Distributing Proxy Configuration via Active Directory Group Policy
Supported platforms
Windows 10 version 1709 and later
Windows 11 (Home, S, Pro, Education, Enterprise, and IoT Enterprise editions)
About this document
The configurations in this document do not cover how to connect devices to an Active Directory or how to manage or distribute Group Policy within Active Directory. It will cover how to create the necessary Group Policy that distributes the proxy configuration to Windows systems.
The SurePath AI PAC file
SurePath AI distributes its proxy information via a Proxy Auto-Config (PAC) file. This PAC file contains all the information needed to direct only generative AI traffic to the SurePath AI proxy service while sending other traffic via their normal route.
The use of a PAC file also allows SurePath AI to update the list of generative AI domains. Most operating systems and browsers re-request the PAC file every 1-2 hours; if a new file cannot be retrieved, the current one continues to be used.
The SurePath AI root CA certificate
Just like other network security and SASE vendors, certificate trust allows SurePath AI to intercept and apply policy to connections to generative AI websites. The SurePath AI root CA certificate needs to be trusted by every device that is to be governed by SurePath AI.
Configuring a Group Policy
All configuration in this section takes place within the Group Policy Management console, available on an Active Directory server or on a client system with the Remote Server Administration Tools (RSAT) installed.
Prerequisites
Acquire the SurePath AI Proxy PAC URL
Log in to https://admin.surepath.ai
In the Configure menu, under Organization, select the Integrations tab
Within the Proxy and Provider URLs section, in the SurePath AI Proxy PAC URL sub-section, copy the Proxy PAC URL value
If the URL is not available in the admin console, please reach out to the team at SurePath AI to get the Proxy PAC URL
Acquire the SurePath AI root certificate
Log in to https://admin.surepath.ai
In the Configure menu, under Organization, select the Integrations tab
Within the File Downloads section, in the SurePath AI Root CA Certificate sub-section, click DOWNLOAD CERTIFICATE
Keep the certificate for upload later into an Active Directory Group Policy Object
Creating the Group Policy
Open the Group Policy Management console
Expand the Domains folder then expand the specific domain where the proxy needs to be deployed
Right-click on the Group Policy Object folder and select New
Provide a name for the Group Policy such as SurePath AI Proxy Config and set the Source Starter GPO option to (none)
Right-click on the newly created Group Policy Object and select Edit
A new window, the Group Policy Management Editor, will open; this is where the new Group Policy Object is modified
Group Policy settings
Setting 1 (required) - Proxy PAC URL - Choose 1 of the following 2 options
This Group Policy setting provides the actual PAC URL to the devices. There are two ways to achieve this and both are outlined below. Configure only one of them, to avoid conflicting Group Policy configurations.
Internet settings (preferred)
From within the Group Policy Management Editor, browse to the following path: User Configuration - Preferences - Control Panel Settings - Internet Settings
In the Internet Settings section on the right, right-click in the large empty area and select New - Internet Explorer 10
A new window will appear
Open the Connections tab and click LAN settings at the bottom
A new window will appear
In the Address field, enter the SurePath AI Proxy PAC URL obtained in the prerequisite step above
Click OK to close the LAN settings window
Click OK to close the Internet Settings window
Registry (secondary)
From within the Group Policy Management Editor, browse to the following path: Computer Configuration - Preferences - Windows Settings - Registry
In the Registry section on the right, right-click in the large empty area and select New - Registry Item
A new window will appear
In the Action field, select Create
In the Hive field, select HKEY_LOCAL_MACHINE
In the Key Path field, enter SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
For the Value name section, ensure Default is NOT selected and enter AutoConfigURL in the text box
In the Value type field select REG_SZ
In the Value data field enter the SurePath AI Proxy PAC URL obtained in the prerequisite step above
Click OK to close the Registry settings window
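The following PowerShell script is an added example (it is not part of the SurePath AI documentation or product). It performs on a single pilot host what the Registry preference item above does domain-wide: it fetches the PAC URL to confirm it is reachable and actually looks like a PAC file, then writes the same AutoConfigURL REG_SZ value under HKEY_LOCAL_MACHINE and reads it back. The PAC URL is passed in as a parameter (the placeholder below is not a real URL); the script must run in an elevated PowerShell session.

```powershell
# Added example: pre-flight a PAC URL and apply it locally on one pilot host.
# Run in an elevated PowerShell session. Pass the Proxy PAC URL copied from
# https://admin.surepath.ai; 'https://PLACEHOLDER.example/proxy.pac' is only a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$PacUrl   # e.g. 'https://PLACEHOLDER.example/proxy.pac' (placeholder)
)

# The key and value the Group Policy Preference registry item writes (Setting 1, registry option).
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'AutoConfigURL'

# 1. Confirm the PAC URL is reachable and returns something that looks like a PAC script.
#    A PAC file must define FindProxyForURL(url, host); anything else means a wrong URL
#    or an intercepted/blocked download, and deploying it via GPO would leave endpoints unproxied.
try {
    $response = Invoke-WebRequest -Uri $PacUrl -UseBasicParsing -TimeoutSec 15
} catch {
    throw "PAC URL could not be retrieved: $($_.Exception.Message)"
}
if ($response.Content -notmatch 'FindProxyForURL\s*\(') {
    throw "Response from $PacUrl does not contain FindProxyForURL; check the URL before deploying it via GPO."
}
Write-Host "PAC file retrieved ($($response.Content.Length) bytes) and contains FindProxyForURL."

# 2. Write the same REG_SZ value the GPP registry item creates (-Force overwrites an existing value).
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value $PacUrl -Force | Out-Null

# 3. Read the value back and fail loudly if it does not match what was written.
$applied = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ($applied -ne $PacUrl) {
    throw "AutoConfigURL read back as '$applied', expected '$PacUrl'."
}
Write-Host "AutoConfigURL set machine-wide to $applied"
Write-Host "Reminder: the HKLM value is only honoured once proxy settings are per-machine (Setting 3 in this document)."
```

Run it as `.\Set-PacUrl.ps1 -PacUrl '<Proxy PAC URL>'`. The content check is deliberate: a captive portal or a blocked download also returns a 200 response, so checking for FindProxyForURL catches the case where the URL is reachable but not serving the PAC.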
Setting 2 (required) - SurePath AI root certificate
From within the Group Policy Management Editor, browse to the following path: Computer Configuration - Policies - Windows Settings - Security Settings - Public Key Policies - Trusted Root Certification Authorities
In the right pane, left-click on the blank space and click Import...
When the new window opens, click Next
On the next page, click Browse... and, in the file dialog, browse to and select the SurePath AI root certificate you downloaded in the prerequisites
Once the file is populated in the text box, click Next
On the following Certificate Store page, leave all the default selections and click Next
On the confirmation page, click Finish
Setting 3 (required) - Make proxy PAC computer-wide
From within the Group Policy Management Editor, browse to the following path: Computer Configuration - Policies - Administrative Templates - Windows Components - Internet Explorer
Find the setting named Make proxy settings per-machine (rather than per-user) and double-click on it
Within the window that opens up, select the Enabled option and then click OK at the bottom of the window
Setting 4 (optional) - Prevent user changing proxy settings
From within the Group Policy Management Editor, browse to the following path: User Configuration - Policies - Administrative Templates - Windows Components - Internet Explorer
Find the setting named Prevent changing proxy settings and double-click on it
Within the window that opens up, select the Enabled option and then click OK at the bottom of the window
Applying the settings
After adding the three required settings (and, optionally, Setting 4) to the new Group Policy Object, the policy needs to be linked to either the root of the domain or a specific OU within the Active Directory structure.
Within the Group Policy Management console, right-click on the desired location to apply the policy and select Link an Existing GPO…
A new window will appear
From the Group Policy objects list, choose the newly created Group Policy Object and click OK
The policy will now be applied to all devices within that structure inside of Active Directory
Verifying the SurePath AI integration
SurePath AI provides a tool for verifying that an endpoint is configured to integrate properly with SurePath AI's platform. After completing the steps above and confirming that the configuration has been deployed to the desired devices, administrators can verify the integration by visiting https://ready.surepath.ai.
Interpreting results
A test will be run as soon as the page is loaded. If both tests show green Valid results, the endpoint is properly integrated and GenAI traffic originating from that endpoint will be processed by SurePath AI.
If the Certificate Trust test shows a red Invalid result, the SurePath AI root certificate is not trusted by the device or browser. This can happen when the certificate has not been deployed to the device yet. Check the device's local certificate trust store for the SurePath AI Root CA certificate. If the certificate has been deployed and verified as installed, the device may need to be restarted for the browser to pick up the newly added SurePath AI root CA certificate.
If the Network Configuration test shows a red Invalid result, the SurePath AI platform is not receiving traffic from the endpoint. This is most likely because the network configuration has not been pushed to the device. Some browsers and applications, such as Firefox, can ignore system-level proxy settings and have their own proxy settings that must be configured separately from the system-level settings described in this document.
Things to know
This section outlines a few user experiences and other caveats that administrators should be aware of when using this deployment model.
Group Policy propagation
Group Policy can take a significant amount of time to propagate throughout an organization. To test on a specific Windows host immediately, run a simple command on the device to force it to download the latest Group Policy from Active Directory.
Open a command prompt (CMD) on the Windows device with administrative privileges
Type gpupdate /force
Once finished, the local computer will have the most updated version of its Group Policy
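The following PowerShell script is an added example (not part of the SurePath AI documentation) that ties the propagation step above to the Interpreting results section: it forces the policy refresh and then checks, on the host, each setting from this document whose absence would produce a red Invalid result. The expected PAC URL and the path of the downloaded root CA .cer file are placeholders to replace. The value name ProxySettingsPerUser is the registry value behind the "Make proxy settings per-machine" policy as documented by Microsoft; it is not mentioned on this page.

```powershell
# Added example: force a Group Policy refresh on one host, then verify that the settings
# from this document actually landed. Run in an elevated PowerShell session.
# Assumptions (placeholders, not from this document): the SurePath AI root CA .cer downloaded
# in the prerequisites is at $CerPath, and the expected Proxy PAC URL is $ExpectedPacUrl.
param(
    [string]$ExpectedPacUrl = 'https://PLACEHOLDER.example/proxy.pac',
    [string]$CerPath        = 'C:\Temp\SurePathAI-RootCA.cer'
)

# 1. Force the host to download the latest policy (same as 'gpupdate /force' from an admin CMD).
gpupdate /force | Out-Null

$results = [ordered]@{}

# 2. Setting 1: AutoConfigURL. Check both hives: the Internet Settings preference writes HKCU,
#    the Registry preference writes HKLM; with Setting 3 enabled the HKLM value is the one used.
foreach ($hive in 'HKLM', 'HKCU') {
    $key = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
    $val = (Get-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
    $results["$hive AutoConfigURL"] = if ($val) { $val } else { '<not set>' }
}
$results['PAC URL matches expected'] = ($results.Values -contains $ExpectedPacUrl)

# 3. Setting 3: "Make proxy settings per-machine" sets ProxySettingsPerUser = 0 under the
#    Policies key (value name per Microsoft's IE policy documentation, not from this page).
$polKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$perUser = (Get-ItemProperty -Path $polKey -Name ProxySettingsPerUser -ErrorAction SilentlyContinue).ProxySettingsPerUser
$results['Proxy settings per-machine'] = ($perUser -eq 0)

# 4. Setting 2: the root CA must be in the machine Trusted Root store. Compare by the thumbprint
#    of the downloaded .cer rather than by name, so a look-alike certificate cannot pass the check.
if (Test-Path $CerPath) {
    $expected  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
    $installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $expected.Thumbprint
    $results['Root CA trusted (machine store)'] = [bool]$installed
    $results['Root CA thumbprint']              = $expected.Thumbprint
} else {
    $results['Root CA trusted (machine store)'] = "cannot check: $CerPath not found"
}

# 5. Report. A False here maps to a red Invalid result on https://ready.surepath.ai:
#    root CA missing -> Certificate Trust; PAC URL missing or per-user -> Network Configuration.
[pscustomobject]$results | Format-List
```

If the root CA shows as trusted but the browser still reports Invalid, restart the device as described above; browsers read the machine store at start-up. The thumbprint comparison is the check to keep in any automated compliance query, since matching on the certificate's friendly name or subject alone would accept any certificate that copies those strings.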
Embedded Generative AI Services
SurePath AI is designed to enhance security and control access to generative AI web services, such as ChatGPT, by requiring users to authenticate through a web browser. This authentication process ensures that only authorized individuals have access. However, this approach presents a challenge for certain applications and platforms that have integrated or embedded generative AI capabilities directly into their systems.
These embedded AI services are tightly integrated within their host applications and are not designed to operate through external web browsers. As a result, they cannot complete the web-based authentication process required by SurePath AI. When attempts are made to route these embedded services through SurePath AI, they may encounter difficulties and may not function as intended.
Recognizing this limitation, the development team at SurePath AI is actively working on a solution to support these embedded generative AI services. This effort aims to expand the versatility of SurePath AI and ensure it can work seamlessly with a wider range of AI-powered applications and platforms.
As progress is made in developing this support for embedded services, this documentation will be updated to reflect new features and capabilities. Users and administrators are encouraged to check back regularly for the latest information on how SurePath AI can be used with various types of generative AI services, including embedded ones.
Applications with internal proxy configurations
Some applications can bypass system-level network configuration such as proxies. Mozilla Firefox, for example, can either use the system-level settings or be configured to override them. Such applications usually allow this behavior to be controlled through group policies or configuration files, but some may not.
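As an added example (not from the SurePath AI documentation or Mozilla), the PowerShell script below configures Firefox through its enterprise policy file so that it uses the same PAC URL as Setting 1 and locks the setting, closing the bypass described above. It assumes Firefox's enterprise policy mechanism: a `policies.json` file in the `distribution` folder under the install directory, with a `Proxy` policy carrying `Mode`, `AutoConfigURL` and `Locked` keys. Check those key names against Mozilla's policy documentation for the Firefox version in use before relying on them; the install path and PAC URL are parameters.

```powershell
# Added example: point Firefox at the same PAC file via its enterprise policy file and lock
# the setting, so Firefox cannot be configured to bypass the system-level proxy set by the GPO.
# Assumptions (not from this document): Firefox reads <install dir>\distribution\policies.json
# and honours a "Proxy" policy with keys Mode / AutoConfigURL / Locked.
param(
    [Parameter(Mandatory = $true)]
    [string]$PacUrl,                                       # same Proxy PAC URL as Setting 1
    [string]$FirefoxDir = "$env:ProgramFiles\Mozilla Firefox"
)

$distDir    = Join-Path $FirefoxDir 'distribution'
$policyFile = Join-Path $distDir 'policies.json'

# Start from any existing policies so other settings in the file are preserved.
$policies = @{}
if (Test-Path $policyFile) {
    $existing = Get-Content -Path $policyFile -Raw | ConvertFrom-Json
    # ConvertFrom-Json returns a PSCustomObject; copy its policies into a hashtable.
    if ($existing.policies) {
        foreach ($p in $existing.policies.PSObject.Properties) { $policies[$p.Name] = $p.Value }
    }
}

# Proxy policy: autoConfig mode with the PAC URL, Locked so users cannot change it in Settings.
$policies['Proxy'] = @{
    Mode          = 'autoConfig'
    AutoConfigURL = $PacUrl
    Locked        = $true
}

if (-not (Test-Path $distDir)) { New-Item -ItemType Directory -Path $distDir | Out-Null }
@{ policies = $policies } | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding UTF8

# Read back and show the effective proxy policy written to disk.
(Get-Content -Path $policyFile -Raw | ConvertFrom-Json).policies.Proxy
```

Deploy the script (or the resulting file) through the same GPO mechanism used for the other settings, for instance as a computer start-up script, so that the Firefox configuration and the system-level configuration arrive together. After Firefox restarts, the proxy section of its settings page should show the PAC URL greyed out, and https://ready.surepath.ai opened in Firefox should report Valid for Network Configuration.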