
Cisco AnyConnect connections fail with Endpoint Protection Web Traffic Redirection


Article ID: 173606


Updated On:


Endpoint Protection Web Security Service - WSS


Cisco AnyConnect Secure Mobility Client SSL VPN connections fail when the computer is configured to use the Web Security Service (WSS) through the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) feature.


The default policy used by the Cisco AnyConnect client does not allow connections through loopback proxies such as the SEP WTR Local Proxy Service (LPS).


There are multiple solutions for this problem. The solution you choose will depend on your organization's policies and preferences. To allow Cisco AnyConnect VPN clients to connect on computers running SEP WTR, do one of the following:

  1. Configure the Cisco AnyConnect VPN client to connect directly to the VPN concentrator without using the SEP LPS proxy service
  2. Configure the Cisco AnyConnect VPN client to allow connections over a loopback proxy
  3. Use the LPSFlags.exe tool to reconfigure the SEP client's proxy.pac file to bypass the Cisco AnyConnect VPN traffic. For more information on the LPSFlags.exe tool, see "Bypass Endpoint Protection Web Traffic Redirection using LPSFlags.exe".

Note: Contact Cisco support if you require assistance configuring your Cisco AnyConnect policies.

Configure AnyConnect to bypass the WSS proxy

Ensure your Cisco AnyConnect client policy is configured to ignore system proxy settings. The policy should include the following:



Configure AnyConnect to allow loopback proxy connections

Ensure your Cisco AnyConnect client's policy allows VPN connections over localhost proxy connections. The policy should include the following:
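
The following is an added example, not part of the original article and not Cisco or Symantec code: a Python check that reads an AnyConnect client profile and reports whether it explicitly sets either of the two options described in the sections above. The element names `ProxySettings` (value `IgnoreProxy`) and `AllowLocalProxyConnections` are assumptions taken from the AnyConnect client profile schema, since this article does not show them, and the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: element names follow the AnyConnect client profile schema;
# this article does not show them.


def _local(tag):
    """Strip any XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _setting(root, name):
    """Return the text of the first element called `name`, or None if absent."""
    for elem in root.iter():
        if _local(elem.tag) == name:
            return (elem.text or "").strip()
    return None


def check_profile(xml_text):
    """Report which option a profile sets explicitly (defaults not inferred)."""
    root = ET.fromstring(xml_text)
    ignore = _setting(root, "ProxySettings") == "IgnoreProxy"
    local = (_setting(root, "AllowLocalProxyConnections") or "").lower() == "true"
    return {
        "ignores_system_proxy": ignore,
        "allows_loopback_proxy": local,
        "has_workaround": ignore or local,
    }


# Constructed sample profiles (not from a real deployment).
_TEMPLATE = """<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/">
  <ClientInitialization>
    <ProxySettings>{proxy}</ProxySettings>
    <AllowLocalProxyConnections>{local}</AllowLocalProxyConnections>
  </ClientInitialization>
</AnyConnectProfile>"""
SAMPLE_BLOCKED = _TEMPLATE.format(proxy="Native", local="false")
SAMPLE_BYPASS = _TEMPLATE.format(proxy="IgnoreProxy", local="false")
SAMPLE_LOOPBACK = _TEMPLATE.format(proxy="Native", local="true")

if __name__ == "__main__":
    for label, text in [("blocked", SAMPLE_BLOCKED), ("bypass", SAMPLE_BYPASS),
                        ("loopback", SAMPLE_LOOPBACK)]:
        print(label, check_profile(text))
```

The check only reports what the profile states explicitly; a profile that omits both elements is reported as having no workaround set.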