How to configure WSSA to manually connect to a Data Center

Article ID: 200262

Products

Web Security Service - WSS

Issue/Introduction

WSS Agent (WSSA) users are typically connected to their nearest data center based on responses from the WSS Cloud Traffic Controller (CTC) service.

The CTC service determines the nearest data center to connect to based on the geolocation of the user's egress IP.

In certain cases, it may be useful to test against a different data center to verify whether the problem being experienced is specific to one data center versus another.

This is possible with WSSA and helpful for troubleshooting. It should only be done as part of the troubleshooting process to narrow down communication issues.

Environment

WSS Agent connecting to WSS

Resolution

Note! This is meant for troubleshooting and debugging purposes only, and configuring this will require disabling Tamper Protection (which customers should NOT do long-term, and is a potential security risk).

To control where the WSSA client connects to, the wssad application is used. The admin must first disable tamper protection for WSSA in the WSS Portal, and then use the following syntax on the workstation:

Windows - run from Administrator command prompt

"C:\Program Files\Symantec\WSS Agent\wssad.exe" -p dpOverride=<IPAddr_Of_DataCenter>

where the data center IP addresses are listed in "Web Security Service (WSS) ingress and egress IP addresses".

After completing the test, make sure that you remove the option; otherwise the user will continue to connect to this IP address. To remove the option, run:

"C:\Program Files\Symantec\WSS Agent\wssad.exe" -e dpOverride

macOS (Catalina and prior) - using sudo to run as root

To switch to another data center use:

sudo /opt/symantec/wssa/wssad -p dpOverride=<IPAddr_Of_DataCenter>

And to remove the change and revert to CTC:

sudo /opt/symantec/wssa/wssad -e dpOverride

macOS (Big Sur and later) - using sudo to run as root

To switch to another data center use:

sudo "/Applications/Symantec WSS Agent.app/Contents/MacOS/wssad" -p dpOverride=<IPAddr_Of_DataCenter>

And to remove the change and revert to CTC:

sudo "/Applications/Symantec WSS Agent.app/Contents/MacOS/wssad" -e dpOverride
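
The set, test and remove sequence above can be wrapped so that the override is always removed when the test ends. The script below is an added example, not part of the original article or of the vendor's tooling. It uses only the two wssad invocations shown above for macOS (Big Sur and later); the `WSSAD` environment variable, the function names and the script name are assumptions, and tamper protection must already be disabled for the agent.

```shell
#!/bin/sh
# Added example: scoped dpOverride session for macOS (Big Sur and later).
# Default path is the one given in this article; WSSAD may be overridden
# in the environment (assumption, used here for dry runs).
WSSAD="${WSSAD:-/Applications/Symantec WSS Agent.app/Contents/MacOS/wssad}"

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255,
# so nothing but an address is ever passed on the wssad command line.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots into positional parameters
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

set_override()   { "$WSSAD" -p "dpOverride=$1"; }
clear_override() { "$WSSAD" -e dpOverride; }

# Pin the agent to one data center, wait for the tester, then revert to CTC.
# The EXIT trap reverts even if the script is interrupted mid-session.
run_session() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 2; }
    trap 'clear_override' EXIT
    trap 'exit 130' INT TERM HUP
    set_override "$1" || return 1
    echo "dpOverride=$1 set; CTC failover is inactive. Press Enter to revert." >&2
    read -r _reply || true
    clear_override || { echo "revert failed; run wssad -e dpOverride" >&2; return 1; }
    trap - EXIT INT TERM HUP
}

# Usage: sudo ./wss-dc-test.sh <IPAddr_Of_DataCenter>   (script name is hypothetical)
if [ "$#" -gt 0 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run with sudo" >&2; exit 1; }
    run_session "$1"
fi
```

Re-enable tamper protection in the WSS Portal once the session has ended.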

Additional Information

If this is needed for a handful of users on a regular basis, and the admin does not want to disable tamper detection globally for all users on the tenant, the following install option will allow dpOverride changes without disabling tamper detection:

\path\to\install.msi TPE=0 

Once installed, dpOverride can be executed successfully even when tamper detection is enabled.

To install an agent and persistently send its users to the same data center, the following options can be used at install time:

\path\to\install.msi TPE=0 CUSTOM_CONFIG=dpOverride=x.x.x.x

where x.x.x.x is the IP address of the WSS data center the user will connect to, for example:

CUSTOM_CONFIG=dpOverride=1.2.3.4

NOTE: All failover logic implemented via CTC stops working when using this approach. A data center failure will not result in an automatic switch to the nearest available data center. Only manual changes with dpOverride will switch data centers when in this mode.