Web Security Service Connectivity: WSS Agent - and Unified Agent
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Web Security Service Connectivity: WSS Agent and Unified Agent
Symantec Web Security Service/Page 2
Unified Agent Guide/Page 3 Copyrights Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
Symantec Web Security Service/Page 4
Symantec Web Security Service:
WSS Agent Guide
The Symantec Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based
product, the Web Security Service leverages Symantec's proven security technology, including the WebPulse™ cloud
community.
With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to
create and enforce granular policies that are applied to all covered users, including fixed locations and roaming users.
To provide security to employees who take corporate clients beyond the corporate network, such as taking laptops on business
trips, the WSS Agent routes web requests through WSS when connecting from a non-corporate network.
Table Of Contents
Symantec Web Security Service:WSS Agent Guide 4
Table Of Contents 4
WSS Agent 7
Connectivity: About the WSS Agent 8
Why Select This Method? 8
Connectivity: Install the WSS Agent 17
Technical Requirements 17
About the WSS Root Certificate 17
About the WSS Agent Installation or Upgrade 18
About Bypassed Non-Routable IP Addresses 18
Procedure—Prepare for Installation 18
Procedure—Install the WSS Agent 20
Connectivity: Distribute WSS Agent With GPO 27
Technical Requirements 27
Procedure 27
Connectivity: Distribute WSS Agent With JAMF 31
Technical Requirement 31
Procedure 31
Set WSSA Network/Security Options 35
About the WSS Agent UI 42
System Tray/Menu 42
Agent Interface 42
About Tab 43
Available Updates 43
Disable the WSS Agent 45
Procedure 45
Agent Logging 47
Unified Agent Guide/Page 5 SymDiag Application For WSS Agent on Windows 48 Technical Requirements 48 Procedure 48 Debugging Script for WSS Agent on Mac Systems 52 Technical Requirements 52 Procedure 52 WSS Agent 7.x—Tunnel Error 54 Uninstall the WSS Agent 55 Windows 55 macOS 55 Unified Agent 56 Connectivity: About the Unified Agent 57 Why Select This Method? 58 About the QUIC Protocol 62 About Proxy Avoidance Attempts 62 About Password Protection 62 About SSL Certificate Installation 62 About Challenge-based Authentication (Captive Portal) 63 About IPv6 IP Addresses 63 About Time Zones 63 About Hybrid Policy and Unified Agent Connections 63 Connectivity: Manually Deploy the Unified Agent (Windows) 66 Technical Requirements 66 About Bypyassed Non-Routable IP Addresses 66 Procedure 67 Connectivity: Manually Deploy the Unified Agent (Mac) 71 Technical Requirements 71 About Bypassed Non-Routable IP Addresses 71 Procedure 72 Route Remote Connections Through an HTTP Proxy 75 Deployment Notes 75 Manually Disable the Unified Agent 78 Activate the Disable Option 78 Instruct Employees How to Disable the Unified Agent 78 Uninstall the Unified Agent 79 Available Options 79 Unified Agent—With Uninstall Token 79 Information 79 Procedure 79 Windows 80 OS X 81 No Token Defined/Client Connector 82 Reference—MSI Versions 82 MSI Version Mis-Match (Unknown MSI) 82 Troubleshoot... 84 Unified Agent Connection Troubleshooting 85
Symantec Web Security Service/Page 6
Manage Web Security Service Client Connections 89
Manually Disable the Unified Agent 90
Review System Events Generated by Remote Clients 91
Capture Remote Client Trace Log 92
Verify Mobile Connections 94
About Device Visibility 94
View Devices 94
Page Options 95
Prevent a Domain From Routing to WSS 96
Notes 96
Procedure—Manually Add Domain Entries 96
Import IP Address Entries From a Saved List 97
Prevent IP/Subnet From Routing to the Web Security Service 98
Notes 98
Procedure—Manually Add IP Addresses 98
Import IP Address Entries From a Saved List 99
Reference: Windows WSSA/UA Package Versions 100
Unified Agent Guide/Page 7 WSS Agent The WSS Agent is the Symantec-recommended agent for supported Windows 10+ and macOS High Sierra+ clients. n "Connectivity: About the WSS Agent" on page 8 n "Connectivity: Install the WSS Agent" on page 17 n "Connectivity: Distribute WSS Agent With GPO" on page 27 n "Connectivity: Distribute WSS Agent With JAMF" on page 31 n "Set WSSA Network/Security Options" on page 35 n "About the WSS Agent UI" on page 42 n "Disable the WSS Agent" on page 45 n "SymDiag Application For WSS Agent on Windows" on page 48 n "Debugging Script for WSS Agent on Mac Systems" on page 52 n "Uninstall the WSS Agent" on page 55
Symantec Web Security Service/Page 8
Connectivity: About the WSS Agent
WSS Agent is a powerful, flexible, cloud-directed WSS connectivity method. WSS Agent uses a VPN tunnel to securely route
traffic from the end user’s machine to WSS. WSS Agent provides non-standard web traffic redirection and an extra layer of data
privacy to public WiFi networks, which are two major benefits of this connection solution.
When installed on client systems, the WSS Agent works as part of the client system's configuration. After the application is
installed, no further configuration is required on the client system. It directs content requests to WSS over a secure connection
(port 443). To enforce proxy avoidance, the WSS Agent detects and redirects HTTP proxy requests to any external, non-WSS
IP addresses. As such requests are redirected, the user is unable to circumvent filtering and malware scanning.
