Introduction

Secure Web Gateway Integration (SWGI) provides enterprise customers with the functionality to allow their users to visit designated sites securely via Silo, rather than through their default browser.


The primary purpose of this guide is to provide Silo administrators with the SWGI configuration steps, along with a general guide on installation and set-up.


Technical Details

When a user attempts to access a SWGI designated site, either vxia a link or by entering a URL, the user is authenticated and the site is rendered in Silo, and not in the default browser.


The URL forwarding process is completed by setting proxy service tokens for the designated sites.

Prerequisites

  1. A working Silo enterprise installation.
  2. Silo Access Portal must be enabled.
  3. A good working knowledge of your proxy service and the setting of tokens.

User Experience

There are three basic SWGI user paths:

  1. A first time pass on a device with Silo not installed, requires a user to download and install Silo while stepping through the SWGI process.
  2. A first time pass on a device with Silo installed, allows the user to skip the Silo setup process and go directly to launching Silo.
  3. For all subsequent SWGI access after the initial pass, the user will see at most a single page regarding the launching of Silo.

Configuration

The basic SWGI configuration steps are:

  1. Silo Portal Configuration
  2. Determine the designated sites to be rendered in Silo.
  3. Request an SWGI token from Authentic8 to be used.
  4. Configure your proxy service with the SWGI tokens for the designated sites, based on your customized needs.

Note: It is advised to review your SWG service provider's documentation prior to starting.


Silo Portal Configuration

The Silo Portal configuration step consists of setting the Silo Access Portal URL; this URL must be set with an active link for the SAML configuration to work.


This is a custom URL that your users will go to when accessing the Silo Access Portal.


From the Silo Admin Console, navigate to the Silo Portal configuration page.



Set the Silo Access Portal URL



Press Save


SWGI Token Settings

SWGI functionality is driven by using tokens to validate URL handling requests from the customer and forwarding all designated sites to be rendered in Silo.


The general syntax is: getsilo.com/launch/<Portal ID>/<token>/?url=destination URL


Required Settings

#SettingDefinition
1<Portal ID>The Silo Access Portal URL.
Note:   Please see Silo Portal Configuration above for additional information.
2<token>The required token provided by Authentic8 Support to initiate SWGI.
3url=destination URLThe destination URL is the URL that is to rendered in Silo via SWGI. The destination URL must be encoded for SWGI to work.

 

Note: Please contact Support if you have any questions or require further assistance on SWGI tokens.


Customization Settings

The SWGI page flow can be customized by using these customization settings.


#SettingAction
1require_click
  • A True setting requires the user to explicitly click on a launch button.
  • A False setting prevents the Launch Silo page from displaying.
  • The default setting (i.e., when the argument is not present) is True.
Notes 
  • For both SSO and PIN customers.
  • It can be used in combination with (2) skip_welcome.
  • Please see examples #2 and 4 below.
2skip_welcome
  • A True setting skips the Welcome page.
  • A False setting displays the Welcome page.
  • The default setting (i.e., when the argument is not present) is False.
Notes 
  • For both SSO and PIN customers.
  • It can be used in combination with (1) require_click.
  • Please see examples #3 and 4 below.


Proxy Setting Examples

Here are four standard examples:

#Example with Description
1An example containing the least number of required settings.

getsilo.com/launch/<Portal ID>/<token>/?url=destination URL
Based on the default values for the missing customized setting arguments (i.e., require_click and skip_welcome) the Welcome page will be displayed, and the Launch Silo page will be displayed.
2A require_click example, with require_click=true.

getsilo.com/launch/<Portal ID>/<token>/?url=destination&require_click=true

The Launch Silo page will be displayed with an explicit click being required on the first pass and every pass thereafter to launch the designated site in Silo.
3skip_welcome example, with skip_welcome=true.

getsilo.com/launch/<Portal ID>/<token>/?url=destination URL&skip_welcome=true

The Welcome page will be skipped, based on the setting of skip_welcome to True.
4An example with skip_welcome set as true and require_click set as false.

getsilo.com/launch/<Portal ID>/<token>/?url=destination URL&skip_welcome=true&require_click=false

Based on the customization settings, the Welcome page will be not be displayed, while the Launch Silo page will be displayed and automatically open the URL in Silo.


Notes

1. The default settings (i.e., when the argument is not present) for require_click is True and for skip_welcome is False.

2. Please contact Support if you have any questions or require further assistance on SWGI setup.


SWGI Process Pages

SWGI functionality has a set of process pages, which primarily deal with ensuring that Silo is installed and that SWGI will correctly work.


SWGI Page Definition

This table lists the SWGI pages, along with a general description and display frequency.

