Best practices for integrating Symantec Endpoint Protection (SEP) and Web Security Service (WSS) using the Web Traffic Redirection (WTR) feature of the SEP client.
Ensure your clients regularly update to the latest WTR content in order to maintain the best possible performance and functionality.
Symantec has made several enhancements to the WSS integration feature of the SEP client since its initial release in SEP 14.0.1 MP1. One example of these enhancements is Seamless Integration, which was added to the SEP 14.2 client for Windows clients. In order to take advantage of the latest functionality enhancements, and to remove known product issues or vulnerabilities which may impact WTR, ensure your clients use the latest version of the SEP client.
Ensure that there are no entries for Symantec.com domains (e.g. *.wss.symantec.com) in the WSS bypass list. If wss.symantec.com is bypassed, the SEP Local Proxy Service will be unable to complete the seamless authentication handshake when using a SEP Integration Token.
For situations that require bypassing network traffic from the Windows Local Proxy Service, Symantec provides an exe utility called LPSFlags.exe. This tool allows swapping out the default proxy.pac hosted by LPS with a custom PAC file to bypass the necessary traffic (e.g. SSL VPNs).
For more information on LPSFlags.exe, refer to Bypass Endpoint Protection Web Traffic Redirection using LPSFlags.exe.
SEP for Mac clients cannot make use of custom proxy settings for LiveUpdate while WTR is enabled; instead, they send the traffic direct. This is by design and requires that custom proxy settings be disabled when WTR is in use. For more information, see Mac clients do not honor custom proxy settings for LiveUpdate with Web Traffic Redirection.
If your clients connect to the Internet through a corporate proxy or firewall, ensure you allow unrestricted access to the following hostnames and ports, which the SEP client needs for access and authentication:
| Host | Port | Description |
|---|---|---|
| proxy.threatpulse.net | 8080 | Default WSS proxy URL |
| sep-wtr.threatpulse.net | 8080 | WTR-specific WSS proxy URL |
Seamless identification is the process of identifying the endpoint's organisation and negotiating a session key that encrypts an authorisation token for each request sent to WSS. This is done seamlessly between the agent and the secure gateway handling the web traffic over the WSS ingress data path. As such, you need to ensure that the client-id URL is not bypassing WSS.
Clients using the SEP WTR feature should be configured to use a PAC file that directs them to sep-wtr.threatpulse.net instead of the default proxy.threatpulse.net. This DNS name has been optimized for roaming clients and helps prevent rapid switching between datacenters. This rapid switching between datacenters can cause the following problems with WSS:
The egress IP must be static when using WTR. In situations where multiple egress IPs are available and load balanced, end users utilizing WTR will observe frequent and intermittent 407 Proxy Authentication Required responses, resulting in a disruptive web browsing experience.
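The following custom PAC file is an added illustration of the rules above (the sep-wtr.threatpulse.net entry point, the LPSFlags.exe bypass PAC, and the "never bypass Symantec.com" rule); it is not Symantec's shipped proxy.pac. The bypass host names, the shim helper functions and the validateBypassList name are assumptions made for this example.

```javascript
// Added example, not Symantec's shipped proxy.pac: a custom PAC file for LPS that
// sends browsing to the WTR-specific WSS proxy and bypasses only what must bypass it.
// Host names in BYPASS are placeholders. Plain for-loops are used so older PAC
// engines (JScript) accept the file; the shims below exist only so it runs in Node.
function shExpMatch(str, pattern) {              // shim for the standard PAC helper
  var esc = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + esc + "$", "i").test(str);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }

var WSS_PROXY = "PROXY sep-wtr.threatpulse.net:8080";   // roaming-optimised WSS entry point

// Traffic that must go DIRECT (placeholders): SSL VPN gateway, Citrix broker, intranet.
var BYPASS = ["vpn.example.com", "*.citrix.example.com", "*.corp.example.com"];

// Domains that must never be bypassed: the seamless-authentication handshake with a
// SEP Integration Token fails if *.wss.symantec.com does not reach WSS.
var NEVER_BYPASS = ["symantec.com"];
// Representative Symantec.com hosts used to probe a bypass list for patterns that
// would swallow them (host names constructed for this check).
var PROBE_HOSTS = ["symantec.com", "wss.symantec.com", "probe.wss.symantec.com"];

function inDomain(host, domain) {
  var h = host.toLowerCase(), d = domain.toLowerCase();
  return h === d || h.slice(-(d.length + 1)) === "." + d;
}

// Returns the bypass patterns that would match a Symantec.com host; run this against
// the list before deploying it with LPSFlags.exe. Expected result: an empty array.
function validateBypassList(list) {
  var bad = [];
  for (var i = 0; i < list.length; i++)
    for (var j = 0; j < PROBE_HOSTS.length; j++)
      if (shExpMatch(PROBE_HOSTS[j], list[i])) { bad.push(list[i]); break; }
  return bad;
}

function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || host === "localhost" || host === "127.0.0.1") return "DIRECT";
  for (var n = 0; n < NEVER_BYPASS.length; n++)          // checked before BYPASS on purpose
    if (inDomain(host, NEVER_BYPASS[n])) return WSS_PROXY;
  for (var b = 0; b < BYPASS.length; b++)
    if (shExpMatch(host, BYPASS[b])) return "DIRECT";
  return WSS_PROXY;
}
```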
The WTR engine automatically sets the system proxy settings to point to the local loopback proxy service (http://localhost:2968/proxy.pac by default). Active Directory (AD) Group Policy Object (GPO) configurations for proxy settings will override WTR proxy settings temporarily when computers process GPO configurations. Disable or remove any Group Policy Object (GPO) configurations that set proxy settings to prevent conflicts between GPO and WTR proxy configurations. Additionally, prevent any 3rd party applications from configuring system proxy settings. Examples of 3rd party applications that set proxy settings are Virtual Private Network (VPN) clients, Web traffic debugging utilities, such as Fiddler, and Web traffic anonymizer software. See Endpoint Protection Web Traffic Redirection fails to configure proxy settings for more information.
Citrix Receiver and Citrix Workspace clients must be configured to bypass WTR to ensure reliable connectivity/functionality of the Citrix client. See Citrix clients fail to connect with Web Traffic Redirection for more details.
Ensure any 3rd party agents that normally inject a monitoring module (.dll) into running processes are configured to exclude the SEP client's main processes (ccSvcHst.exe) from injection. The SEP client contains security features that will cause the application to crash rather than allow 3rd party code to be injected into the running process.
Some common examples of 3rd party applications that perform process injection are Citrix agents, and AppSense.
Web browsing performance can be significantly impacted by slow DNS responses. For best results, consider using a DNS provider with a Service Level Agreement, or a proven track record of providing DNS responses within no longer than 50 milliseconds.
Clients leveraging Cisco's Umbrella DNS service must be configured to bypass the WSS for the Umbrella DNS service IP addresses. Sending Umbrella traffic through the WSS will result in DNS response times well above 1 to 2 seconds and will result in Web page load times orders of magnitude slower than on a client using a DNS server with a sub-50 millisecond response time. See Slow web browsing through Endpoint Protection Web Traffic Redirection with Cisco Umbrella DNS service for more information on bypassing Cisco's Umbrella DNS server addresses.