The WSS Agent provides additional security features.
n The WSS Agent prevents employees from stopping and starting the service from the Services Management Console,
even if the employee has Windows Administrator privileges.
n You can give employees the ability to temporarily disable the WSS Agent should they be experiencing connection issues.
Why Select This Method?
Benefits—
n Always active. The user does not have to log in to the agent.
n Works in the background and is transparent to users.
n Captures the user and system names for reporting.
n Viable security solution for a premises with fewer than 100 clients and where location-based network infrastructure (such
as a firewall) is not available.
Select another method if—
n You want to manage remote clients through multiple PAC files. SEP Solution.
n You require IPv6 support. The WSS Agent does not currently support IPv6 connections; a future update will provide
support.
Unified Agent Guide/Page 9
Use Cases
Remote, Off-Corporate Network
Your business has one or more physical locations. On-premises infrastructure, such as proxies or
firewall devices, provide security to your corporate-controlled internet connections. Some employees
work remotely or take their laptops to travel and connect through to the internet from an off-corporate
network, such as a hotel or other commercial property WiFi.
1—A Sales Person is on site at a corporate location. The client system recognizes the corporate
internet connection and the WSS Agent remains in Passive Mode. All internet requests proceed
through the on-premises gateway infrastructure. If WSS is providing security, the connection occurs
through a defined location. For example, the proxy appliance or firewall device is configured to connect
to the Santa Clara datacenter VIP. Security policies are applied for that location and/or logged-in user
or group name.
2—The Sales Person then takes a flight to the southern United States and checks into a hotel. The
WSS Agent is now engaged and connects to the nearest WSS datacenter, which in this example is
Dallas (for more details about the cloud service connections, see the next section). You might elect to
define a separate set of web-use policies for WSS Agent connections. For example, you allow access
to more leisure categories after work hours because employees are spending personal time away from
home.
Small Office
n Your business might be small—typically defined as fewer than 100 employees—and thus you do
not have advanced network infrastructure, such as firewall devices or proxies that forward
internet traffic.
n Or your business might have micro-branches, or smaller locations where it does not makes
sense to invest and support network infrastructure that your larger sites require.
Symantec Web Security Service/Page 10
In these cases, the WSS Agent is a viable, low-touch method to provide web security and enforce web-
use policies.
The WSS Agent connects through the location's ISP to the nearest WSS datacenter.
Tip: It is possible for the WSS Agent to connect to a specific datacenter. If
your business requires specific location connections, contact Symantec
Technical Support to request assistance.Unified Agent Guide/Page 11
How the WSS Agent Connects
The WSS Agent connects to WSS when a user logs on (or if there is a connection error from another
method). The agent and the service perform a series of checks in preparation for web requests as the
following flow describes.
1—A Sales Person on a business trip logs in.
n The WSS Agent initiates a connection over port 443 to the Client Traffic Controller (CTC) in the
closest WSS datacenter (the WSS can return availability from up to three geographical
datacenters).
n If the WSS Agent detects any tampering.
o The WSS Agent detects that the configuration store (which contains your customer ID,
failure mode, tamper detection settings) has been tampered with outside of theSymantec Web Security Service/Page 12
application itself.
o The WSS Agent detects an attempt to bypass WSS through entries in the hosts file.
o The WSS Agent is unable to validate the SSL connection for the VPN tunnel to the
service.
The connection is refused and the client receives an exception; otherwise, the connection
continues.
n WSS determines if the connection is from a defined corporate location, the WSS Agent remains
in passive mode.
n WSS verifies that a WSS Admin has configured the portal to block this WSS Agent (for
example, a laptop was lost or stolen and the Admin wants to prevent the connection).
n For all web content requests, WSS applies checks against WSS bypass list, acceptable web
use policies, and malware scanning results.
2—A request is for internally-hosted content or content that belongs to a bypass list never reaches WSS.Unified Agent Guide/Page 13
WSS Agent Connection Concepts
This section provides technical details about how the WSS Agent connects to the WSS.
CTC Issues
If the CTC is not able to respond, the WSS Agent uses a cached connection list and displays a
warning.
VPN Compatibility
The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be
installed on client systems. You can configure full or split tunnel with additional configurations.
n Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec
Location in WSS (mode Connectivity > Locations). This enables WSS to enter Passive mode
when on the Location network.
n Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.
Single Tunnel Default
Applies to WSS Agent 7.1+.
By default, the agent operates in Single Tunnel Mode. This single tunnel behaves as both a system
tunnel and a user tunnel. All traffic generated by the device (regardless of originating process) is
identified as from logged-in user of the client.
Windows Only—You might have an environment where several users concurrently log in to an
environment without a physical console. For example, multiple users concurrently log in to a machine
only test environment through Remote Desktop. You can distribute WSS Agent 7.1+ with an
installation option that supports this deployment. This is described in the installation topic.
HTTP/3
HTTP/3 is a third revision of the HTTP protocol. When introduced in 2013, it was named the Quick
UDP Internet Connections (QUIC) protocol. It is transport layer designed to reduce latency when
compared to TCP (HTTP/HTTPS) connections. Browsers with HTTP/3 enabled and smaller devices
receive the benefit. Chrome 29+ has HTTP/3 enabled by default (chrome://net-internals/#quic).
Other browsers are beginning to include HTTP/3.
To allow for a seamless experience, when clients send web requests that are intercepted for
processing (such as by WSS for security purposes) the connections revert to TCP.
