Important: Some of the technical information covered in this guideline is considered legacy, and is maintained primarily for historical reference. Please contact the Authentic8 Support team for the latest configuration details based on your organization's existing (Firewall) solution


Secure Web Gateway Integration (SWGI) provides enterprise customers with the functionality to redirect web browser requests over to the Silo for Safe Access environment, rather than through the local machine's default web browser



Technical Details

When a SWGI designated website is accessed via a hyperlink, or by manually entering a URL, the request is processed within the Silo for Safe Access environment


The URL forwarding process is completed by setting proxy service tokens for the designated sites


Prerequisites

  1. Silo Access Portal must be configured
  2. A good working knowledge of your Firewall or Web Proxy service, along with setting of tokens

User Experience

There are three basic SWGI user paths:

  1. A SWGI designated URL pass on a machine with the Silo Windows client installed can be launched directly into Silo for Safe Access — with prompt or no-prompt
  2. A SWGI designated URL can be launched directly into the Silo Web Client — with prompt or no-prompt

Configuration

The basic SWGI configuration steps are:

  1. Silo Portal Configuration
  2. Determine the designated sites to be rendered in Silo for Safe Access
  3. Request an SWGI token from Authentic8 Support
  4. Configure your proxy service with the SWGI tokens for the designated sites, based on your use-case


Silo Portal Configuration

The Silo Portal configuration step consists of setting the Silo Access Portal URL; this URL must be set with an active link for the SAML configuration to work


This is a custom URL value, which activates the Silo Access Portal for your organization



From the Silo Admin Console, click Manage right below Policies, then navigate to Access & Authentication > Silo Access Portal > Edit




Set the Silo Access Portal URL value and click Save




SWGI Token Settings

SWGI functionality is driven by using tokens to validate URL handling requests from the customer and forwarding all designated sites to be rendered in Silo.


The general syntax is: getsilo.com/launch/<vanity_url>/<token>/?url=destination URL


Required Settings

| # | Setting | Definition |
|---|---------|------------|
| 1 | <Portal ID> | The Silo Access Portal URL |
| 2 | <token> | The required token provided by Authentic8 Support to initiate SWGI |
| 3 | url=destination URL | The destination URL is the URL that is to be rendered in Silo via SWGI. The destination URL must be encoded for SWGI to work |

 


Customization Settings

The SWGI page flow can be customized by using these customization settings.


1. require_click
  Action
  • A True setting requires the user to explicitly click on a launch button
  • A False setting prevents the Launch Silo page from displaying
  • The default setting (i.e., when the argument is not present) is True
  Notes
  • For both SSO and PIN customers.
  • It can be used in combination with (2) skip_welcome
  • Please see examples #2 and 4 below

2. skip_welcome
  Action
  • A True setting skips the Welcome page
  • A False setting displays the Welcome page
  • The default setting (i.e., when the argument is not present) is False
  More Info
  • For both SSO and PIN customers.
  • It can be used in combination with (1) require_click.
  • Please see examples #3 and 4 below



Web Proxy Setting Examples

1. An example containing the least number of required settings

getsilo.com/launch/<vanity_url>/<token>/?url=destination URL

Based on the default values for the missing customized setting arguments (i.e., require_click and skip_welcome) the Welcome page will be displayed, and the Launch Silo page will be displayed

2. A require_click example, with require_click=true

getsilo.com/launch/<vanity_url>/<token>/?url=destination&require_click=true

The Launch Silo page will be displayed with an explicit click being required on the first pass and every pass thereafter to launch the designated site in Silo

3. A skip_welcome example, with skip_welcome=true

getsilo.com/launch/<vanity_url>/<token>/?url=destination URL&skip_welcome=true

The Welcome page will be skipped, based on the setting of skip_welcome to True

4. An example with skip_welcome set as true and require_click set as false

getsilo.com/launch/<vanity_url>/<token>/?url=destination URL&skip_welcome=true&require_click=false

Based on the customization settings, the Welcome page will not be displayed, while the Launch Silo page will be displayed and automatically open the URL in Silo



More Info:

The default settings (i.e., when the argument is not present) for require_click is True and for skip_welcome is False
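As an added example (not Authentic8's code), this Python helper builds a launch URL from the syntax and customization settings above. It shows why the destination must be encoded: without encoding, the destination's own query string would be read as SWGI arguments. The https:// scheme, the portal name example-portal and the token EXAMPLE-TOKEN are assumptions or constructed placeholders.

```python
from urllib.parse import quote, urlsplit, parse_qs

LAUNCH_BASE = "https://getsilo.com/launch"  # assumption: the page shows the host without a scheme
ADDRESS_BAR_LIMIT = 2047  # address-bar cap quoted under User Interface (UI) Limits


def build_swgi_url(vanity_url, token, destination, require_click=None, skip_welcome=None):
    """Return the launch URL for one destination, or raise ValueError."""
    parts = urlsplit(destination)
    # Forwarded traffic is limited to HTTP/HTTPS, so reject anything else up front.
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("destination must be an absolute http(s) URL")
    # safe="" also encodes '/', '?', '&' and '=', so the destination's own query
    # string cannot be read as extra SWGI arguments (e.g. a stray require_click).
    query = ["url=" + quote(destination, safe="")]
    # Omitted arguments fall back to the documented defaults
    # (require_click=True, skip_welcome=False).
    if skip_welcome is not None:
        query.append("skip_welcome=" + ("true" if skip_welcome else "false"))
    if require_click is not None:
        query.append("require_click=" + ("true" if require_click else "false"))
    path = "/".join(quote(p, safe="") for p in (vanity_url, token))
    url = f"{LAUNCH_BASE}/{path}/?{'&'.join(query)}"
    if len(url) > ADDRESS_BAR_LIMIT:
        raise ValueError(f"launch URL is {len(url)} chars, over {ADDRESS_BAR_LIMIT}")
    return url


def launch_args(url):
    """Parse a launch URL back into its query arguments, as a receiver would."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    # Constructed sample values; a real token comes from Authentic8 Support.
    dest = "https://intranet.example/search?q=a&require_click=false"
    print(build_swgi_url("example-portal", "EXAMPLE-TOKEN", dest, skip_welcome=True))
```

Parsing the result with launch_args returns the original destination intact under url, and no require_click argument appears at the top level.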




SWGI Process Pages

SWGI functionality has a set of process pages, which primarily deal with ensuring that Silo for Safe Access is installed and that SWGI will function correctly


SWGI Page Definition

This table lists the SWGI pages, along with a general description and display frequency

| # | Page Name | Description | Display Frequency |
|---|-----------|-------------|-------------------|
| 1 | Welcome | A welcome page providing options for users to learn about Silo, proceed with Silo Setup and the SWGI process | One-time, on a new user's initial pass |
| 2 | About Silo | A general information page on the Silo product | One-time, on a new user's initial pass |
| 3 | Silo Setup | A page for Silo setup, providing a download and install link | One-time, on a new user's initial pass |
| 4 | Silo Sign-in | A page displayed for PIN users only, requiring a sign-in to proceed with the SWGI process | One-time, on a new user's initial pass |
| 5 | Troubleshooting | A page providing troubleshooting options on setting-up and launching Silo | One-time, on a new user's initial pass |
| 6 | Download and Install | Provides Silo downloading and installation for SWGI users and is linked from the Troubleshooting page | One-time, on a new user's initial pass |
| 7 | Silo Support | Provides mail contact to Support, linked from the Troubleshooting page | One-time, on a new user's initial pass |
| 8 | Launch Silo | A page that provides a button for the launching of the designated URL in Silo | Displayed on every SWGI pass |
| 9 | Relaunch Silo | Follows the same functionality as the Launch Silo page | One-time, on a new user's initial pass |
| 10 | Silo | The designated site is rendered in Silo | Displayed on every SWGI pass |



SWGI Page Flow

The following diagram details the SWGI page flow for both SAML SSO and PIN authentication




SWGI Page Definition

Please see SWGI Process Pages for complete display, content and navigation information, for all SWGI pages


Best Practices

This section provides a set of additional requirements and best practices that need to be reviewed, since some tasks are required to make the SWGI process work


The additional requirements and best practices are divided into three areas:

  • HTTP/HTTPS Whitelisting

  • User Interface (UI) Limitations

  • Forwarded Traffic Limitations

HTTP/HTTPS AllowList

This table lists the URLs to be whitelisted, along with the reason for AllowListing, and whether AllowListing the URL is required or optional for SWGI to perform properly. The URLs that are listed as required must be provisioned in the AllowList, or the SWGI process may not run successfully


| # | URL | Reason for Whitelisting | Required/Optional |
|---|-----|-------------------------|-------------------|
| 1 | authentic8.com | Domain | Required |
| 2 | getsilo.com | Domain | Required |
| 3 | yui-s.yahooapis.com | Not whitelisting this URL will break the SWGI process | Required |
| 4 | s.yimg.com | Not whitelisting this URL will break the SWGI process | Required |
| 5 | d3ebp2875iucq9.cloudfront.net | Not whitelisting this URL will break the SWGI process, by causing icon issues | Required |
| 6 | d1fyc34zgepog4.cloudfront.net | Not whitelisting this URL will break the SWGI process, by causing client downloading issues | Required |
| 7 | fonts.googleapis.com | Not whitelisting will not break the SWGI process, but it may generate display issues | Optional |
| 8 | fonts.gstatic.com | Not whitelisting will not break the SWGI process, but it may generate display issues | Optional |
| 9 | ssl.google-analytics.com | Not whitelisting will not break the SWGI process or generate display issues, but it may impact Google analytic reporting | Optional |
| 10 | www.google-analytics.com | Not whitelisting will not break the SWGI process or generate display issues, but it may impact Google analytic reporting | Optional |



Additionally, proxy rules for the HTTP/HTTPS set should be restricted to HTTP/HTTPS protocols. Narrowing the rules to these protocols varies by proxy vendor and it's advised to review the proxy vendor's documentation


User Interface (UI) Limits

Beyond the underlying limitations, the UI also enforces various limits around URL length. For instance, the browser address bar is capped at 2047 characters. Start > Run is limited to 259 characters (the MAX_PATH limit is 260, which leaves one character for the null-terminator). Internet Explorer versions up to version 11 do not allow you to bookmark URLs longer than 260 characters. The Windows RichEdit v2 control’s Automatic Hyperlink behavior (EM_AUTOURLDETECT) truncates the link after around 512 characters; this limit is higher in RichEdit5W controls



Forwarded Traffic Limitations

For the best SWGI performance, forwarded traffic should be limited to HTTP/HTTPS traffic only

Additional Resources


Please contact Support for any additional questions