Deploying the Web Sensor

The Web Sensor works as a web proxy between the requested cloud resources and the users' devices of your company.

By configuring the Web Sensor data source,

  • You apply the proxy and CA certificate settings of the Web Sensor to the users' devices.

    This allows end users' HTTP and HTTPS web traffic that goes to and comes from accessed cloud applications and websites to be forwarded to the Web Sensor.

  • You allow the Web Sensor to collect and send end users' web related data to Trend Micro data lakes.

Trend Micro Vision One provides the following Web Sensor deployments:

  • If you are a Trend Micro Web Security (TMWS) customer and have provisioned your TMWS management console, your TMWS acts as the Web Sensor.

    Follow the onscreen instructions to connect TMWS and enable the data connection.

    For details on connecting your TMWS, see Product Connector.


    After TMWS is successfully connected, the Data upload permission toggle for the data source is automatically turned on.

  • If you are not using TMWS, Trend Micro Vision One deploys a Web Sensor to your corporate network.

Before you begin deploying the Web Sensor,

  • Make sure you have configured SAML single sign-on under Administration > Single Sign-On.

    Trend Micro Vision One works with your SAML-based IDP vendor to authenticate your company's end users whose HTTP and HTTPS web traffic is forwarded to the Web Sensor.

  • Determine the users that you want to apply the Web Sensor to.

    The domains of these user accounts are needed in step 2 for user authentication, and their corresponding AD domains are needed in step 3 for proxy and certificate configuration.

  1. Turn on Data upload permission.
  2. Specify the domains to let end users in these domains forward web traffic to the Web Sensor.

    Provide the domains of user accounts you use to let your IDP vendor authenticate end users. It can be the domain of an email account, for example, if a user's email account is When receiving HTTP or HTTPS requests from users' devices, the Web Sensor redirects the end users to your IDP vendor to verify their identity by requesting their authentication credentials.

  3. Choose either to manually or automatically apply the system proxy settings and CA certificates of the Web Sensor to users' devices in the specified domains.

    Trend Micro Vision One provides a default Proxy Auto Configuration (PAC) file for traffic forwarding, and installs two default CA certificates to supported browsers for user authentication.

    • Manually apply the PAC file and CA certificates to the users' devices.

      1. Get the URL of the PAC file address and download the CA certificates.

      2. Use either of the following ways to apply the PAC file and CA certificates.

        • Create a GPO on the corresponding AD domain controller to enforce the use of the PAC file and CA certificates.

        • Provide the PAC file address and CA certificates to the required end users, and then instruct them to configure supported browsers to reference the PAC file address and to install the certificates.

    • Use a PowerShell script to automatically enforce the use of the PAC file and CA certificates using GPO.

      1. Click Download to download script tmvo_websensor.ps1 to each AD domain controller corresponding to the domains specified in step 2.

      2. Launch Windows PowerShell as an administrator and navigate to the directory where the script lives.

      3. Run the following command to execute the script:

      4. Follow the instructions to apply the GPO.


      If you have specified multiple domains or added new domains in step 2, make sure you execute the script for each required domain.

    If your company enforces traffic using a company proxy server, configure your proxy server to point upstream traffic to the Web Sensor.


    To let proxy chaining work, make sure to:

    • Disable authentication on your company proxy server.

    • Enable the X-Forwarded-For HTTP request header field on your company proxy server.

    • Bypass the Web Sensor's certificate verification if your company proxy server enables server certificate check.

    • Configure to bypass your SSO URL domain in the browser proxy settings or in your PAC file.

    For assistance in setting up proxy chaining, contact your support provider.

  4. Click Save.

    After the Web Sensor is successfully deployed, end users can access the Internet through the Web Sensor and their web activity data is sent to Trend Micro Vision One for risk analysis and insights.


    Instruct end users to provide their logon account credentials when they are prompted for a username and password to access the Internet.