Web Traffic Redirection (WTR) is a new feature of the Symantec Endpoint Protection (SEP) client that allows customers who own both SEP and Web Security Service (WSS) to redirect their Windows and Macintosh client's Web traffic through the SEP client. This removes the need for a 3rd party WSS agent, or 3rd party proxy server configurations on clients, and allows users to access the Web through WSS both on premise, and while roaming. The WTR engine leverages the SEP client's functionality to seamlessly identify clients based on user name and domain.
The WTR engine creates a Local Proxy Service (LPS) and configures supported browsers and the operating system to forward Web requests to the LPS via a PAC file. When Web clients make a request for a resource, the request is sent to the LPS, which forwards the request to the downstream proxy (WSS, or on-premise proxy), the filtered Web responses are sent back to the LPS, which returns them to the Web client.
If you are already using a Unified Agent to redirect traffic to WSS, you do not necessarily need the SEP agent (client). However, if you are looking to fortify endpoint defenses with an endpoint detect and response product such as SEP, and want a singular management location for PAC file designation you can use the SEP agent to redirect the traffic to WSS without the use of multiple agents.
SEP also provides the following additional benefits:
Yes, see Best practices for Endpoint Protection Web Security Services Traffic Redirection for more information.
The SEP client's WTR engine makes the appropriate system proxy settings. On Windows clients, LAN Settings in Internet Explorer/Chrome and Proxy Settings for Edge and Firefox, the WTR engine makes the appropriate proxy changes and then locks the UI. This prevents users from changing their proxy settings manually in Internet Explorer, Edge and Chrome.
On the SEP for Mac client, system proxy settings are configured but not locked.
On both operating systems, the WTR engine checks the proxy settings on a 3 minute interval to ensure they haven't been modified by other means, and, if changed, sets them back to the Integrations policy defined configuration.
Note: Proxy configurations set in a Windows Group Policy Object (GPO) will override WTR proxy settings when the GPO applies. It's also possible to lock the WTR engine from being able to make proxy settings by disabling the option to make proxy settings computer specific and not user specific. See Endpoint Protection Web Traffic Redirection fails to set proxy settings for more details.
The SEP Manager provides multiple options (server, client, mixed mode) to an administrator to configure the SEP client to allow or deny control over client settings. A SEP admin can choose to retain full control, in which case, only the system admin is allowed to modify the WTR PAC file URL or other settings. See Preventing and allowing users to change the client's user interface for more details.
Furthermore, the Integrations policy can be locked to prevent end-user changes. And, for even more protection, the SEP client can be configured to require a password to be opened. See Password-protecting the Symantec Endpoint Protection client for more information.
Each SEP Integrations policy can only be configured to specify a single PAC file URL. Clients can be directed to different PAC files by specifying different Integrations policies for different SEP client groups and locations.
PAC files can be hosted on any Web server in the customer's environment, or through Pac File Management Service (PFMS) in WSS can be leveraged. PFMS allows users to create and manage PAC files and WSS locations through the WSS portal.
At this time, Symantec Endpoint Security does not provide WTR functionality.
Similar functionality to WTR is available in the SEP mobile client. See Connectivity: Integrate SEP Mobile for more information.
Web Security Services Unified Agent