Web Security Service Connectivity: WSS Agent - and Unified Agent

Page created by Alexander Wallace
 

Copyrights

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term
“Broadcom” refers to Broadcom Inc. and/or its subsidiaries.

Copyright © 2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability,
function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not
assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit
described herein, neither does it convey any license under its patent rights nor the rights of others.

Symantec Web Security Service:
WSS Agent Guide
The Symantec Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based
product, the Web Security Service leverages Symantec's proven security technology, including the WebPulse™ cloud
community.

With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to
create and enforce granular policies that are applied to all covered users, including fixed locations and roaming users.

To provide security to employees who take corporate clients beyond the corporate network, such as taking laptops on business
trips, the WSS Agent routes web requests through WSS when connecting from a non-corporate network.

         Table Of Contents

   Symantec Web Security Service: WSS Agent Guide                                                                                4
     Table Of Contents                                                                                                           4

   WSS Agent                                                                                                                     7
     Connectivity: About the WSS Agent                                                                                           8
        Why Select This Method?                                                                                                  8
     Connectivity: Install the WSS Agent                                                                                     17
        Technical Requirements                                                                                               17
        About the WSS Root Certificate                                                                                       17
        About the WSS Agent Installation or Upgrade                                                                          18
        About Bypassed Non-Routable IP Addresses                                                                             18
        Procedure—Prepare for Installation                                                                                   18
        Procedure—Install the WSS Agent                                                                                      20
     Connectivity: Distribute WSS Agent With GPO                                                                             27
        Technical Requirements                                                                                               27
        Procedure                                                                                                            27
     Connectivity: Distribute WSS Agent With JAMF                                                                            31
        Technical Requirement                                                                                                31
        Procedure                                                                                                            31
     Set WSSA Network/Security Options                                                                                       35
     About the WSS Agent UI                                                                                                  42
        System Tray/Menu                                                                                                     42
        Agent Interface                                                                                                      42
        About Tab                                                                                                            43
        Available Updates                                                                                                    43
     Disable the WSS Agent                                                                                                   45
        Procedure                                                                                                            45
        Agent Logging                                                                                                        47

     SymDiag Application For WSS Agent on Windows                                                                        48
        Technical Requirements                                                                                           48
        Procedure                                                                                                        48
     Debugging Script for WSS Agent on Mac Systems                                                                       52
        Technical Requirements                                                                                           52
        Procedure                                                                                                        52
     WSS Agent 7.x—Tunnel Error                                                                                          54
     Uninstall the WSS Agent                                                                                             55
        Windows                                                                                                          55
        macOS                                                                                                            55

   Unified Agent                                                                                                         56
     Connectivity: About the Unified Agent                                                                               57
        Why Select This Method?                                                                                          58
        About the QUIC Protocol                                                                                          62
        About Proxy Avoidance Attempts                                                                                   62
        About Password Protection                                                                                        62
        About SSL Certificate Installation                                                                               62
        About Challenge-based Authentication (Captive Portal)                                                            63
        About IPv6 IP Addresses                                                                                          63
        About Time Zones                                                                                                 63
        About Hybrid Policy and Unified Agent Connections                                                                63
     Connectivity: Manually Deploy the Unified Agent (Windows)                                                           66
        Technical Requirements                                                                                           66
        About Bypassed Non-Routable IP Addresses                                                                         66
        Procedure                                                                                                        67
     Connectivity: Manually Deploy the Unified Agent (Mac)                                                               71
        Technical Requirements                                                                                           71
        About Bypassed Non-Routable IP Addresses                                                                         71
        Procedure                                                                                                        72
     Route Remote Connections Through an HTTP Proxy                                                                      75
        Deployment Notes                                                                                                 75
     Manually Disable the Unified Agent                                                                                  78
        Activate the Disable Option                                                                                      78
        Instruct Employees How to Disable the Unified Agent                                                              78
     Uninstall the Unified Agent                                                                                         79
        Available Options                                                                                                79
        Unified Agent—With Uninstall Token                                                                               79
        Information                                                                                                      79
        Procedure                                                                                                        79
        Windows                                                                                                          80
        OS X                                                                                                             81
        No Token Defined/Client Connector                                                                                82
        Reference—MSI Versions                                                                                           82
        MSI Version Mis-Match (Unknown MSI)                                                                              82
     Troubleshoot...                                                                                                     84
        Unified Agent Connection Troubleshooting                                                                         85

     Manage Web Security Service Client Connections                                                                      89
        Manually Disable the Unified Agent                                                                               90
        Review System Events Generated by Remote Clients                                                                 91
        Capture Remote Client Trace Log                                                                                  92

     Verify Mobile Connections                                                                                           94
        About Device Visibility                                                                                          94
        View Devices                                                                                                     94
        Page Options                                                                                                     95

     Prevent a Domain From Routing to WSS                                                                                96
        Notes                                                                                                            96
        Procedure—Manually Add Domain Entries                                                                            96
        Import IP Address Entries From a Saved List                                                                      97

     Prevent IP/Subnet From Routing to the Web Security Service                                                          98
        Notes                                                                                                            98
        Procedure—Manually Add IP Addresses                                                                              98
        Import IP Address Entries From a Saved List                                                                      99

     Reference: Windows WSSA/UA Package Versions                                                                        100

WSS Agent
The WSS Agent is the Symantec-recommended agent for supported Windows 10+ and macOS High Sierra+ clients.

   - "Connectivity: About the WSS Agent" on page 8

   - "Connectivity: Install the WSS Agent" on page 17

   - "Connectivity: Distribute WSS Agent With GPO" on page 27

   - "Connectivity: Distribute WSS Agent With JAMF" on page 31

   - "Set WSSA Network/Security Options" on page 35

   - "About the WSS Agent UI" on page 42

   - "Disable the WSS Agent" on page 45

   - "SymDiag Application For WSS Agent on Windows" on page 48

   - "Debugging Script for WSS Agent on Mac Systems" on page 52

   - "Uninstall the WSS Agent" on page 55

Connectivity: About the WSS Agent
WSS Agent is a powerful, flexible, cloud-directed WSS connectivity method. WSS Agent uses a VPN tunnel to securely route
traffic from the end user’s machine to WSS. The two major benefits of this connection solution are that WSS Agent redirects
non-standard web traffic and adds an extra layer of data privacy on public WiFi networks.

When installed on client systems, the WSS Agent works as part of the client system's configuration. After the application is
installed, no further configuration is required on the client system. It directs content requests to WSS over a secure connection
(port 443). To enforce proxy avoidance, the WSS Agent detects and redirects HTTP proxy requests to any external, non-WSS
IP addresses. As such requests are redirected, the user is unable to circumvent filtering and malware scanning.

The WSS Agent provides additional security features.

    - The WSS Agent prevents employees from stopping and starting the service from the Services Management Console,
      even if the employee has Windows Administrator privileges.

    - You can give employees the ability to temporarily disable the WSS Agent should they be experiencing connection issues.

Why Select This Method?
Benefits—
    - Always active. The user does not have to log in to the agent.

    - Works in the background and is transparent to users.

    - Captures the user and system names for reporting.

    - Viable security solution for premises with fewer than 100 clients and where location-based network infrastructure (such
      as a firewall) is not available.

Select another method if—
    - You want to manage remote clients through multiple PAC files (use the SEP solution instead).

    - You require IPv6 support. The WSS Agent does not currently support IPv6 connections; a future update will provide
      support.

 Use Cases

Remote, Off-Corporate Network
Your business has one or more physical locations. On-premises infrastructure, such as proxies or
firewall devices, provide security to your corporate-controlled internet connections. Some employees
work remotely or take their laptops to travel and connect through to the internet from an off-corporate
network, such as a hotel or other commercial property WiFi.

1—A Sales Person is on site at a corporate location. The client system recognizes the corporate
internet connection and the WSS Agent remains in Passive Mode. All internet requests proceed
through the on-premises gateway infrastructure. If WSS is providing security, the connection occurs
through a defined location. For example, the proxy appliance or firewall device is configured to connect
to the Santa Clara datacenter VIP. Security policies are applied for that location and/or logged-in user
or group name.

2—The Sales Person then takes a flight to the southern United States and checks into a hotel. The
WSS Agent is now engaged and connects to the nearest WSS datacenter, which in this example is
Dallas (for more details about the cloud service connections, see the next section). You might elect to
define a separate set of web-use policies for WSS Agent connections. For example, you allow access
to more leisure categories after work hours because employees are spending personal time away from
home.

Small Office
    - Your business might be small—typically defined as fewer than 100 employees—and thus you do
      not have advanced network infrastructure, such as firewall devices or proxies that forward
      internet traffic.

    - Or your business might have micro-branches, or smaller locations where it does not make
      sense to invest in and support the network infrastructure that your larger sites require.

In these cases, the WSS Agent is a viable, low-touch method to provide web security and enforce web-
use policies.

The WSS Agent connects through the location's ISP to the nearest WSS datacenter.

   Tip: It is possible for the WSS Agent to connect to a specific datacenter. If
   your business requires specific location connections, contact Symantec
   Technical Support to request assistance.

 How the WSS Agent Connects
The WSS Agent connects to WSS when a user logs on (or if there is a connection error from another
method). The agent and the service perform a series of checks in preparation for web requests as the
following flow describes.

1—A Sales Person on a business trip logs in.

    - The WSS Agent initiates a connection over port 443 to the Client Traffic Controller (CTC) in the
      closest WSS datacenter (the WSS can return availability from up to three geographical
      datacenters).

    - The WSS Agent checks for tampering. If any of the following is detected, the connection is
      refused and the client receives an exception; otherwise, the connection continues.

        - The configuration store (which contains your customer ID, failure mode, and tamper
          detection settings) has been modified outside of the application itself.

        - An attempt to bypass WSS through entries in the hosts file.

        - The SSL connection for the VPN tunnel to the service cannot be validated.

    - WSS determines whether the connection is from a defined corporate location; if it is, the WSS
      Agent remains in passive mode.

    - WSS checks whether a WSS Admin has configured the portal to block this WSS Agent (for
      example, a laptop was lost or stolen and the Admin wants to prevent the connection).

    - For all web content requests, WSS applies checks against the WSS bypass list, acceptable web
      use policies, and malware scanning results.

2—A request for internally-hosted content, or for content that belongs to a bypass list, never reaches WSS.
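The hosts-file check in the flow above can be illustrated with a small parser. This is an added example written for this page, not the WSS Agent's own implementation: it reads hosts-file text and reports any static entry for a hostname the agent must resolve through DNS. Only ctc.threatpulse.com is named in the guide; the second hostname, the function names, and the sample hosts content are constructed for the example.

```python
import ipaddress

# Hostnames whose resolution must not be pinned by a static hosts entry. ctc.threatpulse.com
# is named in the guide; the second name is a placeholder constructed for this example.
WSS_HOSTNAMES = {"ctc.threatpulse.com", "example-wss-datacenter.invalid"}

# Constructed hosts file: the fourth line pins the CTC hostname to loopback.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost
127.0.0.1       ctc.threatpulse.com     # pinned entry
10.1.2.3        intranet.corp.example
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address column; not a valid entry
        for name in parts[1:]:
            yield ip, name.lower()


def find_hosts_tampering(text, protected=WSS_HOSTNAMES):
    """Return [(ip, hostname)] for every entry that overrides a protected WSS hostname.

    Any static mapping for a protected name is reported regardless of the address, because
    a pinned address prevents the CTC from steering the client to a datacenter."""
    return [(str(ip), name) for ip, name in parse_hosts(text) if name in protected]


if __name__ == "__main__":
    for ip, name in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"tampered: {name} -> {ip}")
```

Running the module prints one line for the pinned CTC entry; a hosts file containing only the standard localhost lines produces no findings.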

 WSS Agent Connection Concepts
This section provides technical details about how the WSS Agent connects to the WSS.

CTC Issues

If the CTC is not able to respond, the WSS Agent uses a cached connection list and displays a
warning.

VPN Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be
installed on client systems. You can configure full or split tunnel with additional configurations.

    - Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec
      Location in WSS (Connectivity > Locations). This enables WSS to enter Passive mode
      when on the Location network.

    - Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Single Tunnel Default

Applies to WSS Agent 7.1+.

By default, the agent operates in Single Tunnel Mode. This single tunnel behaves as both a system
tunnel and a user tunnel. All traffic generated by the device (regardless of originating process) is
identified as coming from the logged-in user of the client.

Windows Only—You might have an environment where several users log in concurrently without a
physical console; for example, multiple users concurrently log in to a machine-only test environment
through Remote Desktop. You can distribute WSS Agent 7.1+ with an installation option that supports
this deployment. This is described in the installation topic.

HTTP/3

HTTP/3 is the third major revision of the HTTP protocol. When introduced in 2013, it was named the Quick
UDP Internet Connections (QUIC) protocol. It is a transport-layer protocol designed to reduce latency when
compared to TCP (HTTP/HTTPS) connections. Browsers with HTTP/3 enabled and smaller devices
receive the benefit. Chrome 29+ has HTTP/3 enabled by default (chrome://net-internals/#quic).
Other browsers are beginning to include HTTP/3.

To allow for a seamless experience, when clients send web requests that are intercepted for
processing (such as by WSS for security purposes) the connections revert to TCP.

If you have a business requirement or a preference for the highest performance, you can instruct WSS
to bypass HTTP/3 connections. Be aware of the lessened security because of this option. Because
HTTP/3 is UDP-based, these connections are bypassed at the client end-point, which means the
traffic is not checked against policy nor is reporting against the WSS Agent possible. Only select this
bypass option if the highest performance for these clients supersedes the security requirement.

Proxy Connections

The CTC uses the system proxy settings (and, if specified, the PAC file and/or WPAD) in its connection
to ctc.threatpulse.com.

Windows—Uses the proxy settings of the currently logged-in console user (the user physically logged
into the device). If there is no currently logged-in console user (for example, a remote desktop session),
then the proxy settings of the SYSTEM user are used.

macOS—Uses the proxy settings of the main network device (the one from which requests for
ctc.threatpulse.com are routed).

    - If a proxy was used for the actual CTC request, then tunnels are opened using the same proxy
      server that resolved for ctc.threatpulse.com.

    - If a proxy was not used for ctc.threatpulse.com, then tunnels are opened using a direct
      connection to the individual connect list items.

The proxy used is the same IP address and port as the proxy used in the actual CTC request.

After two consecutive CTC connection failures, the system proxy is ignored and a direct connection is
attempted instead.

   Note: Authenticating proxies are not supported on either platform. This is a
   limitation of the operating systems themselves.

Proxy Avoidance Attempts

To enforce proxy avoidance, the WSS Agent detects proxy HTTP requests in outbound streams for
ports other than those configured to be forwarded to the service (typically 80 and 443). Those
connections are forwarded to the WSS instead of the originally-specified proxy.

The WSS Agent does not, however, interpret proxy auto-configuration (PAC) settings as a proxy
avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the
WSS Agent detects it and uses this connection to forward web traffic (on ports 80 and 443 by default).
If the WSS Agent cannot connect with the PAC settings, it attempts a direct connection to the WSS IP
address. You can allow additional ports.
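The detection described above hinges on recognizing a proxy-style HTTP request on a port that is not already forwarded to WSS. The following added example (written for this page; it is not the WSS Agent's code, and the port set, function names, and sample stream openings are assumptions) classifies the first line of an outbound TCP stream: a CONNECT request or a method with an absolute-URI target is proxy-style, and on a non-forwarded port it is marked for redirection to WSS rather than to the proxy the client named.

```python
from urllib.parse import urlsplit

# Ports whose traffic the guide says are already forwarded to WSS (80 and 443). The set is
# an assumption for this example; the guide notes that additional ports can be allowed.
FORWARDED_PORTS = {80, 443}
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "PATCH", "TRACE"}


def is_proxy_style_request(first_line: bytes) -> bool:
    """True when a request line is in the form a client sends to an explicit proxy:
    CONNECT host:port (a TLS tunnel through a proxy) or a method with an absolute URI
    (GET http://host/path HTTP/1.1) rather than an origin-form path (GET /path HTTP/1.1)."""
    try:
        text = first_line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        return False                      # binary data; not an HTTP request line
    parts = text.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return False
    method, target, _version = parts
    if method == "CONNECT":
        return True
    if method not in HTTP_METHODS:
        return False
    url = urlsplit(target)
    return url.scheme in ("http", "https") and bool(url.netloc)


def classify_stream(dst_port: int, first_line: bytes) -> str:
    """Decide what the agent does with one outbound stream.
    'forward'  : port is already forwarded to WSS; nothing extra to do
    'redirect' : proxy-style request on another port; send it to WSS, not the named proxy
    'pass'     : not a proxy-style request on a non-forwarded port"""
    if dst_port in FORWARDED_PORTS:
        return "forward"
    return "redirect" if is_proxy_style_request(first_line) else "pass"


# Constructed sample stream openings for this example.
SAMPLES = [
    (3128, b"GET http://example.com/ HTTP/1.1\r\n"),   # explicit proxy on a common proxy port
    (8080, b"CONNECT example.com:443 HTTP/1.1\r\n"),   # TLS tunnel via a proxy
    (8080, b"GET /index.html HTTP/1.1\r\n"),           # origin-form: a plain web server on 8080
    (443,  b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc"),   # TLS ClientHello on a forwarded port
    (22,   b"SSH-2.0-OpenSSH_9.6\r\n"),                # not HTTP at all
]

if __name__ == "__main__":
    for port, line in SAMPLES:
        print(port, classify_stream(port, line))
```

The origin-form case on port 8080 is the important negative: a web server on a non-standard port is not a proxy, so only the request-target form, not the port alone, decides.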

SSL Certificate Installation

The WSS Agent connection to the CTC requires the WSS SSL root certificate. WSS Agent installations also
install this certificate. If the certificate is not present, the WSS Agent remains operational but might fail
to connect to the CTC in the datacenter. If this occurs, the agent reverts to the last-received connection list.

Upon installation, the WSS Agent installs the WSS root certificate. If the certificate is not installed
because of unforeseen permission issues, you can manually download it and install it.

Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive
Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours
after their previous successful entry). This eliminates cached credential access.

MAC CLIENT NOTE

You can install WSS Agent on Windows and Mac clients. If a Mac user's username is the same as in
your AD and there is only one domain in your AD, then user-based policy is applied for the Mac
client. The domain defaults to the single domain in the AD. You can, however, enable the Captive
Portal feature, which allows users and groups to be available for policy checks.

Hybrid Policy and WSS Agent Connections

If you are employing the Symantec Hybrid Policy solution, the WSS Agent has slightly different
connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use
common policy. The client workstations that use that common policy proxy have the WSS Agent
installed. Normally, the WSS Agent is in Passive mode on workstations connecting from behind a
proxy that is providing common policy.

Noticeable Behavior

   - On the WSS portal, the Location status changes from green to red. This causes all new
     WSS Agent connections to be active rather than passive.

   - After a networking event, such as a change in IP address, while the Location is red, the
     WSS Agent switches to active.

   - When the Location status is green, the WSS Agent switches to passive mode.

If the common policy proxy is unable to establish a connection to the portal for approximately 35
minutes, then the hybrid location changes from green to red. If the WSS Agent is in passive mode, it
remains passive unless a networking event occurs. The WSS Agent goes to active mode for all new
connections from that red-status network. This is by design. If the on-premises ProxySG appliance is
experiencing issues and is configured to Fail Open, the WSS Agent must be in active mode for WSS to
provide protection.

   Tip: If you notice that the WSS Agent is switching to active mode for
   reasons not described above, check the hybrid location in the portal. If the
   hybrid location status is red, check connectivity between the on-premises
   ProxySG appliance and WSS (might require a packet capture to diagnose).
   You can run the update-now command while in the cloud-service
   configuration mode to generate traffic destined to the service.
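The passive/active rules for hybrid-policy deployments described above are easy to misread, in particular that a red Location does not by itself flip an already-passive agent. The following added example (written for this page, not the WSS Agent's code; the event names, the function names, and the scenario are constructed) encodes those rules as a small state machine and runs a scenario through it:

```python
from dataclasses import dataclass


@dataclass
class AgentState:
    """Current connection mode of one WSS Agent: 'passive' or 'active'."""
    mode: str = "passive"


def next_mode(state: AgentState, location_status: str, event: str) -> str:
    """Return the mode the agent is in after one observation.

    location_status: "green" or "red", the hybrid Location status shown in the portal.
    event: "new_connection" (the agent establishes a new connection), "network_change"
           (for example, an IP address change), or "poll" (nothing happened on the client).
    Rules from the guide: green -> passive; red plus a new connection or a networking
    event -> active; red with no event -> an already-passive agent stays passive."""
    if location_status == "green":
        return "passive"
    if event in ("new_connection", "network_change"):
        return "active"
    return state.mode


def simulate(observations):
    """Apply a sequence of (location_status, event) pairs; return the mode after each step."""
    state = AgentState()
    trace = []
    for status, event in observations:
        state.mode = next_mode(state, status, event)
        trace.append(state.mode)
    return trace


# Constructed scenario: the common-policy proxy loses contact with the portal, so after
# roughly 35 minutes the hybrid Location turns red; later the proxy recovers.
SCENARIO = [
    ("green", "poll"),            # behind the common-policy proxy: passive
    ("red",   "poll"),            # Location red, nothing happened on this client: still passive
    ("red",   "network_change"),  # IP address change on the red network: active
    ("red",   "poll"),            # remains active while the Location is red
    ("green", "poll"),            # proxy is back in touch with the portal: passive again
]

if __name__ == "__main__":
    for (status, event), mode in zip(SCENARIO, simulate(SCENARIO)):
        print(f"{status:5} {event:15} -> {mode}")
```

Step two of the scenario is the case the Tip above is about: two clients on the same red network can legitimately be in different modes until a networking event or a new connection occurs on the passive one.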

About WSS Agent Performance
As discussed in the topic introduction, WSS Agent uses a VPN tunnel. All VPNs impact performance.
Depending on network conditions, explicit proxy redirection might significantly outperform WSS Agent
in controlled lab testing. Fortunately, the impact is rarely noticeable in real-world usage. While it is
impossible to predict the performance impact from one user to the next, WSS Agent should easily
achieve the speeds required to handle the latency-sensitive needs of power-users. Typically, these
users rely on modern cloud applications, such as the following platforms and examples:

    - HD conferencing applications (Zoom, Webex, and Microsoft Teams)

    - HD video streaming (YouTube and Vimeo)

    - Business productivity applications (Office 365 and G-Suite)

    - Collaboration applications (Slack and Google Chat)

    - Online file storage and sharing (Box, Dropbox, and Microsoft OneDrive)

Performance Best Practices

    - Deploy the most recent WSS Agent release. Because Symantec provides performance
      improvements in each release, maintaining the most current WSS Agent version yields the best
      results.

    - For trusted applications that require near line-speed performance, consider adding the application
      to the WSS Agent bypass feature.

    - If bypass is not possible, switching to the Symantec Endpoint Protection (SEP) Agent solution is
      another option. SEP Agent connects to WSS using explicit proxy redirection, which is typically
      faster than WSS Agent.

Connectivity: Install the WSS Agent
This topic describes what is required and how to manually install the WSS Agent on a supported Windows or macOS client.

Technical Requirements
   - Supported clients—

        - 64-bit Windows 10 Professional, Enterprise or Education version 1703

        - macOS High Sierra+

          Note: You must use the fully-patched vendor-provided versions of the operating systems.
          All attempts to install on an unsupported OS fail.

   - SEP 14.2 with WTR running in parallel with WSS Agent is not a supported configuration.

   - Protocols: UDP, SSL, TCP

   - Port 443 to ctc.threatpulse.com (for TCP, UDP, and software updates)

   - Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more
     information, consult the following Knowledge Base article:

     https://knowledge.broadcom.com/external/article?legacyId=TECH242793

   - On macOS, the contents of the stamped installer are notarized using Apple's notarization process. This means that the
     driver, service, and all parts of WSS Agent function correctly on a system that requires notarization. However, the .pkg
     file itself is not notarized. If you require a notarized .pkg file, contact Symantec Technical Support.

   - The WSS Agent currently does not support IPv6 connections. The best practice is to disable IPv6 on client
     systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.

   - Not supported:

        - Long-term Servicing Channel (LTSC) is not supported. Microsoft intends for LTSC to be used only for specialized
          systems.

        - WSS Agent version 7.x does not support Captive Portal. If this is a current requirement, do not upgrade to WSSA
          7.x.

About the WSS Root Certificate
   - When you install WSS Agent on endpoint clients, the WSS root certificate is also installed.

   - If you install or upgrade to WSS Agent version 7.x, the installation removes the root certificate that expires in September
     of 2021 and installs the new certificate that expires in September of 2036.

   - If you do not want the new certificate, remove it from the trust store. Be advised that without a certificate, the clients
     receive certificate errors when SSL sites are intercepted.

   - If you want to retain the older certificate, add it to the trust store after installation or upgrade.

About the WSS Agent Installation or Upgrade
    - You can upgrade from the Unified Agent or previous versions of the WSS Agent; however, if the Unified Agent was
      installed with custom options, they are not preserved or migrated to the WSS Agent.

    - You can configure the portal to automatically update the WSS Agent; however, if you are upgrading from the Unified Agent
      to the WSS Agent, you must push a new installation notification to all clients, and clients require a reboot.

    - Subsequent WSS Agent upgrades do not require a client system reboot.

About Bypassed Non-Routable IP Addresses
By default, WSS bypasses the following non-routable address ranges (the RFC 1918 private ranges and the 169.254.0.0/16
link-local range).

    - 10.0.0.0/8

    - 169.254.0.0/16

    - 172.16.0.0/12

    - 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly.
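To check how a given destination would be handled, the routing decision can be modelled with the standard library's ipaddress module. This added example is written for this page and is not the WSS Agent's code: it combines the default non-routable ranges above with an admin-defined IP/subnet bypass list (the list the "Prevent IP/Subnet From Routing to the Web Security Service" topic covers) and models the Block IPv6 Traffic option from the Technical Requirements. The function names, the CIDR format of the admin list, and the sample destinations are assumptions.

```python
import ipaddress

# Default non-routable ranges that WSS bypasses, as listed in the guide.
DEFAULT_BYPASS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def route_decision(dst: str, extra_bypass=(), block_ipv6: bool = True) -> str:
    """Return 'direct', 'wss' or 'blocked' for a destination IP address string.

    extra_bypass: admin-defined IP/subnet entries. Assumed format for this example: CIDR
                  strings or single addresses.
    block_ipv6:   models the Block IPv6 Traffic option. The agent does not tunnel IPv6, so
                  with the option off the traffic is assumed to leave the client unprotected."""
    ip = ipaddress.ip_address(dst)
    if ip.version == 6:
        return "blocked" if block_ipv6 else "direct"
    if any(ip in net for net in DEFAULT_BYPASS):
        return "direct"
    # strict=False accepts entries such as 203.0.113.5/24 that have host bits set.
    if any(ip in ipaddress.ip_network(entry, strict=False) for entry in extra_bypass):
        return "direct"
    return "wss"


def summarize(destinations, **kwargs):
    """Map each destination to its routing decision; useful when auditing a bypass list."""
    return {dst: route_decision(dst, **kwargs) for dst in destinations}


# Constructed destinations: RFC 1918, the edge just outside 172.16.0.0/12, link-local,
# an address covered by an admin bypass entry, a public address, and an IPv6 address.
SAMPLE_DESTINATIONS = ["10.4.5.6", "172.31.255.1", "172.32.0.1", "169.254.10.1",
                       "203.0.113.5", "93.184.216.34", "2001:db8::1"]
ADMIN_BYPASS = ["203.0.113.0/24"]

if __name__ == "__main__":
    for dst, verdict in summarize(SAMPLE_DESTINATIONS, extra_bypass=ADMIN_BYPASS).items():
        print(f"{dst:15} -> {verdict}")
```

The 172.31.255.1 versus 172.32.0.1 pair shows why the /12 boundary matters: only 172.16.0.0 through 172.31.255.255 is bypassed, and everything the admin list does not cover goes through WSS.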

Procedure—Prepare for Installation

VPN Compatibility
The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client
systems. You can configure full or split tunnel with additional configurations.

    - Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in the WSS
      (Connectivity > Locations). This enables WSS to enter Passive mode when on the Location network.

    - Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Step 1—Select End User Permissions
As best practice, Symantec recommends that you select how much control your employees have with the WSS Agent before
you push the agent to clients.

Navigate to Connectivity > WSS Agent. Locate the End User Permissions area.

Decide if the following features are applicable.

Enable Update Prompts

If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for
downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is
enabled.

Allow the Proxy Settings Tab

This option applies only to Unified Agent.

Allow Local Ability to Disable the Agent

If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

Require Token for Uninstalling

If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that
you define.

Step 2—Download the WSS Agent Installer.
   1. In the Installers area, click the WSS Agent Download button.

   2. If this is the first time you are attempting to download the application, the service displays the Profile dialog.

        As a company that provides security services across the globe, Symantec supports and complies with United States and
        local export controls. As an authorized member of your enterprise/organization, you must complete this form before
        downloading the WSS Agent.

           a. Click the Ensure...enterprise account link, which opens your Broadcom profile page.

           b. Complete your enterprise information and click Next.

           c. Verify and click Upgrade Account. Broadcom sends you a confirmation email.

           d. Return to the portal, log out, and log in again. If you do not, you still cannot download the agent.

   3. Download the installation file and place it in a network location that is accessible by test clients.

Procedure—Install the WSS Agent
The installation varies depending on the OS and if you want to install with additional options.

Installation Options
When installing on clients, you can install the app with default settings or use the CLI to install with additional options.

    n   MSI (Windows clients only)—The Microsoft CLI provides multiple options, which are detailed on their website.

        https://docs.microsoft.com/en-us/windows/desktop/Msi/command-line-options

        The following commands are most relevant to the WSS Agent.

            o   /passive—Installs without user intervention

            o   /l*v \Path\To\install.log—Outputs the installation process to a log file (given by \Path\To\install.log).
                This command provides installation debugging information.

    n   Configuration Options—You can append the following options to an installation:

            n   Specify whether or not to attempt UDP connections. By default, the WSS Agent attempts a UDP connection, but
                reverts to TCP if not possible. You can elect to always connect through TCP or exclusively through UDP (never
                attempt TCP); however, if the connection cannot be established using the given protocol, the connection fails
                and the agent enters the configured failure mode.

           n   Specify the packet size attempted when sending a PMTU check, which is an option when the connection
               continues to fall back to TCP transport because the ping containing the default byte size never receives a
               response.

           n   Disable all real-time statistics collection. No new data is collected; no data purging occurs. You might do this if
               the WSS Agent is experiencing performance issues.

           n   Specify the number of days to retain real-time statistics.

           n   (WSS Agent 7.1+ only) Enable Multiple Concurrent Users instead of the default Single Tunnel Mode.

If you think one or more of these options might suit your deployment or testing needs, consult the configuration descriptions in the
next sections. They contain command syntax and more details.

Windows Application
   1. Put the installer on the test client.

   2. Launch the installer.

          a. In Windows, navigate to the directory where you saved the wssa-5.0.1..msi file.

               Symantec strongly recommends that you record the full MSI name; it might be required for future uninstallation
               tasks.

          b. Double-click the file, which launches the installer.

   3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

   4. Click Install. The installation begins.

   5. Click Finish to complete the installation. The service displays the Installer Information dialog.

   6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

Windows CLI—Options Available
You must have Administrator privilege.

   1. Put the installer on the test client.

   2. Syntax: msiexec -i \Path\To\wssa-installer.msi MSI_options configuration_options

       Where \Path\To is the location of the installer on your client system. For example: C:\Downloads\.

         msiexec -i C:\downloads\wssa-installer.msi

   3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

   4. Click Install. The installation begins.

  5. Click Finish to complete the installation. The service displays the Installer Information dialog.

  6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

Example—Install with MSI options.
   n   /passive—Installs without user intervention

   n   /l*v \Path\To\install.log—Outputs the installation process to a log file (given by \Path\To\install.log). This
       command provides installation debugging information.

  msiexec -i C:\downloads\wssa-installer.msi /passive

Example—Install with MSI and configuration options.
   n   minPMTU = [0-1500]

       The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints
       without fragmentation. This has implications for UDP connections, which require retransmissions if packets are
       fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. This
       is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically
       connect using UDP. The default is 1492.

   n   enableUDP = [true | false | exclusive]

           o   true—Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine if PMTU
               is limited along the path. If UDP is not possible, the connection defaults to TCP.

           o   false—Never attempt UDP connections. PMTU is never attempted.

           o   exclusive—Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is
               dropped.

   n   disableStats = [true | false]

       The default is false. Setting to true disables all activities surrounding real-time stats collection; that is, no new data is
       added, nor will any purging occur.

   n   statsRetentionDays = [0-14]

       Specifies the number of days to retain real-time statistics. The default is 14. Setting to 0 retains data since midnight, UTC
       for the current day. Any data occurring before midnight UTC specified days ago is removed. For example, if the setting is
       1, then data before midnight UTC yesterday is purged. The purging occurs every time the client is started and roughly
       every 30 minutes while WSS Agent is running. If disableStats is set to true, this option has no effect.

  msiexec -i C:\downloads\wssa-installer.msi /passive CUSTOM_CONFIG=enableUDP=exclusive,statsRetentionDays=1

   n   MCU=1

       Applies to WSS Agent 7.1+. Enables Multiple Concurrent Users Mode. This is for the use cases where multiple users log
       in to a machine through remote desktop or for console-less users.

macOS Application
   1. Put the installer on the test client.

   2. Launch the installer.

          a. Open the wssa-5.0.1..dmg file by double-clicking on it.

              Symantec strongly recommends that you record the full .dmg name; it might be required for future uninstallation
              tasks.

          b. Double-click the .pkg file, which launches the installer.

   3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

   4. Click Install. The installation begins.

   5. Click Finish to complete the installation. The service displays the Installer Information dialog.

   6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

macOS CLI—Options Available
   1. Open the .dmg file using the macOS hdiutil attach command and install the .pkg file using the macOS installer
      command. Consult the Apple man pages for more details.

      For example, the following three commands attach the disk image, install the package, and detach the disk image.

         $ hdiutil attach /path/to/wssa-installer.dmg
         $ sudo installer -pkg /path/to/mounted/wssa-installer.pkg -target /
         $ hdiutil detach /path/to/mounted

   2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

   3. Click Install. The installation begins.

   4. Click Finish to complete the installation. The service displays the Installer Information dialog.

   5. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

Example—Install with configuration options.

   Tip: The command can be run multiple times with multiple configuration options; however, each
   individual option is set once only. Attempting to write the same option after it has already been
   set overwrites the previous setting.

    n   minPMTU = [0-1500]

        The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints
        without fragmentation. This has implications for UDP connections, which require retransmissions if packets are
        fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. This
        is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically
        connect using UDP. The default is 1492.

    n   enableUDP = [true | false | exclusive]

            o   true—Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine if PMTU
                is limited along the path. If UDP is not possible, the connection defaults to TCP.

            o   false—Never attempt UDP connections. PMTU is never attempted.

            o   exclusive—Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is
                dropped.

    n   disableStats = [true | false]

        The default is false. Setting to true disables all activities surrounding real-time stats collection; that is, no new data is
        added, nor will any purging occur.

    n   statsRetentionDays = [0-14]

        Specifies the number of days to retain real-time statistics. The default is 14. Setting to 0 retains data since midnight, UTC
        for the current day. Any data occurring before midnight UTC specified days ago is removed. For example, if the setting is
        1, then data before midnight UTC yesterday is purged. The purging occurs every time the client is started and roughly
        every 30 minutes while the WSS Agent is running. If disableStats is set to true, this option has no effect.

  $ sudo defaults write com.symantec.wssa CUSTOM_CONFIG -string "enableUDP=exclusive,statsRetentionDays=1"

Modify Options Post-Installation
After you install the WSS Agent, you can add or delete the options (described in the previous option sections). For example, you
have already installed the agent, but now want to push out the option to lower the PMTU. To achieve this, you use the wssad
command.

Windows
You must run the command as an Admin. The following example uses the default agent path and sets multiple options.

  "c:\Program Files\Symantec\WSS Agent\wssad.exe" -p enableUDP=exclusive,statsRetentionDays=1

macOS
  $ sudo /opt/symantec/wssad -p enableUDP=exclusive,statsRetentionDays=1

Delete Options
To delete options, run the same command but use -e instead of -p.

  "c:\Program Files\Symantec\WSS Agent\wssad.exe" -e enableUDP

  $ sudo /opt/symantec/wssad -e enableUDP

   Tip: When deleting options, you cannot delete more than one option per command.
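The same comma-separated option string is used by the MSI CUSTOM_CONFIG property, by defaults write on macOS, and by wssad -p after installation, so a typo in a value (for example a statsRetentionDays outside 0-14) is pushed to every client before anyone notices. The following shell script is an added example, not Symantec's code: it validates each key=value pair against the ranges documented in the option descriptions above, joins the valid pairs into the string, and prints the Windows and macOS commands for it as a dry run. It also emits one wssad -e command per option, because the tip above says only one option can be deleted per command. Option names, value ranges, the com.symantec.wssa domain and the wssad paths come from this guide; the function names and the sample values are constructed for the example.

```shell
#!/bin/sh
# Added example (not Symantec's code): validate a WSS Agent CUSTOM_CONFIG
# string before pushing it to clients. Option names, value ranges, the
# com.symantec.wssa domain and the wssad paths are from the guide; the
# function names and sample values are constructed.

# True (exit 0) when $1 is a non-negative integer between $2 and $3 inclusive.
is_int_in_range() {
    case $1 in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Validate one key=value pair against the documented ranges.
# Prints the reason on stderr and returns 1 when the pair is invalid.
validate_option() {
    key=${1%%=*}
    value=${1#*=}
    case $key in
        enableUDP)
            case $value in true | false | exclusive) return 0 ;; esac ;;
        disableStats)
            case $value in true | false) return 0 ;; esac ;;
        minPMTU)
            is_int_in_range "$value" 0 1500 && return 0 ;;
        statsRetentionDays)
            is_int_in_range "$value" 0 14 && return 0 ;;
        MCU)   # WSS Agent 7.1+ only; the only documented value is 1
            [ "$value" = 1 ] && return 0 ;;
        *)
            echo "unknown option: $key" >&2
            return 1 ;;
    esac
    echo "invalid value for $key: $value" >&2
    return 1
}

# Join validated pairs into the comma-separated string expected by the MSI
# CUSTOM_CONFIG property, `defaults write ... CUSTOM_CONFIG` and `wssad -p`.
# Fails with no output on the first invalid pair, so a bad string is never pushed.
build_custom_config() {
    out=""
    for opt in "$@"; do
        validate_option "$opt" || return 1
        out="${out:+$out,}$opt"
    done
    printf '%s\n' "$out"
}

WSSAD_MAC=/opt/symantec/wssad
WSSAD_WIN='"c:\Program Files\Symantec\WSS Agent\wssad.exe"'

# The agent deletes only one option per wssad invocation, so emit one
# `wssad -e` command per key instead of batching them.
wssad_delete_commands() {
    for key in "$@"; do
        printf 'sudo %s -e %s\n' "$WSSAD_MAC" "$key"
    done
}

# Dry run: print the platform-specific commands for a validated config.
if cfg=$(build_custom_config enableUDP=exclusive statsRetentionDays=1); then
    printf '%s\n' "msiexec -i C:\\downloads\\wssa-installer.msi /passive CUSTOM_CONFIG=$cfg"
    printf '%s\n' "sudo defaults write com.symantec.wssa CUSTOM_CONFIG -string \"$cfg\""
    printf '%s\n' "$WSSAD_WIN -p $cfg"
    printf '%s\n' "sudo $WSSAD_MAC -p $cfg"
fi
wssad_delete_commands enableUDP statsRetentionDays
```

Run it as-is to see the commands for the guide's own example (enableUDP=exclusive,statsRetentionDays=1); pass different pairs to build_custom_config to produce a string for your deployment, and pipe the printed commands into your push tooling only after reviewing them.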

WSS Agent 6.x with CloudSOC
If your portal account has integrated with the CloudSOC (CASB) service for deeper web application security, some thick
clients—for example, Dropbox—do not work through WSS Agent. This is because these thick clients pin their server
certificate, and the pin fails when the connection presents the WSS SSL interception certificate instead. Using an
installation option, you can bypass all traffic sent to the WSS from a specific executable (thick client) on a WSS Agent 6.x
client. You can bypass these applications, plus other elements such as VPN IP addresses.

If you have deployed WSS Agent 7.1+, see WSS Agent—Bypass Applications.

   Caution: This option weakens security protections because the bypassed traffic is not
   susceptible to malware scanning and policies. Also, a savvy user with admin privileges on the
   client could modify the file.

STEP 1—Disable Tamper Protection

   1. In the WSS portal, navigate to Service mode > Mobility > WSS Agent.

   2. Select the Disable Tamper Protection option.

STEP 2—Create a JSON File

Create a JSON file that contains the executable bypass information.

  {
      "bypassExecutables": [
          {
              "executablePath": "C:\\Path\\To\\Executable.exe"
          },
          ...
      ]
  }

Where the value for executablePath is the path on the machine of the executable that is allowed.

When traffic is seen for a new process ID (PID), the WSS Agent driver queries the service to find the executable making the
call. If a PID is provided, which represents an executable that matches an executablePath, then all traffic from that process is
allowed and not sent to the WSS.

Your JSON must be well-formed. In particular, all values must be properly escaped, quoted, and there should be no trailing
hanging commas. You can use an online JSON validator to validate your JSON file.

https://jsonformatter.curiousconcept.com
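The two ways this file usually ends up malformed are unescaped backslashes in Windows paths and a comma after the last entry. The shell script below is an added example, not part of Symantec's guide: it generates the bypassExecutables document from a list of executable paths, writing each backslash as \\ and each double quote as \" and placing commas only between entries, and, when python3 is available, confirms the result parses without sending it to an online validator. The key names come from the JSON above; the function names and the sample paths are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Symantec's code): generate the bypassExecutables JSON
# described in the guide from a list of executable paths. Key names are the
# guide's; function names and the sample paths are constructed placeholders.

# Escape a string for use inside a JSON string literal (backslash and quote;
# the Windows paths this file carries contain no control characters).
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print a complete, well-formed JSON document with one entry per argument.
make_bypass_json() {
    printf '{\n  "bypassExecutables": [\n'
    first=1
    for path in "$@"; do
        # A comma only between entries, never after the last one.
        [ "$first" -eq 1 ] || printf ',\n'
        first=0
        printf '    { "executablePath": "%s" }' "$(json_escape "$path")"
    done
    printf '\n  ]\n}\n'
}

# Usage: make_bypass_json 'C:\path\one.exe' 'C:\path\two.exe' > bypass.json
# Offline well-formedness check with the python3 JSON parser, if present
# (an alternative to the online validator the guide mentions).
if command -v python3 >/dev/null 2>&1; then
    make_bypass_json 'C:\Path\To\Executable.exe' 'C:\Path\To\Other Client\app.exe' \
        | python3 -m json.tool >/dev/null && echo "generated JSON is well-formed"
fi
```

Redirect the output of make_bypass_json to the file you will host in STEP 3; because the entries are built from the arguments, the file is regenerated rather than hand-edited when an application is added or removed, which avoids reintroducing the escaping and trailing-comma mistakes.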

STEP 3—Host the JSON File

This file can be located local to the endpoint (and accessed through the file:// URI) or on an http:// or https:// website. If
hosting on an https:// website, the endpoint must trust the server certificate.

STEP 4—Send the WSS Agent Configuration Update

Use the CLI to modify the WSS Agent installation.

Windows
  "c:\Program Files\Symantec\WSS Agent\wssad.exe" -p additionalBypassUrl string

macOS
  $ sudo /opt/symantec/wssad -p additionalBypassUrl string

Where string is the URL of the JSON file.

The bypass takes effect following the next WSS Agent reconnection.

Next Step
    n   Proceed to "Set WSSA Network/Security Options" on page 35.

Connectivity: Distribute WSS Agent With GPO
This topic describes how to use Group Policy Object (GPO) to distribute the WSS Agent or Unified Agent to multiple Windows
clients so they can connect to the Web Security Service.

   Tip: This method does not support using a command line to add optional parameters.

Technical Requirements
This method requires the following.

    n   An understanding of the solution.

            o   "Connectivity: About the WSS Agent" on page 8—The Symantec-recommended solution.

            o   "Connectivity: About the Unified Agent" on page 57

                   Tip: This topic refers to the WSS Agent but also applies to the Unified Agent.

    n   A Windows 2008 or 2012 domain controller.

    n   A DNS server.

    n   The Active Directory (AD) and DNS must be functional; this includes the DNS lookups of the AD domain controller.

    n   Verify the client system can resolve the name of the AD server that contains the client library.

    n   Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more
        information, consult the following Knowledge Base article:

        https://knowledge.broadcom.com/external/article?legacyId=TECH242793

    n   The WSS Agent currently does not support IPv6 connections. The current best practice is to disable IPv6 on client
        systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.

Procedure

VPN Client Compatibility
The WSS Agent might conflict with other VPN clients, such as Cisco AnyConnect, that are installed on client
systems. You can configure full or split tunnel with additional configurations.

    n   Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS
        (Connectivity > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.

    n   Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.


Step 1—HTTP Proxy Connection Required?
For WSS Agent deployment, proceed to Step 2.

Navigate to Connectivity > WSS Agent.

    n   A scenario might require this or other clients to connect to the WSS through an HTTP proxy. For example, you have a test
        or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to
        Proxy Settings in agent, which makes the Proxy tab visible after installation.

    n   For increased security in a production installation, clear this option. The Proxy tab is then neither visible nor available
        on the Unified Agent application on the employee's client system.

           Tip: You cannot regain visibility of the Proxy tab post-installation. You must re-install the
           Unified Agent with this option enabled.

Step 2—Entrust Certificate Prerequisite
Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more
notes and installation steps, consult the following Symantec Knowledge Base article:

https://knowledge.broadcom.com/external/article?legacyId=TECH242793

Step 3—Download the Agent Installer.
If you downloaded the agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

   1. Navigate to Connectivity > WSS Agent.

   2. In the Installers area, click Windows: WSS Agent Download.

   3. If this is the first time you are attempting to download the application, the service displays the Profile dialog.

    As a company that provides security services across the globe, Symantec supports and complies with United States
    and local export controls. As an authorized member of your enterprise/organization, you must complete this form before
    downloading the WSS Agent.

        a. Click the Ensure...enterprise account link, which opens your Broadcom profile page.

        b. Complete your enterprise information and click Next.

        c. Verify and click Upgrade Account. Broadcom sends you a confirmation email.

        d. Return to the portal, log out, and log in again. If you do not, you still cannot download the agent.

 4. Download the installation file. If the location of the file is not a Windows share, create a share. Verify that the directory
    and files have Read and Execute file system rights.

Step 4—Distribute the Agent
 1. On the domain controller, click Start and select Control Panel > Administrative Tools > Active Directory Users and
    Computers.

 2. Right-click the domain and select Properties.

 3. On the Group Policy tab, click New. Name the policy, such as InstallCloudClientMSI. Highlight the new GPO object
    and click Edit.

 4. Navigate to Computer Configuration > Software Settings > Software installation.

        a. Right-click Software Installation and select New > Package.

                Note: Verify that you have a valid UNC path. Click My Network Places > Entire
                Network > Microsoft Windows Network > server_domain > server_name >
                client_binary_share_name > select_the_binary.

          b. For Deployment Method, select Assigned and click OK. If your new policy is not visible, right-click Software
             Installation and click Refresh.

   5. If the workstation properly joins the domain, the client installs on the second reboot (it reads policy on the first bootup) and
      executes policy. The workstation installs the client and reboots once more.

   6. Test.

Next Selection

WSS Agent

   n   "Set WSSA Network/Security Options" on page 35.

Unified Agent

   n   If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an
       HTTP Proxy" on page 75.

   n   If not, proceed to "Set WSSA Network/Security Options" on page 35.

Connectivity: Distribute WSS Agent With JAMF
To provide Web Security Service to remote users, you must download the WSS Agent and install it on client systems. See
"Connectivity: About the WSS Agent" on page 8.

JAMF provides a widely used software solution to distribute applications. This section describes how to distribute the
WSS Agent to clients. For general information about using JAMF policies and packages, see the user documentation for JAMF
at www.jamfsoftware.com.

Technical Requirement
   n   The WSS Agent currently does not support IPv6 connections. Symantec recommends that you disable IPv6 on client
       systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.

Procedure

VPN Client Compatibility
The WSS Agent might conflict with other VPN clients, such as Cisco AnyConnect, that are installed on client
systems. You can configure full or split tunnel with additional configurations.

   n   Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS
       (Connectivity > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.

   n   Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Step 1—Select End User Permissions
As best practice, Symantec recommends that you select how much control your employees have with the WSS Agent before
you push the agent to clients.

Navigate to Connectivity > WSS Agent. Locate the End User Permissions area.

Decide if the following features are applicable.

Enable Update Prompts

If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for
downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is
enabled.

Allow the Proxy Settings Tab

This option applies only to Unified Agent.

Allow Local Ability to Disable the Agent

If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

Require Token for Uninstalling

If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that
you define.

Step 2—Download the WSS Agent Installer.
If you downloaded the WSS Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

   1. In the Installers area, download the agent.

   2. If this is the first time you are attempting to download the application, the service displays the Profile dialog.

       As a company that provides security services across the globe, Symantec supports and complies with United States and
       local export controls. As an authorized member of your enterprise/organization, you must complete this form before
       downloading the Unified Agent. The fields with blue asterisks (*) are required.

       Click Save to update your profile and then close the dialog.

   3. Download the installation file.

Step 3—High-Level JAMF Procedure
   1. Create the upgrade packages for WSS Agent installation.

           Tip: If you deploy both the on-box and cloud versions of the agent on your network, create
           two packages with different names.

   2. Upload the packages to the JAMF file-distribution server. Place both packages in the same directory.

   3. Create a policy with the following settings.

           n   Category—Select the appropriate setting for your network.

           n   Triggers—Select the appropriate setting for your network.

           n   Execution Frequency—Once per device.

           n   Priority—Before. This permits the CMURL to be set before installation.

           n   Scope—Add the devices to update. Each of the devices must be marked as Managed.

           n   Restart—Not needed.

       The interface displays the new policy in the list.

What Occurs on Employee Clients?
After you use JAMF to push the update package, the following events occur on the employee OS X client.

   1. The client displays a Management Notification dialog.

   2. The employee follows the prompts to accept and install the WSS Agent application.

Employee Template
(Optional) To notify your impacted employees and provide them with instructions, consider using the following template. Copy
contents in an email; edit as needed; send.

[Company] is distributing a security update to your corporate Mac client. You will be prompted to [install / update] an application
called WSS Agent. Perform the following steps.

1. When your Mac client receives the update, the client displays a Management Notification.

2. To complete the installation, click through the prompts.

3. If the client displays a prompt to accept a certificate, accept it. This is required to receive the application.

If you have any questions or issues, contact IT.

Next Selection

WSS Agent

   n   "Set WSSA Network/Security Options" on page 35.

Unified Agent

   n   If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an
       HTTP Proxy" on page 75.

   n   If not, proceed to "Set WSSA Network/Security Options" on page 35.

Set WSSA Network/Security Options
The Web Security Service provides several options that allow you to specify how the WSS Agent behaves on the client and
how to route traffic.

Navigate to Connectivity > WSS Agent.

   Tip: This page does not contain an Apply button. Selecting the option sets the configuration, as
   indicated by the displayed message.

Determine Failure Behavior.
By default, the WSS allows remote clients unabated web access if the service becomes unavailable. For maximum security,
set the Fail Behavior to Block All Traffic until IT or Symantec restores the service.

Change Listening Ports (No CFS).
By default, the WSS accepts traffic from the WSS Agent installed on client systems on the common gateway ports
of 80 (HTTP), 443 (HTTPS) and 8080 (Explicit Proxy HTTP).

   Tip: Migration Scenario—You are migrating security to the WSS from on-premises Blue Coat
   ProxySG appliances, where the WSS Agent (proxy version) accessed numerous
   HTTP/HTTPS sites on non-standard ports. By default, the WSS is limited to the three standard
   web ports.

The default ports are not changeable, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS
traffic, configure the WSS to listen on those ports. For example, the WSS must also listen to ports 8000 (HTTP) and 8083
(HTTPS).

   1. Select View/Edit Ports.

   2. Ports—If your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate
      traffic type and entering the port. You can only enter one port in each field. You can add up to 1000 ports.

   3. Click Save.

Forward All Ports (CFS Only).
If you have enabled the Cloud Firewall Service on your WSS portal account, you must select the Forward all traffic from all
ports to WSS option.

   Note: This option is available in the portal only if your account has the CFS license provisioned.

Bypass IP addresses/subnets and domains.
By default, WSS bypasses the following RFC 1918 addresses.

    n   10.0.0.0/8

    n   169.254.0.0/16

    n   172.16.0.0/12

    n   192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly.

Personal choices or business requirements might require you to configure WSS to bypass additional IP addresses/Subnets
and Domains. For example, bypass test networks.

Clicking the Connectivity > Bypassed Traffic (bottom of page) link takes you to that screen, as this is a shared configuration
with other WSS features.

   n   For more details, see "Prevent IP/Subnet From Routing to the Web Security Service" on page 98.

   n   Allow remote client requests to bypass specific domains (only available for Unified Agent v4.4+). See "Prevent a Domain
       From Routing to WSS" on page 96.
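Both this section and "About Bypassed Non-Routable IP Addresses" earlier in the guide list the same four default-bypass prefixes, and this section adds that administrators can bypass further subnets. The shell script below is an added example, not Symantec's code, that reproduces the decision for a given destination: a dotted-quad address is tested against the four default blocks and against any extra CIDR blocks passed as further arguments, and the result says whether the client would connect directly or tunnel to WSS. This is useful when troubleshooting why a particular destination did or did not reach the service. One note on the list itself: 169.254.0.0/16 is the IPv4 link-local range (RFC 3927) rather than an RFC 1918 private range, but it is bypassed the same way. Function names and sample addresses are constructed; 203.0.113.0/24 is an RFC 5737 documentation range standing in for an administrator-added subnet.

```shell
#!/bin/sh
# Added example (not Symantec's code): decide whether a destination IPv4
# address is bypassed (direct connection) or tunnelled to WSS, using the four
# default prefixes from the guide plus any extra CIDR blocks passed in.
# Function names and sample addresses are constructed.

# The four prefixes the guide lists as bypassed by default. 169.254.0.0/16 is
# link-local (RFC 3927), not RFC 1918, but the agent treats it the same way.
WSS_DEFAULT_BYPASS="10.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.168.0.0/16"

# Dotted quad -> 32-bit integer (expects four numeric fields).
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when address $1 lies inside CIDR block $2 (for example 172.16.0.0/12).
in_cidr() {
    ci_addr=$(ip_to_int "$1")
    ci_net=$(ip_to_int "${2%/*}")
    ci_bits=${2#*/}
    # Netmask with the top $ci_bits bits set; the & keeps it to 32 bits on 64-bit shells.
    ci_mask=$(( (4294967295 << (32 - ci_bits)) & 4294967295 ))
    [ $(( ci_addr & ci_mask )) -eq $(( ci_net & ci_mask )) ]
}

# Exit 0 (bypass) when $1 matches a default block or any extra block given as
# further arguments; exit 1 when the request would be tunnelled to WSS.
wss_bypassed() {
    wb_addr=$1
    shift
    for block in $WSS_DEFAULT_BYPASS "$@"; do
        if in_cidr "$wb_addr" "$block"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample destinations, checked with one extra administrator-added
# bypass subnet (203.0.113.0/24, an RFC 5737 documentation range).
for dest in 10.1.2.3 172.31.255.255 172.32.0.1 169.254.1.1 203.0.113.7 198.51.100.9; do
    if wss_bypassed "$dest" 203.0.113.0/24; then
        printf '%-16s bypass (direct)\n' "$dest"
    else
        printf '%-16s tunnel (WSS)\n' "$dest"
    fi
done
```

The 172.16.0.0/12 case is the one most often misjudged by hand: 172.31.255.255 is inside the block and bypassed, while 172.32.0.1 is outside it and is tunnelled. Pass the same extra blocks you have configured on the Bypassed Traffic page to see what the agent will do for a given destination.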

Define Agent Connection Options.

  a. Block IPv6 traffic—Applies to WSS Agent v5.x and below.

       Blocks requested connections to destinations with IPv6 addresses when resolved by DNS. This includes traffic destined
       for non-local forwarded ports.

       IPv6 addresses are allowed under the following scenarios.

           n   IPv6 traffic is destined for local addresses (link-local and unique local addresses).

           n   IPv6 traffic is destined for a non-forwarded port (80, 443, and 8080 by default).

  b. Select Allow HTTP/3 only if a business requirement or a preference for the highest performance justifies letting
     HTTP/3 (formerly QUIC) connections bypass the service. For more information, see the HTTP/3 section in "Connectivity:
     About the WSS Agent" on page 8.

  c. Disable Tamper Protection—Select this option if your preference is to allow WSS Agent to fail-open (allow connections)
     should the agent be unable to connect to WSS. Be advised that these connections are not susceptible to policy checks
     and malware detection.

  d. Ignore Proxy Settings—Applies to WSS Agent v4.x and below.

       The WSS Agent establishes a direct VPN tunnel, bypassing any proxy setting that an endpoint user attempts to
       define. However, Ignore Proxy Settings applies only to the tunnel creation. If the CTC connection fails, this setting
       cannot be retrieved. For an on-premises WSS Agent to go passive successfully, any on-premises firewall/proxy must
       bypass traffic to https://ctc.threatpulse.com.

  e. Applies to WSS Agent v6.x and below.

        By default, a WSS Agent process sends the User ID through the tunnel to WSS. This ensures an accurate account of
        who initiated the request and allows for policy enforcement and reporting. Your network might have third-party products
        that also intercept these connections, which causes WSS to erroneously view the username as something similar to the
        following. Examples of these products include anti-virus programs and applications that run browsers in a secure virtual
        container.

               NT AUTHORITY\SYSTEM

        This prevents user-based policy enforcement and reporting. To be compatible with third-party interceptions that cause
        this issue, instruct the WSS Agent to send the logged-in username.

        Select Logged in User ID from the Username Format drop-down list.

           Tip: For a current list of known third-party applications that cause this issue, see NT
           AUTHORITY\SYSTEM Username Returned From the UA.

Select End User Permissions
As described in the best practices in "Connectivity: Install the WSS Agent" on page 17, decide how much control your employees
have over the WSS Agent before you push the agent to clients.

On the WSS Agent page, locate the End User Permissions area.

Decide if the following features are applicable.

    n   Enable update prompts.

        If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for
        downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default
        is enabled.

    n   Allow the Proxy Settings tab. This option applies only to the Unified Agent.

        Whether to allow employees access to the Proxy Settings tab in their Unified Agent application is a decision to make
        before installation.

        This option does not change the system proxy settings for any other application on the client system; it only affects
        how the Unified Agent connects its tunnels. Typically, the Unified Agent honors the system proxy setting. This option
        disables that, and connections are made directly instead; the Unified Agent never connects through a proxy (but see the
        browser note below). This option is for the very specific case where your environment has proxy settings, but you do not
        want the Unified Agent to use them when connecting to CTC or establishing its tunnels.

        The proxy that is used is the proxy configured for the user that owns the process.

            n   macOS—One set of proxy settings applies.

            n   Windows—The CTC sees connection requests from the SYSTEM user, whose proxy can come from WPAD, a PAC file, or
                explicit proxy address/port settings.

           Tip: Browser configurations are completely separate. The Unified Agent cannot control the
           browser's behavior relating to proxies. That is, if a proxy is set in the particular browser
           (wherever that browser stores it), that proxy setting is honored.

    n   Allow local ability to disable the agent.

        If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

    n   Require a token for uninstallation.

        If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a
        token that you define.

(Optional) Enable challenge-based authentication (Captive Portal).
Applies to WSS Agent v6.x and below. This option requires deployment of the Auth Connector application, which integrates with
your Active Directory to provide username and group information.

To enforce accurate user credentials rather than rely on locally cached credentials:

   1. Navigate to Identity > Authentication Policy (or click the link on the WSS Agent page).

   2. Expand the Authentication Policy area.

   3. Click the Edit icon at the end of Rule G4.