Configuring proxy chaining with the Forcepoint cloud service: Squid Proxy
Squid Proxy
Configuring proxy chaining | Forcepoint Web Security Cloud
Forcepoint Web Security Cloud supports the configuration of a chained Squid open source downstream proxy, in the following cases:
Basic chaining
For policies where NTLM is enabled and end users are asked to authenticate for Forcepoint Web Security Cloud
The Squid proxy must be version 3.1.5 or later.
Basic chaining
In this case, Squid forwards requests to the cloud proxy but performs no authentication. End users can be authenticated using manual authentication only: prompting users for a user name and password the first time they access the Internet through a browser.
Configure Squid to forward requests to the cloud proxy as follows:
1. Define one or more ACLs to identify sites that should not be filtered through Forcepoint Web Security Cloud. These must include certain service-specific sites, and should include any other sites that are not normally handled through the cloud service. You can identify these sites by examining the service-generated PAC file available at http://pac.webdefence.global.blackspider.com:8082/proxy.pac.
You should also configure direct access to the cloud portal to allow the following:
Correct display of block pages
End-user self-registration
The roaming user home page (http://home.webdefence.global.blackspider.com/), if used, should also be configured as an ACL.
The following sites must be included in the ACLs:
acl WBSN dstdomain .mailcontrol.com
acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
2. Force all other sites to use the cloud proxy as follows:
never_direct allow all
3. Tell Squid the location of the upstream cloud proxy:
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest
NTLM chaining
The Squid proxy performs local NTLM identification, then forwards the appropriate Proxy-Authorization headers as an NTLM Type 3 message to the cloud proxy for further transparent user authentication. Squid can maintain multiple connections to the cloud proxy, allowing the sharing of connections across users but ensuring that each request is associated with the correct user. When Squid reassigns a connection to another user, only then is a new Proxy-Authorization header sent for that user.
To use this setup, configure Squid to do the following:
1. Perform NTLM authentication.
2. Forward requests to the cloud proxy.
3. Forward user information to the cloud proxy.
Configuring Squid for NTLM authentication
To configure Squid to perform NTLM authentication of users, refer to the Squid documentation:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm
Forwarding requests to the cloud proxy
To configure Squid to forward requests to the cloud proxy:
1. Define one or more ACLs to identify sites that should not be filtered through Forcepoint Web Security Cloud. These must include certain service-specific sites, and should include any other sites that are not normally handled through the cloud service. You can identify these sites by examining the service-generated PAC file available at http://pac.webdefence.global.blackspider.com:8082/proxy.pac.
The following sites must be included in the ACLs:
acl WBSN dstdomain .mailcontrol.com
acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
2. Force all other sites to use the cloud proxy as follows:
never_direct allow all
3. Tell Squid the location of the upstream cloud proxy:
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest
Forwarding user information to the cloud proxy
To configure Squid to forward user information, add the option login=PASS to the cache_peer line:
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest login=PASS
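An added example, not Forcepoint or Squid project code: a small Python check that reads a squid.conf and reports which of the chaining directives from the basic and NTLM procedures above are missing. The function name, the finding strings and the sample configuration are constructed for illustration.

```python
# Added example: lint a squid.conf for the chaining directives listed on this page.
REQUIRED_DIRECT = {".mailcontrol.com", "www.blackspider.com",
                   "webdefence.global.blackspider.com"}
PEER = ["webdefence.global.blackspider.com", "parent", "8081"]

# Constructed sample: the basic-chaining lines from the page, plus a comment line.
SAMPLE_BASIC = """\
# sites that bypass the cloud service
acl WBSN dstdomain .mailcontrol.com
acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
never_direct allow all
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest
"""

def check_chaining(conf_text, ntlm=False):
    """Return a list of findings; empty means every required directive is present."""
    acls, direct_acls, peers = {}, set(), []
    never_direct_all = False
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 4 and tok[2] == "dstdomain":
            acls.setdefault(tok[1], set()).update(tok[3:])
        elif tok[:2] == ["always_direct", "allow"]:
            direct_acls.update(tok[2:])
        elif tok == ["never_direct", "allow", "all"]:
            never_direct_all = True
        elif tok[0] == "cache_peer":
            peers.append(tok[1:])
    # Domains actually sent direct: members of the ACLs named in always_direct.
    direct = set().union(*(acls.get(a, set()) for a in direct_acls))
    findings = [f"not sent direct: {d}" for d in sorted(REQUIRED_DIRECT - direct)]
    if not never_direct_all:
        findings.append("missing: never_direct allow all")
    peer = next((p for p in peers if p[:3] == PEER), None)
    if peer is None:
        findings.append("missing: cache_peer parent for the cloud proxy on port 8081")
    elif ntlm and "login=PASS" not in peer:
        findings.append("NTLM chaining: cache_peer lacks login=PASS")
    return findings

if __name__ == "__main__":
    print(check_chaining(SAMPLE_BASIC), check_chaining(SAMPLE_BASIC, ntlm=True))
```

This only checks that the directives are present; Squid's own `squid -k parse` remains the check for syntax errors in the full file.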
©2022 Forcepoint. Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint. All other trademarks used in this document are the property of their respective owners.
Document last updated: May 13, 2022