Introduction to the F1E Inline Proxy

The Forcepoint DLP Inline Proxy, which runs locally on the F1E Endpoint Client machine, is the preferred way to enforce web policies and is intended to replace the use of F1E browser extensions.

As described in the Tech Alert Urgent Action Required for DLP Endpoint Customers - Enable Inline Proxy Functionality Before June 2024 and the Inline Proxy FAQ, Google is planning on dropping support for Manifest V2 browser extensions, which includes the Forcepoint extension, starting on June 2024. Customers are recommended to configure and utilize the Inline Proxy as soon as possible on F1E environments.

In the Inline Proxy mode, DLP Administrators can choose how they want the web traffic to be 
captured and sent to the inline proxy.

There are 2 options, and both are enabled by default:

1. Set System PAC - This setting is used to enable or disable the endpoint agent from setting itself as an explicit proxy via PAC file on the machine
2. Enable Driver to Capture Web Traffic - This setting is used to enable or disable the driver on the endpoint agent that is used to capture web traffic

By default, both the Driver and PAC are set and used by the Inline Proxy. However, if there is a third-party proxy that is using either a driver or setting the PAC file, then it is possible to choose to use only the System PAC or only the Forcepoint Driver to monitor traffic. If additional Forcepoint Agents are in use, see Inline Proxy Interoperation with Other Forcepoint Products below.

Note that if the Forcepoint Driver is disabled, applications which are not PAC-aware will not have their traffic 
redirected to the Inline Proxy.

Starting with F1E v23.04 and DLP v10.0, administrators can add or remove applications for the F1E driver to monitor in the Endpoint Inline Proxy Mode within the Included Applications list found under the Properties Tab of each Endpoint Profile. Removing an application from the list causes the Inline Proxy driver to stop monitoring web traffic originating from that application. The Included Applications list only applies to the Inline Proxy Driver (not related to monitoring using the System PAC) and contains commonly used browser process names by default. The Included Applications list is currently limited to 50 entries.
 

Inline Proxy SSL Decryption & Bypass

The Inline Proxy carries out local SSL decryption on the Endpoint Client to perform required DLP analysis of browser SSL communications which may contain sensitive content. Content is decrypted locally and is re-encrypted before leaving the Endpoint.

• Some websites will not display or function correctly when there is a proxy performing SSL decryption of the traffic as means of preventing man-in-middle attacks. In these circumstances, a SSL decryption bypass can be performed:
  • In DLP v10.1, the ability to exclude domains from SSL Bypass via the DLP Manager UI was added and is found under General > Endpoint > Advanced Tab
    • This option is supported with F1E v23.11 and later.
    • The limit for this feature is 250 URLs.
  • Websites added to the SSL bypass will still pass through the local Inline Proxy, but the encrypted traffic will not be decrypted. This means that DLP policies will not be applied to encrypted content for this website.

Inline Proxy JavaScript Injection

For websites which perform End-to-End (E2E) encryption (most commonly file sharing websites), the Inline Proxy cannot always inspect the traffic reliably. In response, Forcepoint has introduced a JavaScript Injection feature to F1E. JavaScript Injection is a method used by Forcepoint F1E to intercept actions that the user takes to upload files within a browser. Though initially required to support DLP over End-to-End encrypted sites, such like messaging applications, this functionality is also needed for certain websites in which file uploads are done using chunking or other methods which are not easily decrypted. This feature allows the F1E agent to obtain the file locally and use it for the DLP analysis.

Prior to F1E v23.11, DLP Administrators needed to manually add every website to include for JavaScript Injection, which required a manual change to the configuration using a custom_config file.
As of F1E v23.11, the default behavior was changed to include all websites in general for JavaScript Injection. Instead, F1E now uses an exclusion list to include URLs that are suspected to be experiencing traffic disruptions when using JavaScript Injection.

Manually Creating a JavaScript Injection Exclusion List (Prior to Forcepoint DLP v10.2 & F1E v24.03 only):

• Create a custom_config.enc file encrypted according to the instructions in Customizing F1E Inline Proxy JavaScript Injection with custom_config.enc.

Starting from Forcepoint DLP v10.2, the ability to add URLs to the exclusion list was added to the DLP Manager UI within each Endpoint Profile under the Properties Tab > Excluded Domains for JavaScript Injection.

• This feature requires F1E v24.03 or later. For earlier F1E releases (even if the DLP Manager environment is on v10.2), this table will not take effect and requires manually deploying a custom configuration file to each Endpoint as described above.
• Not all websites require JavaScript Injection for monitoring, but in some cases, JavaScript Injection can cause websites to not display or function correctly, hence the necessity of an exclusion list. 
• The limit for this feature is 250 URLs.

Inline Proxy Port Forwarding

Additionally, the ability to set up port forwarding for third-party agents was also added in DLP v10.1 & F1E v23.11.

