Managing Forcepoint Web Security Cloud : How the service works for roaming users
How the service works for roaming users
This article describes how the cloud service handles users who are roaming, that is, users accessing the Internet away from your network. Typically, this applies to users who are traveling or working at another location, and connecting their company laptop to a Wi-Fi network belonging to another organization, such as a hotel, a home network, or another business.
Directing traffic to the cloud service
In order for a roaming user to connect to the cloud service, they must either have Forcepoint Web Security Endpoint installed, or a proxy auto-configuration (PAC) file setting configured in their browser.
If the user has the endpoint client installed, this forces a connection to the cloud service to authenticate the user and apply policy settings appropriate for the user.
PAC files direct browser traffic to the cloud service, and are typically deployed to end user machines via a Windows Group Policy Object (GPO) or similar. Settings for end users are usually locked down so that they cannot be changed. For more information on PAC files, see Proxy auto-configuration (PAC) in the Forcepoint Web Security Cloud help.
A roaming user's ability to connect to the service may depend on any firewall restrictions that may be in place on their network, and the LAN settings configured in the roaming user's browser. By default, the cloud service uses port 8082 or 8087 to retrieve PAC files. In some networks, these ports may be locked down, which can cause problems for roaming users.
You can avoid the potential limitation of using port 8082/8087 by deploying the alternate PAC file address for roaming users. The alternate address connects via port 80 or 443, the standard ports for web browsing. See the Settings > General page in the cloud portal for more details.
Identifying roaming users
When the cloud service receives a web request, it attempts to recognize the user's account and policy. If the endpoint client is installed, this automatically identifies the user to the service.
When a PAC file is being used, the service attempts to identify the user based on the source IP address of the request. The service first attempts to match the source IP address to a policy. (The source IP address is configured as a proxied connection in the Connections tab of the cloud portal. See the Defining Web Policies > Connections tab in the Forcepoint Web Security Cloud help.)
When users are roaming (working at home, at another business premises, or in a public location such as a hotel or an airport), the IP address is unlikely to be configured as a proxied connection in any account. In this case, the roaming user encounters one of the following scenarios:
The cloud service then searches for the user in your policies. When it finds the user, the service knows who they are, which policy they are assigned, and consequently how to filter the request.
In order to log on, the user has to be registered. Roaming users must go through a one-time registration process before they can log on and browse.
For more information on setting up end user registration, see Defining Web Policies > End Users tab in the Forcepoint Web Security Cloud help.
Common issues for roaming users
Registration problems
If you are having trouble registering with the cloud service, check the following:
* Are you typing in your name in the Name field and your email address in the Email Address field?
Logon problems
If you get an authentication error when you try to log on and browse, one of the following may be the issue:
Remember that you register separately with the cloud service - your email address and password do not have to match any other logons that you may have.
If so, the cloud service may be applying another company's policy. Because you are not a user registered in that policy, you can neither log on nor register. You must contact the company's web policy administrator and ask for access within their policy. They may do this by inviting you as an end user.
Connection failure while roaming
If an end user cannot connect to the web while out of the office in a remote location, the most likely explanation is that the PAC (Proxy Auto Configuration) file URL is not set in Internet Explorer. This URL is required for a roaming connection to the cloud service.
In Internet Explorer, go to Tools > Internet Options > Connections, and check the defined connections and their settings by selecting a connection and clicking the Settings button. Each one should have Use automatic configuration script checked and Address set to "http://webdefence.global.blackspider.com:8082/proxy.pac" or whatever is correct for your policy.
Make sure Automatically detect settings and Use a proxy server for this connection are unchecked.
Using the service from public Internet access points
For some public Internet access points, such as hotel or airport Wi-Fi networks, users must complete a network enrollment page (known as a captive portal) when they first access the network.
The following scenarios use the example of a roaming user connecting to a hotel Wi-Fi network in order to illustrate the default behavior of the cloud service when using the default PAC file setting (using port 8082). These examples are provided to demonstrate the limitations of this setting for roaming users. For recommendations and best practices, see Recommendations for roaming users.
Note
The following scenarios do not apply if the Forcepoint Web Security Endpoint client is installed, since the endpoint is able to manipulate proxy settings in real time, for example to temporarily disable itself at public Internet access points to allow a roaming user to complete network enrollment via their browser.
Scenario 1 – no captive portal
In this scenario, the user is not required to complete a network enrollment or payment page when accessing the Internet. The roaming user's browser is configured with the standard PAC file on port 8082.
The browser will continue to try to obtain the PAC file over port 8082 until it times out. (By default, Internet Explorer will time out after 20 seconds.)
Once the browser times out trying to obtain the PAC file, it will then attempt to follow the proxy server setting, if configured.
If this is blank, the browser will connect via port 80.
The hotel firewall does not block port 80, so the roaming user will connect to www.google.de over port 80.
As such, the user will be connecting to the Internet directly instead of via the cloud service, because the browser is not using the PAC file to direct traffic to the cloud proxy. No policy enforcement will be applied. The user will not be able to use the cloud service, as port 8082 is blocked.
For guidance on resolving this issue for roaming users, see the recommendations detailed in the section Recommendations for roaming users.
Scenario 2 – captive portal
In this scenario, the hotel Wi-Fi redirects users' browsers to an online enrollment page (a captive portal) before allowing the user to connect to the Internet. The roaming user's browser is configured with the standard PAC file on port 8082.
The firewall does not respond with the captive portal on port 8082, which is a non-standard port for web browsing. Because most HTTP requests use port 80, the firewall expects web requests on port 80.
Note
If the firewall has been configured to serve the captive portal for requests on port 80 (most likely), the following occurs.
The browser continues to try to retrieve the PAC file over port 8082 until it times out. (By default, Internet Explorer will time out after 20 seconds.)
Once the browser times out trying to obtain the PAC file, it will then attempt to follow the proxy server setting, if configured.
Only when the user opens a new browser session (that is, a new browser window) does the browser request the PAC file over port 8082.
Because the user has registered, the user will now be directed to the "You are connecting from an unrecognized location" logon page. Once the user logs on, the appropriate policy is applied.
However, because the firewall does not find the user's MAC address on its ACL, it does not allow the request. The firewall is not configured to respond with the enrollment page on port 8081.
At this point, the browser times out. The user cannot then connect to the Internet at all.
Only if the user opens a new browser session, i.e. a new browser window, will the browser then request the PAC file over port 8082.
Because the user's MAC address has been registered, the user will now be directed to the "You are connecting from an unrecognized location" logon page. Once the user logs on, the appropriate policy is applied.
For guidance on resolving these issues for roaming users, see the recommendations detailed in the section Recommendations for roaming users.
Using the service from home networks
Users connecting from home networks are treated as roaming, and are identified by the endpoint client, or by IP address, as described in Identifying roaming users.
In some circumstances, home users might connect to their network, launch a browser, and find that they are not using the Web Security Cloud service. This can happen for two reasons:
In the case of the Proxy Connect endpoint, if this occurs, the browser tries to retrieve its PAC file, and fails. If the computer is assigned an IP address immediately after the failure, the browser can fall back to accessing the Internet directly without retrying the PAC file. When endpoints can't connect to the cloud service, they allow Internet use to continue, and apply filters that have been cached, in order to provide as much protection as possible. This is known as Fallback mode.
If you encounter this issue, the possible solutions are as follows:
Installing the endpoint, either for all or just for roaming users, ensures that all web traffic receives enforcement from the cloud service.
Some browsers allow you to configure an explicit proxy in addition to using a PAC file. You must ensure that you also add the global non-proxied destinations contained in the Web Security Cloud PAC file as proxy exceptions. Failure to do so could result in the service being inaccessible. For information on accessing the cloud service PAC file, see Proxy auto-configuration (PAC) in the Forcepoint Web Security Cloud help.
Adding an explicit proxy for roaming users ensures that users are always protected, with no user intervention. However, you must manually update any non-proxied destinations you add to the cloud service. In some circumstances, it can also prevent connectivity from some public Internet access points. See Using the service from public Internet access points for more details.
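The PAC file described under Directing traffic to the cloud service, and the proxy exceptions for non-proxied destinations discussed above, can be illustrated with a small PAC file. The following is an added example written for this article; it is not the Forcepoint-supplied proxy.pac, and the proxy address cloud-proxy.example.invalid:8081, the excepted domain suffixes and the private address ranges are constructed placeholders that a real deployment would replace with the service's own proxy address and the non-proxied destinations published in the service PAC file. The security-relevant choice is the last return statement: the PAC returns only the PROXY directive, with no "; DIRECT" fallback, so that when the proxy is unreachable the request fails instead of silently going to the Internet unfiltered.

```javascript
// Added example: a fail-closed PAC file for roaming users (illustrative,
// not the service's own proxy.pac). Placeholders, all constructed:
//   cloud-proxy.example.invalid:8081  - stands in for the real cloud proxy
//   NON_PROXIED_DOMAINS / NON_PROXIED_NETS - stand in for the non-proxied
//   destinations published in the service PAC file
var CLOUD_PROXY = "PROXY cloud-proxy.example.invalid:8081";

// Destinations that must bypass the proxy. Note the leading dot on each
// suffix: without it "notcorp.example.internal" would also match.
var NON_PROXIED_DOMAINS = [".corp.example.internal", ".login.example.invalid"];
var NON_PROXIED_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["127.0.0.0", "255.0.0.0"]
];

function FindProxyForURL(url, host) {
  // Single-label names such as "intranet" never leave the local network.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // Hosts under an excepted domain suffix.
  for (var i = 0; i < NON_PROXIED_DOMAINS.length; i++) {
    if (dnsDomainIs(host, NON_PROXIED_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  // Literal private or loopback IP destinations.
  if (isIpLiteral(host)) {
    for (var j = 0; j < NON_PROXIED_NETS.length; j++) {
      if (isInNet(host, NON_PROXIED_NETS[j][0], NON_PROXIED_NETS[j][1])) {
        return "DIRECT";
      }
    }
  }
  // Everything else goes to the cloud proxy. No "; DIRECT" fallback is
  // appended on purpose: if the proxy cannot be reached the request fails
  // rather than bypassing policy enforcement.
  return CLOUD_PROXY;
}

// ---- Test harness ----------------------------------------------------
// Browsers provide isPlainHostName, dnsDomainIs and isInNet themselves.
// Node does not, so minimal versions are defined here so the file can be
// exercised outside a browser. Delete this section when deploying the PAC;
// the harness isInNet handles dotted-quad literals only, whereas a browser
// would also resolve host names.
function isIpLiteral(host) {
  return /^(\d{1,3}\.){3}\d{1,3}$/.test(host);
}
function ip4ToInt(ip) {
  var p = ip.split(".");
  return ((+p[0]) * 16777216) + ((+p[1]) * 65536) + ((+p[2]) * 256) + (+p[3]);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isInNet(host, pattern, mask) {
  if (!isIpLiteral(host)) {
    return false;
  }
  // Both sides are masked with the same 32-bit operation, so the signed
  // result of & does not affect the comparison.
  var m = ip4ToInt(mask);
  return (ip4ToInt(host) & m) === (ip4ToInt(pattern) & m);
}
```

Run it under Node to check the decisions before deploying, for example with FindProxyForURL("http://www.google.de/", "www.google.de"), which should return the PROXY directive, and FindProxyForURL("http://intranet/", "intranet"), which should return DIRECT. When an explicit proxy is configured in the browser in addition to a PAC file, the same domain and address exceptions must be entered as proxy exceptions by hand, which is the maintenance burden the text above refers to.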
Recommendations for roaming users
The following are recommendations and best practices to help ensure that roaming users are protected when connecting via public or home networks.
Note that some public networks may block ports 1723 or 47, typically used for VPN, and that captive portal enrollment may be required before the VPN can be established. VPN solutions that use port 80 are available.

Copyright 2018 Forcepoint. All rights reserved.