Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Release Notes for Forcepoint Web Security Direct Connect Endpoint for Windows v20 : Installation and upgrade
Installation and upgrade
Updated 25-Feb-2020
Applies to:
Forcepoint Web Security Cloud
Hardware requirements
The following are minimum hardware recommendations for a machine with the Direct Connect Endpoint installed:
*
1 GHz or faster Intel-compatible processor
*
1 GB system memory
*
1 GB disk space
Support for latest browsers and operating systems
Browsers and operating systems are tested with existing versions of Forcepoint One Endpoint when they become available. For a full list of supported browsers and operating systems for each endpoint version, see the Certified Product Matrix.
When you deploy Direct Connect Endpoint to Windows endpoints with Firefox v53 or higher installed, follow the below deployment guidance:
Edit the DCUserConfig.xml configuration file to specify the following configuration parameters in "DCSetting":
*
<FirefoxSetting FirefoxConfigCFGFileName="mozilla.cfg" FirefoxConfigJSFileName="channel-perfs.js" />
Networking requirements
Firewall ports
*
Direct Connect Endpoint management channels over port 443
*
Outbound connections on ports 80 and 443
*
Alternatively use your proxy infrastructure. Direct Connect Endpoint itself does not use PAC files, but it is able to operate with your PAC file settings if required.
Firewall settings
Local network infrastructure must allow access to Forcepoint Cloud IP range. (See Cloud service data center (cluster) IP addresses and port numbers for details.)
Fallback mode will engage if the Forcepoint Cloud IP range is blocked. In Fallback mode, the endpoint continues to prevent access to previously blocked sites, so users' computers are partially protected. For more information, see Fallback mode in the End User's Guide for Forcepoint One Endpoint.
Fallback mode
If the Direct Connect Endpoint is unable to contact the Forcepoint cloud service, it moves into Fallback mode. The device is now partially protected by applying filters cached from previously blocked site visits. For example, if the user previously saw a block page when visiting Facebook, then the user would also see a block page when visiting Facebook while in Fallback mode. This block page indicates that it was a result of cached results. Once the network issue is resolved, normal filtering resumes.
For more information, see Fallback mode in the End User's Guide for Forcepoint One Endpoint.
Application support
By default, any running applications are subject to the same web enforcement policy on HTTP requests on port 80, and HTTPS requests on port 443.
Occasionally some applications do not work properly in conjunction with endpoint enforcement. This might occur with, for example, custom-designed applications for your organization, or applications that need to contact an Internet location for updates.
If you are experiencing problems with applications on end users' machines, the Endpoint Bypass tab on the Web > Endpoint page in the Forcepoint Security Portal enables you to add the names of any application executables that you want to bypass endpoint policy enforcement. For more information, see Endpoint bypass in the Forcepoint Security Portal Help.
Secure channel support
This version of the Direct Connect Endpoint supports secure channel handling through the host system infrastructure. Depending on the version of Windows on the installation machine, the endpoint communicates with the cloud service over:
*
TLS 1.1 and 1.2
These channels follow the system proxy settings in a network environment where all traffic is proxied.
Obtaining endpoint client software
To obtain the latest Direct Connect Endpoint client software package, log onto the Forcepoint Security Portal, and then go to Web > Endpoint > General to download the endpoint installation package.
*
You must set an anti-tampering password to enable the package download links.
*
This version of the endpoint is currently supported on 32-bit or 64-bit Windows.
*
Copy the GPO code that is provided if you intend to deploy the Direct Connect Endpoint MSI package to client machines via Microsoft Group Policy Object (GPO).
Deploying new Windows endpoints
There are a few ways to distribute the Direct Connect Endpoint software on Windows clients, including virtual desktop clients running Windows:
*
Manually on each endpoint device, using the installation package supplied by Forcepoint.
*
Using a GPO or other third-party deployment tool for Windows. If you need assistance, contact Forcepoint Technical Support.
For instructions, see the Installation and Deployment Guide for Forcepoint One Endpoint.
Upgrading existing deployments
On an endpoint machine with a lower version of Direct Connect Endpoint installed:
You can install this version without uninstalling the lower version. Run the Direct Connect Endpoint installation package to automatically remove the installed version, then install this version.
You must reboot the endpoint machine to complete the installation.
On an endpoint machine with Proxy Connect Endpoint installed:
You must uninstall the Proxy Connect Endpoint before installing the Direct Connect Endpoint. Both agents cannot be installed on the same endpoint machine.
You must reboot the endpoint machine after you uninstall the Proxy Connect Endpoint.
Auto-Update:
Automatic updates are enabled through the Forcepoint Security Portal. For more information, see the Upgrade Guide for Forcepoint One Endpoint.
If you have disabled auto-update, endpoint machines show an error in the Diagnostics Tool stating that it cannot reach the auto-update service. This error may also display on endpoint machines that have enabled auto-update, but that have not been updated to the new Forcepoint One Endpoint version of the Direct Connect Endpoint.
Configuring endpoint behavior
Following are some of the configuration options available in the Forcepoint Security Portal for the Direct Connect Endpoint. Note that all links go to the Forcepoint Technical Library.
*
Web categorization. See Web Categories.
*
Setting a default endpoint policy for roaming users. See Deploying the endpoint for Windows.
*
Auto-update of previously installed Direct Connect Endpoint.
Note: A Proxy Connect Endpoint cannot be auto-updated to a Direct Connect Endpoint.
*
End user control. See Deploying the endpoint for Windows.
*
Anti-tampering password. See Deploying the endpoint for Windows.
*
Endpoint bypass settings.
*
Policy exceptions by time, user, and group. See User and group exceptions for time-based access control.
*
SSL inspection. See Enabling SSL decryption.
*
Allowing end users to proceed when notified of certificate errors, and managing specific domains for certificate bypass. See Bypassing certificate verification.
*
Non-proxied destination domains and IP addresses at account and policy level. These operate as non-enforcement destination domains for this version of the endpoint. The configured domains are added to the endpoint management service rather than the PAC file. See Adding and importing non-proxied destinations, and Connections tab.
*
Endpoint reporting. See the Advanced section under Predefined reports.
*
Data Center allocation based on end user egress IP. This does not impact geo-localization of content, but does require a software restart for the setting to take effect.
Unsupported options
The following configuration options are not currently supported by the Direct Connect Endpoint.
Functional:
*
True File Type download blocking
*
Executable file upload blocking
*
Cloud Data Security (DLP)
*
Social Media updates
*
Low risk profile ACE scanning settings
*
Scanning for malware on low risk profile sites
*
File download blocking by size
*
Endpoint browsing behind an iSeries appliance
*
Acceptable Use landing page
*
Bandwidth reporting
*
YouTube restricted mode
Operational/Deployment:
*
Automatic initial endpoint deployment from cloud service
*
Fallback mode block page cannot be customized via the cloud portal

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Release Notes for Forcepoint Web Security Direct Connect Endpoint for Windows v20 : Installation and upgrade
Copyright 2020 Forcepoint. All rights reserved.