Bypass Endpoint Protection Web Traffic Redirection using a custom PAC file


Article ID: 175105


Products

Endpoint Protection Web Security Service - WSS

Issue/Introduction

Some third-party applications, such as SSL VPN clients, do not support connecting through a loopback proxy. Use this document to update the proxy.pac file hosted by the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) Local Proxy Service (LPS) so that those applications bypass LPS.

Environment

Microsoft Windows

Resolution

Configure the Proxy Auto Configuration (PAC) file

Before making any changes, compile a list of addresses that need to be exempted from connecting through LPS. The default PAC file hosted by LPS directs clients to send requests for internal (RFC 1918 and APIPA) addresses and plain hostnames directly instead of through LPS. Any resource hosted on a public IP address, or accessed by a public DNS name, will need to be added to the PAC file. These can be specified by Fully Qualified Domain Name (FQDN), IP address, or IP address range.

Note: See Verify a Proxy Auto Configuration file using Web Security Service PAC File Management to learn how to check the PAC file syntax before deployment.

Use the PAC File Management Service (PFMS) PAC file

  1. Add the required addresses to the Bypassed Sites in the WSS portal (see Add sites to the bypass list in Web Security Service for more information on configuring Bypassed Sites)
  2. To export the PFMS PAC file:
    1. Browse to http://portal.threatpulse.com and log in to your WSS account
    2. Click Service > Mobility > PAC File Management, click on the correctly configured PAC file, and click Download
    3. Save the file to an accessible folder as proxy.pac, and open the saved file in a text editor
    4. Locate the following line:
      return "PROXY ";
    5. Replace the WSS DNS name/port with the LPS DNS name/port (localhost:2968 by default)
    6. Save the changes to the proxy.pac
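As an added example (not the PFMS-exported file and not Symantec's default LPS PAC), the following proxy.pac implements the bypass logic described above: plain hostnames and internal RFC 1918/APIPA addresses go DIRECT, a constructed bypass list of FQDNs, single IPs and an IP range goes DIRECT, and everything else is returned to LPS on localhost:2968. The host names and addresses are placeholders. It is written in ES3-style JavaScript (var, no arrow functions) so PAC engines and Node both accept it, and it deliberately avoids the PAC built-in isInNet(), which resolves DNS names; the inRange() helper here only tests literal IPv4 hosts.

```javascript
// Added example of a custom proxy.pac for the SEP WTR Local Proxy Service (LPS).
// Not the PFMS-exported file or Symantec's default PAC; the host names and
// addresses below are constructed placeholders.

// LPS listens on localhost:2968 by default. When importing through the
// SEPM 14.3+ Integrations policy, replace the port number with the <<port>> token.
var LPS_PROXY = "PROXY localhost:2968";

// Bypass list: resources that must not go through LPS (constructed values).
// A leading "." matches the domain and every subdomain; otherwise exact match.
var BYPASS_DOMAINS = ["vpn.example.com", ".corp.example.com"];
// Single public IP addresses to bypass (constructed, RFC 5737 TEST-NET-3).
var BYPASS_IPS = ["203.0.113.10"];
// Public IP ranges to bypass as [network, netmask] (constructed, TEST-NET-2).
var BYPASS_RANGES = [["198.51.100.0", "255.255.255.0"]];

// Private (RFC 1918) and link-local (APIPA) ranges that the default LPS PAC
// already sends DIRECT; kept here so the custom file preserves that behaviour.
var INTERNAL_RANGES = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
  ["169.254.0.0", "255.255.0.0"]
];

// Convert a dotted-quad string to an unsigned 32-bit integer, or -1 if malformed.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return -1;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return -1;
    n = n * 256 + octet;
  }
  return n;
}

// True when a literal IPv4 address lies inside network/mask.
// Unlike the PAC built-in isInNet(), this never performs a DNS lookup.
function inRange(ip, network, mask) {
  var a = ipToInt(ip), m = ipToInt(mask), net = ipToInt(network);
  if (a < 0 || m < 0 || net < 0) return false;
  return ((a & m) >>> 0) === ((net & m) >>> 0);
}

function inAnyRange(ip, ranges) {
  for (var i = 0; i < ranges.length; i++) {
    if (inRange(ip, ranges[i][0], ranges[i][1])) return true;
  }
  return false;
}

// ".corp.example.com" matches corp.example.com and any host under it;
// a pattern without a leading dot must match the host exactly.
function hostMatches(host, pattern) {
  if (pattern.charAt(0) === ".") {
    var bare = pattern.substring(1);
    return host === bare ||
      (host.length > pattern.length &&
       host.substring(host.length - pattern.length) === pattern);
  }
  return host === pattern;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Plain host names (no dots) go direct, as in the default LPS PAC.
  if (host.indexOf(".") === -1) return "DIRECT";

  if (ipToInt(host) >= 0) {
    if (inAnyRange(host, INTERNAL_RANGES)) return "DIRECT";
    for (var i = 0; i < BYPASS_IPS.length; i++) {
      if (host === BYPASS_IPS[i]) return "DIRECT";
    }
    if (inAnyRange(host, BYPASS_RANGES)) return "DIRECT";
    return LPS_PROXY;
  }

  for (var j = 0; j < BYPASS_DOMAINS.length; j++) {
    if (hostMatches(host, BYPASS_DOMAINS[j])) return "DIRECT";
  }
  return LPS_PROXY;
}
```

Because a PAC file is ordinary JavaScript, FindProxyForURL() can be exercised outside the browser or LPS to confirm that every entry on the bypass list returns DIRECT and that an unlisted public host still returns the LPS proxy string before the file is deployed; the PFMS syntax check referenced above validates the syntax, not the bypass decisions.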

Replace the PAC file

SEP 14.3 introduced the ability to import a custom PAC file directly in the Integrations policy. Use this method for SEP 14.3 and newer clients managed by a SEP 14.3 or newer Symantec Endpoint Protection Manager (SEPM).

Import the PAC file into Integrations Policy

  1. Locate the custom PAC file and open it in a text or PAC file editor
  2. Locate the LPS DNS name/port set in the steps above, and replace the LPS port with the following token:
    <<port>>
  3. Log in to the SEPM Console and click Policies > Network Traffic Mitigation > Integrations
    1. To edit an existing Integrations policy, select the policy and click Edit the policy
    2. To create a new Integrations policy, click Add an Integrations policy
  4. Check Enable LPS Custom PAC file and click Import
  5. Browse to the saved custom PAC file and click Import
  6. Click OK to save the policy

Note: The above configuration is only available in SEPM 14.3 or later. Additionally, computers running pre-14.3 SEP clients will not make use of this setting. For pre-14.3 computers, use the manual steps below.


Manually replace the PAC file

  1. Download LPSFlags.exe attached to this document to the same folder as the modified proxy.pac file
  2. Open a command-prompt as Administrator and change directories to the folder containing LPSFlags.exe and proxy.pac
  3. Enter the following command:
    LPSFlags.exe --pac-script proxy.pac --restart
  4. Download a copy of the LPS PAC file from http://localhost:2968/proxy.pac and confirm the changes

Attachments

1587748116716__Update WTR proxy.pac v3.5.dat
LPSFlags.exe