Endpoint tab

Use the Endpoint tab to enable secure transparent authentication with the web endpoint for end users whose requests are managed by this policy.

The cloud service uses the User Principal Name (UPN) or the NTLM ID provided by the endpoint agent to match endpoint users to the appropriate policy. The service first attempts to match the UPN. If no match is found, or if no UPN is available, the service attempts to find a user match using the NTLM ID.

From this tab you can deploy the Proxy Connect endpoint to either the roaming users or all users in the policy directly from the cloud. (The Direct Connect endpoint and Neo must be installed manually; automatic installation from this tab is not supported.)

Proxy Connect users in your network will be asked to install the endpoint software on their machine when they start a browsing session.

Roaming users must first authenticate themselves via the Roaming home page before being asked to install the endpoint software.

See this Knowledge Base article for a list of browsers that support Proxy Connect endpoint deployment directly from the cloud.

For Neo, Proxy Connect, and Direct Connect endpoint software, you can push the endpoint manually to selected client machines using your preferred distribution method. For more information, see Configure Endpoint settings.


	Note You must set an anti-tampering password for Proxy Connect or Direct Connect endpoint installations before you can deploy the endpoint software. Set this password on the Web > Settings > Endpoint page.

For both classic Direct Connect and Proxy Connect endpoint clients, you can choose to automatically update endpoint whenever a new version is released. Note that if you select an automatic update option, it applies to all users in the policy who have installed the endpoint on the selected operating system, regardless of how the endpoint software was originally deployed.

For Neo, automatic updates are enabled by default but can be configured on the Neo management portal, accessed from the Web > Settings > Endpoint page. For more information, see Settings section of the Forcepoint Dynamic User Protection Help.

Neo

Use this section to select the Neo mode to use. Select:

Intelligent auto-switching...to automatically switch between proxy connect and direct connect modes based on performance and network conditions. This is the recommended option.

Neo uses the appropriate endpoint mode, based on network conditions When proxy connect mode is in use but can't connect to the proxy or if performance becomes an issue, Neo will switch to the direct connect mode.

Proxy Connect to use only the Proxy Connect endpoint mode. This Neo mode corresponds to the functionality available in the standalone classic Proxy Connect agent.

Direct Connect to use only the Direct Connect endpoint mode. This Neo mode corresponds to the functionality available in the standalone classic Direct Connect agent.

From the Fallback mode drop-down, select the fallback behavior that should be applied to a user request if the network connection to Neo is interrupted.

Open to allow the user request.

Closed to block the user request.

Safe (not available with Proxy Connect) uses local cache to apply policy.

Endpoint PAC Control

By default, Neo and Proxy Connect endpoint clients retrieve the cloud service PAC file and use it to determine which websites should be accessed through the cloud proxy, and which port to use for web browsing.

Use the settings in the Endpoint PAC Control section to determine which PAC file URL Endpoint should access for users in this policy.

The options are:

Use default PAC file URL...: retrieves the PAC file over port 8082 (or 8087 for HTTPS). Web browsing is performed via port 8081.

Use alternate PAC file URL...: retrieves the PAC file over port 80 (or port 443 for HTTPS). Web browsing is also performed via ports 80 or 443. Use this option for locations where ports 8081 and 8082/8087 are locked down.

For more information on the default and alternate PAC file URLs, see Proxy auto-configuration (PAC).

Select Retrieve PAC file over HTTPS to download PAC files over a secure (HTTPS) connection. For more information on this setting, see Accessing PAC files over HTTPS.


	Note These settings only apply to the Proxy Connect endpoint. The Retrieve PAC file over HTTPS option requires build 2826 or later. Earlier versions of the Proxy Connect endpoint will always download the PAC file over HTTP, and are not affected by this setting. Ensure that your Endpoint clients have connectivity to a Forcepoint point of presence (data center or local PoP) on TCP ports 8087 or 443, as appropriate, before enabling this option.

Classic Endpoint installation

To configure web endpoint software installation:

If you want to deploy the Proxy Connect endpoint client automatically, mark the Deploy endpoint software on user machines... checkbox.

This setting defines whether the endpoint is deployed to the end users in this policy. If you clear this option at a later date, there will be no further new deployments of the endpoint. However, the installed endpoint software will continue to work unless it is uninstalled from the client machines.

Choose whether the Proxy Connect endpoint is deployed to all cloud end users, or only to roaming users.

To ensure that your endpoint client software always uses the latest version, mark one or more automatic update check boxes.

If you clear these options at a later date, there will be no further automatic updates of existing installations, although the installed endpoints will continue to work.

Define which PAC file URL the Proxy Connect endpoint should use, and whether to retrieve the PAC file via a secure (HTTPS) connection.

Use the alternate PAC file address for locations where non-standard ports are locked down (see Endpoint PAC Control).

Under Classic Endpoint Installation Screen, you can provide a customized message that appears to end users on Windows machines at the beginning of the Proxy Connect endpoint download and installation process.

The message can be used to reassure the user that the download is company-approved, and to provide any further information they may need. To customize the message, enter the message you want to display in the Branding text field.

Click Submit when done.