Creating sites with explicit proxy

A Site represents a corporate location from which traffic will originate.

1. Navigate to Protect > Objects > Sites.
2. On the Sites page, click the green plus icon.
3. On the General tab:
   1. Enter a unique Name of the Site.
      
      
      
   2. Select the appropriate TimeZone of the corporate IP location.
   3. Enter Description for the Site.
   4. Select the Explicit Proxy option as the Type of the site.
      Available options are:

      • Tunnel (default) - Select Tunnel if you want to create GRE or IPSec tunnels so that web traffic from the site is forwarded to Cloud SWG via tunnels.
        Note: When Type is set to Tunnel, then the Tunnel tab is available.
      • Explicit Proxy - Select Explicit Proxy if you want to forward the web traffic from the site to Cloud SWG using a PAC file.
      • None - Select None if the Site is with an on-premise proxy that sends traffic direct to the internet (without sending it to the Cloud SWG).

      Note:

      • The Type cannot be changed once a Site is created. You can delete and create new site with correct Type.
      • Based on the Type selected, available options under the Agent Overrides tab vary.
   5. Enter the Public IP address of the site.

      Forcepoint ONE SSE validates the IP address to make sure that the value is actually an IP address and is not a duplicate of another site with same IP address that is already created.

   6. Set the Identify Coordinates to Automatic to identify the location of the site based on entered IP address when you click Detect Location.

      The Location field displays the location name of the entered IP address to which your web content will be localized.

   7. If Forcepoint ONE SSE is unable to identify the correct location or did not display the location of the entered IP address, then:
      1. Set the Identify Coordinates to Manual.
      2. Select the applicable Localization Country to which your web content should be localized.

         Cloud SWG uses an egress IP address corresponding to the Localization Country selected to send proxied traffic to its destination. If the selected localization country is not available, the country of the Cloud SWG datacenter processing the traffic will be used instead. To know about the supported localization countries list, refer to Cloud SWG vPoP IP addresses.

         Note: For existing Sites, where the Localization Country was not available for selection, is set so that you can select Localization Country later.
4. Ignore the Subnets tab as there is no visibility into internal subnets. All traffic is received from the Site’s Public IP entered on the General tab and the user is tracked using cookies.
   When creating SWG policies, you must set Traffic Type to Any.
5. On the Agent Overrides tab, define what should the SmartEdge agent do when it arrives at a site (office location) that has explicit proxy configured.
   
   
   

   Note: If Set PAC is unchecked on the Protect > Forward Proxy > SmartEdge Proxy page or on the Analyze > Devices > SmartEdge Agent > Details page, then the user device with the SmartEdge agent will ignore the Agent Override setting and will not set the system proxy.

   From the Agent Override drop-down, select the desired behavior of the SmartEdge agent 2.1.0 or latest version when it is at the site:

   • Do not override (default) - Selecting the Do not override option enables the SmartEdge agent to operate as it does at remote location. To make sure the SmartEdge agent filters the web traffic correctly, you should enable access to port 80 and 443 to the entire internet.
   • Do not set PAC - Selecting the Do not set PAC option disables the SmartEdge agent from setting the PAC when at the site so that the Admin can setup their own PAC file using other mechanisms.

   • Chain to Explicit Proxy - Selecting the Chain to Explicit Proxy option enables the SmartEdge agent to enforce SWG policies for filtering and to forward traffic to the Cloud SWG Explicit Proxy. The Cloud SWG Explicit Proxy recognizes that the traffic is from the agent and lets the traffic pass through without enforcing the SWG Content policy for second time. Note that the SWG connection policy is still applied.

     You should select this option when you want to interoperate the SmartEdge agent with the Cloud SWG Explicit Proxy and do not want to open up port 80 and 443 to the entire internet

     When access to outbound IPs on port 80 and 443 is prohibited (that is you want to only allow access to specific IPs, not the entire internet), access to the following needs to be allowed through the firewall:

     • All domains going direct in the Explicit Proxy PAC file and the SmartEdge Agent PAC
     • Forcepoint ONE Bypass Lists for Firewalls and Security Software

   Note:

   • For the older versions of SmartEdge agent (previous to 2.1.0), the SmartEdge agent will behave as if Agent Override is set to Do not override irrespective of what behavior you have selected.
   • Available options vary based on the Type selected on the General tab.

   Attention: When installing the SmartEdge agent at an explicit proxy site with Agent Override set to Chain to Explicit Proxy, ensure that IaaS Provider IPs is not blocked in the login policy. Otherwise, the end-user will not be able to log into the SmartEdge agent.
6. To configure a site with selected information, click OK.

   As soon as the Site is created, the status of Site will be Configuring. After some time, the status of the Site gets changes to Provisioned or Failed.