Overview

Secure Web Gateway Integration (SWGI) provides enterprise customers with the functionality to allow their users to visit designated sites securely via Silo, rather than through their default browser.


The primary purpose of this guide is to provide Silo administrators with the SWGI configuration steps, along with a general guide on installation and set-up.


Technical Details

When a user attempts to access a SWGI designated site, either via a link or by entering a URL, the user is authenticated and the site is rendered in Silo, and not in the default browser.


The URL forwarding process is completed by setting proxy service tokens for the designated sites.


Prerequisites

  1. A working Silo enterprise installation.
  2. Silo Access Portal must be enabled.
  3. A good working knowledge of your proxy service and the setting of tokens.


User Experience

There are three basic SWGI user paths:

  1. A first time pass on a device with Silo not installed, requires a user to download and install Silo while stepping through the SWGI process.
  2. A first time pass on a device with Silo installed, allows the user to skip the Silo setup process and go directly to launching Silo.
  3. For all subsequent SWGI access after the initial pass, the user will see at most a single page regarding the launching of Silo.


Configuration

The basic SWGI configuration steps are:

  1. Silo Portal Configuration
  2. Determine the designated sites to be rendered in Silo.
  3. Request an SWGI token from Authentic8 to be used.
  4. Configure your proxy service with the SWGI tokens for the designated sites, based on your customized needs.
    Note: It is advised to review your SWG service provider's documentation prior to starting.


Silo Portal Configuration

The Silo Portal configuration step consists of setting the Silo Access Portal URL; this URL must be set with an active link for the SAML configuration to work.


This is a custom URL that your users will go to when accessing the Silo Access Portal.


From the Silo Admin Console, navigate to the Silo Portal configuration page.


Set the Silo Access Portal URL


Press Save
 

SWGI Token Settings

SWGI functionality is driven by using tokens to validate URL handling requests from the customer and forwarding all designated sites to be rendered in Silo.


The general syntax is the following:


getsilo.com/launch/<Portal ID>/<token>/?url=destination URL


Required Settings

#
Setting
Definition
1
<Portal ID>
The Silo Access Portal URL.
Note:  Please see Silo Portal Configuration above for additional information.
2
<token>
required token provided by Authentic8 Support to initiate SWGI.
3
url=destination URL
The destination URL is the URL that is to rendered in Silo via SWGI. The destination URL must be encoded for SWGI to work.

 


Note:
Please contact Support if you have any questions or require further assistance on SWGI tokens.


Customization Settings

The SWGI page flow can be customized by using these customization settings.


#
Setting
Action
1
require_click
  • A True setting requires the user to explicitly click on a launch button.
  • A False setting prevents the Launch Silo page from displaying.
  • The default setting (i.e., when the argument is not present) is True.
Notes
  • For both SSO and PIN customers.
  • It can be used in combination with (2) skip_welcome.
  • Please see examples #2 and 4 below.
2
skip_welcome
  • A True setting skips the Welcome page.
  • A False setting displays the Welcome page.
  • The default setting (i.e., when the argument is not present) is False.
Notes
  • For both SSO and PIN customers.
  • It can be used in combination with (1) require_click.
  • Please see examples #3 and 4 below.


Proxy Setting Examples

Here are four standard examples:

#
Example with Description
1
An example containing the least number of required settings.

getsilo.com/launch/<Portal ID>/<token>/?url=destination URL
Based on the default values for the missing customized setting arguments (i.e., require_click and skip_welcome) the Welcome page will be displayed, and the Launch Silo page will be displayed.
2
A require_click example, with require_click=true.

getsilo.com/launch/<Portal ID>/<token>/?url=destination&require_click=true

The Launch Silo page will be displayed with an explicit click being required on the first pass and every pass thereafter to launch the designated site in Silo.
3
skip_welcome example, with skip_welcome=true.

getsilo.com/launch/<Portal ID>/<token>/?url=destination URL&skip_welcome=true

The Welcome page will be skipped, based on the setting of skip_welcome to True.
4
An example with skip_welcome set as true and require_click set as false.

getsilo.com/launch/<Portal ID>/<token>/?url=destination URL&skip_welcome=true&require_click=false

Based on the customization settings, the Welcome page will be displayed, while the Launch Silo page will not be displayed.



Notes:
1. The default settings (i.e., when the argument is not present) for require_click is True and for skip_welcome is False.


2. Please contact Support if you have any questions or require further assistance on SWGI setup.


SWGI Process Pages

SWGI functionality has a set of process pages, which primarily deal with ensuring that Silo is installed and that SWGI will correctly work.


SWGI Page Definition

This table lists the SWGI pages, along with a general description and display frequency.

