Limitations and known issues

The following items are the known limitations of using this method to direct traffic to the cloud service.
  • Certain websites might redirect from a single URL to multiple domains. This causes multiple redirects to proxy-login.blackspider.com for authentication, which may result in the number of redirects exceeding the browser redirect limit. If this occurs, the browser may display a “too many redirects” or “redirection loop” error page. As a workaround, administrators can increase the redirect limit for Firefox and Internet Explorer, or users can refresh the page. See Increasing the browser redirection limit for more information.
  • The acceptable use policy button is not enabled in environments that use firewall redirect. This will be addressed in a future release.
  • When user authentication is enabled in a policy, decryption bypass is not possible, and SSL decryption bypass settings are ignored. It is, however, still possible to use authentication decryption bypass, which causes requests to be processed anonymously.
  • As internal IP addresses are not visible in deployments that use firewall redirect, authentication bypass based on internal IP address is not available. Likewise, policy enforcement based on internal IP address is not supported.
  • When using firewall redirection, Dropbox is not supported for use with the Protected Cloud Apps feature in Forcepoint Web Security Cloud.
  • Firewall redirect does not support automatic data center failover. This is planned for a future release. Where transparent redirection with automatic failover is required, please use the Forcepoint GRE or IPsec service.
  • SNI is required for HTTPS traffic when using transparent proxy.
    • Windows XP does not support SNI and is, therefore, not supported for Forcepoint Firewall redirect.
    • Encrypted Client Hello (aka Encrypted SNI) is not supported when using transparent proxy.
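
The SNI and Encrypted Client Hello limitations above can be checked against a client's handshake. The following Python sketch is an added example, not Forcepoint code: it parses one TLS record holding a complete ClientHello and reports whether a cleartext server_name extension is present and whether the encrypted_client_hello extension (type 0xfe0d) is offered. The function names and the constructed sample hello are assumptions made for illustration.

```python
import struct

EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)
EXT_ECH = 0xFE0D          # encrypted_client_hello extension

def build_client_hello(sni=None, ech=False):
    """Construct a minimal ClientHello record (sample input, not a capture)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name entry
        data = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    if ech:
        payload = b"\x00" * 8  # placeholder bytes, not a valid ECH payload
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"    # one cipher suite, null compression
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def inspect_client_hello(record):
    """Return (sni_hostname_or_None, ech_present) for one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9 + 2 + 32                                          # headers, version, random
    pos += 1 + int.from_bytes(record[pos:pos + 1], "big")     # session_id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")     # cipher_suites
    pos += 1 + int.from_bytes(record[pos:pos + 1], "big")     # compression_methods
    sni, ech = None, False
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= min(end, len(record)):
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == EXT_SERVER_NAME and len(data) >= 5 and data[2] == 0:
            n = int.from_bytes(data[3:5], "big")
            sni = data[5:5 + n].decode("ascii", "replace")
        elif ext_type == EXT_ECH:
            ech = True
        pos += 4 + ext_len
    return sni, ech

def redirect_compatible(record):
    """True only for a cleartext SNI with no ECH (an ECH hello's outer SNI
    names the client-facing server, not the real destination)."""
    sni, ech = inspect_client_hello(record)
    return sni is not None and not ech
```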