If you have a business requirement or a preference for the highest performance, you can instruct WSS
to bypass HTTP/3 connections. Be aware of the lessened security because of this option. Because
HTTP/3 is UDP-based, these connections are bypassed at the client end-point, which means the
traffic is not checked against policy nor is reporting against the WSS Agent possible. Only select this
bypass option if the highest performance for these clients supersedes the security requirement.Symantec Web Security Service/Page 14
Proxy Connections
The CTC uses the system proxy settings (and if specified the PAC file and/or WPAD) in its connection
to ctc.threatpulse.com.
Windows—Uses the proxy settings of the currently logged-in console user (the user physically logged
into the device). If there is no currently logged-in console user (for example. a remote desktop), then the
proxy settings of the SYSTEM user is used.
macOS—Uses the proxy settings of the main network device (the one that requests for
ctc.threatpulse.com are routed from).
n If a proxy was used for the actual CTC request, then tunnels are opened using the same proxy
server that resolved for ctc.threatpulse.com.
n If a proxy was not used for ctc.threatpulse.com, then tunnels are opened using a direct
connection to the individual connect list items.
The proxy used is the same IP address and port as the proxy used in the actual CTC request.
After two consecutive CTC connection failures, the system proxy is ignored and a direct connection is
attempted instead.
Note: Authenticating proxies are not supported on either platform. This is a
limitation of the operating systems themselves.
Proxy Avoidance Attempts
To enforce proxy avoidance, the WSS Agent detects proxy HTTP requests in outbound streams for
ports other than those configured to be forwarded to the service (typically 80 and 443). Those
connections are forwarded to the WSS instead of the originally-specified proxy.
Furthermore, the WSS Agent does not interpret proxy auto-configuration (PAC) settings as a proxy
avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the
WSS Agent detects it and uses this connection to forward web traffic (on ports 80, 443, and by default).
If the WSS Agent cannot connect with the PAC settings, it attempts a direct connection to the WSS IP
address. You can allow additional ports.
SSL Certificate Installation
The WSS Agent to CTC requires the SSL Root Certificate. WSS Agent installations also install this
certificate. If the certificate is not present, the WSS Agent remains operational but might fail to connect
to the CTC in the datacenter. If this occurs, the agent reverts to the last-received connection list.
Upon installation, the WSS Agent installs the WSS root certificate. If the certificate is not installed
because of unforeseen permission issues, you can manually download it and install it.
Challenge-based Authentication (Captive Portal)
For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive
Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours
after their previous successful entry). This eliminates cached credential access.Unified Agent Guide/Page 15
MAC CLIENT NOTE
You can install WSS Agent on Windows and Mac clients. If a Mac user's username is the same as in
the your AD and there is only one domain in your AD, then user based policy is applied for the Mac
client. The domain defaults to the single domain in the AD. You can, however, enable the Captive
Portal feature, which allows users and groups to be available for policy checks.
Hybrid Policy and WSS Agent Connections
If you are employing the Symantec Hybrid Policy solution, the WSS Agent has slightly different
connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use
common policy. The client workstations that use that common policy proxy have the WSS Agent
installed. Normally, the WSS Agent is in Passive mode on workstations connecting from behind a
proxy that is providing common policy.
Noticeable Behavior
n On the WSS portal, the Location status changes from green to red. This causes all new
WSS Agent connections to switch to active versus passive.
n After a networking event, such as a change in IP address and the Location is red, the
WSS Agent switches to active.
n When the Location status is green, the WSS Agent switches to passive mode.
If the common policy proxy is unable to establish a connection to the portal for approximately 35
minutes, then the hybrid location changes from green to red. If the WSS Agent is in passive mode, it
remains passive unless a networking event occurs. The WSS Agent goes to active mode for all new
connections from that red-status network. This is by design. If the on-premises ProxySG appliance is
experiencing issues and is configured to Fail Open, the WSS Agent must be in active mode for WSS to
provide protection.
Tip: If you notice that the WSS Agent is switching to active mode for
reasons not described above, check the hybrid location in the portal. If the
hybrid location status is red, check connectivity between the on-premises
ProxySG appliance and WSS (might require a packet capture to diagnose).
You can run the update-now command while in the cloud-service
configuration mode to generate traffic destined to the service.Symantec Web Security Service/Page 16
About WSS Agent Performance
As discussed in the topic introduction, WSS Agent uses a VPN tunnel. All VPNs impact performance.
Depending on network conditions, explicit proxy redirection might significantly outperform WSS Agent
in controlled lab testing. Fortunately, the impact is rarely noticeable in real-world usage. While it is
impossible to predict the performance impact from one user to the next, WSS Agent should easily
achieve the speeds required to handle the latency-sensitive needs of power-users. Typically, these
users rely on modern cloud applications, such as the following platforms and examples:
n HD conferencing applications (Zoom, Webex, and Microsoft Teams)
n HD video streaming (YouTube and Vimeo)
n Business productivity applications (Office 365 and G-Suite)
n Collaboration applications (Slack and Google Chat)
n Online file storage and sharing (Box, Dropbox, and Microsoft OneDrive)
Performance Best Practices
n Deploy the most recent WSS Agent release. Because Symantec provides performance
improvements in each release, maintaining the most current WSS Agent version yields the best
results.
n For trusted applications that require near line-speed performance, consider adding the application
to the WSS Agent bypass feature.
n If bypass is not possible, switching to the Symantec Endpoint Protection (SEP) Agent solution is
another option. SEP Agent connects to WSS using explicit proxy redirection, which is typically
faster than WSS Agent.Unified Agent Guide/Page 17
Connectivity: Install the WSS Agent
This topic describes what is required and how to manually install the WSS Agent on a supported Windows or macOS client.
