All Windows workstations use SEP WTR to access the internet via WSS
A handful of workstations claim that they cannot access anything when SEP WTR is enabled
Users on these machines report "502 Bad Gateway" when attempting to access websites
http://localhost:2968/resolver.pac returns an empty download, indicating that no PAC file pointing to WSS can be downloaded
Manually browsing to https://pfms.wss.symantec.com/ reports an issuer certificate warning
SEP WSS agent with Web Traffic Redirection
PFMS server configured with PAC files to download
DigiCert trusted root certificate is missing from the browser trusted root store
The SEP agent tries to download the PAC file from the PFMS server but fails. When this happens, the agent has no information on how to reach WSS.
A PCAP taken on the workstation while SEP WTR initialises shows that the agent connects to PFMS and negotiates a shared secret via the SSL handshake, but never sends a GET request for the PAC file.
Manually copy the following certificate to the Trusted Root Certification Authorities store on the Windows host. This can be done by:
- going to https://pfms.wss.symantec.com/ from a browser
- exporting the trusted root certificate to file (CN = DigiCert Global Root G2, OU = www.digicert.com, O = DigiCert Inc, C = US)
- importing the certificate into the Trusted Root Certification Authorities of the Windows host
  - Use Internet Explorer -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities
  - Select Import and import the certificate exported above
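
The same steps can be scripted. The PowerShell below is an added example, not part of the original article or Symantec tooling: it checks the store for the root, verifies the exported file's SHA-256 fingerprint before importing (the export comes from a session that showed a certificate warning), then re-checks the local PAC URL. The export path and expected fingerprint are placeholders, and it assumes an elevated session and the machine-wide store.

```powershell
# Added example. Paths and the expected fingerprint are placeholders/assumptions.
$RootCN   = 'CN=DigiCert Global Root G2'            # subject named in the article
$CertFile = 'C:\Temp\DigiCertGlobalRootG2.cer'      # hypothetical export path
$Expected = '<SHA-256 fingerprint from DigiCert>'   # placeholder: obtain out-of-band
$PacUrl   = 'http://localhost:2968/resolver.pac'    # local PAC URL from the article

function Test-RootPresent {
    # True when an unexpired certificate with the expected subject is in the machine root store
    $hits = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "$RootCN*" -and $_.NotAfter -gt (Get-Date) }
    return [bool]$hits
}

function Get-CertSha256 ([string]$Path) {
    # Hash the DER bytes of the certificate, so DER and Base64 exports give the same result
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { return (($sha.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('X2') }) -join '') }
    finally { $sha.Dispose() }
}

function Test-PacServed {
    # True when the local resolver returns a non-empty PAC file
    try {
        $r = Invoke-WebRequest -Uri $PacUrl -UseBasicParsing -TimeoutSec 10
        return ($r.Content.Length -gt 0)
    } catch { return $false }
}

if (-not (Test-RootPresent)) {
    $actual = Get-CertSha256 $CertFile
    $want = ($Expected -replace '[^0-9A-Fa-f]', '').ToUpper()
    # With the placeholder left in place this throws, so nothing is imported unverified
    if ($actual -ne $want) { throw "Fingerprint mismatch for $CertFile : $actual" }
    Import-Certificate -FilePath $CertFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}
[pscustomobject]@{ RootPresent = Test-RootPresent; PacServed = Test-PacServed }
```

If `PacServed` is still false after the import, the agent may not have retried the PFMS download yet.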