General
What's new ?
Understanding Product Usage
Service IP addresses and ports
End of Life
Supported Browsers
Product Settings
Administrators
Single Sign On
Active Directory
AD Connect software
Roles
Keyword Lists
Devices & Groups
Active Directory Synchronisation Explained
Active Directory Object Synchronisation
Account Password and MFA
Role Builder
Granting access to synchronise Azure AD shared mailboxes
Add the Exchange Online API permission to an existing AAD connection
Google Workspace synchronisation
Web Security
Agents & Gateway
Configuration options for the macOS agent type
Configuration options for the Gateway agent type
Configuration options for the Windows agent type
Configuration options for the Chromebook agent type
Knowledge Base
Bypassing Office 365
Disable QUIC in Chrome Browser
Prevent Law features for UK organisations
Unclassified / Uncategorised Site Processing
Censornet Web Filtering Policy and Approach for Education
List of domains to bypass apps for SSL Interception
Bypass GoToMeeting & LogMeIn
Bypassing the Apple Store
Using Web Security with Sophos
Deployment Overview
Check for the presence of a system proxy user
YouTube appears to work despite Block or Warn final action applied
ERR_CERT_HAS_EXPIRED_ Digicert certificate expiry 2023
Processes used by the USS Agent for Mac OS X
Blocking Embedded Games in Google Search
Enable Enhanced Unpacking Engine
ESET issues identified
Active Directory Login Service
MIME Categories and Types
How to submit a URL reclassification request
Third Party Load Balancer Guides
What happens when my Web Security license is suspended or deleted?
Windows agent - force download of anti-malware database
Change the default listening port for the USS Gateway proxy
SSL/TLS Strict Mode blocked ciphers
How to add a Static Route to the USS Gateway
Export Agents using curl script
Installing an SSL Certificate on iOS 13
CVE-2020-15778
Microsoft Teams Bypass Exception list on mac OS
Custom URL parsing and overlapping patterns
YouTube Safe or Restricted mode enforced by DNS
Safari 17 Proxy Exceptions limit
Alter the default agent configuration poll time
Overview
Rules Engine Concepts
Filter Rules
Feature Control Rules
Browser Categories
Custom URLs
Bypass Categories
Deployment
Agent Configuration Profiles
Unblock Requests
Web Security: Product Configuration
Global Web Filtering Coverage
Web Categories List
Fair Usage Policy for Web & CASB (Inline)
Web Security: Quick Start
Web Security: Best Practice Guide
Deploying Web Security
USS Agent for Windows
Getting Started
Requirements
Changelog - Windows Agent
Download Microsoft Windows agent
Deploying via Wizard
Deploying via Startup/Shutdown script
Deploying the Windows agent via a custom MSI
Deployment via GPO
Deploying via Microsoft Intune
Command-line parameters
Collecting debug information - USS Agent for Windows
Processes used by USS Agent for Windows
How to disable Device Guard or Credential Guard
Upgrading the USS agent from the v3.x release to the v4.x release
Installing the USS Agent SSL certificate in Firefox
Tray icon status codes
Temporary files generated by the endpoint agent software
Windows Agent Log File Storage
Incompatibility with nmap based products such as Wireshark
Deploying via Microsoft SCCM
USS Agent for MacOS
Changelog - MacOS Agent
Download MacOS Agent
Install - Deploying via Wizard
Collecting debug information - USS Agent for mac OS
mac OS agent VPN client incompatibility
mac OS Agent Log File Storage
Deploying the Mac OS X agent using JAMF
USS Agent for Chromebook
Changelog - Chromebook Agent
Download Chromebook agent
Deploying Chromebook agent via Google Admin console
USS Gateway
Configuration
Charts
Authentication & Identification
Network
Settings
System
Advanced configuration
Configuring USS Gateway to work with LoadBalancer.org software load balancer
Regular Gateway server maintenance
Preparing the USS Gateway for use with a load balancer
Installation (v2.x)
USS Gateway - Getting Started
USS Gateway - Requirements
Download Gateway Virtual Machine
Changelog - Gateway
Installation
First time Configuration
Accessing the Command Line
Take Packet Capture From Command Line
Reset Linux Password To Log Into Gateway Command Line
Captive Portal on Samsung Devices
'The Requested Content Was Blocked' Error Message
Resizing a Partition in ESX Server Virtual Machine
Interception of iOS and Android apps (SSL Pinning)
Deploying Web Browser proxy settings
Migrating the SSL intercept certificate to a new gateway
Using an intermediate CA signed by Windows DC root CA
Installing on Hyper-V
Updating the USS Gateway
Importing an SSL Certificate into the USS Gateway
Collecting debug information - USS Gateway
Adding a Static Route on a Gateway
USS Gateway Version 1 to Version 2 Migration
Chromebook Allowlist USS Gateway Proxy
