Configure user access to the hybrid service

Administrator Help | Forcepoint Web Security | v8.5.x

To use the hybrid service for policy enforcement, you must configure how users connect to and are managed by the hybrid service. To do so, select Settings > Hybrid Configuration > User Access.

The Proxy Auto-Configuration (PAC) File section shows the URL from which users' browsers retrieve the PAC file (see What is the hybrid PAC file?).

The PAC file defines which requests the browsers send to the hybrid service, and which are sent directly to the target site (see Specify sites not managed by the hybrid service). The PAC file also contains information about filtered locations, and the proxy configuration for any locations that manage Internet access for their users through an explicit or transparent proxy when on-premises, so that traffic can be routed properly at all locations.


	Note The exact mechanism for configuring a user's browser to use the PAC file depends on the browser and your network environment. For example, if you are using Microsoft Active Directory and Internet Explorer or Mozilla Firefox, you might want to automate the process by using group policies.

The default PAC file is retrieved over port 8082. If users request this PAC file from a location where port 8082 is locked down, they cannot access it. In this case, use the second PAC file address in this section, which enables the user to access the PAC file and hybrid service over port 80. Remote users should also use the PAC file address for port 80 if requesting access from a network that has port 8081 locked down. Even if they can access the PAC file on port 8082, port 8081 is the standard port required to be able to use the hybrid service.


	Important If you are using an identity provider for single sign-on, the PAC file defined for port 8082 is the only PAC file that can be used.

Use the Availability section to specify whether all Internet requests should be permitted or blocked when the hybrid service is unable to access policy information for your organization.

Under Time Zone, use the drop-down list to select a default time zone to use when applying policies in the following situations:

For users connecting to the hybrid service from an IP address that is not part of an existing filtered location (see Filtered locations)

The default time zone is used, for example, by off-site users, or for other users that self-register with the hybrid service.

Whenever time zone information is not available for a filtered location

Use the Custom End User Block Page section to define a customized logo and text for block pages displayed by the hybrid service (see Customizing hybrid block pages).

Use the Certificate Verification Bypass for HTTPS Sites section to chose whether or not to use certificate verification and, when enabled, whether and how end users can bypass certificate verification failures (see Configuring certificate verification bypass).

Use the HTTPS Notification Pages section to enable users making HTTPS requests to view the appropriate notification pages (see Enabling hybrid HTTPS notification pages).

If the hybrid service uses directory data collected by Directory Agent to identify users, you can configure hybrid passwords for user accounts on the Hybrid Configuration > Shared User Data page (see Send user and group data to the hybrid service). If your organization does not use directory data collected by Directory Agent to identify users connecting to the hybrid service from outside filtered locations, you can let users self-register for the service. This allows users with email accounts associated with domains that you specify under Registered Domains to identify themselves to the hybrid service.

Users requesting Internet access from an unrecognized IP address are prompted to self-register. The domain portion of the user's email address is used to associate the user with your organization so that the proper Default policy is applied.

Users who cannot be associated with an organization receive the hybrid service Default policy.

Click Add to add a domain (see Adding domains for hybrid self-registration).

Click a domain entry to edit the domain or its attributes (see Editing domains for hybrid self-registration).

You can also apply hybrid policy enforcement to off-site users connecting from unknown IP addresses, regardless of how those users are filtered when they are in-network or connecting from a filtered location. Under Off-site Users, mark Enable the hybrid service for off-site users.

If you clear this check box, any user connecting from an unknown IP address will not be filtered.

See Hybrid service management of off-site users for more information.

By default, end user web traffic is routed to the nearest cloud data center based on the egress IP address of your Domain Name Server (DNS). This may mean that traffic for users in a geographic location different from the DNS is not optimally routed, causing some latency issues. Select Route traffic based on end users' egress IP on the Settings > Hybrid Configuration > User Access to re-route your web traffic to data centers based on the location of the end user, rather than your DNS.