Identifying roaming users

When the cloud service receives a web request, it attempts to recognize the user’s account and policy. If the endpoint client is installed, this automatically identifies the user to the service.

When a PAC file is being used, the service attempts to identify the user based on the source IP address of the request. The service first attempts to match the source IP address to a policy. (The source IP address is configured as a proxied connection in the Connections tab of the cloud portal. See the Defining Web Policies > Connections tab in the Forcepoint Web Security Cloud help.)

When users are roaming (working at home, at another business premises, or in a public location such as a hotel or an airport), the IP address is unlikely to be configured as a proxied connection in any account. In this case, the roaming user encounters one of the following scenarios:

  • If you have deployed single sign-on for your account, upon first connecting, the roaming user must enter their email address. Once the user’s account is identified, the service authenticates the user via the identity provider configured for the account. (A long-lived cookie is set, allowing the user to be authenticated seamlessly for subsequent sessions.)
  • If neither the endpoint nor single sign-on is in use and the service cannot find the source IP address in any policy, then it responds with a logon page that states: “You are connecting from an unrecognized location.” The user has to log on with their cloud service details.

    The cloud service then searches for the user in your policies. When it finds the user, the service knows who they are, which policy they are assigned, and consequently how to filter the request.

In order to log on, the user has to be registered. Roaming users must go through a one-time registration process before they can log on and browse.

For more information on setting up end user registration, see Defining Web Policies > End Users tab in the Forcepoint Web Security Cloud help.
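The identification order described above can be modeled to predict which users will meet the logon page and so need registering before they travel. This is an added example, not Forcepoint code or a Forcepoint API: the CIDR notation for proxied connections, the policy names, the sample addresses, and all function and field names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: source ranges configured as proxied connections,
# each mapped to a policy name. CIDR notation is an assumption of this model.
PROXIED_CONNECTIONS = {
    "203.0.113.0/24": "HQ policy",
    "198.51.100.16/28": "Branch policy",
}

@dataclass
class Request:
    source_ip: str
    endpoint_installed: bool = False  # endpoint client identifies the user itself
    sso_cookie: bool = False          # long-lived cookie from an earlier SSO session
    registered: bool = False          # user completed the one-time registration

def policy_for_ip(source_ip):
    """Return the policy whose proxied connection covers source_ip, else None."""
    addr = ipaddress.ip_address(source_ip)
    for cidr, policy in PROXIED_CONNECTIONS.items():
        if addr in ipaddress.ip_network(cidr):
            return policy
    return None

def identification_path(req, sso_deployed):
    """Model how one web request is identified, in the order the text gives."""
    if req.endpoint_installed:
        return "endpoint"
    policy = policy_for_ip(req.source_ip)
    if policy is not None:
        return "source-ip:" + policy
    # From here on the user is roaming: the address matches no policy.
    if sso_deployed:
        return "sso-seamless" if req.sso_cookie else "sso-email-prompt"
    # Neither endpoint nor SSO: the "unrecognized location" logon page.
    return "logon-page" if req.registered else "logon-page-registration-required"

if __name__ == "__main__":
    # Constructed requests: office, hotel with endpoint, hotel without.
    for r in (Request("203.0.113.40"),
              Request("192.0.2.7", endpoint_installed=True),
              Request("192.0.2.7")):
        print(r.source_ip, "->", identification_path(r, sso_deployed=False))
```

Running it over an export of user source addresses shows which users fall through to `logon-page-registration-required` and therefore cannot browse until they register.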