Agentconfigure.xml Syntax

Article ID: 178894


Updated On:

Products

Web Security.cloud Advanced Threat Protection Roaming

Issue/Introduction

 

Resolution

As part of the installation process, a configuration file is created, specifying the location of components on your company's network.

If you accept the default installation location, the path to the file is:

C:\Program Files (x86)\Symantec.cloud\Smart Connect

The following configuration file cannot be used as presented here. It must be modified to suit the environment within which you deploy it.

<?xml version="1.0" encoding="iso-8859-1"?>

<roaming_agent>

  <license_key>XXXXXX-XXXX-XXXX-XXXXXX-XXXXXX-XXXXXX</license_key>
  <http_port>80</http_port>
  <user_session_override>NO</user_session_override>  

  <bypass_list>
    <bypass>
      <url>http://*.update.microsoft.com</url>
      <pattern>ISAWildcard</pattern>
      <mode>OffLAN</mode>
    </bypass>
    
    <bypass>
      <url>http://*.download.windowsupdate.com</url>
      <pattern>ISAWildcard</pattern>
      <mode>OffLAN</mode>
    </bypass>    
  </bypass_list>
   
  <upstream_proxy>
       <address>proxy-1.ip-or-hostname.com</address>
       <port>3128</port>
  </upstream_proxy>
 
  <upstream_proxy>
       <address>192.168.2.123</address>
       <port>3128</port>
  </upstream_proxy>

</roaming_agent>


The latest version of this configuration file is available for download: agentconfigure.xml

You must configure the following elements for your own environment.

 

Table: Elements to configure in Smart Connect

Element

Description

<http_port>

The proxy's listening port (web browsers point here)

Default: 80

The TCP port on which the Smart Connect service listens for incoming connections from the web browser.

We recommend that you use a privileged port (under 1024). You may need to change the port number from port 80 if other software (such as a web server) listens on this port.

When redirecting the browser to the Smart Connect service, http_port is the port that must be specified (e.g. localhost:80 or 127.0.0.1:80).

<upstream_proxy>

The address and the port number of any upstream proxies that your employees use to access the Internet from your LAN

(no default setting)

If you have multiple proxies, this element should be repeated once for each proxy

Warning: If you have no proxies to configure, omit this element.

When On-LAN, these entries indicate the proxy servers that the Smart Connect service should use. When the endpoint is On-LAN, traffic from your web browser is forwarded to one of these proxy servers. This traffic then goes through the Web Security infrastructure to enforce your policy and to block any malware.

What you enter here depends on your specific networking requirements. Typically, one of these two options:

  • The host name or IP address of your CSP (or other on-site proxy)

  • The regional host name of the Web Security infrastructure

These settings are typically the same as those your web browser uses to access the Internet.

The order in which these proxies are listed is not significant. The Smart Connect agent resolves the names using DNS and uses the one that is quickest to respond.

If you do not have an explicit proxy, but rely on a transparent proxy to access the Web Security infrastructure, this list can remain empty.

Using the optional property priority (introduced in v2.0.0), you can define the priority of the upstream proxies for the agent to connect to the infrastructure while the user is on the corporate LAN. The value of priority should be a positive integer, with a lower number indicating higher priority. The priority property takes precedence over the isprimary property and the responsiveness of other proxies.

<license_key>

Your license key as provided by the Support team.

(no default setting)

Your organization's license key is available by logging into the portal. Copy it and paste it into the configuration file here. Without a license key, the Smart Connect service does not function.

<debug_level>

The logging level of the proxy. Valid values are (in order of verbosity):

  • FATAL

    (least verbose)

  • ERROR

  • WARN

  • INFO

  • DEBUG

  • TRACE

    (most verbose)

Default: INFO

Increasing the debug level can produce very large log files.

<connect_timeout>

The time, in seconds, before connection attempts time out.

Default: 10

<idle_connection_timeout>

The time, in seconds, of no traffic before idle OnLAN proxy connections are dropped.

Default: 60

<idle_offlan_connection_timeout>

The time, in seconds, of no traffic before idle OffLAN connections (Secure Mode SSL tunnels) are dropped.

Default: 600

<dns_timeout>

The time, in seconds, before entries in the DNS cache expire.

Default: 30

<ned_server>

The host name of the NED server.

ned.webscanningservice.com

<failure_mode>

The failure_mode can be

  • CLOSED

  • OPEN

Default: OPEN

Setting is case-sensitive.

When the agent is OffLAN and cannot connect to RAS, it generates an error page if failure_mode is CLOSED. If failure_mode is OPEN, it instead tries to connect to the web server directly.

<bypass_ned>

The bypass_ned can be

  • YES

  • NO

Default: NO

Setting is case-sensitive.

<bypass_list>

bypass_list is the list of URLs for which requests bypass the upstream proxy. It can contain multiple bypass tags (or none).

Default: (empty)

Only the first bypass_list tag takes effect if multiple bypass_list tags are defined.

<bypass>

bypass should be defined under the bypass_list tag. Each bypass can contain the url, pattern, and mode, where the url is the URL to match.

(no default setting)

All matches are case-insensitive.

<url>

url should be defined under the bypass tag. It is the URL pattern to match.

Default: (cannot be empty)

<pattern>

pattern should be defined under the bypass tag. The pattern can be

  • Exact

  • ISAWildcard

  • Regex

Default: Regex

Exact matches the whole URL exactly.

ISAWildcard follows the rules for the ISA URL Set.

Regex uses the POSIX Extended regular expression syntax.

<mode>

mode should be defined under the bypass tag. It defines when to bypass:

  • OnLAN

  • OffLAN

  • Never

  • Always

Default: Always
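
The rules in the table above (case-sensitive values, documented defaults, only the first bypass_list taking effect) can be checked before a file is deployed. The following Python lint is an added example, not part of the original article or of the product's tooling; `lint_agentconfigure` is a hypothetical name, the sample input is constructed, and matching `pattern` and `mode` values in exact case is an assumption.

```python
import xml.etree.ElementTree as ET

# Value sets copied from the element table. The page states case-sensitivity for
# failure_mode and bypass_ned; exact-case matching of pattern and mode is assumed.
CASE_SENSITIVE = {"failure_mode": {"CLOSED", "OPEN"}, "bypass_ned": {"YES", "NO"}}
PATTERNS = {"Exact", "ISAWildcard", "Regex"}
MODES = {"OnLAN", "OffLAN", "Never", "Always"}

# Constructed sample input (not from the page).
SAMPLE = """<roaming_agent>
  <license_key>XXXXXX-XXXX-XXXX-XXXXXX-XXXXXX-XXXXXX</license_key>
  <failure_mode>Closed</failure_mode>
  <bypass_list>
    <bypass><url>http://*.update.microsoft.com</url></bypass>
  </bypass_list>
  <bypass_list>
    <bypass><url>http://intranet.example.test/</url><pattern>Exact</pattern><mode>OnLAN</mode></bypass>
  </bypass_list>
</roaming_agent>"""

def lint_agentconfigure(xml_text):
    """Return (severity, message) findings for an agentconfigure.xml document."""
    root, out = ET.fromstring(xml_text), []
    key = (root.findtext("license_key") or "").strip()
    if not key or set(key) <= {"X", "-"}:
        out.append(("error", "license_key missing or still the template placeholder"))
    for name, allowed in CASE_SENSITIVE.items():
        value = root.findtext(name)
        if value is not None and value.strip() not in allowed:
            out.append(("error", f"{name} {value.strip()!r} is not one of {sorted(allowed)}"))
    if (root.findtext("failure_mode") or "OPEN").strip() == "OPEN":  # documented default
        out.append(("warn", "failure_mode OPEN: OffLAN requests go direct if RAS is unreachable"))
    lists = root.findall("bypass_list")
    if len(lists) > 1:
        out.append(("warn", f"{len(lists)} bypass_list tags; only the first takes effect"))
    for i, bp in enumerate(lists[0].findall("bypass") if lists else [], start=1):
        url = (bp.findtext("url") or "").strip()
        pattern, mode = bp.findtext("pattern"), bp.findtext("mode")
        if not url:
            out.append(("error", f"bypass #{i}: url cannot be empty"))
        if pattern is None:
            out.append(("warn", f"bypass #{i}: no pattern, so {url!r} is matched as Regex"))
        elif pattern.strip() not in PATTERNS:
            out.append(("error", f"bypass #{i}: unknown pattern {pattern.strip()!r}"))
        if mode is None:
            out.append(("warn", f"bypass #{i}: no mode, so the bypass applies Always"))
        elif mode.strip() not in MODES:
            out.append(("error", f"bypass #{i}: unknown mode {mode.strip()!r}"))
    return out
```

Calling `lint_agentconfigure(SAMPLE)` returns two errors (placeholder license key, wrong-case failure_mode) and three warnings (a second bypass_list that is ignored, and a bypass that silently falls back to the Regex and Always defaults).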

 

Attachments

agentconfigure.xml