Difference between Forcepoint proxy connect and direct connect

I have outlined the major differences between proxy connect and direct connect.

1) Proxy connect enforces a PAC File, whereas Direct Connect Endpoint does not

– Applications can often struggle when reading PAC Files

– Since Direct Connect Endpoint doesn’t enforce any internet settings, you are free to configure these however you would like.

2) Direct Connect connects directly to the origin server of the site

– Purple.com resolves to 153.104.63.227

– With Direct Connect endpoint, your PC connects directly to 153.103.63.227 (unless you use a different proxy)

– With proxy connect endpoint, your PC connects to one of our clusters

– Essentially if our clusters all start failing, with direct connect endpoint you won’t be impacted

– No proxy means internet browsing will be quicker with Direct Connect Endpoint

3) Scanning

– Proxy Connect Endpoint traffic is intercepted/scanned by the Cloud Proxy

– With Direct Connect Endpoint, once the traffic is received it is uploaded to the disposition server to scan. It is therefore normally quicker, although with sites we scan it could technically become slightly slower

4) Fewer issues

– Direct Connect Endpoint means you won’t come across some of the more disruptive issues which sometimes can occur with proxy connect such as:

Authentication Pop-ups, Websites blocking our clusters (this does happen!)

With proxy connect you have to enter the egress IP of the location you are at in order to get your credentials.

Direct connect will connect to the cloud all the time, and therefore will not need to connect to any proxy.


Endpoint connectivity

An overview of connectivity for the Proxy Connect and Direct Connect endpoint versions is illustrated in the following diagram.

The diagram shows the two different endpoint versions servicing a web request:

1. In the first scenario, the Proxy Connect endpoint directs all web traffic via the cloud proxy. If the request is permitted, the proxy connects to the requested website and sends content back to the end-user client. (If the request is blocked, the user is shown a block page.)
2. In the second scenario, a web request via the Direct Connect endpoint consists of two stages:
   a. The endpoint connects to the cloud service to look up the user’s policy settings for the requested site.
   b. If the request is permitted, the client then redirects the request directly to the Internet. (If the request is blocked, the user is redirected to a block page.)

If required, you can deploy a combination of Proxy Connect and Direct Connect endpoints in your organization. However, only one endpoint instance can be installed on a client machine at any one time.
