Authenticating Forcepoint ECA using client certificates

Using a client certificate, the Forcepoint NGFW Engines authenticate the endpoint machines running Forcepoint ECA. This certificate must be installed on the endpoint machine before installing Forcepoint ECA. Otherwise, the Forcepoint ECA client cannot connect to the Forcepoint NGFW Engines.

Steps

  1. In the Management Client component of the SMC, establish a CA for Forcepoint ECA in one of the following ways:
    1. Import your existing Active Directory Certificate Services (AD CS) CA certificates to the SMC, if they have already been used to deploy client computer authentication certificates within your organization. The deployed certificates must have the Client Authentication application policy enabled. If such certificates have been deployed to each endpoint machine where the Forcepoint ECA software will be deployed, skip step 2.
    2. In the domain where the Forcepoint ECA clients are located, create a CA, then import the CA to the SMC as a Trusted Certificate Authority element. For more information, see Knowledge Base article Create a certificate authority for Forcepoint Endpoint Context Agent. Forcepoint ECA uses the customer-provided CA to authenticate the endpoint machine and uses the SMC’s internal CA to authenticate the NGFW Engines.
  2. After the CA is established, create a new certificate template in AD CS and enroll it to each endpoint machine where Forcepoint ECA is to be installed. This certificate is required to authenticate the endpoint machine with the Forcepoint NGFW Engines. When you create the certificate template in AD CS, you must select the Client Authentication application policy extension.
    Note: Note Each endpoint machine must have a unique certificate. Only computer certificates are supported. User certificates are not supported.

    After the CA is established and each endpoint machine has a valid client certificate, continue with the configuration steps in the next section.