Next steps
Forcepoint IPsec Advanced Guide | Forcepoint Web Security Cloud
Once you have completed the setup steps in the preceding section, work through the next steps described in the sections below.
Enable notification pages for HTTPS sites
In order for notification pages to be displayed for HTTPS sites - for example, block pages if the website is in a category that is blocked, or the Pre-logon welcome page for authentication - you must configure a root certificate on each client machine. This acts as a Certificate Authority for secure requests to the cloud proxy.
The setting is found on the Web > Block & Notification Pages page, under Settings. To enable it, select the checkbox Use certificate to serve notifications for HTTPS pages.
This page also has a link to download the Forcepoint root certificate, which should be installed on client machines. For further details, see Forcepoint Web Security Cloud Help - Configure Block & Notification Pages.
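The guide says to install the downloaded root certificate on each client machine but does not show how. The following PowerShell script is an added example, not Forcepoint's own tooling: it installs a certificate file into the machine-wide Trusted Root store, and refuses to do so unless the file's thumbprint matches the value the administrator recorded when downloading it from the portal. The file path and the expected thumbprint are placeholders to be replaced with your own values; the script must run in an elevated session.

```powershell
# Added example (not from the Forcepoint guide): install the downloaded
# Forcepoint root certificate into the local machine's Trusted Root store,
# but only after confirming its thumbprint matches the value recorded from
# the portal download. Path and thumbprint below are placeholders.
param(
    [string]$CertPath           = 'C:\Deploy\forcepoint-root.cer',        # placeholder path
    [string]$ExpectedThumbprint = 'REPLACE_WITH_THUMBPRINT_FROM_PORTAL'   # placeholder value
)

function Test-RootCertificateInstalled {
    param([string]$Thumbprint)
    # Look the certificate up by thumbprint in the machine-wide root store.
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$installed
}

function Install-ForcepointRootCertificate {
    param([string]$Path, [string]$Thumbprint)

    # Parse the file without trusting it yet, so the thumbprint can be checked first.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $actual   = $cert.Thumbprint.ToUpperInvariant()
    $expected = ($Thumbprint -replace '[\s:]', '').ToUpperInvariant()

    if ($actual -ne $expected) {
        throw "Thumbprint mismatch: file has $actual, expected $expected. Not installing."
    }

    if (Test-RootCertificateInstalled -Thumbprint $actual) {
        Write-Output "Root certificate $actual is already installed."
        return
    }

    # Import-Certificate comes from the PKI module shipped with Windows 8 / Server 2012 and later.
    Import-Certificate -FilePath $Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Output "Installed root certificate $actual into Cert:\LocalMachine\Root."
}

Install-ForcepointRootCertificate -Path $CertPath -Thumbprint $ExpectedThumbprint
```

Checking the thumbprint before import matters because whatever lands in the Trusted Root store can vouch for any HTTPS site the client visits; pinning the import to a value you obtained from the portal over an authenticated session prevents a substituted file from being trusted by mistake. For fleet deployment the same certificate is normally pushed through Group Policy (Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) rather than run per machine.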
Set up end-user authentication
End-user authentication is driven by the setting configured in your Web policy. For IPsec Advanced traffic, the cloud service can perform either NTLM identification or manual authentication. NTLM identification uses the credentials presented by a user's browser, and compares these to the user details you have synchronized with the cloud service in order to identify the user. Manual authentication requires users to log on before they can browse, using the email address and password registered with the cloud service.
The following graphic shows the Access Control tab in the cloud portal, used to define your authentication settings.
By default, manual authentication is enabled. If the Always authenticate users on first access option is set, users are prompted to authenticate when first logging on.
If NTLM identification is enabled, it is given priority and will be used instead of manual authentication. In order for NTLM identification to work seamlessly, you must synchronize end user information including NTLM IDs with the cloud service. (See Forcepoint Security Portal Help - Directory Synchronization). If a user cannot be identified via NTLM, the service defaults to manual authentication.
For further information on setting up end-user authentication, see Forcepoint Web Security Cloud Help - Access Control tab.
Note: Authentication bypass
Both cloud and hybrid administrators can elect to bypass authentication based on internal IP addresses, ranges, or subnets. Forcepoint Technical Support must enable the Internal Bypass Rules for Edge Devices feature for your account. See Forcepoint Web Security Cloud Help - Bypassing authentication settings for more information.
Configure browsers for NTLM identification
NTLM identification also requires that you add the authentication URLs for the Forcepoint cloud service to your browsers' local intranet zone.
The following URLs must be trusted:
http://proxy-login.blackspider.com
https://ssl-proxy-login.blackspider.com
For guidance on adding these URLs for various browsers, see the following article in the Forcepoint Knowledge Base: Configuring browsers for NTLM identification.
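The Knowledge Base article covers the per-browser UI steps. As an added example (not from the guide or the KB article), the script below performs the same mapping for Windows clients by writing the Internet Settings ZoneMap registry keys that Internet Explorer and Edge (IE mode) read, placing the two authentication URLs above in the Local Intranet zone for the current user, then reads the keys back to confirm the result. The zone numbers used are the documented Windows values (1 = Local intranet); the function and variable names are this example's own.

```powershell
# Added example (not from the Forcepoint guide): map the two Forcepoint
# authentication URLs into the Local Intranet zone for the current user via
# the ZoneMap registry keys. Zone numbers: 1 = Local intranet, 2 = Trusted
# sites, 3 = Internet, 4 = Restricted sites.
$LocalIntranetZone = 1
$ZoneMapRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# The URLs the guide says must be trusted.
$AuthUrls = @(
    'http://proxy-login.blackspider.com',
    'https://ssl-proxy-login.blackspider.com'
)

function Get-ZoneMapKeyPath {
    param([uri]$Url)
    # ZoneMap stores "host.example.com" as Domains\example.com\host.
    $labels = $Url.Host.Split('.')
    $domain = ($labels[-2..-1]) -join '.'
    $keyPath = Join-Path $ZoneMapRoot $domain
    if ($labels.Length -gt 2) {
        $sub = ($labels[0..($labels.Length - 3)]) -join '.'
        $keyPath = Join-Path $keyPath $sub
    }
    return $keyPath
}

function Set-LocalIntranetSite {
    param([string]$Url)
    $uri = [uri]$Url
    $keyPath = Get-ZoneMapKeyPath -Url $uri
    # -Force creates any missing intermediate keys and is a no-op if they exist.
    New-Item -Path $keyPath -Force | Out-Null
    # The value name is the URL scheme; the DWORD value is the zone number.
    New-ItemProperty -Path $keyPath -Name $uri.Scheme -PropertyType DWord `
        -Value $LocalIntranetZone -Force | Out-Null
}

function Test-LocalIntranetSite {
    param([string]$Url)
    $uri = [uri]$Url
    $keyPath = Get-ZoneMapKeyPath -Url $uri
    if (-not (Test-Path $keyPath)) { return $false }
    $props = Get-ItemProperty -Path $keyPath -Name $uri.Scheme -ErrorAction SilentlyContinue
    return ($null -ne $props -and $props.($uri.Scheme) -eq $LocalIntranetZone)
}

foreach ($url in $AuthUrls) {
    Set-LocalIntranetSite -Url $url
    $ok = Test-LocalIntranetSite -Url $url
    Write-Output ("{0} -> Local intranet zone: {1}" -f $url, $ok)
}
```

Only the two authentication hosts are mapped, and only for the scheme each one is served over, so the browser releases NTLM credentials automatically to those endpoints and nowhere else. On domain-joined machines the equivalent setting is normally delivered through the Site to Zone Assignment List Group Policy; when that policy is in force it takes precedence over the per-user keys written here, so this script is suited to standalone machines and to verifying the mapping during testing.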
Using single sign-on
Single sign-on using the SAML standard is supported for IPsec Advanced tunneling.
Single sign-on must be configured in the cloud portal. See Configure Single Sign-On settings in the cloud portal Admin Guide for more information.
Test your policies
Your policies can be tested using the proxy query page:
http://query.webdefence.global.blackspider.com/?with=all
Verify that traffic is going through the cloud service and that the correct policies are being applied. The following graphic shows the result of a successful test.
Copyright 2022 Forcepoint. All rights reserved.