Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Release Notes for Forcepoint Web Security Direct Connect Endpoint for Mac v20 : Installation and upgrade
Installation and upgrade
Updated 25-Feb-2020
Applies to:
Forcepoint Web Security Cloud
Hardware requirements
The following are minimum hardware recommendations for a machine with the Direct Connect Endpoint installed:
*
1 GHz or faster CPU
*
1 GB system memory
*
1 GB disk space
Support for latest browsers and operating systems
Browsers and operating systems are tested with existing versions of Forcepoint One Endpoint when they become available. For a full list of supported browsers and operating systems for each endpoint version, see the Certified Product Matrix.
Enabling the macOS 10.14 kernel extension
When the endpoint machine loads the Direct Connect Endpoint for the first time, a window is shown to prompt you to enable the extension. You can enable the extension in System Preferences > Security & Privacy. For more information, see the User-Approved Kernel Extension Loading Technical Note from Apple.
 
* 
Note 
You must reboot the Mac endpoint machine after enabling the kernel extension. The Direct Connect Endpoint will not work correctly until the endpoint machine reboots.
Disabling the blocked kernel extension prompt
To disable macOS from prompting the user to allow kernel extensions, complete the following steps. Please note that following these steps automatically allows all kernel extensions.
1.
Reboot the Mac endpoint machine in Recovery mode.
2.
From the command line, run:
spctl kext-consent disable
3.
Reboot the Mac endpoint machine.
Networking requirements
Firewall ports
*
Direct Connect Endpoint management channels over port 443
*
Outbound connections on ports 80 and 443
*
Alternatively use your proxy infrastructure. Direct Connect Endpoint itself does not use PAC files, but it is able to operate with your PAC file settings if required.
Firewall settings
Local network infrastructure must allow access to Forcepoint Cloud IP range. (See Cloud service data center (cluster) IP addresses and port numbers for details.)
Fallback mode will engage if the Forcepoint Cloud IP range is blocked. In Fallback mode, the endpoint continues to prevent access to previously blocked sites, so users' computers are partially protected. For more information, see Fallback mode in the End User's Guide for Forcepoint One Endpoint.
Obtaining endpoint client software
To obtain the latest Direct Connect Endpoint client software package, log onto the Forcepoint Security Portal, and then go to Web > Endpoint > General to download the endpoint installation package.
You must set an anti-tampering password to enable the package download links.
Deploying new Mac endpoints
For instructions, see the Installation and Deployment Guide for Forcepoint One Endpoint.
Uninstalling Forcepoint Web Security Direct Connect Endpoint
To uninstall from the command line:
1.
Open a terminal window and type the following command to uninstall the service:
sudo wepsvc --uninstall
2.
Type the root user Password.
3.
If you provided an anti-tampering password in the Forcepoint Security Portal, type the anti-tampering password when prompted.
To uninstall from System Preferences:
1.
Open System Preferences.
2.
Click Forcepoint to open the Forcepoint Endpoint Preferences page.
3.
Click the Uninstall Endpoint button.
4.
If you provided an anti-tampering password in the Forcepoint Security Portal, you are prompted to provide the anti-tampering password.
Type the anti-tampering password, then the root user password to continue.
5.
Click OK to close the confirmation dialog window.
Starting and stopping Forcepoint Web Security Direct Connect Endpoint
1.
Open a terminal window.
2.
Type the following command to stop the service:
sudo wepsvc --stop
3.
Type the following command to check the status of the service:
sudo wepsvc --status --wsdc
4.
Type the following command to start the service:
sudo wepsvc --start
Upgrading existing deployments
On an endpoint machine with a lower version of Direct Connect Endpoint installed:
You can install this version without uninstalling the lower version. Run the Direct Connect Endpoint installation package to automatically remove the installed version, then install this version.
On an endpoint machine with Proxy Connect Endpoint installed:
If you are upgrading an endpoint machine from the Proxy Connect Endpoint to the Direct Connect Endpoint, you must uninstall the Proxy Connect Endpoint before installing the Direct Connect Endpoint.
Auto-Update:
Automatic updates are enabled through the Forcepoint Security Portal. For more information, see the Upgrade Guide for Forcepoint One Endpoint.
 
