Install Web Security Endpoint for Private Access (standalone)

Create an endpoint client installation package using the Forcepoint One Endpoint package builder. The endpoint can be deployed manually to end user machines via a deployment mechanism such as Windows Group Policy Object (GPO).

Important: The endpoint installation procedure detailed in this topic is for Private Access standalone only. If you are using Cloud Security Gateway, follow the installation procedure to install the Web Security Endpoint for Forcepoint Web Security Cloud.
Endpoint installation for Private Access standalone is performed by creating an installation package, creating a configuration file, and installing the package using command line parameters.

For more information about creating and deploying installation packages using the Forcepoint One Endpoint, see Forcepoint One Endpoint Solutions Installation and Deployment Guide.

Steps

  1. Download a supported build of the Forcepoint One Endpoint.

    For a list of the supported endpoints for Private Access, see Knowledge Base article 19118. Endpoint can be downloaded from the Downloads page on the Forcepoint Support site:

    https://⁠support.forcepoint.com/⁠Downloads

  2. Go to the Administration > Proxy > Endpoint General page, and download the template HWSConfig.xml file.
  3. Go to the Administration > Proxy > Hosted PAC Files page in the management portal, copy the URL for the PAC file you want to use.
  4. Using the Forcepoint One Endpoint package builder, create an installer for the Web Security Endpoint – Proxy Connect Endpoint.
    The installer wizard guides you through the process of creating an installer package.
    As part of wizard installation, you can optionally set an anti-tampering password: this password must be entered by users who attempt to uninstall the client. The anti-tampering password cannot be changed later, so ensure you carefully record the password.
    Note: The wizard also prompts you to enter a PAC file URL, and specify the end-user override Allow users to disable endpoints option. These values will be specified later using the HWSConfig.xml file, and any values you enter here will be overwritten. Please leave these options at their default values.
  5. Close the wizard. The package builder creates an executable file in the location you selected (for example, FORCEPOINT-ONE-ENDPOINT-x64.exe).
  6. Using a text editor, open the HWSConfig.xml file you downloaded, and populate the following entries within the <ProxySetting> section:
    • PAC file URL: the URL to retrieve the appropriate PAC file. (From the Administration > Proxy > Hosted PAC Files page.)
      <PACFile URL="[URL]">
    • Account token: a string used to identify your account to the service. (From the Administration > Proxy > Endpoint General page.)
      <Context InitContext=[account_token]>
    • Application bypass list: a pipe-separated (|) list of applications that bypass Private Access traffic processing (optional). Add application filenames, including the file extension, as regular expressions. 
      <AppWhiteList AppNames="[application1\.exe]|[application2\.exe]"
      Important: Filenames are entered as regular expressions. Backslash (\) is required as an escape character before the dot in the filename extension. In regular expressions, the dot character (.) is used as a wildcard representing a single character.
    • End-user override option: a setting that determines whether users can temporarily disable the endpoint client. Set EnableLocalProxySetting to 1 to enable end user control, or 0 to disable end user control of the endpoint client. The default setting is disabled (users cannot disable the endpoint).
      Disabled: <LocalProxySetting AutoOverrideMode="1" EnableLocalProxySetting="0" />
      Enabled: <LocalProxySetting AutoOverrideMode="1" EnableLocalProxySetting="1" />
    Note: Leave all other entries in the HWSConfig.xml file unchanged.
    An example, fully populated HWSConfig.xml file is shown below.
    <?xml version="1.0" encoding="utf-8"?>
<ProxySetting>
  <PACFile URL="https://example-url.pac.amer.forcepoint.io/proxy.pac?p=6653876" />
  <Context InitContext="751bd19c06024415b653705a586b3e33-0" />
  <UPDATE URL="http://download.forcepoint.io/epud/" />
  <AppWhiteList AppNames="OUTLOOK\.EXE|WORDPAD\.EXE" />
  <LocalProxySetting AutoOverrideMode="1" EnableLocalProxySetting="0" />
</ProxySetting>
    Tip: If you want to support a different PAC file URL, application bypass list, or endpoint user control setting for different users, you can install the client using different versions of the HWSConfig.xml file.
  7. Using an archive extraction tool such as 7-zip, extract the executable file you created using the package builder (for example, FORCEPOINT-ONE-ENDPOINT-x64.exe).
    Important: Do not run the executable file. Extract the contents of the executable package to a new folder using your archive extraction tool.
  8. In the extracted folder, place a copy of the HWSConfig.xml file you created in step 6.
  9. Using the file setup.exe in the extracted folder, deploy the endpoint setup package, either manually or via a deployment mechanism such as Windows GPO.
    Note: In order to make changes to the anti-tampering password, account token, PAC file location, application bypass list, or end user control option, the client must be uninstalled and reinstalled.