Configuring Forcepoint RBI (Cloud Deployment) in proxy chaining mode with Forcepoint Content Gateway for full isolation

The following steps provide a procedure to configure Forcepoint RBI cloud in proxy chaining mode for full isolation.

  1. The Cloud Ops team shares the Cloud RBI Proxy information via a fulfillment email. The email contains the RBI proxy certificate to be installed in the Forcepoint Content Gateway Manager. The fulfillment email also includes the Cloud RBI proxy host and port details.
  2. Save the RBI proxy certificate to the local machine in .crt format, and then add the RBI proxy certificate as Root CA in the Forcepoint Content Gateway Manager.
  3. To configure proxy chaining for Content Gateway, open Forcepoint Content Gateway Manager and perform the following steps:
    1. Select Configure > Content Routing.
    2. Select Hierarchies.
    3. In the Parent Proxy section, select Enabled.
    4. Continue as indicated in the following screen shot.

  4. Under Parent Proxy Cache Rules, configure the following.
    1. Content Gateway Manager, Forcepoint Security Manager, Forcepoint RBI Domain (Wildcard) to go Direct.
    2. azureedge.net, gstatic.com, edge.microsoft.com, ntp.microsoft.com to go Direct.
    3. All traffic (*) with source IP of RBC Cluster Browsing Nodes to go Direct.
    4. All traffic (*) to redirect to Forcepoint RBI Proxy as Parent Proxy.

  5. Navigate to Configure > SSL > Certificates > Add Root CA.
    1. Click on Choose file and select the Forcepoint RBI Proxy .crt file created earlier. Once the Root CA is added, it displays under Certificate Authorities.
    2. Select the certificate that you have saved and change the status to Allow, as shown in the following image:

  6. On the Forcepoint RBI Portal:
    1. On the top bar, click the icon to navigate to the settings page.
    2. Scroll down to the RBI section.
    3. In Security & Privacy, disable Allow Anonymous Authentication.

When the configuration is complete, Forcepoint RBI can be used in a Proxy chaining mode for Full Isolation.

Note: Web URLs that are part of desktop applications must be added to the Forcepoint Content Gateway proxy bypass or configured in Parent Proxy Cache Rules to go Direct.
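
The Parent Proxy Cache Rules from step 4, and the go Direct entries mentioned in the note, modeled as an added example (not Forcepoint code or configuration syntax). It assumes rules are evaluated top-down with the first match winning and that a domain rule covers its subdomains; every hostname, the parent host:port and the node range are constructed placeholders.

```python
import ipaddress

# Constructed placeholders; the real host, port, RBI domain and node range
# come from the fulfillment email and your own deployment.
PARENT = "rbi-proxy.example.invalid:8080"
NODES = ipaddress.ip_network("198.51.100.0/28")

# (match type, pattern, action) in the order step 4 lists them.
RULES = [
    ("dest", "cgm.corp.example", "direct"),       # Content Gateway Manager
    ("dest", "fsm.corp.example", "direct"),       # Forcepoint Security Manager
    ("dest", "*.rbi.example.invalid", "direct"),  # RBI domain (wildcard)
    ("dest", "azureedge.net", "direct"),
    ("dest", "gstatic.com", "direct"),
    ("dest", "edge.microsoft.com", "direct"),
    ("dest", "ntp.microsoft.com", "direct"),
    ("src", NODES, "direct"),                     # browsing nodes, any destination
    ("dest", "*", PARENT),                        # everything else is isolated
]


def domain_matches(host, pattern):
    """Match a domain and its subdomains, on a label boundary only."""
    if pattern == "*":
        return True
    host = host.lower().rstrip(".")
    suffix = pattern[2:] if pattern.startswith("*.") else pattern
    return host == suffix.lower() or host.endswith("." + suffix.lower())


def route(host, src_ip, rules=RULES):
    """Return the action of the first matching rule (assumed first-match)."""
    for kind, pattern, action in rules:
        if kind == "src" and ipaddress.ip_address(src_ip) in pattern:
            return action
        if kind == "dest" and domain_matches(host, pattern):
            return action
    return "direct"  # assumption: no matching rule means no parent proxy


def shadowed(rules):
    """Rules listed after a catch-all destination rule can never match."""
    for i, (kind, pattern, _) in enumerate(rules):
        if kind == "dest" and pattern == "*":
            return rules[i + 1:]
    return []
```

Under these assumptions, `shadowed()` returning a non-empty list means a Direct rule was entered below the catch-all and will never apply.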