Web Traffic Redirection prompts for authentication

Article ID: 175508

Products

Endpoint Protection, Web Security Service - WSS

Issue/Introduction

When browsing Web sites on a computer configured to use the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) component, a Web Security Service (WSS) roaming logon portal is displayed instead of the requested Web content.

Web browsers display the following message:

Corporate Network Credentials Required
Web access from this device or location requires that you enter your credentials.
Be advised, your corporate security service opens all secure (HTTPS) Web requests for the purpose of validating your identity, enforcing WEb use policy and scanning Web content form malware.
Reason for challenge: Credentials are missing.

Cause

This problem happens when the SEP client is unable to authenticate the user with the Seamless Identification server at https://client-id.wss.symantec.com. The most common reasons for this to happen are:

  1. The SEP client Integrations policy doesn't specify a Symantec Endpoint Suite Integration token from the WSS service
  2. A network device between the client and the WSS is blocking access to the Seamless Identification URL
  3. The downstream PAC file includes logic that directs the client to send requests to the Seamless Identification URL directly instead of through the WSS
  4. The WSS policy includes either the symantec.com domain, the Seamless Identification URL, or the IP address(es) of the Seamless Identification service in the Bypassed Sites list

All Web clients connecting to the WSS must be authenticated to ensure the client is authorized to access the service, and to apply the required policies for the customer tenant the client is associated with. If a Web client is unable to authenticate to the WSS, the service returns a roaming logon page to the Web client in an effort to authenticate the client manually.

Resolution

Ensure the following on all affected clients:

  1. The Integrations Policy applied to the SEP client contains a valid integration token - see Connectivity: WSS-SEP With Seamless Authentication for more information on obtaining and applying an integration token
  2. The symantec.com domain, or any sub-domain that would match the Seamless Identification server's URL (e.g. https://client-id.wss.symantec.com), is not bypassed in the WSS portal or downstream PAC file
  3. The client is not blocked from accessing https://client-id.wss.symantec.com by any firewalls or networking devices between the Web client and the WSS
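
One way to check a downstream PAC file for the bypass described in cause 3 and resolution step 2 is to evaluate it against the Seamless Identification URL and see whether it answers DIRECT. This is an added example for Node.js, not Symantec code; the sample PAC files and the proxy host `wss-proxy.example.invalid` are constructed placeholders, and the helper functions are minimal stand-ins for the standard PAC helpers.

```javascript
const vm = require('vm');

// Seamless Identification URL named in the article.
const SEAMLESS_ID_URL = 'https://client-id.wss.symantec.com/';

// Minimal stand-ins for the standard PAC helpers most files call.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, glob) => {
    const body = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&')
      .replace(/\*/g, '.*').replace(/\?/g, '.');
    return new RegExp('^' + body + '$').test(str);
  },
};

// Evaluate the PAC source in its own context and return its answer for url.
function pacDecision(pacSource, url) {
  const context = vm.createContext({ ...pacHelpers });
  const host = new URL(url).hostname;
  const call = `\nFindProxyForURL(${JSON.stringify(url)}, ${JSON.stringify(host)});`;
  return String(vm.runInContext(pacSource + call, context, { timeout: 1000 })).trim();
}

// True when the PAC file's first choice for the Seamless Identification URL
// is DIRECT, i.e. the request would not go through the WSS (cause 3).
function bypassesWss(pacSource) {
  const first = pacDecision(pacSource, SEAMLESS_ID_URL).split(';')[0].trim();
  return first.toUpperCase() === 'DIRECT';
}

// Constructed sample PAC files; the proxy host is a placeholder.
const BROAD_BYPASS_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".symantec.com")) return "DIRECT";
  return "PROXY wss-proxy.example.invalid:8080";
}`;
const CORRECTED_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || shExpMatch(host, "*.intranet.example.invalid")) return "DIRECT";
  return "PROXY wss-proxy.example.invalid:8080";
}`;

console.log('broad bypass sends client-id direct:', bypassesWss(BROAD_BYPASS_PAC));
console.log('corrected PAC sends client-id direct:', bypassesWss(CORRECTED_PAC));
```

Run it against the PAC file actually deployed to affected clients by passing that file's text to `bypassesWss`; a `true` result means the PAC logic matches the condition listed under Cause.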