Forwarding traffic

Getting Started Guide | Forcepoint Web Security Cloud

In order for Forcepoint Web Security Cloud to filter your traffic, web requests must be redirected to the cloud service. There are a number of methods available to redirect traffic.

During the initial stages of an evaluation or while testing a deployment, we recommend that you manually configure a number of web browsers to use the Forcepoint Web Security Cloud PAC file to forward traffic to the service. This is described in PAC file.

The following table outlines all the traffic redirection methods available, which may be suitable for different organizations and different network environments.


Method	Summary	Recommended for
PAC file	The simplest method to direct browser traffic. Easily configured for a small number of browsers for testing purposes. Once you are happy that the service works as expected, you can deploy the PAC file to more users, via Windows GPO or similar. Further detail is given below (see PAC file).	Initial setup and testing. Organizations where software cannot be installed on end user devices or other types of connectivity cannot be used.
Endpoint client	A lightweight software application installed on end-user devices. The endpoint client seamlessly authenticates users, and provides policy enforcement for web browsing. Further detail is given below (see Endpoint).	Most scenarios where software can be installed on end user devices.
Firewall redirection	Transparently redirect all web traffic by configuring redirection rules on your firewall. For details on this connectivity method, see Firewall Redirect: Forwarding Traffic to the Cloud Service.	Networks with unmanaged devices, such as a guest Wi-Fi network or BYOD networks.
IPsec tunneling	Securely forward traffic over a virtual private network (VPN) using a supported firewall or router. For details on this connectivity method, see the Forcepoint IPsec Guide.	Networks with unmanaged devices, such as guest Wi-Fi networks or BYOD networks. Organizations that require increased security for web traffic.
GRE tunneling	Forward traffic over a GRE tunnel using a supported firewall or router. For details on this connectivity method, see the Forcepoint GRE Guide.	Networks with unmanaged devices, such as guest Wi-Fi networks or BYOD networks.
I Series appliance	Forcepoint appliance that performs fast on-premises URL analysis and application/protocol detection for web traffic, forwarding traffic to the cloud proxy where required. See Deploying an I Series Appliance on the Forcepoint Support site for more details.	Organizations that require on-premises traffic filtering and analysis
Proxy chaining	Configure your existing on-premises proxy to forward traffic to the cloud service. See Configuring proxy chaining with the Forcepoint cloud service on the Forcepoint Support site for more details.	Organizations with an existing on-premises proxy where existing network infrastructure cannot be changed.

PAC file

A proxy auto-configuration (PAC) file defines how web browsers choose an appropriate proxy for fetching a given URL. The Forcepoint Web Security Cloud PAC file contains a number of global settings and includes any exclusions you add (for example, intranet sites) that should not use the cloud proxy.

All supported browsers have the ability to use PAC files. PAC files can be configured manually, or delivered via Windows GPO, or similar.

When configuring browsers to download the PAC file, you can specify either the standard PAC file URL or a policy-specific PAC file URL.

Standard PAC file URL: if a user's browser requests the standard PAC file URL from a known IP address associated with a policy, the user will be served the policy-specific PAC file. If the standard PAC file is requested from an unknown IP (for example, roaming users), a global PAC file will be delivered.

Example standard PAC file URL (HTTPS):

https://pac.webdefence.global.blackspider.com:8087/proxy.pac

Policy-specific PAC file URL: if a user's browser requests a policy-specific PAC file URL, then this policy-specific PAC file will always be served. This can be used to ensure that users always receive their policy-specific PAC file, even when connecting from unknown IP addresses, such as roaming users.

Example policy-specific PAC file URL (HTTPS):

https://pac.webdefence.global.blackspider.com:8087/proxy.pac?p=xxxxxx

(Where xxxxxx is a unique policy identifier.)

For more information on PAC files, see Proxy auto-configuration (PAC) in the Web Security Cloud help.

Endpoint

Forcepoint Endpoint clients run in the background on end user devices, providing a seamless browsing experience. Endpoint automatically authenticates users with the service, and provides policy enforcement and data security features. The endpoint client has been designed to consume minimal CPU, memory, and disk resources, and has tamper controls to prevent users disabling the software.

The endpoint client allows administrators to create policies that provide user-specific policy enforcement, with seamless authentication, full visibility of inbound and outbound traffic, and that don't restrict use of the device.

There are three versions of the endpoint client, each suited to different sets of end user needs:

Neo: this endpoint client can be used in either proxy connect mode or direct connect mode, and can automatically switch from one to the other when necessary.

Proxy Connect: also known as Classic Proxy Connect endpoint, this endpoint client redirects all traffic to the cloud proxy for analysis. Proxy Connect is recommended for most scenarios, and supports the widest set of security features.

Direct Connect: also known as Classic Direct Connect endpoint, this endpoint client contacts the cloud service for each request to determine whether to block or permit a website, but routes the web traffic itself directly to the Internet. Direct Connect also routes traffic to the cloud service to perform content analysis, if configured in your policy. Direct Connect is recommended for scenarios in which proxy connections may be problematic, and in some circumstances can improve content localization.

The following diagram illustrates the connectivity for Proxy Connect (through Neo or the Classic Proxy Connect endpoint) and Direct Connect (through Neo or the Cassic Direct Connect endpoint).

The diagram shows the two different endpoint versions servicing a web request:

In the first scenario, Neo or the Classic Proxy Connect endpoint directs all web traffic via the cloud proxy. If the request is permitted, the proxy connects to the requested website and sends content back to the end-user client. (If the request is blocked, the user is shown a block page.)

In the second scenario, a web request via Neo or the Classic Direct Connect endpoint consists of two stages:

The endpoint connects to the cloud service to look up the user's policy settings for the requested site.

If the request is permitted, the client then redirects the request directly to the Internet. (If the request is blocked, the user is redirected to a block page.)

If required, you can deploy a combination of Proxy Connect and Direct Connect endpoints in your organization. However, only one classic endpoint instance (Classic Proxy Connect or Classic Directory Connect) can be installed on a client machine at any one time. The Neo endpoint agent includes both proxy connect and direct connect modes.

For more information about Forcepoint Endpoint software, including deployment options and configuration settings, see Web endpoint overview in the Web Security Cloud help.