Install Web Security Endpoint for Dynamic Edge Protection

Create an endpoint client installation package using the Forcepoint One Endpoint package builder. The endpoint can be deployed to end user machines manually or via a deployment mechanism such as Windows GPO.

Endpoint installation for Dynamic Edge Protection is performed by creating an installation package, creating a configuration file, and installing the package using command line parameters.

For more information about creating and deploying installation packages using the Forcepoint One Endpoint, see the Forcepoint One Endpoint Solutions Installation and Deployment Guide.

Steps

  1. Obtain a supported build of the Forcepoint One Endpoint from Technical Support.
  2. Using the Forcepoint One Endpoint package builder, create an installer for the Web Security Endpoint – Proxy Connect.
  3. Go to the Administration > Proxy > Hosted PAC Files page in the management portal, and copy the URL for the PAC file you want to use.
  4. Go to the Administration > Proxy > Endpoint General page, and download the HWSConfig.xml file.
  5. Open the HWSConfig.xml file in a text editor, and add the following entries within the <ProxySetting> section:
    • PAC file URL: the URL to retrieve the appropriate PAC file. (From the Administration > Proxy > Hosted PAC Files page.)
      <PACFile URL="[URL]" />
    • Account token: a string used to identify your account to the service. (From the Administration > Proxy > Endpoint General page.)
      <Context InitContext="[account_token]" />
    • Application bypass list: a pipe-separated (|) list of applications, including the file extension, entered as regular expressions.
      <AppWhiteList AppNames="[application1\.exe]|[application2\.exe]" />
      Important: Filenames are entered as regular expressions. Backslash (\) is required as an escape character before the dot in the filename extension.
    • End user control option: a setting that determines whether users can temporarily disable the endpoint client. Set EnableLocalProxySetting to 1 to enable end user control, and 0 to disable end user control of the endpoint client.
      Enabled: <LocalProxySetting AutoOverrideMode="1" EnableLocalProxySetting="1" />
      Disabled: <LocalProxySetting AutoOverrideMode="1" EnableLocalProxySetting="0" />
    An example HWSConfig.xml file is shown below.
    <?xml version="1.0" encoding="utf-8"?>
    <ProxySetting>
      <PACFile URL="https://example-url.forcepoint.io/proxy.pac?p=6653876" />
      <Context InitContext="751bd19c06024415b653705a586b3e33-0" />
      <AppWhiteList AppNames="OUTLOOK\.EXE|WORDPAD\.EXE" />
      <LocalProxySetting AutoOverrideMode="1" EnableLocalProxySetting="0" />
    </ProxySetting>
    Tip: If you want to support a different PAC file URL, application bypass list, or endpoint user control setting for different users, you can install the client using different versions of the HWSConfig.xml file.
  6. Deploy the installation package, either manually or via a deployment mechanism such as Windows GPO.
    Ensure that your edited HWSConfig.xml file is placed in the same folder as the installation package.
    As part of the installation, you can provide an anti-tampering password via a command line parameter as follows:
    /v"XPSWDPXY=[tamper_password]"
    The anti-tampering password is required for users who attempt to uninstall the client. This password cannot be changed later, so ensure you carefully record the password.
    For example, to deploy the client manually on a Windows machine, use the following command line installation arguments:
    FORCEPOINT-ONE-ENDPOINT-x64.exe /v"XPSWDPXY=[tamper_password]"
    Note: In order to make changes to the anti-tamper password, account token, PAC file location, application bypass list, or end user control option, the client must be uninstalled and reinstalled.
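
A pre-deployment check for the edited HWSConfig.xml from step 5, as an added example that is not Forcepoint's code: `Test-HwsConfig` is a hypothetical helper, and the HTTPS-only PAC URL rule and the optional bypass list are assumptions. It flags leftover placeholders, invalid settings, and bypass entries whose dot is unescaped, which makes the regular expression match more filenames than intended.

```powershell
# Added example: lint an edited HWSConfig.xml before it is placed beside the installer.
# Test-HwsConfig is a hypothetical helper name, not part of Forcepoint One Endpoint.
function Test-HwsConfig {
    param([Parameter(Mandatory)][string]$XmlText)
    $issues = [System.Collections.Generic.List[string]]::new()
    try { $doc = [xml]$XmlText } catch { return "Not well-formed XML: $($_.Exception.Message)" }
    $root = $doc.DocumentElement
    if ($root.Name -ne 'ProxySetting') { return 'Root element is not <ProxySetting>' }

    # PAC file URL. Assumed policy: HTTPS only, so the PAC file cannot be altered in transit.
    $pac = $root.SelectSingleNode('PACFile')
    $uri = $null
    if ($null -eq $pac -or -not [uri]::TryCreate($pac.GetAttribute('URL'), [System.UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
        $issues.Add('PACFile URL is missing or not an absolute https URL')
    }
    # Account token: must be present and must not be the [account_token] template text.
    $ctx = $root.SelectSingleNode('Context')
    if ($null -eq $ctx -or $ctx.GetAttribute('InitContext') -notmatch '^[^\[\]\s]+$') {
        $issues.Add('Context InitContext is missing, empty, or still a [placeholder]')
    }
    # Application bypass list (assumed optional): every pipe-separated entry is a regex.
    $apps = $root.SelectSingleNode('AppWhiteList')
    if ($null -ne $apps) {
        foreach ($pattern in $apps.GetAttribute('AppNames').Split('|')) {
            if ($pattern -eq '') { $issues.Add('AppWhiteList contains an empty entry'); continue }
            try { [void][regex]::new($pattern) }
            catch { $issues.Add("AppWhiteList entry '$pattern' is not a valid regular expression"); continue }
            # A dot without a preceding backslash matches any character, widening the bypass.
            if ($pattern -match '(?<!\\)\.\w+$') {
                $issues.Add("AppWhiteList entry '$pattern' has an unescaped dot before the extension")
            }
        }
    }
    # End user control option: only "0" and "1" are documented values.
    $lps = $root.SelectSingleNode('LocalProxySetting')
    if ($null -eq $lps -or $lps.GetAttribute('EnableLocalProxySetting') -notin '0','1') {
        $issues.Add('LocalProxySetting EnableLocalProxySetting must be "0" or "1"')
    }
    $issues
}
# Constructed sample: the page's example values, with one bypass entry left unescaped.
$sample = @'
<ProxySetting>
  <PACFile URL="https://example-url.forcepoint.io/proxy.pac?p=6653876" />
  <Context InitContext="751bd19c06024415b653705a586b3e33-0" />
  <AppWhiteList AppNames="OUTLOOK\.EXE|WORDPAD.EXE" />
  <LocalProxySetting AutoOverrideMode="1" EnableLocalProxySetting="0" />
</ProxySetting>
'@
@(Test-HwsConfig -XmlText $sample) | ForEach-Object { Write-Warning $_ }
```

To check a file on disk, pass its contents with `Test-HwsConfig -XmlText (Get-Content -Raw .\HWSConfig.xml)`.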