During deployment of Advanced Threat Protection (ATP) Platform in an environment with a proxy, or after adding a proxy in an environment where ATP Platform is already deployed, the system status begins to show "ATP is Critical" in red.

• The System Health status of ATP displays "ATP is Critical" in red.
• On mouseover of "ATP is Critical", one of the messages displayed is "Unsupported proxy configuration. Configured proxy is intercepting secure communication. Component(s) affected: LicenseUpdate."

ATP does not support the interception of its SSL communication to and from the Symantec licensing servers. This behavior is by design.

Provide a network route between the ATP platform's MGMT interface and the internet where SSL traffic is not intercepted.

For proxies not published by Symantec, please consult with your manufacturer or vendor for a workaround. You may need to consult Appendix D of the Symantec™ Advanced Threat Protection 3.2 Administration Guide, available here:

• Title: DOC11183 - Symantec™ Advanced Threat Protection 3.2 Administration Guide
  URL: https://support.symantec.com/en_US/article.DOC11183.html

To workaround this behavior within Symantec ProxySG

• If the environment includes SSLV, please contact support for further assistance.
   
• If the ProxySG is transparently deployed, do one of the following:
  If the source IP is allowed out to the Internet, then add the ATP server IP as a source IP to the proxy bypass list.
  If the source IP is not allowed out to the Internet, then add a TCP Tunnel service with the source IP being the ATP Platform
   
• If the ProxySG is explicitly deployed, do one of the following:
  If the source IP is allowed out to the Internet, then disable the Network Proxy settings within the UI of the ATP Platform
  If the source IP is not allowed out to the Internet, then add the following policy lines to the local policy file of the ProxySG:
  <proxy>
client.address=IP_OF_ATP detect_protocol(no)
  
  ...where IP_OF_ATP is the actual IP address of the ATP appliance.

To add the ATP server IP as a source IP to the proxy bypass list within a transparent ProxySG

1. Navigate to Configuration> Proxy services.
2. On the Static Bypass List tab, click New.
3. In the New Bypass List Entry dialog box, click the radio button beside "Client host or subnet"
4. In the IP Address, type the IP address of the management interface of ATP appliance
5. In the Prefix/Subnet, type the Subnet
6. Click OK to exit the New Bypass List Entry dialog box and create the new Bypass List entry.
7. If an Apply button appears, click Apply.

To add a TCP Tunnel service for ATP to a transparent ProxySG

1. Navigate to Configuration> Proxy services.
2. On the Proxy Services tab, click the New Service button.
3. In the New Service dialog box, in the Name: field, type "ATP Bypass service" or another appropriate name.
4. In the dropdown box labelled "Service Group:", select 'Bypass Recommended'
   
   NOTE: Using a service group other than 'Bypass Recommended' is acceptable, but may create confusion.
    
5. In the dropdown box labelled "Proxy:", select 'TCP Tunnel'.
6. In the Listeners section, click the New button.
7. In the New Listener dialog box, click Source host or subnet.
8. In the IP Address field, type the IP address of the management interface of ATP Platform.
9. In the Subnet: field, type the valid subnet for the management interface of ATP Platform.
10. Click Transparent.
11. In the Port range field, type "443"
12. Below Action, click the radio button labelled 'Bypass'
13. Click OK to exit the New Listener dialog box and create the new Listener.
14. Click OK again to exit the New Service dialog box and create the new Service.
15. Click Apply to confirm the new settings.

To disable the Network Proxy settings within the UI of the ATP Platform

1. On the left navigation pane, click Settings.
2. On the right navigation pane, click Appliances.
3. In the list of appliances, click the row of the appliance with "Management" in the Role column.
4. If "Use Network Proxy" is checked, uncheck it.
   
   NOTE: This change may take five (5) minutes to become effective.