Technical Requirements
n Supported clients—
o 64-bit Windows 10 Professional, Enterprise or Education version 1703
o macOS High Sierra+
Note: You must use the fully-patched vendor-provided versions of the operating systems.
All attempts to install on an unsupported OS fail.
n SEP 14.2 with WTR running in parallel with WSS Agent is not a supported configuration
n Protocols: UDP, SSL, TCP
n Port 443 to ctc.threatpulse.com (for TCP, UDP, and software updates)
n Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more
information, consult the following Knowledge Base article:
https://knowledge.broadcom.com/external/article?legacyId=TECH242793
n On macOS, the contents of the stamped installer are notarized using Apple's notarization process. This means that the
driver, service, and all parts of WSS Agent function correctly on a system that requires notarization. However, the .pkg
file itself is not notarized. If you require a notarized .pkg file, contact Symantec Technical Support.
n The WSS Agent currently does not support IPv6 connections. The best practice is to you disable IPv6 on client
systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.
n Not supported:
o Long-term Servicing Channel (LTSC) is not supported. Microsoft intends for LTSC to be used only for specialized
systems.
o WSS Agent version 7.x does not support Captive Portal. If this is a current requirement, do not upgrade to WSSA
7.x.
About the WSS Root Certificate
n When you install WSS Agent on endpoint clients, the WSS root certificate is also installed.
n If you install or upgrade to WSS Agent version 7.x, the installation removes the root certificate that expires in September
of 2021 and installs the new certificate that expires in September of 2036.
n If you do not want the new certificate, remove it from the trust store. Be advised without a certificate, the clients receiveSymantec Web Security Service/Page 18
certificate errors when SSL sites are intercepted.
n If you want to retain the older certificate, add it to the trust store after installation or upgrade.
About the WSS Agent Installation or Upgrade
n You can upgrade from the Unified Agent or previous versions of the WSS Agent; however, if the Unified Agent was
installed with custom options, they are not preserved or migrated to the WSS Agent.
n You can configure the portal to automatically update the WSS Agent; however, if you upgrading from the Unified Agent to
the WSS Agent, you must push a new installation notification to all clients and clients require a reboot.
n Subsequent WSS Agent upgrades do not require a client system reboot.
About Bypassed Non-Routable IP Addresses
By default, WSS bypasses the following RFC 1918 addresses.
n 10.0.0.0/8
n 169.254.0.0/16
n 172.16.0.0/12
n 192.168.0.0/16
If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly.
Procedure—Prepare for Installation
VPN Compatibility
The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client
systems. You can configure full or split tunnel with additional configurations.
n Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in the WSS
(Connectivity > Locations). This enables WSS to enter Passive mode when on the Location network.
n Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.
Step 1—Select End User Permissions
As best practice, Symantec recommends that you select how much control your employees have with the WSS Agent before
you push the agent to clients.
Navigate to Connectivity > WSS Agent. Locate the End User Permissions area.Unified Agent Guide/Page 19 Decide if the following features are applicable. Enable Update Prompts If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled. Allow the Proxy Settings Tab This option applies only to Unified Agent. Allow Local Ability to Disable the Agent If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent. Require Token for Uninstalling If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that you define. Step 2—Download the WSS Agent Installer. 1. In the Installers area, click the WSS Agent Download button. 2. If this is the first time you are attempting to download the application, the service displays the Profile dialog.
Symantec Web Security Service/Page 20
As a company that provides security services across the globe, Symantec supports and complies with United States and
local export controls. As an authorized member of your enterprise/organization, you must complete this form before
downloading the WSS Agent.
a. Click the Ensure...enterprise account link, which opens your Broadcom profile page.
b. Complete your enterprise information and click Next.
c. Verify and click Upgrade Account. Broadcom sends you a confirmation email.
d. Return to the portal, log out, and log in again. If you do not, you still cannot download the agent.
3. Download the installation file and place it in a network location that is accessible by test clients.
Procedure—Install the WSS Agent
The installation varies depending on the OS and if you want to install with additional options.
Installation Options
When installing on clients, you can install the app with default settings or use the CLI to install with additional options.
n MSI (Windows clients only)—The Microsoft CLI provides multiple options, which are detailed on their website.
https://docs.microsoft.com/en-us/windows/desktop/Msi/command-line-options
The following commands are most relevant to the WSS Agent.
o /passive—Installs without user intervention
o /l*v \Path\To\install.log—Outputs the installation process to a log file (give by \Path\To\install.log).
This command provides installation debugging information.
n Configuration Options—You can append the following options to an installation:
n Specify whether or not to attempt UDP connections. By default, the WSS Agent attempts a UDP connection, but
reverts to TCP if not possible. You can elect to always connect through TCP or exclusively through UDP (neverUnified Agent Guide/Page 21
attempt TCP); however, if the connection cannot be established using the given protocol, the connection fails
and the agent enters the configured failure mode.
n Specify the packet size attempted when sending a PMTU check, which is an option when the connection
continues to fall back to TCP transport because the ping containing the default byte size never receives a
response.
n Disable all real-time statistics collection. No new data is collected; no data purging occurs. You might do this if
the WSS Agent is experiencing performance issues.
n Specify the number of days to retain real-time statistics.
n (WSS Agent 7.1+ only) Enable Multiple Concurrent Users instead of the default Single Tunnel Mode.
If you think one or more these options might suit your deployment or testing needs, consult the configuration descriptions in the
next sections. They contain command syntax and more details.
Windows Application
1. Put the installer on the test client.
2. Launch the installer.
a. In Windows, navigate to the directory where you saved the wssa-5.0.1..msi file.
