Create ECA Configuration elements

ECA Configuration elements contain the Trusted Certificate Authority element used to secure communication between the Engine and the Forcepoint F1E clients.

Before you begin

Create or use a certificate authority from the domain where the endpoint clients are located, then import the CA to the Secure SD-WAN Manager as a Trusted Certificate Authority element. For more information, see Knowledge Base article 14099.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration.
  2. Browse to Other Elements > Engine Properties > ECA Configurations.
  3. Right-click ECA Configurations, then select New ECA Configuration.
  4. Configure the settings, then click OK.
    Note: If Advertise Firewall's Contact Address to ECA Clients is selected, the Engine can send ICMP or ICMPv6 discovery messages to endpoint clients that are not aware that the contact address for the Engine has changed or that the Engine can receive Forcepoint F1E metadata. The ICMP message type is Destination Unreachable, and the code is Communication Administratively Prohibited.

Next steps

Enable Forcepoint Endpoint Context Agent (ECA) on the Engines, and select the ECA Configuration element that you created.

ECA Configuration Properties dialog box

Use this dialog box to define the settings for integrating Forcepoint F1E with the Engine.

Name
    The name of the element.

ECA Configuration CAs
    The Trusted Certificate Authority elements that are used to secure communication between the Engine and the Forcepoint F1E clients. Click Add to add an element to the table, or Remove to remove the selected element.

Advertise Firewall's Contact Address to ECA Clients
    When selected, the Engine can send ICMP or ICMPv6 discovery messages to endpoint clients that are not aware that the contact address for the Engine has changed or that the Engine can receive Forcepoint F1E metadata. The ICMP message type is Destination Unreachable, and the code is Communication Administratively Prohibited.

    If the Engine detects connections from networks that contain endpoint clients and there is a match for an Access rule that requires Forcepoint F1E metadata, but the connections do not include Forcepoint F1E metadata, the Engine sends ICMP or ICMPv6 discovery messages to the network, advertising the contact address for the Firewall. The messages contain the shared secret that is also defined in the XML configuration file that is deployed to the endpoint clients. If a client responds and successfully authenticates, the Engine sends the latest XML configuration file to the client.

Category (Optional)
    Includes the element in predefined categories. Click Select to select a category.

Comment (Optional)
    A comment for your own reference.
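The discovery messages described under Advertise Firewall's Contact Address to ECA Clients are standard ICMP Destination Unreachable messages. The following example is added here and is not Forcepoint code: it parses the ICMP header so that an administrator reviewing a packet capture (for example, when checking that an intermediate firewall passes these messages) can confirm that a message carries the type and code the documentation names. The numeric values are the standard ones: ICMPv4 type 3 / code 13 (RFC 1812) and ICMPv6 type 1 / code 1 (RFC 4443). The ECA payload format and the shared secret are not documented on this page, so the sample message bodies are placeholders constructed for the example.

```python
"""
Classify ICMP / ICMPv6 messages and flag the Destination Unreachable /
Communication Administratively Prohibited combination used for ECA discovery.
Added example, not Forcepoint code; all sample packets are constructed.
"""
import struct

# Standard values: ICMPv4 type 3 (Destination Unreachable), code 13
# (Communication Administratively Prohibited, RFC 1812); ICMPv6 type 1
# (Destination Unreachable), code 1 (communication with destination
# administratively prohibited, RFC 4443).
ICMPV4_DEST_UNREACH = 3
ICMPV4_ADMIN_PROHIBITED = 13
ICMPV6_DEST_UNREACH = 1
ICMPV6_ADMIN_PROHIBITED = 1


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMPv4 message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(data: bytes, version: int) -> dict:
    """Parse the ICMP header; return type, code, checksum status and the body."""
    if len(data) < 8:
        raise ValueError("ICMP message too short")
    msg_type, code, checksum = struct.unpack("!BBH", data[:4])
    result = {"version": version, "type": msg_type, "code": code, "body": data[8:]}
    if version == 4:
        # Zero the checksum field, recompute, and compare; a mismatch means corruption.
        result["checksum_ok"] = icmp_checksum(data[:2] + b"\x00\x00" + data[4:]) == checksum
    else:
        # The ICMPv6 checksum covers an IPv6 pseudo-header that is not available here.
        result["checksum_ok"] = None
    return result


def is_admin_prohibited(parsed: dict) -> bool:
    """True when the message is Destination Unreachable / Communication Administratively Prohibited."""
    if parsed["version"] == 4:
        return parsed["type"] == ICMPV4_DEST_UNREACH and parsed["code"] == ICMPV4_ADMIN_PROHIBITED
    return parsed["type"] == ICMPV6_DEST_UNREACH and parsed["code"] == ICMPV6_ADMIN_PROHIBITED


def build_icmpv4(msg_type: int, code: int, body: bytes) -> bytes:
    """Build an ICMPv4 message with a valid checksum (used only to construct samples)."""
    header = struct.pack("!BBHI", msg_type, code, 0, 0)
    chk = icmp_checksum(header + body)
    return struct.pack("!BBHI", msg_type, code, chk, 0) + body


# Constructed samples: the bodies are placeholders, not the real ECA payload format.
SAMPLE_V4_DISCOVERY = build_icmpv4(3, 13, b"PLACEHOLDER-ECA-PAYLOAD")
SAMPLE_V4_ECHO = build_icmpv4(8, 0, b"ping")
SAMPLE_V6_DISCOVERY = struct.pack("!BBHI", 1, 1, 0, 0) + b"PLACEHOLDER-ECA-PAYLOAD"


def classify_samples() -> dict:
    """Return which constructed samples look like the ECA discovery message."""
    return {
        "v4_discovery": is_admin_prohibited(parse_icmp(SAMPLE_V4_DISCOVERY, 4)),
        "v4_echo": is_admin_prohibited(parse_icmp(SAMPLE_V4_ECHO, 4)),
        "v6_discovery": is_admin_prohibited(parse_icmp(SAMPLE_V6_DISCOVERY, 6)),
    }


if __name__ == "__main__":
    for name, flagged in classify_samples().items():
        print(name, "ECA discovery candidate" if flagged else "other ICMP")
```

Only the type and code identify a candidate message; whether a message is really from the Engine is established by the shared secret and the client's authentication, which this header-level check cannot see.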