Web Security Service Connectivity: WSS Agent - and Unified Agent
Unified Agent Guide/Page 3

Copyrights

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Copyright © 2020 Broadcom. All Rights Reserved. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.
Symantec Web Security Service/Page 4

Symantec Web Security Service: WSS Agent Guide

The Symantec Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product, the Web Security Service leverages Symantec's proven security technology, including the WebPulse™ cloud community. With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to create and enforce granular policies that are applied to all covered users, including fixed locations and roaming users. To provide security to employees who take corporate clients beyond the corporate network, such as taking laptops on business trips, the WSS Agent routes web requests through WSS when connecting from a non-corporate network.

Table Of Contents

Symantec Web Security Service: WSS Agent Guide  4
Table Of Contents  4
WSS Agent  7
  Connectivity: About the WSS Agent  8
    Why Select This Method?  8
  Connectivity: Install the WSS Agent  17
    Technical Requirements  17
    About the WSS Root Certificate  17
    About the WSS Agent Installation or Upgrade  18
    About Bypassed Non-Routable IP Addresses  18
    Procedure—Prepare for Installation  18
    Procedure—Install the WSS Agent  20
  Connectivity: Distribute WSS Agent With GPO  27
    Technical Requirements  27
    Procedure  27
  Connectivity: Distribute WSS Agent With JAMF  31
    Technical Requirement  31
    Procedure  31
  Set WSSA Network/Security Options  35
  About the WSS Agent UI  42
    System Tray/Menu  42
    Agent Interface  42
    About Tab  43
    Available Updates  43
  Disable the WSS Agent  45
    Procedure  45
  Agent Logging  47
  SymDiag Application For WSS Agent on Windows  48
    Technical Requirements  48
    Procedure  48
  Debugging Script for WSS Agent on Mac Systems  52
    Technical Requirements  52
    Procedure  52
  WSS Agent 7.x—Tunnel Error  54
  Uninstall the WSS Agent  55
    Windows  55
    macOS  55
Unified Agent  56
  Connectivity: About the Unified Agent  57
    Why Select This Method?  58
    About the QUIC Protocol  62
    About Proxy Avoidance Attempts  62
    About Password Protection  62
    About SSL Certificate Installation  62
    About Challenge-based Authentication (Captive Portal)  63
    About IPv6 IP Addresses  63
    About Time Zones  63
    About Hybrid Policy and Unified Agent Connections  63
  Connectivity: Manually Deploy the Unified Agent (Windows)  66
    Technical Requirements  66
    About Bypassed Non-Routable IP Addresses  66
    Procedure  67
  Connectivity: Manually Deploy the Unified Agent (Mac)  71
    Technical Requirements  71
    About Bypassed Non-Routable IP Addresses  71
    Procedure  72
  Route Remote Connections Through an HTTP Proxy  75
    Deployment Notes  75
  Manually Disable the Unified Agent  78
    Activate the Disable Option  78
    Instruct Employees How to Disable the Unified Agent  78
  Uninstall the Unified Agent  79
    Available Options  79
    Unified Agent—With Uninstall Token  79
      Information  79
      Procedure  79
        Windows  80
        OS X  81
    No Token Defined/Client Connector  82
    Reference—MSI Versions  82
    MSI Version Mis-Match (Unknown MSI)  82
Troubleshoot...  84
  Unified Agent Connection Troubleshooting  85
  Manage Web Security Service Client Connections  89
    Manually Disable the Unified Agent  90
    Review System Events Generated by Remote Clients  91
    Capture Remote Client Trace Log  92
    Verify Mobile Connections  94
      About Device Visibility  94
      View Devices  94
      Page Options  95
    Prevent a Domain From Routing to WSS  96
      Notes  96
      Procedure—Manually Add Domain Entries  96
      Import IP Address Entries From a Saved List  97
    Prevent IP/Subnet From Routing to the Web Security Service  98
      Notes  98
      Procedure—Manually Add IP Addresses  98
      Import IP Address Entries From a Saved List  99
Reference: Windows WSSA/UA Package Versions  100
WSS Agent

The WSS Agent is the Symantec-recommended agent for supported Windows 10+ and macOS High Sierra+ clients.

- "Connectivity: About the WSS Agent" on page 8
- "Connectivity: Install the WSS Agent" on page 17
- "Connectivity: Distribute WSS Agent With GPO" on page 27
- "Connectivity: Distribute WSS Agent With JAMF" on page 31
- "Set WSSA Network/Security Options" on page 35
- "About the WSS Agent UI" on page 42
- "Disable the WSS Agent" on page 45
- "SymDiag Application For WSS Agent on Windows" on page 48
- "Debugging Script for WSS Agent on Mac Systems" on page 52
- "Uninstall the WSS Agent" on page 55
Connectivity: About the WSS Agent

WSS Agent is a powerful, flexible, cloud-directed WSS connectivity method. WSS Agent uses a VPN tunnel to securely route traffic from the end user's machine to WSS. WSS Agent provides non-standard web traffic redirection and an extra layer of data privacy on public WiFi networks, which are two major benefits of this connection solution.

When installed on client systems, the WSS Agent works as part of the client system's configuration. After the application is installed, no further configuration is required on the client system. It directs content requests to WSS over a secure connection (port 443). To enforce proxy avoidance, the WSS Agent detects and redirects HTTP proxy requests to any external, non-WSS IP addresses. Because such requests are redirected, the user is unable to circumvent filtering and malware scanning.

The WSS Agent provides additional security features.

- The WSS Agent prevents employees from stopping and starting the service from the Services Management Console, even if the employee has Windows Administrator privileges.
- You can give employees the ability to temporarily disable the WSS Agent should they be experiencing connection issues.

Why Select This Method?

Benefits:
- Always active. The user does not have to log in to the agent.
- Works in the background and is transparent to users.
- Captures the user and system names for reporting.
- Viable security solution for premises with fewer than 100 clients and where location-based network infrastructure (such as a firewall) is not available.

Select another method if:
- You want to manage remote clients through multiple PAC files. Use the SEP solution.
- You require IPv6 support. The WSS Agent does not currently support IPv6 connections; a future update will provide support.
Use Cases

Remote, Off-Corporate Network

Your business has one or more physical locations. On-premises infrastructure, such as proxies or firewall devices, provides security for your corporate-controlled internet connections. Some employees work remotely or take their laptops when they travel and connect to the internet from an off-corporate network, such as a hotel or other commercial property WiFi.

1. A Sales Person is on site at a corporate location. The client system recognizes the corporate internet connection and the WSS Agent remains in Passive Mode. All internet requests proceed through the on-premises gateway infrastructure. If WSS is providing security, the connection occurs through a defined location. For example, the proxy appliance or firewall device is configured to connect to the Santa Clara datacenter VIP. Security policies are applied for that location and/or logged-in user or group name.

2. The Sales Person then takes a flight to the southern United States and checks into a hotel. The WSS Agent is now engaged and connects to the nearest WSS datacenter, which in this example is Dallas (for more details about the cloud service connections, see the next section). You might elect to define a separate set of web-use policies for WSS Agent connections. For example, you allow access to more leisure categories after work hours because employees are spending personal time away from home.

Small Office

- Your business might be small (typically defined as fewer than 100 employees) and thus you do not have advanced network infrastructure, such as firewall devices or proxies that forward internet traffic.
- Or your business might have micro-branches, or smaller locations where it does not make sense to invest in and support the network infrastructure that your larger sites require.

In these cases, the WSS Agent is a viable, low-touch method to provide web security and enforce web-use policies. The WSS Agent connects through the location's ISP to the nearest WSS datacenter.

Tip: It is possible for the WSS Agent to connect to a specific datacenter. If your business requires specific location connections, contact Symantec Technical Support to request assistance.
How the WSS Agent Connects

The WSS Agent connects to WSS when a user logs on (or if there is a connection error from another method). The agent and the service perform a series of checks in preparation for web requests, as the following flow describes.

1. A Sales Person on a business trip logs in.
   - The WSS Agent initiates a connection over port 443 to the Client Traffic Controller (CTC) in the closest WSS datacenter (WSS can return availability from up to three geographical datacenters).
   - The WSS Agent checks for tampering. If any of the following is detected, the connection is refused and the client receives an exception; otherwise, the connection continues.
     - The configuration store (which contains your customer ID, failure mode, and tamper detection settings) has been modified outside of the application itself.
     - There is an attempt to bypass WSS through entries in the hosts file.
     - The WSS Agent is unable to validate the SSL connection for the VPN tunnel to the service.
   - If WSS determines that the connection is from a defined corporate location, the WSS Agent remains in passive mode.
   - WSS checks whether a WSS Admin has configured the portal to block this WSS Agent (for example, a laptop was lost or stolen and the Admin wants to prevent the connection).
   - For all web content requests, WSS applies checks against the WSS bypass list, acceptable web use policies, and malware scanning results.
2. A request for internally-hosted content or content that belongs to a bypass list never reaches WSS.
WSS Agent Connection Concepts

This section provides technical details about how the WSS Agent connects to WSS.

CTC Issues

If the CTC is not able to respond, the WSS Agent uses a cached connection list and displays a warning.

VPN Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.

- Full Tunnel: This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS (Connectivity > Locations). This enables WSS to enter Passive mode when on the Location network.
- Split Tunnel: Whitelist the IP address of the VPN server to prevent connection flapping.

Single Tunnel Default

Applies to WSS Agent 7.1+. By default, the agent operates in Single Tunnel Mode. This single tunnel behaves as both a system tunnel and a user tunnel. All traffic generated by the device (regardless of originating process) is identified as coming from the logged-in user of the client.

Windows Only: You might have an environment where several users concurrently log in to a system without a physical console. For example, multiple users concurrently log in to a machine-only test environment through Remote Desktop. You can distribute WSS Agent 7.1+ with an installation option that supports this deployment. This is described in the installation topic.

HTTP/3

HTTP/3 is the third revision of the HTTP protocol. When introduced in 2013, it was named the Quick UDP Internet Connections (QUIC) protocol. It is a transport layer designed to reduce latency when compared to TCP (HTTP/HTTPS) connections. Browsers with HTTP/3 enabled and smaller devices receive the benefit. Chrome 29+ has HTTP/3 enabled by default (chrome://net-internals/#quic). Other browsers are beginning to include HTTP/3.

To allow for a seamless experience, when clients send web requests that are intercepted for processing (such as by WSS for security purposes), the connections revert to TCP. If you have a business requirement or a preference for the highest performance, you can instruct WSS to bypass HTTP/3 connections. Be aware of the lessened security that this option brings: because HTTP/3 is UDP-based, these connections are bypassed at the client endpoint, which means the traffic is not checked against policy, nor is reporting against the WSS Agent possible. Only select this bypass option if the highest performance for these clients supersedes the security requirement.
Proxy Connections

The CTC uses the system proxy settings (and, if specified, the PAC file and/or WPAD) in its connection to ctc.threatpulse.com.

Windows: Uses the proxy settings of the currently logged-in console user (the user physically logged into the device). If there is no currently logged-in console user (for example, a remote desktop session), the proxy settings of the SYSTEM user are used.

macOS: Uses the proxy settings of the main network device (the one that requests for ctc.threatpulse.com are routed from).

- If a proxy was used for the actual CTC request, then tunnels are opened using the same proxy server that resolved for ctc.threatpulse.com.
- If a proxy was not used for ctc.threatpulse.com, then tunnels are opened using a direct connection to the individual connect list items.

The proxy used is the same IP address and port as the proxy used in the actual CTC request. After two consecutive CTC connection failures, the system proxy is ignored and a direct connection is attempted instead.

Note: Authenticating proxies are not supported on either platform. This is a limitation of the operating systems themselves.

Proxy Avoidance Attempts

To enforce proxy avoidance, the WSS Agent detects proxy HTTP requests in outbound streams on ports other than those configured to be forwarded to the service (typically 80 and 443). Those connections are forwarded to WSS instead of the originally-specified proxy.

The WSS Agent does not interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the WSS Agent detects it and uses this connection to forward web traffic (on ports 80 and 443 by default). If the WSS Agent cannot connect with the PAC settings, it attempts a direct connection to the WSS IP address. You can allow additional ports.

SSL Certificate Installation

The WSS Agent connection to the CTC requires the WSS SSL root certificate. WSS Agent installations also install this certificate. If the certificate is not present, the WSS Agent remains operational but might fail to connect to the CTC in the datacenter. If this occurs, the agent reverts to the last-received connection list.

Upon installation, the WSS Agent installs the WSS root certificate. If the certificate is not installed because of unforeseen permission issues, you can manually download it and install it.

Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access.
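As an added illustration of the Proxy Avoidance Attempts behaviour above and of the bypassed non-routable ranges the guide lists under "About Bypassed Non-Routable IP Addresses", the following Python models how one outbound connection is dispositioned. It is not WSS Agent code: the request-line heuristic for spotting a proxy-style HTTP request, the port set {80, 443} and the sample flows are assumptions constructed for the example.

```python
import ipaddress
import re

# Non-routable ranges that WSS bypasses by default (as listed in this guide).
BYPASSED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Ports forwarded to the service; the guide says "typically 80 and 443".
FORWARDED_PORTS = {80, 443}

# Assumption: a proxy-style HTTP request is either a CONNECT with a host:port
# target or a method whose target is an absolute URI (what a client sends to an
# explicit proxy). Origin-form requests ("GET / HTTP/1.1") are not proxy
# requests. The agent's real parser is not documented in the guide.
_PROXY_REQUEST_LINE = re.compile(
    rb"^(?:CONNECT[ \t]+[^ \t/]+:\d+"
    rb"|(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH)[ \t]+https?://[^ \t]+)"
    rb"[ \t]+HTTP/1\.[01]\r?\n")


def is_bypassed(dst_ip: str) -> bool:
    """True if the destination falls in a bypassed non-routable range."""
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in BYPASSED_NETWORKS)


def looks_like_proxy_request(payload: bytes) -> bool:
    """True if the outbound stream starts with a proxy-style HTTP request line."""
    return _PROXY_REQUEST_LINE.match(payload) is not None


def classify_outbound(dst_ip: str, dst_port: int, payload: bytes) -> str:
    """Disposition of one outbound connection.

    "direct"          bypassed destination; never reaches WSS
    "tunnel"          forwarded port; goes through the VPN tunnel to WSS
    "redirect-to-wss" proxy avoidance attempt; sent to WSS, not the named proxy
    "other"           non-forwarded port and not a proxy request; not web traffic
    """
    if is_bypassed(dst_ip):
        return "direct"
    if dst_port in FORWARDED_PORTS:
        return "tunnel"
    if looks_like_proxy_request(payload):
        return "redirect-to-wss"
    return "other"


# Constructed sample flows (documentation addresses, not real hosts).
SAMPLE_FLOWS = [
    ("203.0.113.10", 443, b""),                                           # plain HTTPS
    ("203.0.113.10", 8080, b"CONNECT example.com:443 HTTP/1.1\r\n"
                           b"Host: example.com:443\r\n\r\n"),             # external proxy
    ("203.0.113.10", 3128, b"GET http://example.com/ HTTP/1.1\r\n\r\n"),  # external proxy
    ("10.1.2.3", 3128, b"CONNECT example.com:443 HTTP/1.1\r\n\r\n"),      # internal proxy
    ("203.0.113.10", 8080, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),         # origin-form
]


def classify_flows(flows=SAMPLE_FLOWS) -> list:
    """Classify each (dst_ip, dst_port, payload) tuple; returns the labels in order."""
    return [classify_outbound(ip, port, payload) for ip, port, payload in flows]


if __name__ == "__main__":
    for (ip, port, _), verdict in zip(SAMPLE_FLOWS, classify_flows()):
        print(f"{ip}:{port:<5} -> {verdict}")
```

The internal-proxy flow shows the ordering the guide implies: a bypassed destination goes direct before any proxy-request check is applied.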
MAC CLIENT NOTE

You can install WSS Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client. The domain defaults to the single domain in the AD. You can, however, enable the Captive Portal feature, which allows users and groups to be available for policy checks.

Hybrid Policy and WSS Agent Connections

If you are employing the Symantec Hybrid Policy solution, the WSS Agent has slightly different connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use common policy. The client workstations that use that common policy proxy have the WSS Agent installed. Normally, the WSS Agent is in Passive mode on workstations connecting from behind a proxy that is providing common policy.

Noticeable Behavior

- On the WSS portal, the Location status changes from green to red. This causes all new WSS Agent connections to switch to active instead of passive.
- After a networking event, such as a change in IP address, while the Location is red, the WSS Agent switches to active.
- When the Location status is green, the WSS Agent switches to passive mode.

If the common policy proxy is unable to establish a connection to the portal for approximately 35 minutes, the hybrid location changes from green to red. If the WSS Agent is in passive mode, it remains passive unless a networking event occurs. The WSS Agent goes to active mode for all new connections from that red-status network. This is by design: if the on-premises ProxySG appliance is experiencing issues and is configured to Fail Open, the WSS Agent must be in active mode for WSS to provide protection.

Tip: If you notice that the WSS Agent is switching to active mode for reasons not described above, check the hybrid location in the portal. If the hybrid location status is red, check connectivity between the on-premises ProxySG appliance and WSS (this might require a packet capture to diagnose). You can run the update-now command while in the cloud-service configuration mode to generate traffic destined to the service.
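The passive/active transitions described in the Hybrid Policy section are easy to misread when troubleshooting, so here is an added Python model of them (not Symantec code). The 35-minute threshold and the three rules come from the text above; the event names, and the assumption that an agent polls the location status and that a fresh agent starts as "not connected", are mine.

```python
from dataclasses import dataclass, field

# From the guide: roughly 35 minutes without portal contact turns the hybrid
# location from green to red on the WSS portal.
LOCATION_RED_AFTER_MINUTES = 35


@dataclass
class HybridLocation:
    """Status of the hybrid location, driven by the ProxySG's portal contact."""
    minutes_since_portal_contact: int = 0

    @property
    def status(self) -> str:
        if self.minutes_since_portal_contact >= LOCATION_RED_AFTER_MINUTES:
            return "red"
        return "green"


@dataclass
class WSSAgent:
    """One WSS Agent on a workstation behind the common-policy ProxySG."""
    name: str
    location: HybridLocation
    mode: str = "not connected"            # assumption: state before first connection
    history: list = field(default_factory=list)

    def _set(self, mode: str, reason: str) -> None:
        if mode != self.mode:
            self.history.append(f"{self.name}: {self.mode} -> {mode} ({reason})")
            self.mode = mode

    def on_new_connection(self) -> str:
        """Agent connects (logon/startup): red location => active, green => passive."""
        if self.location.status == "red":
            self._set("active", "new connection while location red")
        else:
            self._set("passive", "new connection from green location")
        return self.mode

    def on_network_event(self) -> str:
        """IP change or similar: red location => active, green => passive."""
        if self.location.status == "red":
            self._set("active", "network event while location red")
        else:
            self._set("passive", "network event, location green")
        return self.mode

    def on_location_status_seen(self) -> str:
        """Location status observed. Green forces passive; red on its own changes
        nothing, so an already-passive agent stays passive until a network event
        or a new connection (the by-design behaviour the guide describes)."""
        if self.location.status == "green":
            self._set("passive", "location green")
        return self.mode


def simulate() -> list:
    """Walk through the scenario in the guide and return the transition log."""
    loc = HybridLocation()
    existing = WSSAgent("laptop-A", loc)
    existing.on_new_connection()             # green: passive
    loc.minutes_since_portal_contact = 35    # ProxySG lost the portal for ~35 min
    existing.on_location_status_seen()       # red, but still passive
    existing.on_network_event()              # IP change: now active
    newcomer = WSSAgent("laptop-B", loc)
    newcomer.on_new_connection()             # new connection on red: active
    loc.minutes_since_portal_contact = 0     # ProxySG reaches the portal again
    existing.on_location_status_seen()       # green: back to passive
    newcomer.on_location_status_seen()
    return existing.history + newcomer.history


if __name__ == "__main__":
    for line in simulate():
        print(line)
```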
About WSS Agent Performance

As discussed in the topic introduction, WSS Agent uses a VPN tunnel. All VPNs impact performance. Depending on network conditions, explicit proxy redirection might significantly outperform WSS Agent in controlled lab testing. Fortunately, the impact is rarely noticeable in real-world usage. While it is impossible to predict the performance impact from one user to the next, WSS Agent should easily achieve the speeds required to handle the latency-sensitive needs of power users. Typically, these users rely on modern cloud applications, such as the following platforms and examples:

- HD conferencing applications (Zoom, Webex, and Microsoft Teams)
- HD video streaming (YouTube and Vimeo)
- Business productivity applications (Office 365 and G-Suite)
- Collaboration applications (Slack and Google Chat)
- Online file storage and sharing (Box, Dropbox, and Microsoft OneDrive)

Performance Best Practices

- Deploy the most recent WSS Agent release. Because Symantec provides performance improvements in each release, maintaining the most current WSS Agent version yields the best results.
- For trusted applications that require near line-speed performance, consider adding the application to the WSS Agent bypass feature.
- If bypass is not possible, switching to the Symantec Endpoint Protection (SEP) Agent solution is another option. SEP Agent connects to WSS using explicit proxy redirection, which is typically faster than WSS Agent.
Connectivity: Install the WSS Agent

This topic describes what is required and how to manually install the WSS Agent on a supported Windows or macOS client.

Technical Requirements

- Supported clients:
  - 64-bit Windows 10 Professional, Enterprise or Education, version 1703
  - macOS High Sierra+
  Note: You must use the fully-patched vendor-provided versions of the operating systems. All attempts to install on an unsupported OS fail.
- SEP 14.2 with WTR running in parallel with WSS Agent is not a supported configuration.
- Protocols: UDP, SSL, TCP
- Port 443 to ctc.threatpulse.com (for TCP, UDP, and software updates)
- Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more information, consult the following Knowledge Base article: https://knowledge.broadcom.com/external/article?legacyId=TECH242793
- On macOS, the contents of the stamped installer are notarized using Apple's notarization process. This means that the driver, service, and all parts of WSS Agent function correctly on a system that requires notarization. However, the .pkg file itself is not notarized. If you require a notarized .pkg file, contact Symantec Technical Support.
- The WSS Agent currently does not support IPv6 connections. The best practice is to disable IPv6 on client systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.
- Not supported:
  - Long-term Servicing Channel (LTSC) is not supported. Microsoft intends for LTSC to be used only for specialized systems.
  - WSS Agent version 7.x does not support Captive Portal. If this is a current requirement, do not upgrade to WSSA 7.x.

About the WSS Root Certificate

- When you install WSS Agent on endpoint clients, the WSS root certificate is also installed.
- If you install or upgrade to WSS Agent version 7.x, the installation removes the root certificate that expires in September of 2021 and installs the new certificate that expires in September of 2036.
- If you do not want the new certificate, remove it from the trust store. Be advised that without a certificate, the clients receive certificate errors when SSL sites are intercepted.
- If you want to retain the older certificate, add it to the trust store after installation or upgrade.

About the WSS Agent Installation or Upgrade

- You can upgrade from the Unified Agent or previous versions of the WSS Agent; however, if the Unified Agent was installed with custom options, they are not preserved or migrated to the WSS Agent.
- You can configure the portal to automatically update the WSS Agent; however, if you are upgrading from the Unified Agent to the WSS Agent, you must push a new installation notification to all clients, and clients require a reboot.
- Subsequent WSS Agent upgrades do not require a client system reboot.

About Bypassed Non-Routable IP Addresses

By default, WSS bypasses the following RFC 1918 addresses.

- 10.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly.

Procedure—Prepare for Installation

VPN Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.

- Full Tunnel: This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS (Connectivity > Locations). This enables WSS to enter Passive mode when on the Location network.
- Split Tunnel: Whitelist the IP address of the VPN server to prevent connection flapping.

Step 1—Select End User Permissions

As a best practice, Symantec recommends that you select how much control your employees have over the WSS Agent before you push the agent to clients. Navigate to Connectivity > WSS Agent. Locate the End User Permissions area.
Decide if the following features are applicable.

Enable Update Prompts
If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.

Allow the Proxy Settings Tab
This option applies only to Unified Agent.

Allow Local Ability to Disable the Agent
If you select Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

Require Token for Uninstalling
If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that you define.

Step 2—Download the WSS Agent Installer

1. In the Installers area, click the WSS Agent Download button.
2. If this is the first time you are attempting to download the application, the service displays the Profile dialog. As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the WSS Agent.
   a. Click the Ensure...enterprise account link, which opens your Broadcom profile page.
   b. Complete your enterprise information and click Next.
   c. Verify and click Upgrade Account. Broadcom sends you a confirmation email.
   d. Return to the portal, log out, and log in again. If you do not, you still cannot download the agent.
3. Download the installation file and place it in a network location that is accessible by test clients.

Procedure—Install the WSS Agent

The installation varies depending on the OS and whether you want to install with additional options.

Installation Options

When installing on clients, you can install the app with default settings or use the CLI to install with additional options.

- MSI (Windows clients only): The Microsoft CLI provides multiple options, which are detailed on their website: https://docs.microsoft.com/en-us/windows/desktop/Msi/command-line-options
  The following commands are most relevant to the WSS Agent.
  - /passive: Installs without user intervention.
  - /l*v \Path\To\install.log: Outputs the installation process to a log file (given by \Path\To\install.log). This command provides installation debugging information.
- Configuration Options: You can append the following options to an installation.
  - Specify whether or not to attempt UDP connections. By default, the WSS Agent attempts a UDP connection, but reverts to TCP if not possible. You can elect to always connect through TCP or exclusively through UDP (never attempt TCP); however, if the connection cannot be established using the given protocol, the connection fails and the agent enters the configured failure mode.
  - Specify the packet size attempted when sending a PMTU check, which is an option when the connection continues to fall back to TCP transport because the ping containing the default byte size never receives a response.
  - Disable all real-time statistics collection. No new data is collected; no data purging occurs. You might do this if the WSS Agent is experiencing performance issues.
  - Specify the number of days to retain real-time statistics.
  - (WSS Agent 7.1+ only) Enable Multiple Concurrent Users instead of the default Single Tunnel Mode.

If you think one or more of these options might suit your deployment or testing needs, consult the configuration descriptions in the next sections. They contain command syntax and more details.

Windows Application

1. Put the installer on the test client.
2. Launch the installer.
   a. In Windows, navigate to the directory where you saved the wssa-5.0.1..msi file. Symantec strongly recommends that you record the full MSI name; it might be required for future uninstallation tasks.
   b. Double-click the file, which launches the installer.
3. Follow the prompts in the wizard. Select a directory for installation. Click Next.
4. Click Install. The installation begins.
5. Click Finish to complete the installation. The service displays the Installer Information dialog.
6. Only required if upgrading a client from Unified Agent: Click Yes to reboot the computer.

Windows CLI—Options Available

You must have Administrator privilege.

1. Put the installer on the test client.
2. Syntax:
   msiexec -i \Path\To\wssa-installer.msi MSI_options configuration_options
   Where \Path\To is the location of the installer on your client system. For example: C:\Downloads\.
   msiexec -i C:\downloads\wssa-installer.msi
3. Follow the prompts in the wizard. Select a directory for installation. Click Next.
4. Click Install. The installation begins.
5. Click Finish to complete the installation. The service displays the Installer Information dialog.
6. Only required if upgrading a client from Unified Agent: Click Yes to reboot the computer.

Example—Install with MSI options.

- /passive: Installs without user intervention.
- /l*v \Path\To\install.log: Outputs the installation process to a log file (given by \Path\To\install.log). This command provides installation debugging information.

   msiexec -i C:\downloads\wssa-installer.msi /passive

Example—Install with MSI and configuration options.

- minPMTU = [0-1500]
  The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints without fragmentation. This has implications for UDP connections, which require retransmissions if packets are fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. This is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically connect using UDP. The default is 1492.
- enableUDP = [true | false | exclusive]
  - true: Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine if PMTU is limited along the path. If UDP is not possible, the connection defaults to TCP.
  - false: Never attempt UDP connections. PMTU is never attempted.
  - exclusive: Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is dropped.
- disableStats = [true | false]
  The default is false. Setting to true disables all activities surrounding real-time stats collection; that is, no new data is added, nor will any purging occur.
- statsRetentionDays = [0-14]
  Specifies the number of days to retain real-time statistics. The default is 14. Setting to 0 retains data since midnight UTC for the current day. Any data occurring before midnight UTC the specified number of days ago is removed. For example, if the setting is 1, then data before midnight UTC yesterday is purged. The purging occurs every time the client is started and roughly every 30 minutes while WSS Agent is running. If disableStats is set to true, this option has no effect.

   msiexec -i C:\downloads\wssa-installer.msi /passive CUSTOM_CONFIG=enableUDP=exclusive,statsRetentionDays=1

- MCU=1
  Applies to WSS Agent 7.1+. Enables Multiple Concurrent Users Mode. This is for the use cases where multiple users log in to a machine through remote desktop or for console-less users.
Unified Agent Guide/Page 23 macOS Application 1. Put the installer on the test client. 2. Launch the installer. a. Open the wssa-5.0.1..dmg file by double-clicking on it. Symantec strongly recommends that you record the full .dmg name; it might be required for future uninstallation tasks. b. Double-click the .pkg file, which launches the installer. 3. Follow the prompts in the wizard. Select a directory for installation. Click Next. 4. Click Install. The installation begins. 5. Click Finish to complete the installation. The service displays the Installer Information dialog. 6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer. macOS CLI—Options Available 1. Open the .dmg file using the macOS hdiutil attach command and install the .pkg file using the macOS installer command. Consult the Apple man pages for more details. For example, the following three commands attach the disk image, install the package, and detach the disk image. $ hdiutil attach /path/to/wssa-installer.dmg $ sudo installer -pkg /path/to/mounted/wssa-installer.pkg -target / $ hdiutil detach /path/to/mounted 2. Follow the prompts in the wizard. Select a directory for installation. Click Next. 3. Click Install. The installation begins. 4. Click Finish to complete the installation. The service displays the Installer Information dialog. 5. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer. Example—Install with configuration options. Tip: The command can be run multiple times with multiple configuration options; however, each individual option is set once only. Attempting to write the same option after it has already been set overwrites the previous setting.
- minPMTU = [0-1500]
  The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints without fragmentation. This has implications for UDP connections, which require retransmissions if packets are fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. This is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically connect using UDP. The default is 1492.
- enableUDP = [true | false | exclusive]
  - true—Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine if PMTU is limited along the path. If UDP is not possible, the connection defaults to TCP.
  - false—Never attempt UDP connections. PMTU is never attempted.
  - exclusive—Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is dropped.
- disableStats = [true | false]
  The default is false. Setting to true disables all activities surrounding real-time stats collection; that is, no new data is added, nor will any purging occur.
- statsRetentionDays = [0-14]
  Specifies the number of days to retain real-time statistics. The default is 14. Setting to 0 retains data since midnight UTC for the current day. Any data occurring before midnight UTC the specified number of days ago is removed. For example, if the setting is 1, then data before midnight UTC yesterday is purged. The purging occurs every time the client is started and roughly every 30 minutes while the WSS Agent is running. If disableStats is set to true, this option has no effect.

    $ sudo defaults write com.symantec.wssa CUSTOM_CONFIG -string "enableUDP=exclusive,statsRetentionDays=1"

Modify Options Post-Installation

After you install the WSS Agent, you can add or delete the options (described in the previous option sections).
For example, you have already installed the agent, but now want to push out the option to lower the PMTU. To achieve this, you use the wssad command.

Windows
You must run the command as an Admin. The following example uses the default agent path and sets multiple options.

    "c:\Program Files\Symantec\WSS Agent\wssad.exe" -p enableUDP=exclusive,statsRetentionDays=1

macOS

    $ sudo /opt/symantec/wssad -p enableUDP=exclusive,statsRetentionDays=1

Delete Options
To delete options, run the same command but use -e instead of -p.

    "c:\Program Files\Symantec\WSS Agent\wssad.exe" -e enableUDP
    $ sudo /opt/symantec/wssad -e enableUDP

Tip: When deleting options, you cannot delete more than one option per command.

WSS Agent 6.x with CloudSOC

If your portal account has integrated with the CloudSOC (CASB) service for deeper web application security, some thick clients—for example, Dropbox—do not work through WSS Agent. This is because the thick clients pin the certificate, which breaks because of the WSS SSL certificate. Using an installation option, you can bypass all traffic sent to the WSS from a specific executable (thick client) on a WSS Agent 6.x client. You can bypass these applications, plus other elements such as VPN IP addresses. If you have deployed WSS Agent 7.1+, see WSS Agent—Bypass Applications.

Caution: This option weakens security protections because the bypassed traffic is not subject to malware scanning and policies. Also, a savvy user with admin privileges on the client could modify the file.

STEP 1—Disable Tamper Protection
1. In the WSS portal, navigate to Service mode > Mobility > WSS Agent.
2. Select the Disable Tamper Protection option.

STEP 2—Create a JSON File
Create a JSON file that contains the executable bypass information.

    {
      "bypassExecutables": [
        { "executablePath": "C:\\Path\\To\\Executable.exe" },
        ...
      ]
    }

Where the value for executablePath is the path on the machine of the executable that is allowed (the backslashes in a Windows path must be doubled, as JSON requires). When traffic is seen for a new process ID (PID), the WSS Agent driver queries the service to find the executable making the call. If a PID is provided which represents an executable that matches an executablePath, then all traffic from that process is allowed and not sent to the WSS.

Your JSON must be well-formed. In particular, all values must be properly escaped and quoted, and there should be no trailing commas. You can use an online JSON validator to validate your JSON file: https://jsonformatter.curiousconcept.com
STEP 3—Host the JSON File
This file can be located local to the endpoint (and accessed through the file:// URI) or on an http:// or https:// website. If hosting on an https:// website, the endpoint must trust the server certificate.

STEP 4—Send the WSS Agent Configuration Update
Use the CLI to modify the WSS Agent installation.

Windows

    "c:\Program Files\Symantec\WSS Agent\wssad.exe" -p additionalBypassUrl string

macOS

    $ sudo /opt/symantec/wssad -p additionalBypassUrl string

Where string is the URL of the JSON file. The bypass takes effect following the next WSS Agent reconnection.

Next Step
- Proceed to "Set WSSA Network/Security Options" on page 35.
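The option string passed through CUSTOM_CONFIG or wssad -p, and the bypassExecutables JSON file from STEP 2, are both easy to get subtly wrong before they reach a client: a value outside its documented range, an option repeated (which silently overwrites the earlier value), an unescaped backslash in a Windows path, or a trailing comma. The following Python script is an added example, not Symantec or Broadcom code, that checks both ahead of deployment; the option names, ranges and JSON layout come from this guide, while the function names, the sample paths and the absolute-path requirement are assumptions of the example.

```python
"""Pre-flight checks for WSS Agent deployment inputs (added example).

Not Symantec/Broadcom code. Option names, value ranges and the
bypassExecutables layout are taken from the guide; the function names and
the absolute-path requirement are this example's own assumptions.
"""
import json
import re

# Documented CUSTOM_CONFIG / wssad -p options and their allowed values.
OPTION_RULES = {
    "minPMTU": ("int", 0, 1500),
    "statsRetentionDays": ("int", 0, 14),
    "enableUDP": ("enum", {"true", "false", "exclusive"}),
    "disableStats": ("enum", {"true", "false"}),
}


def parse_custom_config(config: str) -> dict:
    """Parse "key=value,key=value" as used with CUSTOM_CONFIG and wssad -p.

    Rejects unknown keys, out-of-range values and a key given twice: the
    guide notes that a repeated option overwrites the earlier value, which
    in a deployment script is almost always a mistake.
    """
    parsed = {}
    for item in filter(None, (p.strip() for p in config.split(","))):
        if "=" not in item:
            raise ValueError(f"malformed option: {item!r}")
        key, value = (s.strip() for s in item.split("=", 1))
        if key not in OPTION_RULES:
            raise ValueError(f"unknown option: {key!r}")
        if key in parsed:
            raise ValueError(f"option {key!r} given twice")
        rule = OPTION_RULES[key]
        if rule[0] == "int":
            if not value.isdigit() or not rule[1] <= int(value) <= rule[2]:
                raise ValueError(f"{key} must be {rule[1]}-{rule[2]}: {value!r}")
            parsed[key] = int(value)
        elif value not in rule[1]:
            raise ValueError(f"{key} must be one of {sorted(rule[1])}: {value!r}")
        else:
            parsed[key] = value
    return parsed


def build_bypass_json(paths: list) -> str:
    """Serialise executable paths into a bypassExecutables document.

    json.dumps doubles every backslash, so C:\\Tools\\app.exe is written as
    "C:\\\\Tools\\\\app.exe", which is the escaping the guide requires.
    Paths must be absolute (assumption) so that a bare file name cannot
    later match an unexpected binary.
    """
    for p in paths:
        if not re.match(r"^([A-Za-z]:\\|/)", p):
            raise ValueError(f"bypass path must be absolute: {p!r}")
    doc = {"bypassExecutables": [{"executablePath": p} for p in paths]}
    return json.dumps(doc, indent=2)


def check_bypass_json(text: str) -> list:
    """Return the bypassed paths from a bypassExecutables document.

    Raises ValueError for the faults the guide warns about: a trailing
    comma, an unescaped backslash, or a missing/malformed list.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not well-formed JSON: {exc.msg} at char {exc.pos}") from exc
    entries = doc.get("bypassExecutables") if isinstance(doc, dict) else None
    if not isinstance(entries, list):
        raise ValueError("top-level object must contain a bypassExecutables list")
    paths = []
    for entry in entries:
        path = entry.get("executablePath") if isinstance(entry, dict) else None
        if not isinstance(path, str) or not path:
            raise ValueError(f"entry without executablePath: {entry!r}")
        paths.append(path)
    return paths
```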
Connectivity: Distribute WSS Agent With GPO

This topic describes how to use Group Policy Object (GPO) to distribute the WSS Agent or Unified Agent to multiple Windows clients so they can connect to the Web Security Service.

Tip: This method does not support using a command line to add optional parameters.

Technical Requirements
This method requires the following.
- An understanding of the solution.
  - "Connectivity: About the WSS Agent" on page 8—The Symantec-recommended solution.
  - "Connectivity: About the Unified Agent" on page 57
  Tip: This topic refers to the WSS Agent but also applies to the Unified Agent.
- A Windows 2008 or 2012 domain controller.
- A DNS server.
- The Active Directory (AD) and DNS must be functional; this includes the DNS lookups of the AD domain controller.
- Verify the client system can resolve the name of the AD server that contains the client library.
- Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more information, consult the following Knowledge Base article: https://knowledge.broadcom.com/external/article?legacyId=TECH242793
- The WSS Agent currently does not support IPv6 connections. The current best practice is to disable IPv6 on client systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.

Procedure

VPN Client Compatibility
The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.
- Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS (Connectivity > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.
- Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.
Step 1—HTTP Proxy Connection Required?
For WSS Agent deployment, proceed to Step 2.
Navigate to Connectivity > WSS Agent.
- A scenario might require this or other clients to connect to the WSS through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which allows the Proxy tab to be visible after installation.
- For increased security in a production installation, clear this option. The Proxy tab is then neither visible nor available in the Unified Agent application on the employee's client system.
Tip: You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2—Entrust Certificate Prerequisite
Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more notes and installation steps, consult the following Symantec Knowledge Base article: https://knowledge.broadcom.com/external/article?legacyId=TECH242793

Step 3—Download the Agent Installer
If you downloaded the agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.
1. Navigate to Connectivity > WSS Agent.
2. In the Installers area, click the Windows: WSS Agent Download.
3. If this is the first time you are attempting to download the application, the service displays the Profile dialog.
   As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the WSS Agent.
   a. Click the Ensure...enterprise account link, which opens your Broadcom profile page.
   b. Complete your enterprise information and click Next.
   c. Verify and click Upgrade Account. Broadcom sends you a confirmation email.
   d. Return to the portal, log out, and log in again. If you do not, you still cannot download the agent.
4. Download the installation file. If the location of the file is not a Windows share, create a share. Verify that the directory and files have Read and Execute file system rights.

Step 4—Distribute the Agent
1. On the domain controller, click Start and select Control Panel > Administrative Tools > Active Directory Users and Computers.
2. Right-click the domain and select Properties.
3. On the Group Policy tab, click New. Name the policy, such as InstallCloudClientMSI. Highlight the new GPO object and click Edit.
4. Navigate to Computer Configuration > Software Settings > Software installation.
   a. Right-click Software Installation and select New > Package.
   Note: Verify that you have a valid UNC path. Click My Network Places > Entire Network > Microsoft Windows Network > server_domain > server_name > client_binary_share_name > select_the_binary.
   b. For Deployment Method, select Assigned and click OK. If your new policy is not visible, right-click Software Installation and click Refresh.
5. If the workstation properly joins the domain, the client installs on the second reboot (it reads policy on the first bootup) and executes policy. The workstation installs the client and reboots once more.
6. Test.

Next Selection
WSS Agent
- "Set WSSA Network/Security Options" on page 35.
Unified Agent
- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 75.
- If not, proceed to "Set WSSA Network/Security Options" on page 35.
Connectivity: Distribute WSS Agent With JAMF

To provide Web Security Service to remote users, you must download the WSS Agent and install it on client systems. See "Connectivity: About the WSS Agent" on page 8. JAMF provides a widely used software solution to distribute applications. This section describes how to distribute the WSS Agent to clients. For general information about using JAMF policies and packages, see the user documentation for JAMF at www.jamfsoftware.com.

Technical Requirement
- The WSS Agent currently does not support IPv6 connections. Symantec recommends that you disable IPv6 on client systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.

Procedure

VPN Client Compatibility
The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.
- Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS (Connectivity > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.
- Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Step 1—Select End User Permissions
As a best practice, Symantec recommends that you select how much control your employees have with the WSS Agent before you push the agent to clients. Navigate to Connectivity > WSS Agent. Locate the End User Permissions area.
Decide if the following features are applicable.

Enable Update Prompts
If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.

Allow the Proxy Settings Tab
This option applies only to Unified Agent.

Allow Local Ability to Disable the Agent
If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

Require Token for Uninstalling
If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that you define.

Step 2—Download the WSS Agent Installer
If you downloaded the WSS Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.
1. In the Installers area, download the agent.
2. If this is the first time you are attempting to download the application, the service displays the Profile dialog. As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required. Click Save to update your profile and then close the dialog.
3. Download the installation file.
Step 3—High-Level JAMF Procedure
1. Create the upgrade packages for WSS Agent installation.
   Tip: If you deploy both the on-box and cloud versions of the agent on your network, create two packages with different names.
2. Upload the packages to the JAMF file-distribution server. Place both packages in the same directory.
3. Create a policy with the following settings.
   - Category—Select the appropriate setting for your network.
   - Triggers—Select the appropriate setting for your network.
   - Execution Frequency—Once per device.
   - Priority—Before. This permits the CMURL to be set before installation.
   - Scope—Add the devices to update. Each of the devices must be marked as Managed.
   - Restart—Not needed.
   The interface displays the new policy in the list.

What Occurs on Employee Clients?
After you use JAMF to push the update package, the following events occur on the employee OS X client.
1. The client displays a Management Notification dialog.
2. The employee follows the prompts to accept and install the WSS Agent application.

Employee Template (Optional)
To notify your impacted employees and provide them with instructions, consider using the following template. Copy the contents into an email; edit as needed; send.

    [Company] is distributing a security update to your corporate Mac client. You will be prompted to [install / update] an application called WSS Agent. Perform the following steps.
    1. When your Mac client receives the update, the client displays a Management Notification.
    2. To complete the installation, click through the prompts.
    3. If the client displays a prompt to accept a certificate, accept it. This is required to receive the application.
    If you have any questions or issues, contact IT.
Next Selection
WSS Agent
- "Set WSSA Network/Security Options" on page 35.
Unified Agent
- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 75.
- If not, proceed to "Set WSSA Network/Security Options" on page 35.
Set WSSA Network/Security Options

The Web Security Service provides several options that allow you to specify how the WSS Agent behaves on the client and how to route traffic. Navigate to Connectivity > WSS Agent.

Tip: This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message.

Determine Failure Behavior
By default, the WSS allows remote clients unabated web access if the service becomes unavailable. For maximum security, set the Fail Behavior to Block All Traffic until IT or Symantec restores the service.

Change Listening Ports (No CFS)
By default, the WSS accepts traffic from the WSS Agent that is installed on client systems on the common gateway ports of 80 (HTTP), 443 (HTTPS), and 8080 (Explicit Proxy HTTP).

Tip: Migration Scenario—You are migrating security to the WSS from on-premises Blue Coat ProxySG appliances, where the WSS Agent (proxy version) accessed numerous HTTP/HTTPS sites on non-standard ports. By default, the WSS is limited to the three standard web ports.
The default ports are not changeable, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS traffic, configure the WSS to listen on those ports. For example, the WSS must also listen to ports 8000 (HTTP) and 8083 (HTTPS).
1. Select View/Edit Ports.
2. Ports—If your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate traffic type and entering the port. You can only enter one port in each field. You can add up to 1000 ports.
3. Click Save.
Forward All Ports (CFS Only)
If you have enabled the Cloud Firewall Service on your WSS portal account, you must select the Forward all traffic from all ports to WSS option.

Note: This option is available in the portal only if your account has the CFS license provisioned.

Bypass IP addresses/subnets and domains
By default, WSS bypasses the following RFC 1918 addresses.
- 10.0.0.0/8
- 169.254.0.0/16
- 172.16.0.0/12
- 192.168.0.0/16
If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly. Personal choices or business requirements might require you to configure WSS to bypass additional IP addresses/subnets and domains. For example, bypass test networks. Clicking the Connectivity > Bypassed Traffic (bottom of page) link takes you to that screen, as this is a shared configuration with other WSS features.
- For more details, see "Prevent IP/Subnet From Routing to the Web Security Service" on page 98.
- Allow remote client requests to bypass specific domains (only available for Unified Agent v4.4+). See "Prevent a Domain From Routing to WSS" on page 96.

Define Agent Connection Options
a. Block IPv6 traffic—Applies to WSS Agent v5.x and below. Blocks requested connections to destinations with IPv6 addresses when resolved by DNS. This includes traffic destined for non-local forwarded ports. IPv6 addresses are allowed under the following scenarios.
   - IPv6 traffic is destined for local addresses (link-local and unique local addresses).
   - IPv6 traffic is destined for a non-forwarded port (80, 443, and 8080 by default).
b. Select Allow HTTP/3 only if you have a business requirement or a preference for the highest performance to bypass HTTP/3 (formerly QUIC) connections. For more information, see the HTTP/3 section in "Connectivity: About the WSS Agent" on page 8.
c. Disable Tamper Protection—Select this option if your preference is to allow WSS Agent to fail open (allow connections) should the agent be unable to connect to WSS. Be advised that these connections are not subject to policy checks and malware detection.
d. Ignore Proxy Settings—Applies to WSS Agent v4.x and below. The WSS Agent establishes a direct VPN tunnel, bypassing any proxy setting an endpoint user attempts to define. However, Ignore Proxy Settings applies only to the tunnel creation. If the CTC connection fails, this setting cannot be retrieved. For an on-premises WSS Agent to go passive successfully, any on-premises firewall/proxy must bypass traffic to https://ctc.threatpulse.com.
e. Applies to WSS Agent v6.x and below. By default, a WSS Agent process sends the User ID through the tunnel to WSS. This ensures an accurate account of who initiated the request and allows for policy enforcement and reporting. Your network might have third-party products
   that also intercept these connections, which causes WSS to erroneously view the username as something similar to the following.

       NT AUTHORITY\SYSTEM

   Examples of these products include anti-virus programs and applications that run browsers in a secure virtual container. This prevents user-based policy enforcement and reporting. To be compatible with third-party interceptions that cause this issue, instruct the WSS Agent to send the logged-in username: select Logged in User ID from the Username Format drop-down list.
   Tip: For a current list of known third-party applications that cause this issue, see NT AUTHORITY\SYSTEM Username Returned From the UA.

Select End User Permissions
As the best practice described in "Connectivity: Install the WSS Agent" on page 17, select how much control your employees have with the WSS Agent before you push the agent to clients. On the WSS Agent page, locate the End User Permissions area. Decide if the following features are applicable.
- Enable update prompts. If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.
- Allow the Proxy Settings tab. This option applies only to the Unified Agent. The option to allow employees access to the Proxy Settings tab on their Unified Agent applications is a decision made before installation.
  This option does not change the system proxy settings for any other application on the client system; it only affects how the Unified Agent connects its tunnels. Typically, the Unified Agent honors the system proxy setting. This option disables that, and connections are made direct instead; the Unified Agent never connects through a proxy (but see the browser note below). This option is for the very specific case where your environment has proxy settings, but you do not want the Unified Agent to use them when connecting to CTC or establishing its tunnels. The proxy that is used is the proxy of the user related to the process.
  - macOS uses one set of proxies.
  - Windows—The CTC sees connection requests from the SYSTEM user, which can be from WPAD, a PAC file, or explicit proxy address/port settings.
  Tip: Browser configurations are completely separate. The Unified Agent cannot control the browser's behavior relating to proxies. That is, if a proxy is set in the particular browser (wherever that browser stores it), that proxy setting is honored.
- Allow local ability to disable the agent. If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.
- Require a token for uninstallation. If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that you define.

(Optional) Enable challenge-based authentication (Captive Portal)
Applies to WSS Agent v6.x and below. This option requires deployment of the Auth Connector application, which integrates with your Active Directory to provide username and group information. To enforce accurate user credentials rather than rely on locally cached credentials:
1. Navigate to Identity > Authentication Policy (or click the link on the WSS Agent page).
2. Expand the Authentication Policy area.
3. Click the Edit icon at the end of Rule G4.