Unable to log in to the OneDrive site after enabling Web Traffic Redirection in Endpoint Security

Article ID: 259470

Products

Endpoint Security

Issue/Introduction

After enabling the client Web Traffic Redirection (WTR) functionality in the SES console, OneDrive cannot be accessed.

Environment

Endpoint Security (SES): 14.3 RU6

Cause

Known issue, as described in the article "Bypass Endpoint Protection Web Traffic Redirection using a custom PAC file".

 

Resolution

The Endpoint Security (SES) console does not yet implement importing a custom PAC file, so the PAC script in the registry does not persist across machine reboots and service restarts. The PAC script therefore needs to be updated periodically.

This can be achieved using either of the following 2 solutions.

Solution 1:

The Endpoint Security (SES) console does not have a feature to import the custom PAC file; use LPSFlags.exe instead.

e.g.: LPSFlags.exe --pac-script CustomProxy.pac --restart

Note: Every reboot and every SMC restart deletes the PAC script for the custom PAC. By design, the LPSFlags.exe command must be applied again each time.

Solution 2:

Use an HI script to run LPSFlags.exe and import the custom PAC file. In this solution the customer needs to set up a web server and a web directory from which the HI script can download the required files.

The points below are mandatory to run the HI script.

Steps to perform:

  1. Set up a web server.
  2. Keep "LPSFlags.exe", the custom "proxy.pac" and "UpdatePac.CMD" on the server in the same folder. Check that all 3 files can be downloaded using any browser, e.g. Chrome or Edge.
  3. Import the HI script attached to the KB in the SEPM console HI policy section.
  4. Modify the URLs for the above files in the HI script so that the HI script can download those files from the file server and run them.

     e.g. http://xx.xx.xx.xx/lpsflags.exe, http://xx.xx.xx.xx/proxy.pac and http://xx.xx.xx.xx/updatepac.cmd

     Note: To download proxy.pac and updatepac.cmd, a MIME type needs to be added on the website so that those files can be downloaded to the target folder mentioned in the HI script.

     Note: This can also be achieved using system management software.

  5. Apply the HI policy.

 

Additional Information

The custom PAC file is provided as a parameter to LPSFlags.exe.

  1. Create a cmd file with the script to run from a command prompt, and execute the command:
     LPSFlags.exe --pac-script proxy.pac --restart
  2. It executes and creates the registry value below:

     "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SepLpsService\Parameters" --> PacScript

  3. After SMC -restart, because EnableLPSCustomPac=0 on an SES client, the above registry value is deleted every time. Because the HI script has been added, the registry value is added again once SMC starts loading the profile and applies the HI policy.
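
The following PowerShell script is an added example, not Broadcom's HI script or UpdatePac.CMD. It re-runs the article's LPSFlags.exe command only when the PacScript value is missing, and first checks the downloaded LPSFlags.exe and proxy.pac against pinned SHA-256 hashes, since the files are fetched from a web server and then executed. The staging folder and the hash values are assumptions and placeholders to fill in.

```powershell
# Added example (not Broadcom's script): re-apply the custom PAC only when needed,
# and only after the staged files match pinned SHA-256 hashes.
$StageDir = 'C:\ProgramData\WtrPac'   # assumption: folder the files were downloaded to
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SepLpsService\Parameters'
$Pinned   = @{                         # placeholders: record these when the files are approved
    'LPSFlags.exe' = '<SHA256-OF-LPSFLAGS.EXE>'
    'proxy.pac'    = '<SHA256-OF-PROXY.PAC>'
}

function Test-StagedFile {
    param([string]$Path, [string]$ExpectedSha256)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    # String -eq is case-insensitive, so hex case in the pinned value does not matter.
    return (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash -eq $ExpectedSha256
}

function Test-PacScriptPresent {
    # True when the PacScript value named in the article exists under the service key.
    $p = Get-ItemProperty -LiteralPath $RegPath -Name 'PacScript' -ErrorAction SilentlyContinue
    return $null -ne $p
}

if (Test-PacScriptPresent) {
    Write-Output 'PacScript is present; nothing to do.'
    exit 0
}

foreach ($name in $Pinned.Keys) {
    if (-not (Test-StagedFile -Path (Join-Path $StageDir $name) -ExpectedSha256 $Pinned[$name])) {
        Write-Error "Missing file or hash mismatch: $name. LPSFlags.exe was not run."
        exit 1
    }
}

Push-Location -LiteralPath $StageDir
try {
    # Command exactly as given in the article.
    & (Join-Path $StageDir 'LPSFlags.exe') --pac-script proxy.pac --restart
    $rc = $LASTEXITCODE
} finally {
    Pop-Location
}

if (Test-PacScriptPresent) {
    Write-Output "PacScript re-applied (LPSFlags.exe exit code $rc)."
} else {
    Write-Error "PacScript still absent after LPSFlags.exe (exit code $rc)."
    exit 1
}
```

With the placeholder hashes left in place the script refuses to run LPSFlags.exe, so the pinned values must be recorded from the approved copies before deployment.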

 

Attachments

1675831094458__LPSFlags.exe
1675831078391__Update_WTR_proxy.pac_v3.5.dat