Symantec strongly recommends that you record the full MSI name; it might be required for future uninstallation
tasks.
b. Double-click the file, which launches the installer.
3. Follow the prompts in the wizard. Select a directory for installation. Click Next.
4. Click Install. The installation begins.
5. Click Finish to complete the installation. The service displays the Installer Information dialog.
6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.
Windows CLI—Options Available
You must have Administrator privilege.
1. Put the installer on the test client.
2. Syntax: msiexec -i \Path\To\wssa-installer.msi MSI_optionsconfiguration_options
Where \Path\To is the location of the installer on your client system. For example: C:\Downloads\.
msiexec -i C:\downloads\wssa-installer.msi
3. Follow the prompts in the wizard. Select a directory for installation. Click Next.
4. Click Install. The installation begins.Symantec Web Security Service/Page 22
5. Click Finish to complete the installation. The service displays the Installer Information dialog.
6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.
Example—Install with MSI options.
n /passive—Installs without user intervention
n /l*v \Path\To\install.log—Outputs the installation process to a log file (give by \Path\To\install.log). This
command provides installation debugging information.
msiexec -i C:\downloads\wssa-installer.msi /passive
Example—Install with MSI and configuration options.
n minPMTU = [0-1500]
The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints
without fragmentation. This has implication for UDP connections, which requires retransmissions if packets are
fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. This
is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically
connect using UDP. The default is 1492.
n enableUDP = [true | false | exclusive]
o true—Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine if PMTU
is limited along the path. If UDP is not possible, the connection defaults to TCP.
o false—Never attempt UDP connections. PMTU is never attempted.
o exclusive—Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is
dropped.
n disableStats = [true | false]
The default is false. Setting to true disables all activities surrounding real-time stats collection; that is, no new data is
added, nor will any purging occur.
n statsRetentionDays = [0-14]
Specifies the number of days to retain real-time statistics. The default is 14. Setting to 0 retains data since midnight, UTC
for the current day. Any data occurring before midnight UTC specified days ago is removed. For example, if the setting is
1, then data before midnight UTC yesterday is purged. The purging occurs every time the client is started and roughly
every 30 minutes while WSS Agent is running. If disableStats is set to true, this option has no effect.
msiexec -i C:\downloads\wssa-installer.msi /passive CUSTOM_
CONFIG=enableUDP=exclusive,statsRetentionDays=1
n MCU=1
Applies to WSS Agent 7.1+. Enables Multiple Concurrent Users Mode. This is for the use cases where multiple users log
in to a machine through remote desktop or for console-less users.Unified Agent Guide/Page 23
macOS Application
1. Put the installer on the test client.
2. Launch the installer.
a. Open the wssa-5.0.1..dmg file by double-clicking on it.
Symantec strongly recommends that you record the full .dmg name; it might be required for future uninstallation
tasks.
b. Double-click the .pkg file, which launches the installer.
3. Follow the prompts in the wizard. Select a directory for installation. Click Next.
4. Click Install. The installation begins.
5. Click Finish to complete the installation. The service displays the Installer Information dialog.
6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.
macOS CLI—Options Available
1. Open the .dmg file using the macOS hdiutil attach command and install the .pkg file using the macOS installer
command. Consult the Apple man pages for more details.
For example, the following three commands attach the disk image, install the package, and detach the disk image.
$ hdiutil attach /path/to/wssa-installer.dmg
$ sudo installer -pkg /path/to/mounted/wssa-installer.pkg -target /
$ hdiutil detach /path/to/mounted
2. Follow the prompts in the wizard. Select a directory for installation. Click Next.
3. Click Install. The installation begins.
4. Click Finish to complete the installation. The service displays the Installer Information dialog.
5. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.
Example—Install with configuration options.
Tip: The command can be run multiple times with multiple configuration options; however, each
individual option is set once only. Attempting to write the same option after it has already been
set overwrites the previous setting.Symantec Web Security Service/Page 24
n minPMTU = [0-1500]
The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints
without fragmentation. This has implication for UDP connections, which requires retransmissions if packets are
fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. This
is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically
connect using UDP. The default is 1492.
n enableUDP = [true | false | exclusive]
o true—Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine if PMTU
is limited along the path. If UDP is not possible, the connection defaults to TCP.
o false—Never attempt UDP connections. PMTU is never attempted.
o exclusive—Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is
dropped.
n disableStats = [true | false]
The default is false. Setting to true disables all activities surrounding real-time stats collection; that is, no new data is
added, nor will any purging occur.
n statsRetentionDays = [0-14]
Specifies the number of days to retain real-time statistics. The default is 14. Setting to 0 retains data since midnight, UTC
for the current day. Any data occurring before midnight UTC specified days ago is removed. For example, if the setting is
1, then data before midnight UTC yesterday is purged. The purging occurs every time the client is started and roughly
every 30 minutes while the WSS Agent is running. If disableStats is set to true, this option has no effect.
$ sudo defaults write com.symantec.wssa CUSTOM_CONFIG -string
"enableUDP=exclusive,statsRetentionDays=1"
Modify Options Post-Installation
After you install the WSS Agent, you can add or delete the options (described in the previous option sections). For example, you
have already installed the agent, but now want to push out the option to lower the PMTU. To achieve this, you use the wssad
command.
Windows
You must run the command as an Admin. The following example uses the default agent path and sets multiple options.
"c:\Program Files\Symantec\WSS Agent\wssad.exe -p enableUDP=exclusive,statsRetentionDays=1"
macOS
$ sudo /opt/symantec/wssad -p enableUDP=exclusive,statsRetentionDays=1
Delete Options
To delete options, run the same command but use -e instead of -p.
