Fortinet black logo

SIA Agentless SWG Deployment Guide

Home FortiSASE SIA Agentless SWG Deployment Guide

(Optional) Installing and configuring the SWG Chrome extension

(Optional) Installing and configuring the SWG Chrome extension

FortiSASE supports a Chrome extension that allows enforcing FortiSASE secure web gateway (SWG) connectivity for selected endpoints with the Chrome browser installed, including Chromebooks, based on the endpoint operating system (OS) and the corresponding extension policy that the Google Workspace administrator configured.

This extension relies on the following features being configured in FortiSASE:

  • SWG single sign-on
  • SWG configuration

The extension also requires that the user has already downloaded and installed the SWG certificates to the device certificate store as Installing the FortiSASE CA certificate on endpoints describes. Alternatively, you can use Google Workspace to install certificates on Chromebooks as Managed Chromebook describes.

Since this extension is not installed in Chrome incognito mode, the administrator should disable incognito mode in Google Workspace.

This extension allows you to configure the following settings on an endpoint through Google workspace:

  • Default or custom hosted PAC file URL
  • User ability to view PAC file URL within the extension
  • Configuration of supported platforms (ChromeOS, Linux, macOS, and Windows) where SWG is enforced
To disable incognito mode in Google Workspace:

Since this extension is not installed in incognito mode, SWG policies are not enforced when using incognito mode. The Google Workspace administrator must disallow incognito mode to ensure that SWG is always enforced on the Chromebook and other devices with managed Chrome browsers.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the desired organizational unit (OU).
  3. Scroll to Security > Incognito mode.
  4. From the dropdown menu, select Disallow incognito mode.
  5. Click Save.

To configure the extension policy for FortiSASE SWG Chrome extension:

You can apply the FortiSASE SWG extension to one or more user OUs within Google Workspace. All users assigned within an OU that the FortiSASE SWG extension is applied to have the extension installed and SWG enforced on their Chromebook and Chrome browser.

  1. In the Google Admin console, go to Devices > Chrome > Apps & extensions > Users & browsers.
  2. Select the desired OU to install and enforce the FortiSASE SWG extension.
  3. Add the Chrome extension to the OU by clicking the + button on the bottom right, clicking Chrome app or extension by ID, and searching using the ID aecejhdejcnfihadbfidmndehobfdpcc.
  4. Select the FortiSASE Secure Web Gateway extension to push to Chromebooks and devices with managed Chrome browsers.
  5. Configure the policy using the following parameters:

    Parameter

    Description

    pacFileUrl

    PAC file that the extension will enforce. Configure one of the following:

    showProxyInfo

    Possible values: false or true.

    • Setting this to false hides the PAC file URL from the extension.
    • Setting this value to true makes the PAC file URL visible to the extension.

    supportedPlatforms

    Possible values include cros, linux, mac, and win to specify ChromeOS (Chromebook), Linux, macOS, and Windows, respectively.

    To exempt a device from SWG enforcement, you can set one of these options:

    • Remove the device OS from the supportedPlatforms array
    • Set pacFileUrl to an empty string
    • Remove the pacFileUrl key-value pair from the policy configuration
  6. Click Save.

Following is an example extension policy configuration using a custom PAC file hosted on a LAN server with the PAC file URL hidden from extension and the extension applied to ChromeOS, macOS, and Windows devices:

{
    "pacFileUrl": {
        "Value": "https://192.168.1.115/proxy.pac"
    },
    "showProxyInfo": {
        "Value": false
    },
    "supportedPlatforms": { 
    	"Value": ["cros", "mac", "win"]
    }
}

The following shows the FortiSASE SWG extension and example extension policy applied to users within the Marketing OU:

To verify the policy has been enforced on the device with the extension installed:

On the Chromebook or device with Chrome browser installed, go to chrome://policy from the Chrome browser to verify the aforementioned example policy has been enforced on the Chromebook or device with managed Chrome browser:

Previous
Next

(Optional) Installing and configuring the SWG Chrome extension

FortiSASE supports a Chrome extension that allows enforcing FortiSASE secure web gateway (SWG) connectivity for selected endpoints with the Chrome browser installed, including Chromebooks, based on the endpoint operating system (OS) and the corresponding extension policy that the Google Workspace administrator configured.

