Secure Web Gateway

The Secure Web Gateway feature in Veltar enables administrators to effectively control and restrict access to web content on managed Android, Windows, and iOS devices. By leveraging category-based blocking, custom domain restrictions, and cloud app access controls, Secure Web Gateway helps enforce safe browsing practices and protect users from inappropriate or non-compliant web content across all enrolled devices.

This document guides you through the necessary configurations on the Scalefusion Dashboard to implement web content filtering policies tailored to your organization’s requirements.

What kind of web content can be blocked

On Scalefusion Dashboard, we have provided an extensive list of categories and sub-categories to choose from which includes education, health, social communication and many more. In general, we enable blocking the domains that fall under the categories defined here.

Pre-Requisites

1. Devices should be enrolled with Scalefusion

   1. Enrollment mode on Android: BYOD, Company Owned, COPE

   2. Enrollment mode on iOS: Kiosk, BYOD, AUE , User Authenticated & DEP/ADE

   3. Enrollment mode on Windows: Agent based enrollment, Modern Management, BYOD, User Authenticated enrollment, Serial number based enrollment

2. Agent versions that should be installed on device

   1. Android: v17.0.1 or above

   2. iOS: v4.1.1 or above

   3. Windows: v16.0.0 or above

3. Device Profile(s) should be created on Scalefusion Dashboard

4. Your account should have access to Secure Web Gateway feature

Step 1: Create Filter

1. On Scalefusion Dashboard, navigate to Veltar > Secure Web Gateway and click on Create New filter.
   

   

2. In the new window, enter Filter Name

3. On the left you will find the configurable settings under these heads. Navigate to each link:

   1. Content Filtering

   2. Cloud Apps

   3. User Facing Messages

   4. Exception/Bypass List

      
      

4. Once you have configured all the above, click Save on the top right.

5. The new filter will get created and displayed on the main Secure Web Gateway page with other related details.

   

Likewise you can create more content filters.

Content Filtering

1. Blocked Categories: Toggle on the setting Enable Category based Content Filtering and select categories of websites to block (e.g., social media, adult content).

2. Blocked Domains: Toggle on the setting Define a custom list of Blocked Domains and enter specific domains to block. This can be used if you want to block a domain that is not a part of any of the categories you have selected under Blocked Categories. There are two ways you can add domains:

   1. Add Domain: Click on Add Domain and enter URL in text area. For adding more than one domain, click on Add Domain on top right and enter the URL you want to block in the text area.

   2. Upload CSV: Add domains in bulk by downloading the Sample CSV and uploading the values.

3. Allowed Domains & IPs: Toggle on the setting Define a custom list of Allowed Domains and enter specific domains to allow (overrides blocked domains). This can be used when you have blocked a category but you want to allow a specific domain. The websites/URLs published to the Device profile are already added to the exception list. Here, you can define additional websites that you want to exempt from being blocked.

   1. Allow access via IP Address: When this setting is enabled, users can access the domain(s) by entering their IP address directly. Users will be allowed to access the IPs added through Add Domain or Upload CSV.  

   There are two ways you can add domains:

   1. Add Domain: Click on Add Domain and enter URL in text area. For adding more than one domain, click on Add Domain on top right and enter the URL you want to block in the text area.

   2. Upload CSV: Add domains in bulk by downloading the Sample CSV and uploading the values.
      

   Patterns Supported for Domain Blocking and Allowing:

   www.<domain>.com: Blocks only domains

   *.<domain>.com : Blocks only subdomains

   <domain>.* : Blocks Top level Domains

   *.<domain>.* : Blocks subdomains and Top level Domains

   <domain>.com : Blocks domain and sub-domains

Cloud Apps

Supported Platforms: Windows

This section allows administrators to manage login and access behavior for cloud applications. You can create filters to control access by specifying allowed domains. The configurations can be done for the following apps:

1. Google: Enable the Restrict Login to only below corporate domains setting and enter the allowed domain(s) in the provided text area. Only users logging in with the specified corporate domains will be granted access.

   1. Allow Login from Google Accounts like @gmail.com or @googlemail.com: Enabling this setting allows users to log in using personal Google accounts such as @gmail.com or @googlemail.com

      

2. Microsoft: Enable the Restrict Login to only below corporate domains setting and enter the allowed domain(s) in the provided text area. Only users logging in with the specified corporate domains will be granted access.

   1. Allow Login from Consumer Apps and Accounts: Enabling this setting allows users to log in using personal (consumer) accounts and access non-enterprise apps like Outlook, hotmail etc.

   

Important Points to Note:

1. Primary and Custom Domain Inheritance:

   • If you add the primary tenant domain (e.g., xyz.onmicrosoft.com), all verified custom domains associated with that Azure AD tenant are also implicitly allowed. This means users with email addresses from any custom domain tied to the same tenant will be able to log in.

2. Custom Domain Inclusion:

   • If you add any one custom domain (e.g., abc.in) from the tenant, Microsoft still recognizes the login attempts from other custom domains under the same tenant, including the primary domain (xyz.onmicrosoft.com). Therefore, login access is granted to all domains linked to that Azure AD tenant.

3. Microsoft Azure AD Directory Recognition:

   • Example:

     • Tenant primary domain: xyz.onmicrosoft.com

     • Verified custom domains: abc.in, def.com

     • If a user logs in using user@def.com, Microsoft resolves the domain to the same Azure AD tenant.