Cloud App. Security (CASB)
Events not arriving for Office 365 Onedrive or Sharepoint
App Catalog
API Integrations
App Catalog List
Email Security
Example Rules
Digest generation and Quarantines
Executive Tracking
Blocking emails from hacked Gmail accounts
Stop specific users from receiving Word documents
Detect credit card numbers in an email
Disable spam filtering for specific mailboxes
Nearby Domain Rule
How to Prefix a banner to inbound emails
IP Geolocation Connection Rule
CoreService filter classifications
Reject oversized emails
Configure Office 365 for EMS
Safelisting Email Security IP addresses in Office 365
Configure GMail using Google Workspace for EMS
MX records and IP addresses for EU customers
MX records and IP addresses for USA customers
MX records and IP addresses for UAE customers
MX records and IP addresses for all regions
Reporting spam or false positives
Configure outbound email for Exchange 2007/2010
Configuring TLS encryption
LinkScan: on-demand URL protection
Bulk Email & Fair Usage
Queue retention and retry times
Personal Safe Lists and Personal Deny Lists
Configure outbound DMARC
Configure outbound DKIM
Configure outbound email for Exchange 2016
CEA - Data storage explained
Reject message due to message “550 5.1.8 sender denied”
Insufficient system resources message on inbound email delivery
Email Sandbox - Supported file types
Outbound Delivery error: 550 Unable to relay
[Marketing Medium] or [High Medium] prefixed to the subject of mails
DMARC Failure Reporting
Image Analysis for Email supported image types
Powershell Script to list Office 365 Shared Mailboxes
What happens when my Email Security license is suspended or deleted?
Example Spam Digest or Quarantine Report
No Valid MX Record NDR message
How to onboard users into the End User Portal
Installing the Outlook add-in for Email Security
How to avoid multiple disclaimers being added when forwarding or replying to emails
Cisco Fixup Protocol
Adding images to email disclaimers
Reject Top Level Domains
Adding an alias to a primary mailbox
Outlook add-in is not the newest version
Temporary Server Error
Unable to Relay error on outbound email
Notify Recipient/Sender Actions
Managing DNS in Office 365
Upgrading to LinkScan version 2
MX records and IP addresses for India customers
DLP Dictionaries
Activate the Quarantine Portal for Spam Digest users
DMARC Abuse Report received even though it passes DMARC
Display Name Detection
How to configure Authenticated Received Chain (ARC) Inbound
How to use Custom Rule Data (formerly Dictionaries)
HTML attachments
How to block double extension filenames
Upgrade Outlook Add-in for reporting spam and phishing email
How to use the Domain Name Detection rule
Email Security: Best Practice Guide
How to work with System Locked rules
How to detect simplified Chinese character sets
How does DMARC work?
Securemail (add-on)
SecureMail concepts explained
Configuring SecureMail
Using the SecureMail dashboard
Email Security: Quick Start
Message Rules
Connection Rules
Default Rules
Custom rule Data
Global Quarantine
Personal Quarantine
Spam Deny List
Spam Safe List
Mailboxes
Product Configuration
Group Management
Outlook Add-in V2
Placeholders for inserting message data into actions
Creating Custom Digests
Post Delivery Email Deletion (Retract)
Advanced Email Sandbox - Overview
Redirect emails to a different address
Configure Inbound mail on Office 365 to reject non-EMS emails
Cloud MFA
Managing an MFA lock-out
Count how many users are in an AD group
ADFS Login not being intercepted for MFA
Configure FortiGate to use PAP for Challenge-Response
Quick Start
Authentication Client (server)
Authentication App (enduser)
Third Party Guides
Configuring Windows Logon Protection
Configuring RADIUS Protection
Deploying the Cloud MFA Authentication App
Configuring RD Web Access using IIS Website Protection
Products not supporting RADIUS Challenge-Response
Configuring AD FS Protection
Analytics
Activity Reports
Schedules
Data retention periods
Admin Auditing
Account Settings
Licenses
Notifications
Branding
ASE
Rules
Threats
Event Report
Compliant Email Archive (CEA)
User Guide
CEA User Guide
Viewing and Managing History in CEA
Using the CEA Outlook Add-in
Viewing and Managing Spaces in CEA
Managing Deletion Requests from CEA
Installing the Outlook Add-in for CEA
Legal Hold in CEA
Authorised Delete in CEA
Viewing and Managing CEA results
Compliant Email Archive Quick Start Guide
Understanding Data Guardians
Email Archive End User Guide
Configuring journaling on Exchange 365
Configuring authentication with O365 via OAuth
Configuring an Impersonation Account
Folder Replication Configuration
Assigning delegation via OAuth with User Directory
Compliant Email Archive - LDAP Configuration
Configuring journaling for Exchange and Office 365
