Set WSSA Network/Security Options
The Web Security Service provides several options that allow you to specify how the WSS Agent behaves on the client and how to route traffic.
In Service mode, select Mobility > WSS Agent.
Tip: This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message.
By default, the WSS accepts traffic from the WSS Agent installed on client systems on the common gateway ports 80 (HTTP), 443 (HTTPS), and 8080 (Explicit Proxy HTTP).
Tip: Migration Scenario—You are migrating security to the WSS from on-premises Blue Coat ProxySG appliances, where the WSS Agent (proxy version) accessed numerous HTTP/HTTPS sites on non-standard ports. By default, the WSS is limited to the three standard web ports.
The default ports cannot be changed, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS traffic, configure the WSS to listen on those ports as well. For example, the WSS must also listen on ports 8000 (HTTP) and 8083 (HTTPS).
Select View/Edit Ports.
- Ports—If your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate traffic type and entering the port. You can only enter one port in each field. You can add up to 1000 ports.
- Click Save.
If you have enabled the Cloud Firewall Service on your WSS portal account, you must select the Forward all traffic from all ports to WSS option.
Note: This option is available in the portal only if your account has the CFS license provisioned.
By default, the Web Security Service bypasses the following RFC 1918 addresses.
If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service and the client connects directly.
Preferences or business requirements might require you to configure the WSS to bypass additional IP addresses/subnets and domains, for example, test networks.
Clicking the Network > Bypassed Sites (bottom of page) link takes you to that screen, as this is a shared configuration with other Web Security Service features.
For more details, see Prevent IP/Subnet From Routing to the Web Security Service.
- Allow remote client requests to bypass specific domains (only available for Unified Agent v4.4+). See Prevent a Domain From Routing to the Web Security Service.
The following configurations apply only to the Unified Agent.
Block IPv6 traffic blocks requested connections to destinations with IPv6 addresses when resolved by DNS. This includes traffic destined for non-local forwarded ports.
IPv6 addresses are allowed under the following scenarios.
- IPv6 traffic is destined for local addresses (link-local and unique local addresses).
- IPv6 traffic is destined for a non-forwarded port (80, 443, and 8080 by default).
Note: The above applies to WSS Agent 6.1+. WSSA 5.x only prevents domains from resolving to IPv6 addresses.
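The routing outcomes described above (default and added ports, the CFS forward-all option, RFC 1918 and configured bypasses, and the IPv6 block with its local-address and non-forwarded-port exemptions), modeled as an added Python example that is not Symantec's code and is not how the agent is implemented. The RFC 1918 ranges and the IPv6 link-local/unique-local ranges are taken from the RFCs, not from this page, and the decision order is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the WSS Agent routing decision; not the real agent.
DEFAULT_FORWARDED_PORTS = {80, 443, 8080}
# RFC 1918 private ranges (from the RFC; the page lists them but they are not reproduced here).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# IPv6 link-local (fe80::/10) and unique local (fc00::/7) addresses are exempt from the block.
IPV6_LOCAL = [ipaddress.ip_network("fe80::/10"), ipaddress.ip_network("fc00::/7")]


@dataclass
class AgentConfig:
    extra_ports: set = field(default_factory=set)        # View/Edit Ports
    forward_all_ports: bool = False                       # CFS: forward all traffic from all ports
    bypass_subnets: list = field(default_factory=list)    # Network > Bypassed Sites (IP/subnet)
    bypass_domains: set = field(default_factory=set)      # Network > Bypassed Sites (domain)
    block_ipv6: bool = False                              # Block IPv6 traffic

    def forwarded_ports(self):
        return DEFAULT_FORWARDED_PORTS | set(self.extra_ports)


def route(cfg, host, ip, port):
    """Return 'direct', 'tunnel' or 'block' for one destination request."""
    addr = ipaddress.ip_address(ip)
    # Bypassed domains (and their subdomains) connect directly.
    if any(host == d or host.endswith("." + d) for d in cfg.bypass_domains):
        return "direct"
    # RFC 1918 and configured bypass subnets connect directly (version mismatch never matches).
    nets = RFC1918 + [ipaddress.ip_network(s, strict=False) for s in cfg.bypass_subnets]
    if any(addr in n for n in nets):
        return "direct"
    forwarded = cfg.forward_all_ports or port in cfg.forwarded_ports()
    if addr.version == 6:
        if any(addr in n for n in IPV6_LOCAL):
            return "direct"            # local IPv6 is always allowed
        if cfg.block_ipv6 and forwarded:
            return "block"             # non-local IPv6 to a forwarded port is blocked
    return "tunnel" if forwarded else "direct"
```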
- Select Allow Google QUIC only if you have a business requirement, or a preference for the highest performance, that calls for QUIC connections to bypass the service. For more information, see the QUIC section in Connectivity: About the WSS Agent.
- Disable Tamper Protection—Select this option if your preference is to allow the WSS Agent to fail open (allow connections) should the agent be unable to connect to the WSS. Be advised that these connections are not subject to policy checks or malware detection.
- Ignore Proxy Settings—The WSS Agent establishes a direct VPN tunnel, bypassing any proxy setting an endpoint user attempts to define. However, Ignore Proxy Settings applies only to the tunnel creation. If the CTC connection fails, this setting cannot be retrieved. For an on-premises WSS Agent to successfully go passive, any on-premises firewall/proxy must bypass traffic to https://ctc.threatpulse.com.
By default, a WSS Agent process sends the User ID through the tunnel to the WSS. This ensures an accurate account of who initiated the request and allows for policy enforcement and reporting. Your network might have third-party products that also intercept these connections, which causes the WSS to erroneously view the username as something similar to the following. Examples of these products include anti-virus programs and applications that run browsers in a secure virtual container.
This prevents user-based policy enforcement and reporting. To be compatible with third-party interceptions that cause this issue, instruct the Unified Agent to send the logged-in username.
Select Logged in User ID from the Username Format drop-down list.
Tip: For a current list of known third-party applications that cause this issue, see NT AUTHORITY\SYSTEM Username Returned From the UA.
As best practice described in Connectivity: Install the WSS Agent, Symantec recommends that you select how much control your employees have with the WSS Agent before you push the agent to clients.
In Service mode, select Mobility > WSS Agent. Locate the End User Permissions area.
Decide if the following features are applicable.
Enable update prompts.
If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.
Allow the Proxy Settings tab. This option applies only to the Unified Agent.
Whether to allow employees to access the Proxy Settings tab in their Unified Agent applications is a decision made before installation.
This option does not change the system proxy settings for any other application on the client system; it only affects how the Unified Agent connects its tunnels. Typically, the Unified Agent honors the system proxy setting. This option disables that, and connections are made directly instead; the Unified Agent never connects through a proxy (but see the browser note below). This option is for the very specific case where your environment has proxy settings, but you do not want the Unified Agent to use them when connecting to CTC or establishing its tunnels.
The proxy that is used is the proxy of the user related to the process.
- macOS uses one set of proxies.
- Windows—The CTC sees connection requests from the SYSTEM user, which can be from WPAD, a PAC file, or explicit proxy address/port settings.
Tip: Browser configurations are completely separate. The Unified Agent cannot control the browser's behavior relating to proxies. That is, if a proxy is set in the particular browser (wherever that browser stores it), that proxy setting is honored.
Allow local ability to disable the agent.
If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.
Require a token for uninstallation.
If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that you define.
On clients, employees are prompted for network credentials.