Enable Executive Spoofing feature in ForcePoint Cloud

The Internal Executive Spoofing feature provides protection against spear phishing attacks targeting individuals within your organization. Such emails may come from legitimate (non-spoofed) email addresses, thereby passing other spoofing checks, but use the display name of a known user (often an executive), with the intention of tricking employees into sending money or information.

To enable the internal executive spoofing check:

1. Select Apply internal executive spoofing check to these names.
2. Click the these names link to configure the list of executives and their approved email addresses:
   – Click Add, and enter a first name and last name (both fields are required). Various combinations of the name are protected (for example, "John Smith" as well as "Smith, John").
   – Enter a list of approved email addresses for the executive, separated with a comma or a line break. This list should include any addresses the executive uses, including work or personal addresses.
   – Click Add to repeat the process for each executive whose name and addresses you wish to check. Click Save when finished.
3. Select an action to perform on messages detected as potentially spoofed.

The options are:

  1. Quarantine. This is the default option. Messages are kept in quarantine for up to 30 days.
  2. Discard. Spoofed messages are discarded.
  3. Tag subject with. The subject line of each spoofed message is tagged with a custom tag that you enter.

Outlook Crash and Add-in Problem in Outlook 2016

Over the last week, five staff in our office have started to have random crashes of Outlook 2016. The issue is not reproducible at will and in each case, Outlook restarts and opens an error dialogue banner stating that add-ins have caused Outlook to start slowly or crash.

I started to troubleshoot and found out that workstations without the Forcepoint client installed are not having this issue.

So the first thing I did was add the application to the bypass endpoint policy in the Forcepoint admin portal.

And then I checked with Forcepoint and found out they had released a new endpoint client that resolves this issue.

After deploying the new endpoint client using GPO, the problem was resolved.

Difference between Forcepoint Proxy Connect and Direct Connect

I have outlined the major differences between Proxy Connect and Direct Connect.

1) Proxy Connect enforces a PAC file, whereas Direct Connect Endpoint does not

– Applications can often struggle when reading PAC files

– Since Direct Connect Endpoint doesn't enforce any internet settings, you are free to configure these however you would like.

2) Direct Connect connects directly to the origin server of the site

– Purple.com resolves to 153.104.63.227

– With Direct Connect Endpoint, your PC connects directly to 153.103.63.227 (unless you use a different proxy)

– With Proxy Connect Endpoint, your PC connects to one of our clusters

– Essentially, if our clusters all start failing, you won't be impacted with Direct Connect Endpoint

– No proxy means internet browsing will be quicker with Direct Connect Endpoint

3) Scanning

– Proxy Connect Endpoint traffic is intercepted and scanned by the Cloud Proxy

– With Direct Connect Endpoint, once the traffic is received it is uploaded to the disposition server to scan, so it's normally quicker; for sites we scan, it could technically become slightly slower

4) Fewer issues

– Direct Connect Endpoint means you won't come across some of the more disruptive issues which can sometimes occur with Proxy Connect, such as authentication pop-ups and websites blocking our clusters (this does happen!)

– With Proxy Connect you have to enter the egress IP of the location you are at in order to get your credentials.

– Direct Connect connects to the cloud all the time, and therefore does not need to connect to any proxy.


Endpoint connectivity for the Proxy Connect and Direct Connect endpoint versions is illustrated in the following diagram.

The diagram shows the two different endpoint versions servicing a web request:

1. In the first scenario, the Proxy Connect endpoint directs all web traffic via the cloud proxy. If the request is permitted, the proxy connects to the requested website and sends content back to the end-user client. (If the request is blocked, the user is shown a block page.)
2. In the second scenario, a web request via the Direct Connect endpoint consists of two stages:
   a. The endpoint connects to the cloud service to look up the user's policy settings for the requested site.
   b. If the request is permitted, the client then sends the request directly to the Internet. (If the request is blocked, the user is redirected to a block page.)

If required, you can deploy a combination of Proxy Connect and Direct Connect endpoints in your organization. However, only one endpoint instance can be installed on a client machine at any one time.

Forcepoint DLP Endpoint agents not registering with the Management Server.

Open the URL in your management server.

http://localhost:17515/data-batch-services/

You should see two folders listed here:

WEB-INF
META-INF

If you only have one, this is most likely what is causing the lack of endpoint updates. To resolve this, stop and disable the Data Security Batch Server service from services.msc, then go to the folder

C:\Program Files (x86)\Websense\Data Security\Data-Batch-Server\service-container\container\work

and move all of the folders in here to a new folder.

Now start the Data Security Batch Server service again. Give it a few minutes, then re-check the URL

http://localhost:17515/data-batch-services/

and check whether both META-INF and WEB-INF are now listed.

If so, check whether the endpoints are now showing as updated.

Forcepoint Web Proxy PAC file.

function FindProxyForURL(url, host) {

    host = host.toLowerCase();
    url = url.toLowerCase();

    // If the hostname is one of these domains (or a subdomain of one), send direct.
    if (dnsDomainIs(host, ".apple.com") || host == "apple.com" ||
        dnsDomainIs(host, ".skype.com") || host == "skype.com" ||
        dnsDomainIs(host, ".office365.com") || host == "office365.com" ||
        dnsDomainIs(host, ".azure.com") || host == "azure.com" ||
        dnsDomainIs(host, ".altium.com") || host == "altium.com") {
        return "DIRECT";
    }

    // Internal services on greenhulk (ports 8080-8083), send direct.
    // shExpMatch matches the whole string, so wildcards are needed around the host:port pattern.
    if (shExpMatch(url, "*greenhulk:8080/*") || shExpMatch(url, "*greenhulk:8081/*") ||
        shExpMatch(url, "*greenhulk:8082/*") || shExpMatch(url, "*greenhulk:8083/*")) {
        return "DIRECT";
    }

    // URLs containing any of these strings bypass the proxy.
    // Wildcards are required: shExpMatch(url, "office365") only matches the literal
    // string "office365", never a full URL, so the bare entries would never fire.
    var allowedUrls = new Array(
        "*office365*",
        "*gov.il*",
        "*mrclab.com*",
        "*sharepoint*",
        "*cloudapp*",
        "*outlook.cn*",
        "*microsoftonline*",
        "*netflix*"
    );

    for (var i = 0; i < allowedUrls.length; i++) {
        if (shExpMatch(url, allowedUrls[i])) {
            return "DIRECT";
        }
    }

    // Plain hostnames (no dots) are on the internal LAN, send direct.
    if (isPlainHostName(host)) {
        return "DIRECT";
    }

    // Everything else goes via the proxy, falling back to direct if the proxy is unreachable.
    return "PROXY Servername.Domain.com:8080; DIRECT";
}
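Every entry in a bypass list like the one above sends traffic DIRECT, around the cloud proxy, so it is worth checking offline which URLs actually escape before the PAC is deployed. The harness below is an added example (not code from the page or from Forcepoint): it re-implements the standard dnsDomainIs, shExpMatch and isPlainHostName helpers, and the proxy name proxy.example.com and the sample URLs are constructed for the test.

```javascript
// Standard PAC helper semantics, re-implemented so the rules can run outside a browser.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.substring(host.length - domain.length) === domain;
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function shExpMatch(str, shexp) {
  // Shell glob to an anchored regex: '*' -> '.*', '?' -> '.', everything else literal.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
// Hostname of a URL, parsed by hand since PAC engines have no URL class.
function hostOf(url) {
  return url.replace(/^[a-z]+:\/\//i, "").split("/")[0].split(":")[0].toLowerCase();
}

// Two bypass lists in the style of the PAC above: bare strings versus wildcard patterns.
var BARE_PATTERNS = ["office365", "netflix"];         // never match a full URL under shExpMatch
var WILDCARD_PATTERNS = ["*office365*", "*netflix*"]; // match the keyword anywhere in the URL

// Same decision order as the PAC: domain list, URL pattern list, plain hostnames, else proxy.
function decide(url, patterns) {
  var host = hostOf(url);
  url = url.toLowerCase();
  if (dnsDomainIs(host, ".apple.com") || host === "apple.com") return "DIRECT";
  for (var i = 0; i < patterns.length; i++) {
    if (shExpMatch(url, patterns[i])) return "DIRECT";
  }
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy.example.com:8080; DIRECT"; // constructed proxy name
}

// Returns the sample URLs that escape the proxy under a given bypass list.
function auditBypass(patterns, urls) {
  return urls.filter(function (u) { return decide(u, patterns) === "DIRECT"; });
}

// Constructed sample traffic, including a lookalike host that merely contains a bypass keyword.
var SAMPLE_URLS = [
  "https://www.apple.com/mac",
  "https://outlook.office365.com/mail",
  "http://greenhulk:8080/",
  "https://lookalike.example/netflix-login",
  "https://www.example.com/"
];
```

Run against the sample set, the bare list lets only apple.com and the plain hostname bypass (the office365 entry never fires), while the wildcard list also bypasses the lookalike host because `*netflix*` matches the keyword in any position; tighter patterns such as `*.netflix.com/*` or a dnsDomainIs check on the host avoid that.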
