Recommendations for roaming users
The following are recommendations and best practices to help ensure that roaming users are protected when connecting via public or home networks.
- The best solution for roaming users who must connect from public or home networks is to deploy the Forcepoint Web Security Endpoint. The endpoint is network-aware, and is able to temporarily disable itself to allow network enrollment from public access points.
- If you cannot use the endpoint, best practice is to deploy the alternate PAC file address for roaming users. This PAC file is retrieved over port 80, meaning that users are redirected to a network’s captive portal for enrollment. This is also recommended for users who may connect from networks where non-standard ports for browsing may be locked down. See the page in the cloud portal.
- You can configure users’ browsers with their policy-specific PAC file address (visible under the General tab in your policy). Then configure the browser home page as a non-proxied destination (configurable under Proxy Bypass in the Connections tab of your policy). This will cause the browser to make the request for the home page over port 80, causing firewalls to respond with the enrollment page.
- For home users who experience connection issues, consider using or an explicit proxy configuration in addition to the PAC file URL.
- Remote users may be able to establish a VPN connection to your office, and connect from the IP address of your office network. As such, the IP address will be recognized and users will not have to log on via the “You are connecting from an unrecognized location” page. As they are connected to the office, users will also be able to use transparent identification with their network NTLM ID.
Note that some public networks may block ports 1723 or 47, typically used for VPN, and that captive portal enrollment may be required before the VPN can be established. VPN solutions that use port 80 are available.
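The recommendation above to make the browser home page a non-proxied destination is implemented in the PAC file the browser evaluates for every request. The following is an added illustration, not Forcepoint's own PAC file: a minimal `FindProxyForURL` that returns `DIRECT` for the home page and for intranet names and sends everything else to the cloud proxy, so that on an unrecognized network the home page request leaves over port 80 and the captive portal can answer it with its enrollment page. The proxy address, the home page host and the bypass patterns are placeholders (assumptions); take the real values from the PAC file address under the General tab and the Proxy Bypass list in the Connections tab of your policy. Browsers supply `dnsDomainIs`, `isPlainHostName` and `shExpMatch` natively; stand-alone versions are defined here only so the file can be run and tested outside a browser.

```javascript
// Added example PAC file (not Forcepoint's). Placeholders are marked as such.

// Minimal stand-ins for the PAC helper functions a browser provides natively
// (assumption: these reproduce the standard semantics closely enough for testing).
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}
function shExpMatch(str, shexp) {
  // Translate a shell-style pattern ("*.example.invalid") into an anchored regex.
  var re = '^' + shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                      .replace(/\*/g, '.*')
                      .replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

// Placeholders (assumptions): replace with the proxy address from your policy's
// PAC file and with your organization's home page host.
var CLOUD_PROXY = 'PROXY proxy.example.invalid:8080';
var HOME_PAGE_HOST = 'home.example.invalid';

// Placeholder bypass list (assumption), mirroring entries you would put under
// Proxy Bypass in the Connections tab.
var BYPASS_PATTERNS = ['*.intranet.example.invalid', 'localhost', '127.0.0.1'];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // 1. The browser home page goes DIRECT. On an unrecognized network this request
  //    leaves over port 80, so the captive portal can redirect it to enrollment.
  if (dnsDomainIs(host, HOME_PAGE_HOST)) {
    return 'DIRECT';
  }

  // 2. Plain (dot-less) intranet names never leave the local network.
  if (isPlainHostName(host)) {
    return 'DIRECT';
  }

  // 3. Explicit bypass entries from the policy.
  for (var i = 0; i < BYPASS_PATTERNS.length; i++) {
    if (shExpMatch(host, BYPASS_PATTERNS[i])) {
      return 'DIRECT';
    }
  }

  // 4. Everything else is forwarded to the cloud proxy.
  return CLOUD_PROXY;
}
```

Because the browser must fetch the PAC file itself before it can evaluate this function, a roaming user on a captive-portal network still needs the PAC file to be retrievable (the alternate PAC address over port 80 mentioned above) or an explicit proxy setting; the home page bypass only controls what happens once the PAC file has loaded.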