Secure Web Gateway Integration (SWGI) provides enterprise customers with the functionality to allow their users to visit designated sites securely via Silo, rather than through their default browser.
The primary purpose of this guide is to provide Silo administrators with the SWGI configuration steps, along with a general guide on installation and set-up.
When a user attempts to access a SWGI designated site, either vxia a link or by entering a URL, the user is authenticated and the site is rendered in Silo, and not in the default browser.
The URL forwarding process is completed by setting proxy service tokens for the designated sites.
- A working Silo enterprise installation.
- Silo Access Portal must be enabled.
- A good working knowledge of your proxy service and the setting of tokens.
There are three basic SWGI user paths:
- A first time pass on a device with Silo not installed, requires a user to download and install Silo while stepping through the SWGI process.
- A first time pass on a device with Silo installed, allows the user to skip the Silo setup process and go directly to launching Silo.
- For all subsequent SWGI access after the initial pass, the user will see at most a single page regarding the launching of Silo.
The basic SWGI configuration steps are:
- Silo Portal Configuration
- Determine the designated sites to be rendered in Silo.
- Request an SWGI token from Authentic8 to be used.
- Configure your proxy service with the SWGI tokens for the designated sites, based on your customized needs.
Note: It is advised to review your SWG service provider's documentation prior to starting.
Silo Portal Configuration
The Silo Portal configuration step consists of setting the Silo Access Portal URL; this URL must be set with an active link for the SAML configuration to work.
This is a custom URL that your users will go to when accessing the Silo Access Portal.
From the Silo Admin Console, navigate to the Silo Portal configuration page.
Set the Silo Access Portal URL
SWGI Token Settings
SWGI functionality is driven by using tokens to validate URL handling requests from the customer and forwarding all designated sites to be rendered in Silo.
The general syntax is: getsilo.com/launch/<Portal ID>/<token>/?url=destination URL
|1||<Portal ID>||The Silo Access Portal URL.|
Note: Please see Silo Portal Configuration above for additional information.
|2||<token>||The required token provided by Authentic8 Support to initiate SWGI.|
|3||url=destination URL||The destination URL is the URL that is to rendered in Silo via SWGI. The destination URL must be encoded for SWGI to work.|
Note: Please contact Support if you have any questions or require further assistance on SWGI tokens.
The SWGI page flow can be customized by using these customization settings.
Proxy Setting Examples
Here are four standard examples:
|#||Example with Description|
|1||An example containing the least number of required settings.|
getsilo.com/launch/<Portal ID>/<token>/?url=destination URL
Based on the default values for the missing customized setting arguments (i.e., require_click and skip_welcome) the Welcome page will be displayed, and the Launch Silo page will be displayed.
|2||A require_click example, with require_click=true.|
The Launch Silo page will be displayed with an explicit click being required on the first pass and every pass thereafter to launch the designated site in Silo.
|3||skip_welcome example, with skip_welcome=true.|
getsilo.com/launch/<Portal ID>/<token>/?url=destination URL&skip_welcome=true
The Welcome page will be skipped, based on the setting of skip_welcome to True.
|4||An example with skip_welcome set as true and require_click set as false.|
getsilo.com/launch/<Portal ID>/<token>/?url=destination URL&skip_welcome=true&require_click=false
Based on the customization settings, the Welcome page will be not be displayed, while the Launch Silo page will be displayed and automatically open the URL in Silo.
1. The default settings (i.e., when the argument is not present) for require_click is True and for skip_welcome is False.
2. Please contact Support if you have any questions or require further assistance on SWGI setup.
SWGI Process Pages
SWGI functionality has a set of process pages, which primarily deal with ensuring that Silo is installed and that SWGI will correctly work.
