Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring proxy chaining with the Forcepoint cloud service : Microsoft ISA Server or Forefront TMG
Microsoft ISA Server or Forefront TMG
Configuring proxy chaining | Forcepoint Web Security Cloud
A Microsoft Internet Security and Acceleration (ISA) Server or Forefront Threat Management Gateway (TMG) server can be deployed as a downstream proxy with Forcepoint Web Security Cloud. You can configure proxy chaining in the following ways:
*
Basic chaining. The ISA server does not perform any authentication before forwarding requests to the cloud proxy. The cloud proxy can perform manual authentication only.
*
NTLM pass-through. The ISA server is aware of a requirement for NTLM identification but takes no part in the authentication, forwarding requests to the cloud proxy which then performs NTLM identification.
*
X-Authenticated-User. The ISA server performs user authentication and forwards requests to the cloud proxy using the X-Authenticated-User header.
In this guide, "ISA/TMG" refers to ISA Server and Forefront TMG collectively. When instructions or information differ for the two products, they are referred to specifically as "ISA Server" or "Forefront TMG".
Basic chaining
To set up your ISA/TMG server to chain with the upstream cloud proxy, follow the instructions below.
1.
Log on to the ISA/TMG server and open the Server Management console.
2.
Under Configuration, open the Networks option and select the Web Chaining tab. Under this tab a default rule is present. Leave this as it is.
3.
Click the Tasks tab, then click the Create New Web Chaining Rule link to start the wizard.
4.
Give the rule a meaningful name such as Forcepoint Web Security Cloud, and click Next.
5.
In the next section, choose the destinations to which this rule applies (in most cases, it applies to external networks).
6.
Click Add and select the appropriate network.
7.
Click Next to specify how requests are to be handled. This is where you specify that requests be sent to an upstream server (i.e., Forcepoint Web Security Cloud).
8.
Select Redirect requests to a specified upstream server and click Next.
9.
On the Primary Routing page, specify the address of the Forcepoint Web Security Cloud service: webdefence.global.blackspider.com
10.
Specify port 8081 for both Port and SSL. Click Next.
11.
On the Backup Action page, select the appropriate action for your organization. Your choice depends on whether you are willing to allow requests to be served directly, without using Forcepoint Web Security Cloud. Click Next.
12.
Review your settings and click Finish.
Configuring exceptions
If there are any hosts that you do not want to use the proxy service, you must configure an exception for them. Minimally, you should add those hosts that are in the PAC file that is downloaded from the Forcepoint Web Security Cloud service (see Proxy auto-configuration (PAC) file in the Forcepoint Web Security Cloud help for more details).
You should also configure direct access to the cloud portal to allow the following:
*
Correct display of block pages
*
End-user self-registration
If you are using the roaming user home page, it should also be configured as an exception. The URL is:
http://home.webdefence.global.blackspider.com/
1.
To configure exceptions, click Firewall Policy, then select Network Objects from the Toolbox.
2.
Right-click Domain Name Sets and click New Domain Name Set.
3.
Give the new set a name (e.g., Forcepoint Web Security Cloud Unproxied).
In the Domain names included in this set section, add all Forcepoint Web Security Cloud global exceptions (from the Forcepoint Web Security Cloud PAC file). These include the following Microsoft Windows update sites:
download.microsoft.com
ntservicepack.microsoft.com
cdm.microsoft.com
wustat.windows.com
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
update.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
 
Also, add the following cloud service sites:
www.blackspider.com
mailcontrol.com
home.webdefence.global.blackspider.com
webdefence.global.blackspider.com
 
Include any other exceptions appropriate for your environment.
4.
Click OK and Apply changes.
5.
Navigate back to the proxy chaining policy you created above, open the policy and click the To tab.
6.
In the Exceptions section, click Add.
7.
Expand Domain Name Sets, select the domain set you just created (Forcepoint Web Security Cloud Unproxied), and click Add.
8.
Click Close on Add Network Entities.
9.
Click OK on the web chaining policy and Apply the changes.
Configuring NTLM pass through
To chain your ISA/TMG server with the cloud proxy and perform NTLM identification:
1.
Follow the steps in Basic chaining.
2.
Log on to the cloud portal.
3.
Select Web > Policy Management > Policies > policy name > Access Control.
4.
Select Authenticate users on first access, then select NTLM transparent identification where possible. For more information, see NTLM identification in the Web Security Cloud Help.
5.
Click Save.
Configuring X-Authenticated-User chaining
You can pass authentication details from your ISA/TMG server to the cloud proxy via a plug-in from Forcepoint LLC. This plug-in allows the cloud proxy to read the X-Forwarded-For and X-Authenticated-User headers sent by the downstream ISA/TMG server as part of a proxy chained configuration.
 
X-Forwarded-For
Contains the client IP address
X-Authenticated-User
When ISA authentication is turned on, this header will be populated with the user domain and username (domain\user).
With this setup, end users can be authenticated transparently by the cloud proxy, removing an authentication step and improving performance.
Two versions of the plug-in are available, for 32-bit ISA servers and 64-bit TMG servers. Zip files for both versions are available for download:
1.
Log on to your Forcepoint website account.
2.
Select the Downloads tab.
3.
Select Forcepoint Web Security Cloud from the Product drop-down list.
4.
In the list that appears, expand TMG 64-bit plugin for Content Gateway or ISA 32-bit plugin for Content Gateway to see the download details. You will need to scroll down to older product versions to see the ISA 32-bit plug-in. Click the download link to start the download.
Install the plug-in as follows:
1.
Copy the appropriate Websense-AuthForward.dll file (for 32-bit or 64-bit) to the Microsoft ISA/TMG installation directory. The default directory for this file is C:\Program Files\Microsoft ISA Server for ISA server, or C:\Program Files\Microsoft Forefront Threat Management Gateway for ForefrontTMG.
For the 32-bit version, install the following files in the installation directory in addition to Websense-AuthForward.dll:
msvcp100.dll
msvcr100.dll
2.
Open a Windows command prompt and change directory to the installation directory.
3.
From the command prompt, type
regsvr32 Websense-AuthForward.dll
4.
Verify the plug-in was registered in the ISA/TMG management user interface (Start > Programs > Microsoft ISA Server > ISA Server Management, or Start > Programs > Microsoft Forefront TMG > Microsoft Forefront TMG Management). In the Configuration (for 32-bit) or System (for 64-bit) section, select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should be listed.
To uninstall the plug-in, run the following command in a Windows command prompt from the ISA/TMG installation directory.
regsvr32 /u Websense-AuthForward.dll

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Configuring proxy chaining with the Forcepoint cloud service : Microsoft ISA Server or Forefront TMG
Copyright 2022 Forcepoint. All rights reserved.