#Page Name
Description
Display Frequency
1WelcomeA welcome page providing options for users to learn about Silo, proceed with Silo Setup and the SWGI process.One-time, on a new user's initial pass.
2About SiloA general information page on the Silo product.One-time, on a new user's initial pass.
3Silo Setup A page for Silo setup, providing a download and install link.One-time, on a new user's initial pass.
4Silo Sign-inA page displayed for PIN users only, requiring a sign-in to proceed with the SWGI process.One-time, on a new user's initial pass.
5TroubleshootingA page providing troubleshooting options on setting-up and launching Silo.One-time, on a new user's initial pass.
6Download and InstallProvides Silo downloading and installation for SWGI users and is linked from the Troubleshooting page.One-time, on a new user's initial pass.
7Silo SupportProvides mail contact to Support, linked from the Troubleshooting page.One-time, on a new user's initial pass.
8Launch SiloA page that provides a button for the launching of the designated URL in Silo.Displayed on every SWGI pass.
9Relaunch SiloFollows the same functionality as the Launch Silo page.One-time, on a new user's initial pass.
10SiloThe designated site is rendered in Silo.Displayed on every SWGI pass.



SWGI Page Flow

The following diagram details the SWGI page flow for both Single Sign-on (SSO) and Pin customers.




SWGI Page Definition

Please see SWGI Process Pages for complete display, content and navigation information, for all SWGI pages.


Additional Requirements and Best Practices

This section provides a set of additional requirements and best practices that need to be reviewed, since some tasks are required to make the SWGI process work.


The additional requirements and best practices are divided into three areas:

  • HTTP/HTTPS Whitelisting

  • User Interface (UI) Limitations

  • Forwarded Traffic Limitations

HTTP/HTTPS Whitelisting

This table lists the URLs to be whitelisted, along with the reason for whitelisting and if whitelisting the URL is required or optional for SWGI to perform properly.  The URLs that are listed as required, must be whitelisted or the SWGI process will not successfully run.


#

URL

Reason for Whitelisting

Required/Optional

1

authentic8.comDomainRequired

2

getsilo.com Domain Required

3

yui-s.yahooapis.com Not whitelisting this URL will break the SWGI process.Required

4

s.yimg.com Not whitelisting this URL will break the SWGI process.Required

5

d3ebp2875iucq9.cloudfront.netNot whitelisting this URL will break the SWGI process, by causing icon issues.Required

6

d1fyc34zgepog4.cloudfront.netNot whitelisting this URL will break the SWGI process, by causing client downloading issues.Required

7

fonts.googleapis.com Not whitelisting will not break the SWGI process, but it may generate display issues.Optional

8

fonts.gstatic.com Not whitelisting will not break the SWGI process, but it may generate display issues.Optional

9

ssl.google-analytics.com Not whitelisting will not break the SWGI process or generate display issues, but it may impact Google analytic reporting.Optional

10

www.google-analytics.comNot whitelisting will not break the SWGI process or generate display issues, but it may impact Google analytic reporting.Optional


Additionally, proxy rules for the HTTP/HTTPS set should be restricted to HTTP/HTTPS protocols. Narrowing the rules to these protocols varies by proxy vendor and it's advised to review the proxy vendor's documentation.


User Interface (UI) Limits

Beyond the underlying limitations, the UI also enforces various limits around URL length. For instance, the browser address bar is capped at 2047 characters. Start> Run is limited to 259 characters (the MAX_PATH limit is 260,which leaves one character for the null-terminator).  Internet Explorer versions up to version 11 do not allow you to bookmark URLs longer than 260 characters. The Windows RichEdit v2 control’s Automatic Hyperlink behavior (EM_AUTOURLDETECT) truncates the link after around 512 characters; this limit is higher in RichEdit5Wcontrols.


Notes

1. Microsoft Internet Explorer has a maximum uniform  resource locator (URL) length of 2,083 characters.Internet Explorer also  has a maximum path length of 2,048 characters. This limit applies to  both POST request and GET request URLs.  If you are using the GET  method, you are limited to a maximum of 2,048 characters, minus the  number of characters in the actual path.  However, the POST method is  not limited by the size of the URL for submitting name/value pairs.  RFC  2616,"Hypertext Transfer Protocol -- HTTP/1.1," does not specify any  requirement for URL length. These pairs are transferred in the header  and not in the URL.

This section is taken from Microsoft's help page: IE'sMaximum URL Length.  For your convenience, the help page has been copied in its entirety.


2. For additional information please see thisMicrosoft sponsored blog: IEURL Length Limits.


Forwarded Traffic Limitations

For the best SWGI performance, forwarded traffic should be limited to HTTP/HTTPS traffic only.

Resources


Additional Notes  

Please contact Support if you have any additional questions and/or require further information.