Error: "Unsupported proxy configuration" on mouseover of system health status

book

Article ID: 169775

calendar_today

Updated On:

Products

Endpoint Detection and Response Advanced Threat Protection Platform

Issue/Introduction

During deployment of the Symantec Endpoint Detection and Response appliance in an environment with a proxy, or after adding a proxy in an environment where SEDR is already deployed, the system status begins to show "ATP is Critical" in red.

  • The System Health status of SEDR displays "Symantec EDR is Critical" in red.
  • On mouseover of "Symantec EDR is Critical", one of the messages displayed is "Unsupported proxy configuration. Configured proxy is intercepting secure communication. Component(s) affected: "

Cause

SEDR does not support the interception of its SSL communication to and from the Symantec licensing servers. This behavior is by design.

Environment

Traffic from SEDR passes through ProxySG or a third party proxy inserting its own certificate in an attempt to record encrypted communications.

Resolution

The System Health message will call out which service is being affected. In order to resolve this, you may need to configure an exception between the SEDR appliance's MGMT interface and the internet so SSL/TLS traffic is not intercepted. Add each one of these hosts to the exception/allow list:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/symantec-security-software/endpoint-security-and-management/endpoint-detection-and-response/4-4/INSTALL_AND_SET_UP_2/required-firewall-ports-v97213154-d38e5602.html

For proxies not sold or supported by Broadcom, please consult with your manufacturer or vendor for the required process.

To workaround this behavior within Symantec ProxySG

  • If the environment includes SSLV, please contact support for further assistance.
     
  • If the ProxySG is transparently deployed, do one of the following:
    If the source IP is allowed out to the Internet, then add the SEDR MGMT IP as a source IP to the proxy bypass list.
    If the source IP is not allowed out to the Internet, then add a TCP Tunnel service with the source IP being the SEDR
     
  • If the ProxySG is explicitly deployed, do one of the following:
    If the source IP is allowed out to the Internet, then disable the Network Proxy settings within the UI of SEDR
    If the source IP is not allowed out to the Internet, then add the following policy lines to the local policy file of the ProxySG:
    <proxy>
    client.address=IP_OF_SEDR detect_protocol(no)


    ...where IP_OF_SEDR is the actual IP address of the SEDR appliance.

 

To add the SEDR MGMT IP as a source IP to the proxy bypass list within a transparent ProxySG

  1. Navigate to Configuration> Proxy services.
  2. On the Static Bypass List tab, click New.
  3. In the New Bypass List Entry dialog box, click the radio button beside "Client host or subnet"
  4. In the IP Address, type the IP address of the management interface of SEDR appliance
  5. In the Prefix/Subnet, type the Subnet
  6. Click OK to exit the New Bypass List Entry dialog box and create the new Bypass List entry.
  7. If an Apply button appears, click Apply.

 

To add a TCP Tunnel service for SEDR to a transparent ProxySG

  1. Navigate to Configuration> Proxy services.
  2. On the Proxy Services tab, click the New Service button.
  3. In the New Service dialog box, in the Name: field, type "SEDR Bypass service" or another appropriate name.
  4. In the dropdown box labelled "Service Group:", select 'Bypass Recommended'

    NOTE: Using a service group other than 'Bypass Recommended' is acceptable, but may create confusion.
     
  5. In the dropdown box labelled "Proxy:", select 'TCP Tunnel'.
  6. In the Listeners section, click the New button.
  7. In the New Listener dialog box, click Source host or subnet.
  8. In the IP Address field, type the IP address of the management interface of SEDR.
  9. In the Subnet: field, type the valid subnet for the management interface of SEDR.
  10. Click Transparent.
  11. In the Port range field, type "443"
  12. Below Action, click the radio button labelled 'Bypass'
  13. Click OK to exit the New Listener dialog box and create the new Listener.
  14. Click OK again to exit the New Service dialog box and create the new Service.
  15. Click Apply to confirm the new settings.

 

To disable the Network Proxy settings within the UI of the SEDR

  1. On the left navigation pane, click Settings.
  2. On the right navigation pane, click Appliances.
  3. In the list of appliances, click the row of the appliance with "Management" in the Role column.
  4. If "Use Network Proxy" is checked, uncheck it.

    NOTE: This change may take five (5) minutes to become effective.