
How to enable DNS stickiness for Web Traffic Redirection so that users always go to the same data center


Article ID: 175971




Endpoint Protection Cloud Secure Web Gateway - Cloud SWG


When running Symantec Endpoint Protection (SEP) with Web Traffic Redirection (WTR) in an environment where users are roaming and multiple Web Security Service (WSS) data centers are geographically very close, web browsing and applications may sporadically hang or become unresponsive.


WTR Engine
Users located in a country with multiple data centers available (India, China, UK)
Users flap between different data centers


This can happen because the SEP client may be sending traffic to different data centers within the same user session. 


Make sure that the Proxy Auto-Config (PAC) file pointed to by the SEP WTR client is configured to send proxy traffic to and not the default What this will do is enable stickiness for DNS and avoid the round-robin rotation that could potentially send the SEP WTR workstation to multiple data centers.

The advantage of this round-robin approach is that it is simple and balances load evenly between the two local data centers. The downside is that certain applications that need persistence to work well (SEP WTR or SAML-based authentication) may experience issues. To combat the problem, Symantec WSS offers the ability to enable stickiness for the DNS responses. This addresses the SEP WTR issues described above, as well as SAML authentication problems.

To enable persistence, make sure the WSS administrator does the following:

  • Go to the PAC file configuration that the SEP client uses and replace the existing hostname e.g. with
  • When we get the DNS request we now respond with the same IP address each time, i.e. the IP address of the nearest data center.
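One way to confirm the change took effect, as an added example that is not part of the original article: the script below extracts every proxy hostname from a PAC file, resolves each one repeatedly, and reports whether the answers stay on one IP address (sticky) or rotate between data centers. The hostnames and IP addresses are constructed placeholders (this page does not show the real ones), and `fake_resolver` simulates DNS so the sample runs offline.

```python
import re
import socket
from collections import Counter

# Matches "PROXY host:port" / "HTTPS host:port" directives in PAC return strings.
PROXY_RE = re.compile(r'\b(?:PROXY|HTTPS)\s+([A-Za-z0-9.-]+):(\d+)')

def pac_proxy_hosts(pac_text):
    """Return the distinct proxy hostnames a PAC file can hand out, in order."""
    seen = []
    for host, _port in PROXY_RE.findall(pac_text):
        if host not in seen:
            seen.append(host)
    return seen

def system_resolve(host):
    """First IPv4 address from the OS resolver (may be served from a local cache)."""
    return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]

def stickiness_report(hosts, resolve=system_resolve, samples=10):
    """Resolve each host `samples` times; sticky means only one IP was ever returned."""
    report = {}
    for host in hosts:
        answers = Counter(resolve(host) for _ in range(samples))
        report[host] = {"sticky": len(answers) == 1, "answers": dict(answers)}
    return report

# --- constructed sample data: placeholder names, documentation IP ranges ---
SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
    if (isPlainHostName(host)) return "DIRECT";
    return "PROXY proxy-default.example.net:8080; PROXY proxy-sticky.example.net:8080";
}
'''

def fake_resolver():
    """Simulated DNS: the default name rotates across two data centers, the sticky one does not."""
    rotation = {"proxy-default.example.net": ["192.0.2.10", "198.51.100.10"]}
    fixed = {"proxy-sticky.example.net": "192.0.2.10"}
    calls = Counter()
    def resolve(host):
        if host in fixed:
            return fixed[host]
        calls[host] += 1
        return rotation[host][(calls[host] - 1) % len(rotation[host])]
    return resolve

if __name__ == "__main__":
    for host, res in stickiness_report(pac_proxy_hosts(SAMPLE_PAC), fake_resolver(), 6).items():
        print(host, "sticky" if res["sticky"] else "ROTATES", res["answers"])
```

Against live DNS, call `stickiness_report` with the default `system_resolve` and space the samples beyond the record's TTL, since a local resolver cache can make a rotating name look sticky.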

For more details on issues seen, refer to Roaming Web Traffic Redirection users experience random browsing errors