"c:\Program Files\Symantec\WSS Agent\wssad.exe -e enableUDP"Unified Agent Guide/Page 25
$ sudo /opt/symantec/wssad -e enableUDP
Tip: When deleting options, you cannot delete more than one option per command.
WSS Agent 6.x with CloudSOC
If your portal account has integrated with the CloudSOC (CASB) service for deeper web application security, some thick
clients—for example, Dropbox—do not work through WSS Agent. This is because of the thick clients' pinning the certificate,
which breaks because of the WSS SSL certificate. Using an installation option, you can bypass all traffic sent to the WSS from
a specific executable (thick client) on a WSS Agent 6.x client. You can bypass these applications, plus other elements such as
VPN IP addresses.
If you have deployed WSS Agent 7.1+, see WSS Agent—Bypass Applications.
Caution: This option weakens security protections because the bypassed traffic is not
susceptible to malware scanning and policies. Also, a savy user with admin privileges on the
client could modify the file.
STEP 1—Disable Tamper Protection
1. In the WSS portal, navigate to Service mode > Mobility > WSS Agent.
2. Select the Disable Tamper Protection option.
STEP 2—Create a JSON File
Create a JSON file that contains the executable bypass information.
{
"bypassExecutables": [
{
"executablePath": "C:\Path\To\Executable.exe"
},
...
]
}
Where the value for exectuablePath is the path on the machine of the executable that is allowed.
When traffic is seen for a new process ID (PID), the WSS Agent driver queries the service to find the executable making the
call. If a PID is provided, which represents an executable that matches an executablePath, then all traffic from that process is
allowed and not sent to the WSS.
Your JSON must be well-formed. In particular, all values must be properly escaped, quoted, and there should be no trailing
hanging commas. You can use an online JSON validator to validate your JSON file.
https://jsonformatter.curiousconcept.comSymantec Web Security Service/Page 26
STEP 3—Host the JSON File
This file can be located local to the endpoint (and accessed through the file:// URI) or on an http:// or https:// website. If
hosting on an https:// website, the endpoint must trust the server certificate.
STEP 4—Send the WSS Agent Configuration Update
Use the CLI to modify the WSS Agent installation.
Windows
"c:\Program Files\Symantec\WSS Agent\wssad.exe -p additionalBypassUrl string"
macOS
$ sudo /opt/symantec/wssad -p additionalBypassUrl string
Where string is the URL of the JSON file.
The bypass takes affect following the next WSS Agent reconnection.
Next Step
n Proceed to "Set WSSA Network/Security Options" on page 35.Unified Agent Guide/Page 27
Connectivity: Distribute WSS Agent With GPO
This topic describes how to use Group Policy Object (GPO) to distribute the WSS Agent or Unified Agent to multiple Windows
clients so they can connect to the Web Security Service.
Tip: This method does not support using a command line to add optional parameters.
Technical Requirements
This method requires the following.
n An understanding of the solution.
o "Connectivity: About the WSS Agent" on page 8—The Symantec-recommended solution.
o "Connectivity: About the Unified Agent" on page 57
Tip: This topic refers to the WSS Agent but also applies to the Unified Agent.
n A Windows 2008 or 2012 domain controller.
n A DNS server.
n The Active Directory (AD) and DNS must be functional; this includes the DNS lookups of the AD domain controller.
n Verify the client system can resolve the name of the AD server that contains the client library.
n Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more
information, consult the following Knowledge Base article:
https://knowledge.broadcom.com/external/article?legacyId=TECH242793
n The WSS Agent currently does not support IPv6 connections. The current best practice is to disable IPv6 on client
systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.
Procedure
VPN Client Compatibility
The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client
systems. You can configure full or split tunnel with additional configurations.
n Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS
(Connectivity > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.
n Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.
For WSS Agent deployment, proceed to Step 2.Symantec Web Security Service/Page 28
Step 1—HTTP Proxy Connection Required?
For WSS Agent deployment, proceed to Step 2.
Navigate to Connectivity > WSS Agent.
n A scenario might require this or other clients to connect to the WSS through an HTTP proxy. For example, you have a test
or demonstration network. Before installing the Unified Agent on a client, you must select the Allow access to
Proxy Settings in agent, which allows Proxy tab to be visible after its installation.
n For increased security in a production installation, clear this option. That the Proxy tab is not visible nor available on the
Unified Agent application on the employee's client system.
Tip: You cannot regain visibility of the Proxy tab post-installation. You must re-install the
Unified Agent with this option enabled.
Step 2—Entrust Certificate Prerequisite
Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more
notes and installation steps, consult the following Symantec Knowledge Base article:
https://knowledge.broadcom.com/external/article?legacyId=TECH242793
Step 3—Download the Agent Installer.
If you downloaded the agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.
1. Navigate to Connectivity > WSS Agent.
2. In the Installers area, click the Windows:WSS Agent Download.
3. If this is the first time you are attempting to download the application, the service displays the Profile dialog.Unified Agent Guide/Page 29
As a company that provides security services across the globe, Symantec supports and complies with United States
and local export controls. As an authorized member of your enterprise/organization, you must complete this form before
downloading the WSS Agent.
a. Click the Ensure...enterprise account link, which opens your Broadcom profile page.
b. Complete your enterprise information and click Next.
c. Verify and click Upgrade Account. Broadcom sends you a confirmation email.
d. Return to the portal, log out, and log in again. If you do not, you still cannot download the agent.
