Web endpoint overview
Forcepoint Web Security Endpoint is a lightweight software client that runs in the background on user devices, providing a seamless browsing experience for your end users. Endpoint automatically authenticates users with the service, and provides policy enforcement and data security features. The endpoint client has been designed to consume minimal CPU, memory, and disk resources, and has tamper controls to prevent users from disabling the software.
There are 2 versions of the endpoint client available:
* Proxy Connect: this endpoint type redirects all traffic to the cloud proxy for analysis. Proxy Connect is recommended for most scenarios, and supports the widest set of security features.
* Direct Connect: this endpoint type contacts the cloud service for each request to determine whether to block or permit a website, but routes the web traffic itself directly to the Internet. Direct Connect also routes traffic to the cloud service to perform content analysis, if configured in your policy. Direct Connect is recommended for scenarios in which proxy connections may be problematic.
The differences between the two types of endpoint client are further outlined below.
Proxy Connect
The Proxy Connect endpoint redirects all traffic to the cloud proxy for analysis. Proxy Connect is ideal where proxy connections can be used without issue. This endpoint type supports the widest set of security features, such as data security scanning. Proxy Connect is regarded as the default option, and is recommended for most situations.
For more information on the current version, please see the Release Notes for Forcepoint Web Security Proxy Connect Endpoint, available in the portal on the Web > Endpoint > General page.
Direct Connect
The Direct Connect endpoint contacts the cloud service for each request, to determine whether to block or permit a website, but routes the web traffic itself directly to the Internet. Direct Connect also routes traffic to the cloud service to perform content analysis, if configured in your policy, and connects to the cloud service to retrieve its configuration settings.
 
Note 
The Direct Connect endpoint is designed for use in situations where the use of proxy connections may be problematic. The Direct Connect endpoint can improve the security and usability of the service in the following scenarios:
*
*
*
*
*
*
 
Important 
For more information on feature support, see the Release Notes for Forcepoint Web Security Direct Connect Endpoint, available in the portal on the Web > Endpoint > General page.
Endpoint connectivity
An overview of connectivity for the Proxy Connect and Direct Connect endpoint versions is illustrated in the following diagram.
The diagram shows the two different endpoint versions servicing a web request:
1.
2.
a.
b.
If required, you can deploy a combination of Proxy Connect and Direct Connect endpoints in your organization. However, only one endpoint instance can be installed on a client machine at any one time.
 
Note 
Endpoint deployment options
The Proxy Connect version of the endpoint can be deployed on Windows and Mac operating systems (excluding iOS devices, such as iPhones, iPods, or iPads). The Direct Connect version is currently available only for Windows.
After configuring the endpoint client (as described in the next section), you have the following deployment options:
Windows operating system users
*
* (Direct Connect and Proxy Connect) Push it manually to selected client machines using your preferred distribution method - for example, Microsoft Group Policy Object (GPO).
* (Proxy Connect only) Allow users to download and install the endpoint software themselves from a link that you provide.
* (Proxy Connect only) Deploy the endpoint client to the end users in a web policy directly from the cloud. Each affected user is asked to install the endpoint software on their machine when they start a browsing session. See Endpoint tab.
Mac operating system users
*
*
Users who do not install the endpoint client are authenticated according to the options specified on the Access Control tab for their policy. Single sign-on is used if configured; otherwise the cloud-based service falls back to NTLM identification or basic authentication. Users are prompted to install the endpoint software each time they start a browsing session, until they complete the installation process.

Copyright 2019 Forcepoint. All rights reserved.