Configuring a local user account
Re-enabling Outlook Homepage Tab
Ingest mail via Mailbox Reader for Exchange 2013 - 2019
Ingest mail via Mailbox Reader
End User Email Archive Authentication with ADFS
Legal
Introduction
Privacy Policy
Master Services Agreement (MSA)
Standard Contractual Clauses (SCCs)
Website Usage and Cookie Policies
Posture Management
Google Cloud Platform Onboarding Guide
Microsoft Azure Onboarding Guide
Posture Management Overview
Microsoft 365 Onboarding Guide
Upgrade Notice
AWS Onboarding Guide
Salesforce Onboarding Guide
DLP
Grammar Regular Expression Engine
Applying a DLP policy in Email Security
Grammar Entity Short Names
DLP Policies
SAT
Safelisting
Allow SAT Domains for EMS customers
Allow SAT Domains for non EMS customers
Google Workspace - SAT Safelisting
How to allow download of images within emails
M365 - SAT Safelisting
Reports
Export SAT Reports
Using SAT Reporting
SAT Reporting Levels
User Import
Adding a New Admin on the SAT Portal
Manually Adding A New User to the SAT portal
Deleting Multiple Users via a CSV tempate
Setup AD-Sync on the SAT Portal
Upload Multiple Users via CSV template
Configure Google User Sync for SAT
On-Demand
Building a Simulation using On-Demand
Using the SAT Sim Creation Tool
Using the On-Demand Feature within the SAT Portal
Calendared Sends via On-Demand
Setup Guide for SAT Portal
Single Sign On (SSO) / M365 Configuration on the SAT Portal
How To See Your Automated SAT Journey
IDaaS
Identity Provider Configuration Guides
Service Provider Configuration Guides
Configuring Microsoft Azure as an Identity Provider
Configuring JumpCloud as an Identity Provider
Dropbox SSO
Salesforce SSO
Google Workspace SSO
Office 365 SSO with External Identity Provider
Product Notice - IDaaS and Office 365 apps
Adding an Office 365 app tile for convenience
Log Streaming
Log Streaming Overview
Log Streaming to Microsoft Sentinel
Log Streaming record format
Log Streaming to Rapid7 InsightIDR
Log Streaming to Amazon S3
Log Streaming to Google Cloud Storage
Log Streaming for Splunk Enterprise or Cloud
Log Streaming to Sumo Logic
Quick Fixes
USS Gateway failing to install
Troubleshooting Filter Rules
Allow partial websites/specific YouTube videos
Gateway failing to join the domain - the address handle that was given to the transport was invalid
Gateway proxy authentication pop-up login dialog
Bypasses not applying
USS Gateway IP changes unexpectedly
All Categories > Web Security > Knowledge Base
34 articles
By Microsoft's own admission, Office 365 can be problematic when trying to access Office 365 services through Filtering Software/Proxies. For this, they have a provided a list of URLs/IPs that need t…
Updated 2 years ago
Enabling the QUIC feature within Google's Chrome browser can prevent accurate visibility reports in the Cloud Application Control Analyze reports section. To disable it, there are two methods you can…
Updated 4 years ago
In the UK, the Prevent Law or Prevent Duty , is a duty that certain UK organisations (e.g. schools, government, etc) have to prevent people being drawn into terrorism. To support this, the USS Web Se…
Updated 1 year ago
An Unclassified or Uncategorised Site is a URL that is not yet listed in the Web Categories List and therefore does not have a category assigned for URL reputation. To configure whether Unclassified…
Updated 5 years ago
With over ten years’ experience in the education sector the Censornet platform includes numerous predefined template policies, Rules and keyword dictionaries to simplify implementation and ensure rap…
If you intend to bypass an app from SSL Interception, you will lose all visibility of that app in the App Analyse report. For some apps, this is the only option to allow them to work. Add the followi…
Updated 2 months ago
Newer Cloud USS accounts will have a number of System-level Bypasses provided by default, including Bypasses for GoToMeeting , GoToMyPC , etc. The manual configuration detailed below is only necessar…
By default, if you try to access the Apple Store on an iOS device going through Captive/Guest portal, you will be presented with a blank screen or a connection error. This is because the Apple store…
The Sophos line of security and malware prevention tools require some extra configuration in order to work alongside Cloud USS. Configuring Sophos Endpoint Security with Cloud USS. Open your Sophos C…
Unified Security Service is a multi-tenanted cloud (SaaS) solution that delivers a range of Internet security products from a single, unified, user interface. Deployment varies depending on the produ…
If you are experiencing unexpected behaviour with the Web Security endpoint agents or gateway, it may be that a proxy configuration exists for the Windows "system" user account. This can be left behi…