4. Download the installation file. If the location of the file is not a Windows share, create a share. Verify that the directory
and files have Read and Execute file system rights.
Step 4—Distribute the Agent
1. On the domain controller, click Start and select Control Panel > Administrative Tools > Active Directory Users and
Computers.
2. Right-click the domain and select Properties.
3. On the Group Policy tab, click New. Name the policy, such as InstallCloudClientMSI. Highlight the new GPO object
and click Edit.
4. Navigate to Computer Configuration > Software Settings > Software installation.
a. Right-click Software Installation and select New > Package.
Note: Verify that you have a valid UNC path. Click My Network Places > Entire
Network > Microsoft Windows Network >server_domain>server_name >client_
binary_share_name >select_the_binary.Symantec Web Security Service/Page 30
b. For Deployment Method, select Assigned and click OK. If your new policy is not visible, right-click Software
Installation and click Refresh.
5. If the workstation properly joins the domain, the client installs on the second reboot (it reads policy on the first bootup) and
executes policy. The workstation installs the client and reboots once more.
6. Test.
Next Selection
WSS Agent
n "Set WSSA Network/Security Options" on page 35.
Unified Agent
n If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an
HTTP Proxy" on page 75.
n If not, proceed to "Set WSSA Network/Security Options" on page 35.Unified Agent Guide/Page 31
Connectivity: Distribute WSS Agent With JAMF
To provide Web Security Service to remote users, you must download the WSS Agent and install it on client systems. See
"Connectivity: About the WSS Agent" on page 8.
JAMF provides a widely used software solution to distribute applications. This section describes how to distribute the
WSS Agent to clients. For general information about using JAMF polices and packages, see the user documentation for JAMF
at www.jamfsoftware.com.
Technical Requirement
n The WSS Agent currently does not support IPv6 connections. Symantec recommends that you disable IPv6 on client
systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.
Procedure
VPN Client Compatibility
The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client
systems. You can configure full or split tunnel with additional configurations.
n Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS
(Connectivity > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.
n Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.
Step 1—Select End User Permissions
As best practice, Symantec recommends that you select how much control your employees have with the WSS Agent before
you push the agent to clients.
Navigate to Connectivity > WSS Agent. Locate the End User Permissions area.Symantec Web Security Service/Page 32
Decide if the following features are applicable.
Enable Update Prompts
If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for
downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is
enabled.
Allow the Proxy Settings Tab
This option applies only to Unified Agent.
Allow Local Ability to Disable the Agent
If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.
Require Token for Uninstalling
If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that
you define.
Step 2—Download the WSS Agent Installer.
If you downloaded the WSS Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.
1. In the Installers area, Download the agent.
2. If this is the first time you are attempting to download the application, the service displays the Profile dialog.
As a company that provides security services across the globe, Symantec supports and complies with United States and
local export controls. As an authorized member of your enterprise/organization, you must complete this form before
downloading the Unified Agent. The fields with blue asterisks (*) are required.
Click Save to update your profile and then close the dialog.
3. Download the installation file.Unified Agent Guide/Page 33
Step 3—High-Level JAMF Procedure
1. Create the upgrade packages for WSS Agent installation.
Tip: If you deploy both the on-box and cloud versions of the agent on your network, create
two packages with different names.
2. Upload the packages to the JAMF file-distribution server. Place both packages in the same directory.
3. Create a policy with the following settings.
n Category—Select the appropriate setting for your network.
n Triggers—Select the appropriate setting for your network.
n Execution Frequency—Once per device.
n Priority—Before. This permits the CMURL to be set before installation.
n Scope—Add the devices to update. Each of the devices must be marked as Managed.
n Restart—Not needed.
The interface displays the new policy in the list.
What Occurs on Employee Clients?
After you use JAMF to push the update package, the following events occur on the employee OS X client.
1. The client displays a Management Notification dialog.
2. The employee follows the prompts to accept and install the WSS Agent application.
Employee Template
(Optional) To notify your impacted employees and provide them with instructions, consider using the following template. Copy
contents in an email; edit as needed; send.
[Company] is distributing a security update to your corporate Mac client. You will be prompted to [install / update] an application
called WSS Agent. Perform the following steps.
1. When your Mac client receives the update, the client displays a Management Notification.
2. To complete the installation, click through the prompts.
3. If the client displays a prompt to accept a certificate, accept it. This is required to receive the application.
If you have any questions or issues, contact IT.Symantec Web Security Service/Page 34
Next Selection
WSS Agent
n "Set WSSA Network/Security Options" on page 35.
Unified Agent
n If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an
HTTP Proxy" on page 75.
n If not, proceed to "Set WSSA Network/Security Options" on page 35.Unified Agent Guide/Page 35 Set WSSA Network/Security Options The Web Security Service provides several options that allow you to specify how the WSS Agent behaves on the client and how to route traffic. Navigate to Connectivity > WSS Agent. Tip: This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message. Determine Failure Behavior. By default, the WSS allows remote clients unabated web access if the service becomes unavailable. For maximum security, set the Fail Behavior to Block All Traffic until IT or Symantec restores the service. Change Listening Ports (No CFS). By default, the WSS accepts traffic from the WSS Agent, that is installed on client systems, from the common gateway ports of 80 (HTTP), 443 (HTTPS) and 8080 (Explicit Proxy HTTP). Tip: Migration Scenario—You are migrating security to the WSS from on-premises Blue Coat ProxySG appliances and where the WSS Agent (proxy version) accessed numerous HTTP/HTTPS sites on non-standard ports. By default, the WSS is limited to the three standard web ports.