     • As a result, Secure Web Gateway permits the login, assuming any of the tenant’s domains have been listed.

User Facing Messages

Supported Platforms: Windows

1. Configure a Heading message when a website is blocked: Allows you to set a custom message or title that users will see when access to a blocked website is attempted. It helps inform users why the site is blocked or provide guidance, such as company policies or support contact info.

2. Configure a Information message when a website is blocked: Allows you to set a custom information message that appears when a user tries to access a blocked website. You can provide additional details, such as the reason for the block, policy explanation, or next steps the user can take.

   

Exception/Bypass list

Supported Platforms: Windows

To ensure compatibility and smooth operation of widely used enterprise services, certain domains are included in an Exception (Bypass) List by default. These entries are based on extensive internal testing and real-world usage analysis. The Exception List is designed to bypass specific network controls or security features for trusted, commonly used applications and services. This helps avoid disruptions and ensures critical enterprise tools function as expected. Following are the configurations:

1. Domains & URLs: Select the platforms where you want to apply exceptions or bypass rules. A pre-populated list of commonly used enterprise domains is displayed. Based on your platform selection, these domains will be bypassed. You can also search for specific domains using the search bar.

   Actions:

   • Delete: Removes the selected domain from both the list and the view.

   

2. Windows Apps: Use this section to create a custom list of applications that are allowed to bypass web traffic restrictions. To add an app, click Add App, then enter either the application name (e.g., chrome.exe) or its full file path (e.g., C:\Program Files\Google\Chrome\Application\chrome.exe).

   Actions:

   • Delete: Removes the selected app from the bypass list. The Delete button appears next to each entry.

   

Additional Actions

You can edit or delete a filter once created by clicking on three dots under Actions.

Step 2: Publish filter

To apply filter on devices, the next step is to Publish it.  

1. Click on publish by clicking on three dots under Actions
   

2. In the new window, select the device profile(s) on which you want to publish the filter. The list contains Android, iOS and Windows Device profiles.

3. Click Submit
   

User Experience on Device

Event Logs

From this section you can get detailed logs which are recorded for accessing websites/domains blocked or allowed under Secure Web Gateway configuration, providing valuable insights into device usage. Click on Event Logs tab under Secure Web Gateway.

Summary View

The Summary view provides an overview of Secure Web Gateway (SWG) activity and status. The information can be viewed under following heads:

1. Configuration Details

   1. Secure Web Gateway Pushed: Displays the total number of devices to which the Secure Web Gateway configuration has been published.

   2. Secure Web Gateway Active: Displays the total number of devices on which Secure Web Gateway is currently active or enabled.

2. Activity Details

   1. Domains Blocked: Displays the total count of unique domains that have been blocked.

   2. Domains Allowed: Displays the total count of unique domains that have been explicitly allowed.

3. Top 3 Blocked Categories and Sub-Categories

   1. Displays the top 3 categories and subcategories that have been blocked, ranked by the frequency with which domains within those blocked categories/subcategories have been accessed.
      

      

Events Info

This section shows detailed information on the events, under following heads

1. Device Name: The name of the device where the event occurred.

2. Domain: The domain name that is allowed or blocked. This will include blocked domains, explicitly allowed domains, and allowed domains.

3. Resolution: The action taken on the domain (as per filters created):

   1. Allowed

   2. Blocked

4. Category: The category the domain belongs to (displayed only when the domain is blocked).  Displays N/A if the domain is allowed.

5. Sub-category: The sub-category the domain belongs to (displayed only when the domain is blocked). Displays N/A if the domain is allowed.

6. Timestamp: The date and time when the user tried to access the website which is allowed/blocked.
   

   

Additional Features

Filters

There are filtering options available for viewing activity logs. You can filter them by:

1. Resolution: Filters events based on the action taken on the domain:

   1. All: Includes both Allowed and Blocked events

   2. Allowed: Displays only Allowed events.

   3. Blocked: Displays only Blocked events.

2. Date Range: Filters events based on a specific date range. Provide the start and end date. Here, start date can be from current Date to 7 days prior and you cannot select a date more than 30 days in the past.

3. Search: Search for specific events using Device Name or Domain.

4. Page Size: Select the number of records to be displayed on one page
   

   Note: Logs older than 30 days are automatically deleted.
   

   

Download CSV

Clicking the button downloads a CSV report containing the filtered activity data. Please note the report can be downloaded for a duration of 7 days at the maximum.

Known Behaviors

iOS

1. You may encounter issues with managed apps accessing the internet after publishing or unpublishing Secure Web Gateway flows on iOS devices, you can try the following workarounds:

   1. Kill and Relaunch the Scalefusion MDM App: Force-quit the Scalefusion MDM app and then relaunch it.

   2. Restart the Device: If the issue persists, restarting the iOS device can help refresh the system and resolve network connectivity problems.

2. Scalefusion's Secure Web Gateway currently has limitations in filtering the content of certain native iOS applications, such as Facebook and Instagram. We are actively working with Apple to investigate this behavior and identify potential solutions.

3. On Unsupervised Devices ,

   1. URLs will be blocked on All Managed Browsers Except Safari Browser.

   2. Secure Web Gateway is not supported below OS 16

4. If Any Browser Shortcuts are Published from Device Profile then those URLs will be accessible on All browsers even if the Category related to it is blocked.