Updated 3 years ago by admin
Applies to Chrome and Opera browsers (November 2021). It is a common requirement to restrict YouTube (and related services) using the Web Security product Filter Rules, either with a time based, user…
Updated 2 years ago by admin
An important Digicert Certificate has expired today (8th March 2023) causing TLS validation issues on the USS Gateway. The USS Gateway proxy uses the Ubuntu OpenSSL library, and it appears that this…
Updated 1 year ago by admin
It may be beneficial to add the following processes to endpoint Anti-Malware software: Processes /Applications/UssAgent.app/Contents/MacOS/UssAgent /Applications/UssAgent.app/Contents/MacOS/UssAgentP…
This article discusses embedded games from Google Search and techniques for controlling them. When searching for keywords like snake , minesweeper , solitaire or pacman, Google Search returns an embe…
This feature is reserved for the upcoming Agent 4.4 release.
Updated 5 months ago by admin
We have identified an issue with certain versions of ESET software that causes incompatibility with software that also uses the Microsoft WFP (Windows Filtering Platform) layer for intercepting netwo…
This software is no longer maintained and is considered End of Life. This page has been kept available for reference only. The AD Login Service is a user identification tool for use with the USS Gate…
The Web Security product (gateway and endpoint agent) can perform MIME Type scanning of downloaded files through the use of a Filter Rule and the MIME Type action. This allows an administrator to blo…
Updated 4 years ago by admin
The Web Security product uses many techniques to ensure a URL is classified correctly however from time to time an existing URLs may require reclassifying. You can request a URL reclassification from…
The following guides are available to assist configuring the USS Cloud Gateway with third party load balancer products. Please note that these documents are provided as a guide. Familiarity with the…
The following article describes the behaviour if your Web Security license is suspended or deleted. License or Account Suspended. Gateways and Agents will continue to process web traffic however no f…
By default the USS Agent for Windows will manage the downloading of the anti-malware database and continous updates automatically. In some cases, you may want to force the database to be cleared and…
This article explains how to change the default listening port for the USS Gateway proxy. In this example, the steps will demonstrate changing the default listening port from 8080 to 50000. From the…
Updated 3 months ago by admin
Activating the Use strict SSL/TLS ciphers option within the Windows or Mac OS X Agent Configuration Profile will block the following ciphers as they are considered weak. This may cause unexpected beh…
Updated 5 years ago by admin
This article will provide the steps required to add a Static Route to the USS Gateway via the command line. Ensure you have logged in to the USS Gateway command line. Elevate permissions to root by t…
This article describes how to connect to the Platform API and download a list of agents as shown in the Web Security -> Deployment section. You will need: an admin user credential that has been assig…
Updated 8 months ago by admin
How to install the USS Cloud Gateway SSL certificate on Apple iOS 13. First, you need to download the SSL certificate to the device. The simplest way if using the captive portal is to click on the li…
This article relates to the recently announced CVE-2020-15778 vulnerability and the USS Gateway 2.0.50+ Ubuntu based virtual machine. This vulnerability is primarily a risk from inbound connections a…
Updated 9 months ago by admin
The following Bypass with Proxy Exception patterns should be added for Microsoft Teams: Bypass Pattern emea.pptservicescast.officeapps.live.com s-ring.msedge.net definitionupdates.microsoft.com.event…
Updated 2 months ago by admin
The Web Security rules engine uses a category based system for controlling access to custom web sites (URL's, domains) known as patterns. The rules engine optimises the categories and their patterns…
YouTube Safe mode (also known as Restricted mode) can be enforced globally by altering the DNS for specific domains. This may be required in addition to the Feature Control rule restriction. If you a…
This article is superseded by the introduction of Bypass by Proxy Exception for macOS available with agent v4.3.22 and above. Please also see Microsoft Teams Bypass Exception list on mac OS. Safari v…
By default the Windows Agent will poll for configuration changes every 15 minutes, offset from the time when the agent was installed. To override this, you can add a special string (REG_SZ) value cal…
Powered by HelpDocs (opens in a new tab)
