Content Gateway initial configuration

Applies to:
  • Forcepoint Web Security, v8.5.x

After Content Gateway is installed, perform these basic configuration activities:

Note: The subscription key is automatically applied to Content Gateway when you enter it in the Web Security module of the Forcepoint Security Manager.

  1. Log on to the Content Gateway manager and run a basic test (Getting Started)
  2. If there are multiple instances of Content Gateway, consider configuring a managed cluster.
  3. Configure protocols to proxy in addition to HTTP: HTTPS (SSL support), FTP
  4. Complete your explicit or transparent proxy deployment
  5. If proxy user authentication will be used, configure user authentication. Alternatively, configure another method of user identification, as described in the “Other methods of user identification” section of Content Gateway deployment issues.
  6. Configure the real-time Scanning Options in the Forcepoint Security Manager
  7. If you enabled content caching during installation, configure content caching.

After the base configuration has been tested, consider these additional activities:

  • When HTTPS (SSL support) is used, configure categories, clients, and destination servers for SSL decryption bypass in the Forcepoint Security Manager.
  • Create Content Gateway filtering rules to:
    • Deny or allow URL requests
    • Insert custom headers
    • Allow specified applications, or requests to specified web sites, to bypass authentication
    • Keep or strip header information from client requests
    • Prevent specified applications from transiting the proxy
  • In explicit proxy deployments, customize the PAC file
  • In transparent proxy deployments, use ARM dynamic and static bypass, or use router ACLs to bypass Content Gateway (see your router documentation)
  • The Adaptive Redirection Module (ARM) of Content Gateway uses a firewall. To facilitate interception and redirection of traffic:
    • IPTables rules are configured during installation of Content Gateway.
      • Forcepoint IPTables chains are inserted.
      • Forcepoint IPTables rules are also inserted into existing chains.
      • Forcepoint chains and rules use “NC_” as a prefix for identification purposes.
    • IPTables rules configured outside of Content Gateway Manager must:
      • Be inserted after Forcepoint rules.
      • Never be added to Forcepoint chains.
    • Forcepoint chains and rules should never be edited.
    • If customized chains or rules impact the Forcepoint configuration, navigate to /opt/wcg/bin and execute the following to re-establish the Forcepoint IPTables chains and rules:

      netcontrol.sh -r
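
One way to check the IPTables constraints listed above before deciding whether netcontrol.sh -r is needed. This is an added example, not Forcepoint code: it compares a saved post-installation rule set with the current one, both in iptables-save format. The function names, the chain name NC_SAMPLE and all sample rules are constructed for illustration, and treating any shared-chain rule that mentions “NC_” as a Forcepoint rule is an assumption.

```shell
#!/bin/sh
# Added example, not Forcepoint code. Both inputs are iptables-save output.
# Assumption: in a shared chain, a Forcepoint rule is any rule mentioning "NC_".

audit_nc() {  # usage: audit_nc BASELINE_FILE CURRENT_FILE
    [ -s "$1" ] || { echo "baseline is empty: $1" >&2; return 2; }
    awk '
    FNR == 1 { nfile++ }                     # 1 = baseline, 2 = current
    /^\*/ { tbl = $1 }                       # table header such as *nat
    $1 != "-A" { next }
    { key = tbl " " $0; chain = tbl SUBSEP $2 }
    nfile == 1 {                             # baseline: record NC_ chain contents
        if ($2 ~ /^NC_/) base[key] = 1
        next
    }
    $2 ~ /^NC_/ {                            # rule inside a Forcepoint chain
        if (!(key in base)) print "NC-CHAIN-CHANGED " key
        seen[key] = 1
        next
    }
    /NC_/ {                                  # Forcepoint rule in a shared chain:
        for (i = 1; i <= n[chain]; i++)      # custom rules queued ahead are misplaced
            print "CUSTOM-BEFORE-FORCEPOINT " tbl " " pend[chain, i]
        n[chain] = 0
        next
    }
    { pend[chain, ++n[chain]] = $0 }         # custom rule, position not yet known
    END { for (r in base) if (!(r in seen)) print "NC-RULE-MISSING " r }
    ' "$1" "$2"
}

demo() {  # constructed sample; NC_SAMPLE is a placeholder chain name
    d=$(mktemp -d)
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':NC_SAMPLE - [0:0]' \
        '-A PREROUTING -j NC_SAMPLE' \
        '-A NC_SAMPLE -p tcp --dport 80 -j REDIRECT --to-ports 8080' \
        COMMIT > "$d/baseline"
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' ':NC_SAMPLE - [0:0]' \
        '-A PREROUTING -s 192.0.2.10/32 -j ACCEPT' \
        '-A PREROUTING -j NC_SAMPLE' \
        '-A PREROUTING -s 192.0.2.20/32 -j ACCEPT' \
        '-A NC_SAMPLE -p tcp --dport 80 -j REDIRECT --to-ports 8080' \
        '-A NC_SAMPLE -s 192.0.2.30/32 -j RETURN' \
        COMMIT > "$d/current"
    audit_nc "$d/baseline" "$d/current"
    rm -rf "$d"
}

demo
```

On a live system the two files would come from iptables-save, with the baseline captured right after installation or after netcontrol.sh -r. An empty result means no drift was found under the stated assumption.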