This extension relies on the following features being configured in FortiSASE:

  • SWG single sign-on
  • SWG configuration

The extension also requires that the user has already downloaded and installed the SWG certificates to the device certificate store as Installing the FortiSASE CA certificate on endpoints describes. Alternatively, you can use Google Workspace to install certificates on Chromebooks as Managed Chromebook describes.

Since this extension is not installed in Chrome incognito mode, the administrator should disable incognito mode in Google Workspace.

This extension allows you to configure the following settings on an endpoint through Google workspace:

  • Default or custom hosted PAC file URL
  • User ability to view PAC file URL within the extension
  • Configuration of supported platforms (ChromeOS, Linux, macOS, and Windows) where SWG is enforced
To disable incognito mode in Google Workspace:

Since this extension is not installed in incognito mode, SWG policies are not enforced when using incognito mode. The Google Workspace administrator must disallow incognito mode to ensure that SWG is always enforced on the Chromebook and other devices with managed Chrome browsers.

  1. Go to Devices > Chrome > Settings > Users & browsers.
  2. Select the desired organizational unit (OU).
  3. Scroll to Security > Incognito mode.
  4. From the dropdown menu, select Disallow incognito mode.
  5. Click Save.

To configure the extension policy for FortiSASE SWG Chrome extension:

You can apply the FortiSASE SWG extension to one or more user OUs within Google Workspace. All users assigned within an OU that the FortiSASE SWG extension is applied to have the extension installed and SWG enforced on their Chromebook and Chrome browser.

  1. In the Google Admin console, go to Devices > Chrome > Apps & extensions > Users & browsers.
  2. Select the desired OU to install and enforce the FortiSASE SWG extension.
  3. Add the Chrome extension to the OU by clicking the + button on the bottom right, clicking Chrome app or extension by ID, and searching using the ID aecejhdejcnfihadbfidmndehobfdpcc.
  4. Select the FortiSASE Secure Web Gateway extension to push to Chromebooks and devices with managed Chrome browsers.
  5. Configure the policy using the following parameters:

    Parameter

    Description

    pacFileUrl

    PAC file that the extension will enforce. Configure one of the following:

    showProxyInfo

    Possible values: false or true.

    • Setting this to false hides the PAC file URL from the extension.
    • Setting this value to true makes the PAC file URL visible to the extension.

    supportedPlatforms

    Possible values include cros, linux, mac, and win to specify ChromeOS (Chromebook), Linux, macOS, and Windows, respectively.

    To exempt a device from SWG enforcement, you can set one of these options:

    • Remove the device OS from the supportedPlatforms array
    • Set pacFileUrl to an empty string
    • Remove the pacFileUrl key-value pair from the policy configuration
  6. Click Save.

Following is an example extension policy configuration using a custom PAC file hosted on a LAN server with the PAC file URL hidden from extension and the extension applied to ChromeOS, macOS, and Windows devices:

{
    "pacFileUrl": {
        "Value": "https://192.168.1.115/proxy.pac"
    },
    "showProxyInfo": {
        "Value": false
    },
    "supportedPlatforms": { 
    	"Value": ["cros", "mac", "win"]
    }
}

The following shows the FortiSASE SWG extension and example extension policy applied to users within the Marketing OU:

To verify the policy has been enforced on the device with the extension installed:

On the Chromebook or device with Chrome browser installed, go to chrome://policy from the Chrome browser to verify the aforementioned example policy has been enforced on the Chromebook or device with managed Chrome browser:

Previous
Next