KB Article | Forcepoint Support

Notes & Warnings

  • A Directory Agent page displays for each Policy Server with an instance of Directory Agent installed. If you do not see the Directory Agent page, then ensure you logged into the correct Policy Server instance.
  • Hybrid service identifies users by their email address. All user accounts synchronized with hybrid service must have unique email addresses. Uploading duplicate accounts, or separate accounts that share the same email address, causes the synchronization to fail.

Problem Description

I have Web Hybrid or Web Security Gateway Anywhere. Does Tech Support have a best practice guide for configuring hybrid filtering within the Forcepoint Security Manager?

Resolution

This article offers suggestions for configuring hybrid service settings within Forcepoint Security Manager.

The premise of this article is to provide basic hybrid configuration steps, with an emphasis on avoiding the upload of duplicate user accounts or of separate user accounts that share the same email address. Uploading duplicate email addresses is the most common tech support issue. To complete the suggestions offered in this article, you must have:
  • Access to Forcepoint Security Manager.
  • Domain administrative access to your directory service.

This article suggests creating new users, groups and OUs in your directory service. It offers a best practice view, to limit the number of directory objects sent to hybrid service. We understand some customers do not want to create new directory objects. In that case, skip the creation of new users, groups and OUs, but apply the same methodology to restrict the number of directory objects synced with hybrid service. Using best practice methods at the start pays off in the future with easier security filtering administration.

Important If you have only one domain controller listed in Directory Settings, then some of the following suggestions concerning extraneous domain controllers do not apply.
 
Phase I: Define your hybrid users and limit domain controller involvement

  1. Configure Directory Agent.
    • The Shared User Data page should list your domain controllers. If the Directory Agent page (Settings > Hybrid Configuration > Shared User Data) does not display any domain controllers, go back and configure your Directory Services (Settings > General > Directory Services). In the configuration scenario for this article, the Directory Services settings contain two Global Catalog (GC) servers (see the following image).
      User-added image
    • Mixed Mode as a method for Directory Services was removed in versions after 8.2.
  2. Check the Directory Service administrative access account.
    • The service account you enter for administrative access within Directory Service settings must have permissions to drill into the context you define in Directory Agent settings. In Directory Service settings, enter a full distinguished name, as shown in the following image. Do not enter the credentials in the older Windows NT format (domain\user).
      User-added image
  3. Prepare your directory service for Directory Agent.
    • As shown in the following image, the Directory Agent page displays the domain controllers you entered in the Directory Services settings.
      User-added image
    • Note A company with a single domain can typically obtain all directory objects from a single domain controller. In this case, when the Directory Agent page lists multiple domain controllers, you need to curtail the contribution of directory objects from the extraneous (supplemental) domain controllers. For these extraneous domain controllers, we accomplish this by limiting their search context to a single unused organizational unit (OU). This eliminates the possibility of uploading the same user account multiple times. Additionally, narrowing the context increases speed and efficiency.
    • Note If your Directory Agent page only displays one domain controller, ignore the following suggestions referring to "extraneous" domain controllers, but ensure you complete the steps to limit the search context.
    1. From the Directory Agent page, identify the Global Catalog (GC) server from which Directory Agent will obtain directory data on your hybrid users. For example, as shown in the prior image:
      • 10.212.5.210 (The primary GC. We will poll this GC for users managed by hybrid service.)
      • 10.212.11.162 (An extraneous GC. We will exclude this domain controller from contributing duplicate user accounts.)
      • Note All domain controllers listed in Directory Services settings provide information to Directory Agent. To avoid duplicating the information already provided by the primary GC, it is essential to curtail the data sent from these extraneous domain controllers. This step is necessary because there is currently no feature to disable unnecessary domain controllers listed in the Directory Agent page.
    2. In your directory service, create a security group and assign your hybrid users as members of this new group. (Best practice.)
    3. If you have extraneous GC servers:
      1. In your directory service, create an organizational unit (OU). This new OU is a placeholder for defining a limited context.
      2. Within the OU created in the prior step, add a user account with a valid email address. This user account is a placeholder that satisfies the requirement for GC servers to supply a unique user.
        • Ensure the user account has a valid and unique email address. Hybrid service differentiates all users via their email address.
      3. Repeat the prior two steps for each extraneous GC listed in the Directory Agent page.
        • Create a separate OU and user account for each extraneous GC. Ensure each new OU and user account is unique.
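The directory objects that steps 2 and 3 above ask for can be created with the ActiveDirectory PowerShell module. The script below is an added example, not a Forcepoint script; the OU, group and account names, the mail domain and the list of extraneous GCs are assumptions (the IP addresses are the ones from this article's scenario).

```powershell
# Added example (not Forcepoint's own script): creates the Phase I directory objects.
# Assumptions: an OU named Hybrid-Users holds the managed users and the group;
# each extraneous GC gets one placeholder OU inside it with one disabled user.
Import-Module ActiveDirectory

$domainDn      = (Get-ADDomain).DistinguishedName   # e.g. DC=example,DC=com
$mailDomain    = 'example.com'                      # assumption: one of your Registered Domains (Phase II)
$managedOu     = 'Hybrid-Users'                     # assumption: container of the managed hybrid users
$hybridGroup   = 'Hybrid-Managed-Users'             # assumption: security group name
$extraneousGcs = @('10.212.11.162')                 # article scenario: extraneous GC (primary is 10.212.5.210)
$managedOuDn   = "OU=$managedOu,$domainDn"

# Container for everything the hybrid service will manage (the Include Context in Phase III).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$managedOu'")) {
    New-ADOrganizationalUnit -Name $managedOu -Path $domainDn
}

# Step 2: one security group holding every user the hybrid service manages.
if (-not (Get-ADGroup -Filter "Name -eq '$hybridGroup'")) {
    New-ADGroup -Name $hybridGroup -GroupScope Global -GroupCategory Security -Path $managedOuDn
}

# Step 3: per extraneous GC, one placeholder OU holding exactly one user with a unique
# mail attribute. That OU becomes the GC's Include Context in Phase III, so the GC
# contributes nothing else. In a single domain the objects replicate to every GC.
$n = 0
foreach ($gc in $extraneousGcs) {
    $n++
    $ouName   = "Hybrid-Placeholder-$n"             # assumption: naming scheme
    $userName = "hybrid-placeholder-$n"
    $ouDn     = "OU=$ouName,$managedOuDn"
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
        New-ADOrganizationalUnit -Name $ouName -Path $managedOuDn `
                                 -Description "Directory Agent include context for $gc"
    }
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$userName'")) {
        # Disabled account: it exists only so this GC can supply one unique user.
        New-ADUser -Name $userName -SamAccountName $userName -Path $ouDn `
                   -EmailAddress "$userName@$mailDomain" -Enabled $false
    }
}
```

Add your real hybrid users to the group (Add-ADGroupMember) afterwards; the placeholder accounts stay disabled and outside the group.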

 
You are now ready to specify a context for your domain controller(s). Proceed to Phase II.

 
 
Phase II: Define Explicit Proxies, Filtered Locations, Unfiltered Destinations, your domain and User Access/Hybrid Identification methods

This phase introduces the minimum settings required for a successful hybrid deployment.

  1. Add your explicit proxy. This step is required only when employing an on-premises explicit proxy at a filtered location.
    1. Navigate to Settings > Hybrid Configuration > Filtered Locations.
    2. Before entering your filtered location, add your explicit proxy. On the Filtered Locations page, click Manage Explicit Proxies as shown in the following image.
      User-added image
    3. For details on adding your explicit proxy, see:
  2. Define your filtered locations.
    • Decide which offices or sites you want to define as filtered locations. A filtered location is the external IP address, IP address range or subnet from which browsers connecting to hybrid service appear to originate. For more details, see Define hybrid service filtered locations.
  3. Add your filtered locations.
    1. A filtered location is a site managed by the hybrid service (such as a branch office, remote site or satellite campus). For more details, see Adding or editing hybrid service filtered locations.
    2. Navigate to Settings > Hybrid Configuration > Filtered Locations.
  4. Define your unfiltered destinations.
    1. Clients can access these sites directly, without sending their requests to either the hybrid service or an on-premises explicit proxy in a filtered location, if used. These destinations are added to the Proxy Auto-Configuration (PAC) file, which defines how filtered users' browsers connect to the hybrid service.
    2. Navigate to Settings > Hybrid Configuration > Unfiltered Destinations.
    3. For more details, see:
    4. As a best practice, add your organization's webmail address as an unfiltered destination. This ensures that off-site users can retrieve a forgotten hybrid service password via email.
  5. Add your domains and determine off-site behavior.
    1. Navigate to Settings > Hybrid Configuration > User Access.
    2. Under Registered Domains, identify the domains and subdomains (if any) belonging to your organization. This allows users with email addresses in the specified domains to self-register with hybrid service. See the following image. For more details, see Adding domains.
      User-added image
    3. Under Off-site Users, choose how to handle users coming from an unknown IP address. See the prior image.
      • With the option enabled, the PAC file enforces hybrid filtering on users coming from an unknown IP address.
      • With the option disabled, the PAC file DOES NOT enforce hybrid filtering on users coming from an unknown IP address.
      • For more details, see Configuring hybrid filtering for off-site users.
  6. Specify the identification methods.
    1. Navigate to Settings > Hybrid Configuration > Hybrid User Identification.
    2. The default settings, shown in the following image, work for most deployments. For more information, see Identification of hybrid users.
      User-added image
    3. Available options:
      • Use NTLM to identify users when possible
        This option uses directory information gathered by Directory Agent to identify users transparently, if possible. In this case hybrid uses NTLM to identify the user (if the client supports it); otherwise the user sees a logon prompt.
      • Use secure form authentication
        This option displays a secure logon form. Users must enter their email address (already synced with hybrid service) and hybrid password. If the self-registration option is enabled, the self-register button appears. This button is useful for users not synchronized with hybrid service.
      • Always authenticate users on first access
        This enables transparent NTLM identification or manual authentication when users first connect to hybrid service.
      • Configure Welcome Page
        This option specifies whether unidentified users receive a Welcome page.


Phase III: Define your search context
 
Your goal in this phase is to ensure the Directory Agent search context is unique for each domain controller. It is best to provide a context that includes only users managed by the hybrid service. All hybrid user accounts require a unique email address. Important DO NOT synchronize user accounts, such as service accounts, that share a common email address.
 
In Phase I above, you selected a primary GC and created some directory objects. We will now implement a small-medium business scenario.

  • We have selected a GC (example below: 10.212.5.210) as our primary domain controller, which will provide directory information for our managed hybrid users. In addition, on this primary GC, we will limit the context to the container where the managed hybrid users reside.
  • For all other domain controllers, we want to curtail their involvement in providing data to Directory Agent. In this endeavor, on these extraneous domain controllers (example below: 10.212.11.162), we will define a search context limited to a single OU. This OU acts as a placeholder for one user account. As a result, directory objects outside this OU are not sent to the hybrid service. Important This is how you avoid synchronizing duplicate user and group objects.
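Because the sync fails on any duplicated address, it is worth checking the upload set before you click Send User Data. The script below is an added example, not a Forcepoint tool: for each domain controller on the Directory Agent page it queries the same Include/Exclude Context you configure in this phase and reports users with a missing or duplicated mail attribute. The context DNs are assumptions; the IP addresses are this article's scenario.

```powershell
# Added example (not a Forcepoint tool): pre-flight check of the objects Directory Agent
# will upload. Assumptions: the primary GC includes OU=Hybrid-Users and excludes the
# placeholder OU; the extraneous GC includes only the placeholder OU.
Import-Module ActiveDirectory

$contexts = @(
    @{ Server = '10.212.5.210';  Include = 'OU=Hybrid-Users,DC=example,DC=com'
       Exclude = @('OU=Hybrid-Placeholder-1,OU=Hybrid-Users,DC=example,DC=com') },
    @{ Server = '10.212.11.162'; Include = 'OU=Hybrid-Placeholder-1,OU=Hybrid-Users,DC=example,DC=com'
       Exclude = @() }
)

function Get-HybridUploadSet([array]$Contexts) {
    foreach ($c in $Contexts) {
        $excluded = $c.Exclude
        Get-ADUser -Server $c.Server -SearchBase $c.Include -SearchScope Subtree `
                   -Filter * -Properties mail |
            Where-Object {
                $dn = $_.DistinguishedName
                # Drop anything under an Exclude Context, as Directory Agent would.
                -not @($excluded | Where-Object { $dn.EndsWith(",$_", 'OrdinalIgnoreCase') }).Count
            } |
            Select-Object @{ n = 'Server'; e = { $c.Server } }, DistinguishedName, mail
    }
}

$uploaded = @(Get-HybridUploadSet $contexts)
# Users without a mail attribute cannot be identified by the hybrid service.
$noMail = @($uploaded | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })
# The same address seen twice (one object via two GCs, or two accounts such as service
# accounts sharing a mailbox) is exactly what makes the synchronization fail.
$dupes = @($uploaded | Where-Object { $_.mail } |
           Group-Object { $_.mail.ToLowerInvariant() } | Where-Object Count -gt 1)

if ($noMail) { Write-Warning 'Users with no mail attribute (hybrid cannot identify them):'
               $noMail | Format-Table Server, DistinguishedName -AutoSize }
if ($dupes)  { Write-Warning 'Mail addresses that would be uploaded more than once:'
               $dupes.Group | Format-Table Server, mail, DistinguishedName -AutoSize }
if (-not $noMail -and -not $dupes) { "OK: $($uploaded.Count) users, all mail addresses unique." }
```

Fix every address it reports (or move the offending account out of the Include Context) before sending user data; a clean result here is the cheapest way to avoid the failed sync described in Phase IV.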
     
  1. Define an Include Context and an Exclude Context for your primary GC. (An Exclude Context is only required if the Shared User Data page displays multiple domain controllers.)
    1. Navigate to Settings > Hybrid Configuration > Shared User Data.
    2. The Directory Agent page appears, displaying your GCs. Under the 'Name or IP Address' column, click the link associated with the primary GC.
      User-added image
    3. If 'Default context' appears in the context column, tick the box and delete it as shown in the following image. You must remove the default context before replacing it with additional entries.
      User-added image
    4. From the same window, click the Add button. At this point, you can add a valid context.
      • Any other action produces the following error.
        User-added image
    5. Add an Include Context.
      1. The administrative access account defined in Directory Service settings should have sufficient permissions to allow you to browse the context tree.
      2. Browse the tree and click the OU that represents the location where your managed hybrid users reside. (Earlier in Phase I, you created a new OU and a new security group. Your hybrid users should already be members of this security group.)
      3. Click the 'Set as Include Context' button.
      4. The Specify Include Context window appears.
      5. Choose your filters and then click OK.
        User-added image

    Note For more details on these settings, see Adding and editing directory contexts for the hybrid service, or select the Explain This Page menu option under Help within the Forcepoint Security Manager.

    Note If you have multiple domain controllers, proceed to the next step.

    Important If you DO NOT have multiple domain controllers, save your changes: click the next three OK buttons and then click Save and Deploy. After saving your changes, jump to step 3 below, "Send your updated user and group settings to the hybrid service."

    6. Add an Exclude Context. (Skip this step if you have only one domain controller listed in the Directory Agent page. Jump to step 3 below, "Send your updated user and group settings to the hybrid service.")
      1. Uncheck all checkmarks in the context tree and then tick the OU you want to set as an Exclude Context.
      2. Click the 'Set as Exclude Context(s)' button.
      3. The Specify Exclude Context window appears.
      4. Choose your filters and then click OK.
        User-added image
    7. Your 'Add Context settings' should now look as follows, with a red 'X' identifying the excluded OU. Click OK.
      User-added image
    8. At this point, save your changes. Click the next three OK buttons and then click Save and Deploy.
  2. Define an Include Context for your extraneous GCs. (Skip this step if you have only one domain controller listed in the Directory Agent page. Jump to step 3 below, "Send your updated user and group settings to the hybrid service.")
    1. From the Directory Agent page, locate an extraneous domain controller under the 'Name or IP Address' column and then click the link.
      User-added image
    2. If 'Default context' appears in the context column, tick the box and delete it as shown in the following image. You must remove the default context before adding additional entries.
      User-added image
   

 
    3. From the same window, click the Add button. At this point, you can add a valid context.
      • Any other action produces the following error.
        User-added image
    4. Add an Include Context. (The following image illustrates the next four steps.)
      1. Browse the tree and click the OU that represents the placeholder for synchronizing your single unused user account. (Note The OU and user account were created in Phase I above. The extraneous domain controller will only synchronize directory objects within this OU; all other directory objects outside this OU are ignored.)
      2. Click the 'Set as Include Context' button.
      3. The Specify Include Context window appears.
      4. Choose your filters and then click OK.
        User-added image
    5. At this point, save your changes. Click the next three OK buttons and then click Save and Deploy.
  3. Send your updated user and group settings to the hybrid service.
    1. Navigate to Settings > Hybrid Configuration > Scheduling > Send User Data.
    2. Click the Send button as shown.
      User-added image
  4. Check hybrid status.
    1. Navigate to Main > Status > Hybrid Service > Sync Service Communication Results.
    2. Look for a successful result in the 'Directory information sent by Sync Service' communication type column. The following image shows a failed attempt.
      User-added image
    • Note It may take several minutes for your updates to work their way across all Forcepoint Data Centers. Periodically click the Refresh button to update the sync results.
      User-added image


Phase IV: How to resolve a failed user and group sync with hybrid service

For ease of troubleshooting, it is best practice to install the Directory Agent and Sync Service components on the same server. Installing these components with Log Server allows access to configuration files, logging data and debugging options. If you have a failed synchronization with hybrid service, complete the following steps.

If the Sync status has failed:
  1. Stop Sync Service and Directory Agent service (DAS). Stop Sync Service first.
  2. Navigate to the "C:\Program Files (x86)\Websense\Web Security\bin\ssdata" folder.
    1. Back up the ssdata folder.
    2. Delete the contents of the ssdata folder.
  3. Navigate to the "C:\Program Files (x86)\Websense\Web Security\bin\snapshots" folder.
    1. Back up the snapshots folder.
    2. Important DO NOT delete the backup folder.
    3. Delete the temp folder and all other files residing in the snapshots folder.
  4. Restart Sync Service and Directory Agent service (DAS). Start Directory Agent first.
  5. Log into Forcepoint Security Manager and navigate to Settings > Hybrid Configuration > Scheduling.
  6. Click the Send buttons for 'Send User Data' and 'Send Policy Data Now' as shown. The process to update your policy and user data across all Data Centers is scheduled.
    User-added image
  7. To view the hybrid service status, navigate to Main > Status > Dashboard > Hybrid Service > Sync Service Communication Results, and then click the Refresh button.
    • Typically the update should occur within several minutes. However, for a large organization with thousands of directory objects and multiple policies, the synchronization process may take 30 minutes to an hour to complete.
    • All green checkmarks means the sync was successful.
      User-added image
  8. Run Sync Viewer when communication results are not positive, as shown below.
    User-added image
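Steps 1 to 4 of the reset above have two ordering rules (stop Sync Service first, start Directory Agent first) and one thing that must survive (the backup folder under snapshots). The script below is an added example, not a Forcepoint script, that applies them in order; the service display-name patterns and the backup location are assumptions, so confirm the names with Get-Service before running it as Administrator on the Sync Service server.

```powershell
# Added example (not Forcepoint's own script): Phase IV steps 1-4 in order.
# Assumptions: service display names match '*Sync Service*' and '*Directory Agent*';
# backups go under C:\Backup. Paths are the ones given in the article.
$ErrorActionPreference = 'Stop'
$bin       = 'C:\Program Files (x86)\Websense\Web Security\bin'
$stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupDir = Join-Path "$env:SystemDrive\Backup" "hybrid-sync-reset-$stamp"   # assumption

function Get-SingleService([string]$Pattern) {
    # Refuse to guess if the pattern is ambiguous on this server.
    $svc = @(Get-Service -DisplayName $Pattern)
    if ($svc.Count -ne 1) { throw "Expected one service matching '$Pattern', found $($svc.Count)" }
    return $svc[0]
}
$syncSvc = Get-SingleService '*Sync Service*'      # assumption: display-name pattern
$daSvc   = Get-SingleService '*Directory Agent*'   # assumption: display-name pattern

# Step 1: stop Sync Service first, then Directory Agent.
$syncSvc | Stop-Service -Force
$daSvc   | Stop-Service -Force

# Step 2: back up ssdata, then delete its contents.
$ssdata = Join-Path $bin 'ssdata'
New-Item -ItemType Directory -Path $backupDir | Out-Null
Copy-Item -Path $ssdata -Destination $backupDir -Recurse
Get-ChildItem -Path $ssdata -Force | Remove-Item -Recurse -Force

# Step 3: back up snapshots, then delete the temp folder and every other file,
# keeping the 'backup' folder intact as the article requires.
$snapshots = Join-Path $bin 'snapshots'
Copy-Item -Path $snapshots -Destination $backupDir -Recurse
Get-ChildItem -Path $snapshots -Force |
    Where-Object { -not ($_.PSIsContainer -and $_.Name -eq 'backup') } |
    Remove-Item -Recurse -Force

# Step 4: start Directory Agent first, then Sync Service.
$daSvc   | Start-Service
$syncSvc | Start-Service
"Reset complete; copies are in $backupDir. Continue with step 5 (Settings > Hybrid Configuration > Scheduling)."
```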
 
To run Sync Viewer:
  1. Open a web browser and enter the following URL:
    • http://<Sync Service IP>:55832/viewer
    • where "Sync Service IP" is the IP address of the server with Sync Service installed.
  2. Sync Viewer displays all issues and errors Sync Service encounters when attempting to send data to the hybrid service.
  3. When a problem exists, the information returned to Sync Viewer may help identify the problem.
  4. Once users and policies are successfully synchronized, your users should receive correct policy enforcement.
  5. The Hybrid Authentication Report shows you who is using the hybrid service. The displayed pie chart shows all users and how they are identified. For granular details, click any pie chart element.