* 
Note 
If you are upgrading to a combined deployment of Direct Connect Endpoint and Forcepoint DLP Endpoint, you must restart the endpoint machine to finalize the Forcepoint DLP Endpoint upgrade.
Deployment model support
This build supports the following deployment models:
*
Behind third-party authenticating proxies (chained/explicit proxy)
*
Behind third-party filtering proxies (chained/explicit proxy)
*
Behind third-party Transparent proxies
*
Behind on-premises IPsec (VPN) Edge device
*
The Direct Connect Endpoint will not be able to contact the disposition service, so it will fail open and traffic will be transparently re-directed. There is no end user impact.
*
Behind on-premises Firewall re-direct
*
The Direct Connect Endpoint will not be able to contact the disposition service, so it will fail open and traffic will be transparently re-directed. There is no end user impact.
Application support
By default, any running applications are subject to the same web enforcement policy on port 80 (HTTP requests) and port 443 (HTTPS requests). Occasionally, some applications do not work properly in conjunction with endpoint enforcement. This might occur with, for example, custom-designed applications for your organization, or applications that need to contact an Internet location for updates.
If you are experiencing problems with applications on endpoint machines, go to the Endpoint Bypass tab on the Web > Endpoint page in the Forcepoint Security Portal and add the names of any application executables that you want to bypass endpoint policy enforcement. For more information, see Endpoint bypass in the Forcepoint Security Portal Help.
Fallback mode
If the Direct Connect Endpoint is unable to contact the Forcepoint cloud service, it moves into Fallback mode. The device is now partially protected by applying filters cached from previously blocked site visits. For example, if the user previously saw a block page when visiting Facebook, then the user would also see a block page when visiting Facebook while in Fallback mode. This block page indicates that it was a result of cached results. Once the network issue is resolved, normal filtering resumes.
For more information, see Fallback mode in the End User's Guide for Forcepoint One Endpoint.
Configuring endpoint behavior
Following are some of the configuration options available in the Forcepoint Security Portal for the Direct Connect Endpoint. Note that all links go to the Forcepoint Technical Library.
*
Web categorization. See Web Categories.
*
Setting a default endpoint policy for roaming users. See Deploying the endpoint for Mac.
*
End user control. See Deploying the endpoint for Mac.
*
Anti-tampering password. See Deploying the endpoint for Mac.
*
Endpoint bypass settings.
*
Policy exceptions by time, user, and group. See User and group exceptions for time-based access control.
*
SSL inspection. See Enabling SSL decryption.
*
Allowing end users to proceed when notified of certificate errors, and managing specific domains for certificate bypass. See Bypassing certificate verification.
*
Non-proxied destination domains and IP addresses at account and policy level. These operate as non-enforcement destination domains for this version of the endpoint. The configured domains are added to the endpoint management service rather than the PAC file. See Adding and importing non-proxied destinations, and Connections tab.
*
Endpoint reporting. See the Advanced section under Predefined reports.
*
Data Center allocation based on end user egress IP. This does not impact geo-localization of content, but does require a software restart for the setting to take effect.
Unsupported options
The following configuration options are not currently supported by the Direct Connect Endpoint.
Functional:
*
True File Type download blocking
*
Executable file upload blocking
*
Cloud Data Security (DLP)
*
Social Media updates
*
Low risk profile ACE scanning settings
*
Scanning for malware on low risk profile sites
*
File download blocking by size
*
Endpoint browsing behind an iSeries appliance
*
Acceptable Use landing page
*
Bandwidth reporting
*
YouTube restricted mode
Operational/Deployment:
*
Automatic initial endpoint deployment from cloud service
*
Fallback mode block page cannot be customized via the cloud portal
 

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Release Notes for Forcepoint Web Security Direct Connect Endpoint for Mac v20 : Installation and upgrade
Copyright 2020 Forcepoint. All rights reserved.