Warning: "Using CTCv1 (missing enrollment token)" in the Web and Cloud Access Protection on the SEP client 14.3 RU7
search cancel

Warning: "Using CTCv1 (missing enrollment token)" in the Web and Cloud Access Protection on the SEP client 14.3 RU7

book

Article ID: 262880

calendar_today

Updated On:

Products

Endpoint Protection Endpoint Security Endpoint Security Complete

Issue/Introduction

Symantec Endpoint Protection (SEP) client users may see the following Status message on the Help > Troubleshooting > Web and Cloud Access Protection page: "Warning: Using CTCv1 (missing enrollment token)" 

  • The warning appears regardless of which Cloud SWG POP the user connects to.
  • The warning appears when SEP clients are connected in tunnel mode.
  • The warning does not appear with SEP clients 14.3 RU6 and earlier.

Environment

This occurs in the following situations:

1. On SEP clients 14.3 RU7 that you upgraded from an earlier version.

2. If you assigned a WSS V1 token in the Web and Cloud Access Protection policy (SEPM or ICDm) for 14.3 RU7 clients.

3. The Cloud SWG portal > WSS Agent Configuration > Block legacy CTC communications checkbox is disabled. 
Only updated CTC communications are allowed from SEP clients to Cloud SWG. When this option is enabled, SEP clients must use enhanced CTC (CTCv2) communications to connect to Cloud SWG. 

Cause

The SEP client enrollment token is not included with upgrade installations, which results in the warning.

In this state, enhanced CTC (CTCv2) does not function, even though it is supported on SEP clients 14.3 RU7.

Resolution

To eliminate the warning, enable the SEP clients to use CTCv2.

Do one of the following tasks:

1) In the SEPM or ICDm Web and Cloud Access Protection policy, add a new CTCv2 token from the Cloud SWG portal. 
Note: If you run a SEPM 14.3 RU6 with 14.3 RU7 clients, you can ignore the status message. However, you cannot disable legacy CTCv1 communications until you upgrade SEPM to RU7 or later.

2) Instead of an upgrade, uninstall the SEP 14.3 RU6 or earlier client and perform a fresh install of the SEP 14.3 RU7 or later client.
The fresh install triggers the installation of the enrollment token, which is necessary for enhanced CTC.

3) Upgrade the WSS token from V1 to V2. WSS V2 is not supported on 14.3 RU6 and earlier.

Additional Information

The message does not impact normal SEP client functionality.

However, it does prevent the ability to use new enhanced CTC services.  Therefore, you should NOT enable the "Block legacy CTC communications" option in the Cloud SWG portal until ALL of your SEP clients connect to the service.

IMPORTANT:

  • Do NOT disable legacy CTCv1 WSSA clients by enabling the "Block legacy CTC communications" option in the WSS Agent settings in the Cloud SWG portal when this warning is present. Doing so will result in WSS Agents (prior to v8.3.1) from being unable to connect to the Cloud SWG service.
  • KB on: "Block legacy CTC communications"