Cloud Web setup

Getting Started Guide | Forcepoint Web Security Cloud

During the initial setup process, you need to configure your firewall to access Forcepoint Web Security Cloud, set up end-user registration and identity management, set up your first policy, and test your configuration.

If you are not able to complete each step immediately, you can skip to the next step and complete any missed items later.

To begin, you will need to have:

Your organization's external IP addresses

Knowledge of your organization's directory infrastructure or NTLM domains.

The stages of the setup are:

Step 1: Firewall Setup

Step 2: End Users

Step 3: Policy Setup

Step 1: Firewall Setup

Your firewall must allow TCP connections outbound to Forcepoint data centers on specific ports. For details of the firewall ports required and how they are used, see Configuring your firewall to connect to the cloud service in the Web Security Cloud help.

Step 2: End Users

End user information can be sent to the cloud service in one of 2 ways:

Use System for Cross-domain Identity Management (SCIM) (recommended) to provision user and group identity data from a cloud-based identity provider to the cloud service.

Synchronize users from my directory (recommended when using a private Active Directory or LDAP) involves installing the Directory Synchronization Client in your network and configuring it to synchronize user and group information from your LDAP directory to the cloud service.

Manually enter end user information (name, email address, and NTLM identity) to use in testing. User details are added to policies using the End Users tab options.

System for Cross-domain Identity Management (SCIM)

Your identity provider must be configured to work with the cloud service so that user and group data can be synchronized from the provider. See How the service works with SCIM in Cloud Security Help for more details.


	Note Okta and Microsoft Azure Active Directory are the only identity provided currently supported.

Directory Synchronization

To enable directory synchronization between your LDAP directory and the cloud service, start by creating the contact with Directory Synchronization permissions. The user name and password will be used by the Directory Synchronization Client to connect to the cloud service.

Refer to the Directory Synchronization Client Administrator's Guide for further information, including how to download and configure the client software.

Add Users manually

User accounts that you plan to use for testing can be added when a new policy is added. See the step for Adding end users when setting up a policy.

Step 3: Policy Setup

Use the Web > Policy Management > Policies page to create a basic policy to determine which websites can and cannot be accessed by users whose traffic is managed by the cloud service.

The steps below walk you through creating a very basic policy that you can customize later if necessary. See Defining Web Policies in Cloud Security Help for complete details.

Click Add.

Enter a policy name and administrator email address. This email address is used as the address from which system messages are sent.

Select a pre-defined policy template to use as the basis for your new policy:

Default blocks access to sites in commonly blocked categories, like Adult Material, Gambling, and sites that present a security risk, while permitting access to sites commonly used for business or educational purposes.

Security only blocks only sites that present a security risk (such as phishing-related sites or sites that host malware) and permits access to all others.

Monitor only does not block any websites, but logs user activity for use in reporting.

Select a Time zone for this policy. This may be used both for time-based policy enforcement and reporting log records.

When you are finished, click Save.

Configuring policy connections

Select the Connections tab to identify the traffic originating from your organization that should be managed by the policy that you are creating.

Each connection is a public-facing IP address, range, or subnet for the gateway through which users' traffic reaches the Internet.

To get started, click Add, then:

Enter a unique Name and Description for the connection.

Select a connection Type: IP address, IP address range, or subnet.

Enter the connection definition for the type that you selected.

Optionally, select a Time zone for this connection. If no time zone is selected, the time zone defined for the policy as a whole is used.

Click Continue.

Repeat this process for each connection that you want to define for this policy.

Adding end users

The End Users tab is where all end-user registration configuration is performed. Registration is a method of getting user credentials into your cloud service account.

To get started with this new policy, select Invite an end-user in the User Management section.

In the Name field, enter the user's display name (for example, Jane Doe).

Enter the user's Email address (for example, jdoe@mydomain.com).

Enter the user's NTLM identity (for example, mydomain/jdoe).

Click OK.

Repeat this process as needed.

Directing user traffic to the cloud service

Use the Default Pac file addresses on the Web > Settings > General page to get the information you need to use a PAC file to direct user traffic from your browser to the cloud service.

Note: Forcepoint recommends performing initial testing using a PAC file manually configured in a browser. For details of other connectivity methods, see Forwarding traffic.

Perform the following steps on a machine that is inside the network that you defined as a connection in the previous step. (This may be the same machine that you are using to access the cloud portal.)

Configure Chrome to use a PAC file

Open Chrome on the selected machine.

Open the Settings menu.

Click the Advanced Settings link, then scroll down to the Network section.

Click Change proxy settings. This opens an Internet Explorer dialog box to the Connections tab.

Click LAN Settings.

Mark the Use automatic configuration script check box, then paste the URL from the portal page in the address field.

Click OK twice to close the dialog box.

Configure Internet Explorer to use a PAC file

Open Internet Explorer on the selected machine.

Open the Internet options menu.

Select the Connections tab, then click LAN Settings.

In the settings dialog box, mark the Use automatic configuration script check box and paste the URL from the portal page in the address field.

Click OK twice to close the dialog box.

Configure Firefox to use a PAC file

Open Firefox on the selected machine.

Open the Options menu.

Select the Advanced > Network tab.

Click Settings, in the Connection section at the top of the tab.

Select Automatic proxy configuration URL and paste in the URL from the portal page.

Click OK.


	Note We recommend that cookies are enabled in your browser to use the service. If cookies are not enabled, some features cannot work.

Next steps

After completing the basic setup, you have all that is needed to test and begin deploying Forcepoint Web Security Cloud. Your account has a single policy that controls and secures your organization's web traffic, and traffic is directed to the service via your browser's PAC file configuration. By default, the service applies your policy settings to all traffic from the IP address defined in the policy.

To get the most out of the solution, you may wish to implement a different traffic forwarding method, enable end-user authentication, tailor your policies, and view and create reports. The rest of this document guides you through these more advanced topics as you continue to roll out your deployment. The remainder of the document is organized into the following topics:

Forwarding traffic

Identifying users

Next steps: configuring advanced features

The appendix provides sample communications you can use to educate your users about your Forcepoint web protection solution (see Preparing end users for deployment).