Working with remote users

When the cloud service receives a URL request, it first checks the source IP address of the request and searches all customer policies for a matching address. (The source IP address is configured as a connection in a policy’s Connections tab in the cloud portal.) For roaming users, no match will be found. In this situation, the roaming user encounters one of the following scenarios:

• If the user’s device has Neo, Classic Proxy Connect endpoint, or Classic Direct Connect endpoint installed, the endpoint client sends account and user information, allowing the service to identify the user seamlessly.
• If you have deployed single sign-on for your users, the roaming user is first asked to enter an email address, in order to identify the user’s account, and is then authenticated by the identity provider. (Users are typically only required to enter an email address once; following a successful authentication, a long-lived cookie is set, allowing the service to recognize the user's account.)
• If neither Forcepoint Web Security Endpoint nor single sign-on is in use, and the service cannot find the source IP address in a policy, it responds with a logon page that states: “You are connecting from an unrecognized location.” The user has to log on with their cloud service details. The service then searches for the user in its policies. When it finds the user, the appropriate policy settings are applied.

  In order to log on, the user has to be registered. If they have not already set a password to access the service, roaming users can go through a one-time self- registration process. See User registration methods, page 20.

  Note: Some browsers can exhibit inconsistent behavior in certain circumstances, such as when used in public Internet access points in hotels and airports. For more information on configuring and troubleshooting access for roaming users, see Using cloud web protection from public Internet access points on the Forcepoint Support website.