Connectivity: About the WSS Agent
The Symantec WSS Agent provides web security to remote users when a route through the corporate network is not possible or practical.
When installed on client systems, the WSS Agent works as part of the client system's configuration; after the application is installed, no further configuration is required on the client system. It directs content requests to WSS over a secure connection (port 443). To enforce proxy avoidance, the WSS Agent detects and redirects HTTP proxy requests to any external, non-WSS IP addresses. As such requests are redirected, the user is unable to circumvent filtering and malware scanning.
Furthermore, the WSS Agent provides additional security features.
- The WSS Agent prevents employees from stopping and starting the service from the Services Management Console, even if the employee has Windows Administrator privileges.
- You can give employees the ability to temporarily disable the WSS Agent should they be experiencing connection issues.
Tip: This and related topics refer to the agent as the WSS Agent, which is the recommended agent. However, until further notice, Symantec will continue to support Unified Agent on Windows 7/8 and macOS Sierra Operating Systems only until those operating systems reach end-of-life by their respective vendors.
Why Select This Method?
- Always active. The user does not have to log in to the agent.
- Works in the background and is transparent to users.
- Captures the user and system names for reporting.
- Viable solution for a premises with fewer than 100 clients and where location-based network infrastructure (such as a firewall) is not available.
Select another method if—
- The clients are 32-bit Windows, pre-Windows 10, or macOS High Sierra. See Connectivity: About the Unified Agent.
- You want to manage remote clients through multiple PAC files (SEP solution). See Connectivity: About Symantec Endpoint Protection.
- You require IPv6 support. The WSS Agent does not currently support IPv6 connections; a future update will provide support.
Remote, Off-Corporate Network
Your business has one or more physical locations. On-premises infrastructure, such as proxies or firewall devices, provides security for your corporate-controlled internet connections. Some employees work remotely or take their laptops when they travel and connect to the internet from an off-corporate network, such as a hotel or other commercial property WiFi.
1—A Sales Person is on site at a corporate location. The client system recognizes the corporate internet connection and the WSS Agent remains in Passive Mode. All internet requests proceed through the on-premises gateway infrastructure. If the Web Security Service is providing security, the connection occurs through a defined location. For example, the proxy appliance or firewall device is configured to connect to the Santa Clara datacenter VIP. Security policies are applied for that location and/or logged-in user or group name.
2—The Sales Person then takes a flight to the southern United States and checks into a hotel. The WSS Agent is now engaged and connects to the nearest WSS datacenter, which in this example is Dallas (for more details about the cloud service connections, see the next section). You might elect to define a separate set of web-use policies for WSS Agent connections. For example, you allow access to more leisure categories after work hours because employees are spending personal time away from home.
- Your business might be small—as a best practice defined as fewer than 100 employees—and thus you do not have advanced network infrastructure such as firewall devices or proxies that forward internet traffic.
- Or your business might have micro-branches, or smaller locations where it does not make sense to invest in and support the network infrastructure that your larger sites require.
In these cases, the WSS Agent is a viable, low-touch method to provide web security and enforce web-use policies.
The WSS Agent connects through the location's ISP to the nearest WSS datacenter.
Tip: It is possible for the WSS Agent to connect to a specific datacenter. If your business requires specific location connections, contact Symantec Technical Support to request assistance.
The WSS Agent connects to the WSS when a user logs on (or if there is a connection error from another method). The agent and the service perform a series of checks in preparation for web requests as the following flow describes.
1—A Sales Person on a business trip logs in.
The WSS Agent initiates a connection over port 443 to the Client Traffic Controller (CTC) in the closest WSS datacenter (the WSS can return availability from up to three geographical datacenters).
If the WSS Agent detects any of the following tampering conditions:
- The WSS Agent detects that the configuration store (which contains your customer ID, failure mode, tamper detection settings) has been tampered with outside of the application itself.
- The WSS Agent detects an attempt to bypass the WSS through entries in the hosts file.
- The WSS Agent is unable to validate the SSL connection for the VPN tunnel to the service.
The connection is refused and the client receives an exception; otherwise, the connection continues.
- The WSS determines whether the connection is from a defined corporate location; if it is, the WSS Agent remains in passive mode.
- The WSS checks whether a WSS Admin has configured the portal to block this WSS Agent (for example, a laptop was lost or stolen and the Admin wants to prevent the connection).
- For all web content requests, the WSS applies checks against the WSS bypass list, acceptable web use policies, and malware scanning results.
2—A request for internally-hosted content, or for content that belongs to a bypass list, never reaches the WSS.
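The hosts-file bypass check in the flow above, as a defender-side example added here (not the agent's own code): it parses a constructed hosts file and flags any static mapping for a name under the threatpulse.com service domain, since such entries override DNS for the service. The second flagged hostname and the sample addresses are constructed; only ctc.threatpulse.com is named on this page.

```python
import ipaddress

# Constructed sample hosts file: two normal entries plus two WSS overrides.
SAMPLE_HOSTS = """\
# constructed sample, not from a real system
127.0.0.1   localhost
::1         localhost
10.0.0.5    intranet.example.internal
127.0.0.1   ctc.threatpulse.com
0.0.0.0     other.threatpulse.com  # second name is constructed
"""

WSS_DOMAIN_SUFFIX = ".threatpulse.com"  # ctc.threatpulse.com is the documented CTC host


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments,
    blank lines, and lines whose first token is not a valid IP address."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/inline comments
        if not line:
            continue
        tokens = line.split()
        try:
            ipaddress.ip_address(tokens[0])
        except ValueError:
            continue  # malformed line, ignore rather than guess
        for name in tokens[1:]:
            entries.append((tokens[0], name.lower()))
    return entries


def find_wss_overrides(text, suffix=WSS_DOMAIN_SUFFIX):
    """Return hosts entries that statically map a WSS service hostname.

    Any such entry prevents normal resolution of the service and is the kind
    of bypass the agent refuses to connect under."""
    suffix = suffix.lower()
    bare = suffix.lstrip(".")
    return [(ip, name) for ip, name in parse_hosts(text)
            if name == bare or name.endswith(suffix)]


if __name__ == "__main__":
    for ip, name in find_wss_overrides(SAMPLE_HOSTS):
        print(f"WARNING: hosts file pins {name} to {ip}")
```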
This section provides technical details about how the WSS Agent connects to the WSS.
If the CTC is not able to respond, the WSS Agent uses a cached connection list and displays a warning.
The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.
- Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in the WSS (Service mode > Network > Locations). This enables the WSS to enter Passive mode when on the Location network.
- Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.
The CTC uses the system proxy settings (and, if specified, the PAC file and/or WPAD) in its connection to ctc.threatpulse.com.
Windows—Uses the proxy settings of the currently logged-in console user (the user physically logged into the device). If there is no currently logged-in console user (for example, a remote desktop session), then the proxy settings of the SYSTEM user are used.
macOS—Uses the proxy settings of the main network device (the one that requests for ctc.threatpulse.com are routed from).
- If a proxy was used for the actual CTC request, then tunnels are opened using the same proxy server that resolved for ctc.threatpulse.com.
- If a proxy was not used for ctc.threatpulse.com, then tunnels are opened using a direct connection to the individual connect list items.
The proxy used is the same IP address and port as the proxy used in the actual CTC request.
After two consecutive CTC connection failures, the system proxy is ignored and a direct connection is attempted instead.
If you select Ignore Proxy Settings in the portal, the WSS Agent establishes a direct VPN tunnel, bypassing any proxy setting an endpoint user attempts to define. However, Ignore Proxy Settings applies only to the tunnel creation. If the CTC connection fails, this setting cannot be retrieved. For an on-premises WSS Agent to go passive successfully, any on-premises firewall/proxy must bypass traffic to https://ctc.threatpulse.com.
Note: Authenticating proxies are not supported on either platform. This is a limitation of the operating systems themselves.
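The proxy selection rules above (CTC request via the system proxy, fallback to direct after two consecutive CTC failures, tunnels reusing the CTC proxy, and Ignore Proxy Settings applying to tunnels only), modelled as a small state machine. This is an added illustration, not the agent's implementation; the proxy address, datacenter names and the `attempt` transport callable are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

CTC_HOST = "ctc.threatpulse.com"  # documented CTC hostname
Proxy = Optional[Tuple[str, int]]  # (address, port), or None for direct


@dataclass
class AgentState:
    system_proxy: Proxy                        # proxy resolved for CTC_HOST (PAC/WPAD/static)
    consecutive_ctc_failures: int = 0
    cached_connect_list: List[str] = field(default_factory=list)
    ignore_proxy_settings: bool = False        # portal option, delivered via the CTC


def ctc_route(state: AgentState) -> Proxy:
    """Proxy used for the CTC request itself."""
    if state.consecutive_ctc_failures >= 2:
        return None  # two consecutive failures: ignore the system proxy, go direct
    return state.system_proxy


def tunnel_route(ctc_proxy: Proxy, state: AgentState) -> Proxy:
    """Proxy used to open tunnels to the connect-list items."""
    if state.ignore_proxy_settings:
        return None  # applies to tunnel creation only, never to the CTC request
    return ctc_proxy  # same address and port that served the CTC request


def connect(state: AgentState, attempt: Callable[[Proxy], Optional[List[str]]]):
    """attempt(proxy) returns a connect list (up to three datacenters) or None on
    failure. Returns (connect_list, tunnel_proxy, warning_shown)."""
    proxy = ctc_route(state)
    result = attempt(proxy)
    if result is None:
        state.consecutive_ctc_failures += 1
        # CTC unreachable: use the cached list and surface a warning
        return state.cached_connect_list, tunnel_route(proxy, state), True
    state.consecutive_ctc_failures = 0
    state.cached_connect_list = list(result)
    return state.cached_connect_list, tunnel_route(proxy, state), False


def simulate_broken_proxy():
    """Constructed scenario: the system proxy blocks the CTC, direct works."""
    state = AgentState(system_proxy=("proxy.example.internal", 8080),
                       cached_connect_list=["cached-dc"])
    attempt = lambda proxy: None if proxy is not None else ["dc-a", "dc-b", "dc-c"]
    return [connect(state, attempt) for _ in range(3)]
```

Running `simulate_broken_proxy()` shows two warned attempts through the proxy followed by a successful direct connection on the third.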
To enforce proxy avoidance, the WSS Agent detects proxy HTTP requests in outbound streams for ports other than those configured to be forwarded to the service (typically 80 and 443). Those connections are forwarded to the WSS instead of the originally-specified proxy.
Furthermore, the WSS Agent does not interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the WSS Agent detects it and uses this connection to forward web traffic (on ports 80 and 443 by default). If the WSS Agent cannot connect with the PAC settings, it attempts a direct connection to the WSS IP address. You can allow additional ports.
The WSS Agent-to-CTC connection requires the SSL Root Certificate. WSS Agent installations also install this certificate. If the certificate is not present, the WSS Agent remains operational but might fail to connect to the CTC in the datacenter. If this occurs, the agent reverts to the last-received connection list.
Upon installation, the WSS Agent installs the WSS root certificate. If the certificate is not installed because of unforeseen permission issues, you can manually download and install it.
For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access.
MAC CLIENT NOTE
You can install WSS Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client. The domain defaults to the single domain in the AD. You can, however, enable the Captive Portal feature, which allows users and groups to be available for policy checks.
If you are employing the Symantec Hybrid Policy solution, the WSS Agent has slightly different connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use common policy. The client workstations that use that common policy proxy have the WSS Agent installed. Normally, the WSS Agent is in Passive mode on workstations connecting from behind a proxy that is providing common policy.
- On the WSS portal, the Network Location status changes from green to red. This causes all new WSS Agent connections to switch to active versus passive.
- After a networking event, such as a change in IP address and the Network Location is red, the WSS Agent switches to active.
- When the Network Location status is green, the WSS Agent switches to passive mode.
If the common policy proxy is unable to establish a connection to the portal for approximately 35 minutes, then the hybrid location changes from green to red. If the WSS Agent is in passive mode, it remains passive unless a networking event occurs. The WSS Agent goes to active mode for all new connections from that red-status network. This is by design. If the on-premises ProxySG appliance is experiencing issues and is configured to Fail Open, the WSS Agent must be in active mode for the WSS to provide protection.
Tip: If you notice that the WSS Agent is switching to active mode for reasons not described above, check the hybrid location in the portal. If the hybrid location status is red, check connectivity between the on-premises ProxySG appliance and the WSS (might require a packet capture to diagnose). You can run the update-now command while in the cloud-service configuration mode to generate traffic destined to the service.