
Roaming Web Traffic Redirection users experience random browsing errors


Article ID: 175970


Updated On:

Products

Endpoint Protection Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users accessing Web Security Service (WSS) off net (roaming outside of the corporate network) through the Windows-based Symantec Endpoint Protection (SEP) Web Traffic Redirection (WTR) client randomly experience errors accessing web resources. Browsers on these hosts can navigate to all sites for a while and then report 'Site can't be reached' and 'too many redirects' errors, as shown below. Skype and other applications fail at the same time.

When browsing or accessing Web resources from inside the network, using the same client, no problems are seen at all.
 

 

The following messages were visible when the problem happened:

Environment

WTR Engine 1.1.0.300
Windows 10 workstation with latest security patches applied
PAC file pushed down from WSS PFMS service pointing SEP client to proxy.threatpulse.net:8080
Problems appear regardless of browser used (IE, Firefox and Chrome showing same problems)

Cause

By default, Proxy Auto-Config (PAC) files pushed down to SEP clients point to proxy.threatpulse.com:8080. When a client resolves this host in DNS, it is ideally sent to the nearest available data center local to that country. When two data centers exist for a specific country (China, India, UK; this does not apply to the US), the DNS responses are returned in round-robin order so that user load is distributed. This means that traffic from SEP users within these countries can be sent to two different data centers, causing the problems we see above. With this domain, there is no stickiness to keep a client's SEP traffic on the same data center.

Resolution

Modify the PAC file settings so that SEP clients are sent to sep-wtr.threatpulse.net:8080 instead of proxy.threatpulse.com:8080. The sep-wtr.threatpulse.net domain provides stickiness: once a SEP client resolves this host to a local data center, all future DNS resolutions from the same server will return the same IP address. No flaps will occur and the users will not experience the problems above.
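
One way to confirm the change before pushing a PAC file to clients is to evaluate it against sample URLs and classify every proxy it returns. This is an added example, not Symantec's code or the PAC file from this article: the PAC bodies, the sample URLs, and the function names (loadPac, auditPac, needsFix) are constructed for illustration, and only the hostnames come from the article.

```javascript
// Added example. Hostnames are the ones named in this article; the PAC
// bodies and sample URLs are constructed. Only load PAC files you control,
// because loadPac() executes the script.
const ROUND_ROBIN_HOSTS = ["proxy.threatpulse.com", "proxy.threatpulse.net"];
const STICKY_HOST = "sep-wtr.threatpulse.net";

// Minimal stand-ins for PAC helpers that a browser normally provides.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
};

// Evaluate a PAC script and return its FindProxyForURL function.
function loadPac(pacSource) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacSource + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Run sample URLs through the PAC and classify each proxy entry it returns.
function auditPac(pacSource, urls) {
  const findProxy = loadPac(pacSource);
  const findings = [];
  for (const url of urls) {
    const result = findProxy(url, new URL(url).hostname);
    for (const entry of result.split(";").map((s) => s.trim()).filter(Boolean)) {
      const [kind, target = ""] = entry.split(/\s+/);
      if (kind.toUpperCase() === "DIRECT") continue;
      const proxyHost = target.split(":")[0].toLowerCase();
      let verdict = "other";
      if (ROUND_ROBIN_HOSTS.includes(proxyHost)) verdict = "round-robin";
      else if (proxyHost === STICKY_HOST) verdict = "sticky";
      findings.push({ url, proxy: target, verdict });
    }
  }
  return findings;
}

// Constructed PAC files: the default described under Cause, and the fix.
const pacBefore = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy.threatpulse.com:8080";
}`;
const pacAfter = pacBefore.replace("proxy.threatpulse.com", STICKY_HOST);
const sampleUrls = ["https://www.example.com/", "http://intranet/"];

// True when any sample URL is still routed to a round-robin proxy host.
function needsFix(pacSource) {
  return auditPac(pacSource, sampleUrls).some((f) => f.verdict === "round-robin");
}
```

A PAC file that still returns a round-robin host on any branch (for example a fallback entry after a semicolon) is reported per URL, so partially updated files are caught as well.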