• The port forwarding feature allows environments using more than one local proxy to specify multiple IP addresses and port numbers of these local proxies to F1E, thus enabling the Inline Proxy to forward the web traffic to the environment's local proxies. 
• This feature can be used if a third-party agent is also running on the F1E machine which is intercepting traffic using a PAC file and redirecting it to a local proxy. In this case, the IP address and port of the local proxy need to be configured to ensure the Forcepoint F1E Endpoint also receives the traffic:
  • This option is in the Endpoint Profile > Properties Tab under Enter the IP address and port number of the local proxy to which the traffic should be forwarded from the inline proxy
  • When this feature is enabled and configured, the Inline Proxy will listen on the specified port, intercept and analyze the data, and then release it to its original destination.
  • To use this feature, "Set System PAC" must be disabled, as the F1E will only use the driver to perform this functionality.

Inline Proxy Interoperation with Other Forcepoint Products

• The supported combinations of the F1E DLP Inline Proxy with other F1E Agents is described in Forcepoint Agent Compatibility (F1A, F1E, NEO, SEA)
• F1E DLP using Inline Proxy Mode is NOT compatible with Neo or F1A.
• F1E Web (PCEP/DCEP) is NOT compatible with Neo or F1A.

Additional Resources

Additional information about the Inline Proxy component can be found in the following articles:

• Inline Proxy FAQ
• Video: Configuring the DLP F1E Inline Proxy

Featured Inline Proxy Articles

The remainder of this article lists Inline Proxy articles relevant to specific F1E versions:

Table of Contents

• F1E v22.12 (BETA)
• F1E v23.04
• F1E v23.10
• F1E v23.11+
• Related Resources

F1E v22.12 (BETA)

• 22.12 Release Notes - Initial implementation of the Inline Proxy in a beta state.
• Forcepoint F1E 22.12 DLP Inline Proxy (Beta Implementation) - Installation and configuration steps for the F1E v22.12 beta implementation of the Inline Proxy. Forcepoint recommends customers upgrade to latest version if possible.

F1E v23.04

• Enabling Inline Proxy Mode in FSM - Latest deployment steps from the F1E End User Guide documentation
• Configuring F1E Inline Proxy on Zscaler/Bitglass PAC Environments - Additional configuration changes may be needed for the Forcepoint F1E DLP Inline Proxy to function along other  proxy technologies.
• Unable to use ChatGPT on Inline Proxy DLP F1E Configurations - Excluding SSL Decryption on additional domains to prevent errors using the OpenAI ChatGPT client.
• F1E Inline Proxy SSL Bypass Modifications Not Applied on Forcepoint DLP v10.0 - Forcepoint Security Manager 10.0 limits how many entries in the SSL Bypass list you can list in the UI.

F1E v23.10

F1E v23.11+

• Release Notes for Forcepoint F1E v23.11
• Enabling Inline Proxy Mode in FSM - Latest deployment steps from the F1E End User Guide documentation.
• Customizing F1E Inline Proxy JavaScript Injection with custom_config.enc - custom_config.enc can be utilized to configure the end-to-end encryption JS injection feature in 4 different modes.
• Configuring F1E Inline Proxy on Zscaler/Bitglass PAC Environments - Additional configuration changes may be needed for the Forcepoint F1E DLP Inline Proxy to function with other proxies.
• Unable to use ChatGPT on Inline Proxy DLP F1E Configurations - Bypass SSL Decryption on additional domains to prevent errors using the OpenAI ChatGPT client.
• F1E Inline Proxy SSL Bypass Modifications Not Applied on Forcepoint DLP v10.0 - The inline proxy configuration file has a limited character count on Forcepoint DLP v10.0.
• Adding Domains to the SSL Bypass List - Starting on DLP v10.0, Excluded Domains For SSL Decryption can be configured in the FSM
• Port Forwarding to Support Third Party Agents

Related Resources

• Inline Proxy FAQ - Google has announced the discontinuation of support for browser-based extensions by June 2024. This FAQ helps answer questions you may have on moving to the alternative inline proxy setup.
• Forcepoint Agent Compatibility (F1E, NEO, SEA) - Configuration updates needed if using inline proxy in conjunction with Forcepoint's other endpoint software.
• VPN Disconnects Frequently with F1E Inline Proxy Active
• Inline Proxy Fails to Intercept Traffic When Connected to VPN
• Distributing custom_config.enc to Multiple DLP Endpoints Using Group Policy
• Video: Configuring the DLP F1E Inline Proxy - Footage and topics covered in this video are from a v23.04 F1E connected to a Forcepoint DLP v10.1 environment and may differ in appearance from later versions.
• Office Hours: Forcepoint DLP Inline Proxy - November 14, 2023
• Office Hours: Inline Proxy Ask Me Anything - February 8th, 2024