Cisco AnyConnect connections fail with Endpoint Protection Web Traffic Redirection

Article ID: 173606
Products

Endpoint Protection Web Security Service - WSS

Issue/Introduction

Cisco AnyConnect Secure Mobility Client SSL VPN connections fail when the computer is configured to use the Web Security Service (WSS) through the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) feature.

Cause

The default policy used by the Cisco AnyConnect client does not allow connections through loopback proxies such as the SEP WTR Local Proxy Service (LPS).

Resolution

There are multiple solutions for this problem. The solution you choose to implement will depend on your organization's policies and preferences. To allow Cisco AnyConnect VPN clients to connect on computers running SEP WTR, do one of the following:

  1. Configure the Cisco AnyConnect VPN client to connect directly to the VPN concentrator without using the SEP LPS proxy service.
  2. Configure the Cisco AnyConnect VPN client to allow connections over a loopback proxy.
  3. Use the LPSFlags.exe tool to reconfigure the SEP client's proxy.pac file to bypass the Cisco AnyConnect VPN traffic. For more information on the LPSFlags.exe tool, see Bypass Endpoint Protection Web Traffic Redirection using LPSFlags.exe.

Note: Contact Cisco support if you require assistance configuring your Cisco AnyConnect policies.

Configure AnyConnect to bypass the WSS proxy

Ensure your Cisco AnyConnect client policy is configured to ignore system proxy settings. The policy should include the following:

IgnoreProxy

Configure AnyConnect to allow loopback proxy connections

Ensure your Cisco AnyConnect client's policy allows VPN connections through a localhost (loopback) proxy. The policy should include the following:

Native
true
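The two profile-side resolutions above can be verified before a profile is pushed to clients. The following script is an added example, not code from the article or from Cisco or Symantec: it embeds constructed AnyConnect profile fragments and reports whether each would let the client connect on a host running the SEP WTR Local Proxy Service. The element names (ProxySettings with the values Native and IgnoreProxy, AllowLocalProxyConnections as a true/false boolean, both under ClientInitialization) and the profile namespace are my understanding of the AnyConnect VPN profile schema and are assumptions here; an absent ProxySettings is treated as Native and an absent AllowLocalProxyConnections as not allowed, matching the article's statement about the default policy.

```python
"""Check an AnyConnect VPN client profile for compatibility with the SEP WTR loopback proxy."""
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Element names and values follow the AnyConnect VPN profile schema as I understand it
# (assumption): <ProxySettings> under <ClientInitialization> takes Native, IgnoreProxy or
# Override, and <AllowLocalProxyConnections> is a true/false boolean.
NS = "http://schemas.xmlsoap.org/encoding/"  # assumed profile namespace


def _profile(body: str) -> str:
    """Wrap a ClientInitialization body in a minimal profile document (constructed sample)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<AnyConnectProfile xmlns="{NS}">\n'
        f"  <ClientInitialization>\n{body}\n  </ClientInitialization>\n"
        "</AnyConnectProfile>"
    )


# Constructed sample profiles, not taken from the article.
PROFILE_DEFAULT = _profile("    <ProxySettings>Native</ProxySettings>")
PROFILE_BYPASS = _profile("    <ProxySettings>IgnoreProxy</ProxySettings>")
PROFILE_LOOPBACK = _profile(
    "    <ProxySettings>Native</ProxySettings>\n"
    # a stray zero-width space after "true", as pasted profile text often carries
    "    <AllowLocalProxyConnections>true\u200b</AllowLocalProxyConnections>"
)


def _local(tag: str) -> str:
    """Drop the XML namespace prefix so the element name can be compared directly."""
    return tag.rsplit("}", 1)[-1]


def _setting(root: ET.Element, name: str) -> Optional[str]:
    """Return the cleaned text of the first element called `name`, or None if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            # strip ordinary whitespace plus zero-width spaces that survive copy/paste
            return (el.text or "").replace("\u200b", "").strip()
    return None


def loopback_proxy_compatible(profile_xml: str) -> Tuple[bool, str]:
    """Decide whether the profile lets AnyConnect connect on a host running the SEP WTR LPS.

    Returns (ok, reason). Mirrors the article's two profile-side resolutions:
    ignore the system proxy entirely, or explicitly allow loopback proxy connections.
    """
    root = ET.fromstring(profile_xml)
    proxy = _setting(root, "ProxySettings") or "Native"  # absent: treat as the default
    allow_local = (_setting(root, "AllowLocalProxyConnections") or "false").lower() == "true"

    if proxy == "IgnoreProxy":
        return True, "ProxySettings=IgnoreProxy: VPN bypasses the LPS and connects directly"
    if allow_local:
        return True, f"ProxySettings={proxy} with AllowLocalProxyConnections=true: loopback proxy allowed"
    return False, f"ProxySettings={proxy} and loopback proxy connections not allowed: connection will fail"


if __name__ == "__main__":
    samples = [("default", PROFILE_DEFAULT), ("bypass", PROFILE_BYPASS), ("loopback", PROFILE_LOOPBACK)]
    for name, xml in samples:
        ok, reason = loopback_proxy_compatible(xml)
        print(f"{name:9s} {'OK  ' if ok else 'FAIL'} {reason}")
```

Run it against a real profile by replacing one of the constructed samples with the file contents; the namespace-stripping lookup means it also accepts a profile saved without the namespace declaration.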