Identifying users

Getting Started Guide | Forcepoint Web Security Cloud

Once you have completed the initial setup, a single policy applies enforcement to all traffic from your organization's egress IP. In order to implement per-user or per-group policy enforcement, Forcepoint Web Security Cloud must identify specific users. User identification also allows the service to log individuals' internet usage and provide user-based and group-based reporting.

This section discusses the options available for registering users with the service and identifying users when they access the proxy.

Policy selection by IP address

When the cloud service receives a web request, it first identifies the source of the request in order to find the user's account. If the request comes from an IP address that is defined as a connection in a policy, the service identifies the account, and, by default, applies the settings in that policy.

If you wish, you can define additional policies with different connection addresses, which can apply enforcement to different parts of your organization (as identified by egress IP). This is an easy way to apply different policy settings to different geographical offices, or network segments.


	Tip Using IP-based policy selection also allows users to browse anonymously, without having to authenticate. If user authentication is not required by the policy, enforcement actions are applied to all traffic coming from the egress IP, but users are not individually identified, and user-specific reporting data will not be available.

User authentication is always required for roaming users (those connecting from an unknown IP address), in order to identify the user's account and ensure that the user is entitled to access the service.

Add IP addresses to your policies in the cloud portal via Web > Policy Management > Policies, using the Connections tab.

Policy selection by user

In order to implement user- or group-level control of your organization's web browsing, the service must be able to identify specific users when they request a web resource.

The process by which this occurs is as follows:

When a web request is received from an IP address that is defined as a proxied connection in a policy, the service first identifies the account and policy using the source IP address, and by default applies this connection-based policy. (For connections from unknown IP addresses, see Working with remote users.)

If the connection-based policy requires authentication (defined on the Access Control tab), the service will then identify the user.

Once identified, if the user is found to be assigned to a different policy, the user's policy overrides the connection-based policy, and settings from the user's own policy are enforced.

In order for this to occur, users must be registered with the service, and user authentication must be configured in your policy. See the sections that follow:

User registration methods

User authentication methods

User registration methods

You can register users with the service, and assign those users to policies, in a number of ways. User registration methods are as follows:

Identity management

By invitation

Self-registration

These methods are outlined below.

Identity management

Registering your users via identity management is the most flexible and scalable option for user management.

We recommend that your synchronization includes:

(Directory Synchronization) Users' NTLM IDs: these can be used to transparently identify users without the need for users to manually log on. (Note: if NTLM IDs are not included in the synchronization, users must perform a one-time self-registration process when they first connect to the cloud service.)

Groups that will be useful for policy enforcement purposes - for example, if members of different departments will have different policy settings. You can configure the cloud service to assign users to policies based on group membership, allowing you to manage policy assignment via your directory. You can also configure policy exceptions based on group membership.


	Note Forcepoint recommends that you include the minimum number of groups required for policy enforcement. Including more groups than necessary can impact performance.

For advice on configuring identity management, see Planning for your first synchronization in the Web Security Cloud help.

Once you have synchronized your users and groups, assign groups to the relevant policy via the End Users tab of the policy.

Registering by invitation

If you cannot use identity management, you can invite users to register via an option on the End Users tab of a policy. Users can be invited individually by email address, or in bulk via a CSV file. This option may be useful for users on your network who do not appear in your directory, such as third-party contractors.

When end users are invited, an email is sent inviting the user to create a password before using the service. Users are added to the policy after completing registration.

For further information, see Registering by invitation in the Web Security Cloud help.

Self registration

You can add email domains to your policies in order to allow users to self-register with the service using their email address. For example, if your users have email addresses in the form 'user@yourcompany.com', add 'yourcompany.com'. Add domains on the End Users tab of your policy, under Self Registration. Users registering using an email address at this domain will be assigned to the policy.

Domains can also be added at the account level, via Web > Settings > Domains. This allows you to associate the domain with all policies, allowing users to self-register to any policy in your account. The actual policy the user is assigned depends on the connection from which they connect - if this matches a proxied connection in a policy, the user is registered to that policy. Users connecting from unknown IP addresses are added to a default policy you can select. (See Configure Domain settings in the Web Security Cloud help.)

Users can self-register by clicking Register on the default logon page shown when they first attempt to browse, or by navigating directly to the self-registration URL:

www.mailcontrol.com/enduser/reg/index.mhtml

For further information, see End user self-registration in the Web Security Cloud help.

Managing user policy assignment

If you are using identity management, assign groups to the relevant policy via the End Users tab of the policy. Under Identity Management, click Modify list of groups, and select the groups that should be assigned to the policy.

User assignment to policies can be overridden per user by editing the user via the Accounts > End Users page.

You can also add users to policies using a CSV file. Navigate to Web > Policies. Upload a file under Policy Assignment.

Managing policy assignment via your directory

If you are using identity management you can manage user policy assignment entirely using your identity provider or LDAP directory. Once you have synchronized your users, assign groups to your policies as required.

On the Account > Identity Management screen, click Edit. For the User policy assignment setting, ensure Follow group membership is selected.

With this setting applied, moving users to a different group will automatically update their policy assignment in the portal.