Configuring transparent proxy

Forcepoint ONE SSE lets you enforce Cloud SWG policies simply by forwarding traffic from known locations (branch offices) over GRE or IPsec tunnels configured between the customer's edge device (firewall or router) and the Cloud SWG Transparent Proxy data centers, without requiring a PAC file or the SmartEdge agent.

The Cloud SWG solution supports both GRE and IPsec tunneling, because some network devices support only IPsec tunneling and others support only GRE tunneling.

Important: Network devices must be configured and tested for failover in order to take advantage of the high-availability features of the cloud service and to benefit from the Network Infrastructure Availability Service Level Agreement.

When a user device with the SmartEdge agent installed and configured is on an internal corporate network and the Cloud SWG Transparent Proxy is also configured, the Cloud SWG Transparent Proxy and the SmartEdge agent interoperate as follows:
  • The SmartEdge agent continues to perform user authentication (instead of SSO authentication through the Cloud SWG Transparent Proxy), which gives a better user experience.
  • The SmartEdge agent detects which Site it is at based on the tunnel over which the traffic is received (not on the Site's public IP address) and then proxy chains according to the Agent Override option defined in the Site configuration.
  • If you have selected the Do not Override option, the SmartEdge agent continues to proxy traffic, but the traffic is sent to the Cloud SWG Transparent Proxy. The Cloud SWG Transparent Proxy recognizes that the traffic comes from the SmartEdge agent and lets it pass through without double proxying or logging.
  • If you have selected the Do not set PAC option, the SmartEdge agent unsets the PAC, effectively turning off the agent. The admin can then set their own PAC to enforce different behavior on internal networks.

Note: When a user device with the SmartEdge agent installed and configured is on an internal corporate network with a GRE tunnel configured, the IP address seen going through the GRE tunnel is, in some instances, the Cloud SWG data center IP address instead of the Site IP address.

The Cloud SWG also supports consolidated policy configuration for deployments with thousands of geographically distributed locations that carry similar traffic types (for example, managed devices, guest devices, IoT devices, or servers).

As a first step, install the Cloud SWG Certificate Authority on the devices whose traffic you want to forward to the Cloud SWG. It can be delivered via Group Policy Object (GPO) or MDM. Refer to Setting the Cloud SWG certificate authority.

Throughput

For Cloud SWG, Forcepoint allocates 0.1 megabits per second (Mbps) of throughput per licensed user per virtual datacenter.

For example, for a tenant with 1000 licensed users, Forcepoint allocates 100 Mbps of throughput per virtual datacenter (1000 × 0.1 Mbps = 100 Mbps).

Currently, the maximum throughput per virtual datacenter is 1 Gbps; as a consequence, the maximum throughput per transparent-proxy tunnel is also limited to 1 Gbps. Once the bandwidth allocation exceeds this limit, an additional virtual datacenter is allocated. In this case, the customer router or firewall originating the tunnels is expected to load-balance traffic across the primary virtual datacenters using ECMP or an alternative method, and to load-balance across the secondary virtual datacenters on failover.