Symantec Web Security Service/Page 36
The default ports are not changeable, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS
traffic, configure the WSS to listen on those ports. For example, the WSS must also listen to ports 8000 (HTTP) and 8083
(HTTPS).
1. Select View/Edit Ports.
2. Ports—If your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate
traffic type and entering the port. You can only enter one port in each field. You can add up to 1000 ports.
3. Click Save.Unified Agent Guide/Page 37
Forward All Ports (CFS Only).
If you have enabled the Cloud Firewall Service on your WSS portal account, you must select the Forward all traffic from all
ports to WSS option.
Note: This option is available in the portal only your account has the CFS license provisioned.
Bypass IP addresses/subnets and domains.
By default, WSS bypasses the following RFC 1918 addresses.
n 10.0.0.0/8
n 169.254.0.0/16
n 172.16.0.0/12
n 192.168.0.0/16
If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly.
Personal choices or business requirements might require you to configure WSS to bypass additional IP addresses/Subnets
and Domains. For example, bypass test networks.
Clicking the Connectivity > Bypassed Traffic (bottom of page) link takes you to that screen, as this is a shared configuration
with other WSS features.Symantec Web Security Service/Page 38
n For more details, see "Prevent IP/Subnet From Routing to the Web Security Service" on page 98.
n Allow remote client requests to bypass specific domains (only available for Unified Agent v4.4+). See "Prevent a Domain
From Routing to WSS" on page 96.
Define Agent Connection Options.
a. Block IPv6 traffic—Applies to WSS Agent v5.x and below.
Blocks requested connections to destinations with IPv6 addresses when resolved by DNS. This includes traffic destined
for non-local forwarded ports.
IPv6 addresses are allowed under the following scenarios.
n IPv6 traffic is destined for local addresses (link-local and unique local addresses).
n IPv6 traffic is destined for a non-forwarded port (80, 443, and 8080 by default).
b. Select Allow HTTP/3 only if you have a business requirement or a preference for the highest performance to bypass
HTTP/3 (formerly QUIC) connections. For more information, see the HTTP/3 section in "Connectivity: About the
WSS Agent" on page 8.
c. Disable Tamper Protection—Select this option if your preference is to allow WSS Agent to fail-open (allow connections)
should the agent be unable to connect to WSS. Be advised that these connections are not susceptible to policy checks
and malware detection.
d. Ignore Proxy Settings—Applies to WSS Agent v4.x and below.
The WSS Agent establishes a direct VPN tunnel, bypassing any possibly set proxy setting a endpoint user attempts to
define. However, Ignore Proxy Settings applies only to the tunnel creation. If the CTC connection fails, this setting
cannot be retrieved. For a successful on-premises WSS Agent to go passive, any on-premises firewall/proxy must
bypass traffic to https://ctc.threatpulse.com.
e. Applies to WSS Agent v6.x and below.
By default, a WSS Agent process sends the User ID through the tunnel to WSS. This ensures an accurate account of
who initiated the request and allows for policy enforcement and reporting. Your network might have third-party productsUnified Agent Guide/Page 39
that also intercept these connections, which causes WSS to erroneously view the username as something similar to the
following. Examples of these products include anti-virus programs and applications run browsers in a secure virtual
container.
NT AUTHORITY\SYSTEM
This prevents user-based policy enforcement and reporting. To be compatible with third-party interceptions that cause
this issue, instruct the WSS Agent to send the logged-in username.
Select Logged in User ID from the Username Format drop-down list.
Tip: For a current list of known third-party applications that cause this issue, see NT
AUTHORITY\SYSTEM Username Returned From the UA.
Select End User Permissions
As best practice described in "Connectivity: Install the WSS Agent" on page 17, select how much control your employees have
with the WSS Agent before you push the agent to clients.
On the WSS Agent page, locate the End User Permissions area.
Decide if the following features are applicable.
n Enable update prompts.
If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for
downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default
is enabled.
n Allow the Proxy Settings tab. This option applies only to the Unified Agent.
The option to allow employees access the Proxy Settings tab on their Unified Agent applications is a decision
performed before installation.Symantec Web Security Service/Page 40
This is option does not change the system proxy settings for any other application on the client system; it only affects
how the Unified Agent connects its tunnels. Typically, the Unified Agent honors the system proxy setting. This option
disables that and connections are made direct instead; the Unified Agent never connects through a proxy (but see
browser note below). This option is for the very specific case where your environment has proxy settings, but you do not
want the Unified Agent to use the proxy settings when connecting to CTC or establishing their tunnels.
The proxy that is used is the proxy of the user related to the process.
n MAC OSes use one set of proxies.
n Windows—The CTC see connection requests from the SYSTEM user, which can be from WPAD, a PAC file, or
explicit proxy address/port settings.
Tip: Browser configurations are completely separate. The Unified Agent cannot control the
browser's behavior relating to proxies. That is, if a proxy is set in the particular browser
(wherever that browser stores it), that proxy setting is honored.
n Allow local ability to disable the agent.
If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.
n Require a token for uninstallation.
If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a
token that you define.
(Optional) Enable challenge-based authentication (Captive Portal).
Applies to WSS Agent v6.x and below. This option requires deployment of the Auth Connector application, which integrates with
your Active Directory to provide username and group information.
To enforce accurate user credentials rather than rely on locally cached credentials:
1. Navigate to Identity > Authentication Policy (or click the link on the WSS Agent page).
2. Expand the Authentication Policy area.
3. Click the Edit icon at the end of Rule G4.You can also read
