Required exclusions for proxy servers to allow Endpoint Protection to connect to reputation and licensing servers

Article ID: 154433

Products

Endpoint Protection

Issue/Introduction

 After installing Symantec Endpoint Protection (SEP), you see the following:

  • Traffic to the Download Insight servers is blocked when using proxy servers with authentication defined by URL or .PAC proxy settings.
    As a result, Endpoint Protection cannot use the reputation data on the Download Insight servers to evaluate potential threats.
  • Endpoint Protection licenses cannot be activated when using a proxy server.
  • Symantec Endpoint Protection Manager (SEPM) cannot be enrolled with Cloud services when using a proxy server or other network traffic filtering device.
  • Symantec Endpoint Protection Manager has trouble communicating with Cloud services after enrollment when using a proxy server or other network traffic filtering device.

Cause

Endpoint Protection is designed to communicate with specific URLs owned by Symantec to validate licenses, submit samples of suspicious files, and use file reputation security features.

If a proxy or corporate firewall blocks access to these URLs, these issues can occur.

Resolution

Exclude the appropriate URLs listed in this article within your proxy server's configuration, which allows the necessary traffic to Symantec's servers.

Note: If your proxy is configured to perform SSL inspection, you must bypass SSL inspection for these URLs, otherwise some services, such as Insight, will not function due to pinned certificates. 

Ping submissions

  • https://stnd-avpg.crsi.symantec.com
  • https://avs-avpg.crsi.symantec.com
  • https://stnd-ipsg.crsi.symantec.com
  • https://bash-avpg.crsi.symantec.com

Ping submissions are per definition type (for example, antivirus), and allow Symantec to judge the effectiveness of a set of definitions that are not yet taking any action, such as beta detections, based on the number of "pings" each detection or definition creates. For example, if a detection creates a number of ping replies to Symantec, this detection may be a false positive detection and will be investigated for effectiveness.

This system and related URLs are part of Symantec's false positive avoidance system.

Sample submissions

  • https://central.ss.crsi.symantec.com
  • https://central.nrsi.symantec.com
  • https://central.avsi.symantec.com
  • https://central.b6.crsi.symantec.com
  • https://central.crsi.symantec.com
  • https://shasta-sfg.norton.com

These URLs are designed to accept samples of any detections that are made by the clients. If a client gets a detection, the client queries Symantec to see if a sample is needed (that is, no formal definition created for this item yet).

If a sample is not needed because a formal definition is already created, the client will not submit the sample. This query response system effectively reduces the network traffic created by SEP, and makes SEP more responsive to new and emerging threats.

CAT submissions

CAT stands for Client Authentication Token. This is how a client authenticates itself to Symantec to make use of the reputation servers (for Download Insight, for example). This is required.

  • https://tus1gwynwapex01.symantec.com

Error submissions

  • https://stnd-lueg.crsi.symantec.com

If SEP generates an error report due to a component crash, SEP uses this URL to report the error and associated data back to Symantec.

Insight reports

  • https://ent-shasta-mr-clean.symantec.com

Data sent back to the client from a reputation query.

Insight

  • https://ent-shasta-rrs.symantec.com
  • https://shasta-mr-healthy.symantec.com

URLs that SEP clients send reputation requests to. Note that client traffic to ent-shasta-rrs.symantec.com.ntn.symantec.com may also be observed. This URL is used for DNS name resolution to ent-shasta-rrs.symantec.com.

License activation

  • https://services-prod.symantec.com/service/IPLService.serviceagent/IPLendpoint1

URL that SEP uses to verify if the license being used is current and active.

LiveUpdate

  • http://liveupdate.symantecliveupdate.com
  • http://liveupdate.symantec.com
  • https://liveupdate.symantecliveupdate.com (SEP 14.2 RU1 onwards)
  • https://liveupdate.symantec.com (SEP 14.2 RU1 onwards)

URLs that SEP connects to for definition updates.

Endpoint Protection Manager Windows definitions "Latest from Symantec"

  • http://securityresponse.symantec.com

Telemetry

  • https://tses.broadcom.com
  • https://telemetry.broadcom.com

Data sent to Symantec about the SEP or SEPM installation, that is, how SEP is being used by the customer base.

SETI

  • https://tses.symantec.com

Data sent to Symantec about installation related events.

SymQual

  • faults.norton.com

Data and crash dumps for processes sent to Symantec to help make the product better.

Web pulse reputation

  • sp.cwfservice.net

SEPM Cloud services

Portal

  • https://sep.securitycloud.symantec.com/cc/#/landing
  • https://sep.securitycloud.symantec.com/cc/#/login

Cloud console access.

Onboarding

  • https://sep.securitycloud.symantec.com/cc/#/onboard

Enrollment and unenrollment of SEPM.

R3

  • usea1.r3.securitycloud.symantec.com

REST Request Router.

SPOC

  • us.spoc.securitycloud.symantec.com
  • spoc-pool-gtm.norton.com (old URL that may be used by the agents with older versions)

SEPM Cloud notification service.

AWS S3

  • https://us-east-1-s3-symc-prod-saep-cis.s3.amazonaws.com
  • https://global-s3-cpe-prod-saep-hub.s3.amazonaws.com
  • https://us-east-1-s3-symc-prod-ses-shared-content.s3.amazonaws.com

Cloud storage services.
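
To confirm from the proxy side which of the hosts above are still being refused, the following added example (not Symantec or Broadcom code) scans proxy access-log lines for 403/407 responses to a subset of the hosts listed in this article. It assumes Squid's native access.log layout; the log lines, client addresses and request path are constructed for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Hosts copied from the article, mapped to the section that lists them (subset).
REQUIRED_HOSTS = {
    "ent-shasta-rrs.symantec.com": "Insight",
    "ent-shasta-mr-clean.symantec.com": "Insight reports",
    "tus1gwynwapex01.symantec.com": "CAT submissions",
    "services-prod.symantec.com": "License activation",
    "liveupdate.symantecliveupdate.com": "LiveUpdate",
    "liveupdate.symantec.com": "LiveUpdate",
    "sep.securitycloud.symantec.com": "SEPM Cloud services",
}

# Constructed sample lines in Squid's native access.log layout (an assumption).
SAMPLE_LOG = """\
1700000000.101 12 10.0.0.21 TCP_DENIED/407 3921 CONNECT ent-shasta-rrs.symantec.com:443 - HIER_NONE/- text/html
1700000001.220 230 10.0.0.21 TCP_TUNNEL/200 5120 CONNECT tus1gwynwapex01.symantec.com:443 - HIER_DIRECT/203.0.113.10 -
1700000002.330 9 10.0.0.35 TCP_DENIED/407 3921 GET http://liveupdate.symantecliveupdate.com/constructed/path - HIER_NONE/- text/html
1700000003.440 8 10.0.0.35 TCP_DENIED/403 3800 CONNECT services-prod.symantec.com:443 - HIER_NONE/- text/html
1700000004.550 7 10.0.0.35 TCP_DENIED/407 3921 CONNECT example.org:443 - HIER_NONE/- text/html
malformed line
"""


def target_host(method, target):
    """Return the lowercase hostname from a CONNECT host:port or an absolute URL."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()


def blocked_required(log_text):
    """Count 403/407 responses per (section, host, status) for required hosts."""
    hits = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or "/" not in fields[3]:
            continue  # skip lines that do not match the assumed layout
        status = fields[3].rsplit("/", 1)[1]
        host = target_host(fields[5], fields[6])
        if host in REQUIRED_HOSTS and status in ("403", "407"):
            hits[(REQUIRED_HOSTS[host], host, status)] += 1
    return hits


if __name__ == "__main__":
    for (section, host, status), n in sorted(blocked_required(SAMPLE_LOG).items()):
        print(f"{section}: {host} refused with HTTP {status} x{n}")
```

A 407 for one of these hosts means the proxy is demanding authentication for that request, and a 403 means policy is refusing it outright.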


See How test connectivity with Insight and Symantec Licensing servers for troubleshooting steps.

See also Proxy error messages appear in the Endpoint Protection Manager Cloud tab > Troubleshooting.