#
Page Name
Description
Display Frequency
1
Welcome
A welcome page providing options for users to learn about Silo, proceed with Silo Setup and the SWGI process.
One-time, on a new user's initial pass.
2
About Silo
A general information page on the Silo product.
One-time, on a new user's initial pass.
3
Silo Setup
 A page for Silo setup, providing a download and install link.
One-time, on a new user's initial pass.
4
Silo Sign-in
A page displayed for PIN users only, requiring a sign-in to proceed with the SWGI process.
One-time, on a new user's initial pass.
5
Troubleshooting
A page providing troubleshooting options on setting-up and launching Silo.
One-time, on a new user's initial pass.
6
Download and Install
Provides Silo downloading and installation for SWGI users and is linked from the Troubleshooting page.
One-time, on a new user's initial pass.
7
Silo Support
Provides mail contact to Support, linked from the Troubleshooting page.
One-time, on a new user's initial pass.
8
Launch Silo
A page that provides a button for the launching of the designated URL in Silo.
Displayed on every SWGI pass.
9
Relaunch Silo
Follows the same functionality as the Launch Silo page.
One-time, on a new user's initial pass.
10
Silo
The designated site is rendered in Silo.
Displayed on every SWGI pass.



SWGI Page Flow

The following diagram details the SWGI page flow for both Single Sign-on (SSO) and Pin customers.




SWGI Page Definition

Please see SWGI Process Pages for complete display, content and navigation information, for all SWGI pages.


Additional Requirements and Best Practices

This section provides a set of additional requirements and best practices that need to be reviewed, since some tasks are required to make the SWGI process work.


The additonal requirements and best practices are divided into three areas:

  • HTTP/HTTPS Whitelisting

  • User Interface (UI) Limitations

  • Forwarded Traffic Limitations

HTTP/HTTPS Whitelisting

This table lists the URLs to be whitelisted, along with the reason for whitelisting and if whitelisting the URL is required or optional for SWGI to perform properly.  The URLs that are listed as required, must be whitelisted or the SWGI process will not successfully run.


#

URL

Reason for Whitelisting

Required/Optional

1

authentic8.com
Domain
Required 

2

getsilo.com 
Domain 
Required

3

yui-s.yahooapis.com 
Not whitelisting this URL willbreak the SWGI process.
Required

4

s.yimg.com 
Not whitelisting this URL willbreak the SWGI process.
Required

5

d3ebp2875iucq9.cloudfront.net
Not whitelisting this URL willbreak the SWGI process, by causing icon issues.
Required

6

d1fyc34zgepog4.cloudfront.net
Not whitelisting this URL willbreak the SWGI process, by causing client downloading issues.
Required

7

fonts.googleapis.com 
Not whitelisting will not breakthe SWGI process, but it may generate display issues.
Optional

8

fonts.gstatic.com 
Not whitelisting will not breakthe SWGI process, but it may generate display issues.
Optional

9

ssl.google-analytics.com 
Not whitelisting will not breakthe SWGI process or generate display issues, but it may impactGoogle analytic reporting.
Optional

10

www.google-analytics.com
Not whitelisting will not break the SWGI process or generate display issues, but it may impact Google analytic reporting.
Optional


Additionally, proxy rules for the HTTP/HTTPS set should be restricted to HTTP/HTTPS protocols. Narrowing the rules to these protocols varies by proxy vendor and it's advised to review the proxy vendor's documentation.


User Interface (UI) Limits

Beyond the underlying limitations, the UI also enforces various limits around URL length. For instance, the browser address bar is capped at 2047 characters. Start> Run is limited to 259 characters (the MAX_PATH limit is 260,which leaves one character for the null-terminator).  Internet Explorer versions up to version 11 do not allow you to bookmark URLs longer than 260 characters. The Windows RichEdit v2 control’s Automatic Hyperlink behavior (EM_AUTOURLDETECT) truncates the link after around 512 characters; this limit is higher in RichEdit5Wcontrols.


Notes:

1.

Microsoft Internet Explorer has a maximum uniform resource locator (URL) length of 2,083 characters.Internet Explorer also has a maximum path length of 2,048 characters. This limit applies to both POST request and GET request URLs.  If you are using the GET method, you are limited to a maximum of 2,048 characters, minus the number of characters in the actual path.  However, the POST method is not limited by the size of the URL for submitting name/value pairs.  RFC 2616,"Hypertext Transfer Protocol -- HTTP/1.1," does not specify any requirement for URL length. These pairs are transferred in the header and not in the URL.
This section is taken from Microsoft's help page:  IE'sMaximum URL Length.  For your convenience, the help page has been copied in its entirety.


2.

For additional information please see thisMicrosoft sponsored blog: IEURL Length Limits.


Forwarded Traffic Limitations

For the best SWGI performance, forwarded traffic should be limited to HTTP/HTTPS traffic only.


Resources

SWGI End User Guide

SWGI Process Pages

IE'sMaximum URL Length

IEURL Length Limits


Additional Notes

Please Contact Authentic8 Support if you have additional questions or concerns.