Web Security Service Connectivity: WSS Agent and Unified Agent

Post on 08-May-2022



Copyrights

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.

Copyright © 2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.


Symantec Web Security Service: WSS Agent Guide

The Symantec Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product, the Web Security Service leverages Symantec's proven security technology, including the WebPulse™ cloud community.

With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to create and enforce granular policies that are applied to all covered users, including fixed locations and roaming users.

To provide security to employees who take corporate clients beyond the corporate network, such as taking laptops on business trips, the WSS Agent routes web requests through WSS when connecting from a non-corporate network.

Table Of Contents

Symantec Web Security Service: WSS Agent Guide (page 4)
  Table Of Contents (page 4)
WSS Agent (page 7)
  Connectivity: About the WSS Agent (page 8)
    Why Select This Method? (page 8)
  Connectivity: Install the WSS Agent (page 17)
    Technical Requirements (page 17)
    About the WSS Root Certificate (page 17)
    About the WSS Agent Installation or Upgrade (page 18)
    About Bypassed Non-Routable IP Addresses (page 18)
    Procedure—Prepare for Installation (page 18)
    Procedure—Install the WSS Agent (page 20)
  Connectivity: Distribute WSS Agent With GPO (page 27)
    Technical Requirements (page 27)
    Procedure (page 27)
  Connectivity: Distribute WSS Agent With JAMF (page 31)
    Technical Requirement (page 31)
    Procedure (page 31)
  Set WSSA Network/Security Options (page 35)
  About the WSS Agent UI (page 42)
    System Tray/Menu (page 42)
    Agent Interface (page 42)
    About Tab (page 43)
    Available Updates (page 43)
  Disable the WSS Agent (page 45)
    Procedure (page 45)
  Agent Logging (page 47)
  SymDiag Application For WSS Agent on Windows (page 48)
    Technical Requirements (page 48)
    Procedure (page 48)
  Debugging Script for WSS Agent on Mac Systems (page 52)
    Technical Requirements (page 52)
    Procedure (page 52)
  WSS Agent 7.x—Tunnel Error (page 54)
  Uninstall the WSS Agent (page 55)
    Windows (page 55)
    macOS (page 55)
Unified Agent (page 56)
  Connectivity: About the Unified Agent (page 57)
    Why Select This Method? (page 58)
    HTTP/3 (page 62)
    About Proxy Avoidance Attempts (page 62)
    About Password Protection (page 62)
    About SSL Certificate Installation (page 62)
    About Challenge-based Authentication (Captive Portal) (page 63)
    About IPv6 IP Addresses (page 63)
    About Time Zones (page 63)
    About Hybrid Policy and Unified Agent Connections (page 63)
  Connectivity: Manually Deploy the Unified Agent (Windows) (page 66)
    Technical Requirements (page 66)
    About Bypassed Non-Routable IP Addresses (page 66)
    Procedure (page 67)
  Connectivity: Manually Deploy the Unified Agent (Mac) (page 71)
    Technical Requirements (page 71)
    About Bypassed Non-Routable IP Addresses (page 71)
    Procedure (page 72)
  Route Remote Connections Through an HTTP Proxy (page 75)
    Deployment Notes (page 75)
  Manually Disable the Unified Agent (page 78)
    Activate the Disable Option (page 78)
    Instruct Employees How to Disable the Unified Agent (page 78)
  Uninstall the Unified Agent (page 79)
    Available Options (page 79)
    Unified Agent—With Uninstall Token (page 79)
    Information (page 79)
    Procedure (page 79)
    Windows (page 80)
    OS X (page 81)
    No Token Defined/Client Connector (page 82)
    Reference—MSI Versions (page 82)
    MSI Version Mis-Match (Unknown MSI) (page 82)
Troubleshoot... (page 84)
  Unified Agent Connection Troubleshooting (page 85)
  Manage Web Security Service Client Connections (page 89)
    Manually Disable the Unified Agent (page 90)
    Review System Events Generated by Remote Clients (page 91)
    Capture Remote Client Trace Log (page 92)
  Verify Mobile Connections (page 94)
    About Device Visibility (page 94)
    View Devices (page 94)
    Page Options (page 95)
  Prevent a Domain From Routing to WSS (page 96)
    Notes (page 96)
    Procedure—Manually Add Domain Entries (page 96)
    Import IP Address Entries From a Saved List (page 97)
  Prevent IP/Subnet From Routing to the Web Security Service (page 98)
    Notes (page 98)
    Procedure—Manually Add IP Addresses (page 98)
    Import IP Address Entries From a Saved List (page 99)
Reference: Windows WSSA/UA Package Versions (page 100)


WSS Agent

The WSS Agent is the Symantec-recommended agent for supported Windows 10+ and macOS High Sierra+ clients.

• "Connectivity: About the WSS Agent" on page 8

• "Connectivity: Install the WSS Agent" on page 17

• "Connectivity: Distribute WSS Agent With GPO" on page 27

• "Connectivity: Distribute WSS Agent With JAMF" on page 31

• "Set WSSA Network/Security Options" on page 35

• "About the WSS Agent UI" on page 42

• "Disable the WSS Agent" on page 45

• "SymDiag Application For WSS Agent on Windows" on page 48

• "Debugging Script for WSS Agent on Mac Systems" on page 52

• "Uninstall the WSS Agent" on page 55


Connectivity: About the WSS Agent

WSS Agent is a powerful, flexible, cloud-directed WSS connectivity method. WSS Agent uses a VPN tunnel to securely route traffic from the end user's machine to WSS. Two major benefits of this connection method are redirection of non-standard web traffic and an extra layer of data privacy on public WiFi networks.

When installed on client systems, the WSS Agent works as part of the client system's configuration. After the application is installed, no further configuration is required on the client system. It directs content requests to WSS over a secure connection (port 443). To enforce proxy avoidance, the WSS Agent detects HTTP proxy requests destined for any external, non-WSS IP address and redirects them to WSS. Because such requests are redirected, the user cannot circumvent filtering and malware scanning.

The WSS Agent provides additional security features.

• The WSS Agent prevents employees from stopping and starting the service from the Services Management Console, even if the employee has Windows Administrator privileges.

• You can give employees the ability to temporarily disable the WSS Agent should they experience connection issues.

Why Select This Method?

Benefits:

• Always active. The user does not have to log in to the agent.

• Works in the background and is transparent to users.

• Captures the user and system names for reporting.

• Viable security solution for premises with fewer than 100 clients where location-based network infrastructure (such as a firewall) is not available.

Select another method if:

• You want to manage remote clients through multiple PAC files (use the SEP solution instead).

• You require IPv6 support. The WSS Agent does not currently support IPv6 connections; a future update will provide support.


Use Cases

Remote, Off-Corporate Network

Your business has one or more physical locations. On-premises infrastructure, such as proxies or firewall devices, provides security to your corporate-controlled internet connections. Some employees work remotely or take their laptops when traveling and connect to the internet from an off-corporate network, such as a hotel or other commercial property WiFi.

1—A sales person is on site at a corporate location. The client system recognizes the corporate internet connection and the WSS Agent remains in Passive Mode. All internet requests proceed through the on-premises gateway infrastructure. If WSS is providing security, the connection occurs through a defined location. For example, the proxy appliance or firewall device is configured to connect to the Santa Clara datacenter VIP. Security policies are applied for that location and/or the logged-in user or group name.

2—The sales person then takes a flight to the southern United States and checks into a hotel. The WSS Agent is now engaged and connects to the nearest WSS datacenter, which in this example is Dallas (for more details about the cloud service connections, see the next section). You might elect to define a separate set of web-use policies for WSS Agent connections. For example, you allow access to more leisure categories after work hours because employees are spending personal time away from home.

Small Office

• Your business might be small, typically defined as fewer than 100 employees, and thus you do not have advanced network infrastructure, such as firewall devices or proxies that forward internet traffic.

• Or your business might have micro-branches, or smaller locations where it does not make sense to invest in and support the network infrastructure that your larger sites require.


In these cases, the WSS Agent is a viable, low-touch method to provide web security and enforce web-use policies.

The WSS Agent connects through the location's ISP to the nearest WSS datacenter.

Tip: It is possible for the WSS Agent to connect to a specific datacenter. If your business requires specific location connections, contact Symantec Technical Support to request assistance.


How the WSS Agent Connects

The WSS Agent connects to WSS when a user logs on (or if there is a connection error from another method). The agent and the service perform a series of checks in preparation for web requests, as the following flow describes.

1—A sales person on a business trip logs in.

• The WSS Agent initiates a connection over port 443 to the Client Traffic Controller (CTC) in the closest WSS datacenter (WSS can return availability from up to three geographical datacenters).

• If the WSS Agent detects any of the following tampering, the connection is refused and the client receives an exception; otherwise, the connection continues.

  ◦ The WSS Agent detects that the configuration store (which contains your customer ID, failure mode, and tamper detection settings) has been modified outside of the application itself.

  ◦ The WSS Agent detects an attempt to bypass WSS through entries in the hosts file.

  ◦ The WSS Agent is unable to validate the SSL connection for the VPN tunnel to the service.

• If WSS determines that the connection is from a defined corporate location, the WSS Agent remains in passive mode.

• WSS checks whether a WSS admin has configured the portal to block this WSS Agent (for example, a laptop was lost or stolen and the admin wants to prevent the connection).

• For all web content requests, WSS applies checks against the WSS bypass list, acceptable web use policies, and malware scanning results.

2—A request for internally-hosted content, or for content on a bypass list, never reaches WSS.
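The hosts-file tamper check in the flow above is something an administrator can also run independently, for example from an endpoint inventory or incident-response script, to find the same override before the agent refuses to connect. The following Python is an added example and not Symantec's code: it parses a hosts file the way the resolver reads it (full-line and trailing comments, tabs, several aliases on one line, IPv4 and IPv6 literals) and reports every mapping that would override a threatpulse.com hostname such as ctc.threatpulse.com. The watched domain suffix and the sample hosts content are constructed for illustration.

```python
"""Report hosts-file entries that override WSS service hostnames.

Added example; not Symantec's code. The agent refuses to connect when it finds
such tampering; this script lets an administrator find it independently.
"""
import ipaddress
import re
from typing import Iterable, Iterator, List, NamedTuple, Tuple

# ctc.threatpulse.com is named on this page; watching the whole parent domain
# is an assumption made for illustration.
WATCHED_SUFFIXES = ("threatpulse.com",)


class HostsOverride(NamedTuple):
    line_no: int
    address: str
    hostname: str


def parse_hosts(lines: Iterable[str]) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, address, hostname) for every mapping in hosts-file text.

    Handles full-line and trailing '#' comments, blank lines, tabs, and the
    alias form "addr host1 host2". Lines whose first field is not an IPv4 or
    IPv6 literal are skipped, as the resolver skips them.
    """
    for line_no, raw in enumerate(lines, start=1):
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        fields = re.split(r"\s+", text)
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for hostname in fields[1:]:
            # Hostnames are case-insensitive; a trailing dot is an absolute name.
            yield line_no, str(address), hostname.lower().rstrip(".")


def find_wss_overrides(hosts_text: str, suffixes=WATCHED_SUFFIXES) -> List[HostsOverride]:
    """Return every mapping whose hostname is, or is under, a watched domain."""
    hits: List[HostsOverride] = []
    for line_no, address, hostname in parse_hosts(hosts_text.splitlines()):
        if any(hostname == s or hostname.endswith("." + s) for s in suffixes):
            hits.append(HostsOverride(line_no, address, hostname))
    return hits


# Constructed sample: a normal file plus two tampering attempts.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
10.1.2.3   intranet.example.corp      # legitimate internal host
0.0.0.0    CTC.threatpulse.com        # null-routes the Client Traffic Controller
203.0.113.9   ctc-alt.threatpulse.com   ctc.threatpulse.com.
"""

if __name__ == "__main__":
    for hit in find_wss_overrides(SAMPLE_HOSTS):
        print(f"line {hit.line_no}: {hit.hostname} -> {hit.address}")
```

To check a real endpoint, pass the contents of C:\Windows\System32\drivers\etc\hosts (Windows) or /etc/hosts (macOS) to find_wss_overrides; any hit is a reason to expect the connection refusal described above.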


WSS Agent Connection Concepts

This section provides technical details about how the WSS Agent connects to WSS.

CTC Issues

If the CTC is not able to respond, the WSS Agent uses a cached connection list and displays a warning.

VPN Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.

• Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS (Connectivity > Locations). This enables WSS to enter Passive mode when on the Location network.

• Split Tunnel—Add the IP address of the VPN server to the bypass list to prevent connection flapping.

Single Tunnel Default

Applies to WSS Agent 7.1+.

By default, the agent operates in Single Tunnel Mode. This single tunnel behaves as both a system tunnel and a user tunnel. All traffic generated by the device (regardless of originating process) is attributed to the logged-in user of the client.

Windows Only—You might have an environment where several users concurrently log in without a physical console. For example, multiple users concurrently log in to a machine-only test environment through Remote Desktop. You can distribute WSS Agent 7.1+ with an installation option that supports this deployment. This is described in the installation topic.

HTTP/3

HTTP/3 is the third major version of the HTTP protocol. It runs over QUIC (Quick UDP Internet Connections), a UDP-based transport that Google introduced in 2013 and that is designed to reduce latency compared with TCP-based HTTP/HTTPS connections. Browsers with HTTP/3 enabled and smaller devices receive the benefit. Chrome has included QUIC support since version 29 (see chrome://net-internals/#quic), and other browsers are beginning to include HTTP/3.

To allow for a seamless experience, when clients send web requests that are intercepted for processing (such as by WSS for security purposes), the connections revert to TCP.

If you have a business requirement or a preference for the highest performance, you can instruct WSS to bypass HTTP/3 connections. Be aware of the lessened security that results from this option. Because HTTP/3 is UDP-based, these connections are bypassed at the client endpoint, which means the traffic is neither checked against policy nor visible in WSS Agent reporting. Select this bypass option only if the highest performance for these clients supersedes the security requirement.


Proxy Connections

The CTC uses the system proxy settings (and, if specified, the PAC file and/or WPAD) in its connection to ctc.threatpulse.com.

Windows—Uses the proxy settings of the currently logged-in console user (the user physically logged into the device). If there is no currently logged-in console user (for example, a remote desktop session), the proxy settings of the SYSTEM user are used.

macOS—Uses the proxy settings of the main network device (the one from which requests for ctc.threatpulse.com are routed).

• If a proxy was used for the actual CTC request, then tunnels are opened using the same proxy server that was resolved for ctc.threatpulse.com.

• If a proxy was not used for ctc.threatpulse.com, then tunnels are opened using a direct connection to the individual connect list items.

The proxy used is the same IP address and port as the proxy used in the actual CTC request.

After two consecutive CTC connection failures, the system proxy is ignored and a direct connection is attempted instead.

Note: Authenticating proxies are not supported on either platform. This is a limitation of the operating systems themselves.

Proxy Avoidance Attempts

To enforce proxy avoidance, the WSS Agent detects proxy-style HTTP requests in outbound streams on ports other than those configured to be forwarded to the service (typically 80 and 443). Those connections are forwarded to WSS instead of to the originally specified proxy.

The WSS Agent does not interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt. If your deployment uses a PAC file to manage outbound web connections, the WSS Agent detects it and uses that connection to forward web traffic (on ports 80 and 443 by default). If the WSS Agent cannot connect using the PAC settings, it attempts a direct connection to the WSS IP address. You can allow additional ports.
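The detection described above rests on a wire-level distinction: a request aimed at an explicit proxy looks different from a request aimed at an origin server. The following Python is an added example, not Symantec's code and not the agent's documented implementation, showing how to classify the first line of an outbound TCP payload as a proxy-style request (CONNECT, or a method with an absolute-URI target) on a port that is not already forwarded to the service. The forwarded-port set and the sample flows are constructed for illustration.

```python
"""Flag proxy-style HTTP requests on ports the agent does not already forward.

Added example; not Symantec's code. It mirrors the behaviour described above:
an explicit-proxy request (CONNECT, or a method with an absolute-URI target)
seen on a port outside the forwarded set is a proxy-avoidance attempt.
"""
from typing import NamedTuple, Optional

# Ports already forwarded to WSS (the page says typically 80 and 443); assumed here.
FORWARDED_PORTS = {80, 443}


class ProxyRequest(NamedTuple):
    method: str
    target: str
    form: str  # "CONNECT" or "absolute-form"


def detect_proxy_request(payload: bytes, dst_port: int) -> Optional[ProxyRequest]:
    """Return a ProxyRequest if `payload` opens an HTTP request aimed at a proxy.

    A direct origin request carries a path target ("GET / HTTP/1.1"); a request
    to an explicit proxy carries either CONNECT host:port or an absolute URI
    ("GET http://host/ HTTP/1.1"). Traffic on FORWARDED_PORTS is left alone
    because it already goes to WSS; anything that is not an HTTP request line
    (TLS records, binary protocols) yields None.
    """
    if dst_port in FORWARDED_PORTS:
        return None
    request_line = payload.split(b"\r\n", 1)[0]
    try:
        method, target, version = request_line.decode("ascii").split(" ")
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    if method == "CONNECT":
        return ProxyRequest(method, target, "CONNECT")
    if target.lower().startswith(("http://", "https://")):
        return ProxyRequest(method, target, "absolute-form")
    return None


# Constructed sample flows: (destination port, first bytes of the outbound stream).
SAMPLE_FLOWS = [
    (3128, b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    (8080, b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"),
    (8080, b"GET /status HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    (443, b"GET http://example.com/ HTTP/1.1\r\n\r\n"),   # already forwarded
    (8443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello
]


def scan_flows(flows=SAMPLE_FLOWS):
    """Return (port, ProxyRequest) for every flow that looks like proxy avoidance."""
    hits = []
    for port, payload in flows:
        found = detect_proxy_request(payload, port)
        if found is not None:
            hits.append((port, found))
    return hits


if __name__ == "__main__":
    for port, req in scan_flows():
        print(f"port {port}: {req.form} {req.method} {req.target} -> redirect to WSS")
```

Only the first two sample flows are flagged: the origin-form request on 8080 is an ordinary direct connection, the absolute-form request on 443 is already forwarded, and the TLS record is not an HTTP request line at all.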

SSL Certificate Installation

The WSS Agent-to-CTC connection requires the WSS root certificate. WSS Agent installations also install this certificate. If the certificate is not present, the WSS Agent remains operational but might fail to connect to the CTC in the datacenter. If this occurs, the agent reverts to the last-received connection list.

Upon installation, the WSS Agent installs the WSS root certificate. If the certificate is not installed because of unforeseen permission issues, you can manually download and install it.

Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access. Note that WSS Agent version 7.x does not support Captive Portal (see the Technical Requirements under "Connectivity: Install the WSS Agent").


MAC CLIENT NOTE

You can install WSS Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client; the domain defaults to the single domain in the AD. You can also enable the Captive Portal feature, which makes users and groups available for policy checks.

Hybrid Policy and WSS Agent Connections

If you are employing the Symantec Hybrid Policy solution, the WSS Agent has slightly different connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use common policy. The client workstations that use that common policy proxy have the WSS Agent installed. Normally, the WSS Agent is in passive mode on workstations connecting from behind a proxy that is providing common policy.

Noticeable Behavior

• On the WSS portal, when the Location status changes from green to red, all new WSS Agent connections switch to active mode instead of passive.

• After a networking event, such as a change in IP address, while the Location is red, the WSS Agent switches to active.

• When the Location status is green, the WSS Agent switches to passive mode.

If the common policy proxy is unable to establish a connection to the portal for approximately 35 minutes, the hybrid location changes from green to red. If the WSS Agent is in passive mode, it remains passive unless a networking event occurs. The WSS Agent goes to active mode for all new connections from that red-status network. This is by design: if the on-premises ProxySG appliance is experiencing issues and is configured to fail open, the WSS Agent must be in active mode for WSS to provide protection.

Tip: If you notice that the WSS Agent is switching to active mode for reasons not described above, check the hybrid location in the portal. If the hybrid location status is red, check connectivity between the on-premises ProxySG appliance and WSS (this might require a packet capture to diagnose). You can run the update-now command while in the cloud-service configuration mode to generate traffic destined for the service.


About WSS Agent Performance

As discussed in the topic introduction, WSS Agent uses a VPN tunnel. All VPNs impact performance. Depending on network conditions, explicit proxy redirection might significantly outperform WSS Agent in controlled lab testing. Fortunately, the impact is rarely noticeable in real-world usage. While it is impossible to predict the performance impact from one user to the next, WSS Agent should easily achieve the speeds required to handle the latency-sensitive needs of power users. Typically, these users rely on modern cloud applications, such as the following platforms and examples:

• HD conferencing applications (Zoom, Webex, and Microsoft Teams)

• HD video streaming (YouTube and Vimeo)

• Business productivity applications (Office 365 and G Suite)

• Collaboration applications (Slack and Google Chat)

• Online file storage and sharing (Box, Dropbox, and Microsoft OneDrive)

Performance Best Practices

• Deploy the most recent WSS Agent release. Because Symantec provides performance improvements in each release, maintaining the most current WSS Agent version yields the best results.

• For trusted applications that require near line-speed performance, consider adding the application to the WSS Agent bypass feature.

• If bypass is not possible, switching to the Symantec Endpoint Protection (SEP) Agent solution is another option. SEP Agent connects to WSS using explicit proxy redirection, which is typically faster than WSS Agent.


Connectivity: Install the WSS Agent

This topic describes what is required and how to manually install the WSS Agent on a supported Windows or macOS client.

Technical Requirements

• Supported clients:

  ◦ 64-bit Windows 10 Professional, Enterprise, or Education, version 1703 or later

  ◦ macOS High Sierra or later

Note: You must use the fully patched vendor-provided versions of the operating systems. All attempts to install on an unsupported OS fail.

• SEP 14.2 with WTR (Web Traffic Redirection) running in parallel with WSS Agent is not a supported configuration.

• Protocols: UDP, SSL, TCP

• Port 443 to ctc.threatpulse.com (for TCP, UDP, and software updates)

• Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more information, consult the following Knowledge Base article:

https://knowledge.broadcom.com/external/article?legacyId=TECH242793

• On macOS, the contents of the stamped installer are notarized using Apple's notarization process. This means that the driver, service, and all parts of WSS Agent function correctly on a system that requires notarization. However, the .pkg file itself is not notarized. If you require a notarized .pkg file, contact Symantec Technical Support.

• The WSS Agent currently does not support IPv6 connections. The best practice is to disable IPv6 on client systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.

• Not supported:

  ◦ Long-Term Servicing Channel (LTSC). Microsoft intends LTSC to be used only for specialized systems.

  ◦ Captive Portal with WSS Agent version 7.x. If Captive Portal is a current requirement, do not upgrade to WSSA 7.x.

About the WSS Root Certificate

• When you install WSS Agent on endpoint clients, the WSS root certificate is also installed.

• If you install or upgrade to WSS Agent version 7.x, the installation removes the root certificate that expires in September 2021 and installs the new certificate that expires in September 2036.

• If you do not want the new certificate, remove it from the trust store. Be advised that without the certificate, clients receive certificate errors when SSL sites are intercepted.

• If you want to retain the older certificate, add it to the trust store after installation or upgrade.

About the WSS Agent Installation or Upgrade

• You can upgrade from the Unified Agent or from previous versions of the WSS Agent; however, if the Unified Agent was installed with custom options, they are not preserved or migrated to the WSS Agent.

• You can configure the portal to automatically update the WSS Agent; however, if you are upgrading from the Unified Agent to the WSS Agent, you must push a new installation notification to all clients, and clients require a reboot.

• Subsequent WSS Agent upgrades do not require a client system reboot.

About Bypassed Non-Routable IP Addresses

By default, WSS bypasses the following non-routable ranges: the three RFC 1918 private address blocks plus the RFC 3927 link-local block (169.254.0.0/16, which is not part of RFC 1918).

• 10.0.0.0/8

• 169.254.0.0/16

• 172.16.0.0/12

• 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly.

Procedure—Prepare for Installation

VPN Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.

• Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in WSS (Connectivity > Locations). This enables WSS to enter Passive mode when on the Location network.

• Split Tunnel—Add the IP address of the VPN server to the bypass list to prevent connection flapping.

Step 1—Select End User Permissions

As a best practice, Symantec recommends that you select how much control your employees have over the WSS Agent before you push the agent to clients.

Navigate to Connectivity > WSS Agent. Locate the End User Permissions area.


Decide if the following features are applicable.

Enable Update Prompts

If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.

Allow the Proxy Settings Tab

This option applies only to Unified Agent.

Allow Local Ability to Disable the Agent

If you select Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

Require Token for Uninstalling

If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that you define.

Step 2—Download theWSS Agent Installer.

1. In the Installers area, click the WSS Agent Download button.

2. If this is the first time you are attempting to download the application, the service displays the Profile dialog.


As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the WSS Agent.

a. Click the Ensure...enterprise account link, which opens your Broadcom profile page.

b. Complete your enterprise information and click Next.

c. Verify and click Upgrade Account. Broadcom sends you a confirmation email.

d. Return to the portal, log out, and log in again. If you do not, you still cannot download the agent.

3. Download the installation file and place it in a network location that is accessible by test clients.

Procedure—Install the WSS Agent

The installation varies depending on the OS and on whether you want to install with additional options.

Installation Options

When installing on clients, you can install the app with default settings or use the CLI to install with additional options.

• MSI (Windows clients only)—The Microsoft msiexec command line provides multiple options, which are detailed on the Microsoft website.

https://docs.microsoft.com/en-us/windows/desktop/Msi/command-line-options

The following options are most relevant to the WSS Agent.

  ◦ /passive—Installs without user intervention

  ◦ /l*v \Path\To\install.log—Writes the installation process to a log file (given by \Path\To\install.log). This option provides installation debugging information.

• Configuration Options—You can append the following options to an installation:

  ◦ Specify whether or not to attempt UDP connections. By default, the WSS Agent attempts a UDP connection but reverts to TCP if that is not possible. You can elect to always connect through TCP or exclusively through UDP (never attempt TCP); however, if the connection cannot be established using the given protocol, the connection fails and the agent enters the configured failure mode.

  ◦ Specify the packet size attempted when sending a PMTU check. This is an option when the connection continues to fall back to TCP transport because the ping containing the default byte size never receives a response.

  ◦ Disable all real-time statistics collection. No new data is collected and no data purging occurs. You might do this if the WSS Agent is experiencing performance issues.

  ◦ Specify the number of days to retain real-time statistics.

  ◦ (WSS Agent 7.1+ only) Enable Multiple Concurrent Users mode instead of the default Single Tunnel Mode.

If you think one or more of these options might suit your deployment or testing needs, consult the configuration descriptions in the next sections. They contain command syntax and more details.

Windows Application

1. Put the installer on the test client.

2. Launch the installer.

a. In Windows, navigate to the directory where you saved the wssa-.<snip>.msi file.

Record the full MSI name; it might be required for future uninstallation tasks.

b. Double-click the file, which launches the installer.

3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

4. Click Install. The installation begins.

5. Click Finish to complete the installation. The service displays the Installer Information dialog.

6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

Windows CLI—Options Available

You must have Administrator privilege.

1. Put the installer on the test client.

2. Syntax: msiexec -i \Path\To\wssa-installer.msi MSI_options configuration_options

Where \Path\To is the location of the installer on your client system. For example: C:\Downloads\.

msiexec -i C:\downloads\wssa-installer.msi

3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

4. Click Install. The installation begins.


5. Click Finish to complete the installation. The service displays the Installer Information dialog.

6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

Example—Install with MSI options.

• /passive—Installs without user intervention

• /l*v \Path\To\install.log—Writes the installation process to a log file (given by \Path\To\install.log). This option provides installation debugging information.

msiexec -i C:\downloads\wssa-installer.msi /passive /l*v C:\downloads\install.log

Example—Install with MSI and configuration options.

• minPMTU = [0-1500]

The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints without fragmentation. This has implications for UDP connections, which require retransmissions if packets are fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. It is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically connect using UDP. The default is 1492.

• enableUDP = [true | false | exclusive]

  ◦ true—Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine whether PMTU is limited along the path. If UDP is not possible, the connection defaults to TCP.

  ◦ false—Never attempt UDP connections. PMTU is never attempted.

  ◦ exclusive—Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is dropped.

• disableStats = [true | false]

The default is false. Setting this to true disables all activities surrounding real-time stats collection; that is, no new data is added, nor does any purging occur.

• statsRetentionDays = [0-14]

Specifies the number of days to retain real-time statistics. The default is 14. Setting this to 0 retains data since midnight UTC of the current day. Any data from before midnight UTC the specified number of days ago is removed. For example, if the setting is 1, data from before midnight UTC yesterday is purged. Purging occurs every time the client is started and roughly every 30 minutes while WSS Agent is running. If disableStats is set to true, this option has no effect.

msiexec -i C:\downloads\wssa-installer.msi /passive CUSTOM_CONFIG=enableUDP=exclusive,statsRetentionDays=1

• MCU=1

Applies to WSS Agent 7.1+. Enables Multiple Concurrent Users mode. This is for the use cases where multiple users log in to a machine through remote desktop or for console-less users.

macOS Application

1. Put the installer on the test client.

2. Launch the installer.

a. Open the wssa-5.0.1.<snip>.dmg file by double-clicking it.

Symantec strongly recommends that you record the full .dmg name; it might be required for future uninstallation tasks.

b. Double-click the .pkg file, which launches the installer.

3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

4. Click Install. The installation begins.

5. Click Finish to complete the installation. The service displays the Installer Information dialog.

6. Only required if upgrading a client from Unified Agent: click Yes to reboot the computer.

macOS CLI: Options Available

1. Open the .dmg file using the macOS hdiutil attach command and install the .pkg file using the macOS installer command. Consult the Apple man pages for more details.

For example, the following three commands attach the disk image, install the package, and detach the disk image.

$ hdiutil attach /path/to/wssa-installer.dmg
$ sudo installer -pkg /path/to/mounted/wssa-installer.pkg -target /
$ hdiutil detach /path/to/mounted

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The installation begins.

4. Click Finish to complete the installation. The service displays the Installer Information dialog.

5. Only required if upgrading a client from Unified Agent: click Yes to reboot the computer.

Example: install with configuration options.

Tip: The command can be run multiple times with multiple configuration options; however, each individual option is set only once. Writing the same option again after it has already been set overwrites the previous setting.

- minPMTU = [0-1500]

The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between two endpoints without fragmentation. This matters for UDP connections, which require retransmissions if packets are fragmented by nodes in the path. The option specifies the packet size the agent attempts when sending a PMTU check. It is used together with the enableUDP option (below) to determine the minimum MTU required before the agent automatically connects using UDP. The default is 1492.

- enableUDP = [true | false | exclusive]

  - true: attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine whether the PMTU is limited along the path. If UDP is not possible, the connection falls back to TCP.

  - false: never attempt UDP connections. No PMTU check is performed.

  - exclusive: attempt only UDP connections. No PMTU check is performed. If UDP is not possible, the connection is dropped.

- disableStats = [true | false]

The default is false. Setting it to true disables all real-time statistics activity: no new data is added and no purging occurs.

- statsRetentionDays = [0-14]

Specifies the number of days to retain real-time statistics. The default is 14. Setting it to 0 retains only data collected since midnight UTC of the current day. Data older than midnight UTC the specified number of days ago is removed; for example, with a setting of 1, data from before midnight UTC yesterday is purged. Purging runs every time the client starts and roughly every 30 minutes while the WSS Agent is running. If disableStats is true, this option has no effect.

$ sudo defaults write com.symantec.wssa CUSTOM_CONFIG -string "enableUDP=exclusive,statsRetentionDays=1"
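The option strings above (the Windows CUSTOM_CONFIG MSI property, the macOS defaults write value, and the wssad -p argument in the next section) share one comma-separated key=value syntax, and a typo in them is only discovered on the client. The following is an added example, not code from the Symantec guide: it validates such a string against the documented options and ranges before rollout, builds the msiexec argument list, and models the statsRetentionDays purge cut-off. The parser, the function names, the assumption that all three entry points accept the same syntax, and the sample paths and timestamp are this example's own.

```python
"""Validate WSS Agent configuration option strings before rollout.

Added example; not Symantec code. Option names, ranges and the
statsRetentionDays purge rule follow the guide; everything else here
(parser, function names, sample paths, SAMPLE_NOW) is assumed for
illustration.
"""
from datetime import datetime, timedelta, timezone

# One validator per documented option. Values arrive as strings because that
# is how they travel on the command line.
OPTION_RULES = {
    "minPMTU": lambda v: v.isdigit() and 0 <= int(v) <= 1500,
    "enableUDP": lambda v: v in ("true", "false", "exclusive"),
    "disableStats": lambda v: v in ("true", "false"),
    "statsRetentionDays": lambda v: v.isdigit() and 0 <= int(v) <= 14,
    "MCU": lambda v: v == "1",  # WSS Agent 7.1+ only
}


def parse_custom_config(text):
    """Parse 'key=value,key=value' into a dict.

    Rejects unknown keys, out-of-range values, empty items (a trailing comma)
    and duplicate keys: the guide says a repeated option silently overwrites
    the earlier value, which is rarely what the author of the string meant.
    """
    options = {}
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty option (trailing or doubled comma?)")
        if "=" not in item:
            raise ValueError(f"option without '=': {item!r}")
        key, value = (part.strip() for part in item.split("=", 1))
        if key not in OPTION_RULES:
            raise ValueError(f"unknown option {key!r}")
        if key in options:
            raise ValueError(f"option {key!r} given twice")
        if not OPTION_RULES[key](value):
            raise ValueError(f"invalid value for {key}: {value!r}")
        options[key] = value
    return options


def is_valid_custom_config(text):
    """True if parse_custom_config accepts the string."""
    try:
        parse_custom_config(text)
        return True
    except ValueError:
        return False


def build_custom_config(**options):
    """Serialise options into the comma-separated form, validating first."""
    text = ",".join(f"{key}={value}" for key, value in options.items())
    parse_custom_config(text)
    return text


def msiexec_command(msi_path, log_path, **options):
    """argv for a silent Windows install with a verbose log and options.

    msiexec accepts property assignments such as CUSTOM_CONFIG=... after
    the switches; pass the list to subprocess.run on the Windows client.
    """
    return ["msiexec", "/i", msi_path, "/passive", "/l*v", log_path,
            f"CUSTOM_CONFIG={build_custom_config(**options)}"]


def stats_purge_cutoff(now_utc, retention_days, disable_stats=False):
    """UTC instant before which real-time stats are purged.

    Returns None when disableStats=true (nothing is purged then). With
    retention_days=0 only data since midnight UTC today survives.
    """
    if disable_stats:
        return None
    if not 0 <= retention_days <= 14:
        raise ValueError("statsRetentionDays must be 0-14")
    midnight = now_utc.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=retention_days)


# Constructed timestamp for the demonstration below (assumed, not real data).
SAMPLE_NOW = datetime(2021, 8, 1, 13, 22, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(" ".join(msiexec_command(r"C:\downloads\wssa-installer.msi",
                                   r"C:\downloads\install.log",
                                   enableUDP="exclusive",
                                   statsRetentionDays=1)))
    print(stats_purge_cutoff(SAMPLE_NOW, 1).isoformat())
    print(is_valid_custom_config("enableUDP=exclusive,statsRetentionDays=1,"))
```

Run the validator in the packaging pipeline that produces the GPO, JAMF or script payload, so a trailing comma or a minPMTU of 15000 is rejected before it reaches a single client.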

Modify Options Post-Installation

After you install the WSS Agent, you can add or delete the options described in the previous sections. For example, you have already installed the agent but now want to push out the option to lower the PMTU. To do so, use the wssad command.

Windows

You must run the command as an administrator. The following example uses the default agent path and sets multiple options. Only the executable path is quoted (it contains spaces); the option string follows unquoted.

"C:\Program Files\Symantec\WSS Agent\wssad.exe" -p enableUDP=exclusive,statsRetentionDays=1

macOS

$ sudo /opt/symantec/wssad -p enableUDP=exclusive,statsRetentionDays=1

Delete Options

To delete options, run the same command with -e instead of -p.

"C:\Program Files\Symantec\WSS Agent\wssad.exe" -e enableUDP

$ sudo /opt/symantec/wssad -e enableUDP

Tip: When deleting options, you cannot delete more than one option per command.

WSS Agent 6.x with CloudSOC

If your portal account is integrated with the CloudSOC (CASB) service for deeper web application security, some thick clients (for example, Dropbox) do not work through the WSS Agent. These clients pin their server certificate, so they reject the certificate that WSS presents when it intercepts TLS. Using an installation option, you can bypass all traffic sent to WSS from a specific executable (thick client) on a WSS Agent 6.x client. You can bypass these applications as well as other elements such as VPN IP addresses.

If you have deployed WSS Agent 7.1+, see WSS Agent: Bypass Applications.

Caution: This option weakens security protections because the bypassed traffic is not subject to malware scanning or policy. Also, a savvy user with admin privileges on the client could modify the file, and because the agent fetches the file from a URL, anyone who can change the file at that location can add executables to the bypass list. Protect the file's location as carefully as the agent configuration itself.

STEP 1: Disable Tamper Protection

1. In the WSS portal, navigate to Service mode > Mobility > WSS Agent.

2. Select the Disable Tamper Protection option.

STEP 2: Create a JSON File

Create a JSON file that contains the executable bypass information. Backslashes in Windows paths must be doubled, because in JSON a single backslash starts an escape sequence.

{
  "bypassExecutables": [
    { "executablePath": "C:\\Path\\To\\Executable.exe" },
    ...
  ]
}

The value of executablePath is the path on the machine of the executable whose traffic is allowed to bypass WSS.

When traffic is seen for a new process ID (PID), the WSS Agent driver queries the service to find the executable making the call. If the PID belongs to an executable that matches an executablePath, all traffic from that process is allowed and not sent to WSS.

Your JSON must be well-formed. In particular, all values must be properly escaped and quoted, and there must be no trailing commas. You can validate the file with a JSON validator, for example the site below, or locally with python -m json.tool, which keeps the file off third-party servers.

https://jsonformatter.curiousconcept.com
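The two mistakes that most often break this file are single backslashes in Windows paths and a trailing comma after the last entry; both produce a file that looks right but is not JSON. The following is an added example, not code from the Symantec guide: it generates the file with json.dumps (which escapes the backslashes correctly), validates a hand-written file against the structure shown above with a precise error, and models the PID-to-path match. The absolute-path requirement, the case-insensitive comparison in process_is_bypassed, and the sample paths are this example's own assumptions; the guide does not state how the agent compares paths.

```python
"""Generate and validate the bypassExecutables JSON for additionalBypassUrl.

Added example; not Symantec code. Only the document shape shown in the
guide is assumed:
    {"bypassExecutables": [{"executablePath": "..."}, ...]}
"""
import json
import ntpath
import posixpath


def build_bypass_json(paths):
    """Serialise executable paths into the documented structure.
    json.dumps doubles every backslash, so Windows paths survive intact."""
    doc = {"bypassExecutables": [{"executablePath": p} for p in paths]}
    return json.dumps(doc, indent=2)


def validate_bypass_json(text):
    """Return the executable paths if text is well-formed JSON of the
    expected shape; raise ValueError naming the problem otherwise."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Usual causes: single backslashes in paths, trailing commas, comments.
        raise ValueError(f"not well-formed JSON: {exc.msg} "
                         f"(line {exc.lineno}, column {exc.colno})") from exc
    if not isinstance(doc, dict) or set(doc) != {"bypassExecutables"}:
        raise ValueError("top level must be an object with only 'bypassExecutables'")
    entries = doc["bypassExecutables"]
    if not isinstance(entries, list) or not entries:
        raise ValueError("'bypassExecutables' must be a non-empty array")
    paths = []
    for index, entry in enumerate(entries):
        if not isinstance(entry, dict) or set(entry) != {"executablePath"}:
            raise ValueError(f"entry {index} must be an object with only 'executablePath'")
        path = entry["executablePath"]
        if not isinstance(path, str) or not path.strip():
            raise ValueError(f"entry {index}: executablePath must be a non-empty string")
        # Assumption: a relative path cannot identify one executable, so reject it.
        if not (ntpath.isabs(path) or posixpath.isabs(path)):
            raise ValueError(f"entry {index}: executablePath must be absolute: {path!r}")
        paths.append(path)
    return paths


def is_valid_bypass_json(text):
    """True if validate_bypass_json accepts the text."""
    try:
        validate_bypass_json(text)
        return True
    except ValueError:
        return False


def process_is_bypassed(exe_path, bypass_paths):
    """Assumed matching rule for the PID lookup: exact path, compared
    case-insensitively with Windows separators normalised (NTFS semantics).
    The guide does not document the agent's actual comparison."""
    wanted = ntpath.normcase(exe_path)
    return any(ntpath.normcase(p) == wanted for p in bypass_paths)


# Constructed samples. GOOD is generated; the BAD_* files are hand-typed the
# way they often arrive in support tickets.
GOOD = build_bypass_json([r"C:\Program Files\Dropbox\Client\Dropbox.exe"])
BAD_ESCAPES = r'{ "bypassExecutables": [ { "executablePath": "C:\Path\To\Executable.exe" } ] }'
BAD_TRAILING_COMMA = r'{ "bypassExecutables": [ { "executablePath": "C:\\App\\App.exe" }, ] }'

if __name__ == "__main__":
    print(GOOD)
    for sample in (BAD_ESCAPES, BAD_TRAILING_COMMA):
        try:
            validate_bypass_json(sample)
        except ValueError as err:
            print("rejected:", err)
```

Generate the file from a list of paths rather than typing it, and run validate_bypass_json on whatever is actually published at the additionalBypassUrl location; a file that fails to parse on the client yields no bypass and no obvious error.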

STEP 3: Host the JSON File

This file can be located on the endpoint (accessed through a file:// URI) or on an http:// or https:// web server. If hosting on an https:// server, the endpoint must trust the server certificate. Prefer https:// over http://: a bypass list fetched over plain HTTP can be altered in transit by anyone on the path, which would let them exempt arbitrary executables from WSS.

STEP 4: Send the WSS Agent Configuration Update

Use the CLI to modify the WSS Agent installation.

Windows

"C:\Program Files\Symantec\WSS Agent\wssad.exe" -p additionalBypassUrl=string

macOS

$ sudo /opt/symantec/wssad -p additionalBypassUrl=string

Where string is the URL of the JSON file.

The bypass takes effect after the next WSS Agent reconnection.

Next Step

- Proceed to "Set WSSA Network/Security Options" on page 35.

Connectivity: Distribute WSS Agent With GPO

This topic describes how to use a Group Policy Object (GPO) to distribute the WSS Agent or Unified Agent to multiple Windows clients so they can connect to the Web Security Service.

Tip: This method does not support using a command line to add optional parameters.

Technical Requirements

This method requires the following.

- An understanding of the solution.

  - "Connectivity: About the WSS Agent" on page 8 (the Symantec-recommended solution).

  - "Connectivity: About the Unified Agent" on page 57

Tip: This topic refers to the WSS Agent but also applies to the Unified Agent.

- A Windows 2008 or 2012 domain controller.

- A DNS server.

- Active Directory (AD) and DNS must be functional; this includes DNS lookups of the AD domain controller.

- Verify that the client system can resolve the name of the AD server that hosts the client binary share.

- Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more information, consult the following Knowledge Base article:

https://knowledge.broadcom.com/external/article?legacyId=TECH242793

- Applies to WSS Agent v5.x and below. The WSS Agent does not support IPv6 connections. The current best practice is to disable IPv6 on client systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.

Procedure

VPN Client Compatibility

The WSS Agent might conflict with VPN clients, such as Cisco AnyConnect, that are also installed on client systems. You can configure full or split tunnel with additional configuration.

- Full Tunnel: possible if the VPN server's egress IP address is configured as an IPsec Location in WSS (Connectivity > Locations). This lets the WSS Agent enter Passive mode when on the Location network.

- Split Tunnel: add the VPN server's IP address to the bypass list to prevent connection flapping.

Step 1: HTTP Proxy Connection Required?

For WSS Agent deployment, proceed to Step 2.

Navigate to Connectivity > WSS Agent.

- A scenario might require this or other clients to connect to WSS through an HTTP proxy; for example, a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.

- For increased security in a production installation, clear this option. The Proxy tab is then neither visible nor available in the Unified Agent application on the employee's client system.

Tip: You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2: Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to WSS. For more notes and installation steps, consult the following Symantec Knowledge Base article:

https://knowledge.broadcom.com/external/article?legacyId=TECH242793

Step 3: Download the Agent Installer

If you downloaded the agent during the Initial Configuration Wizard process, begin with Step 4: Distribute the Agent.

1. Navigate to Connectivity > WSS Agent.

2. In the Installers area, click the Windows: WSS Agent Download.

3. If this is the first time you are attempting to download the application, the service displays the Profile dialog.

As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the WSS Agent.

a. Click the Ensure...enterprise account link, which opens your Broadcom profile page.

b. Complete your enterprise information and click Next.

c. Verify and click Upgrade Account. Broadcom sends you a confirmation email.

d. Return to the portal, log out, and log in again. Until you do, you still cannot download the agent.

4. Download the installation file. If the location of the file is not a Windows share, create a share. Verify that the directory and files have Read and Execute file system rights for the computer accounts that will install the package, and nothing more: the share must not be writable by ordinary users, because the MSI it holds is installed as SYSTEM on every machine in scope.

Step 4: Distribute the Agent

1. On the domain controller, click Start and select Control Panel > Administrative Tools > Active Directory Users and Computers.

2. Right-click the domain and select Properties.

3. On the Group Policy tab, click New. Name the policy, for example InstallCloudClientMSI. Highlight the new GPO and click Edit.

4. Navigate to Computer Configuration > Software Settings > Software installation.

a. Right-click Software Installation and select New > Package.

Note: Verify that you have a valid UNC path. Click My Network Places > Entire Network > Microsoft Windows Network > server_domain > server_name > client_binary_share_name > select_the_binary.

b. For Deployment Method, select Assigned and click OK. If your new policy is not visible, right-click Software Installation and click Refresh.

5. If the workstation properly joins the domain, the client installs on the second reboot (policy is read on the first boot) and executes policy. The workstation installs the client and reboots once more.

6. Test.

Next Selection

WSS Agent

- "Set WSSA Network/Security Options" on page 35.

Unified Agent

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 75.

- If not, proceed to "Set WSSA Network/Security Options" on page 35.

Connectivity: Distribute WSS Agent With JAMF

To provide the Web Security Service to remote users, you must download the WSS Agent and install it on client systems. See "Connectivity: About the WSS Agent" on page 8.

JAMF provides a widely used software solution for distributing applications. This section describes how to distribute the WSS Agent to clients. For general information about using JAMF policies and packages, see the user documentation for JAMF at www.jamfsoftware.com.

Technical Requirement

- The WSS Agent currently does not support IPv6 connections. Symantec recommends that you disable IPv6 on client systems and select Block IPv6 Traffic on the Connectivity > WSS Agent page.

Procedure

VPN Client Compatibility

The WSS Agent might conflict with VPN clients, such as Cisco AnyConnect, that are also installed on client systems. You can configure full or split tunnel with additional configuration.

- Full Tunnel: possible if the VPN server's egress IP address is configured as an IPsec Location in WSS (Connectivity > Locations). This lets the WSS Agent enter Passive mode when on the Location network.

- Split Tunnel: add the VPN server's IP address to the bypass list to prevent connection flapping.

Step 1: Select End User Permissions

As a best practice, Symantec recommends that you decide how much control your employees have over the WSS Agent before you push the agent to clients.

Navigate to Connectivity > WSS Agent. Locate the End User Permissions area.

Decide whether the following features are applicable.

Enable Update Prompts

If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.

Allow the Proxy Settings Tab

This option applies only to the Unified Agent.

Allow Local Ability to Disable the Agent

If you select Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent. A disabled agent sends nothing to WSS, so grant this only where the operational need outweighs the loss of policy enforcement on that client.

Require Token for Uninstalling

If you select Require Token to Uninstall, employees can uninstall the WSS Agent only with a token that you define.

Step 2: Download the WSS Agent Installer

If you downloaded the WSS Agent during the Initial Configuration Wizard process, begin with Step 3: High-Level JAMF Procedure.

1. In the Installers area, download the agent.

2. If this is the first time you are attempting to download the application, the service displays the Profile dialog.

As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

3. Download the installation file.

Step 3: High-Level JAMF Procedure

1. Create the upgrade packages for WSS Agent installation.

Tip: If you deploy both the on-box and cloud versions of the agent on your network, create two packages with different names.

2. Upload the packages to the JAMF file-distribution server. Place both packages in the same directory.

3. Create a policy with the following settings.

- Category: select the appropriate setting for your network.

- Triggers: select the appropriate setting for your network.

- Execution Frequency: Once per device.

- Priority: Before. This permits the CMURL to be set before installation.

- Scope: add the devices to update. Each device must be marked as Managed.

- Restart: not needed.

The interface displays the new policy in the list.

What Occurs on Employee Clients?

After you use JAMF to push the update package, the following events occur on the employee's macOS client.

1. The client displays a Management Notification dialog.

2. The employee follows the prompts to accept and install the WSS Agent application.

Employee Template

(Optional) To notify affected employees and provide them with instructions, consider using the following template. Copy the contents into an email, edit as needed, and send.

[Company] is distributing a security update to your corporate Mac client. You will be prompted to [install / update] an application called WSS Agent. Perform the following steps.

1. When your Mac client receives the update, the client displays a Management Notification.

2. To complete the installation, click through the prompts.

3. If the client displays a prompt to accept a certificate, accept it. This is required to receive the application.

If you have any questions or issues, contact IT.

Next Selection

WSS Agent

- "Set WSSA Network/Security Options" on page 35.

Unified Agent

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 75.

- If not, proceed to "Set WSSA Network/Security Options" on page 35.

Set WSSA Network/Security Options

The Web Security Service provides several options that specify how the WSS Agent behaves on the client and how it routes traffic.

Navigate to Connectivity > WSS Agent.

Tip: This page does not contain an Apply button. Selecting an option sets the configuration, as indicated by the displayed message.

Determine Failure Behavior

By default, WSS allows remote clients unfiltered web access if the service becomes unavailable (the agent fails open). For maximum security, set the Fail Behavior to Block All Traffic until IT or Symantec restores the service; weigh that against remote users losing all web access for the duration of an outage.

Change Listening Ports (No CFS)

By default, WSS accepts traffic from the WSS Agent installed on client systems on the common gateway ports 80 (HTTP), 443 (HTTPS) and 8080 (explicit proxy HTTP).

Tip: Migration scenario: you are migrating security to WSS from on-premises Blue Coat ProxySG appliances, where the WSS Agent (proxy version) accessed numerous HTTP/HTTPS sites on non-standard ports. By default, WSS is limited to the three standard web ports.

The default ports cannot be changed, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS traffic, configure WSS to listen on those ports. For example, WSS must also listen on ports 8000 (HTTP) and 8083 (HTTPS). Traffic on a port that is not listed is not tunneled to WSS at all, so an unlisted port is effectively a bypass.

1. Select View/Edit Ports.

2. Ports: if your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate traffic type and entering the port. You can enter only one port in each field. You can add up to 1000 ports.

3. Click Save.

Forward All Ports (CFS Only)

If you have enabled the Cloud Firewall Service on your WSS portal account, you must select the Forward all traffic from all ports to WSS option.

Note: This option is available in the portal only if your account has the CFS license provisioned.

Bypass IP Addresses/Subnets and Domains

By default, WSS bypasses the following private (RFC 1918) and link-local (RFC 3927) address ranges.

- 10.0.0.0/8

- 169.254.0.0/16

- 172.16.0.0/12

- 192.168.0.0/16

If a destination request is to one of these ranges, the traffic bypasses WSS and the client connects directly.

Personal choices or business requirements might require you to configure WSS to bypass additional IP addresses/subnets and domains, for example test networks. Every bypassed destination is reached without WSS policy or scanning, so keep the list short and specific.

Clicking the Connectivity > Bypassed Traffic link (bottom of page) takes you to that screen, as this is a configuration shared with other WSS features.

- For more details, see "Prevent IP/Subnet From Routing to the Web Security Service" on page 98.

- Allow remote client requests to bypass specific domains (available only for Unified Agent v4.4+). See "Prevent a Domain From Routing to WSS" on page 96.

Define Agent Connection Options

a. Block IPv6 traffic:

Performs DNS rewriting to prevent connections from resolving to IPv6.

WSS Agent 6+: blocks any detected IPv6 traffic except in the following scenarios.

- IPv6 traffic is destined for local addresses (link-local and unique local addresses).

- IPv6 traffic is destined for a non-forwarded port (80, 443, and 8080 are forwarded by default).

b. Select Allow HTTP/3 only if a business requirement or a preference for the highest performance justifies letting HTTP/3 (formerly QUIC) connections bypass WSS; allowed HTTP/3 traffic is not inspected. For more information, see the HTTP/3 section in "Connectivity: About the WSS Agent" on page 8.

c. Disable Tamper Protection: select this option if your preference is to allow the WSS Agent to fail open (allow connections) should the agent be unable to connect to WSS. Be advised that these connections are not subject to policy checks or malware detection.

d. Ignore Proxy Settings: applies to WSS Agent v4.x and below.

The WSS Agent establishes a direct VPN tunnel, bypassing any proxy setting an endpoint user attempts to define. However, Ignore Proxy Settings applies only to tunnel creation. If the CTC connection fails, this setting cannot be retrieved. For an on-premises WSS Agent to go passive successfully, any on-premises firewall/proxy must bypass traffic to https://ctc.threatpulse.com.

e. Applies to WSS Agent v6.x and below.

By default, a WSS Agent process sends the User ID through the tunnel to WSS. This ensures an accurate account of who initiated the request and allows for policy enforcement and reporting. Your network might have third-party products that also intercept these connections, which causes WSS to erroneously see the username as something similar to the following. Examples of these products include anti-virus programs and applications that run browsers in a secure virtual container.

NT AUTHORITY\SYSTEM

This prevents user-based policy enforcement and reporting. To be compatible with third-party interception that causes this issue, instruct the WSS Agent to send the logged-in username.

Select Logged in User ID from the Username Format drop-down list.

Tip: For a current list of known third-party applications that cause this issue, see NT AUTHORITY\SYSTEM Username Returned From the UA.
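The bypass ranges, the listening ports and the Block IPv6 exceptions described above together decide whether a given connection is tunneled to WSS, goes direct, or is blocked, and reviewing that decision for a list of destinations is useful before changing any of the three settings. The following is an added example, not Symantec code: it models the combination of those documented rules in one function. The ranges, default ports and IPv6 exceptions are the ones the guide lists; the function name, the treatment of admin-added bypass entries, and the assumption that traffic on a non-listed port is never tunneled (which follows from "WSS is limited to the three standard web ports") are this example's own. It models only the state with Block IPv6 traffic enabled.

```python
"""Model the WSS Agent routing decision: bypass ranges, listening ports,
Block IPv6 exceptions. Added example; not Symantec code."""
import ipaddress

# Bypassed by default: private (RFC 1918) and link-local (RFC 3927) IPv4.
DEFAULT_BYPASS_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Ports WSS listens on by default (no Cloud Firewall Service).
DEFAULT_FORWARDED_PORTS = frozenset({80, 443, 8080})

# IPv6 destinations that are never blocked even with "Block IPv6 traffic" on.
LOCAL_V6 = [ipaddress.ip_network("fe80::/10"),   # link-local
            ipaddress.ip_network("fc00::/7")]    # unique local addresses


def route_decision(dst_ip, dst_port, extra_bypass=(),
                   forwarded_ports=DEFAULT_FORWARDED_PORTS,
                   forward_all_ports=False):
    """Return 'direct', 'wss' or 'blocked' for one destination.

    extra_bypass: admin-added IP/subnet entries (Connectivity > Bypassed
    Traffic); an entry without a prefix length is a single host.
    forwarded_ports: the configured listening ports (View/Edit Ports).
    forward_all_ports: the CFS-only "Forward all traffic from all ports".
    """
    ip = ipaddress.ip_address(dst_ip)
    bypass = list(DEFAULT_BYPASS_V4)
    bypass += [ipaddress.ip_network(n, strict=False) for n in extra_bypass]
    # Bypassed destinations are reached directly, whatever the port.
    if any(ip in net for net in bypass if net.version == ip.version):
        return "direct"
    port_forwarded = forward_all_ports or dst_port in forwarded_ports
    if ip.version == 6:
        # Block IPv6 traffic: local IPv6 and non-forwarded ports are left
        # alone; everything else that would reach WSS is dropped instead.
        if any(ip in net for net in LOCAL_V6):
            return "direct"
        return "blocked" if port_forwarded else "direct"
    # IPv4: only traffic on a listening port enters the tunnel.
    return "wss" if port_forwarded else "direct"


def audit(destinations, **settings):
    """Apply route_decision to (ip, port) pairs; returns {(ip, port): decision}."""
    return {(ip, port): route_decision(ip, port, **settings)
            for ip, port in destinations}


if __name__ == "__main__":
    # Constructed destinations (documentation addresses, not real hosts).
    sample = [("10.1.2.3", 443), ("93.184.216.34", 443), ("93.184.216.34", 8000),
              ("203.0.113.10", 443), ("fe80::1", 443), ("2001:db8::1", 443)]
    for key, decision in audit(sample, extra_bypass=["203.0.113.0/24"]).items():
        print(key, "->", decision)
```

The result for ("93.184.216.34", 8000) is the one to watch: until port 8000 is added under View/Edit Ports (or the CFS option is on), HTTP on that port never reaches WSS, which is why the migration tip above matters.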

Select End User Permissions

As a best practice described in "Connectivity: Install the WSS Agent" on page 17, decide how much control your employees have over the WSS Agent before you push the agent to clients.

On the WSS Agent page, locate the End User Permissions area.

Decide whether the following features are applicable.

- Enable update prompts.

If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.

- Allow the Proxy Settings tab. This option applies only to the Unified Agent.

Whether employees can access the Proxy Settings tab in their Unified Agent applications is decided before installation.

This option does not change the system proxy settings for any other application on the client system; it only affects how the Unified Agent connects its tunnels. Typically, the Unified Agent honors the system proxy setting. This option disables that, and connections are made directly instead; the Unified Agent never connects through a proxy (but see the browser note below). This option is for the specific case where your environment has proxy settings but you do not want the Unified Agent to use them when connecting to the CTC or establishing its tunnels.

The proxy that is used is the proxy of the user associated with the process.

  - macOS uses one set of proxies.

  - Windows: the CTC sees connection requests from the SYSTEM user, whose proxy can come from WPAD, a PAC file, or explicit proxy address/port settings.

Tip: Browser configurations are completely separate. The Unified Agent cannot control the browser's behavior relating to proxies. That is, if a proxy is set in a particular browser (wherever that browser stores it), that proxy setting is honored.

- Allow local ability to disable the agent.

If you select Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

- Require a token for uninstallation.

If you select Require Token to Uninstall, employees can uninstall the WSS Agent only with a token that you define.

(Optional) Enable challenge-based authentication (Captive Portal)

Applies to WSS Agent v6.x and below. This option requires deployment of the Auth Connector application, which integrates with your Active Directory to provide username and group information.

To enforce accurate user credentials rather than rely on locally cached credentials:

1. Navigate to Identity > Authentication Policy (or click the link on the WSS Agent page).

2. Expand the Authentication Policy area.

3. Click the Edit icon at the end of Rule G4.

a. Toggle Captive Portal to On.

b. Select Auth Connector.

c. Click Save.

On clients (Windows and macOS), employees are prompted for network credentials.

Next Options

WSSA UI

- "About the WSS Agent UI" on page 42.

About the WSS Agent UI

After the WSS Agent is installed on client systems, one component, the service, runs as a system process that establishes the connection to WSS and enforces policies. The other component, the UI, runs one instance per user logged in to the client and shows the status of the service. Two elements make up the user interface.

System Tray/Menu

- On Windows clients, the System Tray contains an icon.

- On macOS clients, the Menu Bar contains an icon.

The icon indicates the current connection status.

Right-click a status icon to display a context menu with available actions. Selecting Open Symantec WSS Agent displays the agent interface.

Agent Interface

The agent interface provides connection status and information that can assist with troubleshooting.

Status Tab (Windows and macOS)

a. Status Bar: the background color of the status bar corresponds to the status icon in the System Tray / Menu Bar.

- Green: Connected

- Red: Disconnected

- Gray: Passive / Disabled

- Orange: Connecting / Fail Open

b. Information Section: the WSS Agent displays information messages related to the connection, including errors and warnings.

- Error: an unrecoverable error.

- Warning: a recoverable error.

c. Reconnect Button: click to reestablish a connection to WSS.

Support Tab

This tab displays diagnostic information. You will likely use this tab when working with Symantec Technical Support, including the use of the available diagnostic applications. See also:

- "SymDiag Application For WSS Agent on Windows" on page 48.

- "Debugging Script for WSS Agent on Mac Systems" on page 52.

About Tab

This tab displays the current WSS Agent version and build number.

Available Updates

When you, as administrator, distribute new WSS Agent versions, the client displays an Available Updates notification in the agent interface.

Disable the WSS Agent

For troubleshooting purposes, you might need to temporarily disable a specific WSS Agent from the portal. For example:

- A user is experiencing performance issues or is unable to access a specific website. Temporarily disabling the agent and retrying the website can help narrow down the issue.

- A user, such as a consultant, needs to disable the agent to access the network.

In the WSS portal, an admin can look up a device (or user) and disable it for a specified amount of time. When the WSS Agent attempts a connection, the CTC provides configuration that includes a list of devices to disable (including an expiration date and time). When a WSS Agent on a client matches a device in the list, the agent enters a passive state.

This feature works on both Windows and macOS clients.

Procedure

1. Navigate to Connectivity > Agents.

2. Locate the device to disable. You can use the Search field to filter, including by Installation ID if known.

From the Actions column, select Disable. The portal displays the Disable WSS Agent dialog.

3. Specify the disabled duration.

Click Disable Agent.

Tip: The connection termination might require up to 30 seconds.

4. (Optional) If you require testing beyond the original duration, return to the Actions column and select Extend Disable Duration.

About the Disabled Duration

- Notifications when the WSS Agent is disabled.

  - The WSS Agent displays a status message: Disabled by administrator until yyyy-mm-dd hh:mm, where yyyy-mm-dd hh:mm is the time at which the WSS Agent automatically re-enables. The time is shown in the time zone of the disabled machine.

  - The WSS Agent log receives an entry: Disabled by administrator until XXXXX, where XXXXX is the same re-enable time, again in the time zone of the disabled machine.

  - The WSS Agent tray icon changes to the passive icon.

  - When the disabled duration expires, the WSS Agent diagnostic log receives the entry: Administrator disable expired.

- Neither the disabled state nor the expiration time is persisted to disk on the client. On reboot, the device issues a new CTC request, and the CTC returns the disabled status to the agent.

- After the expiration time passes, the WSS Agent reissues a CTC request to verify that the disable time has not been extended, and then re-enables.

- If the WSS Agent has not re-enabled (which might occur after a network change), click Reconnect in the agent UI. This reissues a CTC check and the device re-enables.

Agent Logging

All actions taken are logged in the WSS Agent diagnostic logs. The following is an example entry.

Disabled by Admin until 2021-08-01 13:22 Pacific Daylight Time

This helps you or support personnel during troubleshooting.

See "SymDiag Application For WSS Agent on Windows" on page 48 or "Debugging Script for WSS Agent on Mac Systems" on page 52.


SymDiag Application For WSS Agent on Windows

SymDiag is a WSS Agent diagnostic application. It gathers debugging, troubleshooting, and trace log information that Symantec Technical Support can analyze to assist you in remedying connection issues.

This section describes how to run the SymDiag application. Most issues can be traced and gathered without requiring a reboot. However, debugging WSS Agent startup process issues requires additional advanced debug logging steps, as outlined in the procedure.

Technical Requirements

- Obtain the SymDiag application from the link in the Symantec KB article.

https://knowledge.broadcom.com/external/article?legacyId=TECH170752

- Put the SymDiag application on the test system. You can run SymDiag from any location on the local system. The process does not install anything.

Procedure

1. On the Windows desktop, double-click the SymDiag.exe icon.

SymDiag checks for available updates, installs them, and presents a license agreement. Accept the EULA to continue.

2. The system displays the application.

Click Collect Data for Support.

3. Verify that WSS Agent is selected.

- If the WSS Agent is installed, this option should be selected automatically in the Installed Products area.

- If you are debugging installer issues, select WSS Agent / Unified Agent in the Other Products area.

Click Next.


4. Set the collection options.

a. Under Data Type, verify that Limited data for Support is selected.

b. (Optional) Symantec Support might have asked you to provide additional files, such as a packet capture (PCAP) or screenshots of an issue. Select Choose additional files to collect. The app displays a screen from which you can browse and attach the files.

c. Startup/Reboot Diagnostic Issues Only—In the Debug Logging area, click Advanced.


i. Click the WPP reboot only preset.

ii. In the resulting dialog, click OK.

d. Click Next, which begins the tracing process.

5. Startup/Reboot Diagnostic Issues Only—If you selected the reboot preset in Step 4.c, the application prompts you. Select Enable and reboot. After the system reboots, do not proceed until SymDiag also restarts.

6. Debug logging/tracing is now active. Perform the steps to reproduce the WSS Agent issue. You must leave this SymDiag screen open until you have fully reproduced the issue.

After you reproduce the issue, click Next.

7. Send to Symantec.


- If you have a current Support Case for this issue, select Open or Update a Support Case. Log in and complete the process.

- Otherwise, save the .sdbz file locally. Exit SymDiag and send the file to your Support contact. The bundle contains the agent's logs and traces from the system, so transfer it only through the support case or another channel your organization approves.

Related Topics

- "Debugging Script for WSS Agent on Mac Systems" on page 52.

- "Disable the WSS Agent" on page 45.


Debugging Script for WSS Agent on Mac Systems

For Mac systems, Symantec provides a shell script (wssa-diag.sh) that gathers debugging, troubleshooting, and trace log information that Technical Support can analyze to assist you in remedying connection issues.

This section describes how to run the script. Most issues can be traced and gathered without requiring a reboot. However, debugging WSS Agent startup process issues requires additional advanced debug logging steps, as outlined in the procedure.

Technical Requirements

- Download the script zip file.

http://portal.threatpulse.com/docs/sol/connectivity/endpoint/agent/ts-wssa-macdiags.htm

http://cloudwebsecurity.att.com/docs/sol/connectivity/endpoint/agent/ts-wssa-macdiags.htm

http://websaas.dimensiondata.cloud/docs/sol/connectivity/endpoint/agent/ts-wssa-macdiags.htm

- Put the script on the test system. You can run the script from any location on the local system. The process does not install anything.

Startup/Reboot Diagnostic Issues Only—If you are diagnosing WSS Agent startup connection issues, run the script with the --reboot command line option. When prompted, save your work and reboot. After you are finished, you reboot again to fully stop the debug log.

If you use the --reboot command line option or the WSS Agent is version 6.0.9+, Steps 5 and 8 in the following procedure are not required.

Procedure

1. Open Terminal.app and cd to the directory where you saved the wssa-diag.sh script.

2. Run chmod +x wssa-diag.sh to make the script executable.

3. Run ./wssa-diag.sh.

- Optionally, pass /path/to/output.wdbz to specify the output file name. The default is a file in your current directory named after your hostname and the time.

4. Enter your administrator (sudo) password.

5. Skip this step if you are diagnosing Startup/Reboot Issues or if the WSS Agent/Unified Agent is version 6.0.8 or earlier.

When prompted, begin the tracing.

- In WSS Agent, click the Play icon in the bottom-right corner of the Support tab.

- In Unified Agent, click Start Tracing on the Advanced tab.

6. Debug logging/tracing is now active. Perform the steps to reproduce the WSS Agent issue.


Note: You must leave the terminal window open until you have fully reproduced the issue.

After you reproduce the issue, press Enter in your Terminal.app window to stop tracing and begin gathering additional information.

7. The script then uses the Apple-provided sysdiagnose utility to gather system information. Read the displayed license and press Enter to continue gathering information. According to the command's man page, sysdiagnose collects the following.

- A spindump of the system.

- Several seconds of fs_usage output.

- Several seconds of top output.

- Data about kernel zones.

- Status of loaded kernel extensions.

- Resident memory usage of user processes.

- Recent system logs.

- A System Profiler report.

- Recent crash reports.

- Disk usage information.

- I/O Kit registry information.

- Network status.

8. Skip this step if you are diagnosing Startup/Reboot Issues or if the WSS Agent/Unified Agent is version 6.0.8 or earlier.

Stop tracing in the WSS Agent.

9. Send the .wdbz file to Symantec Support. Because the sysdiagnose output covers the whole machine (recent system logs, crash reports, network status), review what the bundle contains and use the transfer channel your Support contact specifies.

Note: If debugging startup issues—After troubleshooting is complete, clear the Enable tracing on startup option in WSS Agent and reboot the Mac system again.

Related Topics

- "SymDiag Application For WSS Agent on Windows" on page 48.

- "Disable the WSS Agent" on page 45.


WSS Agent 7.x—Tunnel Error

If the WSS Agent was installed on endpoints in the default configuration, it operates in Single Tunnel Mode. The WSS Agent establishes a single tunnel that corresponds with the user who logged in to the client system.

If there is no console user logged in, the most recently logged-in console user (for that session) continues through the active tunnel. If no console user has ever logged in, the WSS Agent Status Page displays an error stating that there is no user logged on at the physical console.

The error message depends on the portal-configured failure mode, Fail Closed or Fail Open. Domain and IP bypass lists are honored while in failure mode.

This error is encountered when a user is not logged in to the computer from the physical console (where the keyboard, monitor, and mouse are physically connected), for example a user connected through Remote Desktop (RDP). If this is a required environment, re-install WSS Agent with the Multiple Concurrent Users (MCU) option enabled. See "Connectivity: Install the WSS Agent" on page 17.


Uninstall the WSS Agent

Windows

To uninstall, remove the application from the Windows Control Panel. If an uninstall token has been set in the portal, you must enter the token to proceed.

Alternatively, you can uninstall from the command line. Replace {msi_token} with the MSI code of the installed package.

msiexec /x {msi_token}

Command if an uninstall token was defined in the portal.

msiexec /x {msi_token} uninstall_token=token

For a list of MSI codes, see "Reference: Windows WSSA/UA Package Versions" on page 100.

macOS

To uninstall, hold the <option> key when clicking the menu bar icon. If an uninstall token has been set in the portal, you must enter the token to proceed.

Alternatively, you can uninstall from the command line.

$ sudo "/Library/Application Support/Symantec WSS Agent/wssa-uninstall.app/Contents/MacOS/uninstall-helper"

Command if an uninstall token was defined in the portal.

$ sudo "/Library/Application Support/Symantec WSS Agent/wssa-uninstall.app/Contents/MacOS/uninstall-helper" -ut token


Unified Agent

The Unified Agent is the Symantec agent for Windows 7/8 and macOS Sierra and earlier.

- "Connectivity: About the Unified Agent" on page 57

- "Connectivity: Manually Deploy the Unified Agent (Windows)" on page 66

- "Connectivity: Manually Deploy the Unified Agent (Mac)" on page 71

- "Route Remote Connections Through an HTTP Proxy" on page 75

- "Uninstall the Unified Agent" on page 79

- "Troubleshoot..." on page 84


Connectivity: About the Unified Agent

Note: End of Maintenance for the Unified Agent is March 31st, 2021. Unless your portal account was provisioned with the agent license before July 31st, 2020, you cannot download the Unified Agent. Use the newest product, the WSS Agent. See "Connectivity: About the WSS Agent" on page 8.

The Symantec Unified Agent provides web security to remote users when a route through the corporate network is not possible or practical.

When installed on client systems, the Unified Agent works as part of the client system's configuration; after the application is installed, no further configuration is required on the client system. It directs content requests to the Web Security Service over a secure connection (port 443). To prevent proxy avoidance, the Unified Agent detects and drops HTTP CONNECT requests to any external, non-WSS IP address. Because such connections are dropped, the user cannot circumvent filtering and malware scanning.

Furthermore, the Unified Agent provides additional security features.

- The Unified Agent prevents employees from stopping and starting the service from the Services Management Console, even if the employee has Windows Administrator privileges.

- You can hide the Proxy Settings tab in the application, so employees cannot attempt proxy avoidance by routing traffic through another egress device.

- You can give employees the ability to temporarily disable the Unified Agent should they experience connection issues.



Why Select This Method?

Benefits—

- Always active. The user does not have to log in to the agent.

- Works in the background and is transparent to users.

- Captures the user and system names for reporting.

- Viable solution for a site with fewer than 100 clients where location-based network infrastructure (such as a firewall) is not available.

Select another method if—

- You want to manage remote clients through multiple PAC files. See Connectivity: About Symantec Endpoint Protection.


Topologies

High-Level Example

The following diagram illustrates how the Unified Agent facilitates web requests.

1—A salesperson on a business trip in India initiates a web request.

2—The Unified Agent detects web-bound traffic on a port it is capturing and initiates a connection over port 443 to the WSS (ctc.threatpulse.com). The agent attempts to connect to the Client Traffic Controller (CTC) in the three geographically nearest Symantec WSS data centers. In this example, Mumbai accepts the request.

- If the CTC is not able to respond, the agent falls back to a DNS lookup of client.threatpulse.net.

- Unified Agent 4.9.1+: The agent evaluates network conditions to attempt a UDP connection; if the conditions are not met, the connection reverts to TCP.

2.1—If this is the initial connection, the client receives additional configuration.

3—The client establishes a tunnel to the service for each logged-in user; the service serves content from the destination website.

4—In addition, the client establishes a default tunnel that is used for system-level requests, such as Windows updates or other requests initiated by a system-owned process.

The WSS provides the policy rule enforcement.

5—Requests for internally hosted resources do not transit the WSS. Furthermore, the Unified Agent cannot compete with other installed VPNs, such as Cisco AnyConnect. You must configure other VPN applications to split tunnel so that Internet-hosted destinations route through the WSS, or add entries to the bypass list.

Tip: If your enterprise requires specific location connections, contact Symantec Technical Support to request assistance.

Dynamic User Location Example

If the user logs in while on a protected network, for example a corporate location, the client agent goes into passive mode. That is, the acceptable web use policies are enforced by the on-site web service.

The following diagram illustrates the various access points from remote users to the WSS.

- A—An employee logs in and is detected by the on-premises network. Because a gateway ProxySG appliance provides the security and web access policies, the Unified Agent enters Passive Mode; that is, it does not intercept any traffic.

Note: For an on-premises Unified Agent to go passive successfully, any on-premises firewall/proxy must bypass traffic to https://ctc.threatpulse.com.


- B—The same employee travels to a hotel and logs into the hotel's WiFi service. The Unified Agent now engages and connects to the nearest WSS data center, which enforces the web access policies.

This allows you to write different policies for corporate locations versus remote locations.


Unified Agent Connection Concepts

HTTP/3

HTTP/3 is the third major revision of the HTTP protocol. It runs over QUIC (Quick UDP Internet Connections), a UDP-based transport layer introduced in 2013 and designed to reduce latency compared to TCP (HTTP/HTTPS) connections. Browsers with HTTP/3 enabled and smaller devices receive the benefit. Chrome 29+ has QUIC enabled by default (chrome://net-internals/#quic). Other browsers are beginning to include HTTP/3.

To allow for a seamless experience, when clients send web requests that are intercepted for processing (such as by WSS for security purposes), the connections revert to TCP.

If you have a business requirement or a preference for the highest performance, you can instruct WSS to bypass HTTP/3 connections. Be aware of the reduced security this option brings. Because HTTP/3 is UDP-based, these connections are bypassed at the client endpoint, which means the traffic is not checked against policy and no Unified Agent reporting is possible for it. Select this bypass option only if the highest performance for these clients supersedes the security requirement.
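The following Python script is an added example for this section, not code from the Symantec documentation or product. It shows how to recognize the traffic an HTTP/3 bypass hands to the Internet unchecked: a check for the QUIC long header that begins every new QUIC connection (header layout per RFC 8999 and RFC 9000), and a filter over flow records for UDP to port 443. The flow-record format, the field names and every packet byte below are constructed for the example.

```python
import struct

QUIC_VERSION_NEGOTIATION = 0x00000000
QUIC_V1 = 0x00000001


def quic_long_header(payload: bytes):
    """Return (version, dcid) when payload begins with a QUIC long header,
    else None.  RFC 8999 invariants: bit 7 of the first byte set, then a
    4-byte version, then a length-prefixed Destination Connection ID.
    RFC 9000 also requires the fixed bit (0x40) in every packet except
    Version Negotiation.  A TLS record on TCP (first byte 0x16) fails the
    first test, so it is never mistaken for QUIC."""
    if len(payload) < 6 or not payload[0] & 0x80:
        return None
    version = struct.unpack_from("!I", payload, 1)[0]
    if version != QUIC_VERSION_NEGOTIATION and not payload[0] & 0x40:
        return None
    dcid_len = payload[5]
    if len(payload) < 6 + dcid_len:
        return None
    return version, payload[6:6 + dcid_len]


def bypassed_quic_flows(flow_lines):
    """Constructed flow-record format: 'src,dst,proto,dport,bytes'.
    Returns (src, dst, bytes) for UDP/443 flows, i.e. the traffic an
    HTTP/3 bypass sends past WSS with no policy check and no reporting."""
    hits = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, nbytes = (f.strip() for f in line.split(","))
        if proto.upper() == "UDP" and int(dport) == 443:
            hits.append((src, dst, int(nbytes)))
    return hits


# Constructed samples.  0xC3 = long header, fixed bit, Initial type,
# 4-byte packet number; then version 1, an 8-byte DCID and an empty SCID.
SAMPLE_QUIC_INITIAL = b"\xc3" + struct.pack("!I", QUIC_V1) + b"\x08" + bytes(range(8)) + b"\x00"
# A TLS 1.0-framed record header followed by a few handshake bytes, as on TCP/443.
SAMPLE_TLS_RECORD = b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x00"

SAMPLE_FLOWS = [
    "# src,dst,proto,dport,bytes  (constructed, RFC 5737 addresses)",
    "10.0.0.5,198.51.100.20,UDP,443,184320",
    "10.0.0.5,198.51.100.30,TCP,443,51200",
    "10.0.0.6,10.0.0.53,UDP,53,212",
]

if __name__ == "__main__":
    print("QUIC header:", quic_long_header(SAMPLE_QUIC_INITIAL))
    print("TLS record :", quic_long_header(SAMPLE_TLS_RECORD))
    print("UDP/443    :", bypassed_quic_flows(SAMPLE_FLOWS))
```

Run the flow filter against the egress records of any network where the HTTP/3 bypass is enabled; every hit is a connection the Unified Agent neither inspected nor reported, which is the trade-off the option makes.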

About Proxy Avoidance Attempts

To prevent proxy avoidance, the Unified Agent detects proxy-style HTTP requests in outbound streams on ports other than those configured to be forwarded to the service (typically 80 and 443). Such connections are dropped, so the user cannot circumvent filtering and malware scanning. The Unified Agent does not interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt: if your deployment uses a PAC file to manage outbound web connections, the Unified Agent detects it and uses that connection to forward web traffic (ports 80 and 443 by default). If the Unified Agent cannot connect with the PAC settings, it attempts a direct connection to the WSS IP address. You can allow additional ports. Symantec also recommends adding internal subnets to the IP Bypass List so that internal traffic is not sent to the WSS.
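As an added example, not Symantec's code, the following Python models the proxy-avoidance check described here and in "Connectivity: About the Unified Agent": it classifies the first bytes of an outbound TCP payload (HTTP CONNECT, proxy-style absolute-URI request, ordinary request, or not HTTP at all) and applies the decision rule from the text. The captured ports, the WSS address range, the PAC proxy address and the sample payloads are all constructed assumptions.

```python
import ipaddress
import re

# Constructed assumptions: ports the agent forwards to WSS, and the WSS
# address range the agent itself may speak proxy protocol to (TEST-NET-3).
FORWARDED_PORTS = {80, 443}
WSS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

_REQUEST_LINE = re.compile(rb"^(?P<method>[A-Z]{3,7}) (?P<target>\S+) HTTP/1\.[01]\r\n")


def classify_request(payload: bytes) -> str:
    """Classify the start of an outbound TCP payload.
    'connect'       CONNECT host:port   -> tunnel request to a forward proxy
    'absolute-uri'  GET http://host/... -> proxy-style request
    'origin-form'   GET /path           -> ordinary request to a web server
    'not-http'      TLS, SSH, any other protocol"""
    m = _REQUEST_LINE.match(payload)
    if not m:
        return "not-http"
    if m.group("method") == b"CONNECT":
        return "connect"
    if re.match(rb"^https?://", m.group("target"), re.IGNORECASE):
        return "absolute-uri"
    return "origin-form"


def is_wss_destination(dst_ip: str) -> bool:
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in WSS_NETWORKS)


def decide(dst_ip: str, dst_port: int, payload: bytes, pac_proxy: str = "") -> str:
    """'forward' for captured ports and for the agent's own path to WSS (directly
    or via the PAC-configured proxy, which the guide says is not treated as
    avoidance); 'drop' for proxy-style requests to any other destination on a
    non-captured port; 'pass' for traffic the agent does not handle."""
    if dst_port in FORWARDED_PORTS or is_wss_destination(dst_ip) or dst_ip == pac_proxy:
        return "forward"
    if classify_request(payload) in ("connect", "absolute-uri"):
        return "drop"
    return "pass"


# Constructed sample payloads.
CONNECT_TO_ROGUE = b"CONNECT evil.example:443 HTTP/1.1\r\nHost: evil.example:443\r\n\r\n"
ABSOLUTE_URI = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
ORIGIN_FORM = b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SSH_BANNER = b"SSH-2.0-OpenSSH_9.0\r\n"

if __name__ == "__main__":
    for ip, port, data in [("198.51.100.7", 8080, CONNECT_TO_ROGUE),
                           ("198.51.100.7", 8080, ABSOLUTE_URI),
                           ("198.51.100.7", 443, TLS_CLIENT_HELLO),
                           ("203.0.113.10", 8080, CONNECT_TO_ROGUE)]:
        print(ip, port, classify_request(data), "->", decide(ip, port, data))
```

The rule is deliberately narrow: on the captured ports everything is forwarded to WSS regardless of shape, because WSS policy applies there; the drop only fires for a proxy conversation on some other port with a destination that is neither WSS nor the PAC-configured proxy.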

Note: For clients running Unified Agent 4.8+, you have the option to disable tamper detection, which allows uninterrupted service if the agent cannot connect to the Web Security Service.

About Password Protection

You can configure an uninstall token in the portal. Users cannot uninstall the remote client application from their systems without the token.

About SSL Certificate Installation

The Unified Agent's connection to the CTC requires the WSS SSL root certificate. Unified Agent installations also install this certificate. If the certificate is not present, the Unified Agent remains operational but might fail to connect to the CTC in the WSS data center. If this occurs, the agent reverts to the legacy DNS method to connect to the WSS.


Upon installation, the Unified Agent installs the WSS root certificate. If the certificate is not installed because of unforeseen permission issues, you can manually download and install it.

About Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access.

MAC CLIENT NOTE

You can install WSS Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client. The domain defaults to the single domain in the AD. You can, however, enable the Captive Portal feature, which makes users and groups available for policy checks.

About IPv6 IP Addresses

The Unified Agent that accompanies the WSS 6.9.4.1 service update (December 2016) changes how the Unified Agent processes IPv6 addresses.

- In situations where IPv6 access is available, most clients ask the DNS for both IPv4 and IPv6 destination addresses. The Unified Agent modifies the IPv6 (AAAA) DNS responses to contain no IPv6 addresses and an NXDOMAIN status code, so the client sees no IPv6 address for the destination. The client therefore uses IPv4 by default, and the Unified Agent intercepts the subsequent connection. This behavior allows for proper application of policy and malware scanning.

- If the DNS server returns no IPv4 addresses, the client cannot resolve the destination and receives a DNS error.

- Be advised that an employee can circumvent the interception by entering the IPv6 address directly into the browser (instead of the destination URL), because no DNS lookup takes place.
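To make the behavior above concrete, here is an added Python example (not Symantec's implementation) that rewrites a raw DNS response the way the text describes: a response to an AAAA question loses all its records and is marked NXDOMAIN, a response to an A question passes through untouched, and a final helper shows the caveat that an IP literal in the URL produces no query to intercept. The message builder and the sample responses are constructed here; RFC 1035 wire format is the only external dependency.

```python
import ipaddress
import struct
from urllib.parse import urlsplit

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NXDOMAIN = 3


def _encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"


def _skip_name(msg: bytes, off: int) -> int:
    """Offset just past the name starting at off (handles compression pointers)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def header_fields(msg: bytes):
    """(id, flags, qdcount, ancount, nscount, arcount) of a DNS message."""
    return struct.unpack_from("!6H", msg, 0)


def build_response(txid: int, name: str, qtype: int, addresses) -> bytes:
    """Constructed helper: a NOERROR response with one A/AAAA record per address,
    each owner name compressed back to the question name (pointer 0xC00C)."""
    answers = b""
    for addr in addresses:
        rdata = ipaddress.ip_address(addr).packed
        answers += b"\xC0\x0C" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", qtype, 1) + answers


def question_qtype(msg: bytes) -> int:
    """QTYPE of the first question in a DNS message."""
    if header_fields(msg)[2] < 1:
        raise ValueError("no question section")
    return struct.unpack_from("!H", msg, _skip_name(msg, 12))[0]


def rewrite_response(msg: bytes) -> bytes:
    """AAAA responses lose every answer/authority/additional record and get
    RCODE=NXDOMAIN, so the client sees no IPv6 address and uses the A answer.
    Responses to any other QTYPE are returned unchanged."""
    if question_qtype(msg) != QTYPE_AAAA:
        return msg
    txid, flags, qdcount = struct.unpack_from("!3H", msg, 0)
    flags = (flags & 0xFFF0) | RCODE_NXDOMAIN          # low 4 bits carry the RCODE
    question_end = _skip_name(msg, 12) + 4              # QTYPE + QCLASS
    return struct.pack("!6H", txid, flags, qdcount, 0, 0, 0) + msg[12:question_end]


def dns_interception_applies(url: str) -> bool:
    """The caveat from the guide: an IPv6 (or IPv4) literal in the URL triggers
    no DNS query, so this rewrite never sees the connection."""
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


# Constructed sample responses (RFC 3849 / RFC 5737 documentation addresses).
SAMPLE_AAAA = build_response(0x1234, "www.example.com", QTYPE_AAAA, ["2001:db8::1", "2001:db8::2"])
SAMPLE_A = build_response(0x1235, "www.example.com", QTYPE_A, ["198.51.100.30"])

if __name__ == "__main__":
    print(header_fields(rewrite_response(SAMPLE_AAAA)))
    print(rewrite_response(SAMPLE_A) == SAMPLE_A)
    print(dns_interception_applies("http://[2001:db8::1]/"))
```

The interesting edge is the last helper: the rewrite works on responses, so anything that never asks a question (a literal `http://[2001:db8::1]/`) goes straight to the IPv6 destination, which is exactly the gap the third bullet warns about.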

About Time Zones

When a user's system connects to the Web Security Service from the Unified Agent, the time zone is the recognized system time of their machine.

About Hybrid Policy and Unified Agent Connections

If you are employing the Symantec Hybrid Policy solution, the Unified Agent has slightly different connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use common policy. The client workstations that use that common policy proxy have the WSS version of the Unified Agent installed. Normally, the Unified Agent is in Passive mode on workstations connecting from behind a proxy that is providing common policy.

Noticeable Behavior

- On the WSS portal, the Network Location status changes from green to red. This causes all new Unified Agent connections to switch to active instead of passive.


- After a networking event, such as a change in IP address, while the Network Location is red, the Unified Agent switches to active.

- When the Network Location status is green, the Unified Agent switches to passive mode.

If the common policy proxy is unable to establish a connection to the portal for approximately 35 minutes, the hybrid location changes from green to red. If the Unified Agent is in passive mode, it remains passive unless a networking event occurs. The Unified Agent goes to active mode for all new connections from that red-status network. This is by design: if the on-premises ProxySG appliance is experiencing issues and is configured to Fail Open, the Unified Agent must be in active mode for the WSS to provide protection.

Tip: If you notice that the Unified Agent is switching to active mode for reasons not described above, check the hybrid location in the portal. If the hybrid location status is red, check connectivity between the on-premises ProxySG appliance and the WSS (a packet capture might be required to diagnose). You can run the update-now command while in the cloud-service configuration mode to generate traffic destined to the service.


Select a Distribution Method

You can manually install to individual clients or use an application to distribute to multiple clients.

Windows

- "Connectivity: Manually Deploy the Unified Agent (Windows)" on page 66

- "Connectivity: Distribute WSS Agent With GPO" on page 27

Mac OS X

- "Connectivity: Manually Deploy the Unified Agent (Mac)" on page 71

- "Connectivity: Distribute WSS Agent With JAMF" on page 31


Connectivity: Manually Deploy the Unified Agent (Windows)

Note: End of Maintenance for the Unified Agent is March 31st, 2021. Unless your portal account was provisioned with the agent license before July 31st, 2020, you cannot download the Unified Agent. Use the newest product, the WSS Agent. See "Connectivity: About the WSS Agent" on page 8.

When installed on client systems, the Web Security Service Unified Agent protects remote users when the internet connection is from a non-corporate location. This topic describes how to manually install the agent on a Windows client and configure WSS security options. It is practical if you are installing to one or several client systems. If you require distribution to a large number of clients, see "Connectivity: Distribute WSS Agent With GPO" on page 27.

For more solution details, see "Connectivity: About the WSS Agent" on page 8.

Technical Requirements

- WSS account Admin access.

- Windows clients—

  - Windows 7.x 32-64 bit (Pro and Enterprise)

  - Windows 8.x 32-64 bit (Pro and Enterprise)

- Protocols: UDP, SSL, TCP

- Allow the following ports through firewalls.

  - Port 80/443 to portal.threatpulse.com (199.19.250.192) (for captive network information and updates)

  - Port 443 to ctc.threatpulse.com

  - Port 443 to client.threatpulse.net (DNS fallback)

- Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more information, consult the following Knowledge Base article:

https://knowledge.broadcom.com/external/article?legacyId=TECH242793

About Bypassed Non-Routable IP Addresses

By default, WSS bypasses the following non-routable ranges: the three RFC 1918 private ranges and the RFC 3927 link-local range.

- 10.0.0.0/8

- 169.254.0.0/16

- 172.16.0.0/12

- 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly.


Procedure

VPN Client Compatibility

The WSS Agent cannot compete with other VPN clients, such as Cisco AnyConnect, that might be installed on client systems. Full or split tunnel operation is possible with additional configuration.

- Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPsec Location in WSS (Connectivity > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.

- Split Tunnel—Exempt the VPN server's IP address from interception (for example, through the IP Bypass List) to prevent connection flapping.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

Navigate to Connectivity > WSS Agent.

- Your network might require the Unified Agent to connect to the WSS through an HTTP proxy, for example in a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.

- For increased security in a production installation, clear this option. The Proxy tab is then neither visible nor available in the Unified Agent application on the employee's client system.

Tip: If you elect to hide the Proxy tab but later decide you want the Unified Agent to display it, return to this page and enable it. However, the Unified Agent does not display the tab until after the next client restart/reboot.


Step 2—Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more notes and installation steps, consult the following Symantec Knowledge Base article:

https://knowledge.broadcom.com/external/article?legacyId=TECH242793

Step 3—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

Tip: If your account was not provisioned for Unified Agent before July 31st, 2020, the installer is not available. You must use WSS Agent.

1. Navigate to Connectivity > WSS Agent.

2. In the Installers area, click the 32-bit or 64-bit button in the Windows 7.x, 8.x and 10.x Unified Agent section.

3. If this is the first time you are attempting to download the application, the service displays the Profile dialog.

As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file.


Step 4—Install the Unified Agent on a Client System.

1. Launch the installer.

a. In Windows, navigate to the directory where you saved the UnifiedAgentInstaller[32 | 64]-version_number.msi file. Symantec strongly recommends that you record this full MSI name; it might be required for future uninstallation tasks.

b. Double-click the file, which launches the installer.

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The installation begins.

4. Click Finish to complete the installation.

5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Step 5—Verify the Client Installation.

When the system reboots, it connects to WSS and begins intercepting web-bound traffic.

1. In the Windows system tray, locate the Unified Agent icon and double-click it. Windows displays a dialog with the Status tab.

2. Verify that the connection to WSS is active.

(If the system detects a defined location, the agent displays ...in Passive Mode.)


3. Use a browser on the client and attempt to access a site that belongs to a blocked category. The browser displays an exception (blocked content) page.

Next Selection

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 75.

- If not, proceed to "Set WSSA Network/Security Options" on page 35.


Connectivity: Manually Deploy the Unified Agent (Mac)

Note: End of Maintenance for the Unified Agent is March 31st, 2021. Unless your portal account was provisioned with the agent license before July 31st, 2020, you cannot download the Unified Agent. Use the newest product, the WSS Agent. See "Connectivity: About the WSS Agent" on page 8.

When installed on client systems, the Web Security Service Unified Agent protects remote users when the internet connection is from a non-corporate location. This topic describes how to manually install the agent on a Mac OS X client and configure Web Security Service security options, which is practical if you are installing to one or several client systems. If you require distribution to a large number of clients, see "Connectivity: Distribute WSS Agent With JAMF" on page 31.

For more solution details, see "Connectivity: About the WSS Agent" on page 8.

Technical Requirements

- Web Security Service account Admin access.

- Mac OS X clients 10.9+

- Protocols: UDP, SSL, TCP

- Allow the following ports through firewalls.

  - Port 80/443 to portal.threatpulse.com (199.19.250.192) (for captive network information and updates)

  - Port 443 to ctc.threatpulse.com

  - Port 443 to client.threatpulse.net (DNS fallback)

- Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more information, consult the following Knowledge Base article:

https://knowledge.broadcom.com/external/article?legacyId=TECH242793

About Bypassed Non-Routable IP Addresses

By default, WSS bypasses the following non-routable ranges: the three RFC 1918 private ranges and the RFC 3927 link-local range.

- 10.0.0.0/8

- 169.254.0.0/16

- 172.16.0.0/12

- 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses WSS and the client connects directly.
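The routing decision described in the bypass-list passages of both the Windows and Mac procedures, combined with the failure-mode rule from "WSS Agent 7.x—Tunnel Error" (bypass lists are honored while in failure mode), as an added Python example rather than Symantec's code. The four default ranges are the ones listed above; the administrator's IP and domain bypass entries, the hostnames and the addresses are constructed assumptions.

```python
import ipaddress

# The default non-routable ranges the guide lists as bypassed.
DEFAULT_BYPASS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed administrator configuration (assumptions, not portal values).
IP_BYPASS = ["203.0.113.0/24"]                      # e.g. a partner network behind a VPN
DOMAIN_BYPASS = ["*.corp.example", "intranet.example"]


def domain_matches(host: str, patterns) -> bool:
    """Suffix match: '*.corp.example' or 'corp.example' covers the name and its subdomains."""
    host = host.lower().rstrip(".")
    for pattern in patterns:
        suffix = pattern.lower().lstrip("*").lstrip(".")
        if host == suffix or host.endswith("." + suffix):
            return True
    return False


def is_bypassed(host: str, ip: str, ip_bypass=(), domain_bypass=()) -> bool:
    """True when the destination must go direct: default ranges, the admin IP list,
    or the admin domain list."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in DEFAULT_BYPASS):
        return True
    if any(addr in ipaddress.ip_network(n) for n in ip_bypass):
        return True
    return bool(host) and domain_matches(host, domain_bypass)


def route(host: str, ip: str, tunnel_up: bool, fail_mode: str,
          ip_bypass=(), domain_bypass=()) -> str:
    """Decide 'direct', 'tunnel' or 'block' for one connection.
    Bypass entries win regardless of tunnel state.  With the tunnel down,
    Fail Open sends the remaining traffic direct and Fail Closed blocks it."""
    if is_bypassed(host, ip, ip_bypass, domain_bypass):
        return "direct"
    if tunnel_up:
        return "tunnel"
    if fail_mode == "open":
        return "direct"
    if fail_mode == "closed":
        return "block"
    raise ValueError(f"unknown failure mode: {fail_mode!r}")


if __name__ == "__main__":
    for up in (True, False):
        for mode in ("open", "closed"):
            print(up, mode,
                  route("www.example.com", "198.51.100.30", up, mode),
                  route("git.corp.example", "198.51.100.9", up, mode, IP_BYPASS, DOMAIN_BYPASS))
```

Note what Fail Closed does not block: anything on the bypass lists still goes direct with the tunnel down, so an over-broad bypass entry weakens the fail-closed posture exactly when it matters.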


Procedure

VPN Client Compatibility

TheWSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on clientsystems. You can configure full or split tunnel with additional configurations.

n Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location inWSS(Connectivity > Locations). This enables theWSS Agent to enter Passivemode when on the Location network.

n Split Tunnel—Add the VPN server's IP address to the bypass list (Policy > Bypassed Traffic > Bypassed IPs/Subnets) so the agent never tries to send the VPN connection itself through WSS; this prevents connection flapping.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

Navigate to Connectivity > WSS Agent.

n Your network might require the Unified Agent to connect to WSS through an HTTP proxy; for example, on a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.

n For increased security in a production installation, clear this option. The Proxy tab is then neither visible nor available in the Unified Agent application on the employee's client system.

Tip: If you elect to hide the Proxy tab, but decide you want the Unified Agent to display it, return to this page and enable it. However, the Unified Agent does not display the tab until after the next client restart/reboot.


Step 2—Download the Unified Agent Installer.

Tip: If your account was not provisioned for Unified Agent before July 31st, 2020, the installer is not available. You must use WSS Agent.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 3: Install the Client.

1. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.

2. If this is the first time you are attempting to download the application, the service displays the Profile dialog.

As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

3. Download the installer.

Step 3—Install the Unified Agent on a Client System.

1. Launch the installer assistant.

a. Navigate to the directory where you saved the installer. Double-click it to mount the disk image.

b. Navigate in the Finder and select the Unified Agent .pkg file; double-click it. The OS displays the Unified Agent installer.

2. Click Continue. The Unified Agent Installation wizard begins.

3. The installer displays a prompt for the administrator user name and password.

4. When the installation completes, click Close.

From the menu bar, click the Unified Agent icon and select Status. On the Advanced tab, verify that the agent is running (if you still require a proxy connection to the Internet, see below).

Next Selection

n If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 75.

n If not, proceed to "Set WSSA Network/Security Options" on page 35.


Route Remote Connections Through an HTTP Proxy

Note: End of Maintenance for the Unified Agent is March 31st, 2021. Unless your portal account was provisioned with the agent license before July 31st, 2020, you cannot download the Unified Agent. Use the newest product, the WSS Agent. See "Connectivity: About the WSS Agent" on page 8.

If you encounter a situation that requires the Unified Agent to connect to the Web Security Service through an HTTP proxy, such as a test network trial or demonstration, you must provide the proxy IP address.

Perform the following steps on Windows or Mac clients.

Deployment Notes

n This is not applicable to the WSS Agent.

n If you do not see the Proxy tab, you or another administrator installed the client with the option to hide that tab enabled. This is a higher-security measure that prevents employees from evading the corporate-to-Internet egress addresses that are linked to enforced browsing policies. If a particular client requires this setting, you must re-install the agent on the system.

n If you configure this option, you cannot select the Unified Agent 4.8+ Ignore Proxy Settings option on the Connectivity > WSS Agent page.

In Windows

This section demonstrates the Unified Agent.


1. Right-click the Unified Agent icon in the system tray and select Proxy Settings.

a. Select Connect to the Blue Coat Cloud Service using the HTTP proxy at:.

b. Enter the IP address and port number in the appropriate fields.

c. (Optional) If required to gain access to the proxy server, enter the proxy user name and password.

d. Click Apply.

In OS X:

This section demonstrates the Unified Agent.

1. Click the Unified Agent icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the dialog.

2. Click the Proxy tab.


a. Select Connect to the Blue Coat Cloud Service using the HTTP proxy at.

b. Enter the HTTP proxy IP Address and Port.

c. (Optional) If the HTTP proxy requires a User Name and Password for access, enter those.

3. Click Apply.

Next Step

n Proceed to "Set WSSA Network/Security Options" on page 35.


Manually Disable the Unified Agent

The Symantec Unified Agent, installed on employee devices such as laptops, provides web security when the client is not connected to an on-premises network. Although the Unified Agent should function in any network, sometimes an unforeseen environment might cause connection issues or prevent the Unified Agent from passing web traffic to the WSS. Your business might depend on the efficiency of personnel in the field who cannot be disrupted by a lack of an Internet connection.

You can configure the WSS to allow employees to temporarily disable the Unified Agent should connection issues occur. The Unified Agent remains disabled only until the client machine reboots or the employee initiates a reconnect from the Unified Agent interface.

Furthermore, this setting in the WSS applies to all Unified Agents in the field; you cannot selectively target which installations receive the disable option. Because any user can then take a device out of WSS enforcement until the next reboot or reconnect, enable the option only for as long as the connectivity problem persists.

Note: This feature only functions for clients running Unified Agent v4.4+ (released July 11,2014).

Activate the Disable Option

1. Navigate to Connectivity > WSS Agent.

2. In the End User Permissions area, select Allow agent to be disabled by user.

Instruct Employees How to Disable the Unified Agent

Windows

In the system tray, right-click the Unified Agent icon and select Disable Unified Agent. Employees can also return here and Enable the agent.

OS X

Click the Unified Agent icon in the menu bar and select Disable Unified Agent. Employees can also return here and Enable the agent.


Uninstall the Unified Agent

Note: End of Maintenance for the Unified Agent is March 31st, 2021. Unless your portal account was provisioned with the agent license before July 31st, 2020, you cannot download the Unified Agent. Use the newest product, the WSS Agent. See "Connectivity: About the WSS Agent" on page 8.

The Symantec Unified Agent is an application installed on remote systems that frequently connect to the Internet from non-corporate networks. You have the option to require an uninstall token, which employees must enter to remove the Unified Agent.

Available Options

n "Unified Agent—With Uninstall Token" below

n "No Token Defined/Client Connector" on page 82

n "CLI" on page 82

n "MSI Version Mis-Match (Unknown MSI)" on page 82

Unified Agent—With Uninstall Token

Employees attempting to uninstall the Unified Agent require an uninstall token that you define in the Web Security Service portal.

Information

n This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

n If you previously deployed the Unified Agent to clients and used the CLI options (Windows: SUP=password; OS X: "--args -SUP password"), those passwords are no longer valid. You must log in to the portal and define the uninstall token.

n Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client receives the latest uninstall token.

n If you did not define an uninstall token, the agent can be removed from the Control Panel without a token (see "No Token Defined/Client Connector" on page 82).

Procedure

1. Navigate to Connectivity > WSS Agent.

2. Define the uninstall token.


a. Select Require token to uninstall agent: Yes.

b. Click Uninstall Token (or Change Token if you or someone previously obtained a token). The service displays the Set Unified Agent Uninstall Token dialog.

c. Name the Uninstall Token and click Set Token. The service displays that an uninstall token was set on a given date and time.

d. Distribute the uninstall token and instructions (see below) to those who have permission to uninstall the Unified Agent.

You can change the uninstall token any time.

Windows

If it still exists on the client, running the correct MSI installer allows you to remove the client application. If the MSI does not exist, you can download it again from the Web Security Service portal. If you attempt this method and receive an error string that begins with Another version of this product is already installed..., see "MSI Version Mis-Match (Unknown MSI)" on page 82 below.


n Execute the Unified Agent installer (MSI).

In the Removal...uninstall token field, enter the token and click Validate.

Note: The equivalent CLI form passes UNINSTALL_TOKEN=password to msiexec as a property, where password is the token obtained from the portal (see "CLI" on page 82).

Tip: If an employee attempts to remove the Unified Agent from the Windows Control Panel, they receive a pop-up message prompting them to contact their Administrator for removal permission.

OS X

1. In the menu bar, click the Unified Agent icon.

2. Hold down the Option (Alt) key. The Quit menu item changes to Uninstall.

3. The system prompts you for the uninstall token. Enter the uninstall token and click OK.

4. Click Uninstall.

No Token Defined/Client Connector

If an uninstall token was not defined in the portal, follow the standard process for removing a program.

Windows

(Start > Control Panel > Add/Remove Programs). You must have administrative rights to the system.

OS X

1. In themenu bar, click the Unified Agent icon.

2. Hold down the Option (Alt) key. The Quit menu item changes to Uninstall.

3. Click Uninstall.

Alternative

Navigate to /Library/Application Support/Blue Coat Systems and double-click the cloud-client-uninstaller.

CLI

If you know or recorded the exact MSI that was used to install the application, use the following command to remove it. {MSI_Value} is the package's product code, the GUID listed for each installer in "Reference: Windows WSSA/UA Package Versions" on page 100. The bracketed arguments are optional: /quiet suppresses the UI, and UNINSTALL_TOKEN is required only when an uninstall token is defined in the portal.

msiexec /x {MSI_Value} [/quiet UNINSTALL_TOKEN=password]

Reference—MSI Versions

n See "Reference: Windows WSSA/UA Package Versions" on page 100 for versions.

MSI Version Mis-Match (Unknown MSI)

The following scenario creates an MSI-version mis-match.

n You configured the option in the Web Security Service portal to allow Unified Agent clients to automatically update.

n You defined an uninstall token.

For example, you downloaded and installed Unified Agent 4.4, then (per configuration) the portal automatically updates the installed client versions to 4.5 when Symantec posts it to datacenters. With the uninstall token option defined, you or employees cannot uninstall the application because no MSI was downloaded and paired with the upgraded product ID.

To remove the application, you must use the CLI command with the correct product ID code.

msiexec /x {product_id_code} /quiet UNINSTALL_TOKEN=password

You find this code one of two ways:

n (Recommended) Review the MSI uninstall failure log.

n Find it in the registry. For more information about this method, see the Knowledge Base article:


https://support.symantec.com/en_US/article.TECH246265.html

The product ID is the same for all installation instances, which means you can create scripts to remove the application from multiple clients.
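The following is an added example, not Symantec's code or a documented WSS tool, that scripts the removal described above: it builds the msiexec command from a product code and uninstall token, and on Windows looks the installed product code up in the registry so that the "Unknown MSI" case does not depend on having the original installer. The product codes come from the reference table on page 100; the registry path is the standard Windows Installer Uninstall key, and matching on a DisplayName that contains "Unified Agent" is an assumption you should confirm on one client before running this across a fleet. The exit codes it interprets are the standard Windows Installer ones.

```python
"""Script Unified Agent removal by MSI product code (added example, not Symantec code).

Equivalent to the page's:  msiexec /x {product_id_code} /quiet UNINSTALL_TOKEN=password
"""
import re
import subprocess
import sys
from typing import Dict, List, Optional

# MSI product codes are GUIDs in registry format, braces included.
_GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")

# Product codes copied from the reference table on page 100 (64-bit Unified Agent).
KNOWN_PRODUCT_CODES: Dict[str, str] = {
    "UnifiedAgentInstaller64-4.10.6.230466.msi": "{DBC6623E-500F-4FFA-BB8D-B119ABA56F8A}",
    "UnifiedAgentInstaller64-4.10.3.225009.msi": "{58660032-15F8-4B48-848F-63D31541305C}",
    "UnifiedAgentInstaller64-4.10.1.219990.msi": "{BD6535C4-B66E-472C-A4FC-473B4F93DC10}",
    "UnifiedAgentInstaller64-4.9.4.212024.msi": "{1536286D-6678-4FCD-A732-9E794A0ACDF7}",
}

# Standard Windows Installer exit codes worth distinguishing in a fleet script.
MSI_EXIT_CODES = {
    0: "removed",
    1603: "fatal error during uninstall (check the verbose log)",
    1605: "unknown product: that product code is not installed on this client",
    1618: "another installation is already in progress",
    3010: "removed; a reboot is required",
}


def normalize_product_code(code: str) -> str:
    """Return the product code in canonical {GUID} form, or raise ValueError."""
    code = code.strip().upper()
    if not code.startswith("{"):
        code = "{" + code + "}"
    if not _GUID_RE.match(code):
        raise ValueError(f"not an MSI product code: {code!r}")
    return code


def product_code_for_installer(msi_filename: str) -> Optional[str]:
    """Product code for an installer you recorded at deployment time, if known."""
    return KNOWN_PRODUCT_CODES.get(msi_filename)


def build_uninstall_command(product_code: str, token: Optional[str] = None,
                            quiet: bool = True, log_path: Optional[str] = None) -> List[str]:
    """Build the msiexec argument list. UNINSTALL_TOKEN is a public MSI property,
    so the token is visible in process listings and in any verbose log you request."""
    cmd = ["msiexec", "/x", normalize_product_code(product_code)]
    if quiet:
        cmd.append("/quiet")
    if token:
        cmd.append(f"UNINSTALL_TOKEN={token}")
    if log_path:
        cmd += ["/l*v", log_path]
    return cmd


def installed_product_codes(display_name_contains: str = "Unified Agent") -> Dict[str, str]:
    """Windows only: map DisplayName -> product code for matching MSI products.

    MSI-installed products appear under the Uninstall key with the product code
    as the subkey name; both the 64-bit and 32-bit registry views are checked.
    Returns {} on other platforms so the module stays importable everywhere.
    The DisplayName substring is an assumption; confirm it on one client first.
    """
    if sys.platform != "win32":
        return {}
    import winreg

    path = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    found: Dict[str, str] = {}
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path, 0, winreg.KEY_READ | view)
        except OSError:
            continue
        with root:
            index = 0
            while True:
                try:
                    subkey_name = winreg.EnumKey(root, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                if not _GUID_RE.match(subkey_name.upper()):
                    continue  # not an MSI product entry
                try:
                    with winreg.OpenKey(root, subkey_name) as sub:
                        name, _ = winreg.QueryValueEx(sub, "DisplayName")
                except OSError:
                    continue
                if display_name_contains.lower() in str(name).lower():
                    found[str(name)] = subkey_name.upper()
    return found


def describe_exit_code(code: int) -> str:
    return MSI_EXIT_CODES.get(code, f"msiexec exit code {code}")


def uninstall(product_code: str, token: Optional[str], dry_run: bool = True) -> str:
    """Run (or, with dry_run, only show) the removal and return a readable result."""
    cmd = build_uninstall_command(product_code, token)
    if dry_run:
        return "dry run: " + " ".join(cmd)
    result = subprocess.run(cmd, check=False)
    return describe_exit_code(result.returncode)


if __name__ == "__main__":
    # Prefer what the registry says is installed (auto-updated clients) over the
    # installer you believe you deployed; fall back to the recorded package.
    codes = installed_product_codes() or {
        "recorded installer": product_code_for_installer("UnifiedAgentInstaller64-4.10.6.230466.msi")
    }
    for name, code in codes.items():
        print(name, "->", uninstall(code, token="example-token", dry_run=True))
```

Run it with dry_run=True first on a representative client to confirm the registry lookup returns exactly one product, then switch to dry_run=False in your deployment tool. Because the token travels on the command line, rotate it in the portal after the removal campaign.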


Troubleshoot

Use the following topics to diagnose remote client connection problems.

n "Unified Agent Connection Troubleshooting" on page 85

n "ManageWeb Security Service Client Connections" on page 89

n "Manually Disable the Unified Agent" on page 90

n "Capture Remote Client Trace Log" on page 92

n "Uninstall the Unified Agent" on page 79


Unified Agent Connection Troubleshooting

Connection Issues

n Symptom

The Unified Agent redirects or connects to the wrong datacenter.

Check

UA Installation Article.

n Symptom

The Unified Agent randomly loses connection and then reconnects, causing interruptions to internet access.

Check

On computers with both a wired and a wireless network connection, ensure that both interfaces are not connected at the same time. Otherwise the client rolls from one interface to the other, which might cause connection interruptions.

n Symptom

Unified Agent installation fails.

Check

Multiple failed installation attempts might leave registry entries that compound the failures. See

UA KB Query

n Symptom

The Unified Agent returns a username similar to the following.

NT AUTHORITY\SYSTEM

The cause is a third-party application intercepting the traffic, which prevents the Unified Agent from returning the correct username as derived from its process.

Check

With Unified Agent v4.6+, you can instruct the Web Security Service to return the logged-in username. On the Connectivity > WSS Agent page, select Logged in User ID from the Username Format drop-down list.

System Events

You can view a list of system events recorded by the Unified Agent by opening the diagnostics log file. This text file displays events with time stamps whenever the network or client status changes as a result of user input or other system disturbances.

The diagnostic log file is automatically created by the remote client application and does not require setup. To view the auto-generated log file, refer to the following action steps.

In Windows:


1. In the system tray, double-click the installed client icon. The service displays the Status tab of the client dialog.

2. Click the Advanced tab.

3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename carries the creation date and time as MMDDYYYY-HHMM (for example, the filename UnifiedAgent_Diag_07072016-1047.txt indicates the file was created on July 7, 2016 at 10:47 AM).

In OS X:

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The service displays the Status tab of the client dialog.

2. Click the Advanced tab.

3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename carries the creation date and time as MMDDYYYY-HHMM (for example, the filename UnifiedAgent_Diag_07072016-1047.txt indicates the file was created on July 7, 2016 at 10:47 AM).

Capture Remote Client Trace Log

If your remote user employees are sending complaints about network access to the web and they have the Unified Agent installed and routing web requests to the WSS, you can capture tracing logs from the client to help diagnose client-related issues (if you are working with Technical Support, they might also request this information). As the capture must be performed on the client system, you must initiate the process by performing one of the following actions:

n Have the employee bring you their client system.

n Gain access to their system through a remote connection.

n Instruct the employee on how to perform the capture and send you the file.

Packet Capture

To perform a packet capture, refer to the following action steps:

In Windows

1. In the system tray, double-click the installed client icon. The system displays the Status tab of the client dialog.

2. Click the Advanced tab.


a. Click Start Tracing to initiate a trace capture. When you begin a trace capture, the service displays the path to the trace file.

b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart Windows, and return to this dialog to stop the capture.

c. Stop the trace capture by clicking Stop Tracing.

d. Click Open Trace Folder to display the folder that contains the trace file to send to support.

In OS X

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the Status tab of the client dialog.

2. Click the Advanced tab. 


a. Click Start Tracing to initiate a trace capture.

b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart the computer, and return to this dialog to stop the capture.

c. Stop the trace capture by clicking Stop Tracing.

d. To view the trace (packet capture) information, use the OS X Console application to open the System Log. You can find the Console application in the OS X Utilities folder. Unified Agent trace messages are added to the system log. To see just these messages, enter bcua in the search field (upper-right) in the Console application. To copy/paste all of the messages, select one and select Select All from the Edit menu; paste into a text file.



Manage Web Security Service Client Connections

If employees are sending complaint requests regarding dropped connections to the web, reviewing the Web Security Service client connection status might help you determine if this is a widespread or minimal issue. Also, if you see a client on the system that you do not believe belongs in your organization (for example, a stolen laptop), you can log in to the WSS portal and block access to that client while you investigate.

To review client connections, navigate to Connectivity > Agents tab.

Your organization might have hundreds to thousands of client connections at any given moment. Use the search field to yield targeted results. As you enter text, the portal uses auto-fill to match entries. Select the option on which to sort.

See Manage Remote/Mobile Device Connections for more details.





Verify Mobile Connections

The Connectivity > Agents page displays WSS connections from devices that have an installed agent or VPN profile. You can view what type of device has passed traffic, who owns the device, and other information as described below. You can also block WSS connections from suspicious devices, allowing you to investigate and take further action if necessary.

Note: At this time, you cannot verify connections from the Cloud Connect Defense (CCD) app.

About Device Visibility

Installing an agent or VPN profile on a device does not cause immediate visibility on the Agents page. The client must first connect to WSS and pass traffic. Also, by default the portal displays connections that occurred over the previous 24 hours. You can adjust the filter to view connections going back days, weeks, or years.

View Devices

As WSS begins to receive traffic and build the reporting database, the portal displays each device in a row. You can search for terms, sort by columns, and take actions as necessary.

A: Authenticated User—Who authenticated through the device (logged-in user).

B: Device Name—The name of the device as designated by IT at provisioning or customized by the owner of a personal device (mobile phone).

C: Device ID—The device's registration number.

D: Agent Type—The platform connecting to WSS:

n Android

n iOS


n WSS Agent

n Unified Agent

E: Client Version—The version of the installed agent.

F: Suppressed—If your portal is configured to suppress personal identification information (PII), the table does not display information such as authenticated username or device identity.

G: Egress IP—The IP address of the network segment that connects to WSS.

H: Last Access—The time stamp indicating when the device last connected to WSS.

I: Permission—The Allowed or Blocked status for this device. Blocked means the device cannot access the web through WSS.

J: Actions—Allow or temporarily Block a device. Consider the following use case. You are suspicious about a specific deviceconnection. You can block it, investigate, then return to this page and Reconnect the device if it is legitimate.

Tip: Because of an unresolved issue, click Refresh manually to see the Actions column link.

Page Options

The Agents page provides the following options:

n Refresh the table to obtain the most recent data.

n The Agent Type filter instructs the portal to display connections for a specific device type:

n Android

n iOS

n WSS Agent

n The Last Access filter instructs the portal to display connections that occurred during a specific time period. The default is the previous 24 hours.

n Enter a Search Term to filter by a specific name (applies to both user and device names).


Prevent a Domain From Routing to WSS

IMPORTANT—This topic only applies to locations that use the Explicit Proxy and WSS Agent WSS connectivity methods. All other access methods ignore any bypass domain configurations.

Some destinations, such as intranets, do not require WSS processing. Configure the service to ignore these connections. Another use case is that you have use policy enabled, such as blocking several leisure categories, but you want to relax restraints for remote users and allow their requests to bypass WSS en route to specific sites.

Notes

n WSS allows an unlimited number of bypassed domains.

n The bypass setting is a simple match on the domain suffix; the hostname and top-level domain are used for policy matching. For example, a bypass entry for test.com matches a request for www.test.com and also one for shop.test.com.

n The setting is global; that is, it applies to every location/client in your WSS account.

n Be advised that multi-homed domains might lead to over-bypassing a site.

n Each time that a WSS Agent reconnects to WSS (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks for updates to the list.

Procedure—Manually Add Domain Entries

1. Navigate to the Policy > Bypassed Traffic > Bypassed Domains tab.

2. Click Add. The portal displays a dialog.


a. Enter a valid Domain.

b. (Optional) Enter a Comment.

c. (Optional) Click the + icon to add another row for another entry.

d. Click Add Domains.

The new entries display in the tab view. You can edit or delete any entry from here.

Import Domain Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of domains to be bypassed. Each entry in the file must be on its own line.

1. Navigate to the Policy > Bypassed Traffic > Bypassed Domains tab.

2. Click Add. The service displays the Add Bypass Domain dialog.

3. Click Import Domains.

a. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

b. Click Import.

All of the new entries display in the tab view. You can edit or delete any entry from here.


Prevent IP/Subnet From Routing to the Web Security Service

IMPORTANT—This topic only applies to locations that use the Explicit Proxy and WSS Agent Web Security Service connectivity methods. All other access methods ignore any bypass IP/subnet configurations.

Some IP addresses or subnets do not require WSS processing. For example, you want to exclude test networks. Configure the service to ignore these connections.

Notes

n WSS allows an unlimited number of bypassed IP addresses/subnets.

n Each time that a WSS Agent reconnects to WSS (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks for updates to the list.

Procedure—Manually Add IP Addresses

1. Navigate to the Policy > Bypassed Traffic > Bypassed IPs/Subnets tab.

2. Click Add. The service displays a dialog.

a. Enter an IP/Subnet.

b. (Optional) Enter a Comment.


c. (Optional) Click the + icon to add another row for another entry.

d. Click Add IPs/Subnets.

The new entries display in the tab view. You can edit or delete any entry from here.

Import IP Address Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of IP addresses to be bypassed. Each entry in the file must be on its own line.

1. Navigate to the Policy > Bypassed Traffic > Bypassed IPs/Subnets tab.

2. Click Add. The service displays the Add Bypass IP Address/Subnet dialog.

3. Click Import IPs/Subnets.

a. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

b. Click Import.

All of the new entries display in the tab view. You can edit or delete any entry from here.
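To make the bypass semantics on this page concrete, here is an added example (not Symantec's code, and not the agent's actual implementation) that decides whether a destination goes direct or through WSS. It combines three things described on this page: the default non-routable ranges from the technical requirements topic, a saved bypass list in the import format used by the two procedures above (one entry per line; here it holds both domains and IPs/subnets, including a VPN server address of the kind the split-tunnel note recommends bypassing), and the suffix-match rule from the Bypassed Domains notes. The sample list is constructed for this example, and the '#' comment lines it tolerates are this example's convention, not a documented importer feature. It matches literal IP destinations by address and hostnames by suffix only; whether a hostname that resolves to a bypassed address is also bypassed is not stated on this page, so the example does not resolve names.

```python
"""Decide direct vs. WSS for a destination (added example, not Symantec code)."""
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Ranges WSS bypasses by default (technical requirements topic). Three are
# RFC 1918 private ranges; 169.254.0.0/16 is IPv4 link-local (RFC 3927).
DEFAULT_BYPASS_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample in the saved-list format: one entry per line.
SAMPLE_BYPASS_LIST = """\
# intranet and lab destinations (constructed sample)
intranet.example
test.com
# VPN server address, bypassed as the split-tunnel note recommends
203.0.113.10
# test network
198.51.100.0/24
"""


def parse_bypass_list(text: str) -> Tuple[list, List[str]]:
    """Split a saved list into (networks, domains).

    An entry that parses as an address or CIDR is a network (a bare address
    becomes a /32); anything else is treated as a domain. Blank lines and
    '#' comments are skipped (this example's convention, not the portal's).
    """
    networks, domains = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.append(line.lower().rstrip("."))
    return networks, domains


def load_policy(text: str) -> Tuple[list, List[str]]:
    """Defaults plus the saved list; the portal setting is global, so one policy."""
    networks, domains = parse_bypass_list(text)
    return DEFAULT_BYPASS_NETWORKS + networks, domains


def domain_bypassed(host: str, domains: List[str]) -> bool:
    """Suffix match on label boundaries: an entry 'test.com' covers test.com,
    www.test.com and shop.test.com, but not notest.com."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def ip_bypassed(addr, networks) -> bool:
    return any(addr in net for net in networks)


def route_for(destination: str, networks, domains: List[str]) -> str:
    """Return 'direct' (bypasses WSS) or 'wss' for a host[:port] or address[:port]."""
    host = urlsplit("//" + destination).hostname  # strips :port, lowercases
    if not host:
        raise ValueError(f"cannot parse destination {destination!r}")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname: match by suffix, do not resolve it
    if addr is not None:
        return "direct" if ip_bypassed(addr, networks) else "wss"
    return "direct" if domain_bypassed(host, domains) else "wss"


def decide(destination: str, saved_list: str = SAMPLE_BYPASS_LIST) -> str:
    """Convenience wrapper: evaluate one destination against defaults + a saved list."""
    networks, domains = load_policy(saved_list)
    return route_for(destination, networks, domains)


if __name__ == "__main__":
    for dest in ("www.test.com", "shop.test.com:8443", "notest.com", "10.20.30.40",
                 "172.32.0.1", "203.0.113.10", "198.51.100.77", "www.example.com"):
        print(f"{dest:22} -> {decide(dest)}")
```

The label-boundary check in domain_bypassed is the detail to carry over into any audit of your own bypass list: a naive substring or endswith match on "test.com" would also bypass "notest.com", which is exactly the over-bypassing the notes warn about for multi-homed domains, arrived at from a different direction.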


Reference: Windows WSSA/UA Package Versions

Package                                                    MSI String (product code)

WSS Agent

wssa-7.1.1.14278-64.msi                                    {D65CB863-20E1-45D6-8BF7-2CE76DB37A05}
wssa-6.2.1.13798-64.msi                                    {89F9FCDD-2963-4BC3-8DC7-7DF0E04F0AEB}
wssa-6.1.10765-x64.msi                                     {07EEAD61-94F6-447D-9DB6-2F78955ED56E}
wssa-5.1.1.238363-x64.msi                                  {87B9C4EB-3640-49FE-8FAE-5666E47FFEC1}

Unified Agent

UnifiedAgentInstaller64-4.10.6.230466.msi                  {DBC6623E-500F-4FFA-BB8D-B119ABA56F8A}
UnifiedAgentInstaller64-4.10.3.225009.msi                  {58660032-15F8-4B48-848F-63D31541305C}
UnifiedAgentInstaller64-4.10.1.219990.msi                  {BD6535C4-B66E-472C-A4FC-473B4F93DC10}
UnifiedAgentInstaller64-4.9.4.212024.msi                   {1536286D-6678-4FCD-A732-9E794A0ACDF7}
UnifiedAgentInstaller64-4.9.1.208066.msi                   {758D4802-6245-4EAA-8C8C-EEA3B50A246B}
UnifiedAgentInstaller64-4.8.0.201333.msi
UnifiedAgentInstaller32-4.8.0.201333.msi                   {12C3173D-00E4-4D80-B229-D0DA792E8898}
UnifiedAgentInstaller64-4.7.3.194344.msi                   {5FEBEFA8-C6F2-4395-B329-2461C973DE34}
UnifiedAgentInstaller32-4.7.3.194344.msi                   {CD54CD6F-C16C-4155-9E1D-26A58C3D24D8}
UnifiedAgentInstaller64-4.7.1.188819.msi                   {57A84D92-77A7-4C63-B847-FF7087C7D878}
UnifiedAgentInstaller32-4.7.1.188819.msi                   {226C2DE9-7D3E-4A8C-8078-47DF0BE257F8}
UnifiedAgentInstaller64-v4.6.0.157065.msi                  {D6FD56F5-00E5-4954-8CED-DC1F9F2887F6}
UnifiedAgentInstaller64-4.5.1.152154.msi
UnifiedAgentInstaller32-4.5.1.152154.msi                   {61BDFA31-62A5-41CB-9833-D602056B8751}
UnifiedAgentInstaller64-4.5.0.148992.msi
UnifiedAgentInstaller32-4.5.0.148992.msi                   {216652C2-709F-449B-B92F-9723C7E78384}

Where a 64-bit and 32-bit package share one row, the source lists a single product code for the pair. For the 4.7.3 and 4.7.1 pairs the source lists two product codes but does not state which belongs to which architecture; the order shown follows the source. When in doubt, take the product code from the client's registry rather than from this table (see "MSI Version Mis-Match (Unknown MSI)" on page 82).