint support representative to add the “Send HWS endpoint to port 80” template to your account. You can add this template to specific policies or globally.

■ Change the HWSConfig line from this:

<PACFile URL="http://webdefence.global.blackspider.com:8082/proxy.pac" />

To this:

<PACFile URL="http://pac.webdefence.global.blackspider.com/proxy.pac" />

By applying this template, you will also move to port 80 any endpoints that are already installed.

3. Double-click the endpoint package to open an introductory screen for the installer. Click Continue for step-by-step instructions on the installation process.

4. When you reach the “Standard install on Macintosh HD” screen, click Install to begin the installation process.

You must install the endpoint on the local hard disk. You can change the installation location on this screen by clicking Change Install Location.

5. Enter a user name and password for a user with administrator rights to install the software.

If the installation process fails, check that the HWSConfig.xml file is present and is in the correct format if you have edited it.

6. A confirmation screen informs you if the installation is successful. Click Close.

7. After installation, go to System Preferences > Other.

8. Click the icon for the endpoint program.

This brings you to a page where you can see available components for the version you have installed. You can also do the following:

■ Save Debug Logs to Desktop

■ Uninstall Endpoint.

Save Debug Logs to Desktop allows your endpoint support team to quickly access all troubleshooting logs in one place. Clicking it creates an archive file on the Mac desktop beginning with ClientInfo*.zip. If you need to open a support ticket about the endpoint, include this zip file with your request.

Identifying Mac end users of endpoint

When a Mac user is logged into an active directory-based domain, the endpoint identifies users in the same way that it does for Windows operating system users. For Mac users not logged into a domain, however, the endpoint formats the user details in Forcepoint Web Security Cloud as mac.local.[local_username]@[local_address].

For example, if you are logged in as “Joe Bloggs,” it might appear as [email protected].

To search for all locally logged-on Mac users, do the following:

1. Go to the Account > End Users page.

2. In the Name field, enter “mac.local*”

3. Click Search.

This brings up a list of all Mac users that are logged on locally.

Changing the policy of a Mac end user

To change the policy of a Mac user, do the following:

1. After searching for all locally logged-on users (see Identifying Mac end users of endpoint, page 70), in the Please select an action drop-down menu, select Change Web policy.

2. Choose the policy that you want to move the selected Mac user to.

3. Select each of the displayed Mac users you want to move and click the Go button.

The new policy is applied to these users.

Note that two Mac usernames will be common across all of your Mac users: mac.local.root and mac.local._softwareupdate. These users receive software updates from the Internet. It is best practice to limit access by these users to just a few categories, such as Information Technology.

Uninstalling endpoint from the Mac

You can uninstall the endpoint by doing the following:

1. Go to System Preferences > Other, and click the icon for the endpoint software.

2. Click Uninstall Endpoint.

3. Enter the local administrator name and password.

4. Click OK. Then enter the endpoint anti-tampering password that you set in the portal.

5. Click OK to begin uninstalling the endpoint.

6. You will receive a confirmation message if the endpoint was successfully uninstalled.

7. Click OK to finish the process.

You can also uninstall the endpoint through the command line:

1. After entering the Mac administrator password, run this command:

sudo wepsvc --uninstall

2. You will be asked for the service password, which is the default password unless the password was changed in the portal.

To stop the endpoint, do the following through the command line:

1. After entering the Mac administrator password, run this command:

sudo wepsvc --stop

2. You will be asked for the service password, which is the default password unless the password was changed in the portal.

Deploying the endpoint from the cloud service

You can deploy the Proxy Connect endpoint on a per-policy basis to either roaming users or all users in a policy directly from the cloud service. (Does not apply to Direct Connect.)

When you select this option on the Endpoint tab of a policy in the portal, end users are prompted to install the endpoint the next time they open a browser. See Local users, page 72, and Roaming users, page 72. You can customize the text on the first page of the installer to make it clear that the installation is sanctioned by your organization.

The endpoint installer for Windows operating system users is available in English, French, German, Italian, Spanish, Dutch, Simplified Chinese, and Japanese. The language used for the installation is picked up from the browser settings.

Local users

For Windows operating system users, when the endpoint has been deployed to all users in a policy, an end user opening Internet Explorer or Firefox sees the following:

If the user clicks Install Secure Browsing, they are redirected to an assistance page that explains the installation process for their browser. They then click Continue with the installation to install the endpoint.

If the user clicks Ask me next time, Forcepoint Web Security Cloud falls back to alternative authentication or identification methods if enforced in the Access Control tab for the user’s policy. The endpoint installer will reappear next time the user opens a web browser.

Roaming users

For Windows operating system users, when the endpoint is deployed to roaming users, the user must first authenticate using their basic authentication credentials, if they have them. If they do not already have credentials, they must self-register with Forcepoint Web Security Cloud (see End-user self registration and bulk registration, page 80).

Once they are registered and have logged in using basic authentication, the endpoint installer starts and the process is the same as for local users. If the user clicks Ask me next time, the user is presented with a manual authentication login page each time they access the Internet as a roaming user, followed by the endpoint installation page.

Updating the endpoint

For Windows operating system users, the Endpoint tab in web policies includes an auto-update feature that can automatically deploy newer versions of Proxy Connect or Direct Connect endpoint software, without desktop administrators getting involved. If you select this option, it applies to all users in the policy who have installed the endpoint, regardless of whether it has been deployed via GPO or directly from the policy, assuming their browser supports deployment from the cloud service.

Mark Automatically update installations when a new version is released on the Endpoint tab if you want to ensure that endpoints on your client machines have the latest version when it is available.

The setting is disabled by default, as most organizations like to control the software on the desktop themselves and test newer versions before deploying them. You may want to enable the option once you have tested the new software so all users (including roaming users) get the latest endpoint installed. Once they have all updated the endpoint, you can then disable updates again.

Note that while an endpoint update is taking place (which can take several minutes), end users will be unable to browse, but will be shown a web page stating that the endpoint is updating. This page will continue to retry the requested web page every 10 seconds until the endpoint has finished updating, and will then display the requested page correctly if the user is allowed to access this URL, or alternatively will display a block page.

Mac operating system users

For Mac operating system users, the endpoint for the Mac can automatically deploy newer versions to browsers without involvement from desktop administrators.

Other end-user authentication and identification options

Authentication options

End users can use the details entered during registration to authenticate with Forcepoint Web Security Cloud when working remotely or, if forced authentication is configured within the policy, whenever they access the Internet.

For secure form-based authentication, users are asked to authenticate the first time they open a browser. Users who have authenticated once do not then have to re-authenticate for subsequent web browsing sessions, for a period of time defined by the Session Timeout option on the Access Control tab.

For basic authentication, users are asked to authenticate when opening a new browser instance. Once authenticated, they are not asked to authenticate again as long as the browser remains open.

End-user identification

If the policy dictates that NTLM is to be used to identify users unless they are working remotely, end users are never prompted for credentials, but their surfing habits can be monitored and per-user configuration can be applied. In this case, the users are transparently identified.

If you have an I Series appliance deployment and have enabled transparent NTLM authentication on the appliance’s Authentication tab, see Enabling browsers for NTLM transparent authentication.

Enabling browsers for NTLM transparent authentication

In an I Series appliance deployment, NTLM transparent authentication is available for your end users if you:

● Connect your appliance to a local Active Directory

● Enter your NTLM domain on the Authentication tab when you add your appliance to Forcepoint Email Security Cloud

● Select NTLM transparent identification where possible on the Access Control tab in your Forcepoint Web Security Cloud policy.

You must also configure your end users’ browsers to support this form of authentication. In order for a browser to work with NTLM transparent authentication, the machine on which the browser is hosted must be part of the domain.

This section describes how to configure supported browsers, either manually or via a Group Policy.

Warning: If you want to protect remote users, instruct them to log onto the service using their email address and the password with which they registered. NTLM transparent identification is not used when the browser has connected from a remote location.

Note: If validating against a local Active Directory for NTLM authentication, an end user cannot use their email addresses as their user name, and must use the domain\username format (for example, MYCOMPANY\jsmith).

Configuring Internet Explorer

To enable NTLM on a single Internet Explorer browser:

1. Go to Tools > Internet Options.

2. Select the Security tab.

3. Select Local Intranet, then click Sites to open the list of Trusted Sites for the Intranet zone.

Note: The settings in this section will also be applied to a Google Chrome browser on the same machine.

4. For Internet Explorer 8 and above, click Advanced on the window that appears.

5. Enter the IP address of the B1/B2 bridge interface on your appliance, then click Add.

6. Clear the Require server verification box.

7. Click Close.

8. With Local Intranet still selected, click Custom level.

9. Scroll down to the User Authentication section, and ensure Automatic logon only in Intranet zone is selected.

10. Click OK, and exit Internet Options.

Configuring NTLM via Group Policy

To create an NTLM transparent authentication policy using a Group Policy Object (GPO):

1. Log on to your Active Directory domain controller (DC) using a domain admin account.

2. Perform the steps listed in Configuring Internet Explorer to enable NTLM in the Internet Explorer or Chrome browser on the DC.

3. To turn off Internet Explorer Enhanced Security Configuration:

a. Open Server Manager.

b. Scroll down to Security Information, and click Configure IE ESC.

c. Turn ESC Off for administrators and users, and close the window.

4. Open Group Policy Management.

5. Right-click your domain name (or the OU that contains the end users who will receive this policy), and click Create a GPO in this domain, and link it here.

6. Give your new policy a name, and click OK.

7. Right-click your newly-created policy, and select Edit.

8. Navigate to User Configuration > Policies > Windows Settings > Internet Explorer Maintenance > Security > Security Zones and Content Ratings.

9. Select Import the current security zones and privacy settings.

10. You may receive a warning about Enhanced Security Configuration. This is why the enhanced configuration was disabled in step 3, so that this policy will apply to workstations without enhanced security turned on. Click Continue.

11. Turn on Enhanced Security Configuration again, and repeat steps 4-9 to create a policy with ESC enabled. This ensures that workstations with either configuration are supported.

12. Close all open windows.

The changes will take time to replicate through your Active Directory, depending on your setup. This may be from 15 minutes to an hour; if you have a multi-site AD setup, it may take a day or two.

You can then set up a login script that will install the policy when end users log on to their workstations.

This method uses 2 files:

● login.bat

● ntlm.reg

The login.bat script contains two lines:

@echo off
regedit /s \\path\ntlm.reg

In the ntlm.reg script, replace <Box IP> with the IP address of your appliance:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5]
"*"=dword:00000001
":Range"="<Box IP>"

Configuring Firefox

Note: If you are configuring Firefox v38 or later on Linux, you must perform step 6 in the procedure below to ensure the browser falls back to NTLM v1. This is due to the Linux version having issues with NTLM v2 that can cause authentication failures.

To enable NTLM transparent authentication in Firefox:

1. Open Firefox, and type about:config in the address bar.

2. Click I'll be careful, I promise! to open the advanced configuration page.

3. Type ntlm in the Search field.

4. Select network.ntlm.send-lm-response and double-click it to toggle it to on.

5. Double-click network.automatic-ntlm-auth-trusted-uris. In the box that appears, enter the IP address of the B1/B2 bridge interface on your appliance, and click OK.

6. If you are configuring Firefox on a Linux machine, double-click network.auth.force-generic-ntlm-v1.

The Status is changed to user set, and the Value is changed to true.
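
Automatic logon sends the user's NTLM credentials to whatever the intranet zone range or the Firefox trusted-URI list covers, so both should name only the appliance. The following added example (not part of the guide or of any Forcepoint tool) audits an ntlm.reg file and a Firefox prefs.js for that, and for the NTLM v1 preference being set where the guide does not call for it. The address 192.0.2.10, the sample file contents and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the guide's ntlm.reg with <Box IP> replaced by 192.0.2.10,
# a documentation-range address standing in for the appliance.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5]
"*"=dword:00000001
":Range"="192.0.2.10"
'''

# Constructed sample: the three Firefox preferences from the steps above as they
# appear in a profile's prefs.js once they have been set.
SAMPLE_PREFS = '''user_pref("network.automatic-ntlm-auth-trusted-uris", "192.0.2.10");
user_pref("network.ntlm.send-lm-response", true);
user_pref("network.auth.force-generic-ntlm-v1", true);
'''

INTRANET_ZONE = 1  # Internet Explorer zone number for Local intranet


def parse_reg(text):
    """Parse string and dword values of a .reg file into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^"(.*?)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
        if m and current is not None:
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword is not None else string
    return keys


def audit_zone_ranges(reg_text, appliance_ip):
    """Flag intranet-zone ranges that are anything but the appliance's single IP."""
    findings = []
    expected = ipaddress.ip_address(appliance_ip)
    for key, values in parse_reg(reg_text).items():
        if "\\ZoneMap\\Ranges\\" not in key:
            continue
        zones = [v for n, v in values.items() if n != ":Range"]
        if INTRANET_ZONE not in zones:
            continue  # not mapped to the zone that allows automatic logon
        rng = values.get(":Range")
        try:
            address = ipaddress.ip_address(rng)
        except ValueError:
            # Also catches a <Box IP> placeholder that was never replaced.
            findings.append(f"{key}: range {rng!r} is not a single IP address")
            continue
        if address != expected:
            findings.append(f"{key}: {rng} is in the intranet zone but is not the appliance")
    return findings


def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of bool, int or str."""
    prefs = {}
    pattern = r'user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);'
    for name, raw in re.findall(pattern, text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def audit_firefox_prefs(prefs_text, appliance_ip, is_linux):
    """Check the NTLM preferences against what the guide's Firefox steps call for."""
    prefs = parse_prefs(prefs_text)
    findings = []
    raw = str(prefs.get("network.automatic-ntlm-auth-trusted-uris", ""))
    trusted = [u.strip() for u in raw.split(",") if u.strip()]
    extra = [u for u in trusted if u != appliance_ip]
    if extra:
        findings.append("automatic NTLM logon is also trusted for: " + ", ".join(extra))
    if prefs.get("network.ntlm.send-lm-response") and appliance_ip not in trusted:
        findings.append("send-lm-response is on but the appliance is not a trusted URI")
    # Step 6 applies to Linux only, so the NTLM v1 fallback should not appear elsewhere.
    if prefs.get("network.auth.force-generic-ntlm-v1") and not is_linux:
        findings.append("force-generic-ntlm-v1 is set on a non-Linux machine")
    return findings


if __name__ == "__main__":
    print(audit_zone_ranges(SAMPLE_REG, "192.0.2.10"))
    print(audit_firefox_prefs(SAMPLE_PREFS, "192.0.2.10", is_linux=False))
```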

End-user registration

If you do not deploy Web endpoint or single sign-on, the following options are available for end-user registration, and subsequent authentication or identification:

● Directory synchronization

● End-user self registration and bulk registration

● NTLM transparent identification registration

● Authentication priority and overrides

These options are also used as a fallback if either the endpoint or single sign-on fails.

Note that manual authentication is always used if none of the above methods is available.

Directory synchronization

Forcepoint Email Security Cloud includes a directory synchronization feature for organizations with an LDAP-compliant directory (such as Active Directory). If you have a directory like this and you use the synchronization feature, you do not need to register end users. When you synchronize your directory with the cloud service, users are automatically registered.

If directory synchronization includes NTLM IDs, you can enable NTLM identification on the Access Control tab; then your users can use the service immediately after synchronization. This is the easiest way to get users going with the service.

If you enable NTLM identification but for some reason do not synchronize NTLM IDs from your directory, your users are required to self-register and then associate their NTLM IDs with their user accounts on the service.

If you don’t want to use NTLM identification, you can configure the service to send invitations to all newly synchronized users. They can then complete the self-registration process and log in using email address (or name) and password.

Through the directory synchronization feature, you have the option to notify new users that they are protected by the cloud service when they surf the Web.

End-user self registration and bulk registration

Self-registration for individual users

One way to register users is to invite them to self-register. For those using secure form-based or manual authentication, there are 3 steps for individual end-user self registration:

1. You enter your email domains into the policy or account.

2. Users complete stage 1 registration (enter name and email address into a form).

3. Users complete stage 2 registration (create a password).

Users can access the stage 1 registration form at:

https://www.mailcontrol.com/enduser/reg/index.mhtml

or by clicking Register on the default pre-login welcome page or NTLM registration page that is presented when they are forced to identify or authenticate themselves.

Once users have entered their name and email address into the form, they receive an email from Forcepoint Web Security Cloud. This email contains a link that, when clicked, takes them to a page where they can complete registration stage 2 by creating a password.

Bulk registering end-users

Bulk end-user registration simplifies the self-registration process by reducing it from 2 steps to 1. Rather than end users visiting the portal and entering their name and email address into a form, you upload all their names and addresses at once. End users automatically receive email notification once the bulk upload is finished. They can then click a link in the email they receive and create a password on the portal.

NTLM transparent identification registration

If you do not have an LDAP directory and your users are using NTLM transparent identification, an additional one-time step is required.

The first time these users send a request to the cloud service, an NTLM registration form appears where they must enter their email address and password. Forcepoint Web Security Cloud associates these user credentials with the NTLM credentials automatically obtained from the browser. This association is saved and the user does not have to complete this step again.

Note: If you are using directory synchronization and have synchronized NTLM IDs, users are not prompted for this information. Only NTLM users who self-registered, were invited to register, or were bulk registered have to perform this step.

Authentication priority and overrides

You can select multiple authentication options for your end users on the Access Control tab of a policy. The options are prioritized as follows:

● Forcepoint Web Security Endpoint is always used if installed on an end user’s machine.

● If the endpoint is not installed or fails, single sign-on is used if:

■ it has been deployed in your network, and

■ it has been selected on the Access Control tab for the end user’s policy.

● If neither the endpoint nor single sign-on is available, the end user is authenticated via either NTLM identification or basic authentication.

● Secure form-based authentication is used if both of the following are true:

■ It has been selected on the Access Control tab.

■ The user agent or application requesting authentication supports form-based authentication via an HTML page.

When this option is selected, applications that do not support form-based authentication use basic authentication.

● Basic authentication is always used if you have chosen to enforce end-user authentication and none of the other options are either selected or available.

You can also enforce a specific authentication option for certain end users, overriding the authentication settings in the policy, by deploying a PAC file URL in the following format:

http://webdefence.global.blackspider.com:8082/proxy.pac?a=X

The a= parameter controls the authentication option, and X can be one of the following:

Parameter | Description

a=n | NTLM identification or basic authentication is used, depending on the policy settings and the browser or application capability.

a=t | Authentication is performed using single sign-on. If the application or user agent cannot use single sign-on, NTLM identification or basic authentication is used. If a remote user cannot log on using single sign-on, they are given the option to try again or log on using other credentials.

a=f | Authentication is performed using secure form-based authentication.

Deploy PAC files with the a= parameter if you want some of your users in a policy to use single sign-on, and others to use secure form-based authentication. This is because the two methods use different ports on the cloud service (see Configuring your firewall, page 17).

Chapter 8 Working with Remote Users

Forcepoint Web Security Cloud can protect and monitor users even when they are not in their normal office location, such as when they are traveling. This section describes how Forcepoint Web Security Cloud handles users who are roaming from their network domains.

Forcepoint Web Security Cloud works on the basis of source IP address. When the cloud service receives a URL request, it checks the source IP address of the request and searches all customer policies to find the policy with that source IP address. The source IP address is configured as a proxied connection on a policy’s Connections tab in the Forcepoint Security Portal.

If users are roaming, they are most likely either at home, an Internet cafe, a hotel, or an airport. It is unlikely that the IP addresses of these places are configured in any of your proxied connections. In this situation, the roaming user encounters one of the following scenarios:

● If the user has a laptop with Forcepoint Web Security Endpoint installed, the endpoint forces a connection to Forcepoint Web Security Cloud to send authentication and, in the case of Proxy Connect, get the PAC file and policy settings appropriate for the user.

● If you have deployed single sign-on, the roaming user is authenticated seamlessly as long as you have a suitable proxy on your network.

● If neither Forcepoint Web Security Endpoint nor single sign-on is in use and the service cannot find the source IP address in any of the customer policies, it prompts the user to log on. The service then searches for the user in its policies. When it finds the user, the service knows who they are, which policy they are using, and how to respond to the request (block or allow).

In order to log on, the user has to be registered. Roaming users must go through the one-time registration process to be covered.

Some browsers exhibit inconsistent behavior in certain circumstances, such as when used in public Internet access points in hotels and airports. If the browser is configured to get the PAC file from the cloud service, as it is with Proxy Connect, it is possible that it may not be able to immediately do so. In such situations, some browsers fall back to direct connections, bypassing Forcepoint Web Security Cloud. This can occur in the following situations:

1. The web browser is launched and the laptop does not have Internet access because it does not have IP connectivity, nor is it connected to another device, such as a router, with IP connectivity. The browser cannot connect to the cloud service. This typically occurs in home office environments.

2. The laptop has full network connectivity but is unable to connect to the Internet because it is located behind a firewall that is preventing this. This typically occurs when the user is connected to a third-party’s network—either corporate or public.

These scenarios are expanded upon in the next sections:

● How to determine whether a browser is using Forcepoint Web Security Cloud, page 84

● Connecting from home, page 85

● Connecting from third-party corporate networks, page 86

How to determine whether a browser is using Forcepoint Web Security Cloud

A tool is available to help identify whether a browser has a proxied connection to Forcepoint Web Security Cloud. Find the Proxy query page link on the Web > Settings > General page in the cloud portal.

When you request the query page from a browser whose requests are routed through the Forcepoint Web Security Cloud proxy, it looks like this:

If you are not using the Forcepoint Web Security Cloud proxy—for example, you have lost your proxy connection or you are using the Direct Connect endpoint—it looks like this:

This proxy query page link has also been embedded in the Forcepoint Web Security Cloud remote user home page: http://home.webdefence.global.blackspider.com/. This home page is also used to help resolve other challenges associated with remote user connectivity. As a best practice, make this the home page for all remote users.

You can customize the remote user home page if required. The URL for the resulting account-specific page is available from your account in the portal. It looks like the figure above, but has an account-specific identifier appended to it.

To determine whether the Direct Connect endpoint can contact the cloud service, use the diagnostics tool in the endpoint software. Access the tool by double-clicking the endpoint icon in the client’s system tray.

Connecting from home

In some circumstances, home users might connect to a network, launch a browser, and find that they are not using the Forcepoint Web Security Cloud cloud service.

This can happen for two main reasons:

● The user launches the browser before the computer receives its IP configuration information.

● The computer connects to a network that uses a router that does not have an IP address assigned. This can occur with some Internet connections that use dynamically assigned IP addresses such as some home broadband connections. If the connection hasn’t been used for some time, the router’s lease for its IP address may have expired.

In the case of Proxy Connect endpoints, the browser tries to get the PAC file and fails. If the computer then gets its IP address immediately after the failure to get the PAC file, the browser then accesses the Internet directly without retrying the PAC file.

When endpoints can’t connect to the cloud service, they allow Internet use to continue and apply filters that have been cached to provide as much protection as possible. This is known as Fallback mode.

Solutions

Deploy Forcepoint Web Security Endpoint

Installing the endpoint, either for roaming users or all users, ensures all web traffic receives policy enforcement from the cloud service.

For more information, see Setting up Forcepoint Web Security Endpoint, page 62.

Use a local copy of the PAC file

If you are not using the Direct Connect endpoint, you can download a copy of the PAC file, save it locally, and configure the browsers to use it. This ensures that the browsers can always access it regardless of network connectivity.

The benefits of this solution are that the users’ browsers are always able to access the PAC file regardless of any delay in the laptop receiving IP configuration, and no user intervention is required. The disadvantage is that you must download the PAC file to the laptop every time an unproxied destination is added to your Forcepoint Web Security Cloud policy. It is unlikely for this to occur often, and you can automate distribution of the PAC file.

Connecting from third-party corporate networks

When connecting from a third-party corporate network, users most likely are behind a firewall that may restrict Internet connectivity.

Why this may occur:

● The laptop is connected to a network behind a firewall that does not allow connectivity using port 8082, and the browser is unable to access the Forcepoint Web Security Cloud cloud service.

● The laptop is connected to a network behind a firewall that does not allow connectivity using port 8081, and the browser is not able to communicate with the proxy.

Solution

Use the PAC file available via port 80

If you are not using the Direct Connect endpoint, and port 8082 is locked down, a URL is available that enables the remote user to access the PAC file and cloud service over port 80. Remote users should also use the PAC file address for port 80 if requesting access from a network that has port 8081 locked down. Even if they can access the PAC file on port 8082, port 8081 is the standard required port to be able to use Forcepoint Web Security Cloud policy enforcement.

This URL is available on the Web > Settings > General page, and a policy-specific version is displayed on the General tab of each policy.

Use the security solution on the corporate network

If port 8081 is locked down, it is likely that in this scenario, the organization to whose network the laptop is connected has its own security policy in place and wishes the user to be governed by it, requiring reconfiguration of the laptop. Alternatively, some organizations have “public networks” that they provide for visitors.

Chapter 9 Configuring Data Security

The Data Security feature in Forcepoint Web Security Cloud lets you monitor and prevent the loss of sensitive data and intellectual property via the web channel as well as assess your risk exposure. You can protect intellectual property, data that is protected by national legislation or industry regulation, and data suspected to be stolen by malware or malicious activities.

Important: The Data Security feature is not supported with I Series appliances.

To get started, follow these steps:

1. Create content classifiers

This is helpful for monitoring intellectual property.

2. Configure Data Security policy settings

3. Configure reporting permissions

This determines who can see Data Security reports.

In addition, you can optionally:

1. Configure privacy settings

2. Configure block pages

3. View the dashboard

4. View reports

5. View the audit trail

Create content classifiers

Content classifiers can be used to identify intellectual property and data types that are not covered by the default Personally Identifiable Information (PII), Payment Card Industry (PCI), and Protected Health Information (PHI) rules. For example, a key phrase custom classifier can be created to identify a document classification marker.

The content classifiers that you create can then be used on the Data Security tab of your web policies.

If you are concerned only about regulatory compliance and data theft, you can skip this step.

1. In the Forcepoint Security Portal, select Web > Policy Management > Content Classifiers from the main toolbar.

2. Click Add and select the type of classifier you want to create:

■ Key Phrase: a keyword or phrase that indicates sensitive or proprietary data (such as product code names or patents).

■ Regular Expression: a pattern used to describe a set of search criteria based on syntax rules.

For example, the pattern “a\d+” detects all strings that start with the letter “a” and are followed by at least one digit, where “\d” represents any digit and “+” represents “at least one.”

■ Dictionary: a container for words and expressions relating to your business.

3. Complete the fields as described in the appropriate section, and then click Save.

■ Define key phrase content classifiers, page 90

■ Define regular expression content classifiers, page 89

■ Define dictionary content classifiers, page 91

4. Repeat steps 2-3 until you’ve added all the classifiers you require.

Define regular expression content classifiers

Regular expression (regex) patterns can be detected within content, such as the pattern of an internal account number or alphanumeric document code.

When extracted text from a transaction is scanned, the system searches for strings that match regular expression patterns and may be indicative of confidential information.

To create a regular expression classifier:

1. Enter a unique Name for the pattern.

2. Enter a Description for the pattern.

3. Enter the Regular expression pattern (regex) that you want the system to search for, using Perl syntax.

For syntax and examples, click Help > Explain This Page.

4. Use the Pattern Testing section of the page to test your regular expression.

Because regular expression patterns can be quite complex, it is important that you test the pattern before saving it. If improperly written, a pattern can create many false-positive incidents and slow down the system.

a. Create a .txt file (less than 1 MB) that contains values that match this regex pattern. The file must be in plain text UTF-8 format.

b. Browse to the file and click Test to test the validity of your pattern syntax. If the pattern you entered is invalid, you’re given an opportunity to fix it. You cannot proceed until the test succeeds.

You can have up to 100 regular expression classifiers.
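
The portal's Pattern Testing step only checks against values that should match, so it helps to rehearse a pattern locally against text that should not match as well. The following added example (not part of the guide or the portal) does that with Python's re module, which treats \d, \b and {n} the same way as Perl for these ASCII samples. The account-number format, sample lines and function names are constructed, and the nested-quantifier check is a rough heuristic for patterns that can be slow.

```python
import re

# The guide asks for a test file "less than 1 MB" without saying whether that is
# 1,000,000 or 1,048,576 bytes, so this check uses the smaller figure (assumption).
MAX_TEST_FILE_BYTES = 1_000_000

# Constructed samples for a hypothetical account-number format: "a" plus six digits.
SHOULD_MATCH = ["Account a482913 was closed", "ref: a100027"]
SHOULD_NOT_MATCH = ["Order data2017 shipped", "see area51 notes", "alpha1 release"]


def build_test_file(should_match):
    """Return the bytes of a plain-text UTF-8 test file, one sample per line."""
    return "\n".join(should_match).encode("utf-8")


def check_test_file(data):
    """List the reasons a test file would not meet the guide's requirements."""
    problems = []
    if len(data) >= MAX_TEST_FILE_BYTES:
        problems.append("file is not smaller than 1 MB")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        problems.append(f"not valid UTF-8 at byte {exc.start}")
    return problems


def has_nested_quantifier(pattern):
    """Heuristic: a repeated group that itself contains + or *, such as (a+)+."""
    return re.search(r"\([^()]*[+*][^()]*\)[+*]", pattern) is not None


def evaluate(pattern, should_match, should_not_match):
    """Report samples the pattern misses and benign lines it would flag."""
    rx = re.compile(pattern)
    missed = [s for s in should_match if not rx.search(s)]
    false_positives = []
    for line in should_not_match:
        hit = rx.search(line)
        if hit:
            false_positives.append((line, hit.group(0)))
    return {
        "missed": missed,
        "false_positives": false_positives,
        "nested_quantifier": has_nested_quantifier(pattern),
    }


if __name__ == "__main__":
    # The guide's illustrative pattern, then a version anchored on word
    # boundaries with a fixed digit count.
    for candidate in (r"a\d+", r"\ba\d{6}\b"):
        print(candidate, evaluate(candidate, SHOULD_MATCH, SHOULD_NOT_MATCH))
    print(check_test_file(build_test_file(SHOULD_MATCH)))
```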

Define key phrase content classifiers

The presence of a keyword or phrase (such as “Top Secret” or “Project X”) in a web post may indicate that classified information is being exposed. You can learn about activity like this by defining a key phrase classifier.

To create a key phrase classifier:

1. Enter a unique Name for the key phrase classifier.

2. Enter a Description for the key phrase.

3. Enter the key word or phrase that might indicate classified information, up to 255 characters. Key phrases are case-insensitive.

Leading and trailing white spaces are ignored. If you need to use slashes, tabs, hyphens, underscores, or carriage returns, define a regular expression classifier rather than a key word classifier.

Key phrases also identify partial matches. For example, the key phrase “uri” reports a match for “security”. Note that wildcards are not supported for key phrases.

You can have up to 100 key phrase classifiers.

Define dictionary content classifiers

A dictionary is a container for words and expressions pertaining to your business.

To create a dictionary classifier:

1. Enter a unique Name for the dictionary classifier.

2. Enter a Description for the dictionary.

3. Dictionaries can have up to 100 phrases. To add content to the dictionary, click Add under Dictionary content.

4. Complete the fields on the resulting dialog box as follows:

a. Phrase: Enter a word or phrase to include. This phrase, when found in the content, affects whether the content is considered suspicious.

b. Weight: Select a weight, from -999 to 999 (excluding 0). When matched with a threshold, weight defines how many instances of a phrase can be present, in relation to other phrases, before triggering a policy.

5. If you have many phrases to include, create a text file listing the phrases, then click Import and navigate to the text file.

6. Mark The phrases in this dictionary are case-sensitive if you want the phrases that you entered to be added to the dictionary with the same case you applied.

You can have up to 100 dictionary classifiers. Each is limited to 100 phrases.

For examples and restrictions, click Help > Explain This Page.

Configure Data Security policy settings

To configure options for detecting and preventing data loss over web channels:

1. In the portal, go to the Web > Policy Management > Policies page, then open the policy you want to configure.

2. Click the Data Security tab in the policy.

3. Complete the fields as described in the following sections:

■ Enable Data Security regulations in policies, page 93

■ Enable data theft detection in policies, page 94

■ Enable custom Data Security classifiers in policies, page 95

■ Trusted Domains, page 96

4. When you are finished, click Save.

The system will search for sensitive data that is being posted to HTTP and HTTPS sites, and report on it in an Incident report (available from the Reporting > Report Catalog > Standard Reports > Data Security page). This includes intellectual property, data that is protected by national legislation or industry regulation, and data suspected to be stolen by malware or malicious activities.

To search for data over HTTPS, be sure SSL decryption is enabled by following the instructions provided on the SSL Decryption tab.

Enable Data Security regulations in policies

Most countries and certain industries have laws and regulations that protect customers, patients, or staff from the loss of personal information such as credit card numbers, social security numbers, and health information.

To set up rules for the regulations that pertain to you:

1. Click No region selected.

2. Select the regions in which you operate.

3. Select the regulations of interest:

4. Select an action to take when matching data is detected. Select Block to prevent the data from being sent through the web channel. Select Monitor to allow it. (Incidents are created either way.) You can filter by action in the Data Security Incident Manager.

5. Select a sensitivity to indicate how narrowly or widely to conduct the search.

Select Wide for the strictest security. Wide has a looser set of detection criteria than Default or Narrow, so false positives may result and performance may be affected. Select Narrow for tighter detection criteria. This can result in false negatives or undetected matches. Default is a balance between the two.

Severity is automatically calculated for these regulations.

Field Description

Personally Identifiable Information (PII)

Detects Personally Identifiable Information—for example, names, birth dates, driver license numbers, and identification numbers. This option is tailored to specific countries.

Protected Health Information (PHI)

Detects Protected Health Information—for example, terms related to medical conditions and drugs—together with identifiable information.

Payment Card Industry (PCI DSS)

Conforms to the Payment Card Industry (PCI) Data Security Standard, a common industry standard that is accepted internationally by all major credit card issuers. The standard is enforced on companies that accept credit card payments, as well as other companies and organizations that process, store, or transmit cardholder data.

Enable data theft detection in policies

Use this section to detect when data is being exposed due to malware or malicious transactions. When you select these options, Forcepoint Web Security Cloud searches for and reports on outbound passwords, encrypted files, network data, and other types of information that could be indicative of a malicious act.

To see if your organization is at risk for data theft:

1. Select the types of data to look for.

2. Select an action to take when matching data is detected. Select Block to prevent the data from being sent through the web channel. Select Monitor to allow it. (Incidents are created either way.) You can filter by action in the Data Security Incident Manager.

3. Select a sensitivity to indicate how narrowly or widely to conduct the search.

Select Wide for the strictest security. Wide has a looser set of detection criteria than Default or Narrow, so false positives may result and performance may be affected. Select Narrow for tighter detection criteria. This can result in false negatives or undetected matches. Default is a balance between the two.

Severity is automatically calculated for these types.

Information Type Description

Common password information

Searches for outbound passwords in plain text

Encrypted file - known format

Searches for outbound transactions comprising common encrypted file formats

Encrypted file - unknown format

Searches for outbound files that were encrypted using unknown encryption formats

IT asset information

Searches for suspicious outbound transactions, such as those containing information about the network, software license keys, and database files.

Malware communication

Identifies traffic that is thought to be malware “phoning home” or attempting to steal information. Detection is based on the analysis of traffic patterns from known infected machines.

Password files

Searches for outbound password files, such as a SAM database and UNIX/Linux password files

Enable custom Data Security classifiers in policies

Use this section if you want to detect intellectual property or sensitive data using custom phrases, dictionaries, or regular expressions containing business-specific terms or data.

1. Select the classifiers that you want to enable for the policy. If you skipped the section Create content classifiers, page 87, go there now to populate the list.

2. Select a severity for each classifier to indicate how severe a breach would be. Select High for the most severe breaches. Severity is used for reporting purposes. It allows you to easily locate High, Medium, or Low severity breaches when viewing reports.

3. Configure a threshold for each classifier.

a. Click the link in the Threshold column.

b. Indicate how many times this classifier should be matched to trigger an incident. You can indicate a range if desired, such as between 3 and 10. By default, the threshold is 1.

c. Indicate whether you want the system to count each match, even if it is a duplicate, against the threshold, or whether you’d prefer to only count unique matches.

d. Click OK.
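A small model of the threshold options in step 3, combined with the key phrase rules described earlier (case-insensitive, partial matches count), added as an example and not taken from the product. The classifier values and sample text are constructed, and treating a count above the range's upper bound as not triggering is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Classifier:
    name: str
    kind: str                      # "regex" or "key_phrase"
    value: str                     # the pattern or the phrase
    minimum: int = 1               # the guide's default threshold is 1
    maximum: Optional[int] = None  # upper bound when a range such as 3-10 is set
    unique_only: bool = False      # count unique matches instead of every match


def find_matches(classifier: Classifier, text: str) -> list:
    if classifier.kind == "regex":
        return [m.group(0) for m in re.finditer(classifier.value, text)]
    # Key phrases: case-insensitive, surrounding white space ignored, and
    # partial matches count, so the phrase is searched as a plain substring.
    phrase = classifier.value.strip().lower()
    if not phrase:
        return []
    return re.findall(re.escape(phrase), text.lower())


def evaluate(classifier: Classifier, text: str) -> dict:
    hits = find_matches(classifier, text)
    counted = len(set(hits)) if classifier.unique_only else len(hits)
    # Assumption: a count outside the configured range does not trigger.
    in_range = counted >= classifier.minimum and (
        classifier.maximum is None or counted <= classifier.maximum
    )
    return {"classifier": classifier.name, "matches": len(hits),
            "counted": counted, "incident": in_range}


# Constructed web posts: one account number quoted three times in a reply
# thread, and a list of four different account numbers.
THREAD = (
    "Re: refund for ACC-00412345\n"
    "> please refund ACC-00412345\n"
    ">> customer ACC-00412345 called about security of the portal\n"
)
BULK = "ACC-00412345\nACC-00412346\nACC-00412347\nACC-00412348\n"

ACCOUNT = r"\bACC-\d{8}\b"  # hypothetical internal account format
EVERY_MATCH = Classifier("accounts (all matches)", "regex", ACCOUNT, 3, 10)
UNIQUE_MATCH = Classifier("accounts (unique)", "regex", ACCOUNT, 3, 10, True)
KEY_PHRASE = Classifier("uri phrase", "key_phrase", "  URI ")

if __name__ == "__main__":
    for sample_name, sample in (("thread", THREAD), ("bulk", BULK)):
        for classifier in (EVERY_MATCH, UNIQUE_MATCH, KEY_PHRASE):
            print(sample_name, evaluate(classifier, sample))
```

Counting every match flags the reply thread that repeats one account number, while counting unique matches flags only the list of distinct numbers; the key phrase fires on "security", which is the partial-match behavior to keep in mind when choosing short phrases.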

Trusted Domains

Select Enable trusted domains if you do not want certain domains to be monitored, then enter URLs for the trusted domains separated by commas.

The system does not analyze content passed between trusted domains. This means users can send them any type of sensitive information via HTTP, HTTPS, or other web channels from your network.

The domains you enter apply only to data security and only to the current web policy.

Duplicate URLs are not permitted. Wildcards and ‘?’ are supported.

Configure privacy settings

Use the Account > Settings > Privacy Protection page to prevent end-user identifying information, data security incident trigger values, or both from appearing in logs and web reports. If required, you can still collect this information for security threats.

By default, incident data is not captured, stored, or displayed. Administrators with permission to view incident data are able to see the number of matches in the report, but not the match values or context.

Select Store and display incident data under Data Security Incident Settings if you want the values that triggered data security incidents to be captured, stored in the incident database, and displayed in reports.

Credit card numbers, social security numbers, and email addresses are masked when they are stored, as are passwords in certain instances.

Changing this setting has no impact on incident data that has already been collected.

Configure reporting permissions

You can control which administrators can view data security reports (and potentially sensitive information). This setting is assigned at the account level.

To give administrators these permissions:

1. Navigate to Account > Settings > Contacts.

2. Select the contact whose permissions you want to edit.

3. In Contact Details, click the user name (email address) to view the contact login details.

4. On the Login Details screen, click Edit.

5. Under Account Permissions, select View All Reports and Data Security Reports, and then click Save.

This enables users to view data security reports, which may or may not contain incident forensics and trigger data, depending on your privacy protection settings. It does not change their ability to manage data security configuration settings.

Configure block pages

You have the option to customize the block pages that users receive when they request a web page that is blocked by a Data Security policy. To do so:

1. Go to the Web > Policy Management > Block & Notification Pages page.

2. Expand General.

3. Click Data Security.

4. Click in the title or body to edit the default text. You can replace logos and other images as well.

5. When you’re finished, click OK.

View the dashboard

For a high-level view of activity in your organization, click Dashboard, and then click the Data Security tab. Data Security charts include:

● Incident Count Timeline shows a daily incident count for the designated period. With it, you can quickly identify trends and make policy changes as required.

● Total Incidents by Content Type shows the number of regulatory incidents, data theft incidents, and custom classifier incidents in the designated period.

● Top Sources shows the users, machines, or IP addresses most frequently instigating data security violations as well as the severity of their incidents.

● Top Destination Domains shows the Internet domains most frequently targeted with sensitive data.

● Top Web Categories shows the website categories most frequently targeted with sensitive data. These can be custom categories or the categories classified by the URL category database.

View reports

For a more granular view, access the data security reports.

1. Go to the Reporting > Report Catalog page.

2. Select Standard Reports > Data Security from the left navigation pane, and then select a report category: Content Type, Incidents, or Sources & Destinations.

3. Select a report from the list that displays. Following are descriptions of each report.

Report: Description

Content Type

Compliance Summary: Find out which compliance rules are most often violated in your organization and view a breakdown of the incident count for each policy or rule.

Custom Classifier Summary: See which custom classifiers triggered the most incidents during the designated period.

Data Theft Summary: View a list of data theft classifiers that triggered the most incidents during the designated period.

Incidents

Incident List: View a list or chart of all data loss incidents that were detected during the designated period, along with incident details such as the destination, severity, and transaction size.

Sources & Destinations

Destination Summary: See the destination URLs or IP addresses involved with the most violations, broken down by severity.

Users Summary: See the users, machines, or IP addresses most frequently violating data security policies and the severity of their breaches.

4. After you select a report, select a time period (last 7 days by default) and any required attributes, then click the Update Report button.

Refer to the Forcepoint Security Portal Help for details on adding attributes to a report.

Tip

To view only incidents that meet a certain threshold (not every single match), filter the report using the Top Matches attribute.

Top Matches indicates the number of matches on the incident's most violated rule. For example, if rule A in MyPolicy has 2 matches, rule B has 5 matches, and rule C has 10 matches, top match equals 10.

When you apply the filter, enter the threshold to include in the report, and then select the operator to use: equal to, greater than, etc.

View the audit trail

Click Account > Settings > Audit Trail, and then click View Results to view an audit trail of all policy configuration changes.

You can search by user, action type, and date range.

Chapter 10 Next Steps

You should now be directing all Internet traffic through the Forcepoint Web Security Cloud service and be protected from Internet threats. Although default settings are enforced from the start, to get best use of the service, you probably want to tailor your policy. Specific areas of interest may be:

● Creating additional administrators to delegate responsibilities

● Setting the time zone for your policies

● Customizing your notification pages

● Adding internal or other trusted sites to your non-proxied destinations

● Adjusting the website category dispositions to suit the nature of your business

● Creating custom categories to allow whitelisting or blacklisting of specific websites

● Creating custom protocols to handle non-HTTP Internet traffic. Custom protocols are available only if your subscription includes the I Series appliance.

● Creating groups of users

● Creating exceptions to override category or protocol dispositions for specified users, groups, and times of day. The protocol exception capability is available only if your subscription includes the I Series appliance.

Configuration advice for all of these features and others can be found in the Forcepoint Security Portal Help. Some basic steps for configuring your policy and managing reporting in the Forcepoint Security Portal are outlined in:

● Managing web categories

● Managing protocols and exceptions

● Cloud service reporting

Managing web categories

Forcepoint Web Security Cloud includes dozens of website categories. These categories are designed to help you apply policy to your organization’s web surfing. If a website has not previously been categorized, we assign it the “Unknown” category.

Click the Web Categories tab to configure the action you want the cloud service to take when users try to access websites in each of the categories.

The category list on the Web Categories tab includes standard categories and any custom categories that you have defined on the Policy Management > Custom Categories page.

In the Standard Categories section, child categories are indented under their parent categories. Parent categories allow specific categories to be grouped by a more generic description. However, there is no hierarchical relationship between parent categories and the child categories within them: you can set an action for a parent category without it affecting the child category, and vice versa.

To edit the action applied to a category:

1. Select a web category from the category list.

You can select a category directly from the list, or enter text in the search box to locate the category you want.

To select multiple categories, use the Shift and/or Ctrl keys. You can also use the drop-down menu above the category list to select or deselect the following categories:

■ all categories

■ privacy categories

■ Web 2.0 categories

2. Select an Action for the category:

■ Allow access means that any website within the category is always accessible, regardless of whether it exists in another category that has the Block access action.

■ Do not block ensures that the site is not blocked under this rule, but if it also exists in another category that has an action of Block access, it is blocked under that category.

■ Confirm means that users receive a block page, asking them to confirm that the site is being accessed for business purposes. Clicking Continue enables the user to view the site and starts a timer. During a configurable time period (10 minutes by default), the user can visit other sites in categories that have the Confirm action applied without receiving another block page. Once the time period ends, browsing to another Confirm site results in a block page.

■ Use Quota means that users receive a block page, asking them whether to use quota time to view the site. If a user clicks Use Quota Time, he can view the site for a configurable period.

Clicking Use Quota Time starts two timers: a quota session timer and a total quota allocation timer. The session length and total quota time available for each category depend on the options selected on the General tab.

■ Block access blocks access to websites in this category unless they exist in another category with the Allow access action. When a site is blocked, you can choose a notification page to be displayed.

3. To apply the setting to all categories within the selected category, mark Apply to all sub-categories.

4. Click Save.
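The Allow access, Block access and Do not block rules above, written as an added audit example (not Forcepoint code) that lists sites where an Allow access category overrides a Block access category. Category names other than Unknown, the site names and the function names are constructed; the guide does not state how Confirm and Use Quota rank against each other, so those combinations are reported as unresolved.

```python
ALLOW = "Allow access"
NO_BLOCK = "Do not block"
BLOCK = "Block access"


def categories_for(site_categories):
    """Sites that have not been categorized are assigned the Unknown category."""
    return list(site_categories) or ["Unknown"]


def effective_action(site_categories, category_actions):
    """Resolve the outcome for one site that may sit in several categories."""
    actions = {category_actions[c] for c in categories_for(site_categories)}
    if ALLOW in actions:
        # Always accessible, even if another category has Block access.
        return ALLOW
    if BLOCK in actions:
        # Blocked unless some category has Allow access (handled above).
        return BLOCK
    if actions == {NO_BLOCK}:
        return NO_BLOCK
    return "unresolved"  # involves Confirm or Use Quota; ordering not stated


def overridden_blocks(site_map, category_actions):
    """List sites whose Block access category is cancelled by Allow access."""
    findings = []
    for site, cats in sorted(site_map.items()):
        cats = categories_for(cats)
        allowing = sorted(c for c in cats if category_actions[c] == ALLOW)
        blocking = sorted(c for c in cats if category_actions[c] == BLOCK)
        if allowing and blocking:
            findings.append({"site": site, "allowed_by": allowing,
                             "block_ignored": blocking})
    return findings


# Constructed policy and site-to-category mapping for illustration.
POLICY = {
    "Business Tools": ALLOW,
    "File Storage": BLOCK,
    "News": NO_BLOCK,
    "Unknown": BLOCK,
}
SITES = {
    "share.example.com": ["Business Tools", "File Storage"],
    "news.example.org": ["News", "File Storage"],
    "daily.example.net": ["News"],
    "new-site.example": [],
}

if __name__ == "__main__":
    for site, cats in sorted(SITES.items()):
        print(site, "->", effective_action(cats, POLICY))
    print(overridden_blocks(SITES, POLICY))
```

Running the audit before changing a broad category to Allow access shows which blocked sites would become reachable; Do not block leaves those blocks in force.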

Managing protocols and exceptions

Protocols

This feature is available for I Series appliance deployments only. Click the Protocols tab to manage how protocols, or non-HTTP Internet traffic, are handled by a policy.

The list of protocols appears in a 2-level tree display similar to that in the Categories tab. Protocol groups can be expanded to show the individual protocols within each group.

The list on the Protocols tab includes both standard protocols and any custom protocols that you have defined on the Policy Management > Protocols page. The standard protocol groups are updated regularly.

Configure how a protocol is filtered by selecting it in the protocols tree and specifying an action (Allow or Block) from the box on the right. You can select a protocol directly from the list, or enter text in the search box to locate the protocol you want.

Use the Shift and/or Ctrl keys to select multiple protocols.

Exceptions

Exceptions allow the default action for a web category or protocol to be overridden for specified users and groups of users. Exceptions are listed at the bottom of the Protocols (for I Series appliance deployments only) and Web Categories tabs. Click a protocol or category to view exception rules that may apply to it.

Click Add to add a new exception.

Note

To ensure that notification pages appear for HTTPS sites, mark Use Websense certificate to serve notifications for HTTPS pages on the Web > Policy Management > Block and Notification Pages page.

Cloud service reporting

The available reports for web traffic and analysis are located in the navigation pane under Reporting.

The Report Catalog contains a number of predefined reports that cover common scenarios, available in bar chart, trend chart, and tabular formats. You can copy any predefined report to apply your own filters to create a custom report, and share your reports with other administrators.

The Report Builder offers an enhanced model for creating multi-level, flexible reports that allow you to analyze information from different perspectives and gain insight into your organization’s Internet usage. If a high-level summary shows areas of potential concern, you can drill down to find more details and use Transaction Viewer for granular reports on individual transactions.

You can also do the following:

● Download report results as a comma-separated values (CSV) file or as a PDF file.

● Save the reports you generate most frequently and want to be able to locate quickly.

● Schedule one or more saved reports for regular delivery.

For more information about reporting and the full list of available reports, see the Forcepoint Security Portal Help.

Chapter 11 Preparing Your End Users for Deployment

Before deploying Forcepoint Web Security Cloud, you should inform your users what the service does and how it impacts them. This may be a legal requirement in some countries. Below is some sample text that you can use as a model for an initial communication. You can also customize the registration email templates and pre-logon welcome page, if you are going to use them.

Introduction to the Forcepoint Web Security Cloud service

Forcepoint Web Security Cloud is an advanced web protection service that we have deployed to protect Internet users from computer viruses and other web-based threats such as spyware. All of our Internet traffic is directed to data centers where these threats are filtered out and our Internet acceptable use policy is enforced.

Many websites exist that contain viruses or inappropriate and potentially offensive content. Links to these sites may show up in search results, and the type of content may not be obvious until it is too late. Forcepoint Web Security Cloud allows us to block these sites.

Internet acceptable use policy

We have published an Internet acceptable use policy that outlines your responsibilities as an individual when using company resources to access the Internet. Forcepoint Web Security Cloud allows us to enforce this policy, report on web usage, and block inappropriate downloads. In the event that a website is blocked, you are presented with a page explaining why.

We recognize that different people need to access different types of websites to perform their jobs, so if sites that you are trying to access are being blocked, please email XXXX and include the website address and the reason why you need to access it. The full website address can be copied from your browser address bar.

Please click the link below to access our corporate Internet acceptable use policy.

http://link_to_corporate_acceptable_use_policy

Note

For information about acceptable use policy notices, see Notification pages in the Forcepoint Security Portal Help.

This feature is not available for I Series appliance deployments.

If you will be using endpoint client software to enforce connections to the cloud service, the message might also include an explanation of the installation prompt that users may see:

Deploying Forcepoint Web Security Endpoint via the Internet

To use the Forcepoint Web Security Cloud service, you will be asked to install a Secure Browsing application next time you open a browser. Follow the instructions in the installer. This application ensures your browsing is always protected, whether inside or outside the office.

End-users who must self-register to connect to the Internet through the cloud service should have the following instructions:

Registering to use Forcepoint Web Security Cloud

To use the Forcepoint Web Security Cloud service, you first need to complete a simple, one-time registration process:

If not using bulk registration

1. Click the link below. It takes you to the end-user registration portal. https://www.mailcontrol.com/enduser/reg/index.mhtml

2. Enter your name and email address and click Submit.

3. When you receive an email from Forcepoint, click the link it contains.

If using bulk registration

You will receive an email containing a link that you should click.

If using basic authentication:

This takes you to the end-user registration portal. Enter the password that you want to use when you access the web (twice), and click Submit.

Registration is now complete, and you are not required to register again. To check that you are correctly registered, shut down all browsers and open a new one. When you try to access a website, you are first asked to log in. Type the email address and password that you used to register with Forcepoint Web Security Cloud and click OK. You may want to check the box that invites you to save these login details to simplify future logins.

If using NTLM transparent identification without directory synchronization:

This takes you to the end-user registration portal. Enter the password that you want to use when you access the web (twice), and click Submit.

Now enter a URL, such as www.forcepoint.com, into your browser address bar and you are presented with the final registration page.

Type the email address and password that you used to register with Forcepoint Web Security Cloud into the appropriate boxes.

If using basic authentication:

Logging in when you access the web

You need to log in every time you open a new browser to access the Internet. If you leave your browser open, you are not required to log in again. If you need a second browser window, do not launch a new browser. In your existing one, click File > New Window. This opens a new browser session without you having to log in again.

For remote users who use Forcepoint Web Security Cloud with basic authentication when working remotely:

Accessing the Internet when you are not in the office

When you are working in the office, Forcepoint Web Security Cloud is able to recognize that you work for COMPANY NAME and can protect you from Internet threats according to our policy. To ensure that you are still protected when you are not working from the office, when you access the Internet, you are asked to log in. You must use the email address and password that you entered during Forcepoint Web Security Cloud registration before you can continue.
