Endpoint overview
Forcepoint Endpoint agents are lightweight software clients that run in the background on user devices, providing a seamless browsing experience for your end users. Endpoint agents automatically authenticate users with the service, and provide policy enforcement and data security features. The endpoint clients have been designed to consume minimal CPU, memory, and disk resources, and have tamper controls to prevent users disabling the software.
The endpoint agents provide a User Principal Name (UPN) and an NTLM ID to identify end users. The cloud service uses this information to match users to the appropriate policy. The service first attempts to match the UPN. If no match is found, or if no UPN is available, the service attempts to find a user match using the NTLM ID.
Available endpoint agents are:
* Neo: this endpoint agent can be used in either proxy connect mode or direct connect mode, and can automatically switch from one to the other when necessary. For customers who have also purchased Forcepoint Dynamic User Protection, Neo sends user activities there for analysis to compute the risk score.
* Proxy Connect: this classic endpoint agent redirects all traffic to the cloud proxy for analysis. Proxy Connect is recommended for most scenarios, and supports the widest set of security features.
* Direct Connect: this classic endpoint agent contacts the cloud service for each request to determine whether to block or permit a website, but routes the web traffic itself directly to the Internet. Direct Connect also routes traffic to the cloud service to perform content analysis, if configured in your policy. Direct Connect is recommended for scenarios in which proxy connections may be problematic.
The differences between endpoint agents are further outlined below.
Neo
The Neo endpoint agent is a single agent that installs on the endpoint machine and includes both proxy connect and direct connect modes. Neo can automatically switch between the two modes depending on network conditions and performance.
Once Neo is activated, full functionality of proxy connect or direct connect is available. Neo uses the appropriate endpoint mode, based on network conditions. When proxy connect mode is in use and Neo cannot connect to the proxy, or if performance becomes an issue, Neo switches to direct connect mode.
Neo collects activity data from the endpoint and, for customers who have purchased Forcepoint Dynamic User Protection, sends the data there where it is analyzed for the purpose of risk score calculation.
Proxy Connect (Classic)
The Proxy Connect endpoint redirects all traffic to the cloud proxy for analysis. Proxy Connect is ideal where proxy connections can be used without issue. This endpoint type supports the widest set of security features, such as data security scanning. Proxy Connect is regarded as the default option, and is recommended for most situations.
For more information on the current version, please see the Release Notes for Forcepoint Web Security Proxy Connect Endpoint, available in the portal on the Web > Endpoint > General page.
Direct Connect (Classic)
The Direct Connect endpoint contacts the cloud service for each request, to determine whether to block or permit a website, but routes the web traffic itself directly to the Internet. Direct Connect also routes traffic to the cloud service to perform content analysis, if configured in your policy, and connects to the cloud service to retrieve its configuration settings.
 
Note 
Direct Connect endpoint is designed for use in situations where the use of proxy connections may be problematic. Direct Connect endpoint can improve the security and usability of the service in the following scenarios:
*
*
*
*
*
*
 
Important 
For more information on feature support, see the Release Notes for Forcepoint Web Security Direct Connect Endpoint, available in the portal on the Web > Endpoint > General page.
Endpoint connectivity
The following diagram illustrates the connectivity for Proxy Connect (through Neo or the Classic Proxy Connect endpoint) and Direct Connect (through Neo or the Classic Direct Connect endpoint).
The diagram shows the two different endpoint versions servicing a web request:
1.
2.
a.
b.
If required, you can deploy a combination of Proxy Connect and Direct Connect endpoints in your organization. However, only one classic endpoint instance (Classic Proxy Connect or Classic Direct Connect) can be installed on a client machine at any one time. The Neo endpoint agent includes both proxy connect and direct connect modes.
 
Note 
Endpoint deployment options
Neo, Classic Proxy Connect, and Classic Direct Connect endpoint versions can be deployed on Windows and Mac operating systems (excluding iOS devices, such as iPhones, iPods, or iPads).
After configuring the endpoint client (as described in the next section), you have the following deployment options:
Windows operating system users
*
*
* (Classic Proxy Connect only) Allow users to download and install the endpoint software themselves from a link that you provide.
* (Classic Proxy Connect only) Deploy the endpoint client to the end users in a web policy directly from the cloud. Each affected user is asked to install the endpoint software on their machine when they start a browsing session. See Endpoint tab.
Mac operating system users
*
*
*
*
*
*
Users who do not install the endpoint client are authenticated according to the options specified on the Access Control tab for their policy. Single sign-on is used if configured; otherwise the cloud-based service falls back to NTLM identification or basic authentication. Users are prompted to install the endpoint software each time they start a browsing session, until they complete the installation process.

Copyright 2022 Forcepoint. All rights reserved.