Cloud Traffic Controller (CTC) Routing Considerations
Article ID: 373521

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Routing CTC requests through a proxy with a PAC file, without also changing the network route for ctc.threatpulse.com, can lead to issues. PAC files operate at the application layer, and the WSS Agent (WSSA) has no visibility into their rules or into changes made to them. Because WSSA monitors traffic at the network layer, the two views of where CTC traffic goes can disagree, which causes the problems described below.

Environment

Symantec Enterprise Agent

WSS Agent

SEP Tunnel Agent 

Resolution

PAC Files and Routing:

  • PAC files operate at the application layer.
  • WSSA cannot see changes or rules within PAC files.
  • Resolution of PAC files is managed by the operating system.


Split Tunnel VPN Example:

  • A split tunnel VPN may not route the default route and gateway through the VPN.
  • A PAC file can send ctc.threatpulse.com through the VPN to an on-prem proxy.
  • This setup is not supported by WSSA and can cause several issues:
      ◦ The agent goes active when it should be passive.
      ◦ Problems connecting to CTC.
      ◦ Network change detection issues.

Network Layer Monitoring:

  • WSSA monitors traffic at the network layer, not the application layer.
  • If CTC requests need to go through a PAC file to an on-prem proxy, VPN routing rules must also include ctc.threatpulse.com (130.211.30.2).

Routing Rule Implementation:

  • Requests to 130.211.30.2 should be routed through the VPN.
  • Direct requests to this address through the VPN can be blocked by the customer’s network if desired.
  • Routing rules help determine network condition changes locally on the endpoint.

Programmatic Reconnect:

  • Triggering a reconnect after proxy settings change can reestablish the connection and re-read the proxy settings. See KB 226831.
  • Use the `skipDirectCTCAttempt` option to avoid connections outside the proxy during a proxy error. See `skipDirectCTCAttempt=[true | false]`.
  • Another consideration is that if ctc.threatpulse.com is explicitly routed through the proxy, the `alwaysSendTunnelsDirect` option can be set to ensure that the tunnels do not use a proxy, even if the CTC does. See `alwaysSendTunnelDirect=[true | false]`.

Best Practice:

Do not route ctc.threatpulse.com using a PAC file unless a corresponding network-layer routing rule for 130.211.30.2 is also set through the same path.