Setup instructions

Initial Configuration

1. Verify access to the Forcepoint Data Security Cloud | SSE: Follow the steps in the Signing in to Forcepoint Data Security Cloud section. Once you have logged in, select App Security from the left navigation menu.
2. Allow traffic from Forcepoint Data Security Cloud | SSE datacenters and IP addresses:
   1. Allow traffic between Forcepoint Data Security Cloud | SSE AWS server IP addresses and corporate security devices.
   2. Accept the use of Forcepoint Data Security Cloud | SSE domains for SmartEdge agent as required.
   3. Configure API calls to pull updated IP address and datacenter details.
3. Manage portal access: To manage users, groups, user roles, and SAML or Active Directory (AD) configurations, refer to the Admin section.

Integrate Identity

To manage users, groups, user roles, and SAML or Active Directory (AD) configurations, refer to the Admin section.

Policy Configuration

1. Preconfigure policy objects:
   1. Configure custom inline popup notifications, user email or group email notifications, and other messages notifications.
   2. Configure custom notification files.
   3. Add custom locations.
2. Set up login policies
   • Configure a delay login policy.
   • Configure a block login policy.
   • Set up multi-factor authentication.
   • Configure an expire session policy.
   • Test the policies and update policy configuration if necessary.
   Note: At this point in time, these policies will apply to Forcepoint Data Security Cloud | SSE only. The policies will also apply to managed cloud applications, once configured.
3. Set up automatic log collection for Shadow IT reporting:

   Manually upload logs for Shadow IT discovery.

   OR

   1. Set up one of the following methods for automatic log collection:
      • Configure Downloadable OVA.
      • Configure Syslog-ng relay.
      • Configure Rsyslog.
   2. Map forwarded logs to Forcepoint Data Security Cloud | SSE fields.
   3. Review the reports generated in preparation for policy planning.
4. Configure managed device identification:
   1. Discover the methods to distinguish managed devices.
   2. Select the managed device identification method you want to use.
      • Configure managed client certificates.
      • Set up SmartEdge agent custom device profiles.
      • Configure SAML attribute match.

Setup traffic steering

Configure and deploy traffic steering for inline protection through SmartEdge Agent for a control group.

Setup DLP and data patterns

Configure DLP and data patterns.

Add managed applications

• Add pre-defined cloud applications as managed applications.
• Add custom cloud applications as managed applications.

Protection for data at rest

• Set up API access.
• Set up API scanning in Forcepoint Data Security Cloud | SSE.
• Configure policy actions for data at rest.

Protection for data in motion

1. Configure SSO for cloud applications for a control group:

   Review this video for more information.

   1. Select and deploy the SSO method appropriate for your application and organization.

      This may be SAML relay or SAML ACS proxy.

   2. Verify access to the cloud application.
2. Configure inline policies for managed cloud applications for a control group:
   1. Configure contextual access control and set proxy policy actions.
   2. Test the inline policies.
   3. Update policy configurations if necessary.