Configuring explicit proxy

Forcepoint ONE SSE lets you enforce Cloud SWG policies simply by forwarding traffic from known locations (branch offices) using the Host PAC file and a certificate for SSL decryption, without requiring a SmartEdge agent.

You can also use the explicit proxy when there is a requirement not to open access to the entire internet on ports 80 and 443.

The Cloud SWG Explicit Proxy only accepts web traffic from configured known locations (sites) and then filters the traffic based on the SWG policies.

When a user device with the SmartEdge agent arrives at a Site (branch office) configured for the Explicit Proxy, the Cloud SWG Explicit Proxy and the SmartEdge agent interoperate in the following way:
  • The SmartEdge agent continues to perform user authentication for a better user experience, instead of using SSO authentication with the Cloud SWG Explicit Proxy.
    Note: Forcepoint recommends keeping the SmartEdge agent enabled to improve the user experience when the user device is at a Site. Without the agent, user devices are tracked by cookies, so the user is prompted to authenticate again each time they access a website from a different web browser.
  • The SmartEdge agent detects which Site it is at based on the source IP address and chains to the proxy according to the Agent Override option defined in the Site configuration.
  • If you have selected the Do not Override option, the SmartEdge agent continues to proxy traffic; however, the traffic is not sent to the Cloud SWG Explicit Proxy.
  • If you have selected the Chain to Explicit Proxy option, the SmartEdge agent continues to proxy traffic; however, the traffic is sent to the Cloud SWG Explicit Proxy. The Cloud SWG Explicit Proxy recognizes that the traffic is from the SmartEdge agent and lets the traffic pass through without double proxying or logging.

    The Chain to Explicit Proxy option is supported only with SmartEdge agent version 2.0 or newer.

When using the Explicit Proxy, there is no visibility into internal subnets. In the Web and Web DLP logs, all traffic received from the various user devices at a site appears with the Site’s public IP. Therefore, the Explicit Proxy tracks users using cookies issued to the web browser.

Throughput

For Cloud SWG, Forcepoint allocates 0.1 megabits per second (Mbps) per licensed user, spread across multiple virtual datacenters.

For example, for a tenant with 1000 licensed users, Forcepoint will allocate 100 Mbps (1000 × 0.1 Mbps = 100 Mbps) of throughput across virtual datacenters.

Currently, the maximum throughput per virtual datacenter is 1Gbps. Once the bandwidth allocation exceeds this limit, an additional virtual datacenter will be allocated. The Explicit Proxy automatically load-balances the traffic across these virtual datacenters.

General Workflow

The following is a high-level overview of the Cloud SWG Explicit Proxy:

  1. Explicit Proxy PAC URL and Cloud SWG certificate:
    • Set the Explicit Proxy PAC URLs as system proxy on devices from which you want to forward traffic to the Cloud SWG Explicit Proxy. This can be delivered via Group Policy Object (GPO) or MDM.

      The Cloud SWG Explicit Proxy PAC file gets updated whenever you update SWG settings or SWG policies.

    • Install the Cloud SWG Certificate Authority on devices from which you want to forward traffic to the Cloud SWG Explicit Proxy. The Cloud SWG CA is required for SSL inspection. This can be delivered via Group Policy Object (GPO) or MDM.
  2. When users access the internet via a web browser from a Site, the explicit proxy PAC file forwards web traffic to the Cloud SWG data centers through the local edge device.
  3. Bypassed web traffic goes directly to the internet, either from the data centers or from the Site.
    • To bypass web traffic from the Microsoft 365 domains at the PAC file level, refer to Enabling Bypass Microsoft 365.
    • To bypass traffic from Microsoft 365 domains at Cloud SWG level or policy level, you should create SWG policies with the Microsoft 365 predefined custom URL category to provide authentication bypass or SSL Decryption bypass. Refer to Configuring SWG policies.
    • To bypass traffic from specific domains, host IPs or subnets, refer to Setting bypass domains, host IPs or subnets.
    • To bypass traffic from private networks, refer to Configuring bypass and exclusion controls for SmartEdge Agent.
  4. The Cloud SWG Explicit Proxy does the following:
    1. Filters the web traffic as per the SWG policies.
    2. Resolves website addresses using DNS.
    3. Sends the request to the internet on behalf of the end-user device if the website is not blocked by SWG policies.
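Steps 1 and 3 of the workflow above describe what the PAC file does; the following is an added illustrative PAC file, not the PAC file Cloud SWG generates for a tenant. The proxy host name is a placeholder and the bypass lists are constructed examples; the decision order (private networks and bypass domains go DIRECT, everything else goes to the explicit proxy, with no DIRECT fallback) is the part worth comparing with your own PAC.

```javascript
// Illustrative explicit-proxy PAC file (an added example, not the PAC file
// Cloud SWG generates for a tenant). PROXY_HOST is a placeholder endpoint.
var PROXY_HOST = "swg-explicit-proxy.example.invalid:8080";

// Constructed bypass lists. In a real deployment these come from the Cloud SWG
// settings, and the generated PAC file is refreshed whenever they change.
var BYPASS_DOMAINS = ["office.com", "microsoftonline.com", "intranet.corp.example"];
var PRIVATE_NETS = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16]];

function ipToInt(ip) {  // dotted-quad IPv4 literal -> integer, else null
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// True only for an IP literal inside PRIVATE_NETS. dnsResolve() is deliberately
// not used: name resolution stays at the proxy (workflow step 4.2).
function isPrivateIpLiteral(host) {
  var n = ipToInt(host);
  if (n === null) return false;
  for (var i = 0; i < PRIVATE_NETS.length; i++) {
    var base = ipToInt(PRIVATE_NETS[i][0]);
    var size = Math.pow(2, 32 - PRIVATE_NETS[i][1]);
    if (n >= base && n < base + size) return true;
  }
  return false;
}

// Matches the apex or a subdomain only, so "office.com.evil.example" is not bypassed.
function matchesBypassDomain(host) {
  for (var i = 0; i < BYPASS_DOMAINS.length; i++) {
    var d = BYPASS_DOMAINS[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return "DIRECT";  // plain intranet host name
  if (isPrivateIpLiteral(host)) return "DIRECT";   // private network (step 3)
  if (matchesBypassDomain(host)) return "DIRECT";  // PAC-level bypass (step 3)
  // No "; DIRECT" fallback: an unreachable proxy fails the request (fail closed).
  return "PROXY " + PROXY_HOST;
}
```

Pair the PAC with an egress firewall rule that allows ports 80 and 443 only to the proxy, otherwise a client that ignores the PAC can still reach the internet directly.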

Limitations

  • Explicit Proxy is only supported for Web browsers and other applications that honor a PAC file.
  • Thick client applications, which do not honor a PAC file, cannot be monitored using Explicit Proxy.