KB Article | Forcepoint Support

Notes & Warnings

To assure proper behavior, your firewall should allow ports 80, 443 and 8080 through 8100 to the Cloud Service cluster IP addresses.

Ports to open:
  • Forcepoint Security Portal: 80 and 443
  • Forcepoint Web Security Cloud:
    • 8082 and 8081 if you are retrieving the PAC file and routing web traffic through the standard cloud web ports. (If you are using port 80 for the PAC file, you do not need to open these ports.)
    • 8087 if you are retrieving the PAC file via HTTPS. Port 8081 must also be opened for browsing. (If you are using port 443 for the HTTPS PAC file, you do not need to open these ports.)
    • 8006 if you are using single sign-on integration.
    • 8089 if you are using secure form authentication.


Problem Description

I installed endpoint client for Web filtering and end users receive the default PAC file. As a result, they do not obtain my custom non-proxied destination list. Why is endpoint not receiving my customer specific PAC file?


There can be several reasons for this behaviour.

By default, the cloud proxy does not accept the authentication details provided by Endpoint Client when the end user is browsing from a non-domain computer. If a customer requires that non-domain users are able to access the internet through the cloud proxy, work with Support to enable the custom template 'Allow endpoint non-domain users' for all policies, and ensure that the 'apply to future policies' box is also ticked. Logging in with cached domain credentials is supported.


  • Did you install endpoint client without the WSCONTEXT=xxxx parameter? 

This parameter uniquely identifies a specific customer's Cloud account. If not supplied during installation, endpoint cannot identify the specific Cloud account. To correct this problem, uninstall and then reinstall endpoint client. For example, an installation command looks like the following:

msiexec /package "\\path\Websense Endpoint.msi" /quiet /norestart WSCONTEXT=xxxx
  • For Cloud Web, you can find the WSCONTEXT identifier in the Cloud Web Portal. After logging in, select Web  > Settings > Endpoint > General > Deployment  Settings > GPO Code.
  • For a Hybrid on-premises, you can find the WSCONTEXT identifier in Forcepoint Web Security console. After logging in, navigate to Settings > Hybrid Configuration > Hybrid User Identification  and see Deploy Web Endpoint Manually.


  •  If you supplied the correct WSCONTEXT=xxxx but end-users still receive the default PAC file.

The end user may not have synchronized correctly with Cloud services during endpoint installation. The user may not have correctly associated with your unique customer account. In this case, instead of seeing a policy specific PAC file, they receive the default PAC file. To correct this problem, uninstall endpoint. When reinstalling, ensure the user installing endpoint is synced to the Cloud, then run the installer again.

  • If the user synchronized, the correct WSCONTEXT=xxxx was supplied during installation, but they still receive the default PAC file. 

Verify connectivity on the Cloud service proxy on ports 8081 and 8082.

  • For Cloud Web, run the following two commands:
    • telnet webdefence.global.blackspider.com 8081
    • telnet webdefence.global.blackspider.com 8082
  • For a Hybrid on-premises Websense Content Gateway Anywhere installation,  run the following two commands:
    • telnet hybrid-web.global.blackspider.com 8081
    • telnet hybrid-web.global.blackspider.com 8082

If your connection is refused, you need to open up a port on your firewall.


pcep; proxy connect; endpoint; pac; port; 80; 8081; 8082; webdefence.global.blackspider.com; hybrid-web.global.blackspider.com; wscontext;

Article Feedback

Thank you for the feedback and comments.