This article is intended for users of SymDiag. Though general readers may benefit from the article’s contents, any solutions, insights, or guidance are geared toward those using SymDiag.

Problem

The Threat Isolation Engine (TIE) gateway’s public Domain Name System (DNS) name is assigned to the local intranet zone. As a security measure, Internet Explorer browser blocks any resource downloaded from the TIE. This includes opening a web-socket connection, which is crucial for the proper functionality of Web Isolation.

When an end user browses to a website and is isolated/blocked by a policy, Symantec Threat Isolation’s proxy will return a block page (aka index.html). This page, which is considered to be downloaded from the internet, will open a web socket to the TIE gateway.

Internet Explorer’s security measures prevent this web-socket from opening, which then interferes with the isolation flow.

Ensure that the TIE gateways have a public DNS name that appears in the FQDN. For example, if the organization’s domain name is myorganization.com, the TIE’s public DNS name should be tie1.myorganization.com.

If the Group Policy Object (GPO) for your organization has defined the FQDN of the TIEs in the local intranet list explicitly, the TIE gateway’s name should be assigned to a sub-domain. For example, if the organization’s domain name is myorganization.com, the TIE’s name should be similar to tie1.isolation.myorganization.com.

For further information, see the Symantec Threat Isolation Platform (STIP) Guide for Administrators section on Installing the Symantec Threat Isolation Platform > Preparation for Installing of All Topologies -> Defining networking -> TIE Public DNS Name Considerations.