How Forcepoint Web Security Cloud works

Getting Started Guide | Forcepoint Web Security Cloud

Forcepoint Web Security Cloud operates as a proxy server for HTTP and HTTPS traffic, as well as FTP over HTTP. When users request a web resource, their browsers do not connect directly to Internet web servers (shown in the following diagram as origin servers), but instead connect to the cloud proxy, which in turn relays requests to the origin server. This allows the cloud service to apply filtering rules and perform content scanning, providing protection against security threats, data loss, and inappropriate content.

The service can use various methods to identify and authenticate users: a Forcepoint Endpoint client, a third-party single sign-on identity provider, NTLM transparent identification, or manual authentication with a user name and password. Roaming users (those connecting from an unknown IP address) can be identified via the Forcepoint Endpoint client, via a single sign-on provider, or they are required to authenticate.

Optional SSL decryption allows the content of HTTPS sessions to be scanned, and allows the service to show the correct notification page to users (for example, a block page if the SSL site is in a category that is blocked). Content is re-encrypted after inspection.

The following diagram shows a basic overview of web traffic protected by Forcepoint Web Security Cloud.

The diagram shows the following elements of the service.

Identity management allows user details to be synchronized with the cloud, enabling users to be identified and authenticated. This allows user- and group-level policy settings to be applied, as well as providing detailed user-level reporting.

Web traffic is directed to the cloud service from a private network, and from roaming users connecting from outside their LAN. There are various methods to redirect traffic (see in Key concepts).

Authentication, filtering and enforcement settings are applied by a policy, which determines which requests to allow or block, performs real-time content scanning, and applies data security filtering, helping to prevent inadvertent or malicious data loss.

When policy decisions have been applied, web requests are then forwarded to the origin server, and content is served to the user's browser. If content is blocked, or security threats are detected, configurable notification pages are shown, informing the user of the reason why access to the resource is not allowed.

Some web requests can go directly to the origin server, if the address is defined as a proxy bypass destination.

Secure (HTTPS) sessions are forwarded over a tunneled connection. If you enable SSL decryption, the content of these sessions can be scanned and policy settings applied, before the traffic is re-encrypted. This feature requires you to install a root certificate on end-users' machines, allowing clients to connect securely to the cloud proxy. (See Enabling SSL decryption in the Forcepoint Web Security Cloud help for more information.)

Key concepts

In order to get started with the service, you must arrange to forward your web traffic to the service, add users to the service (if required), and create policies to control web access (a default policy is pre-configured).

Traffic forwarding

In order for the service to perform filtering, you must redirect web traffic to the cloud service, and configure your firewall to allow access to the service on specific ports.

Traffic can be directed to the cloud service in a number of ways:

A Forcepoint Endpoint: a lightweight software client that runs on end user devices, providing policy enforcement for web browsing.

A browser PAC (proxy auto-config) file: a configuration script that can be configured in your users' browsers (via GPO or similar) to redirect browser requests to the service

Firewall redirection: a simple method implemented on your firewall to redirect all HTTP/HTTPS traffic to the service

Tunneling: IPsec or GRE connectivity to forward traffic to the service from a supported edge device.

Alternatively, a Forcepoint I Series appliance can be deployed in order to provide fast, flexible on-premises traffic analysis. If you have an existing on-premises proxy, this can be connected to the service via proxy chaining.

For more information about forwarding traffic, see Forwarding traffic.

User synchronization

The service can identify and authenticate users in order to provide user and group-specific policy enforcement, and detailed user activity reporting. Users can be added manually, or identity management can be configured so that user details are automatically updated to the cloud service.

This step is optional; some organizations apply the same policies to all users based solely on IP address, without requiring users to authenticate.

Note: if your organization has roaming users (those who connect from locations outside of your network), those users must be registered and must identify themselves in order to use the service remotely. See User registration methods.

Policies

Policies allow or block access to web resources, and control your authentication, content filtering, security, and data loss prevention (DLP) settings. Exceptions can be configured to override or bypass policy settings per user or group.

Filtering is based on a set of web categories drawn from the Forcepoint URL Database, constantly updated by Forcepoint Security Labs, with security threats identified in real time by Forcepoint ThreatSeeker Intelligence.

A default policy is available, providing a set of standard web filtering settings. Once you are up and running with the service, you can edit this policy and create new ones, providing differing levels of access for different users and departments. (See Tailoring your policies.)