
Getting Started Guide

TRITON AP-WEB with the Web Cloud Module

2016 Release 1 and later

2016, Forcepoint LLC


All rights reserved.
10900-A Stonelake Blvd, Quarry Oaks 1, Suite 350, Austin TX 78759
Published 2016
This document may not, in whole or in part, be copied, photocopied, reproduced, translated, or reduced to any electronic medium or
machine-readable form without prior consent in writing from Forcepoint LLC.
Every effort has been made to ensure the accuracy of this manual. However, Forcepoint LLC makes no warranties with respect to this
documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint LLC shall not
be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual
or the examples herein. The information in this documentation is subject to change without notice.

Trademarks
Forcepoint is a trademark of Forcepoint LLC. SureView, TRITON, ThreatSeeker, Sidewinder and Stonesoft are registered trademarks of
Forcepoint LLC. Raytheon is a registered trademark of Raytheon Company. All other trademarks are the property of their respective
owners.
Microsoft, Windows, Windows NT, Windows Server, and Active Directory are either registered trademarks or trademarks of Microsoft
Corporation in the United States and/or other countries.
Other product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are the
sole property of their respective manufacturers.

Contents
Chapter 1

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Chapter 2

Requesting a TRITON AP-WEB Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3


Logging on to the Cloud TRITON Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Chapter 3

Deploying TRITON AP-WEB in the cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9


How TRITON AP-WEB works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Recommendations for an evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Configuring a chained proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Configuring browsers to use TRITON AP-WEB. . . . . . . . . . . . . . . . . . . . . . . . . 12
Configuring Mozilla Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Configuring Firefox with Active Directory Group Policy. . . . . . . . . . . . . 14
Configuring Internet Explorer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Turning on Group Policy to configure a web proxy . . . . . . . . . . . . . . . . . 19
Turning off the web proxy using Group Policy . . . . . . . . . . . . . . . . . . . . . 19
Configuring Safari manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Configuring your firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 4

Deploying an i-Series appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23


Recommendations for an evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Issues to consider before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Initial portal settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Run directory synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Add new appliance information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Appliance setup and configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Installing the appliance on a virtual machine . . . . . . . . . . . . . . . . . . . . . . . . . 31
Deployment without Silicom card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Deployment with Silicom card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
First-Time Configuration Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Connecting the appliance to your network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Configuring your firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Registering the appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Browser support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring Active Directory authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Running diagnostics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Monitoring appliance traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50


Using TRITON AP-ENDPOINT Web with an appliance . . . . . . . . . . . . . . . . . . 50
Chapter 5

Using Chained Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51


Microsoft ISA Server or Forefront TMG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Basic chaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Configuring exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring NTLM pass through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Configuring X-Authenticated-User chaining . . . . . . . . . . . . . . . . . . . . . . . . . 57
Blue Coat ProxySG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Basic chaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
NTLM chaining. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
X-Authenticated-User chaining. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Squid Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Basic chaining . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
NTLM chaining. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Chapter 6

Adding IP Addresses to Your Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65


Initial settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Policy selection by IP address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Chapter 7

Setting Up End-User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67


Setting up TRITON AP-ENDPOINT Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Endpoint system requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Downloading and distributing the endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . 70
For Windows operating system users . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
For Mac operating system users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Deploying the endpoint from the cloud service . . . . . . . . . . . . . . . . . . . . . . . 75
Updating the endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Using the endpoint with an appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Other end-user authentication options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
End-user identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Enabling browsers for NTLM transparent authentication . . . . . . . . . . . . . . . . . . 78
Configuring Internet Explorer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Configuring NTLM via Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Configuring Firefox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
End-user registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Directory synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
End-user self registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Bulk registering end-users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
NTLM transparent identification registration . . . . . . . . . . . . . . . . . . . . . . . . . 86

Websense

TRITON AP-WEB with Web Cloud Module


Authentication priority and overrides. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87


Chapter 8

Working with Remote Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89


How to determine whether a browser is using TRITON AP-WEB . . . . . . . . . . . 90
Connecting from home . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Connecting from third-party corporate networks . . . . . . . . . . . . . . . . . . . . . . . . . 92

Chapter 9

Configuring Data Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93


Create content classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Define regular expression content classifiers . . . . . . . . . . . . . . . . . . . . . . . . . 95
Define key phrase content classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Define dictionary content classifiers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Configure Data Security policy settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Configure privacy settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configure reporting permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
View the dashboard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
View reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
View the audit trail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Chapter 10

Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109


Managing web categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Managing protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Managing exceptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Chapter 11

Preparing Your End Users for Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . 113


TRITON AP-ENDPOINT Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
End-user registration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114


Introduction

Getting Started Guide | Cloud Web Protection Solutions

TRITON AP-WEB with Web Cloud Module is a fully managed service that provides
comprehensive and flexible protection against web threats such as viruses, spyware,
and phishing attacks as well as controlling employee web access.
As an alternative to the fully cloud-based service, you can deploy the i-Series
appliance as an add-on to TRITON AP-WEB. This provides fast on-premises URL
analysis and application/protocol detection for web traffic, along with centralized
policy management and reporting capabilities in the cloud.
TRITON AP-WEB is simple to use and works out of the box with a default policy.
To make full use of its features, however, you should configure your policy or add
new policies. This guide outlines the tasks that you must complete to get TRITON
AP-WEB filtering your web traffic.

Getting Started

The following steps must be completed before you can use TRITON AP-WEB. It is
important that you follow them in order:
1. Requesting a TRITON AP-WEB Account.
2. Deploying your chosen solution, either purely cloud-based (see Deploying
TRITON AP-WEB in the cloud) or with an i-Series appliance (see Deploying an
i-Series appliance).
The deployment option you choose may affect which of the following steps are
necessary. This includes setting up end-user browsers, and configuring your
firewall to allow and enforce TRITON AP-WEB connectivity.
3. Adding IP Addresses to Your Policy for your Internet gateway.
4. Setting Up End-User Authentication, if required.
Other chapters discuss which proxies are supported, how to set up roaming users, how
to configure data theft protection, and how to tailor your policy for your organization.
The final chapter provides tips for preparing your end users for their new web
protection system.

Getting Started Guide 1


Further Information
Detailed configuration advice for all TRITON AP-WEB services is available in the
Cloud TRITON Manager Help.
The Knowledge Base also contains technical information that is not included in this
guide, such as common configuration questions and known issues with workarounds.
You can search the Knowledge Base by entering a search phrase into the entry field,
or browse all the articles in a given category; a list of related articles appears.
You should check these resources whenever you experience a problem or have a
support question.

Technical Support
If you have any questions during the setup phase, please contact your reseller or
Forcepoint Technical Support. Technical information about Forcepoint products is
available online 24 hours a day, including:
• latest release information
• searchable Knowledge Base
• show-me tutorials
• product documents
• tips
• in-depth technical papers
Access support on the website at:
http://support.forcepoint.com/
Click My Account to create or log in to your website account. When you create an
account, you are prompted to enter all Forcepoint subscription keys. This helps to
ensure ready access to information, alerts, and help relevant to your products and
versions.
The best practice is to create your website account when you first set up your TRITON
AP-WEB account, so that access is readily available whenever you need support or
updates.
For additional questions, the support portal offers an online support form. Just click
Contact Support.


Requesting a TRITON AP-WEB Account

If you are an existing TRITON AP-EMAIL cloud customer or are performing a
TRITON AP-EMAIL trial, you can request that TRITON AP-WEB services be
added to your account by contacting Forcepoint Sales or your reseller. Forcepoint
Technical Support notifies you by email when the services are added.
Alternatively you can request a trial online as described below.

If you are new to Forcepoint cloud-based services, request a trial online. For more
information, see Requesting a trial.

Requesting a trial
1. Go to www.forcepoint.com and select Products > Content Security > TRITON
AP-WEB, then click Get Started under the sign up for a free trial prompt.
2. On the Free Trials & Demos page, under Web Security, click TRITON AP-WEB
(Cloud).
3. If you already have a website account, log in on the page that appears. If you do
not have an account, click Register and follow the steps to enter your details, then
return to the Free Trials & Demos page and click the link again.
4. On the Registration page, fill out the request form and read the Evaluation Details
information, then click Continue.
5. When prompted, read and accept the terms and conditions, then click Confirm to
initiate the evaluation process.
Shortly after you click Confirm, you receive an email message containing links to
the following:
• the Cloud TRITON Manager
• the TRITON AP-WEB Cloud Evaluation Guide
• this guide
• support options
If you are new to Forcepoint cloud-based products, the message also includes your
portal username and a temporary password. You will be asked to change the password
the first time you log on.


If you are already a Forcepoint cloud customer, TRITON AP-WEB is added to your
account. Use your existing credentials to log on to the portal.
If you prefer to talk to a representative immediately, inside the U.S., call
1-800-723-1166. Outside the U.S., please visit the Partners > Find a Partner page at
www.forcepoint.com to locate a reseller.

Logging on to the Cloud TRITON Manager



When you receive logon information in your confirmation email, log on to the Cloud
TRITON Manager by clicking the link that is provided or visiting:
https://admin.forcepoint.net/portal
Note
You must allow outbound connections on TCP port 443 (HTTPS) through your
firewall to reach the Cloud TRITON Manager.
Enter your user name and password into the fields provided.

If you are a new customer, you will be asked to change your password and set a
password reminder question. You must also accept the terms of your license
agreement to proceed.
You can now configure your TRITON AP-WEB account.


A default policy has been created for you: navigate to the Web > Policy
Management > Policies page to access it. This policy reflects the most commonly
chosen policy options.

As a minimum, do the following:

• Go to the Account > Contacts page to add administrator contacts for your
account. The administrator contacts can be given logons to the portal and their
permissions restricted to what each one needs.

• If you want to synchronize your LDAP directory information with TRITON
AP-WEB to simplify user and group management, go to the Account > Directory
Synchronization page. For more information, refer to the Directory
Synchronization Client Administrator's Guide.

• If you wish to use end-user self-registration for identification and reporting
purposes, define the domain or domains that you want to associate with your
account. You can configure domains at the account level and assign them to one or
more policies (for example, if all of your users are on a single email domain and
you intend to have multiple policies), or define domains within individual policies.
Policy-level domains can be associated with only a single policy.
  Define account-level domains on the Web > Settings > Domains page.
  Define policy-level domains on the Web > Policy Management > Policies
  page. Select your policy, then click the End Users tab.

• If you are deploying an i-Series appliance, follow the instructions in the chapter
Deploying an i-Series appliance, page 23. If you are installing the appliance as a
virtual machine, download the OVA file from the My Account page at
forcepoint.com.

You can change your account configuration at any time. Refer to the Cloud TRITON
Manager Help for full instructions on how to configure your account. You can access
the Help and other reference tools from the Help menu in the cloud portal.


Deploying TRITON AP-WEB in the cloud

This chapter describes the deployment of TRITON AP-WEB as a purely cloud-based
solution. If you are deploying an i-Series appliance as part of your solution, see
Deploying an i-Series appliance, page 23.
Before deploying TRITON AP-WEB:
1. Read How TRITON AP-WEB works, page 9, to better understand requirements for
deployment.
2. See Recommendations for an evaluation, page 11, to help choose the right
deployment options for your organization.
To deploy the product for your organization:
1. Determine how to direct your web traffic through the TRITON AP-WEB service.
In order for the TRITON AP-WEB service to be effective, your users' browsers
must be configured so that all appropriate requests go through the service.
Measures should also be taken to ensure that other applications cannot bypass
the service, for example by blocking direct outbound HTTP and HTTPS at the
firewall so that only traffic to the TRITON AP-WEB proxy can leave the network.
• If you already have a proxy within your network, you should be able to direct
it to use TRITON AP-WEB in a chained proxy configuration. (See
Configuring a chained proxy, page 11.)
• Otherwise, the browsers themselves must be configured to use the TRITON
AP-WEB proxy. (See Configuring browsers to use TRITON AP-WEB, page
12.)

2. Configure your firewall to allow the host and port combinations that enable
TRITON AP-WEB to operate correctly. See Configuring your firewall, page 20.
Once you have completed these steps, you can define the IP addresses for which the
service will receive web requests (see Adding IP Addresses to Your Policy, page 65),
and choose how to manage your end users.

How TRITON AP-WEB works


TRITON AP-WEB operates as a proxy service for HTTP, Secure HTTP (HTTPS), and
FTP over HTTP. This means that the browser does not connect directly to the required
server (known as the origin server), but instead connects to a TRITON AP-WEB
proxy server, which relays the request to the origin server on behalf of the browser.
While doing this, the TRITON AP-WEB proxy server can examine the request and the
response, and make decisions such as whether to allow or block the request.

1. Depending on the browser's configuration, some requests may still go direct to the
origin server. This is indicated in the diagram by the Local server box, because
typically, such servers are local to the browser, inside the firewall.
2. Proxied HTTP requests (those that begin http://) are filtered and checked by
TRITON AP-WEB then relayed to the origin server as appropriate.
3. Proxied secure requests (those that begin https://) are carried over a tunneled
connection. This means that the TRITON AP-WEB proxy server connects to the
origin server on the browser's behalf, but takes no further part in the conversation,
passing data back and forth transparently. In this mode the proxy sees only the
destination host and port that the browser asks it to connect to, not the URL path
or the content, so policy for HTTPS sites is applied at the host level.
You can choose to enable SSL decryption, in which case the cloud proxy
establishes its own SSL channels with newer browsers (Internet Explorer 8 or later,
and Firefox 3.5 or later) for HTTPS sites. This enables the proxy to inspect the
request and serve the correct notification page to the user, for example a block page
if the SSL site is in a category that the end user is prevented from accessing.
To implement this feature for your end users, you need a root certificate on each
client machine that acts as a Certificate Authority for SSL requests to the cloud
proxy. Because the browser will then accept any certificate issued under that root,
install it only on managed machines through a controlled channel such as Group
Policy, and remove it from machines that stop using the service. For more
information, see the Cloud TRITON Manager Help.
4. Where the origin server is an FTP server (i.e., the URL begins ftp://), the
TRITON AP-WEB proxy server acts as a gateway, converting the HTTP request
sent by the browser into an FTP conversation with the origin server.


Recommendations for an evaluation



Some of the major benefits of TRITON AP-WEB over competing solutions are that:
• As an on-demand service, it lends itself to small scale evaluation.
• It allows rapid expansion of the numbers of users involved at the proof-of-concept
stage.
• It allows rapid deployment into production after successful completion of the
evaluation.

During the initial stages of an evaluation, we recommend that you manually configure
a number of web browsers to access the TRITON AP-WEB PAC file. Once you are
happy that the service works as expected, you can add more users, perhaps by using
Active Directory group policy to configure browsers. Alternatively, if you have an
existing proxy, you may be able to proxy chain for a subset of users before deploying
across the complete organization.
You can also deploy endpoint client software for a small number of users to test
enforcement and seamless authentication. For more information, see Setting up
TRITON AP-ENDPOINT Web, page 67.

Configuring a chained proxy



If you already have a proxy server that your users' browsers are configured to use, you
should be able to leave the browser settings unchanged and configure your existing
proxy to forward all HTTP, HTTPS, and FTP requests to TRITON AP-WEB. If your
proxy is capable of using a PAC file, you can use the one provided by TRITON
AP-WEB. Otherwise, we recommend that you download a copy of the TRITON AP-WEB
PAC file and duplicate its functionality in your proxy's configuration.
For more information about chained proxy configurations, see Using Chained
Proxies, page 51.
Note
The TRITON AP-WEB PAC file is not static, but is generated to reflect the current
settings of your policies. If you make policy changes and are not using the PAC file in
your proxy, you may have to change your proxy configuration to match.


Configuring browsers to use TRITON AP-WEB



If your browsers are to access TRITON AP-WEB directly (i.e., not through a chained
proxy), then we recommend you use a PAC file to configure the browsers. See The
TRITON AP-WEB PAC file, page 12, for more information.
TRITON AP-WEB has been tested with most commercially available web browsers,
but for support purposes we recommend you use one of the following:
• Mozilla Firefox 4 to 40 on all platforms
• Microsoft Internet Explorer 7 through 11 on Microsoft Windows platforms
(desktop interface only)
• Safari 3.1 on Mac OS X 10.4 (Tiger)
• Safari 5.x on Mac OS X 10.6 and 10.7
• Safari 6.x on Mac OS X 10.8
• Safari 7.x on Mac OS X 10.9
• Safari 8.x on Mac OS X 10.10
• Google Chrome 13 to 44

The TRITON AP-WEB PAC file


A proxy automatic configuration (PAC) file defines how web browsers choose an
appropriate proxy for fetching a given URL. PAC files are preferable to configuring
browsers manually, because they can be easily deployed and provide more
configurable capabilities than a browser's own settings.
The PAC file contains a number of global settings and allows you to enter exclusions
of your own (for example, intranet sites) that should not use the TRITON AP-WEB
proxy. Every exclusion is a path around the service, so keep the list to destinations
that genuinely must stay on the internal network.
All supported browsers have the ability to use PAC files. Users may be instructed how
to set this up for themselves. Alternatively, in a Windows environment, you can use an
Active Directory Group Policy to configure browsers.
Either way, you must tell the browsers to get their PAC file from the TRITON
AP-WEB service. When configuring browsers to download the PAC file, you can specify
either the standard PAC file or a policy-specific PAC file.

Standard PAC file


When a browser requests a PAC file, if TRITON AP-WEB knows which policy the
requester is using, it delivers the PAC file for that policy; otherwise it delivers a
standard PAC file. You can retrieve the standard PAC file directly from the following
URL:
http://pac.webdefence.global.blackspider.com:8082/proxy.pac


See the Cloud TRITON Manager Help for further information.

Policy-specific PAC file


If TRITON AP-WEB knows which policy the requester is using, it delivers the PAC
file specific to that policy. Alternatively, you can specify a policy-specific PAC file
explicitly in the browser configuration. This ensures that the user receives the
correct PAC file regardless of location. The policy-specific PAC file URL can be
found in the General tab for each policy. It looks something like this:
http://pac.webdefence.global.blackspider.com:8082/proxy.pac?p=xxxxxxxx
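The following is an added example and is not the PAC file that the TRITON AP-WEB service generates, nor Forcepoint code. It shows the shape the sections above describe (a global proxy setting plus local exclusions) for either a browser deployment or for reproducing the PAC logic in a chained proxy, and it adds small stand-ins for the helper functions a browser's PAC runtime normally supplies so the decision logic can be checked offline with Node.js before rollout. Assumed, not from the guide: the proxy address in CLOUD_PROXY is a placeholder (take the real one from the PAC file served at the URL above), the intranet domain .corp.example.internal and the address ranges are constructed, and isLocal, findProxyFailOpen and evaluateSamples are names chosen here. Only FindProxyForURL is the standard PAC entry point.

```javascript
// Added example: a hand-written PAC file in the structure the guide describes,
// plus offline stand-ins for the browser's PAC helper functions.
// Assumptions (not from the guide): CLOUD_PROXY is a placeholder address; the
// intranet domain and address ranges below are constructed for the example.

const CLOUD_PROXY = "PROXY cloud-proxy.example.net:8080"; // placeholder address

// ---- Stand-ins for the PAC helpers a browser supplies ----------------------
// A real isInNet() resolves host names; this offline version accepts only
// dotted-quad hosts so the example runs without DNS.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Shell-style glob: '*' matches any run, '?' one character; everything else literal.
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                         .replace(/\*/g, ".*")
                         .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
}
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return (h & m) === (n & m);
}

// ---- The PAC logic ------------------------------------------------------------
// Everything matched here bypasses the cloud proxy and is therefore unfiltered,
// so the list is limited to the internal name space and private address ranges.
function isLocal(host) {
  return isPlainHostName(host) ||
         dnsDomainIs(host, ".corp.example.internal") ||   // constructed intranet domain
         shExpMatch(host, "localhost*") ||
         isInNet(host, "127.0.0.0", "255.0.0.0") ||
         isInNet(host, "10.0.0.0", "255.0.0.0") ||
         isInNet(host, "172.16.0.0", "255.240.0.0") ||
         isInNet(host, "192.168.0.0", "255.255.0.0");
}

// Fail-closed: if the cloud proxy is unreachable the request fails instead of
// silently going direct. This is the form to deploy.
function FindProxyForURL(url, host) {
  if (isLocal(host)) return "DIRECT";
  return CLOUD_PROXY;
}

// Fail-open variant, shown for contrast only: the trailing "; DIRECT" tells the
// browser to connect directly whenever the proxy does not answer, which turns an
// outage (or a deliberately blocked proxy port) into an unfiltered path.
function findProxyFailOpen(url, host) {
  if (isLocal(host)) return "DIRECT";
  return CLOUD_PROXY + "; DIRECT";
}

// Offline check: run representative hosts through the PAC logic and return the
// decisions, so a change to the exclusion list can be reviewed before rollout.
function evaluateSamples(hosts) {
  const out = {};
  for (const h of hosts) out[h] = FindProxyForURL("http://" + h + "/", h);
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluateSamples(["intranet", "hr.corp.example.internal",
                               "10.20.30.40", "172.32.0.1", "www.example.com"]));
}
```

When copying the exclusion logic into a chained proxy, keep the same rule: anything excluded here is also excluded from the service's filtering, and a fail-open fallback at either the browser or the upstream proxy defeats the firewall enforcement described earlier in this chapter.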

Browser-specific PAC file configuration instructions


See the following sections for browser configuration instructions (note that on
Windows, Google Chrome uses the system proxy settings, that is, the settings
configured for Internet Explorer):
• Configuring Mozilla Firefox, page 13
• Configuring Internet Explorer, page 17
• Configuring Safari manually, page 20

You can also install endpoint client software to ensure all web traffic is routed via the
TRITON AP-WEB proxy. The endpoint also passes authentication information to the
cloud proxies, enabling secure transparent authentication. For more information, see
Setting up TRITON AP-ENDPOINT Web, page 67.

Enabling cookies
For the best user experience, we recommend that you allow end users' browsers to
accept cookies when using TRITON AP-WEB. If a browser is unable to, or is
configured not to accept cookies, the following features do not work:
• Acceptable Use Policy compliance page
• Web endpoint automatic installation
• Secure form-based authentication
• Single sign-on using an on-premises identity provider
If any of these features are enabled and cookies are not accepted, the browser may get
stuck in a loop between the end user's requested URL and the relevant TRITON
AP-WEB notification page.

Configuring Mozilla Firefox



To configure Firefox manually


1. From the Firefox menu, select Options > Advanced.
2. Select the Network tab.
3. Under Connection, click Settings.
4. Select Automatic proxy configuration URL.
5. Insert the path to the PAC file.
6. Click Reload.
7. Click OK and click OK again to return to the browser.

Configuring Firefox with Active Directory Group Policy



Warning
Firefox is not the default or supported web browser for a Microsoft Active
Directory domain, therefore to configure this browser through Group Policy, you
must install third-party extensions to Group Policy in Active Directory. The
following extensions are not supported by Microsoft, nor are they supported and
endorsed by Forcepoint.


The following URL contains information and extensions for Firefox and Group Policy
Objects (GPO):
http://sourceforge.net/projects/firefoxadm
We strongly recommend that you read all available documentation before installing
the Active Directory extensions for Firefox. The above link provides a download of
FirefoxADM, which is a group of Active Directory Group Policy templates. Once
you have downloaded the templates, you can install them all; however, the 2 files that
are needed to configure Firefox for TRITON AP-WEB are:
• firefoxlock.adm, which is the administrative template for locking down Firefox
settings. See Turning on Group Policy to configure a web proxy, page 15.
• firefox_startup.vbs, which is the startup script for locking down Firefox settings.
See Applying the policy, page 16. Because this third-party script will run on every
machine the GPO covers, review its contents before deploying it.
Add these 2 files to AD. They are in the main FirefoxADM folder. You should save
and extract these files to an easily accessible folder on the machine that you use to
edit/create the GPO.

Turning on Group Policy to configure a web proxy


1. Log on to a server in the domain, and with administrative permissions, open up
Start > Programs > Administrative Tools > Active Directory Users &
Computers and expand your domain.
2. Right click the top-level domain or Organizational Unit where the policy should
be applied, select Properties, then select the Group Policy tab.
3. Create a GPO and give it a meaningful name (TRITON AP-WEB, for example).
4. Select the newly created GPO and click Edit. Right click Administrative
Templates from the Computer Configuration options.
5. Choose Add/Remove Templates. Click Add and browse to the folder where you
extracted the firefoxlock.adm file.
6. Click the firefoxlock.adm file and select Open. This installs the firefoxlock.adm
template in AD. Click Close in the Add/Remove Templates dialog box, refresh
your view and under Computer Configuration > Administrative Templates,
you should see a new section called Mozilla Firefox Locked Settings.
7. Double click Mozilla Firefox Locked Settings and double-click Proxy Settings.


8. Edit the proxy settings to direct the browsers to pick up settings from the PAC file,
then select Locked from the Preference State drop-down.

The Automatic Proxy Configuration URL should point at the PAC file you have
chosen to use (see The TRITON AP-WEB PAC file, page 12, for more details).

Applying the policy


Note
Firefox is not native to Active Directory and even though you have installed an
administrative template, it may not be applied the next time GP is refreshed. This is
why you should use the firefox_startup.vbs script.
1. In the TRITON AP-WEB GPO, navigate to User Configuration > Windows
Settings > Scripts (logon/logoff) and double-click Logon to open the Logon
Properties dialog box.
2. Click Show Files to open the location of any logon scripts for this GPO. This is
empty, because this is a new GPO. Leave this window open and navigate to the
folder where you extracted the firefox_startup.vbs file (this should be the same
folder as the firefoxlock.adm file).
3. Copy firefox_startup.vbs to the empty scripts folder you have previously
opened. Close both file locations.


4. In the Logon Properties dialog box, select Add to open the Add a Script option.
Click Browse and you are shown the file you have just placed in the scripts folder.
Select the firefox_startup.vbs script, click Open, then OK twice to apply this
script to the GPO.
The next time users log onto a machine, this logon script directs their Firefox browsers
to pick up the Firefox defaults set up in the earlier sections.

Turning off the web proxy using Group Policy


1. Open Active Directory Users & Computers.
2. Right-click the top-level domain or organization where the policy was originally
applied, select Properties, then select the Group Policy tab.
3. Select the original GPO (TRITON AP-WEB) and click Edit.
4. Navigate to User Configuration > Administrative Templates > Mozilla Firefox
Default Settings and double-click Proxy Settings.
5. In the Proxy Settings dialog box, select Not Configured then click OK.
This change becomes active next time the client logs on.

Configuring Internet Explorer



Use the steps below to configure Internet Explorer manually. For instructions on using
Group Policy, see Turning on Group Policy to configure a web proxy, page 19.
1. Go to Tools > Internet Options and click the Connections tab.
2. Click LAN Settings.


3. Clear Automatically detect settings, if selected.


4. To set up a PAC file, select Use automatic configuration script.
5. Enter the location of the PAC file in the Address field (see The TRITON AP-WEB
PAC file, page 12, for more details).
6. Click OK to return to the Internet Options dialog box.
7. You must now configure settings for VPN and dial-up connections. If you do not,
it is likely that users' browsers will fall back to a direct connection.
From the Connections tab, highlight the connection to be configured and click
Settings.

8. Apply the same configuration that you set for the LAN connection, as covered in
steps 4-6.


Turning on Group Policy to configure a web proxy



Log on to a server in the domain, and with administrative permissions, open up
Administrative Tools > Group Policy Management and expand your domain.
1. Right click the top-level domain or Organizational Unit where the policy should
be applied, and select Create and Link a GPO Here.
2. Create a GPO and give it a meaningful name (TRITON AP-WEB, for example).
Click OK.
3. Right-click the new GPO, and select Edit.
4. In the Group Policy Management Editor, go to User configuration > Preferences
> Control Panel Settings. Right-click Internet Settings, then select New >
Internet Explorer 8.
5. Click the Connections tab.
6. Click LAN Settings.
7. Clear Automatically detect settings, if selected.
8. To set up a PAC file, select Use automatic configuration script.
9. Enter the location of the PAC file in the Address field (see The TRITON AP-WEB
PAC file, page 12, for more details).
10. Once the configuration is complete, click OK.
Web clients using Internet Explorer pick up the settings in this GPO the next time that
group policy refreshes, which by default is every 90 minutes for clients and every 5
minutes for Domain Controllers (or the next time a user logs off and on again). You
can change the refresh interval in the default domain policy, or by going to a particular
client and entering the following at a command prompt:
gpupdate /force

Turning off the web proxy using Group Policy



If the policy needs to be reversed, it is not as simple as removing the GPO that was
originally applied. IE stores proxy settings in the registry, so removing the policy
leaves the same registry settings in place; it takes another write session to
reconfigure the proxy settings. To achieve this, follow these steps:
1. Log on to a server in the Domain, and with administrative permissions, open up
Administrative Tools > Group Policy Management and expand your domain.
2. Right click the original GPO (TRITON AP-WEB) and select Edit.
3. From User configuration > Windows Settings > Internet Explorer
Maintenance, clear Enable Automatic Configuration.
4. From Proxy Settings, clear Enable proxy settings.
5. Click OK and close the GPO.


The clients update the next time Group Policy refreshes or, as described above, use the
command line at a particular client to achieve this manually.

Configuring Safari manually



1. In Safari, go to Safari > Preferences.


2. Click on the Advanced icon.
3. Under Proxies, click Change Settings.
4. For Mac OS 10.5 and under:
   • For the Configure Proxies option, select Using a PAC file.
   • In the PAC file URL field, enter the path to the PAC file (see The TRITON
     AP-WEB PAC file, page 12).
   • Click Apply Now.
5. For Mac OS 10.6 and higher:
   • Under Select a protocol to configure, select Automatic Proxy
     Configuration.
   • In the Proxy Configuration File URL field, enter the path to the PAC file (see
     The TRITON AP-WEB PAC file, page 12).
   • Click OK.

6. Close and restart Safari.

Configuring your firewall



Some host and port combinations must be allowed through your firewall in order for
TRITON AP-WEB to operate correctly. Below is a description of each port.
Port   Purpose
8006   Single sign-on authentication with third-party providers. Port 8006 is
       available for Oracle Identity Federation, PingFederate, and Microsoft ADFS.
8089   Secure form authentication. This is required if you are using form-based
       authentication to authenticate end users.
80     Proxy service. This is where the TRITON AP-WEB service is provided.
       PAC file. This is required if your browsers (or proxy) are to fetch their PAC
       file from TRITON AP-WEB. Note that port 8081 is also available for proxy
       service, and port 8082 is available for PAC files.
       Notification page components. The default notification pages refer to style
       sheets and images served from the cloud platform at
       http://www.mailcontrol.com. For these pages to appear correctly, this website
       is accessed directly (i.e., not through TRITON AP-WEB).
       Unproxied home page (principally for remote users). Although this service is
       principally for remote users, you may choose to configure all browsers to use
       this as their home page. In this case, you need to allow access through your
       firewall.
       Checking browser configuration. This service allows users to check whether
       their browser settings are correct for accessing the proxy. The site detects
       whether it has been accessed via TRITON AP-WEB and returns a page
       indicating this.
       PAC file and proxy service for remote users. Remote users should also use
       the PAC file address for port 80 if requesting access from a network that has
       port 8081 or 8082 locked down.
443    Service administration. The Cloud TRITON Manager is similarly unproxied.
       Otherwise, it would be possible for you to accidentally block access and then
       be unable to rectify the situation.

To guarantee availability, TRITON AP-WEB uses global load balancing technology to
direct traffic across multiple geographic locations. A client using the service looks up
the webdefence.global.blackspider.com record. This record resolves to the IP address
of the nearest location of the TRITON AP-WEB service.
Static users are typically always served by proxies from the TRITON AP-WEB
service closest to them. In the event of localized or Internet-wide connectivity issues,
the global load balancing technology automatically routes requests to the next closest
location. To make the most of the resilience offered by this infrastructure, users must
be allowed to connect to the entire TRITON AP-WEB network - those IP addresses
that the service uses now and those that may be deployed in the future.
If you decide to lock down your firewall, you should permit all the IP address ranges
in use by the TRITON AP-WEB service for all the above ports. These ranges are
published in a Knowledge Base article called Cloud Service cluster IP addresses and
port numbers.
Note
Forcepoint is constantly expanding this list as we add new capacity to support our
rapidly expanding user base.
If you block port 80, you may want to add an exception for some PCs (those used by
your own IT staff) so that they can use the TRITON AP-WEB performance monitor.
This monitor compares performance through TRITON AP-WEB against direct
connection performance. It needs to be able to connect directly to the target sites.


Deploying an i-Series appliance

This chapter describes the deployment of an i-Series appliance as part of your
TRITON AP-WEB solution. You can choose to deploy an appliance for all of your
web traffic, or as part of a larger solution that combines the different management
options that TRITON AP-WEB offers. For example, you may wish to have an
appliance on one site, but deploy the PAC file for end users on another site, and install
Web Endpoint for roaming users.
For information on other TRITON AP-WEB deployment options, see Deploying
TRITON AP-WEB in the cloud, page 9.
Once you have a TRITON AP-WEB account and have either received your i-Series
appliance or downloaded the appliance virtual image, you can deploy your appliance
by completing the following tasks:
1. Issues to consider before you begin
2. Initial portal settings
3. Appliance setup and configuration
4. Connecting the appliance to your network
5. Registering the appliance
The Quick Start poster, which is packaged in the appliance shipping box, outlines
these tasks for the hardware version and includes a section for writing down reference
information during deployment.

Recommendations for an evaluation



Some of the major benefits of TRITON AP-WEB over competing solutions are that:
• As an on-demand service, it lends itself to small scale evaluation.
• It allows rapid expansion of the numbers of users involved at the proof-of-concept
  stage.
• It allows rapid deployment into production after successful completion of the
  evaluation.


During the initial stages of an evaluation, it is recommended that you configure all of
your IP address ranges as trusted network sources, meaning that the appliance ignores
all traffic. You can then test your deployment with a small number of clients before
opening it up to all IP addresses and ignoring only those addresses whose traffic you
do not want to be analyzed (for example, servers that receive Microsoft and antivirus
updates).

Issues to consider before you begin



Consider the following before you begin the deployment:
• If you have a hardware appliance, determine appliance rack location.
• If you are installing the appliance as a virtual machine, ensure the installation
  machine meets the following requirements:
  - For a Silicom bypass card deployment, the card should be installed on ESXi
    in VMDirectPath mode. For more information on Silicom card installation,
    see Silicom card setup, page 32.
  - 6 dedicated CPU cores and at least 12 GB RAM
  - 128 GB hard disk drive
  - The appliance virtual machine can be installed only on VMware vSphere
    ESXi 5.1, 5.5, or 6.0.
• Determine appliance IP addresses for network deployment. You will require 2
  addresses and it is recommended that you configure 3.
• Determine your directory synchronization policy.
• If you wish to use transparent NTLM authentication for your users, decide
  whether to connect your appliance to a local Active Directory (see Configuring
  Active Directory authentication, page 48).
  If you plan to use Active Directory authentication, ensure that your appliance
  hostname complies with Active Directory hostname requirements (see First-Time
  Configuration Wizard, page 42).
  Alternatively you can enter the domain that forms part of your users' NTLM
  identity when adding your appliance in the cloud service portal.
  Note
  To use your Active Directory for authentication, the
  appliance must be able to access the directory's IP address
  and port(s). You may need to edit an internal firewall
  setting or LAN routing rules.
• It is recommended that you provide a certificate when you add an appliance in the
  cloud portal, in order to avoid browser warnings regarding SSL termination for
  block, authentication, or quota/confirm operations. See Generating a certificate.


  To use the cloud service SSL decryption feature, you should also install the
  Forcepoint root certificate on each client machine. See the section Enabling SSL
  decryption in the Cloud TRITON Manager Help.
• The appliance ships with a pre-installed Web category database. After appliance
  setup, an update to this database is initiated. During this update, the appliance can
  analyze traffic using the pre-installed database. Because this database is out-of-date,
  traffic analysis may be more accurate after the full update is complete.
  A progress message displayed on the Status > General page disappears when the
  update is complete.
• Browsing with TRITON AP-WEB via an i-Series appliance has been tested with
  most commercially available web browsers. However, note that using a Windows
  XP machine with Internet Explorer 8 or below is not recommended, as HTTPS
  connections are not supported on i-Series appliances for this platform and
  browser.

Initial portal settings



You should have received your TRITON AP-WEB confirmation email, including a
Cloud TRITON Manager user name and temporary password if you are a new cloud
services customer, as described in Logging on to the Cloud TRITON Manager. The
initial setup involves the following tasks:
1. Run directory synchronization.
2. Add new appliance information.

Run directory synchronization



It is recommended that you use directory synchronization to import your users and
groups information from your LDAP directory (for example, Active Directory) into
the Cloud TRITON Manager. This is the quickest and easiest way to import end users'
email addresses, and also NTLM details if you are planning to use NTLM
identification.
Note
For alternatives to directory synchronization, see Enabling
browsers for NTLM transparent authentication.
Although TRITON AP-WEB is a cloud-based service, it synchronizes with LDAP
directories via a client-resident application called the Directory Synchronization
Client. Changes made to a directory, such as deleting a former employee or adding a
new one, are picked up by the service on the next scheduled update. If you have more
than one LDAP directory, the client can merge them together before synchronizing the
data with the service.
To set up and run directory synchronization:
1. Log on to the Cloud TRITON Manager from the machine you want to use for
directory synchronization.
2. Go to Account > Directory Synchronization.
3. Download and install the appropriate version of the Directory Synchronization
Client.
4. In the Cloud TRITON Manager, go to Account > Contacts and set up an
administrator contact with Directory Synchronization permissions. The logon
credentials you define will be used by the Directory Synchronization Client to log
onto the manager.
5. Configure the Directory Synchronization Client as described in the Directory
Synchronization Client Administrator's Guide, including the logon credentials you
created in the previous step.
Note
If your LDAP data does not include users' email
addresses, you can change the default attribute for the
primary mail value in the Directory Synchronization Client
as follows:
• When creating or modifying the Users part of your
  configuration profile, go to the Data source > LDAP
  search page in the wizard. Click Advanced to display
  the Search attributes page.
• In the Primary Mail field, replace %mail% with
  another attribute.
  For example, you could use %userPrincipalName% if
  configured, or create a fake email address using the
  sAMAccountName such as
  %sAMAccountName%@mydomain.com.

6. Once you are ready to synchronize data with the cloud, go back to Account >
Directory Synchronization.
a. Click Edit.
b. Click Enable directory synchronization.
c. For User policy assignment, select Fixed.
d. For Email new users, define whether synchronized users should receive a
notification email from TRITON AP-WEB.
e. Click Submit when done.
7. Run the synchronization, and check the results both in the client and on the portal:
   • In the client, click on the Groups and Users tabs to view the results.
   • On the portal, go to Account > Directory Synchronization. The Recent
     Synchronizations section shows your recent synchronization history; click the
     timestamp in the date column to view details about a specific synchronization.

Add new appliance information



To add your new appliance information in the Cloud TRITON Manager:


1. Click Web > Network Devices.
2. On the Appliances tab, click Add.
Note
It is recommended that you define certificates when you
add an appliance, in order to avoid browser warnings
regarding SSL termination for block, authentication, or
quota/confirm operations. Some browsers, for example
later versions of Chrome, may block the transaction and
display an error message. See Generating a certificate.
3. In the General tab:
a. Enter a unique appliance name (1 - 512 alphanumeric characters).
b. Enter a brief description (maximum length of 1024 characters).
c. Ensure the appliance is enabled by marking the Enabled check box (default
setting). A disabled appliance can communicate with the cloud, but does not
process web traffic and allows everything through.
d. Specify the Time zone used to apply policy from this appliance.
e. Select a Default policy for this appliance.
f. If you want to apply different policies to different internal networks whose
traffic is managed by the appliance, click Add under the Policy Assignment
table.
Provide a description, IP address range, and policy selection for the
internal network, then click OK.
Repeat the process for each internal network to which you want to apply a
policy other than the default.
g. Enable cloud forwarding is marked by default. This means that appropriate
web traffic is redirected to the nearest cloud service cluster for additional
analysis. Clear this option if you do not want traffic to be forwarded to the
cloud. All traffic will be analyzed through the appliance, but without any
cloud analytics.
4. In the Networking tab:
a. Add IP addresses or address ranges whose traffic should not be analyzed in
the Trusted Network Sources box. Click Add and enter either:
   • IP or network address and subnet mask
   • IP address range
Enter a suitable Description for the trusted network.
Select the traffic direction for the specified addresses as either Source or
Destination.
Click OK. You can delete a trusted network entry by marking the check box
next to it and clicking Remove.
Note
For the initial appliance deployment, it is recommended
that you configure all of your IP address ranges as trusted
network sources, meaning that the appliance ignores all
traffic. You can then test your deployment with a small
number of clients before opening it up to all IP addresses
and ignoring only those addresses whose traffic you do not
want to be analyzed - for example, servers that receive
Microsoft and antivirus updates.
b. For a network architecture that includes virtual LANs (VLANs), in the VLAN
Tag Support section check Support VLAN tags if you want the appliance to
analyze VLAN-tagged and untagged traffic. All VLAN traffic will be
analyzed unless you define some of that traffic as trusted. You can bypass
analysis for specific VLAN tags by entering trusted tag numbers in the VLAN
tag field, and bypass analysis for untagged traffic by checking the Trust
untagged traffic box.
The appliance supports the use of a single VLAN tag to identify management
communication traffic from the appliance to the cloud and database download
services. You can configure this tag on the Routing page of the First-Time
Configuration Wizard.
Note
The VLAN tag entered on the appliance Routing page is
also used by any client that communicates with the
appliance bridge interface, either explicitly for
management purposes or transparently, for example for
authentication, quota, or confirm actions when filtering.
Ensure you have configured valid routing between the
bridge interface and any client generating traffic that is
intercepted by the appliance, taking the VLAN tag into
account.
c. In the Ports section, enter comma-separated port numbers for HTTP and
HTTPS channels.
d. Specify how the cloud service handles requests for IPv6 destinations (allow or
block). Traffic to IPv6 destinations that is allowed (default setting) is not
filtered or logged.
5. In the Authentication tab:


a. If you wish to use transparent NTLM authentication and your appliance will
not be connected to a local Active Directory, enter the domain that forms part
of your users' NTLM identity. The NTLM domain is the first part of the
domain\username with which users log on to their Windows PC; for example,
MYDOMAIN\jsmith.
Important
You must configure your end users' browsers to support
transparent NTLM authentication, either manually or via
GPO or similar. See Enabling browsers for NTLM
transparent authentication, page 78.
If you are connecting your appliance to a local Active Directory for NTLM
authentication, this field is not required as the appliance retrieves this
information automatically from the local Active Directory.
b. Select a time period after which a user's login and password must be
revalidated from the Session timeout drop-down list. The default is 1 day.
c. If you have users on a thin-client environment, define network addresses and
IP address ranges that should use session-based authentication. In this
environment, the mapping of end user to source IP address is no longer 1-to-1.
To overcome this issue and authenticate end users correctly, session-based
authentication takes place at configurable intervals by using cookies injected
into the web traffic that force the web client to authenticate.
Once a cookie is injected, it is analyzed by the appliance and serves as a
replacement for the user-to-source IP address mapping to associate a specific
transaction to a specific user. This authentication is then valid for the length of
time defined in the Session timeout drop-down list.
Note
When session-based authentication is enabled, the Allow
end users to bypass all certificate errors option on the
portal Bypass Settings page is not currently supported.
6. In the Certificates tab:
a. Specify the certificates used for this appliance:
   • Browse to the public certificate file. Open the file to enter its name in the
     Public certificate field.
   • Browse to the private key file. Open the file to enter its name in the Private
     key field.
   • If you have chained certificates, mark the Add chained certificate check
     box and browse to the intermediate certificate. Open the file to enter its
     name in the Add chained certificate field.
For information on generating your own certificate for the appliance, see
Generating a certificate below.


If you want to specify your certificates later, mark the I want to define
certificates later option.
7. Click OK.
The appliance details are displayed on the Network Devices page. The appliance is
also added as the proxied connection on the Connections tab of the policy that you
specified, ensuring your policy is applied to all requests originating from the
appliance.

Generating a certificate
We strongly recommend that each appliance has a valid version 3 X.509 identity
certificate with an unencrypted key. This avoids browser warnings regarding SSL
termination for block, authentication, or quota/confirm operations.
The certificate can be generated using a variety of tools. Below is a simple procedure
using OpenSSL to generate a private key and a self-signed CA certificate that can be
used for your appliance. This section assumes that you are familiar with OpenSSL and
have a working OpenSSL installation.
The OpenSSL statement
openssl genrsa -passout pass:1234 -des3 -out CA_key_password.pem 2048

creates a 2048-bit RSA private key with a password of 1234. You must supply a
password, as OpenSSL does not allow the creation of a private key without one. You
can then strip the password from the key as follows:
openssl rsa -in CA_key_password.pem -passin pass:1234 -out CA_key.pem

This also saves the unencrypted key under a new name, CA_key.pem, instead of
CA_key_password.pem.
Finally, use the following statement to create the CA:
openssl req -x509 -days 11000 -new -sha1 -key CA_key.pem -out CA_cert.pem

Note that this command prompts you to input information about different parameters,
such as country, state, locality, or your organization's name.
Once you have created the private key (CA_key.pem) and public certificate
(CA_cert.pem), import the certificate to all relevant browsers, and upload the
certificate to each appliance using the Certificates tab.
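As an added example (not part of the Forcepoint guide), the three OpenSSL steps above scripted for POSIX sh so they run without prompts, followed by the checks worth running before uploading the files on the Certificates tab: the key is really unencrypted, the key matches the certificate, and the certificate is X.509 version 3. The subject fields, output directory and hostname are assumed placeholders, and it signs with -sha256 rather than the guide's -sha1, since current browsers reject SHA-1 signatures.

```shell
#!/bin/sh
# Added example: non-interactive version of the guide's three OpenSSL
# steps plus the pre-upload checks. Subject fields, directory and host
# name below are placeholders (assumptions, not from the guide).
set -eu

# make_appliance_cert DIR CN
# Produces CA_key.pem and CA_cert.pem in DIR with the guide's file names.
make_appliance_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir"

    # Step 1: 2048-bit RSA key protected with the guide's throwaway password.
    openssl genrsa -passout pass:1234 -des3 \
        -out "$dir/CA_key_password.pem" 2048 2>/dev/null

    # Step 2: strip the password; the appliance needs an unencrypted key.
    openssl rsa -in "$dir/CA_key_password.pem" -passin pass:1234 \
        -out "$dir/CA_key.pem" 2>/dev/null

    # Step 3: self-signed certificate. -subj supplies the country, state,
    # locality, organization and common name the guide says you are
    # prompted for; SHA-256 replaces the guide's -sha1 (assumption).
    openssl req -x509 -days 11000 -new -sha256 -key "$dir/CA_key.pem" \
        -subj "/C=US/ST=TX/L=Austin/O=Example Corp/CN=$cn" \
        -out "$dir/CA_cert.pem" 2>/dev/null
}

# verify_appliance_cert DIR
# Returns 0 only if every check passes; names the failing check otherwise.
verify_appliance_cert() {
    dir=$1
    key="$dir/CA_key.pem"
    cert="$dir/CA_cert.pem"

    # Check 1: an encrypted PEM carries an ENCRYPTED marker (both the
    # legacy "Proc-Type: 4,ENCRYPTED" and PKCS#8 "ENCRYPTED PRIVATE KEY").
    if grep -q "ENCRYPTED" "$key"; then
        echo "FAIL: $key is still password-protected" >&2
        return 1
    fi

    # Check 2: key and certificate must share the same RSA modulus.
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
    cert_mod=$(openssl x509 -noout -modulus -in "$cert")
    if [ "$key_mod" != "$cert_mod" ]; then
        echo "FAIL: private key does not match certificate" >&2
        return 1
    fi

    # Check 3: the guide asks for an X.509 version 3 certificate.
    if ! openssl x509 -noout -text -in "$cert" | grep -q "Version: 3"; then
        echo "FAIL: certificate is not X.509 v3" >&2
        return 1
    fi

    # Show subject and validity window so the 11000-day lifetime is visible.
    openssl x509 -noout -subject -dates -in "$cert"
    return 0
}

# Stand-alone run: build into a temporary directory, verify, clean up.
workdir=$(mktemp -d)
make_appliance_cert "$workdir" "appliance.example.com"
verify_appliance_cert "$workdir"
rm -rf "$workdir"
```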

Appliance setup and configuration



Perform the steps below to set up and configure your appliance. The steps for the
hardware version are also described, with diagrams, on the Quick Start poster.


1. Either:
   • Verify the contents of the accessory box that was shipped with the appliance.
     It should include a power cable, an appliance bezel, and a quick start poster.
   • Rack the appliance and plug it in.
   Or:
   • Deploy the i-Series appliance OVA file on a VMware ESXi workstation
     server. See Installing the appliance on a virtual machine, page 31.
2. Power the appliance on and allow the boot sequence to complete.
3. Connect a computer with DHCP enabled (such as a laptop) to the appliance C1
interface. Wait a few moments, until the automatic network setup process is
complete, to begin appliance configuration.
4. Log on to the appliance via a web browser connection (https://169.254.0.2).
Credentials are admin/admin.
5. Complete the appliance First-Time Configuration Wizard.
6. Log off the appliance and disconnect the computer from the appliance.

Installing the appliance on a virtual machine



Download the OVA file suitable for your deployment from your website account to a
local directory. There are 2 ways to install the appliance on a virtual machine:
• With a Silicom bypass card connected to the ESXi host, and with one
  management NIC. For this scenario, use the OVA file starting Websense-i500vdio-bp-InstallImage.
• Without a Silicom card, just using 3 virtual switches. In this scenario, use the
  OVA file starting Websense-i500v-InstallImage.
Ensure the installation machine meets the following requirements:
• For a Silicom bypass card deployment, the card should be installed on ESXi in
  VMDirectPath mode. For more information on Silicom card installation, see
  Silicom card setup, page 32.
• 6 dedicated CPU cores and at least 12 GB RAM
• 128 GB hard disk drive
• The appliance virtual machine can be installed only on VMware vSphere ESXi
  5.1, 5.5, or 6.0.
This section describes how to set up the ESXi machine, and how to install the OVA
file:
• Network settings
• Silicom card setup
• Setting up promiscuous mode (no Silicom card)
• Importing the OVA
• Deployment without Silicom card
• Deployment with Silicom card

Network settings
It is recommended that you have dedicated NICs for each of the 3 switches required
for the appliance. The B1 WAN and B2 LAN switches must use different physical
interfaces.
Important
Do not use the ESXi management physical interface for
the B1 or B2 switch.
To create the required network interfaces:
1. In the VMware vSphere Client, select Hosts and Clusters.
2. Select your host and click the Configuration tab.
3. Select Networking in the Hardware section, and click Add Networking.
4. Select a connection type and click Next.
5. Select Create a vSphere standard switch.
6. Select the check boxes for the network adapters that your standard switch will use
and click Next.
7. Under Port Group Properties, enter a network label for the management NIC: C1
Management.
8. Click Next.
9. Review your settings and click Finish.
10. Repeat these steps for 2 more switches: B1 WAN (for outgoing traffic) and B2
LAN (for incoming traffic).

Silicom card setup


To set up the Silicom bypass card on the ESXi machine, VMDirectPath technology is
required. To use VMDirectPath, verify that the host has Intel Virtualization
Technology for Directed I/O (VT-d) or AMD I/O Virtualization Technology
(IOMMU) enabled in the BIOS.

1. In the vSphere Client, go to the Configuration tab and select Advanced Settings
in the Hardware section.
2. Click the Edit link.


3. Mark the Silicom card check box. You can identify the Silicom card by checking
the device details for the Silicom Subvendor ID, which should be 1374.

4. Click OK.
The message Changes made to some of the devices below will not take effect
until the host is restarted appears on the Advanced Settings screen.
5. Restart the ESXi host server.


After the restart, the list of Silicom Card NICs should appear on the Advanced
Settings screen with green bullets.

Setting up promiscuous mode (no Silicom card)


If you are installing without a Silicom card, you must set the B1 and B2 NICs to be in
promiscuous mode:
1. In the vSphere Client, go to the Configuration tab and select Networking in the
Hardware section.
2. Click the Properties link for the B1 switch.
3. Select the B1 NIC in the list, then click Edit.


4. On the Security tab, mark Promiscuous Mode, and select Accept from the
drop-down list. Click OK.
5. The B1 NIC properties should now show Promiscuous Mode set to Accept. Click
Close.
6. Repeat steps 2-5 for the B2 NIC.


Importing the OVA


1. In the vSphere Client, go to File > Deploy OVF Template.
2. Browse to the OVA file that you downloaded from your Forcepoint website
account, then click Next twice.
3. Enter a name for the i-Series appliance VM, then click Next twice.
4. If you set up the network configuration on the ESXi host as described in Network
settings, you should see the network mapping screen (the guide shows one
screenshot for a VM with Silicom card and one for a VM without Silicom card).
5. Click Next.


6. Click Finish, and wait for the installation to complete.

Deployment without Silicom card


If you have deployed the VM without a Silicom card, you must verify the MAC
addresses that have been generated:
1. Initially, no MAC addresses are assigned to the machine NICs. Turn on the new
VM, then right-click the VM and select Edit Settings.
Each NIC should now have a MAC address.
2. Confirm that the generated MAC addresses are in alphabetical order, with B1
WAN having the lowest address, followed by B2 LAN and then C1 Management.
If this is not the case, change the mapping of your NICs as follows:
a. Select the NIC with the lowest MAC address.
b. Under Network Connection, change the Network label to B1 WAN.


c. Repeat the Network label change for the next lowest MAC address (setting it
to B2 LAN) and finally the highest MAC address (setting it to C1
Management).
d. Click OK when done.
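The MAC ordering check in step 2 above, written out as a small script. This is an added example, not code from the guide or from Forcepoint: it takes the label-to-MAC mapping you read from Edit Settings (the sample values below are constructed, using VMware's 00:50:56 prefix) and either confirms the order or tells you which label each NIC should receive. Numeric comparison of the hex digits gives the same result as the alphabetical order the guide asks you to confirm, because the addresses are fixed-width lower-case hex.

```python
EXPECTED_ORDER = ("B1 WAN", "B2 LAN", "C1 Management")


def mac_to_int(mac: str) -> int:
    """Parse a MAC such as '00:50:56:aa:00:01' (colons or dashes, any case) into an int.

    For fixed-width lower-case hex, numeric order equals the alphabetical order
    the guide asks you to confirm.
    """
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def check_nic_mapping(adapters: dict) -> dict:
    """Check the label-to-MAC mapping of the three appliance NICs.

    adapters maps network label -> MAC address as shown under Edit Settings.
    Returns {} when B1 WAN has the lowest MAC, B2 LAN the next and C1 Management
    the highest; otherwise returns the corrected label -> MAC mapping to apply.
    """
    if set(adapters) != set(EXPECTED_ORDER):
        raise ValueError(f"expected exactly the labels {EXPECTED_ORDER}")
    # Sort the adapters by MAC and hand out the labels in the required order.
    by_mac = sorted(adapters.values(), key=mac_to_int)
    corrected = dict(zip(EXPECTED_ORDER, by_mac))
    return {} if corrected == adapters else corrected


if __name__ == "__main__":
    # Constructed sample: VMware-generated MACs that came out in the wrong order.
    sample = {
        "B1 WAN": "00:50:56:aa:00:03",
        "B2 LAN": "00:50:56:aa:00:01",
        "C1 Management": "00:50:56:aa:00:02",
    }
    for label, mac in check_nic_mapping(sample).items():
        print(f"set Network label of {mac} to {label}")
```

Each line printed corresponds to one of the label changes in steps a to c: select the NIC with that MAC and set its Network label accordingly.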

Deployment with Silicom card


If you have deployed the VM with a Silicom card, you should connect the Silicom
Card NICs to the new VM as follows:
1. Right-click the new VM, and select Edit Settings.

2. Click Add.
3. Select PCI Device from the Device Type list, then click Next.


4. Choose the first NIC of the Silicom card (this is the first entry displayed on the
Configuration tab > Advanced Settings page).

5. Click Next, then click Finish.


6. Repeat steps 2-5 for the second Silicom NIC.

7. Click OK on the Virtual Machine Properties page to see the final result.

First-Time Configuration Wizard


Getting Started Guide | Cloud Web Protection Solutions

The First-Time Configuration Wizard walks you through some initial settings that are
important for appliance operation. You must complete the wizard before you can
manage the appliance. Canceling the wizard before completing initial appliance
configuration logs you out of the appliance, and any settings you may have entered up
to that point are not saved.
Click Next on the Welcome page to start the wizard.
1. On the Hostname page, enter the appliance host name or fully-qualified domain
name (FQDN). The name can consist of 1-32 alphanumeric characters, dashes,
and periods. It must begin with a letter and cannot end with a period.
The format for an appliance hostname is hostname. You can also use the format
hostname.parentdomain.
The format for the FQDN is hostname.parentdomain.com.
If you plan to use Active Directory authentication, the following hostname
requirements are enforced:

Total length of 2 - 128 alphanumeric characters (including hostname and
parent domain name elements; format is hostname.parentdomain)

May include dashes, underscores, and periods

Must begin with an alphanumeric character

Cannot end with a dash, underscore, or period

Hostname element length should be between 2 and 15 characters

Cannot match any of the following reserved words:


ANONYMOUS

BATCH

BUILTIN

DIALUP

INTERACTIVE

INTERNET

LOCAL

NETWORK

NULL

PROXY

RESTRICTED

SELF

SERVER

SERVICE

SYSTEM

USERS

WORLD

Click Next to continue with the wizard.


2. On the Network Interfaces page:
a. In the Outbound Traffic section, specify the appliance IP address and subnet
mask for the network bridge created by the B1 and B2 interfaces. These
interfaces are used for all outbound traffic. One interface (B1) handles traffic
routed out of your network, and the other (B2) handles traffic to your internal
network.
b. To allow appliance management via the B1 and B2 bridge interfaces along
with the C1 interface, mark the Allow appliance management access in
addition to the C1 interface check box.
c. Provide the IP address and subnet mask for the C1 interface in the Appliance
Management section. This interface is used for appliance management
functions. This interface can also be used when the B1/B2 bridge interface is
in hardware bypass mode.
If you have deployed a virtual appliance that does not include the appliance
bypass function, use of the C1 interface for appliance management is
optional. If you do not define a C1 management interface, then you must use
the B1/B2 bridge interface for management purposes. In this case, the
Outbound Traffic section includes a Use this interface for appliance
management check box, which is marked and not accessible.
If you do wish to define a C1 management interface, mark the Use a
dedicated appliance management IP address check box in the Optional
Appliance Management section, and enter the IP address and subnet mask for
the C1 interface. The Allow appliance management access in addition to
the C1 interface check box is then accessible for marking or clearing.
d. In the DNS Servers section, define a DNS server by entering its IP address in
the IP address field and clicking Add. The IP address appears in the DNS
Server IP Address list.


You can define up to 3 DNS servers. You cannot define more than one server
with the same IP address.
Click Next to continue with the wizard.
3. On the Routing page, specify the IP address of your default gateway for outbound
traffic.
Note
In many cases, you need only a gateway specification on
this page. However, there may be cases where explicit or
static routing is required. For more information on these
scenarios, please see the knowledge article Configuring
routing for i-Series appliances.
If you need to define routing over the bridge interface,
please contact Technical Support in the first instance. You
can define routing rules over the management interface as
follows:
Click Routing Table.
Click Add and then provide the following route
information in the Route Properties dialog box:

Destination network

Subnet mask for the destination network

Gateway IP address

Interface used. In the drop-down list, select either Bridge (B1, B2) or
Management (C1).

The appliance supports the use of a single VLAN tag to identify management
communication traffic from the appliance to the cloud and database download
services. This tag is also used by any client that communicates with the appliance
bridge interface, either explicitly for management purposes or transparently, for
example for authentication, or for quota or confirm actions when filtering.
Note
Ensure you have configured valid routing between any
client generating traffic that is intercepted by the appliance
and the bridge interface, taking into account the VLAN tag
that you define on this page.
Mark the Use the following VLAN tag check box, then enter the tag in the entry
field using a number from 0 to 4094.
Click Next to continue with the wizard.
4. The final page of the wizard summarizes the entries and selections you have
made. If you want to change any setting after your review, click Back to access
the desired wizard page and edit your settings.


If you are satisfied with your settings, click Finish.


You must log off the appliance and log back on for your configuration settings to take
effect.
When you log back on, you are prompted to change your initial password (if you have
not already done so) and register the appliance with TRITON AP-WEB. See
Registering the appliance for information.
Note
If you are unable to access the appliance, you can connect
to the appliance manager interface at any time using the
C1 interface via https://169.254.0.2.
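The hostname rules from step 1 of the wizard, turned into a checker you can run on a proposed name before typing it into the Hostname page. This is an added example, not code from the guide or from Forcepoint; the appliance performs its own validation. It assumes the rules apply exactly as listed above, and it treats the reserved-word check as applying to the hostname element (the label before the first period), which is an assumption.

```python
import re

# Reserved words from the Active Directory hostname requirements listed above.
RESERVED_WORDS = {
    "ANONYMOUS", "BATCH", "BUILTIN", "DIALUP", "INTERACTIVE", "INTERNET",
    "LOCAL", "NETWORK", "NULL", "PROXY", "RESTRICTED", "SELF", "SERVER",
    "SERVICE", "SYSTEM", "USERS", "WORLD",
}

# Allowed character sets: the wizard's general rule permits letters, digits, dashes
# and periods; the Active Directory rule additionally permits underscores.
_GENERAL_CHARS = re.compile(r"^[A-Za-z0-9.-]+$")
_AD_CHARS = re.compile(r"^[A-Za-z0-9._-]+$")


def validate_hostname(name: str, active_directory: bool = False) -> list:
    """Check an appliance hostname or FQDN against the wizard's rules.

    Returns a list of violated rules; an empty list means the name is acceptable.
    With active_directory=True the stricter Active Directory requirements apply.
    """
    problems = []

    if not active_directory:
        if not 1 <= len(name) <= 32:
            problems.append("length must be 1-32 characters")
        if not _GENERAL_CHARS.match(name):
            problems.append("only letters, digits, dashes and periods are allowed")
        if not name[:1].isalpha():
            problems.append("must begin with a letter")
        if name.endswith("."):
            problems.append("cannot end with a period")
        return problems

    if not 2 <= len(name) <= 128:
        problems.append("total length must be 2-128 characters")
    if not _AD_CHARS.match(name):
        problems.append("only letters, digits, dashes, underscores and periods are allowed")
    if not name[:1].isalnum():
        problems.append("must begin with an alphanumeric character")
    if name and name[-1] in "-_.":
        problems.append("cannot end with a dash, underscore, or period")

    # Hostname element = the label before the first period (hostname.parentdomain).
    host_element = name.split(".", 1)[0]
    if not 2 <= len(host_element) <= 15:
        problems.append("hostname element must be 2-15 characters")
    # Assumption: the reserved-word rule is applied to the hostname element,
    # compared case-insensitively.
    if host_element.upper() in RESERVED_WORDS:
        problems.append(f"hostname element '{host_element}' is a reserved word")
    return problems
```

A name that passes with active_directory=False but fails with active_directory=True (for example one whose hostname element is "proxy") is the case to watch for, since the Active Directory connection described later in this chapter is refused for such names.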

Connecting the appliance to your network



Connect the appliance to your network. The appliance must have at least a valid
connection to the cloud service for registration and the subsequent database update to
succeed. You can choose either of the following methods:

Install the appliance in your network and then register it with the cloud service.
The appliance operates as a simple network bridge, forwarding all traffic, until
registration is complete.

Install the appliance offline, with only the B1 interface connected to the network
to allow an upstream connection to the cloud service. Once registration is
complete and the appliance is fully set up, you can connect it to the rest of your
network.

The sample diagram (not reproduced here) shows a possible deployment.

Configuring your firewall



If your network includes a firewall, by default your appliance is configured to use the
standard destination TCP ports 80 and 443 for connections to the cloud service.
Ensure these ports are open.
Alternatively and depending on your corporate firewall policy, you can configure your
appliance to use the following ports, which are the ones used for non-appliance
connections to the cloud service:

Port   Purpose
8002   Configuration and policy update information retrieval from TRITON AP-WEB.
       This port must be open for an i-Series appliance to retrieve periodic
       configuration and policy updates from the cloud service.
8081   Proxy service. This is where the cloud-based content analysis is provided.
80     Notification page components. The default notification pages refer to style
       sheets and images served from the TRITON AP-WEB cloud platform. For these
       pages to appear correctly, this Web site is accessed directly (i.e., not through
       the cloud service).
       This port should also be opened for standard web traffic that does not need to
       be sent to the cloud for further analysis.
443    Service administration. The Cloud TRITON Manager is similarly unproxied.
       Otherwise, it would be possible for you to accidentally block access and then be
       unable to rectify the situation.
       This port should also be opened for standard secure web traffic that does not
       need to be sent to the cloud for further analysis, and for database updates.


You can switch between the standard and alternative ports at any time using the
appliance command-line interface (CLI). To switch port settings:
1. On the appliance machine, open a command-line window.
2. Type device.
cmd> device

3. Type one of the following:
device> use_standard_ports yes

for the standard ports 80 and 443, or
device> use_standard_ports no

for the alternative ports 8002 and 8081, plus 80 and 443.
The CLI returns the confirmation Done when the ports have been switched. If the
ports are already set to the option you specify, the CLI returns Not changed.
You must also open outbound UDP port 123 to enable the appliance to synchronize its
clock with the Network Time Protocol.
To guarantee availability, TRITON AP-WEB uses global load balancing technology to
direct traffic across multiple geographic locations. Content analysis is typically
always performed by proxies from the cloud service closest to the end user. In the
event of localized or Internet-wide connectivity issues, the global load balancing
technology automatically routes requests to the next closest location. To make the
most of the resilience offered by this infrastructure, users must be allowed to connect
to the entire cloud service network, both those IP addresses that the service uses now
and those that may be deployed in the future.
If you decide to lock down your firewall, you should permit all the IP address ranges
in use by the Forcepoint cloud service for all the above ports. These ranges are
published in a Knowledge Base article called Cloud Service cluster IP addresses and
port numbers. Note that you need to log on to your Forcepoint website account to
view this article.

Registering the appliance



In order to manage your appliance, you must change the initial password and register
the appliance with TRITON AP-WEB.
When you log back in to the appliance after completing the First-Time Configuration
Wizard, the initial screen lets you change the initial password, if you have not already
done so, in the Administrator Credentials box. If you changed the password before
completing the wizard, the Administrator Credentials box does not appear on this page
when you log back in.
This initial page also lets you enter your TRITON AP-WEB registration key. To
register your appliance:


1. Log on to the Cloud TRITON Manager and click Web > Network Devices.
2. Select the row that contains this appliance.
3. Click Register at the bottom of the page to open the Register Appliance box.
4. Copy the displayed registration key and click Close.
5. Return to the appliance manager and paste the key into the Registration key field.
6. Click OK.
At this point, an update to the pre-installed Web category database begins. During this
update, the appliance can analyze traffic using the pre-installed database. Note that
this database is out-of-date, and analysis may be more accurate after the update
process completes.
A download progress message appears on the Status > General page. This message
disappears when the update is complete.

Browser support

TRITON AP-WEB has been tested with most commercially available web browsers,
but for support purposes we recommend you use one of the following:

Mozilla Firefox 4 to 38 on all platforms

Microsoft Internet Explorer 7 through 11 on Microsoft Windows platforms
(desktop interface only)

Safari 3.1 on MacOS X 10.4 (Tiger)

Safari 5.x on MacOS X 10.6 and 10.7

Safari 6.x on MacOS X 10.8

Safari 7.x on MacOS X 10.9

Safari 8.x on MacOS X 10.10

Google Chrome 13 to 43

When using a Windows XP machine with Internet Explorer 8 or below, HTTPS
connections are not supported on i-Series appliances.

Configuring Active Directory authentication



Use the appliance Configuration > System page to connect to an Active Directory
server for transparent NTLM authentication. When this screen first opens, the status
under Active Directory Authentication is Disconnected, and a button labeled
Connect is available.
To establish a connection to an Active Directory server for authentication:

1. Click Connect.
2. In the Active Directory Authentication dialog, enter the following server
information in the appropriate fields:

Domain name

Active Directory administrator name

Active Directory administrator password


Note that this password is used only for establishing the server connection.
The contents of this field are not stored anywhere in the system.

3. Indicate how the system finds the domain controller by selecting 1 of the
following options:

Auto-detect using DNS

Enter a domain controller name or IP address. You can specify backup servers in
a comma-separated list.

4. Click OK.
The connection cannot be made if the server hostname does not adhere to Active
Directory naming restrictions. See First-Time Configuration Wizard, page 42, for a
detailed list of Active Directory hostname requirements.
After a connection is successfully established, the button name changes from Connect
to Disconnect.

Running diagnostics

The Diagnostics tab on the appliance Status > Alerts and Diagnostics page provides
the capability to run a series of system tests to determine the current state of the cloud
service. As a best practice, it is recommended that you run these tests when you first
deploy an appliance, and if you encounter any connectivity issues.
The first time you open the Diagnostics tab, a table shows a list of the tests to run. The
tests include, for example, a status check of the network interfaces, the default
gateway, your DNS servers, or the cloud connection.
Click Run Diagnostics to start the tests. The Results column displays test status (In
progress) and results (Passed, Failed, or Could not complete). For tests that do not
complete or fail, the Details column displays more information, including suggestions
for resolving the issue that caused the failure.
Each time you open the Diagnostics tab thereafter, the results of the last test run
appear, along with the date/time of those tests.


Monitoring appliance traffic


The capability to monitor appliance traffic for troubleshooting purposes is available
via the appliance command-line interface (CLI). Access the traffic monitor using the
following commands:
cmd> status
status> monitor

Then run the monitor using the monitor command and its arguments:
monitor <arguments>

Other command options let you configure default display attributes for the log entries
as well as display custom attribute combinations and protocols. See the Knowledge
Base article that provides detailed information about the CLI monitor command
options.

Using TRITON AP-ENDPOINT Web with an appliance



If some of your end users have TRITON AP-ENDPOINT Web installed, perhaps
because they often work remotely, you can set up your appliance to handle endpoint
traffic in one of the following ways when those end users are at a site served by an
appliance:

Ignore all traffic generated by an endpoint client. This means that endpoint users
are effectively treated as roaming users even when on-site.

Manipulate PAC file requests from endpoint clients and ensure that endpoint
traffic goes direct through the appliance rather than via the cloud service proxy.
This means that end users have less latency and get a better user experience.

Both of these configurations must be enabled by Technical Support; please contact
Support for further information.

Using Chained Proxies


Note
This chapter is not applicable if you are deploying
TRITON AP-WEB with an i-Series appliance.
TRITON AP-WEB has been tested with a number of commercially available proxies
in chained proxy configuration. For support purposes, if chained proxy is your chosen
deployment method, using one of the following is recommended:

Microsoft ISA Server or Forefront TMG, page 51

Blue Coat ProxySG, page 59

Squid Proxy, page 62

Microsoft ISA Server or Forefront TMG



A Microsoft Internet Security and Acceleration (ISA) Server or Forefront Threat
Management Gateway (TMG) server can be deployed as a downstream proxy with
TRITON AP-WEB. You can configure proxy chaining in the following ways:

Basic chaining. The ISA server does not perform any authentication before
forwarding requests to the cloud proxy. The cloud proxy can perform manual
authentication only.

NTLM pass-through. The ISA server is aware of a requirement for NTLM
identification but takes no part in the authentication, forwarding requests to the
cloud proxy which then performs NTLM identification.

X-Authenticated-User. The ISA server performs user authentication and
forwards requests to the cloud proxy using the X-Authenticated-User header.

In this guide, ISA/TMG refers to ISA Server and Forefront TMG collectively. When
instructions or information differ for the two products, they are referred to specifically
as ISA Server or Forefront TMG.


Basic chaining

To set up your ISA/TMG server to chain with the upstream cloud proxy, follow the
instructions below.
1. Log on to the ISA/TMG server and open the Server Management console.
2. Under Configuration, open the Networks option and select the Web Chaining
tab. Under this tab a default rule is present. Leave this as it is.
3. Click the Tasks tab, then click the Create New Web Chaining Rule link to start
the wizard.

4. Give the rule a meaningful name such as TRITON AP-WEB, and click Next.


5. In the next section, choose the destinations to which this rule applies (in most
cases, it applies to external networks).

6. Click Add and select the appropriate network.


7. Click Next to specify how requests are to be handled. This is where you specify
that requests be sent to an upstream server (i.e., TRITON AP-WEB).

8. Select Redirect requests to a specified upstream server and click Next.


9. On the Primary Routing page, specify the address of the TRITON AP-WEB
service: webdefence.global.blackspider.com

10. Specify port 8081 for both Port and SSL. Click Next.
11. On the Backup Action page, select the appropriate action for your organization.
Your choice depends on whether you are willing to allow requests to be served
directly, without using TRITON AP-WEB. Click Next.

12. Review your settings and click Finish.


Configuring exceptions

If there are any hosts that you do not want to use the proxy service, you must
configure an exception for them. Minimally, you should add those hosts that are in the
PAC file that is downloaded from the TRITON AP-WEB service (see The TRITON
AP-WEB PAC file, page 12, for more details).
You should also configure direct access to the Cloud TRITON Manager to allow the
following:

Correct display of block pages

End-user self-registration

If you are using the roaming user home page
(http://home.webdefence.global.blackspider.com/), that should also be configured as
an exception.
1. To configure exceptions, click Firewall Policy, then select Network Objects
from the Toolbox.


2. Right-click Domain Name Sets and click New Domain Name Set.

3. Give the new set a name (e.g., TRITON AP-WEB Unproxied).
In the Domain names included in this set section, add all TRITON AP-WEB
global exceptions (from the TRITON AP-WEB PAC file). These include the
following Microsoft Windows update sites:
download.microsoft.com
ntservicepack.microsoft.com
cdm.microsoft.com
wustat.windows.com
windowsupdate.microsoft.com
*.windowsupdate.microsoft.com
update.microsoft.com
*.update.microsoft.com
*.windowsupdate.com
Also, add the following cloud service sites:
www.blackspider.com
mailcontrol.com
home.webdefence.global.blackspider.com
webdefence.global.blackspider.com
Include any other exceptions appropriate for your environment.
4. Click OK and Apply changes.
5. Navigate back to the proxy chaining policy you created above, open the policy
and click the To tab.


6. In the Exceptions section, click Add.

7. Expand Domain Name Sets, select the domain set you just created (TRITON
AP-WEB Unproxied), and click Add.
8. Click Close on Add Network Entities.
9. Click OK on the Web chaining policy and Apply the changes.
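The exception list above, expressed as the routing decision it produces: hosts in the Domain Name Set go direct, everything else goes to the upstream cloud proxy on port 8081, which is the same split the TRITON AP-WEB PAC file makes. This is an added example, not code from the guide or from Forcepoint. It assumes that a plain entry matches the hostname exactly and that a `*.` entry matches subdomains only (the guide lists windowsupdate.microsoft.com and *.windowsupdate.microsoft.com separately, which is what that assumption rests on); check the wildcard semantics of your own proxy before relying on it.

```python
from urllib.parse import urlsplit

# Hosts from the guide's Domain Name Set: Windows Update sites plus cloud service sites.
UNPROXIED_PATTERNS = [
    "download.microsoft.com",
    "ntservicepack.microsoft.com",
    "cdm.microsoft.com",
    "wustat.windows.com",
    "windowsupdate.microsoft.com",
    "*.windowsupdate.microsoft.com",
    "update.microsoft.com",
    "*.update.microsoft.com",
    "*.windowsupdate.com",
    "www.blackspider.com",
    "mailcontrol.com",
    "home.webdefence.global.blackspider.com",
    "webdefence.global.blackspider.com",
]

CLOUD_PROXY = "PROXY webdefence.global.blackspider.com:8081"


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against one exception entry.

    A plain entry matches exactly. An entry starting with '*.' matches any
    subdomain of the remainder but not the bare domain itself (assumption, see
    the lead-in).
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Keep the leading '.' in the suffix so that 'notwindowsupdate.com'
        # cannot match '*.windowsupdate.com'.
        return host.endswith(pattern[1:])
    return host == pattern


def is_unproxied(host: str, patterns=UNPROXIED_PATTERNS) -> bool:
    """True if requests for this host should bypass the chained cloud proxy."""
    return any(host_matches(host, p) for p in patterns)


def route_for(url: str) -> str:
    """PAC-style decision for a URL: 'DIRECT' for exceptions, otherwise the cloud proxy."""
    host = urlsplit(url).hostname or ""
    return "DIRECT" if is_unproxied(host) else CLOUD_PROXY
```

The suffix check is the part worth getting right when you add your own exceptions: a wildcard entry must only ever match on a label boundary, otherwise an unrelated domain that merely ends in the same characters would be sent direct and escape cloud analysis.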

Configuring NTLM pass through



To chain your ISA/TMG server with the cloud proxy and perform NTLM
identification:
1. Follow the steps in Basic chaining, page 52.
2. Log on to the Cloud TRITON Manager.
3. Select Web > Policy Management > Policies > policy name > Access Control.
4. Select Authenticate users on first access, then select NTLM transparent
identification where possible. For more information, see NTLM identification in
the Cloud Security Help.
5. Click Save.

Configuring X-Authenticated-User chaining



You can pass authentication details from your ISA/TMG server to the cloud proxy via
a plug-in from Forcepoint LLC. This plug-in allows the cloud proxy to read the
X-Forwarded-For and X-Authenticated-User headers sent by the downstream ISA/
TMG server as part of a proxy chained configuration.

X-Forwarded-For        Contains the client IP address
X-Authenticated-User   When ISA authentication is turned on, this header
                       will be populated with the user domain and username
                       (domain\user).

With this setup, end users can be authenticated transparently by the cloud proxy,
removing an authentication step and improving performance.
Two versions of the plug-in are available, for 32-bit ISA servers and 64-bit TMG
servers. Zip files for both versions are available for download:
1. Log on to your Forcepoint website account.
2. Select the Downloads tab.
3. Select TRITON AP-WEB from the Product drop-down list.
4. In the list that appears, expand TMG 64-bit plugin for Websense Content
Gateway or ISA 32-bit plugin for Websense Content Gateway to see the
download details. You will need to scroll down to older product versions to see the
ISA 32-bit plug-in. Click the download link to start the download.
Install the plug-in as follows:
1. Copy the appropriate Websense-AuthForward.dll file (for 32-bit or 64-bit) to
the Microsoft ISA/TMG installation directory. The default directory for this file is
C:\Program Files\Microsoft ISA Server for ISA server, or C:\Program
Files\Microsoft Forefront Threat Management Gateway for Forefront TMG.
For the 32-bit version, install the following files in the installation directory in
addition to Websense-AuthForward.dll:
msvcp100.dll
msvcr100.dll
2. Open a Windows command prompt and change directory to the installation
directory.
3. From the command prompt, type
regsvr32 Websense-AuthForward.dll

4. Verify the plug-in was registered in the ISA/TMG management user interface
(Start > Programs > Microsoft ISA Server > ISA Server Management, or
Start > Programs > Microsoft Forefront TMG > Microsoft Forefront TMG
Management). In the Configuration (for 32-bit) or System (for 64-bit) section,
select Add-ins, then click the Web-filter tab. The WsAuthForward plug-in should
be listed.

To uninstall the plug-in, run the following command in a Windows command prompt
from the ISA/TMG installation directory.
regsvr32 /u Websense-AuthForward.dll


Blue Coat ProxySG



Blue Coat ProxySG can be deployed as a downstream proxy with TRITON AP-WEB.
You can configure proxy chaining in the following ways:

Basic chaining. The Blue Coat server does not perform any authentication before
forwarding requests to the cloud proxy. The cloud proxy can perform manual
authentication only.

NTLM pass-through. The Blue Coat server takes no part in authentication,
forwarding requests to the cloud proxy which then performs NTLM identification.

X-Authenticated-User. The Blue Coat server performs user authentication and
forwards requests to the cloud proxy using the X-Authenticated-User header.

Basic chaining

In this case, Blue Coat ProxySG forwards requests to the cloud proxy but performs no
authentication. End users can be authenticated using manual authentication only:
prompting users for a user name and password the first time they access the Internet
through a browser.
Use the Blue Coat Management Console to forward requests to the cloud proxy as
follows:
1. In the Blue Coat Management Console Configuration tab, select Forwarding >
Forwarding Hosts.
2. Select Install from Text Editor from the drop-down, and then click Install.
3. Update the Forwarding Hosts configuration file to point an alias name to
webdefence.global.blackspider.com, port 8081. For example, if you choose the
alias name Forcepoint_Proxy, enter the following at the end of the Forwarding
host configuration section:
fwd_host Forcepoint_Proxy webdefence.global.blackspider.com
http=8081

4. Add the following to the end of the Default fail-over sequence section:
sequence alias name

replacing alias name with the alias name that you chose in step 3.
5. When you have finished editing, click Install.
6. In the Blue Coat Management Console Configuration tab, click Policy and select
Visual Policy Manager. Click Launch.
7. In the Policy menu, select Add Forwarding Layer and enter an appropriate
policy name in the Add New Layer dialog box.
8. Select the Forwarding Layer tab that is created. The Source, Destination, and
Service column entries should be Any (the default).


9. Right-click the area in the Action column, and select Set.


10. Select the alias name that you created (for example, Forcepoint_Proxy) from the
list, and click OK.
11. Right-click the alias name in the Action column and select Edit.
12. Choose the forwarding behavior if your Blue Coat proxy cannot contact the cloud
proxy: either to connect directly, or to refuse the browser request.
13. Click OK.
14. Click Install Policy in the Blue Coat Visual Policy Manager.

NTLM chaining

To chain Blue Coat ProxySG with the cloud proxy and perform NTLM identification:
1. Follow the steps in Basic chaining, page 59.
2. Log on to the Cloud TRITON Manager.
3. Select Web > Policy Management > Policies > policy name > Access Control.
4. Select Always authenticate users on first access, then select NTLM
transparent identification where possible. For more information, see NTLM
identification in the Cloud TRITON Manager Help.
5. Click Save.

X-Authenticated-User chaining

You can configure your Blue Coat proxy to send X-Forwarded-For and
X-Authenticated-User headers to the cloud proxy, either by manually editing a policy
text file or by defining the policy in Blue Coat Visual Policy Manager.

X-Forwarded-For        Contains the client IP address
X-Authenticated-User   When Blue Coat authentication is turned on, this header
                       will be populated with the user domain and username
                       (domain\user).

With this setup, end users can be authenticated transparently by the cloud proxy,
removing an authentication step and improving performance.
Note that for Blue Coat to service HTTPS requests properly with the following setup,
you must have a Blue Coat SSL license and hardware card.

Editing the local policy file

In the Blue Coat Management Console Configuration tab, click Policy in the left
column and select Policy Files. Enter the following code in the current policy text file,
using an Install Policy option:

<Proxy>
action.Add[header name for authenticated user](yes)
define action Add[header name for authenticated user]
set(request.x_header.X-Authenticated-User, "WinNT://$(user.domain)/$(user.name)")
end action Add[header name for authenticated user]
action.Add[header name for client IP](yes)
define action Add[header name for client IP]
set(request.x_header.X-Forwarded-For, $(x-client-address))
end action Add[header name for client IP]

Replace each bracketed phrase (brackets included) with an action name of your choice,
using the same name in all three lines of each block.

Using the Blue Coat graphical Visual Policy Manager

Before you configure the Blue Coat header policy, ensure that NTLM authentication is
specified in the Blue Coat Visual Policy Manager (Authentication > Windows SSO).
Set TRITON AP-WEB as the forwarding host (in the Blue Coat Management Console
Configuration tab, Forwarding > Forwarding Hosts). The address of the TRITON
AP-WEB service is webdefence.global.blackspider.com, port 8081.
In the Blue Coat Management Console Configuration tab, click Policy and select
Visual Policy Manager. Click Launch and configure the header policy as follows:
1. In the Policy menu, select Add Web Access Layer and enter an appropriate
policy name in the Add New Layer dialog box.
2. Select the Web Access Layer tab that is created.
3. The Source, Destination, Service, and Time column entries should be Any (the
default).
4. Right-click the area in the Action column, and select Set.
5. Click New in the Set Action Object dialog box and select Control Request
Header from the menu.
6. In the Add Control Request Header Object dialog box, enter a name for the client
IP Action object in the Name entry field.
7. Enter X-Forwarded-For in the Header Name entry field.
8. Select the Set value radio button and enter the following value:
$(x-client-address)

9. Click OK.
10. Click New and select Control Request Header again.
11. In the Add Control Request Header Object dialog box, enter a name for the
authenticated user information Action object in the Name entry field.
12. Enter X-Authenticated-User in the Header Name entry field.
13. Select the Set value radio button and enter the following value:

WinNT://$(user.domain)/$(user.name)

14. Click OK.
15. Click New and select Combined Action Object from the menu.
16. In the Add Combined Action Object dialog box, enter a name for a proxy chain
header in the Name entry field.
17. In the left pane, select the previously created control request headers and click
Add.
18. Select the combined action item in the Set Action Object dialog box and click
OK.
19. Click Install Policy in the Blue Coat Visual Policy Manager.

Squid Proxy

TRITON AP-WEB supports the configuration of a chained Squid open source
downstream proxy in the following cases:

• Basic chaining

• For policies where NTLM is enabled and end users are asked to authenticate for
TRITON AP-WEB

The Squid proxy must be version 3.1.5 or later.

Basic chaining

In this case, Squid forwards requests to the cloud proxy but performs no
authentication. End users can be authenticated using manual authentication only:
prompting users for a user name and password the first time they access the Internet
through a browser.
Configure Squid to forward requests to the cloud proxy as follows:
1. Define one or more ACLs to identify sites that should not be filtered through
TRITON AP-WEB. These must include certain service-specific sites, and should
include any other sites that are not normally handled through the cloud service.
You can identify these sites by examining the service-generated PAC file available
at http://pac.webdefence.global.blackspider.com:8082/proxy.pac.
You should also configure direct access to the Cloud TRITON Manager to allow
the following:

• Correct display of block pages

• End-user self-registration

If you are using the roaming user home page
(http://home.webdefence.global.blackspider.com/), that should also be configured
as an ACL.
The following sites must be included in the ACLs:
acl WBSN dstdomain .mailcontrol.com
acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
2. Force all other sites to use the cloud proxy as follows:
never_direct allow all

3. Tell Squid the location of the upstream cloud proxy:
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest

NTLM chaining

The Squid proxy performs local NTLM identification, then forwards the appropriate
Proxy-Authorization headers as an NTLM Type 3 message to the cloud proxy for
further transparent user authentication. Squid can maintain multiple connections to the
cloud proxy, allowing connections to be shared across users while ensuring that each
request is associated with the correct user: a new Proxy-Authorization header is sent
for a user only when Squid reassigns a connection to that user.
To use this setup, configure Squid to do the following:
1. Perform NTLM authentication.
2. Forward requests to the cloud proxy.
3. Forward user information to the cloud proxy.

Configuring Squid for NTLM authentication

To configure Squid to perform NTLM authentication of users, refer to the Squid
documentation:
http://wiki.squid-cache.org/ConfigExamples/Authenticate/Ntlm

Forwarding requests to the cloud proxy

To configure Squid to forward requests to the cloud proxy:
1. Define one or more ACLs to identify sites that should not be filtered through
TRITON AP-WEB. These must include certain service-specific sites, and should
include any other sites that are not normally handled through the cloud service.
You can identify these sites by examining the service-generated PAC file available
at http://pac.webdefence.global.blackspider.com:8082/proxy.pac.
The following sites must be included in the ACLs:
acl WBSN dstdomain .mailcontrol.com
acl WBSN dstdomain www.blackspider.com
acl WBSN dstdomain webdefence.global.blackspider.com
always_direct allow WBSN
2. Force all other sites to use the cloud proxy as follows:
never_direct allow all

3. Tell Squid the location of the upstream cloud proxy:
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest

Forwarding user information to the cloud proxy

To configure Squid to forward user information, add the option login=PASS to the
cache_peer line:
cache_peer webdefence.global.blackspider.com parent 8081 0 no-query default no-digest login=PASS
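As an added example that is not part of the Forcepoint guide, the following shell script
generates the squid.conf fragment from steps 1 to 3 of Basic chaining and, with the
login=PASS option, the NTLM chaining variant. The PAC text embedded in it is a
constructed sample in the common dnsDomainIs()/shExpMatch() style, standing in for
the real file at http://pac.webdefence.global.blackspider.com:8082/proxy.pac, whose
layout the guide does not show; the parsing rule, the function names and SAMPLE_PAC
are this example's own assumptions. The three service-specific hosts and the cache_peer
options are taken from the guide.

```shell
#!/bin/sh
# Added example, not from the Forcepoint guide: build the Squid chaining
# fragment for the cloud-proxy parent.  The PAC text below is a constructed
# sample in the common dnsDomainIs()/shExpMatch() style; inspect the real
# service PAC before trusting any ACL derived from it.

CLOUD_PROXY=webdefence.global.blackspider.com   # cloud proxy host (from the guide)
CLOUD_PORT=8081                                 # cloud proxy port (from the guide)

# Constructed stand-in for the service-generated proxy.pac.
SAMPLE_PAC='function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".mailcontrol.com") ||
      shExpMatch(host, "www.blackspider.com") ||
      shExpMatch(host, "*.intranet.example") ||
      isPlainHostName(host))
    return "DIRECT";
  return "PROXY webdefence.global.blackspider.com:8081";
}'

# Print, one per line, the host patterns the PAC sends DIRECT, converted to
# Squid dstdomain form: a leading "*." becomes "." so the ACL covers the
# domain and all of its subdomains.  (Assumed PAC style; adjust if the real
# file uses other helper functions.)
pac_direct_domains() {
  printf '%s\n' "$1" \
    | grep -oE '(dnsDomainIs|shExpMatch)\(host, *"[^"]+"' \
    | sed -E 's/.*"([^"]+)"$/\1/; s/^\*\./\./' \
    | sort -u
}

# Print a squid.conf fragment.  MODE is "basic" (Squid authenticates nobody;
# the cloud proxy prompts users itself) or "ntlm" (Squid authenticates locally
# and passes the Proxy-Authorization header upstream with login=PASS).
squid_chain_conf() {
  mode=$1
  pac=$2
  case $mode in
    basic) login= ;;
    ntlm)  login=' login=PASS' ;;
    *) echo "usage: squid_chain_conf basic|ntlm PAC_TEXT" >&2; return 1 ;;
  esac

  # Hosts that must bypass the cloud proxy: the service-specific sites the
  # guide lists, plus whatever the PAC itself sends DIRECT.
  {
    printf '%s\n' .mailcontrol.com www.blackspider.com "$CLOUD_PROXY"
    pac_direct_domains "$pac"
  } | sort -u | while IFS= read -r dom; do
    printf 'acl WBSN dstdomain %s\n' "$dom"
  done
  echo 'always_direct allow WBSN'
  echo 'never_direct allow all'
  printf 'cache_peer %s parent %s 0 no-query default no-digest%s\n' \
    "$CLOUD_PROXY" "$CLOUD_PORT" "$login"
}

# Stand-alone run: emit the NTLM-chaining variant for the sample PAC.
squid_chain_conf ntlm "$SAMPLE_PAC"
```

Paste the output into squid.conf and reload Squid (squid -k reconfigure). In access.log,
the hierarchy field should then read DIRECT for the WBSN domains and name the cloud
proxy as the parent for everything else; if a block page or the self-registration page
fails to render, the host serving it is missing from the WBSN ACL.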


Adding IP Addresses to Your Policy

Note
This chapter is not applicable if you are deploying
TRITON AP-WEB with an i-Series appliance.
When a TRITON AP-WEB proxy receives a request, its first task is to identify the
correct policy to use. First, it checks the IP address that is the source of the request.
Typically, this is the external IP address of your firewall. If this IP address matches a
proxied connections setting in a policy, then that policy is used. Alternatively, if you
have deployed Web Endpoint, the endpoint passes authentication details to the cloud
proxies, enabling the cloud service to associate the correct policy with the user.
Otherwise, the user is invited to log onto the TRITON AP-WEB service (with an email
address that is used as a unique logon name), and the user's email address is used to
find the correct policy.

Initial settings

In the Cloud TRITON Manager, under Web, there is a single policy called DEFAULT.
Initially, this policy has no proxied connections. It is possible to use TRITON AP-WEB
like this, but it may be inconvenient because users always have to authenticate and
you have to manually invite each user to register on the service.

Policy selection by IP address

There are two reasons for allowing policy selection by IP address:

• To allow users to use the service anonymously: they don't have to authenticate.

• To provide different policies for parts of your organization, each being
distinguished by different IP addresses. This is typically used by remote offices
with their own Internet gateway and can be used, for example, to delegate user
administration and reporting to local support personnel.
To add IP addresses to your policy:
1. Log on to the Cloud TRITON Manager.
2. Go to Web > Policy Management > Policies.
3. Select the DEFAULT policy.
4. Select the Connections tab.
5. Click Add under Proxied Connections.
6. Enter a Name and Description for the connection.
7. Select the connection type. A proxied connection can be an IP address, an IP
range, or an IP subnet.
8. Enter the IP address, range, or subnet details.
9. Define the connection's time zone.
Each proxied connection has a time zone setting. If you have a single policy for
multiple Internet gateways in different countries, you may want to set each to a
different time zone. If all connections are in the same time zone, it is easier to set
the time zone for the whole policy on the General tab and leave the connection
setting as use policy time zone.
10. Click Submit.


Setting Up End-User Authentication

The TRITON AP-WEB service works out of the box for many organizations. A
single policy applied to an organization's web traffic provides protection from
malware and inappropriate content. Most companies, however, want to tailor the
service to align it with their Internet usage policy, which may require granular
configuration on a per-user and per-group basis. Companies also usually want to
report on the surfing habits of their employees, which requires users to identify
themselves.
Authentication and identification options are set up on the Access Control tab within a
policy, meaning that you can specify different authentication methods for different end
users. Log on to the cloud portal, go to Web > Policy Management > Policies, click
your policy name, then select Access Control.
TRITON AP-WEB offers the following options for user identification and
authentication:

• Installing TRITON AP-ENDPOINT Web on end users' machines ensures that
those users are both authenticated and always filtered by TRITON AP-WEB. See
Setting up TRITON AP-ENDPOINT Web, page 67.

• If you have an on-network identity provider, you can use this to provide secure
clientless authentication to TRITON AP-WEB. See the Cloud TRITON Manager
Help for details.

• You can register your end users with TRITON AP-WEB to enable NTLM
identification, secure form-based authentication, or manual authentication.
Alternatively, you can request users to self-register, or identify themselves for
NTLM. See End-user registration, page 85.

Setting up TRITON AP-ENDPOINT Web

TRITON AP-ENDPOINT Web is designed to provide a seamless experience to end
users for authenticating and directing traffic to the TRITON AP-WEB infrastructure.
Administrators can create policies that provide full visibility into inbound and
outbound traffic, but that don't restrict use of the device.


The endpoint appends two additional headers to each HTTP request. One header
tells TRITON AP-WEB which version of the endpoint is installed; the other is an
encrypted token which identifies the end user. This enables TRITON AP-WEB to
apply the appropriate policy for that user and correctly log reporting data. These
headers do not carry domain passwords or other credentials, so using the endpoint
does not expose them. The headers are stripped from the requests by the TRITON
AP-WEB proxy.
The endpoint has been designed to consume minimal CPU, memory, and disk
resources. It can be deployed on Windows and Mac operating systems (excludes iOS
devices, such as iPhones, iPods, or iPads).
To enable the use of the endpoint for some or all of your end users, you must deploy it
to those users.
You can deploy TRITON AP-ENDPOINT Web in the following ways:

Windows operating system users

• Download the endpoint installation file for Windows and push it manually to
selected client machines using your preferred distribution method. For example,
you might deploy it using Microsoft Group Policy Object (GPO). Alternatively
you can send users a URL from which they can download and install the endpoint
themselves.

• Deploy the endpoint to the end users in a Web policy directly from the cloud. Each
user will be asked to install the endpoint software on their machine when they start a
browsing session.

Mac operating system users

• Download the endpoint installation package for Mac on individual client
machines and launch the installer by double-clicking the package.

• Remotely install the endpoint using Apple Remote Desktop software, which
distributes the installation package to a group of machines and performs the
installation on that group.

If a user does not install the endpoint, he or she is authenticated according to the
options you have selected on the Access Control tab for their policy. Single sign-on is
used if configured; otherwise the cloud service falls back to NTLM identification or
basic authentication. The user is again asked to install the endpoint next time they start
a browsing session.
The endpoint has a number of key protections against tampering, which should
prevent the majority of end users from uninstalling or deleting the endpoint even if
they have local administrator rights:
Windows and Mac operating systems

• Endpoint files and folders are protected from deletion and cannot be modified,
moved, or renamed.

• The endpoint process will automatically restart if it is stopped or killed.

• A password is required to uninstall the endpoint or stop the endpoint service.


Windows operating systems only

• Endpoint registry settings cannot be modified or deleted.

• The Service Control command to delete the endpoint service is blocked.

Endpoint system requirements

Windows operating systems

TRITON AP-ENDPOINT Web is supported on the following 32-bit and 64-bit
operating systems:

• Windows XP with Service Pack 2 or higher
• Windows Vista with Service Pack 1 or higher
• Windows 7
• Windows 8 and 8.1

The following Web browsers fully support the endpoint for Windows operating
system users:

• Internet Explorer 7 to 11
• Firefox 3.x to 38
• Chrome 15 to 43
• Opera 11 to 30

The endpoint can be installed either by GPO or directly from the cloud service. Once
installed on these browsers, the endpoint provides user authentication, enforces
filtering via TRITON AP-WEB, and is able to manipulate proxy settings in real time,
for example to temporarily disable itself at public Internet access points to allow a
roaming user to complete the billing requirements. Updates directly from the cloud
service are also supported.
Full support means that the browser supports all installation methods, and both Web
analysis and filtering and proxy manipulation.
If your end users have browsers other than those listed above, you can download the
endpoint installer and deploy it to those users. Once installed, the endpoint provides
user authentication and enforces filtering via TRITON AP-WEB, but cannot perform
proxy manipulation and cannot be updated directly from the cloud service.
The Windows installer is less than 5MB in size, and requires less than 10MB of hard
disk space and less than 6MB of memory.
Mac operating systems

TRITON AP-ENDPOINT Web is supported on the following 64-bit operating
systems:

• Mac OS X v10.7
• Mac OS X v10.8
• Mac OS X v10.9
• Mac OS X v10.10

The following browsers fully support the endpoint on the Mac:

• Safari 5.x to 7.x
• Firefox 3.x to 38
• Chrome 15 to 43
• Opera 11 to 30

If your end users have browsers other than those listed above, you can download the
endpoint installer and deploy it to those users. Once installed, the endpoint provides
user authentication and enforces filtering via TRITON AP-WEB. Proxy manipulation
is supported.
For Mac end users, no option exists to auto-update the endpoint. You must uninstall
the endpoint first.
The installer for the Mac is less than 2MB in size and requires less than 10MB in hard
disk space.

Downloading and distributing the endpoint

Download the latest version of the endpoint from the Web > Settings > Endpoint
page in the Cloud TRITON Manager. If you are using a Windows operating system,
the endpoint is available in separate installation packages for 32-bit and 64-bit
operating systems.
The endpoint for the Mac consists of only one installation package for both 32-bit and
64-bit operating systems. Note that you do not need to reinstall Web Endpoint for the
Mac if you switch between these systems.
Before you can download the installation file or enable deployment from the cloud
service, you must define an anti-tampering password to be used to stop the endpoint
service or uninstall the endpoint. The password is automatically linked to any
deployments of the endpoint, including Web deployments. To set the password, do the
following:
1. Under Set Anti-Tampering Password, click Set Password.
2. Enter and confirm your anti-tampering password, then click Submit.
Important
For security reasons, TRITON AP-WEB does not retain a
copy of your anti-tampering password. If you forget your
password, you can reset it in the Cloud TRITON Manager
by entering and confirming a new password. All installed
endpoints will be updated to use the new password next
time they connect to the Internet.


For Windows operating system users, note the script command displayed on screen
and use it to configure your GPO deployment script or manual installation. This
command is in the format:
WSCONTEXT=xxxx

where xxxx is a unique code for your account.
The command is required during installation to associate the endpoint with your
customer account and enable your end users to log on transparently.

For Windows operating system users

Distributing the endpoint via GPO

Follow the steps below to deploy endpoint clients through an Active Directory group
policy object (GPO). You need to write different installation scripts for a 32-bit versus
a 64-bit operating system. Check in your script to see if the endpoint is installed,
because your script should only install the endpoint if it is not already installed.
1. Unzip the downloaded endpoint file to a location of your choice.
2. Create a shared folder (create a folder and turn on sharing in the Properties menu).
3. Create a batch file (.bat) in the shared folder, for example installmsi.bat. This
can be done in any text editor.
Type the following msiexec command into the batch file and save it.
msiexec /package "\\path\Websense Endpoint.msi" /quiet /norestart WSCONTEXT=xxxx

Where:

• path is the path to the unzipped installer

• WSCONTEXT=xxxx is the script command noted from the Endpoint page in the
Cloud TRITON Manager

4. Test your batch file manually to make sure it runs on other workstations. You can
do this by opening the server path to the file on a workstation and attempting to
run the file. If the file does not run, check your permissions.
5. Open the Group Policy Management Console (GPMC).
6. Create a new (or open an existing) GPO on the organization unit (OU) in which
your computer accounts reside. To create a new GPO:
a. In the console tree, right-click Group Policy Objects in the forest and
domain in which you want to create a Group Policy object (GPO).
b. Click New.
c. In the New GPO dialog box, specify a name for the new GPO, and then click
OK.
7. Open Computer Configuration > Windows Settings > Scripts, and double-click
Startup in the right pane of the screen.
8. Click Add.


9. In the Script Name field type the full network path and filename of the script
batch file you created in step 3.
10. Click OK.
11. Close the GPMC.
12. Run the gpupdate /force command at the command prompt to refresh the group
policy.
The application should be installed on startup. The client may not be fully functional
until a reboot occurs.

Installing the endpoint on a single machine

Follow the steps below to deploy an endpoint client on a single machine. Note that
you must have administrator rights on the machine.
1. Unzip the downloaded endpoint file to a location on the machine.
2. Open a command-line window, and navigate to the location of the unzipped
endpoint files.
3. Enter the following command:
msiexec /package "Websense Endpoint.msi" /norestart WSCONTEXT=xxxx

Where WSCONTEXT=xxxx is the script command noted from the Endpoint
Download screen in the Cloud TRITON Manager.
4. Use the Windows Services tool to confirm the endpoint is installed and running.
Check that Websense SaaS Service is present in the Services list, and is started.

Uninstalling the endpoint from Windows

You can uninstall the endpoint by doing the following:
1. Go to Control Panel > Programs and Features, and select Websense Endpoint.
2. Click Uninstall.
3. Click Yes to continue. Then enter the endpoint anti-tampering password that you
set in the Cloud TRITON Manager.
4. Click OK to begin uninstalling the endpoint.
5. You will receive a confirmation message if the endpoint was successfully
uninstalled.
You can also uninstall the endpoint through the command line by running this
command:
msiexec /uninstall "<path>\Websense Endpoint.msi" /qb /promptrestart XPSWD=xxxx

where <path> is the path to your endpoint package, and xxxx is the anti-tampering
password you set in the Cloud TRITON Manager.
Important
If you uninstall the endpoint, be sure to restart your
operating system or your web browsing experience may be
affected.
To stop the endpoint, navigate to the endpoint installation folder and run this
command:
wepsvc -stop -password <password> wspxy

replacing <password> with the anti-tampering password.

For Mac operating system users

To deploy the endpoint manually on a single machine, follow these steps:
1. Under Mac Endpoint Client, click on the version number to download the
endpoint zip file.
2. When you download the endpoint, it should include the endpoint.pkg file along
with a file called HWSConfig.xml, which is specific to your account. This file
needs to be in the same directory as the .pkg file for the endpoint to successfully
install.
Note that if you wish to use the endpoint over port 80 for proxying and PAC file
retrieval, you need to do the following before installing the endpoint:

• Ask your endpoint support representative to add the Send HWS endpoint to
port 80 template to your account. You can add this template to specific
policies or globally.

• Change the HWSConfig line from the following:
<PACFile URL="http://webdefence.global.blackspider.com:8082/proxy.pac" />

To this:
<PACFile URL="http://pac.webdefence.global.blackspider.com/proxy.pac" />

By applying this template, you will also move to port 80 any endpoints that are
already installed.
3. Double-click the endpoint package to open an introductory screen for the installer.
Click Continue for step-by-step instructions on the installation process.
4. When you reach the Standard install on Macintosh HD screen, click Install to
begin the installation process.
You must install the endpoint on the local hard disk. You can change the
installation location on this screen by clicking Change Install Location.


5. Enter a user name and password for a user with administrator rights to install the
software.
If the installation process fails, check that the HWSConfig.xml file is present and
is in the correct format if you have edited it.
6. A confirmation screen informs you if the installation is successful. Click Close.
7. After installation, go to System Preferences > Other.
8. Click the icon for the endpoint program.
This brings you to a page where you can see available components for the version
you have installed. You can also do the following:

• Save Debug Logs to Desktop

• Uninstall Endpoint.

Save Debug Logs to Desktop allows your endpoint support team to quickly
access all troubleshooting logs in one place. Clicking it creates an archive file on
the Mac desktop beginning with ClientInfo*.zip. If you need to open a support
ticket about the endpoint, include this zip file with your request.
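As an added example that is not the guide's or Forcepoint's own code, the following
shell script performs the checks from step 2 above before the Mac installer is run: it
confirms that HWSConfig.xml sits in the same directory as endpoint.pkg and, for a
port-80 deployment, rewrites the PACFile URL to the form shown and verifies the result.
The HWSConfig.xml it creates is a constructed stand-in for the account-specific file
(only the PACFile element follows the guide); the function names, scratch directory and
.bak copy are this example's own assumptions. It does not replace asking support to
apply the Send HWS endpoint to port 80 template.

```shell
#!/bin/sh
# Added example, not from the Forcepoint guide: pre-install checks for the Mac
# endpoint package directory, plus the HWSConfig.xml edit for port-80 PAC
# retrieval.  The XML below is a constructed stand-in for the account-specific
# file; only the <PACFile URL="..."/> element follows the guide.

PAC_8082='http://webdefence.global.blackspider.com:8082/proxy.pac'   # default URL (from the guide)
PAC_80='http://pac.webdefence.global.blackspider.com/proxy.pac'      # port-80 URL (from the guide)

SAMPLE_HWSCONFIG='<?xml version="1.0" encoding="UTF-8"?>
<HWSConfig>
  <PACFile URL="http://webdefence.global.blackspider.com:8082/proxy.pac" />
</HWSConfig>'

# Create a scratch directory holding a placeholder endpoint.pkg and the
# constructed HWSConfig.xml, so the example runs without the real download.
make_sample_dir() {
  d=$(mktemp -d)
  : > "$d/endpoint.pkg"
  printf '%s\n' "$SAMPLE_HWSCONFIG" > "$d/HWSConfig.xml"
  printf '%s\n' "$d"
}

# Succeed only if DIR holds both files the installer needs side by side.
check_endpoint_dir() {
  for f in endpoint.pkg HWSConfig.xml; do
    if [ ! -f "$1/$f" ]; then
      echo "missing $1/$f: the installer needs HWSConfig.xml beside endpoint.pkg" >&2
      return 1
    fi
  done
}

# Print the PACFile URL currently configured in DIR/HWSConfig.xml.
pacfile_url() {
  sed -nE 's/.*<PACFile URL="([^"]+)".*/\1/p' "$1/HWSConfig.xml"
}

# Point DIR/HWSConfig.xml at the port-80 PAC host, keeping a .bak copy.
# Idempotent: a file already on the port-80 URL is left as it is.  Succeeds
# only if the file ends up with exactly the expected URL.
use_port80_pac() {
  dir=$1
  check_endpoint_dir "$dir" || return 1
  cp "$dir/HWSConfig.xml" "$dir/HWSConfig.xml.bak"
  sed "s#$PAC_8082#$PAC_80#" "$dir/HWSConfig.xml" > "$dir/HWSConfig.xml.new" \
    && mv "$dir/HWSConfig.xml.new" "$dir/HWSConfig.xml"
  [ "$(pacfile_url "$dir")" = "$PAC_80" ]
}

# Stand-alone run on the scratch directory.
demo=$(make_sample_dir)
echo "before: $(pacfile_url "$demo")"
use_port80_pac "$demo" && echo "after:  $(pacfile_url "$demo")"
rm -rf "$demo"
```

On a real machine, run check_endpoint_dir against the unzipped download directory and,
only if support has confirmed the port-80 template is on your account, use_port80_pac
before double-clicking endpoint.pkg; a failed install is the symptom the guide gives for
a missing or malformed HWSConfig.xml, so keep the .bak copy until the install succeeds.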

Identifying Mac end users of endpoint

When a Mac user is logged into an Active Directory-based domain, the endpoint
identifies users in the same way that it does for Windows operating system users. For
Mac users not logged into a domain, however, the endpoint formats the user details in
TRITON AP-WEB as mac.local.[local_username]@[local_address].
For example, if you are logged in as Joe Bloggs, it might appear as
mac.local.joebloggs@123-nosuchdomain.autoregistration.proxy.
To search for all locally logged-on Mac users, do the following:
1. Go to Account > End Users.
2. In the Name field, enter mac.local*
3. Click Search.
This brings up a list of all Mac users that are logged on locally.

Changing the policy of a Mac end user

To change the policy of a Mac user, do the following:
1. After searching for all locally logged-on users (see Identifying Mac end users of
endpoint, page 74), in the Please select an action drop-down menu, select
Change Web policy.
2. Choose the policy that you want to move the selected Mac user to.
3. Select each of the displayed Mac users you want to move and click the Go button.
The new policy is applied to these users.
Note that two Mac usernames will be common across all of your Mac users:
mac.local.root and mac.local._softwareupdate. These users receive software
updates from the Internet. It is best practice to limit access by these users to just a
few categories, such as Information Technology.


Uninstalling endpoint from the Mac

You can uninstall the endpoint by doing the following:
1. Go to System Preferences > Other, and click the icon for the endpoint software.
2. Click Uninstall Endpoint.
3. Enter the local administrator name and password.
4. Click OK. Then enter the endpoint anti-tampering password that you set in the
Cloud TRITON Manager.
5. Click OK to begin uninstalling the endpoint.
6. You will receive a confirmation message if the endpoint was successfully
uninstalled.
7. Click OK to finish the process.
You can also uninstall the endpoint through the command line:
1. After entering the Mac administrator password, run this command:
sudo wepsvc --uninstall

2. You will be asked for the service password, which is the default password unless
the password was changed in the Cloud TRITON Manager.
To stop the endpoint, do the following through the command line:
1. After entering the Mac administrator password, run this command:
sudo wepsvc --stop

2. You will be asked for the service password, which is the default password unless
the password was changed in the Cloud TRITON Manager.

Deploying the endpoint from the cloud service

You can deploy the endpoint on a per-policy basis to either the roaming users or all
users in a policy directly from the cloud service.
When you select this option, on the Endpoint tab of a policy in the Cloud TRITON
Manager, end users are prompted to install the endpoint next time they open a
browser. See Local users, page 76, and Roaming users, page 76. You can customize
the text on the first page of the installer to make it clear that the installation is
sanctioned by your organization.
The endpoint installer for Windows operating system users is available in English,
French, German, Italian, Spanish, Dutch, Simplified Chinese, and Japanese. The
language used for the installation is picked up from the browser settings.


Local users
For Windows operating system users, when the endpoint has been deployed to all
users in a policy, an end user opening Internet Explorer or Firefox sees an installation
prompt with the options Install Secure Browsing and Ask me next time.
If the user clicks Install Secure Browsing, they are redirected to an assistance page
that explains the installation process for their browser. They then click Continue with
the installation to install the endpoint.
If the user clicks Ask me next time, TRITON AP-WEB falls back to alternative
authentication or identification methods if enforced in the Access Control tab for the
user's policy. The endpoint installer will reappear next time the user opens a Web
browser.

Roaming users
For Windows operating system users, when the endpoint is deployed to roaming users,
the user must first authenticate using their basic authentication credentials, if they
have them. If they do not already have credentials, they must self-register with
TRITON AP-WEB (see End-user self registration, page 86).
Once they are registered and have logged in using basic authentication, the endpoint
installer starts and the process is the same as for local users. If the user clicks Ask me
next time, the user is presented with a manual authentication login page each time
they access the Internet as a roaming user, followed by the endpoint installation page.

Updating the endpoint

For Windows operating system users, the Endpoint tab in Web policies includes an
auto-update feature which can automatically deploy newer versions, without desktop
administrators getting involved. If you select this option, it applies to all users in the
policy who have installed the endpoint, regardless of whether it has been deployed via
GPO or directly from the policy, assuming their browser supports deployment from
the cloud service.
Mark Automatically update installations when a new version is released on the
Endpoint tab if you want to ensure that endpoints on your client machines have the
latest version when it is available.
The setting is disabled by default, as most organizations like to control the software on
the desktop themselves and test newer versions before deploying them. You may want
to enable the option once you have tested the new software so all users (including
roaming users) get the latest endpoint installed. Once they have all updated the
endpoint, you can then disable updates again.
Note that while an endpoint update is taking place (which can take several minutes),
end users will be unable to browse, but will be shown a web page stating that the
endpoint is updating. This page will continue to retry the requested web page every 10
seconds until the endpoint has finished updating, and will then display the requested
page correctly if the user is allowed to access this URL, or alternatively will display a
block page.

Mac operating system users


For Mac operating system users, the endpoint for the Mac can automatically deploy
newer versions to browsers without involvement from desktop administrators.

Using the endpoint with an appliance



If your endpoint end users sometimes browse from a location served by an i-Series
appliance, you may wish to either direct that traffic through the appliance when
appropriate, or have the appliance ignore endpoint-generated traffic. For more
information, see Using TRITON AP-ENDPOINT Web with an appliance, page 50.

Other end-user authentication options



End users can use the details entered during registration to authenticate with TRITON
AP-WEB when working remotely or, if forced authentication is configured within the
policy, whenever they access the Internet.
For secure form-based authentication, users are asked to authenticate the first time
they open a browser. Users who have authenticated once do not then have to
re-authenticate for subsequent web browsing sessions, for a period of time defined by
the Session Timeout option on the Access Control tab.


For basic authentication, users are asked to authenticate when opening a new browser
instance. Once authenticated, they are not asked to authenticate again as long as the
browser remains open.
Warning
If you want to protect remote users, instruct them to log onto the service using their
email address and the password with which they registered. NTLM transparent
identification is not used when the browser has connected from a remote location.

End-user identification

If the policy dictates that NTLM is to be used to identify users unless they are working
remotely, end users never have to log in, but their surfing habits can be monitored and
per-user configuration can be applied. In this case, the users are transparently
identified.
If you have an i-Series appliance deployment and have enabled transparent NTLM
authentication on the appliance's Authentication tab, see Enabling browsers for NTLM
transparent authentication.

Enabling browsers for NTLM transparent authentication



In an i-Series appliance deployment, NTLM transparent authentication is available for
your end users if:

• you have chosen to connect your appliance to a local Active Directory, or you
entered your NTLM domain on the Authentication tab when you added your
appliance to TRITON AP-WEB

• you select NTLM transparent identification where possible on the Access
Control tab in your TRITON AP-WEB policy.
Note
If validating against a local Active Directory for NTLM
authentication, an end user cannot use their email
address as their user name, and must use the
domain\username format (for example,
MYCOMPANY\jsmith).

You must also configure your end users' browsers to support this form of
authentication. In order for a browser to work with NTLM transparent authentication,
the machine on which the browser is hosted must be part of the domain.


This section describes how to configure supported browsers, either manually or via a
Group Policy.

Configuring Internet Explorer



Note
The settings in this section will also be applied to a Google
Chrome browser on the same machine.
To enable NTLM on a single Internet Explorer browser:
1. Go to Tools > Internet Options.
2. Select the Security tab.

3. Select Local Intranet, then click Sites to open the list of Trusted Sites for the
Intranet zone.
4. For Internet Explorer 8 and above, click Advanced on the window that appears.
5. Enter the IP address of the B1/B2 bridge interface on your appliance, then click
Add.
6. Clear the Require server verification box.
7. Click Close.
8. With Local Intranet still selected, click Custom level.
9. Scroll down to the User Authentication section, and ensure Automatic logon only
in Intranet zone is selected.
10. Click OK, and exit Internet Options.

Configuring NTLM via Group Policy



To create an NTLM transparent authentication policy using a Group Policy Object
(GPO):
1. Log on to your Active Directory domain controller (DC) using a domain admin
account.
2. Perform the steps listed in Configuring Internet Explorer to enable NTLM in the
Internet Explorer or Chrome browser on the DC.
3. Turn off Internet Explorer Enhanced Security Configuration as follows (these
steps apply to a Windows 2008 server):
a. Open Server Manager.
b. Scroll down to Security Information, and click Configure IE ESC.
c. Turn ESC Off for administrators and users, and close the window.

4. Open Group Policy Management.


5. Right click your domain name (or the OU that contains the end users who will
receive this policy), and click Create a GPO in this domain, and link it here.
6. Give your new policy a name, and click OK.
7. Right-click your newly-created policy, and select Edit.


8. Navigate to User Configuration > Policies > Windows Settings > Internet
Explorer Maintenance > Security > Security Zones and Content Ratings.
9. Select Import the current security zones and privacy settings.

10. You may receive a warning about Enhanced Security Configuration. This is why
the enhanced configuration was disabled in step 3, so that this policy will apply to
workstations without enhanced security turned on. Click Continue.
11. Turn on Enhanced Security Configuration again, and repeat steps 4-9 to create a
policy with ESC enabled. This ensures that workstations with either configuration
are supported.
12. Close all open windows.
The changes will take time to replicate through your Active Directory, depending on
your setup. This may be from 15 minutes to an hour; if you have a multi-site AD
setup, it may take a day or two.
You can then set up a login script that will install the policy when end users log on to
their workstations.
This method uses 2 files:

• login.bat
• ntlm.reg

The login.bat script contains two lines:

@echo off
regedit /s \\path\ntlm.reg

In the ntlm.reg script, replace <Box IP> with the IP address of your appliance:

Windows Registry Editor Version 5.00

; Maps the appliance IP to zone 1 (Local intranet), the zone in which automatic logon is allowed
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range5]
"*"=dword:00000001
":Range"="<Box IP>"

Configuring Firefox

Note
If you are configuring Firefox v38 or later on Linux, you
must perform step 6 in the procedure below to ensure the
browser falls back to NTLM v1. This is due to the Linux
version having issues with NTLM v2 that can cause
authentication failures.
To enable NTLM transparent authentication in Firefox:
1. Open Firefox, and type about:config in the address bar.
2. Click I'll be careful, I promise! to open the advanced configuration page.

3. Type ntlm in the Search field.
4. Select network.ntlm.send-lm-response and double-click it to toggle it to on.
5. Double-click network.automatic-ntlm-auth-trusted-uris. In the box that
appears, enter the IP address of the B1/B2 bridge interface on your appliance, and
click OK.
6. If you are configuring Firefox on a Linux machine, double-click
network.auth.force-generic-ntlm-v1.
The Status is changed to user set, and the Value is changed to true.

End-user registration

If you do not deploy Web Endpoint or single sign-on, the following options are
available for end-user registration, and subsequent authentication or identification:

• Directory synchronization
• End-user self registration
• Bulk registering end-users
• NTLM transparent identification registration
• Authentication priority and overrides

These options are also used as a fallback if either the endpoint or single sign-on fails.
Note that manual authentication is always used if none of the above methods is
available.

Directory synchronization

TRITON AP-WEB includes a directory synchronization feature for organizations with
an LDAP-compliant directory (such as Active Directory). If you have a directory like
this and you use the synchronization feature, you do not need to register end users.
When you synchronize your directory with the cloud service, users are automatically
registered.
If directory synchronization includes NTLM IDs, you can enable NTLM
identification on the Access Control tab; then your users can use the service
immediately after synchronization. This is the easiest way to get users going with the
service.
If you enable NTLM identification but for some reason do not synchronize NTLM
IDs from your directory, your users are required to self-register and then associate
their NTLM IDs with their user accounts on the service.
If you don't want to use NTLM identification, you can configure the service to send
invitations to all newly synchronized users. They can then complete the
self-registration process and log in using email address (or name) and password.
Through the directory synchronization feature, you have the option to notify new
users that they are protected by the cloud service when they surf the Web.


End-user self registration



One way to register users is to invite them to self-register. For those using secure
form-based or manual authentication, there are 3 steps for individual end-user self
registration:
1. You enter your email domains into the policy or account.
2. Users complete stage 1 registration (enter name and email address into a form).
3. Users complete stage 2 registration (create a password).
Users can access the stage 1 registration form at:
https://www.mailcontrol.com/enduser/reg/index.mhtml
or by clicking Register on the default pre-login welcome page or NTLM registration
page that is presented when they are forced to identify or authenticate themselves.
Once users have entered their name and email address into the form, they receive an
email from TRITON AP-WEB. This contains a link that, when clicked, takes them to
a page where they can complete registration stage 2 by creating a password.

Bulk registering end-users



Bulk end-user registration simplifies the self-registration process by reducing it from
2 steps to 1. Rather than end users visiting the portal and entering their name and
email address into a form, you upload all their names and addresses at once. End users
automatically receive email notification once the bulk upload is finished. They can
then click a link on the email they receive and create a password on the portal.

NTLM transparent identification registration



If you do not have an LDAP directory and your users are using NTLM transparent
identification, an additional one-time step is required.
The first time these users send a request to TRITON AP-WEB, an NTLM registration
form appears where they must enter their email address and password. TRITON
AP-WEB associates these user credentials with the NTLM credentials automatically
obtained from the browser. This association is saved and the user does not have to
complete this step again.
Note
If you are using directory synchronization and have
synchronized NTLM IDs, users are not prompted for this
information. Only NTLM users who self-registered, were
invited to register, or were bulk registered have to perform
this step.

Authentication priority and overrides



You can select multiple authentication options for your end users on the Access
Control tab of a policy. The options are prioritized as follows:

• TRITON AP-ENDPOINT Web is always used if installed on an end user's
machine.
• If the endpoint is not installed or fails, single sign-on is used if:
  - it has been deployed in your network, and
  - it has been selected on the Access Control tab for the end user's policy.
• If neither the endpoint nor single sign-on is available, the end user is authenticated
via either NTLM identification or basic authentication.
• Secure form-based authentication is used if:
  - it has been selected on the Access Control tab, and
  - the user agent or application requesting authentication supports form-based
  authentication via an HTML page.
  When this option is selected, applications that do not support form-based
  authentication use basic authentication.
• Basic authentication is always used if you have chosen to enforce end-user
authentication and none of the other options are either selected or available.

You can also enforce a specific authentication option for certain end users, overriding
the authentication settings in the policy, by deploying a PAC file URL in the following
format:
http://webdefence.global.blackspider.com:8082/proxy.pac?a=X

The a= parameter controls the authentication option, and X can be one of the
following:

Parameter   Description
a=n         NTLM identification or basic authentication is used, depending on the
            policy settings and the browser or application capability.
a=t         Authentication is performed using single sign-on. If the application or
            user agent cannot use single sign-on, NTLM identification or basic
            authentication is used. If a remote user cannot log on using single
            sign-on, they are given the option to try again or log on using other
            credentials.
a=f         Authentication is performed using secure form-based authentication.

We recommend that you deploy PAC files with the a= parameter if you want some of
your users in a policy to use single sign-on, and others to use secure form-based
authentication. This is because the two methods use different ports on the cloud
service (see Configuring your firewall, page 20).
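The priority list and the a= override table above, as an added Python model (not the service's own code): resolve() returns the method a given user ends up with. Placing NTLM ahead of form-based authentication follows the order of the list above, and letting a working endpoint take precedence over a PAC a= override is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse


@dataclass
class AccessControl:
    """Options selected on a policy's Access Control tab (constructed model)."""
    sso_deployed: bool = False    # single sign-on deployed in the network
    sso_selected: bool = False    # single sign-on selected in the policy
    ntlm_selected: bool = False   # "NTLM transparent identification where possible"
    form_selected: bool = False   # secure form-based authentication selected
    enforce_auth: bool = True     # end-user authentication is enforced


@dataclass
class Client:
    """What is known about the end user's machine and user agent."""
    endpoint_installed: bool = False
    endpoint_failed: bool = False      # endpoint present but not working
    remote: bool = False               # roaming: NTLM is not used from remote locations
    supports_sso: bool = True          # user agent can complete single sign-on
    supports_html_form: bool = True    # user agent can render a form-based login page
    pac_url: str | None = None         # PAC file URL deployed to this user, if any


def pac_override(pac_url: str | None) -> str | None:
    """Return the a= value ('n', 't' or 'f') carried by a PAC file URL, or None."""
    if not pac_url:
        return None
    value = parse_qs(urlparse(pac_url).query).get("a", [None])[0]
    if value is not None and value not in ("n", "t", "f"):
        raise ValueError(f"unsupported a= value: {value!r}")
    return value


def ntlm_or_basic(policy: AccessControl, client: Client) -> str:
    """NTLM transparent identification when selected and on-network, else basic."""
    if policy.ntlm_selected and not client.remote:
        return "ntlm"
    return "basic"


def resolve(policy: AccessControl, client: Client) -> str:
    """Pick the method that identifies or authenticates this user.

    Returns one of: endpoint, sso, ntlm, form, basic, none.
    Assumption: an installed, working endpoint wins even when a PAC a=
    override is deployed (the endpoint fetches its own PAC file); the a=
    table is applied next, then the priority list from the policy.
    """
    if client.endpoint_installed and not client.endpoint_failed:
        return "endpoint"

    override = pac_override(client.pac_url)
    if override == "t":
        return "sso" if client.supports_sso else ntlm_or_basic(policy, client)
    if override == "f":
        # Assumption: an agent that cannot render the form falls back to basic.
        return "form" if client.supports_html_form else "basic"
    if override == "n":
        return ntlm_or_basic(policy, client)

    if policy.sso_deployed and policy.sso_selected and client.supports_sso:
        return "sso"
    if policy.ntlm_selected and not client.remote:
        return "ntlm"
    if policy.form_selected:
        # applications that cannot use the HTML form get basic authentication
        return "form" if client.supports_html_form else "basic"
    return "basic" if policy.enforce_auth else "none"


if __name__ == "__main__":
    office = AccessControl(sso_deployed=True, sso_selected=True, ntlm_selected=True)
    print(resolve(office, Client(endpoint_installed=True)))           # endpoint
    print(resolve(office, Client(supports_sso=False)))                # ntlm
    print(resolve(office, Client(supports_sso=False, remote=True)))   # basic
```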

Working with Remote Users

TRITON AP-WEB can protect and monitor users even when they are not in their
normal office location, such as when they are traveling. This section describes how
TRITON AP-WEB handles users who are roaming from their network domains.
TRITON AP-WEB works on the basis of source IP. When the service receives a
request, for example www.google.com, TRITON AP-WEB checks the source IP
address of the request and searches all the customer policies to find the policy with
that source IP address. The source IP address is configured as a proxied connection on
a policy's Connections tab in the Cloud TRITON Manager.
If users are roaming, they are most likely either at home, an Internet cafe, a hotel, or
an airport. It is unlikely that the IP addresses of these places are configured in any of
your proxied connections. In this situation, the roaming user encounters one of the
following scenarios:

• If the user has a laptop with TRITON AP-ENDPOINT Web installed, the endpoint
forces a connection to TRITON AP-WEB to send authentication and get the PAC
file and policy settings appropriate for the user.
• If you have deployed single sign-on, the roaming user is authenticated seamlessly
as long as you have a suitable proxy on your network.
• If neither TRITON AP-ENDPOINT Web nor single sign-on is in use and the
service cannot find the source IP address in any of the customer policies, then
TRITON AP-WEB responds with a logon page stating, "You are connecting from
an unrecognized location." The user has to log on. When they do, TRITON
AP-WEB searches for them in the policies. When it finds the user, the service knows
who they are, which policy they are using, and how to filter the request (in other
words, whether to allow or block the request).
In order to log on, the user has to be registered. Roaming users must go through
the one-time registration process to be covered.

Some browsers exhibit inconsistent behavior in certain circumstances, such as when
used in public Internet access points in hotels and airports. If the browser is configured
to get the PAC file from the TRITON AP-WEB service, it is possible that it may not
be able to immediately do so. In such situations, some browsers fall back to direct
connections bypassing TRITON AP-WEB. This can occur in the following situations:
1. The web browser is launched and the laptop does not have Internet access because
it does not have IP connectivity, nor is it connected to another device, such as a
router, with IP connectivity. The browser cannot get the PAC file from the
TRITON AP-WEB service. This typically occurs in home office environments.
2. The laptop has full network connectivity but is unable to connect to the Internet
because it is located behind a firewall that is preventing this. This typically occurs
when the user is connected to a third party's network, either corporate or public.
These scenarios are expanded upon in the next sections.

How to determine whether a browser is using TRITON AP-WEB

A tool is available to help identify whether a browser has a proxied connection to
TRITON AP-WEB. Run the tool by clicking the Proxy query page link on the Web >
Settings > General page in the cloud portal.
The returned page looks like this if you are using the TRITON AP-WEB proxy:

If you are not using the TRITON AP-WEB proxy, it looks like this:

This proxy query page link has also been embedded in the TRITON AP-WEB remote
user home page: http://home.webdefence.global.blackspider.com/. This home page is
also used to help resolve other challenges associated with remote user connectivity. As
a best practice, make this the home page for all remote users.
You can customize the remote user home page if required. The URL for the resulting
account-specific page is available from your account in the Cloud TRITON Manager.
It looks like the figure above, but has an account-specific identifier appended to it.

Connecting from home

In some circumstances, home users might connect to a network, launch a browser, and
find that they are not using TRITON AP-WEB.
This can happen for two main reasons:

• The user launches the browser before the computer receives its IP configuration
information.
• The computer connects to a network that uses a router that does not have an IP
address assigned. This can occur with some Internet connections that use
dynamically assigned IP addresses such as some home broadband connections. If
the connection hasn't been used for some time, the router's lease for its IP address
may have expired.

In both of the above cases, the browser tries to get the PAC file and fails. If the
computer then gets its IP address immediately after the failure to get the PAC file, the
browser then accesses the Internet directly without retrying the PAC file.

Solutions
Deploy TRITON AP-ENDPOINT Web
Installing the endpoint, either for roaming users or all users, ensures all Web traffic is
routed via TRITON AP-WEB. In the above scenario, Internet access will be denied
until the endpoint can access TRITON AP-WEB to send user authentication and get
the PAC file and policy settings appropriate for the user.
For more information, see Setting up TRITON AP-ENDPOINT Web, page 67.
The benefit of this is that use of TRITON AP-WEB is enforced regardless of delays
with network connectivity.

Use a local copy of the PAC file

Download a copy of the PAC file, save it locally, and configure the browsers to use it.
This ensures that the browsers can always access it regardless of network connectivity.
The benefits of this solution are that the users' browsers are always able to access the
PAC file regardless of any delay in the laptop receiving IP configuration, and no user
intervention is required. The disadvantage is that you must download the PAC file to
the laptop every time an unproxied destination is added to your TRITON AP-WEB
policy. It is unlikely for this to occur often and you can automate distribution of the
PAC file.

Connecting from third-party corporate networks

When connecting from a third-party corporate network, users most likely are behind a
firewall that may restrict Internet connectivity.

Why this may occur:

• The laptop is connected to a network behind a firewall that does not allow
connectivity using port 8082, and the browser is unable to get the standard PAC
file from TRITON AP-WEB.
• The laptop is connected to a network behind a firewall that does not allow
connectivity using port 8081, and the browser is not able to communicate with the
proxy.

Solution
Use the PAC file available via port 80
If port 8082 is locked down, a URL is available that enables the remote user to access
the PAC file and cloud service over port 80. Remote users should also use the PAC file
address for port 80 if requesting access from a network that has port 8081 locked
down. Even if they can access the PAC file on port 8082, port 8081 is the standard
required port to be able to use TRITON AP-WEB filtering.
This URL is available on the Web > Settings > General page, and a policy-specific
version is displayed on the General tab of each policy.

Use the security solution on the corporate network

If port 8081 is locked down, it is likely that in this scenario, the organization to whose
network the laptop is connected has its own security policy in place and wishes the
user to be governed by it, requiring reconfiguration of the laptop. Alternatively, some
organizations have public networks that they provide for visitors.

Configuring Data Security

The Data Security feature in TRITON AP-WEB for the cloud provides visibility into
the loss of sensitive data and intellectual property via the web channel, and helps you
to assess your risk exposure to data loss via the web. This includes intellectual
property, data that is protected by national legislation or industry regulation, and data
suspected to be stolen by malware or malicious activities.
To get started, follow these steps:
1. Create content classifiers
This is helpful for monitoring intellectual property.
2. Configure Data Security policy settings
3. Configure reporting permissions (if you want to view Data Security reports)
In addition, you can do the following (optional):
1. Configure privacy settings
2. View the dashboard
3. View reports
4. View the audit trail

Create content classifiers



Content classifiers can be used to identify intellectual property and data types that are
not covered by the out-of-the-box Personally Identifiable Information (PII), Payment
Card Industry (PCI), and Protected Health Information (PHI) rules. For example, a
key phrase custom classifier can be created to identify a document classification
marker.
The content classifiers that you create can then be used on the Data Security tab of
your web policies.
If you are concerned only about regulatory compliance and data theft, you can skip
this step.


1. In the Cloud TRITON Manager, select Web > Policy Management > Content
Classifiers from the main toolbar.

2. Click Add and select the type of classifier you want to create:
• Key Phrase: a keyword or phrase that indicates sensitive or proprietary data
(such as product code names or patents).
• Regular Expression: a pattern used to describe a set of search criteria based
on syntax rules.
For example, the pattern a\d+ detects all strings that start with the letter a
and are followed by at least one digit, where \d represents any digit and +
represents at least one.
• Dictionary: a container for words and expressions relating to your business.
3. Complete the fields as described in the appropriate section, and then click Save.
• Define key phrase content classifiers, page 96
• Define regular expression content classifiers, page 95
• Define dictionary content classifiers, page 97
4. Repeat steps 2-3 until you've added all the classifiers you require.


Define regular expression content classifiers



Regular expression (regex) patterns can be detected within content, such as the pattern
of an internal account number or alphanumeric document code.
When extracted text from a transaction is scanned, the system searches for strings that
match regular expression patterns and may be indicative of confidential information.
To create a regular expression classifier:
1. Enter a unique Name for the pattern.
2. Enter a Description for the pattern.
3. Enter the Regular expression pattern (regex) that you want the system to search
for, using Perl syntax.
For syntax and examples, click Help > Explain This Page.
4. Use the Pattern Testing section of the page to test your regular expression.
Because regular expression patterns can be quite complex, it is important that
you test the pattern before saving it. If improperly written, a pattern can create
many false-positive incidents and slow down the system.
a. Create a .txt file (less than 1 MB) that contains values that match this regex
pattern. The file must be in plain text UTF-8 format.
b. Browse to the file and click Test to test the validity of your pattern syntax. If
the pattern you entered is invalid, you're given an opportunity to fix it. You
cannot proceed until the test succeeds.
You can have up to 100 regular expression classifiers.


Define key phrase content classifiers



The presence of a keyword or phrase (such as "Top Secret" or "Project X") in a web
post may indicate that classified information is being exposed. You can learn about
activity like this by defining a key phrase classifier.
To create a key phrase classifier:
1. Enter a unique Name for the key phrase classifier.
2. Enter a Description for the key phrase.
3. Enter the key word or phrase that might indicate classified information, up to 255
characters. Key phrases are case-insensitive.
Leading and trailing white spaces are ignored. If you need to use slashes, tabs,
hyphens, underscores, or carriage returns, define a regular expression classifier
rather than a key word classifier.
Key phrases also identify partial matches. For example, the key phrase "uri" reports a
match for "security". Note that wildcards are not supported for key phrases.
You can have up to 100 key phrase classifiers.


Define dictionary content classifiers


A dictionary is a container for words and expressions pertaining to your business.

To create a dictionary classifier:
1. Enter a unique Name for the dictionary classifier.
2. Enter a Description for the dictionary.
3. Dictionaries can have up to 100 phrases. To add content to the dictionary, click
Add under Dictionary content.

4. Complete the fields on the resulting dialog box as follows:
a. Phrase: Enter a word or phrase to include. This phrase, when found in the
content, affects whether the content is considered suspicious.
b. Weight: Select a weight, from -999 to 999 (excluding 0). When matched with
a threshold, weight defines how many instances of a phrase can be present, in
relation to other phrases, before triggering a policy.
5. If you have many phrases to include, create a text file listing the phrases, then
click Import and navigate to the text file.
6. Mark The phrases in this dictionary are case-sensitive if you want the phrases
that you entered to be added to the dictionary with the same case you applied.
You can have up to 100 dictionary classifiers. Each is limited to 100 phrases.
For examples and restrictions, click Help > Explain This Page.
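As an added example (not from the guide or the product), a Python model of the three classifier types described in the regular expression, key phrase and dictionary sections above, run over a constructed sample post with the guide's own a\d+ pattern. Assumptions: Python's re module stands in for the service's Perl-syntax engine, a dictionary triggers when the summed weights of its matched phrases reach a threshold, and the ACME document-code format is made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample "web post", standing in for the text extracted from a
# transaction that the cloud service scans.
SAMPLE_POST = (
    "Draft for the Project X launch. Internal docs ACME-2024-00731 and "
    "ACME-2024-00992 attached; marked TOP SECRET. Security review pending. a1 a22 abc"
)


@dataclass
class KeyPhraseClassifier:
    """Key phrase rules from the guide: case-insensitive, leading/trailing white
    space ignored, partial (substring) matches count, no wildcards, max 255 chars."""
    name: str
    phrase: str

    def count(self, text: str) -> int:
        needle = self.phrase.strip().lower()
        if not 1 <= len(needle) <= 255:
            raise ValueError("key phrase must be 1 to 255 characters")
        return text.lower().count(needle)


@dataclass
class RegexClassifier:
    """Regex pattern; re stands in for Perl syntax (assumption: same behaviour here)."""
    name: str
    pattern: str

    def __post_init__(self) -> None:
        self._re = re.compile(self.pattern)  # re.error: invalid syntax, fix before saving

    def find(self, text: str) -> list[str]:
        return self._re.findall(text)

    def pattern_test(self, sample_lines: list[str]) -> tuple[int, int]:
        """Like the Pattern Testing step: (lines matched, lines missed) for a sample
        file that should contain only values the pattern is meant to catch."""
        hits = sum(1 for line in sample_lines if self._re.search(line))
        return hits, len(sample_lines) - hits


@dataclass
class DictionaryClassifier:
    """Weighted phrases (-999..999, never 0). Assumption: the summed weight of all
    phrase occurrences is compared with a threshold to decide a trigger."""
    name: str
    phrases: dict[str, int]
    threshold: int
    case_sensitive: bool = False

    def __post_init__(self) -> None:
        if not 1 <= len(self.phrases) <= 100:
            raise ValueError("a dictionary holds 1 to 100 phrases")
        for phrase, weight in self.phrases.items():
            if weight == 0 or not -999 <= weight <= 999:
                raise ValueError(f"weight for {phrase!r} must be -999..999, not 0")

    def score(self, text: str) -> int:
        hay = text if self.case_sensitive else text.lower()
        return sum(
            weight * hay.count(phrase if self.case_sensitive else phrase.lower())
            for phrase, weight in self.phrases.items()
        )

    def triggered(self, text: str) -> bool:
        return self.score(text) >= self.threshold


def scan(text: str, classifiers: list) -> dict[str, object]:
    """Run every classifier over the extracted text; results keyed by classifier name."""
    results: dict[str, object] = {}
    for c in classifiers:
        if isinstance(c, KeyPhraseClassifier):
            results[c.name] = c.count(text)
        elif isinstance(c, RegexClassifier):
            results[c.name] = c.find(text)
        elif isinstance(c, DictionaryClassifier):
            results[c.name] = (c.score(text), c.triggered(text))
    return results


if __name__ == "__main__":
    rules = [
        KeyPhraseClassifier("marker", " top secret "),       # whitespace is stripped
        KeyPhraseClassifier("uri-partial", "uri"),           # also hits "Security"
        RegexClassifier("doc-code", r"ACME-\d{4}-\d{5}"),    # constructed code format
        RegexClassifier("guide-example", r"a\d+"),           # pattern from the guide
        DictionaryClassifier("launch", {"Project X": 5, "launch": 2, "draft": -3}, 6),
    ]
    for name, result in scan(SAMPLE_POST, rules).items():
        print(f"{name}: {result}")
```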

Configure Data Security policy settings



To configure options for detecting data loss over web channels:
1. In the Cloud TRITON Manager, go to the Web > Policy Management > Policies
page, then open the policy you want to configure.
2. Click the Data Security tab in the policy.
3. Select Enable data security (monitor only).
4. Complete the fields as described in the following sections:
• Enable Data Security regulations in policies, page 99
• Enable data theft detection in policies, page 100
• Enable custom Data Security classifiers in policies, page 101
• Trusted Domains, page 102
5. When you are finished, click Save.


The system will search for sensitive data that is being posted to HTTP and HTTPS
sites, and report on it in an Incident report (available from the Reporting > Report
Catalog > Standard Reports > Data Security page). This includes intellectual
property, data that is protected by national legislation or industry regulation, and data
suspected to be stolen by malware or malicious activities.
Important
The system monitors and reports on potential data exposures. It does not block them.
To search for data over HTTPS, be sure SSL decryption is enabled by following the
instructions provided on the SSL Decryption tab.

Enable Data Security regulations in policies



Most countries and certain industries have laws and regulations that protect
customers, patients, or staff from the loss of personal information such as credit card
numbers, social security numbers, and health information.
To set up rules for the regulations that pertain to you:
1. Click No region selected.
2. Select the regions in which you operate.
3. Select the regulations of interest:

Field                           Description
Personally Identifiable         Detects Personally Identifiable Information, for example,
Information (PII)               names, birth dates, driver license numbers, and identification
                                numbers. This option is tailored to specific countries.
Protected Health                Detects Protected Health Information, for example, terms
Information (PHI)               related to medical conditions and drugs, together with
                                identifiable information.
Payment Card Industry           Conforms to the Payment Card Industry (PCI) Data Security
(PCI DSS)                       Standard, a common industry standard that is accepted
                                internationally by all major credit card issuers. The standard
                                is enforced on companies that accept credit card payments,
                                as well as other companies and organizations that process,
                                store, or transmit cardholder data.

4. Select a sensitivity to indicate how narrowly or widely to conduct the search.


Select Wide for the strictest security. Wide has a looser set of detection criteria
than Default or Narrow, so false positives may result and performance may be
affected. Select Narrow for tighter detection criteria. This can result in false
negatives or undetected matches. Default is a balance between the two.
Severity is automatically calculated for these regulations.

Enable data theft detection in policies



Use this section to detect when data is being exposed due to malware or malicious
transactions. When you select these options, TRITON AP-WEB searches for and
reports on outbound passwords, encrypted files, network data, and other types of
information that could be indicative of a malicious act.
To see if your organization is at risk for data theft:
1. Select the types of data to look for.
• Common password information: Searches for outbound passwords in plain text.

• Encrypted file - known format: Searches for outbound transactions comprising
common encrypted file formats.

• Encrypted file - unknown format: Searches for outbound files that were encrypted
using unknown encryption formats.

• IT asset information: Searches for suspicious outbound transactions, such as those
containing information about the network, software license keys, and database
files.

• Malware communication: Identifies traffic that is thought to be malware phoning
home or attempting to steal information. Detection is based on the analysis of
traffic patterns from known infected machines.

• Password files: Searches for outbound password files, such as a SAM database and
UNIX / Linux password files.


2. Select a sensitivity to indicate how narrowly or widely to conduct the search.


Select Wide for the strictest security. Wide has a looser set of detection criteria
than Default or Narrow, so false positives may result and performance may be
affected. Select Narrow for tighter detection criteria. This can result in false
negatives or undetected matches. Default is a balance between the two.
Severity is automatically calculated for these types.
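As an added illustration (Python written for this guide's readers, not Forcepoint code), the following shows the kind of checks that sit behind several of the information types above: a password field sent in plain text, a known encrypted-file header, a shadow-style password file, and a high-entropy body for the unknown-format case, with the Wide, Default and Narrow sensitivities mapped to an entropy threshold so that Wide flags more than Narrow does. The signatures, regular expressions, threshold values and sample bodies are all constructed assumptions, not the product's detection logic.

```python
# Added example (not Forcepoint code): illustrative checks for the data theft
# information types listed above. Signatures, patterns and thresholds are
# assumptions chosen for the demonstration, not the product's detection logic.
import math
import re
from collections import Counter

# Sensitivity names from the guide mapped to an entropy threshold in bits per
# byte. Wide uses the loosest criterion (more positives), Narrow the tightest.
# The numeric values are assumptions.
ENTROPY_THRESHOLD = {"Wide": 7.0, "Default": 7.5, "Narrow": 7.9}

# "Encrypted file - known format": constructed file-prefix signatures.
KNOWN_ENCRYPTED_PREFIXES = {
    b"Salted__": "openssl enc",
    b"-----BEGIN PGP MESSAGE-----": "PGP ASCII armor",
}

# "Password files": one shadow-style line, name:$id$salt$hash:lastchange:...
SHADOW_LINE = re.compile(
    rb"^[a-z_][a-z0-9_-]*:\$[0-9a-z]+\$[^:\n]+:\d*(?::[^:\n]*){4,}$", re.M)

# "Common password information": a password field sent in plain text.
PLAINTEXT_PASSWORD = re.compile(rb"(?i)\bpass(?:word|wd)?\s*[=:]\s*\S+")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_outbound(data: bytes, sensitivity: str = "Default") -> list:
    """Return the data theft information types an outbound body matches."""
    findings = []
    for prefix, name in KNOWN_ENCRYPTED_PREFIXES.items():
        if data.startswith(prefix):
            findings.append(f"Encrypted file - known format ({name})")
            break
    if SHADOW_LINE.search(data):
        findings.append("Password files")
    if PLAINTEXT_PASSWORD.search(data):
        findings.append("Common password information")
    # "Encrypted file - unknown format": no recognised structure, but the
    # bytes are close to uniformly distributed. Bodies under 256 bytes are
    # skipped because the entropy estimate is unreliable for short inputs.
    if (not findings and len(data) >= 256
            and shannon_entropy(data) >= ENTROPY_THRESHOLD[sensitivity]):
        findings.append("Encrypted file - unknown format")
    return findings


# Constructed sample bodies for the demonstration.
SAMPLE_FORM = b"user=bob&password=S3cret!&remember=1"
SAMPLE_PGP = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA3z1...\n-----END PGP MESSAGE-----\n"
SAMPLE_SHADOW = b"root:$6$saltsalt$Q7hashhashhash:18000:0:99999:7:::\n"
SAMPLE_UNIFORM = bytes(range(256)) * 4      # entropy exactly 8.0 bits/byte
SAMPLE_MEDIUM = bytes(range(160)) * 8       # entropy log2(160), about 7.32

if __name__ == "__main__":
    for label, body in [("form", SAMPLE_FORM), ("pgp", SAMPLE_PGP),
                        ("shadow", SAMPLE_SHADOW), ("uniform", SAMPLE_UNIFORM)]:
        print(label, classify_outbound(body))
    for level in ENTROPY_THRESHOLD:
        print("medium-entropy body at", level,
              classify_outbound(SAMPLE_MEDIUM, level))
```

The medium-entropy sample is the point of the sensitivity mapping: at Wide it is reported as an unknown-format encrypted file, at Default and Narrow it is not, which is the false-positive versus false-negative trade-off the sensitivity step describes.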

Enable custom Data Security classifiers in policies



Use this section if you want to detect intellectual property or sensitive data using
custom phrases, dictionaries, or regular expressions containing business-specific
terms or data.
1. Select the classifiers that you want to enable for the policy. If you skipped the
section Create content classifiers, page 93, go there now to populate the list.
2. Select a severity for each classifier to indicate how severe a breach would be.
Select High for the most severe breaches. Severity is used for reporting purposes.
It allows you to easily locate High, Medium, or Low severity breaches when
viewing reports.


3. Configure a threshold for each classifier.

a. Click the link in the Threshold column.


b. Indicate how many times this classifier should be matched to trigger an
incident. You can indicate a range if desired, such as between 3 and 10. By
default, the threshold is 1.
c. Indicate whether you want the system to count each match, even if it is a
duplicate, against the threshold, or whether you'd prefer to only count unique
matches.
d. Click OK.

Trusted Domains

Select Enable trusted domains if you do not want certain domains to be monitored,
then enter URLs for the trusted domains separated by commas.

The system does not analyze content passed between trusted domains. This means
users can send them any type of sensitive information via HTTP, HTTPS, or other web
channels from your network.
The domains you enter apply only to data security and only to the current web policy.
Duplicate URLs are not permitted. Wildcards (* and ?) are supported.
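The following added example (Python, not Forcepoint's code) shows how the classifier thresholds from the previous section and the trusted-domain list above could be applied to a single outbound post: a trusted destination is skipped entirely, otherwise each classifier's matches are counted (all matches or unique ones), compared with its threshold range, and reported with its severity. The regular expression, domain names and post body are constructed for the example, and the exact matching semantics are assumptions drawn from the steps above.

```python
# Added example (not Forcepoint code): how a custom classifier threshold and a
# trusted-domain list could be applied to one outbound web post. The matching
# semantics are assumptions drawn from the steps above, not the product's logic.
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Classifier:
    name: str
    pattern: str                       # regular expression with business terms
    severity: str                      # "High", "Medium" or "Low" (reporting only)
    min_matches: int = 1               # threshold; the guide's default is 1
    max_matches: Optional[int] = None  # upper bound of a range such as 3 to 10
    count_unique: bool = False         # count only unique match values


def parse_trusted_domains(text: str) -> List[str]:
    """Split the comma-separated trusted-domain entry, rejecting duplicates."""
    domains = [d.strip().lower() for d in text.split(",") if d.strip()]
    if len(set(domains)) != len(domains):
        raise ValueError("duplicate trusted domain entries are not permitted")
    return domains


def domain_is_trusted(url: str, trusted: List[str]) -> bool:
    """True if the destination host matches any entry; * and ? act as wildcards."""
    host = (urlsplit(url).hostname or "").lower()
    return any(fnmatchcase(host, pattern) for pattern in trusted)


def evaluate(classifier: Classifier, body: str) -> Tuple[int, bool]:
    """Count matches (all or unique) and test them against the threshold range."""
    matches = re.findall(classifier.pattern, body)
    count = len(set(matches)) if classifier.count_unique else len(matches)
    within = count >= classifier.min_matches and (
        classifier.max_matches is None or count <= classifier.max_matches)
    return count, within


def scan_post(url: str, body: str, classifiers: List[Classifier],
              trusted: List[str]) -> List[dict]:
    """Return one incident per classifier whose threshold is met, unless the
    destination is a trusted domain, in which case nothing is analysed."""
    if domain_is_trusted(url, trusted):
        return []
    incidents = []
    for c in classifiers:
        count, hit = evaluate(c, body)
        if hit:
            incidents.append({"classifier": c.name, "severity": c.severity,
                              "matches": count})
    return incidents


# Constructed sample inputs.
TRUSTED = parse_trusted_domains("partner.example, *.corp.example")
CODENAME = Classifier("Project codename", r"\bPROJECT-ORION\b", "High",
                      min_matches=3, max_matches=10)
UNIQUE_CODENAME = Classifier("Unique codename", r"\bPROJECT-ORION\b", "High",
                             min_matches=3, count_unique=True)
POST_BODY = ("status update: PROJECT-ORION PROJECT-ORION PROJECT-ORION "
             "PROJECT-ORION PROJECT-ORION")

if __name__ == "__main__":
    print(scan_post("https://paste.example.net/new", POST_BODY,
                    [CODENAME, UNIQUE_CODENAME], TRUSTED))
    print(scan_post("https://files.corp.example/upload", POST_BODY,
                    [CODENAME], TRUSTED))
```

Note the difference between the two classifiers on the same body: five repeated occurrences satisfy a threshold of 3 when every match is counted, but only one unique value exists, so the unique-count classifier does not trigger. The trusted-domain check runs before any classifier, which is why a post to a trusted host produces no incidents regardless of content.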

Configure privacy settings



Use the Account > Settings > Privacy Protection page to prevent end-user
identifying information, data security incident trigger values, or both from appearing
in logs and web reports. If required, you can still collect this information for security
threats.

By default, incident data is not captured, stored, or displayed. Administrators with
permission to view incident data are able to see the number of matches in the report,
but not the match values or context.

Select Store and display incident data under Data Security Incident Settings if you
want the values that triggered data security incidents to be captured, stored in the
incident database, and displayed in reports.

Credit card numbers, social security numbers, and email addresses are masked when
they are stored, as are passwords in certain instances.
Changing this setting has no impact on incident data that has already been collected.
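To make the masking behaviour concrete, here is an added example (Python, not Forcepoint's code) of an incident record that keeps only the match count unless storage is enabled and, when it is, masks card numbers (verified with a Luhn check so that arbitrary digit runs are left alone), social security numbers, and email addresses before the value is stored. The masking formats and the sample value are assumptions for the demonstration; the product's actual masking rules are not documented here.

```python
# Added example (not Forcepoint code): masking trigger values before they are
# stored, in the spirit of the privacy protection settings described above. The
# masking formats and the Luhn check are assumptions made for this demonstration.
import re

# 13 to 19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used so that arbitrary digit runs are not treated as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(m):
    digits = re.sub(r"\D", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)           # not a card number; leave untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def _mask_ssn(m):
    return "***-**-" + m.group(0)[-4:]


def _mask_email(m):
    local, _, domain = m.group(0).partition("@")
    return local[0] + "***@" + domain


def mask_incident_value(value: str) -> str:
    """Mask card numbers, SSNs and email addresses inside a trigger value."""
    value = CARD_RE.sub(_mask_card, value)
    value = SSN_RE.sub(_mask_ssn, value)
    return EMAIL_RE.sub(_mask_email, value)


def record_incident(trigger_value: str, match_count: int,
                    store_and_display: bool) -> dict:
    """Build the incident record that would be written to the incident database.
    With the setting off (the default), only the match count is kept."""
    record = {"match_count": match_count}
    if store_and_display:
        record["value"] = mask_incident_value(trigger_value)
    return record


# Constructed sample trigger value: one valid card number, one digit run that
# fails the Luhn check, one SSN and one email address.
SAMPLE_VALUE = ("card 4111 1111 1111 1111, order ref 1234 5678 9012 3456, "
                "ssn 123-45-6789, contact alice@example.com")

if __name__ == "__main__":
    print(record_incident(SAMPLE_VALUE, 3, store_and_display=False))
    print(record_incident(SAMPLE_VALUE, 3, store_and_display=True))
```

The order reference is deliberately left unmasked: it has the shape of a card number but fails the Luhn check, which keeps the stored context readable for investigators without retaining real cardholder data.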

Configure reporting permissions



You can control which administrators can view data security reports (and potentially
sensitive information). This setting is assigned at the account level.
To give administrators these permissions:
1. Navigate to Account > Settings > Contacts.
2. Select the contact whose permissions you want to edit.
3. In Contact Details, click the user name (email address) to view the contact login
details.
4. On the Login Details screen, click Edit.
5. Under Account Permissions, select View All Reports and Data Security
Reports, and then click Save.
This enables users to view data security reports, which may or may not contain
incident forensics and trigger data, depending on your privacy protection settings. It
does not change their ability to manage data security configuration settings.

View the dashboard



For a high-level view of activity in your organization, click Dashboard, and then
click the Data Security tab. Data Security charts include:

• Incident Count Timeline shows a daily incident count for the designated period.
With it, you can quickly identify trends and make policy changes as required.

• Total Incidents by Content Type shows the number of regulatory incidents, data
theft incidents, and custom classifier incidents in the designated period.

• Top Sources shows the users, machines, or IP addresses most frequently
instigating data security violations as well as the severity of their incidents.

• Top Destination Domains shows the Internet domains most frequently targeted
with sensitive data.

• Top Web Categories shows the website categories most frequently targeted with
sensitive data. These can be custom categories or the categories classified by the
URL category database.

View reports

For a more granular view, access the data security reports.


1. Go to the Reporting > Report Catalog page.
2. Select Standard Reports > Data Security from the left navigation pane, and then
select a report category: Content Type, Incidents, or Sources & Destinations.

3. Select a report from the list that displays. Following are descriptions of each
report.
Content Type reports:

• Compliance Summary: Find out which compliance rules are most often violated in
your organization and view a breakdown of the incident count for each policy or
rule.

• Custom Classifier Summary: See which custom classifiers triggered the most
incidents during the designated period.

• Data Theft Summary: View a list of data theft classifiers that triggered the most
incidents during the designated period.

Incidents reports:

• Incident List: View a list or chart of all data loss incidents that were detected
during the designated period, along with incident details such as the destination,
severity, and transaction size.

Sources & Destinations reports:

• Destination Summary: See the destination URLs or IP addresses involved with
the most violations, broken down by severity.

• Users Summary: See the users, machines, or IP addresses most frequently
violating data security policies and the severity of their breaches.


4. After you select a report, select a time period (last 7 days by default) and any
required attributes, then click the Update Report button.
Tip
To view only incidents that meet a certain threshold (not
every single match), filter the report using the Top
Matches attribute.
Top Matches indicates the number of matches on the
incident's most violated rule. For example, if rule A in
MyPolicy has 2 matches, rule B has 5 matches, and rule C
has 10 matches, top match equals 10.
When you apply the filter, enter the threshold to include in
the report, and then select the operator to use: equal to,
greater than, etc.
Refer to the Cloud TRITON Manager Help for details on adding attributes to a
report.


View the audit trail



Click Account > Settings > Audit Trail, and then click View Results to view an
audit trail of all policy configuration changes.

You can search by user, action type, and date range.

Chapter 10

Next Steps

You should now be directing all Internet traffic through the TRITON AP-WEB service
and be protected from Internet threats. TRITON AP-WEB works out of the box, but
to get best use of its features, you probably want to tailor your policy. Specific areas of
interest may be:

• Creating additional administrators to delegate responsibilities

• Setting the time zone for your policies

• Customizing your notification pages

• Adding internal or other trusted sites to your non-proxied destinations

• Adjusting the website category dispositions to suit the nature of your business

• Creating custom categories to allow whitelisting or blacklisting of specific
websites

• Creating custom protocols to handle non-HTTP Internet traffic. Custom protocols
are available only if your subscription includes the i-Series appliance.

• Creating groups of users

• Creating exceptions to override category or protocol dispositions for specified
users, groups, and times of day. The protocol exception capability is available
only if your subscription includes the i-Series appliance.

Configuration advice for all of these features and others can be found in the Cloud
TRITON Manager Help in the Technical Library. Some basic steps for configuring
your policy and managing reporting in the Cloud TRITON Manager are outlined in
the sections below.

Managing web categories



TRITON AP-WEB includes dozens of website categories. These categories are
designed to help you apply policy to your organization's web surfing. If a website has
not previously been categorized, we assign it the category Unknown.
Click the Web Categories tab to configure the action you want TRITON AP-WEB to
take when users try to access websites in each of the categories.

The category list on the Web Categories tab includes standard categories and any
custom categories that you have defined on the Policy Management > Custom
Categories page.
In the Standard Categories section, child categories are indented under their parent
categories. Parent categories allow specific categories to be grouped by a more
generic description. However, there is no hierarchical relationship between parent
categories and the child categories within them: you can set a filtering action for a
parent category without it affecting the child category, and vice versa.
To edit the web filtering action for a category:
1. Select a web category from the category list.
You can select a category directly from the list, or enter text in the search box to
locate the category you want.
To select multiple categories, use the Shift and/or Ctrl keys. You can also use the
drop-down menu above the category list to select or deselect the following
categories:

• all categories

• privacy categories

• Web 2.0 categories

2. Select an Action for the category:

• Allow access means that any website within the category is always accessible,
regardless of whether it exists in another category that has the Block access
action.

• Do not block ensures that the site is not blocked under this rule, but if it also
exists in another category that has an action of Block access, it is blocked
under that category.

• Confirm means that users receive a block page, asking them to confirm that
the site is being accessed for business purposes. Clicking Continue enables
the user to view the site and starts a timer. During the time period that you
configure (10 minutes by default), the user can visit other sites in the
confirmed category without receiving another block page. Once the time
period ends, browsing to any other Confirm site results in another block page.

• Use Quota means that users receive a block page, asking them whether to use
quota time to view the site. If a user clicks Use Quota Time, he can view the
site.
Clicking Use Quota Time starts two timers: a quota session timer and a total
quota allocation timer. The session length and total quota time available for
each category depend on the options selected on the General tab.

• Block access blocks access to websites in this category unless they exist in
another category with a filtering action of Allow access. When a site is
blocked, you can choose a notification page to be displayed.

3. To apply the setting to all categories within the selected category, mark Apply to
all sub-categories.


4. Click Save.
Note
To ensure that notification pages appear for HTTPS sites,
mark Use Websense certificate to serve notifications for
HTTPS pages on the Web > Policy Management >
Block and Notification Pages page.

Managing protocols

This feature is available for i-Series appliance deployments only. Click the Protocols
tab to manage how protocols, or non-HTTP Internet traffic, are handled by a policy.
The list of protocols appears in a 2-level tree display similar to that in the Categories
tab. Protocol groups can be expanded to show the individual protocols within each
group.
The list on the Protocols tab includes both standard protocols and any custom
protocols that you have defined on the Policy Management > Protocols page. The
standard protocol groups are updated regularly.
Configure how a protocol is filtered by selecting it in the protocols tree and specifying
an action (Allow or Block) from the box on the right. You can select a protocol
directly from the list, or enter text in the search box to locate the protocol you want.
Use the Shift and/or Ctrl keys to select multiple protocols.

Managing exceptions

Exceptions allow the default action for a web category or protocol to be overridden for
specified users and groups of users. Exceptions are listed at the bottom of the
Protocols (for i-Series appliance deployments only) and Web Categories tabs. Click
a protocol or category to view exception rules that may apply to it.
Click Add to add a new exception.

Reporting

The available reports for web traffic and analysis are located in the navigation pane
under Reporting.


The Report Catalog contains a number of predefined reports that cover common
scenarios, available in bar chart, trend chart, and tabular formats. You can copy any
predefined report to apply your own filters to create a custom report, and share your
reports with other administrators.
The Report Builder offers an enhanced model for creating multi-level, flexible
reports that allow you to analyze information from different perspectives and gain
insight into your organization's Internet usage. If a high-level summary shows areas of
potential concern, you can drill down to find more details and use Transaction
Viewer for granular reports on individual transactions.
You can also do the following:

• Download report results as a comma-separated values (CSV) file or as a PDF file.

• Save the reports you generate most frequently and want to be able to locate
quickly.

• Schedule one or more saved reports for regular delivery.

For more information about reporting and the full list of available reports, see the
Cloud TRITON Manager Help.

Chapter 11

Preparing Your End Users for Deployment

Before deploying TRITON AP-WEB, you should inform your users what the service
does and how it impacts them. This may even be a legal requirement in some
countries. Below is some sample text that you can use in an initial communication.
You can also customize the registration email templates and pre-logon welcome page,
if you are going to use them.
Note that text in italics is instructional and not meant for inclusion in any
communication.
Introduction to the TRITON AP-WEB with Web Cloud Module service
TRITON AP-WEB is an advanced web protection service that we have deployed to
protect Internet users from computer viruses and other web-based threats such as
spyware. All of our Internet traffic is directed to data centers where these threats are
filtered out and our Internet acceptable use policy is enforced.
Many websites exist that contain viruses or inappropriate content that might offend
you. Often links to these sites are returned by search engines and you do not realize
what you are accessing until you have clicked a link and it is too late. The TRITON
AP-WEB service allows us to block such sites so that you are not exposed to this
content.
Internet acceptable use policy
We have published an Internet acceptable use policy that outlines your responsibilities
as an individual when using company resources to access the Internet. TRITON AP-WEB
allows us to enforce this policy, report on web usage and block inappropriate
downloads. In the event that a website is blocked, you are presented with a page
explaining why.
We recognize that different people need to access different types of websites to
perform their jobs, so if sites that you are trying to access are being blocked, please
email XXXX, include the website address and the reason why you need to access it.
The full website address can be copied from your browser address bar.
Please click the link below to access our corporate Internet acceptable use policy.

http://link_to_corporate_acceptable_use_policy
Note
The acceptable use policy feature is not available for i-Series appliance
deployments.
You may have the option to display a notice to users that informs them of your
organization's acceptable use policy for Internet use and asks them to agree to
accept its terms before they can continue browsing. You can select how frequently
you would like to display the notice. The choices are 1, 7, and 30 days. As with all
notification pages, you can tailor the default to meet your needs. See Notification
pages in the Cloud TRITON Manager Help.

TRITON AP-ENDPOINT Web



Deploying TRITON AP-ENDPOINT Web via the Internet


To use the TRITON AP-WEB service, you will be asked to install a Secure Browsing
application next time you open a browser. Follow the instructions in the installer. This
application ensures your browsing is always protected by TRITON AP-WEB, whether
inside or outside the office.

End-user registration

Registering to use TRITON AP-WEB


To use the TRITON AP-WEB service, you first need to complete a simple, one-time
registration process:
If not using bulk registration:

• Click the link below. It takes you to the end-user registration portal.
https://www.mailcontrol.com/enduser/reg/index.mhtml

• Enter your name and email address and click Submit.

• When you receive an email from Forcepoint, click the link it contains.

If using bulk registration:

• You will receive an email containing a link that you should click.
If using basic authentication:
This takes you to the end-user registration portal. Enter the password that you want to
use when you access the web (twice), and click Submit.
Registration is now complete, and you are not required to register again. To check that
you are correctly registered, shut down all browsers and open a new one. When you
try and access a website, you are first asked to log in. Type the email address and
password that you used to register with TRITON AP-WEB and click OK. You may
want to check the box that invites you to save these login details to simplify future
logins.
If using NTLM transparent identification without directory synchronization:

• This takes you to the end-user registration portal. Enter the password that you
want to use when you access the web (twice), and click Submit.

• Now enter a URL, such as www.forcepoint.com, into your browser address bar
and you are presented with the final registration page.

• Type the email address and password that you used to register with TRITON
AP-WEB into the appropriate boxes.

If using basic authentication:


Logging in when you access the web
You need to log in every time you open a new browser to access the Internet. If you
leave your browser open, you are not required to log in again. If you need a second
browser window, do not launch a new browser. In your existing one, click File > New
Window. This opens a new browser session without you having to log in again.
For remote users who use TRITON AP-WEB with basic authentication when working
remotely:
Accessing the Internet when you are not in the office
When you are working in the office, TRITON AP-WEB is able to recognize that you
work for COMPANY NAME and can protect you from Internet threats according to
our policy. To ensure that you are still protected when you are not working from the
office, when you access the Internet, you are asked to log in. You must use the email
address and password that you entered during TRITON AP-WEB registration before
you can continue.
