Connections tab

Use the Connections tab of the Web > Policy Management > Policies page for any policy to define:

The source IP addresses (proxied connections) assigned to the selected policy (see Proxied connections)

Destination domains and IP addresses that users assigned this policy can access without going through the cloud service (see Proxy bypass)

Proxied connections

Most organizations have at least one proxied connection configured per policy. The proxied connection address is used to identify traffic from your organization's egress IP address and, by default, apply the policy to that traffic.

Proxied connections:

Are public-facing IP addresses, IP address ranges, or IP subnets for offices in your organization using the cloud service.

Are often the external address of your Network Address Translation (NAT) firewall.

May be appliances or edge devices configured on the Web > Settings > Network Devices page.

Could include branch offices, remote sites, or satellite campuses.

Proxied connections are NOT:

IP addresses of individual client machines.

IP addresses outside your organization.

If you have several points of presence on the Internet, you can combine all of these under one policy, or have separate policies for each public-facing IP address.


	Note If you do not add any proxied connections to the policy, all users are treated as remote and must authenticate to use the service. In this case, the policy they use is determined by their email domain. They see a service-wide Remote User Welcome page that is not configurable. Once logged on, they are served configurable notification pages from the customer account.

To add a proxied connection:

Click Add under the Proxied Connections table.

In the Add Proxied Connection dialog box, enter a unique Name and helpful Description for the connection.

Specify the connection Type, then enter the Address (single IP address), Subnet, or Range.

Select the Time zone for this connection.

If you have a single policy for multiple Internet gateways in different countries, you may want to set each to a different time zone. If all connections are in the same time zone, it is easier to set the time zone for the complete policy (see Time zone) and select the "use policy time zone" option.

Daylight saving time is supported where valid on all time zones except GMT and UTC, which are static.

Optionally, mark the Override Google redirect behavior checkbox, then determine which override option to use.

By default, Google redirects browsers to the appropriate site for the country it detects (for example, google.fr for France). Sometimes this is not accurate (for example, if end users browse through a cloud proxy in a different country).

The Google redirect setting for the connection takes precedence over the setting for the policy (see User and group exceptions for time-based access control). If you do not configure Google settings for the connection, the policy-level, if any, are used.

This feature requires that you enable SSL decryption for the Search Engines and Portals category on the Web Categories tab (see Managing categories, actions, and SSL decryption), and install the Forcepoint root certificate on end user machines. If you mark the checkbox without enabling SSL decryption, a warning appears.

The available options are:

Ensure requests for google.com are not redirected, which prevents Google from redirecting to a local country site when the end user enters "google.com"

Redirect requests for google.com to, which ensures all google.com requests are redirected to a local country site of your choice. Enter the country code in the text field (for example, fr for google.fr, or co.uk for google.co.uk).

Click Continue to save your change and return to the Connections tab.

Proxy bypass

Proxy bypass sites are destinations that users can access either directly, or through an alternate (third-party) proxy, without going through the cloud service. For example, organizational webmail sites and system traffic, like Microsoft and antivirus updates, should be added to the bypass list.

For users with the Neo or Direct Connect endpoint, bypass destinations are not analyzed by the cloud service.

For users whose traffic is sent to the cloud service via PAC file, including users of the Proxy Connect endpoint, bypass destinations are added to the policy PAC file.

By default, the PAC file excludes all non-routable and multicast IP address ranges; so if you are using private IP address ranges defined in RFC 1918 or RFC 3330, you need not enter these.

Browsers configured to use the policy's PAC file automatically use the cloud service, but bypass it for the specified destinations.

Any destinations that you add to the Proxy Bypass table apply only to the selected policy. To add bypass destinations that apply to all policies, use Proxy Bypass tab of the Web > Settings > Bypass Settings page.

To define bypass destinations:

Click Add under the Proxy Bypass table.

In the Add Proxy Bypass dialog box, enter a unique Name and helpful Description for the destination.

Specify the destination Type, then enter the Address (single IP address), Subnet, or Domain.

If traffic to the specified destination is managed by a third-party proxy, mark the Send traffic to another proxy check box, then enter the proxy IP address or hostname in the field provided.


	Important The alternate proxy specified here must not be another Forcepoint proxy.

Use the optional Comment box to add helpful information, such as why the entry was created.

Click Continue to save your changes and return to the Connections page.


	Note You can add a total of 1000 proxy bypass destinations per policy. Account-level bypass destinations (added via Web > Proxy Bypass) count towards this limit for each policy. For example, if your policy has 10 bypass destinations, and you have 10 account-level bypass destinations, this is counted as a total of 20 destinations for the policy.