SWGI Page Definition
This table lists the SWGI pages, along with a general description and display frequency.
|1||Welcome||A welcome page providing options for users to learn about Silo, proceed with Silo Setup and the SWGI process.||One-time, on a new user's initial pass.|
|2||About Silo||A general information page on the Silo product.||One-time, on a new user's initial pass.|
|3||Silo Setup||A page for Silo setup, providing a download and install link.||One-time, on a new user's initial pass.|
|4||Silo Sign-in||A page displayed for PIN users only, requiring a sign-in to proceed with the SWGI process.||One-time, on a new user's initial pass.|
|5||Troubleshooting||A page providing troubleshooting options on setting-up and launching Silo.||One-time, on a new user's initial pass.|
|6||Download and Install||Provides Silo downloading and installation for SWGI users and is linked from the Troubleshooting page.||One-time, on a new user's initial pass.|
|7||Silo Support||Provides mail contact to Support, linked from the Troubleshooting page.||One-time, on a new user's initial pass.|
|8||Launch Silo||A page that provides a button for the launching of the designated URL in Silo.||Displayed on every SWGI pass.|
|9||Relaunch Silo||Follows the same functionality as the Launch Silo page.||One-time, on a new user's initial pass.|
|10||Silo||The designated site is rendered in Silo.||Displayed on every SWGI pass.|
SWGI Page Flow
The following diagram details the SWGI page flow for both Single Sign-on (SSO) and Pin customers.
SWGI Page Definition
Please see SWGI Process Pages for complete display, content and navigation information, for all SWGI pages.
Additional Requirements and Best Practices
This section provides a set of additional requirements and best practices that need to be reviewed, since some tasks are required to make the SWGI process work.
The additional requirements and best practices are divided into three areas:
User Interface (UI) Limitations
Forwarded Traffic Limitations
This table lists the URLs to be whitelisted, along with the reason for whitelisting and if whitelisting the URL is required or optional for SWGI to perform properly. The URLs that are listed as required, must be whitelisted or the SWGI process will not successfully run.
Reason for Whitelisting
|yui-s.yahooapis.com||Not whitelisting this URL will break the SWGI process.||Required|
|s.yimg.com||Not whitelisting this URL will break the SWGI process.||Required|
|d3ebp2875iucq9.cloudfront.net||Not whitelisting this URL will break the SWGI process, by causing icon issues.||Required|
|d1fyc34zgepog4.cloudfront.net||Not whitelisting this URL will break the SWGI process, by causing client downloading issues.||Required|
|fonts.googleapis.com||Not whitelisting will not break the SWGI process, but it may generate display issues.||Optional|
|fonts.gstatic.com||Not whitelisting will not break the SWGI process, but it may generate display issues.||Optional|
|ssl.google-analytics.com||Not whitelisting will not break the SWGI process or generate display issues, but it may impact Google analytic reporting.||Optional|
|www.google-analytics.com||Not whitelisting will not break the SWGI process or generate display issues, but it may impact Google analytic reporting.||Optional|
Additionally, proxy rules for the HTTP/HTTPS set should be restricted to HTTP/HTTPS protocols. Narrowing the rules to these protocols varies by proxy vendor and it's advised to review the proxy vendor's documentation.
User Interface (UI) Limits
Beyond the underlying limitations, the UI also enforces various limits around URL length. For instance, the browser address bar is capped at 2047 characters. Start> Run is limited to 259 characters (the MAX_PATH limit is 260,which leaves one character for the null-terminator). Internet Explorer versions up to version 11 do not allow you to bookmark URLs longer than 260 characters. The Windows RichEdit v2 control’s Automatic Hyperlink behavior (EM_AUTOURLDETECT) truncates the link after around 512 characters; this limit is higher in RichEdit5Wcontrols.
1. Microsoft Internet Explorer has a maximum uniform resource locator (URL) length of 2,083 characters.Internet Explorer also has a maximum path length of 2,048 characters. This limit applies to both POST request and GET request URLs. If you are using the GET method, you are limited to a maximum of 2,048 characters, minus the number of characters in the actual path. However, the POST method is not limited by the size of the URL for submitting name/value pairs. RFC 2616,"Hypertext Transfer Protocol -- HTTP/1.1," does not specify any requirement for URL length. These pairs are transferred in the header and not in the URL.
This section is taken from Microsoft's help page: IE'sMaximum URL Length. For your convenience, the help page has been copied in its entirety.
2. For additional information please see thisMicrosoft sponsored blog: IEURL Length Limits.
Forwarded Traffic Limitations
For the best SWGI performance, forwarded traffic should be limited to HTTP/HTTPS traffic only.