Cannot import custom LPS PAC file with SEP NTR policy
search cancel

Cannot import custom LPS PAC file with SEP NTR policy

book

Article ID: 231616

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

SEP NTR enabled for users accessing internet via WSS

Need to apply bypass at the Application layer (as opposed to WSS bypass)

LPSFLAGS.EXE works well but want to push PAC file bypasses out via SEP NTR integration policy

Admin sees following "Symantec Endpoint Protection cannot validate the custom PAC file. Try different file" error when importing a valid Proxy PAC file

 

Environment

SEP NTR policy enabled on the clients

Symantec Endpoint Protection Manager running SEP 14.3 RU1+ 

 

Cause

File system rights issue on Windows server where access to required resources are denied.

Resolution

Run the Symantec Endpoint Protection Manager application in Administrator mode

Additional Information

When troubleshooting these type of issues, we need to verify whether the PAC file is actually valid, or we have a seperate issue. Fortunately, there is an easy to to determine validity of the PAC file on the SEP Manager host, using the following instructions: 

- Ensure the logged on user is a local administrator. Otherwise, the tool to validate the pac file cannot run.  
 
- Execute the standalone tool to check pac file. 

1) Open elevated cmd prompt
2) cd to <SEPM install dir>\bin
3) execute TestPAC.exe <full path to pac> -debug 
 
A zero returned to caller means the pac file is valid. 

 

Assuming PAC file is valid and we still have issues importing it into SEP Manager, check the scm-ui-<date>.err for TestPAC.exe. This scm-ui-*.err file is in the %temp% dir. In the above scenario, we found the following warning that indicated where the issue was coming from:

Nov 16, 2021 1:43:20 PM  STDERR:  at java.desktop/java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101)
Nov 16, 2021 1:43:20 PM  STDERR:  at java.desktop/java.awt.EventDispatchThread.run(EventDispatchThread.java:90)
Nov 16, 2021 1:43:20 PM  STDERR: Caused by: java.io.IOException: CreateProcess error=5, Access is denied
Nov 16, 2021 1:43:20 PM  STDERR:  at java.base/java.lang.ProcessImpl.create(Native Method)
Nov 16, 2021 1:43:20 PM  STDERR:  at java.base/java.lang.ProcessImpl.<init>(ProcessImpl.java:478)
Nov 16, 2021 1:43:20 PM  STDERR:  at java.base/java.lang.ProcessImpl.start(ProcessImpl.java:154)
Nov 16, 2021 1:43:20 PM  STDERR:  at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1107)
Nov 16, 2021 1:43:20 PM  STDERR:  ... 88 more
Nov 16, 2021 3:16:32 PM  STDERR: java.io.IOException: Cannot run program ""D:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\tomcat\..\bin\TestPAC.exe"": CreateProcess error=5, Access is denied
Nov 16, 2021 3:16:32 PM  STDERR:  at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1128)
Nov 16, 2021 3:16:32 PM  STDERR:  at java.base/java.lang.ProcessBuilder.start(ProcessBuilder.java:1071)
Nov 16, 2021 3:16:32 PM  STDERR:  at java.base/java.lang.Runtime.exec(Runtime.java:592)

Adding rights for the App to read this file would address the issue, as well as running the SEP Manager app in admin mode.

Attachments

Powered by Wolken Software