Bypass the Web Security.Cloud Service


Article ID: 164404

Products

Web Security.cloud

Issue/Introduction

The client machine is unable to access a URL through the Web Security.cloud proxy service and requires a bypass.

Any URLs that are bypassed go directly out to the internet and are not scanned by Symantec. This article discusses how to apply a bypass for SmartConnect, for Client Site Proxy, and at the browser level. Decide which bypass to apply based on your infrastructure's proxy deployment.

Resolution

Smart Connect Bypass:

Note that the bypass section within the agentconfigure.xml file is commented out by default, so it is not referenced. Check this first when adding a bypass to the file, or if the bypasses appear not to work.

Anything between a <!-- and --> is a comment and will be ignored.

Example of the default agentconfigure.xml bypass section (note the comment markers at the top and bottom):

 <!--   Bypass List
  
  This is the URL list to bypass the request to upstream proxy. Each bypass can 
  contain the url, pattern, and mode, where the url is the URL to match. The 
  pattern can be Exact, ISAWildcard and Regex(default). The mode can be OnLAN, 
  OffLAN, Never and Always(default). The url field is mandatory and the other 
  two tags are optional. User can define zero to more bypass tags.
  
  The Exact, ISAWildcard and Regex are all case insensitve. The Exact match will
  match the whole URL exactly. The ISAWildcard follows the rules for the ISA URL
  Set (http://technet.microsoft.com/en-us/library/cc302531.aspx#URLSets). The
  Regex uses the POSIX Extended regular expression syntax.
  
  Only the first bypass_list tag will take effect if multiple bypass_list tags are defined.

  <bypass_list>
    <bypass>
      <url>http://*.update.microsoft.com</url>
      <pattern>ISAWildcard</pattern>
      <mode>OffLAN</mode>
    </bypass>
    
    <bypass>
      <url>http://*.download.windowsupdate.com</url>
      <pattern>ISAWildcard</pattern>
      <mode>OffLAN</mode>
    </bypass>    
  </bypass_list>
  
  --> 

To activate the bypass list, move the closing comment marker --> up above the actual bypass entries, like this:

 <!--   Bypass List
  
  This is the URL list to bypass the request to upstream proxy. Each bypass can 
  contain the url, pattern, and mode, where the url is the URL to match. The 
  pattern can be Exact, ISAWildcard and Regex(default). The mode can be OnLAN, 
  OffLAN, Never and Always(default). The url field is mandatory and the other 
  two tags are optional. User can define zero to more bypass tags.
  
  The Exact, ISAWildcard and Regex are all case insensitve. The Exact match will
  match the whole URL exactly. The ISAWildcard follows the rules for the ISA URL
  Set (http://technet.microsoft.com/en-us/library/cc302531.aspx#URLSets). The
  Regex uses the POSIX Extended regular expression syntax.
  
  Only the first bypass_list tag will take effect if multiple bypass_list tags are defined.

  --> 

  <bypass_list>
    <bypass>
      <url>http://*.update.microsoft.com</url>
      <pattern>ISAWildcard</pattern>
      <mode>OffLAN</mode>
    </bypass>
    
    <bypass>
      <url>http://*.download.windowsupdate.com</url>
      <pattern>ISAWildcard</pattern>
      <mode>OffLAN</mode>
    </bypass>    
  </bypass_list>
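
The following is an added example, not part of the original article or of Symantec's tooling: a small audit that reports which bypass entries in an agentconfigure.xml body are actually live, applying the rules quoted in the file's own comment (commented-out lists are ignored, only the first bypass_list takes effect, pattern defaults to Regex and mode to Always). The root element name `agent_config` and the example.com entries are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the root element name <agent_config> is an assumption;
# the bypass_list layout follows the article's example.
SAMPLE = r"""<agent_config>
  <!-- Bypass List (documentation comment)
  <bypass_list>
    <bypass><url>http://ignored.example.com</url></bypass>
  </bypass_list>
  -->
  <bypass_list>
    <bypass>
      <url>http://*.update.microsoft.com</url>
      <pattern>ISAWildcard</pattern>
      <mode>OffLAN</mode>
    </bypass>
    <bypass><url>^https?://intranet\.example\.com/</url></bypass>
  </bypass_list>
  <bypass_list>
    <bypass><url>http://second-list.example.com</url></bypass>
  </bypass_list>
</agent_config>"""

def audit_bypasses(xml_text):
    """Return (active_entries, commented_out_lists, ignored_extra_lists)."""
    # A bypass_list inside <!-- ... --> is a comment and is never read.
    commented_out = sum(
        body.count("<bypass_list>")
        for body in re.findall(r"<!--(.*?)-->", xml_text, flags=re.S)
    )
    # ElementTree discards comments, so only live elements remain in the tree.
    lists = list(ET.fromstring(xml_text).iter("bypass_list"))
    active = []
    for b in (lists[0].findall("bypass") if lists else []):  # first list only
        url = (b.findtext("url") or "").strip()
        if not url:
            continue  # url is mandatory; skip malformed entries
        active.append({
            "url": url,
            "pattern": (b.findtext("pattern") or "Regex").strip(),
            "mode": (b.findtext("mode") or "Always").strip(),
        })
    return active, commented_out, max(len(lists) - 1, 0)

if __name__ == "__main__":
    entries, commented, extra = audit_bypasses(SAMPLE)
    for e in entries:
        print("UNSCANNED:", e["url"], e["pattern"], e["mode"])
    print("commented-out lists:", commented, "| ignored extra lists:", extra)
```

Every entry it prints is traffic that leaves without being scanned, so the output is also a convenient list to review when bypasses are added over time.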

Client Site Proxy Bypass:

Copy the lines between the dashed lines below into the squid.conf file. You can paste them just below the ACL section of squid.conf. If you already have a bypass_domain.txt file, you can simply add the destination domain you wish to bypass.

------------------------------------------------------------------

#URLS to bypass the trip
 acl BYPASS_DOMAIN dstdomain "C:\ClientSiteProxy\etc\bypass_domain.txt"
 
 #TAG: Bypass NTLM & Trip
 http_access allow BYPASS_DOMAIN
 always_direct allow BYPASS_DOMAIN

---------------------------------------------------------------------

Then create a txt file: "C:\ClientSiteProxy\etc\bypass_domain.txt" and add the destination domain (one per line) like this:

 .bbc.com
 .bbc.net
 .bbc.net.uk
 .whatismyproxy.com

You may also create a bypass_ip.txt file for IPs rather than host names.

Save the file, then reload Squid from the command line with the command below, or restart the Client Site Proxy service.

C:\ClientSiteProxy\sbin\squid.exe -k reconfigure -n squidnt
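
The following is an added example, not part of the original article: a check of bypass_domain.txt content that rejects lines that are not host names and then tests which hosts the list sends direct (unscanned). It assumes standard Squid dstdomain matching, where a leading dot covers the domain and all of its subdomains; the last two sample lines are constructed mistakes, not entries from the article.

```python
import re

# Constructed sample of bypass_domain.txt content: the first four lines are the
# article's entries, the last two are typical mistakes added for illustration.
SAMPLE = """\
.bbc.com
.bbc.net
.bbc.net.uk
.whatismyproxy.com
http://www.example.com/login
*.example.org
"""

def load_entries(text):
    """Split file content into (valid, rejected); rejected holds (line, reason)."""
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        if "/" in line:
            rejected.append((line, "URL or path; dstdomain takes host names only"))
        elif "*" in line:
            rejected.append((line, "wildcard; use a leading dot for subdomains"))
        elif not re.fullmatch(r"\.?[a-z0-9-]+(\.[a-z0-9-]+)*", line):
            rejected.append((line, "not a host name"))
        else:
            valid.append(line)
    return valid, rejected

def goes_direct(host, entries):
    """True if host matches an entry under Squid dstdomain rules (assumed)."""
    host = host.lower().rstrip(".")
    for entry in entries:
        if entry.startswith("."):
            # ".bbc.com" covers bbc.com itself and every subdomain of it.
            if host == entry[1:] or host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

if __name__ == "__main__":
    ok, bad = load_entries(SAMPLE)
    for line, reason in bad:
        print("REJECTED:", line, "->", reason)
    for h in ("news.bbc.com", "bbc.com", "notbbc.com"):
        print(h, "bypasses the proxy" if goes_direct(h, ok) else "is scanned")
```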

Browser Level Bypass:

Internet Explorer/Chrome:

  1. Select Internet Options from the Tools menu
  2. Select the Connections tab
  3. Select LAN Settings
  4. In the area labeled Proxy Server, verify your proxy settings. If the Use a proxy server for your LAN check box is not selected
  5. Select Advanced
  6. In the exceptions list, enter the URL(s) you wish to add to the Proxy Exceptions List

Firefox:

  1. Select Tools
  2. Select Options
  3. Select Advanced
  4. Select Network
  5. Select Settings
  6. Enter the URL you wish to bypass under No Proxy for