Web Security Service Connectivity: WSS Agent · 2020-01-28 · Symantec Web Security Service
Web Security Service Connectivity: WSS Agent and Unified Agent



Web Security Service

Connectivity: WSS Agent and Unified Agent


Symantec Web Security Service/Page 2


Unified Agent Guide/Page 3

Copyrights

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.

Copyright © 2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others.


Symantec Web Security Service: WSS Agent Guide

The Symantec Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product, the Web Security Service leverages Symantec's proven security technology, including the WebPulse™ cloud community.

With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to create and enforce granular policies that are applied to all covered users, including fixed locations and roaming users.

To provide security to employees who take corporate clients beyond the corporate network, such as laptops on business trips, Symantec provides the WSS Agent, which routes web requests through the WSS when connecting from a non-corporate network.


Table Of Contents

Symantec Web Security Service: WSS Agent Guide 4
Table Of Contents 5
WSS Agent 8
  Connectivity: About the WSS Agent 9
    Why Select This Method? 9
  Connectivity: Install the WSS Agent 17
    Technical Requirements 17
    About the WSS Agent Installation or Upgrade 17
    About Bypassed Non-Routable IP Addresses 17
    Procedure—Prepare for Installation 18
    Procedure—Install the WSS Agent 20
  Connectivity: Distribute WSS Agent With GPO 26
    Technical Requirements 26
    Procedure 26
  Connectivity: Distribute WSS Agent With JAMF 30
    Technical Requirement 30
    Procedure 30
  Set WSSA Network/Security Options 34
  About the WSS Agent UI 40
    System Tray/Menu 40
    Agent Interface 40
    About Tab 41
    Available Updates 41
  Disable the WSS Agent 43
    Procedure 43
  Agent Logging 45
  SymDiag Application For WSS Agent on Windows 46
    Technical Requirements 46
    Procedure 46
  Debugging Script for WSS Agent on Mac Systems 50
    Technical Requirements 50
    Procedure 50
  Uninstall the WSS Agent 52
    Windows 52
    macOS 52
Unified Agent 53
  Connectivity: About the Unified Agent 54
    Why Select This Method? 55
    About the QUIC Protocol 59
    About Proxy Avoidance Attempts 59
    About Password Protection 59
    About SSL Certificate Installation 59
    About Challenge-based Authentication (Captive Portal) 60
    About IPv6 IP Addresses 60
    About Time Zones 60
    About Hybrid Policy and Unified Agent Connections 60
  Connectivity: Manually Deploy the Unified Agent (Windows) 63
    Technical Requirements 63
    About Bypassed Non-Routable IP Addresses 63
    Procedure 64
  Connectivity: Manually Deploy the Unified Agent (Mac) 68
    Technical Requirements 68
    About Bypassed Non-Routable IP Addresses 68
    Procedure 68
  Route Remote Connections Through an HTTP Proxy 72
    Deployment Notes 72
  Manually Disable the Unified Agent 74
    Activate the Disable Option 74
    Instruct Employees How to Disable the Unified Agent 74
  Verify Connections 75
    Remote Users 76
  Uninstall the Unified Agent 78
    Available Options 78
    Unified Agent—With Uninstall Token 78
      Information 78
      Procedure 78
      Windows 80
      OS X 80
    No Token Defined/Client Connector 81
    Reference—MSI Versions 81
    MSI Version Mis-Match (Unknown MSI) 81
Troubleshoot... 83
  Unified Agent Connection Troubleshooting 84
  Manage Web Security Service Client Connections 88
  Manually Disable the Unified Agent 89
  Review System Events Generated by Remote Clients 90
  Capture Remote Client Trace Log 91
  Prevent a Domain From Routing to the Web Security Service 93
    Notes 93
    Procedure—Manually Add Domain Entries 93
    Import IP Address Entries From a Saved List 94
  Prevent IP/Subnet From Routing to the Web Security Service 96
    Notes 96
    Procedure—Manually Add IP Addresses 96
    Import IP Address Entries From a Saved List 97
Reference: Windows WSSA/UA Package Versions 98


WSS Agent

The WSS Agent is the Symantec-recommended agent for supported Windows 10+ and macOS High Sierra+ clients.

- "Connectivity: About the WSS Agent" on page 9
- "Connectivity: Install the WSS Agent" on page 17
- "Connectivity: Distribute WSS Agent With GPO" on page 26
- "Connectivity: Distribute WSS Agent With JAMF" on page 30
- "Set WSSA Network/Security Options" on page 34
- "About the WSS Agent UI" on page 40
- "Disable the WSS Agent" on page 43
- "SymDiag Application For WSS Agent on Windows" on page 46
- "Debugging Script for WSS Agent on Mac Systems" on page 50
- "Uninstall the WSS Agent" on page 52


Connectivity: About the WSS Agent

The Symantec WSS Agent provides web security to remote users when a route through the corporate network is not possible or practical.

When installed on client systems, the WSS Agent works as part of the client system's configuration; after the application is installed, no further configuration is required on the client system. It directs content requests to the Symantec Web Security Service over a secure connection (port 443). To enforce proxy avoidance, the WSS Agent detects HTTP proxy requests to any external, non-WSS IP addresses and redirects them. Because such requests are redirected, the user is unable to circumvent filtering and malware scanning.

Furthermore, the WSS Agent provides additional security features.

- The WSS Agent prevents employees from stopping and starting the service from the Services Management Console, even if the employee has Windows Administrator privileges.

- You can give employees the ability to temporarily disable the WSS Agent should they experience connection issues.

Tip: This and related topics refer to the agent as the WSS Agent, which is the recommended agent. However, until further notice, Symantec will continue to support the Unified Agent on Windows 7/8 and macOS Sierra only until those operating systems reach end-of-life by their respective vendors.

Why Select This Method?

Benefits—

- Always active. The user does not have to log in to the agent.

- Works in the background and is transparent to users.

- Captures the user and system names for reporting.

- Viable solution for premises with fewer than 100 clients and where location-based network infrastructure (such as a firewall) is not available.

Select another method if—

- The clients are 32-bit Windows, pre-Windows 10, or pre-macOS High Sierra.

- You want to manage remote clients through multiple PAC files (SEP solution).

- You require IPv6 support. The WSS Agent does not currently support IPv6 connections; a future update will provide support.


Use Cases

Remote, Off-Corporate Network

Your business has one or more physical locations. On-premises infrastructure, such as proxies or firewall devices, provides security to your corporate-controlled internet connections. Some employees work remotely or take their laptops when they travel and connect to the internet from an off-corporate network, such as a hotel or other commercial property WiFi.

1—A Sales Person is on site at a corporate location. The client system recognizes the corporate internet connection and the WSS Agent remains in Passive Mode. All internet requests proceed through the on-premises gateway infrastructure. If the Web Security Service is providing security, the connection occurs through a defined location. For example, the proxy appliance or firewall device is configured to connect to the Santa Clara datacenter VIP. Security policies are applied for that location and/or logged-in user or group name.

2—The Sales Person then takes a flight to the southern United States and checks into a hotel. The WSS Agent is now engaged and connects to the nearest WSS datacenter, which in this example is Dallas (for more details about the cloud service connections, see the next section). You might elect to define a separate set of web-use policies for WSS Agent connections. For example, you allow access to more leisure categories after work hours because employees are spending personal time away from home.

Small Office

- Your business might be small—as a best practice defined as fewer than 100 employees—and thus you do not have advanced network infrastructure such as firewall devices or proxies that forward internet traffic.

- Or your business might have micro-branches, or smaller locations where it does not make sense to invest in and support the network infrastructure that your larger sites require.


In these cases, the WSS Agent is a viable, low-touch method to provide web security and enforce web-use policies.

The WSS Agent connects through the location's ISP to the nearest WSS datacenter.

Tip: It is possible for the WSS Agent to connect to a specific datacenter. If your business requires specific location connections, contact Symantec Technical Support to request assistance.


How the WSS Agent Connects

The WSS Agent connects to the WSS when a user logs on (or if there is a connection error from another method). The agent and the service perform a series of checks in preparation for web requests, as the following flow describes.

1—A Sales Person on a business trip logs in.

- The WSS Agent initiates a connection over port 443 to the Client Traffic Controller (CTC) in the closest WSS datacenter (the WSS can return availability from up to three geographical datacenters).

- The WSS Agent checks for tampering:

  - The WSS Agent detects that the configuration store (which contains your customer ID, failure mode, and tamper detection settings) has been tampered with outside of the application itself.

  - The WSS Agent detects an attempt to bypass the WSS through entries in the hosts file.

  - The WSS Agent is unable to validate the SSL connection for the VPN tunnel to the service.

  If any of these is detected, the connection is refused and the client receives an exception; otherwise, the connection continues.

- If the Web Security Service determines that the connection is from a defined corporate location, the WSS Agent remains in passive mode.

- The WSS verifies whether a WSS Admin has configured the portal to block this WSS Agent (for example, a laptop was lost or stolen and the Admin wants to prevent the connection).

- For all web content requests, the WSS applies checks against the WSS bypass list, acceptable web use policies, and malware scanning results.

2—A request for internally-hosted content, or for content that belongs to a bypass list, never reaches the WSS.
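The second tamper check in the flow above, bypass attempts through hosts-file entries, is something a defender can also audit independently of the agent. The following is an added example written for this guide, not Symantec's code and not the WSS Agent's actual detection logic: it parses hosts-file text and reports any entry that pins a threatpulse.com name to an address outside an assumed "known service" range. The suffix match, the 203.0.113.0/24 known-service range (an RFC 5737 documentation block standing in for the vendor's published addresses) and the sample hosts content are all constructed for illustration.

```python
"""Report hosts-file entries that would divert WSS service hostnames.

Added example, not Symantec's code. The guide states that the WSS Agent refuses
to connect when it finds a bypass attempt through hosts-file entries; this is a
defender-side audit in the same spirit, with constructed inputs.
"""
import ipaddress
import re

# ctc.threatpulse.com is named in the guide; matching the whole suffix is an assumption.
PROTECTED_SUFFIX = "threatpulse.com"

# Constructed placeholder for the service's address space (RFC 5737 documentation net).
# A real check would use the address ranges published by the vendor.
KNOWN_SERVICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample hosts-file content.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost
# Pin inside the assumed service address space: not flagged
203.0.113.10    ctc.threatpulse.com
# Service hostname pointed at a private address: flagged
192.168.1.50    proxy.threatpulse.com   # local override
# Service hostname blackholed: flagged
0.0.0.0         ctc.threatpulse.com
# Unrelated name: ignored
10.0.0.5        intranet.example.local
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; out of scope for this check
        for name in parts[1:]:
            yield addr, name.lower()


def is_protected(hostname):
    """True for the service domain itself or any name beneath it."""
    return hostname == PROTECTED_SUFFIX or hostname.endswith("." + PROTECTED_SUFFIX)


def find_hosts_overrides(text, known_nets=KNOWN_SERVICE_NETS):
    """Return (address, hostname) entries mapping a protected name outside known_nets."""
    findings = []
    for addr, name in parse_hosts(text):
        if not is_protected(name):
            continue
        if any(addr in net for net in known_nets):
            continue
        findings.append((str(addr), name))
    return findings


if __name__ == "__main__":
    for addr, name in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts-file override: {name} -> {addr}")
```

Run against a real hosts file by passing its contents to find_hosts_overrides; an empty result means no protected name is pinned outside the ranges you supplied as known.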


WSS Agent Connection Concepts

This section provides technical details about how the WSS Agent connects to the WSS.

CTC Issues

If the CTC is not able to respond, the WSS Agent uses a cached connection list and displays a warning.

VPN Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configuration.

- Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in the WSS (Service mode > Network > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.

- Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Proxy Connections

The CTC uses the system proxy settings (and, if specified, the PAC file and/or WPAD) in its connection to ctc.threatpulse.com.

Windows—Uses the proxy settings of the currently logged-in console user (the user physically logged into the device). If there is no currently logged-in console user (for example, a remote desktop session), then the proxy settings of the SYSTEM user are used.

macOS—Uses the proxy settings of the main network device (the one from which requests for ctc.threatpulse.com are routed).

- If a proxy was used for the actual CTC request, then tunnels are opened using the same proxy server that resolved for ctc.threatpulse.com.

- If a proxy was not used for ctc.threatpulse.com, then tunnels are opened using a direct connection to the individual connect list items.

The proxy used is the same IP address and port as the proxy used in the actual CTC request.

After two consecutive CTC connection failures, the system proxy is ignored and a direct connection is attempted instead.

If you select Ignore Proxy Settings in the portal, the WSS Agent establishes a direct VPN tunnel, bypassing any proxy setting an endpoint user attempts to define. However, Ignore Proxy Settings applies only to the tunnel creation. If the CTC connection fails, this setting cannot be retrieved. For an on-premises WSS Agent to go passive successfully, any on-premises firewall/proxy must bypass traffic to https://ctc.threatpulse.com.

Note: Authenticating proxies are not supported on either platform. This is a limitation of the operating systems themselves.
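To make the proxy-selection rules above concrete, the following is an added example written for this guide, not Symantec's code: a small model of a connector that applies them (system proxy first; direct after two consecutive CTC failures; tunnels reusing the CTC route; and Ignore Proxy Settings only taking effect once a CTC request has succeeded and returned the portal setting, since the guide says the setting cannot be retrieved if the CTC connection fails). The transport callback, the portal settings dictionary and the 10.1.1.1:8080 proxy address are constructed stand-ins for the real network calls and configuration.

```python
"""Model of the CTC proxy-selection and fallback rules described above.

Added example, not Symantec's code. The transport callback and the portal
settings dictionary are constructed stand-ins for the real network calls.
"""

CTC_HOST = "ctc.threatpulse.com"
MAX_PROXY_FAILURES = 2  # "after two consecutive CTC connection failures"


class CtcConnector:
    def __init__(self, system_proxy):
        # system_proxy: "host:port" the OS resolves for CTC_HOST, or None for no proxy
        self.system_proxy = system_proxy
        self.consecutive_failures = 0
        self.portal_settings = None  # only known after a successful CTC request

    def route_for_ctc(self):
        """Path for the next CTC request: the system proxy until it has failed twice in a row."""
        if self.system_proxy and self.consecutive_failures < MAX_PROXY_FAILURES:
            return self.system_proxy
        return "direct"

    def connect(self, transport):
        """Attempt one CTC request; transport(route) returns portal settings or None on failure."""
        route = self.route_for_ctc()
        settings = transport(route)
        if settings is None:
            self.consecutive_failures += 1
            return route, False
        self.consecutive_failures = 0
        self.portal_settings = settings
        return route, True

    def tunnel_route(self, ctc_route):
        """Tunnels reuse the CTC route unless Ignore Proxy Settings is known and enabled."""
        if self.portal_settings and self.portal_settings.get("ignore_proxy_settings"):
            return "direct"
        return ctc_route


def run_scenario(system_proxy, reachable_routes, portal_settings, attempts=3):
    """Drive the connector; returns (ctc_route, succeeded, tunnel_route_or_None) per attempt."""
    conn = CtcConnector(system_proxy)

    def transport(route):  # constructed stand-in: succeeds only on reachable routes
        return dict(portal_settings) if route in reachable_routes else None

    log = []
    for _ in range(attempts):
        route, ok = conn.connect(transport)
        log.append((route, ok, conn.tunnel_route(route) if ok else None))
    return log


if __name__ == "__main__":
    # Constructed scenario: the configured proxy (an RFC 1918 address) is unreachable.
    for entry in run_scenario("10.1.1.1:8080", {"direct"}, {"ignore_proxy_settings": False}):
        print(entry)
```

The third attempt in the stand-alone scenario is the one that goes direct, which is the observable symptom of the two-failure rule when an on-premises proxy does not let ctc.threatpulse.com through.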


Proxy Avoidance Attempts

To enforce proxy avoidance, the WSS Agent detects proxy HTTP requests in outbound streams for ports other than those configured to be forwarded to the service (typically 80 and 443). Those connections are forwarded to the WSS instead of the originally-specified proxy.

Furthermore, the WSS Agent does not interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the WSS Agent detects it and uses this connection to forward web traffic (on ports 80 and 443 by default). If the WSS Agent cannot connect with the PAC settings, it attempts a direct connection to the WSS IP address. You can allow additional ports.

SSL Certificate Installation

The WSS Agent-to-CTC connection requires the SSL root certificate. WSS Agent installations also install this certificate. If the certificate is not present, the WSS Agent remains operational but might fail to connect to the CTC in the datacenter. If this occurs, the agent reverts to the last-received connection list.

Upon installation, the WSS Agent installs the WSS root certificate. If the certificate is not installed because of an unforeseen permission issue, you can manually download it and install it.

Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access.

MAC CLIENT NOTE

You can install the WSS Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client. The domain defaults to the single domain in the AD. You can, however, enable the Captive Portal feature, which allows users and groups to be available for policy checks.

Hybrid Policy and WSS Agent Connections

If you are employing the Symantec Hybrid Policy solution, the WSS Agent has slightly different connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use common policy. The client workstations that use that common policy proxy have the WSS Agent installed. Normally, the WSS Agent is in Passive mode on workstations connecting from behind a proxy that is providing common policy.

Noticeable Behavior

- On the WSS portal, the Network Location status changes from green to red. This causes all new WSS Agent connections to switch to active rather than passive.

- After a networking event, such as a change in IP address, while the Network Location is red, the WSS Agent switches to active.

- When the Network Location status is green, the WSS Agent switches to passive mode.

If the common policy proxy is unable to establish a connection to the portal for approximately 35 minutes, then the hybrid location changes from green to red. If the WSS Agent is in passive mode, it remains passive unless a networking event occurs. The WSS Agent goes to active mode for all new connections from that red-status network. This is by design. If the on-premises ProxySG appliance is experiencing issues and is configured to Fail Open, the WSS Agent must be in active mode for the WSS to provide protection.

Tip: If you notice that the WSS Agent is switching to active mode for reasons not described above, check the hybrid location in the portal. If the hybrid location status is red, check connectivity between the on-premises ProxySG appliance and the WSS (this might require a packet capture to diagnose). You can run the update-now command while in the cloud-service configuration mode to generate traffic destined to the service.


Connectivity: Install the WSS Agent

This topic describes what is required and how to manually install the WSS Agent on a supported Windows or macOS client.

Technical Requirements

- WSS Agent license.

- Supported clients—

  - 64-bit Windows 10 Professional, Enterprise or Education version 1703

  - macOS High Sierra+

  Note: You must use the fully-patched vendor-provided versions of the operating systems. All attempts to install on an unsupported OS fail.

- SEP 14.2 with WTR running in parallel with the WSS Agent is not a supported configuration.

- Protocols: UDP, SSL, TCP

- Port 443 to ctc.threatpulse.com (for TCP, UDP, and software updates)

- Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more information, consult the following Knowledge Base article:

  https://support.symantec.com/en_US/article.TECH242793.html

- On macOS, the contents of the stamped installer are notarized using Apple's notarization process. This means that the driver, service, and all parts of the WSS Agent function correctly on a system that requires notarization. However, the .pkg file itself is not notarized. If you require a notarized .pkg file, contact Symantec Technical Support.

- The WSS Agent currently does not support IPv6 connections. Symantec recommends that you disable IPv6 on client systems and select Block IPv6 Traffic on the Service mode > Mobility > WSS Agent page.

About the WSS Agent Installation or Upgrade

- You can upgrade from the Unified Agent or previous versions of the WSS Agent; however, if the Unified Agent was installed with custom options, they are not preserved or migrated to the WSS Agent.

- You can configure the portal to automatically update the WSS Agent; however, if you are upgrading from the Unified Agent to the WSS Agent, you must push a new installation notification to all clients, and clients require a reboot.

- Subsequent WSS Agent upgrades do not require a client system reboot.

About Bypassed Non-Routable IP Addresses

By default, the Web Security Service bypasses the following non-routable addresses (the RFC 1918 private ranges plus the 169.254.0.0/16 link-local range).


- 10.0.0.0/8

- 169.254.0.0/16

- 172.16.0.0/12

- 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service and the client connects directly.
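The following is an added example, not Symantec's code: it applies the default bypass list above to a set of destination addresses and reports which would go direct and which would be tunnelled to the WSS. It generalizes the page's four ranges to any list of CIDRs so that admin-defined bypass subnets can be added (the guide has separate topics for adding IP/subnet bypass entries; the 203.0.113.0/24 entry used here is a constructed placeholder from the RFC 5737 documentation space), and it flags IPv6 destinations as unsupported in line with the IPv6 note in the technical requirements.

```python
"""Classify destination addresses against the WSS bypass list.

Added example, not Symantec's code. The default networks are the four the
guide lists; extra CIDRs stand in for admin-defined bypass entries.
"""
import ipaddress

# The four ranges the guide lists as bypassed by default.
DEFAULT_BYPASS = [ipaddress.ip_network(cidr) for cidr in (
    "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]


def build_bypass_list(extra_cidrs=()):
    """Default bypass networks plus admin-defined CIDRs (strict=False tolerates host bits)."""
    nets = list(DEFAULT_BYPASS)
    for cidr in extra_cidrs:
        nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def route_for(dest, bypass_nets):
    """'direct' if dest is inside a bypass network, 'wss' otherwise.

    IPv6 destinations return 'unsupported': the guide says the agent does not
    currently support IPv6 connections and recommends blocking IPv6 traffic.
    """
    addr = ipaddress.ip_address(dest)
    if addr.version == 6:
        return "unsupported"
    if any(addr in net for net in bypass_nets):
        return "direct"
    return "wss"


def classify(dests, extra_cidrs=()):
    """Map each destination address to its route decision."""
    nets = build_bypass_list(extra_cidrs)
    return {dest: route_for(dest, nets) for dest in dests}


if __name__ == "__main__":
    # Constructed sample destinations; 203.0.113.0/24 stands in for an admin-defined bypass subnet.
    sample = ["10.20.30.40", "172.31.255.1", "172.32.0.1", "192.168.0.1",
              "169.254.10.10", "203.0.113.7", "2001:db8::1"]
    for dest, route in classify(sample, ["203.0.113.0/24"]).items():
        print(f"{dest:>16}  {route}")
```

Note the boundary of the 172.16.0.0/12 range: 172.31.255.1 bypasses but 172.32.0.1 goes to the service, which is the kind of edge a bypass rule review should check.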

Procedure—Prepare for Installation

VPN Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configuration.

- Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in the WSS (Service mode > Network > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.

- Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Step 1—Select End User Permissions

As a best practice, Symantec recommends that you select how much control your employees have over the WSS Agent before you push the agent to clients.

In Service mode, select Mobility > WSS Agent. Locate the End User Permissions area.

Decide if the following features are applicable.

Enable Update Prompts

If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.


Allow the Proxy Settings Tab

This option applies only to the Unified Agent.

Allow Local Ability to Disable the Agent

If you select Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

Require Token for Uninstallation

If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that you define.

Step 2—Download the WSS Agent Installer.

1. In Service mode, select Mobility > WSS Agent.

2. In the Installers area, click the WSS Agent Download button.

3. If this is the first time you are attempting to download the application, the service displays the Profile dialog.

   As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the WSS Agent. The fields with gold asterisks (*) are required.

   Click Save to update your profile and then close the dialog.

4. Download the installation file and place it in a network location that is accessible by test clients.


Procedure—Install the WSS Agent

The installation varies depending on the OS and whether you want to install with additional options.

Installation Options

When installing on clients, you can install the app with default settings or use the CLI to install with additional options.

- MSI (Windows clients only)—The Microsoft CLI provides multiple options, which are detailed on their website.

  https://docs.microsoft.com/en-us/windows/desktop/Msi/command-line-options

  The following commands are most relevant to the WSS Agent.

  - /passive—Installs without user intervention

  - /l*v \Path\To\install.log—Outputs the installation process to a log file (given by \Path\To\install.log). This command provides installation debugging information.

- Configuration Options—You can append the following options to an installation.

  - Specify whether or not to attempt UDP connections. By default, the WSS Agent attempts a UDP connection, but falls back to DNS if that is not possible. You can elect to always connect through DNS or exclusively through UDP (never attempt DNS).

  - Specify the packet size attempted when sending a PMTU check, which is an option when the connection continues to fall back to TCP transport because the ping containing the default byte size never receives a response.

  - Disable all real-time statistics collection. No new data is collected; no data purging occurs. You might do this if the WSS Agent is experiencing performance issues.

  - Specify the number of days to retain real-time statistics.

If you think one or more of these options might suit your deployment or testing needs, consult the configuration descriptions in the next sections. They contain command syntax and more details.

Windows Application

1. Put the installer on the test client.

2. Launch the installer.

   a. In Windows, navigate to the directory where you saved the wssa-5.0.1.<snip>.msi file.

   Symantec strongly recommends that you record the full MSI name; it might be required for future uninstallation tasks.

   b. Double-click the file, which launches the installer.

3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

4. Click Install. The installation begins.


5. Click Finish to complete the installation. The service displays the Installer Information dialog.

6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

Windows CLI—Options Available

You must have Administrator privilege.

1. Put the installer on the test client.

2. Syntax: msiexec -i \Path\To\wssa-installer.msi MSI_options configuration_options

   Where \Path\To is the location of the installer on your client system. For example: C:\Downloads\.

   msiexec -i C:\downloads\wssa-installer.msi

3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

4. Click Install. The installation begins.

5. Click Finish to complete the installation. The service displays the Installer Information dialog.

6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

Example—Install with MSI options.

- /passive—Installs without user intervention

- /l*v \Path\To\install.log—Outputs the installation process to a log file (given by \Path\To\install.log). This command provides installation debugging information.

msiexec -i C:\downloads\wssa-installer.msi /passive

Example—Install with MSI and configuration options.

- minPMTU = [0-1500]

  The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints without fragmentation. This has implications for UDP connections, which require retransmissions if packets are fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. This is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically connect using UDP. The default is 1492.

- enableUDP = [true | false | exclusive]

  - true—Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine if PMTU is limited along the path. If UDP is not possible, the connection defaults to DNS.

  - false—Never attempt UDP connections. PMTU is never attempted.

  - exclusive—Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is dropped.


- disableStats = [true | false]

  The default is false. Setting to true disables all activities surrounding real-time stats collection; that is, no new data is added, nor will any purging occur.

- statsRetentionDays = [0-14]

  Specifies the number of days to retain real-time statistics. The default is 14. Setting to 0 retains data since midnight UTC for the current day. Any data occurring before midnight UTC the specified number of days ago is removed. For example, if the setting is 1, then data before midnight UTC yesterday is purged. The purging occurs every time the client is started and roughly every 30 minutes while the WSS Agent is running. If disableStats is set to true, this option has no effect.

msiexec -i C:\downloads\wssa-installer.msi /passive CUSTOM_CONFIG=enableUDP=exclusive,statsRetentionDays=1

macOS Application

1. Put the installer on the test client.

2. Launch the installer.

a. Open the wssa-5.0.1.<snip>.dmg file by double-clicking on it.

Symantec strongly recommends that you record the full .dmg name; it might be required for future uninstallation tasks.

b. Double-click the .pkg file, which launches the installer.

3. Follow the prompts in the wizard. Select a directory for installation. Click Next.

4. Click Install. The installation begins.

5. Click Finish to complete the installation. The service displays the Installer Information dialog.

6. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.

macOS CLI—Options Available

1. Open the .dmg file using the macOS hdiutil attach command and install the .pkg file using the macOS installer command. Consult the Apple man pages for more details.

For example, the following three commands attach the disk image, install the package, and detach the disk image.

$ hdiutil attach /path/to/wssa-installer.dmg
$ sudo installer -pkg /path/to/mounted/wssa-installer.pkg -target /
$ hdiutil detach /path/to/mounted

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The installation begins.

4. Click Finish to complete the installation. The service displays the Installer Information dialog.

5. Only required if upgrading a client from Unified Agent—Click Yes to reboot the computer.


Example—Install with configuration options.

Tip: The command can be run multiple times with multiple configuration options; however, each individual option is set once only. Attempting to write the same option after it has already been set overwrites the previous setting.

• minPMTU = [0-1500]

The Path Maximum Transmission Unit (PMTU) is the largest packet that can be transmitted between any two endpoints without fragmentation. This has implications for UDP connections, which require retransmissions if packets are fragmented by nodes in the network. The option specifies the attempted packet size when sending a PMTU check. This is used in conjunction with the enableUDP option (below) to determine the required minimum MTU to automatically connect using UDP. The default is 1492.

• enableUDP = [true | false | exclusive]

  ◦ true—Attempt UDP connections. The WSS Agent sends an ICMP ping with a large payload to determine if PMTU is limited along the path. If UDP is not possible, the connection defaults to DNS.

  ◦ false—Never attempt UDP connections. PMTU is never attempted.

  ◦ exclusive—Attempt only UDP connections. PMTU is never attempted. If UDP is not possible, the connection is dropped.

• disableStats = [true | false]

The default is false. Setting to true disables all activities surrounding real-time stats collection; that is, no new data is added, nor will any purging occur.

• statsRetentionDays = [0-14]

Specifies the number of days to retain real-time statistics. The default is 14. Setting to 0 retains data since midnight UTC for the current day. Any data occurring before midnight UTC the specified number of days ago is removed. For example, if the setting is 1, then data before midnight UTC yesterday is purged. The purging occurs every time the client is started and roughly every 30 minutes while WSS Agent is running. If disableStats is set to true, this option has no effect.

$ sudo defaults write com.symantec.wssa CUSTOM_CONFIG -string "enableUDP=exclusive,statsRetentionDays=1"
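The CUSTOM_CONFIG string is the same whether it is passed to msiexec on Windows or written with defaults on macOS, and the option descriptions above (given for both platforms) fix ranges and defaults that are easy to get wrong in a hand-typed string. The following Python is an added example, not Symantec code: it validates a CUSTOM_CONFIG string against those documented ranges, merges it over the documented defaults, and computes the statsRetentionDays purge cutoff as the text describes it. The function names and the ISO 8601 input format are this example's own assumptions.

```python
"""Validate a WSS Agent CUSTOM_CONFIG string and model one of its options.

Added example, not Symantec code. Option names, ranges and defaults come from
the option descriptions above; the functions themselves are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Documented options; integer ranges are inclusive. enableUDP has no
# documented default on this page, so it is left as None.
OPTION_SPECS: dict[str, dict] = {
    "minPMTU": {"kind": "int", "min": 0, "max": 1500, "default": "1492"},
    "enableUDP": {"kind": "enum", "values": ("true", "false", "exclusive"), "default": None},
    "disableStats": {"kind": "enum", "values": ("true", "false"), "default": "false"},
    "statsRetentionDays": {"kind": "int", "min": 0, "max": 14, "default": "14"},
}


def parse_custom_config(config: str) -> dict[str, str]:
    """Parse 'key=value,key=value' into validated string values.

    Raises ValueError on a stray comma, a pair without '=', an unknown option
    or an out-of-range value. A key given twice keeps its last value, matching
    the Tip that rewriting an option overwrites the earlier setting.
    """
    result: dict[str, str] = {}
    if not config.strip():
        return result
    for element in config.split(","):
        element = element.strip()
        if not element:
            raise ValueError("empty element (stray comma) in CUSTOM_CONFIG")
        if "=" not in element:
            raise ValueError(f"{element!r} is not of the form key=value")
        key, value = (part.strip() for part in element.split("=", 1))
        spec = OPTION_SPECS.get(key)
        if spec is None:
            raise ValueError(f"unknown option {key!r}")
        if spec["kind"] == "int":
            if not value.isdigit() or not spec["min"] <= int(value) <= spec["max"]:
                raise ValueError(f"{key} must be in [{spec['min']}-{spec['max']}], got {value!r}")
        elif value not in spec["values"]:
            raise ValueError(f"{key} must be one of {spec['values']}, got {value!r}")
        result[key] = value
    return result


def config_error(config: str) -> str | None:
    """Pre-flight check: the validation error for a string, or None if valid."""
    try:
        parse_custom_config(config)
    except ValueError as exc:
        return str(exc)
    return None


def effective_options(config: str) -> dict[str, int | bool | str | None]:
    """Merge a CUSTOM_CONFIG string over the documented defaults, typed."""
    given = parse_custom_config(config)
    merged: dict[str, int | bool | str | None] = {}
    for key, spec in OPTION_SPECS.items():
        raw = given.get(key, spec["default"])
        if raw is None:
            merged[key] = None
        elif spec["kind"] == "int":
            merged[key] = int(raw)
        elif spec["values"] == ("true", "false"):
            merged[key] = raw == "true"
        else:
            merged[key] = raw
    return merged


def stats_purge_cutoff(now_iso: str, retention_days: int, disable_stats: bool = False) -> str | None:
    """UTC instant (ISO 8601) before which real-time stats are purged.

    0 keeps only data since midnight UTC today, 1 since midnight UTC yesterday,
    and so on. With disableStats=true nothing is purged, so None is returned.
    now_iso must carry a UTC offset so that "midnight UTC" is unambiguous.
    """
    if disable_stats:
        return None
    if not 0 <= retention_days <= 14:
        raise ValueError("statsRetentionDays must be in [0-14]")
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        raise ValueError("now_iso must include a UTC offset")
    midnight = now.astimezone(timezone.utc).replace(hour=0, minute=0, second=0, microsecond=0)
    return (midnight - timedelta(days=retention_days)).isoformat()


if __name__ == "__main__":
    # The value used in the page's own msiexec and defaults write examples.
    print(effective_options("enableUDP=exclusive,statsRetentionDays=1"))
    print(stats_purge_cutoff("2020-01-28T15:30:00+00:00", 1))
```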

Modify Options Post-Installation

After you install the WSS Agent, you can add or delete the options (described in the previous option sections). For example, you have already installed the agent, but now want to push out the option to lower the PMTU. To achieve this, you use the wssad command.

Windows

You must run the command as an Admin. The following example uses the default agent path and sets multiple options.

"c:\Program Files\Symantec\WSS Agent\wssad.exe" -p enableUDP=exclusive,statsRetentionDays=1


macOS

$ sudo /opt/symantec/wssad -p enableUDP=exclusive,statsRetentionDays=1

Delete Options

To delete options, run the same command but use -e instead of -p.

"c:\Program Files\Symantec\WSS Agent\wssad.exe" -e enableUDP

$ sudo /opt/symantec/wssad -e enableUDP

Tip: When deleting options, you cannot delete more than one option per command.

WSS Agent 6.1+ with CloudSOC

If your portal account has integrated with the CloudSOC (CASB) service for deeper web application security, some thick clients—for example, Dropbox—do not work through WSS Agent. This is because the thick client pins its certificate, and that pinning check fails against the WSS SSL certificate. Using an installation option, you can bypass all traffic sent to the WSS from a specific executable (thick client) on a WSS Agent 6.1+ client.

Caution: This option weakens security protections because the bypassed traffic is not subject to malware scanning and policies. Also, a savvy user with admin privileges on the client could modify the file.

STEP 1—Disable Tamper Protection

1. In the WSS portal, navigate to Service mode > Mobility > WSS Agent.

2. Select the Disable Tamper Protection option.

STEP 2—Create a JSON File

Create a JSON file that contains the executable bypass information.

{
  "bypassExecutables": [
    { "executablePath": "C:\\Path\\To\\Executable.exe" },
    ...
  ]
}

Where the value for executablePath is the path on the machine of the executable that is allowed. Backslashes in a Windows path must be doubled, because a single backslash begins a JSON escape sequence.


When traffic is seen for a new process ID (PID), the WSS Agent driver queries the service to find the executable making the call. If a PID is provided, which represents an executable that matches an executablePath, then all traffic from that process is allowed and not sent to the WSS.

Your JSON must be well-formed. In particular, all values must be properly escaped and quoted, and there should be no trailing (hanging) commas. You can use an online JSON validator to validate your JSON file.

https://jsonformatter.curiousconcept.com
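The agent applies the bypass file as written and, as the Caution above notes, an admin on the client can edit it, so it pays to generate the file, validate it, and keep a fingerprint of what you published. The following Python is an added example, not Symantec code: it serialises the bypassExecutables document with correctly escaped paths, validates a document against the structure described above (rejecting hanging commas and unescaped backslashes), and records a SHA-256 of the published text for later comparison. The absolute-path check and the fingerprint are this example's additions; only the key names bypassExecutables and executablePath come from the page.

```python
"""Generate, validate and fingerprint a WSS Agent bypassExecutables file.

Added example, not Symantec code. The key names bypassExecutables and
executablePath come from the page; the path checks and the fingerprint
are assumptions of this example.
"""
from __future__ import annotations

import hashlib
import json
import re

# A Windows drive path (C:\...) or a POSIX absolute path (/...). Relative and
# UNC paths are rejected so each entry names one fixed executable on the host.
_ABSOLUTE_PATH = re.compile(r"^(?:[A-Za-z]:\\|/)")


def build_bypass_json(paths: list[str]) -> str:
    """Serialise executable paths in the layout STEP 2 describes.

    json.dumps doubles every backslash of a Windows path and never emits a
    trailing comma, which covers the two well-formedness points in the text.
    """
    if not paths:
        raise ValueError("at least one executable path is required")
    for path in paths:
        if not _ABSOLUTE_PATH.match(path):
            raise ValueError(f"executablePath must be absolute: {path!r}")
    return json.dumps({"bypassExecutables": [{"executablePath": p} for p in paths]}, indent=2)


def load_bypass_json(text: str) -> list[str]:
    """Parse a bypass document and return its executable paths.

    Raises ValueError (json.JSONDecodeError is a subclass) on a hanging comma
    or an unescaped backslash, and on any deviation from the structure
    {"bypassExecutables": [{"executablePath": "<absolute path>"}, ...]}.
    """
    doc = json.loads(text)
    if not isinstance(doc, dict) or set(doc) != {"bypassExecutables"}:
        raise ValueError("top level must be an object whose only key is bypassExecutables")
    entries = doc["bypassExecutables"]
    if not isinstance(entries, list) or not entries:
        raise ValueError("bypassExecutables must be a non-empty list")
    paths: list[str] = []
    for entry in entries:
        if not isinstance(entry, dict) or set(entry) != {"executablePath"}:
            raise ValueError(f"each entry must contain only executablePath: {entry!r}")
        path = entry["executablePath"]
        if not isinstance(path, str) or not _ABSOLUTE_PATH.match(path):
            raise ValueError(f"executablePath must be an absolute path string: {path!r}")
        paths.append(path)
    return paths


def bypass_error(text: str) -> str | None:
    """Pre-publication check: the validation error for a document, or None."""
    try:
        load_bypass_json(text)
    except ValueError as exc:
        return str(exc)
    return None


def fingerprint(text: str) -> str:
    """SHA-256 of the published text, to compare against a later copy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample path, not one from the page.
    sample = build_bypass_json([r"C:\Program Files\ThickClient\client.exe"])
    print(sample)
    print(load_bypass_json(sample), fingerprint(sample))
```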

STEP 3—Host the JSON File

This file can be located local to the endpoint (and accessed through a file:// URI) or on an http:// or https:// website. If hosting on an https:// website, the endpoint must trust the server certificate.

STEP 4—Send the WSS Agent Configuration Update

Use the CLI to modify the WSS Agent installation.

Windows

"c:\Program Files\Symantec\WSS Agent\wssad.exe" -p additionalBypassUrl string

macOS

$ sudo /opt/symantec/wssad -p additionalBypassUrl string

Where string is the URL of the JSON file.

The bypass takes effect following the next WSS Agent reconnection.

Next Step

• Proceed to "Set WSSA Network/Security Options" on page 34.


Connectivity: Distribute WSS Agent With GPO

This topic describes how to use Group Policy Object (GPO) to distribute the WSS Agent or Unified Agent to multiple Windows clients.

Tip: This method does not support using a command line to add optional parameters.

Technical Requirements

This method requires the following.

• An understanding of the solution.

  ◦ "Connectivity: About the WSS Agent" on page 9—The Symantec-recommended solution.

  ◦ "Connectivity: About the Unified Agent" on page 54

Tip: This topic refers to the WSS Agent but also applies to the Unified Agent.

• A Windows 2008 or 2012 domain controller.

• A DNS server.

• The Active Directory (AD) and DNS must be functional; this includes the DNS lookups of the AD domain controller.

• Verify the client system can resolve the name of the AD server that contains the client library.

• Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more information, consult the following Knowledge Base article:

https://support.symantec.com/en_US/article.TECH242793.html

• The WSS Agent currently does not support IPv6 connections. Symantec recommends that you disable IPv6 on client systems and select Block IPv6 Traffic on the Service mode > Mobility > WSS Agent page.

Procedure

VPN Client Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.

• Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in the Web Security Service (Service mode > Network > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.

• Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.


Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

For WSS Agent deployment, proceed to Step 2.

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service mode, select Mobility > WSS Agent.

• A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which allows the Proxy tab to be visible after installation.

• For increased security in a production installation, Symantec recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

Tip: You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2—Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Symantec Knowledge Base article:

https://support.symantec.com/en_US/article.TECH242793.html

Step 3—Download the Agent Installer.

If you downloaded the agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service mode, select Mobility > Unified Agent.

2. In the Installers area, click the Windows: WSS Agent Download.


3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.

As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the WSS Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file. If the location of the file is not a Windows share, create a share. Verify that the directory and files have Read and Execute file system rights.

Step 4—Distribute the Agent

1. On the domain controller, click Start and select Control Panel > Administrative Tools > Active Directory Users and Computers.

2. Right-click the domain and select Properties.

3. On the Group Policy tab, click New. Name the policy, such as InstallCloudClientMSI. Highlight the new GPO object and click Edit.

4. Navigate to Computer Configuration > Software Settings > Software installation.


a. Right-click Software Installation and select New > Package.

Note: Verify that you have a valid UNC path. Click My Network Places > Entire Network > Microsoft Windows Network > server_domain > server_name > client_binary_share_name > select_the_binary.

b. For Deployment Method, select Assigned and click OK. If your new policy is not visible, right-click Software Installation and click Refresh.

5. If the workstation properly joins the domain, the client installs on the second reboot (it reads policy on the first bootup) and executes policy. The workstation installs the client and reboots once more.

6. Test.

Next Selection

WSS Agent

• "Set WSSA Network/Security Options" on page 34.

Unified Agent

• If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 72.

• If not, proceed to "Set WSSA Network/Security Options" on page 34.


Connectivity: Distribute WSS Agent With JAMF

To provide Symantec Web Security Service to remote users on Apple Mac OS X 10.9.x or later, you must download the Unified Agent and install it on client systems. See "Connectivity: About the WSS Agent" on page 9.

JAMF provides a widely used software solution to distribute applications. This section describes how to distribute the Unified Agent to Mac/OS X clients. For general information about using JAMF policies and packages, see the user documentation for JAMF at www.jamfsoftware.com.

Technical Requirement

• The WSS Agent currently does not support IPv6 connections. Symantec recommends that you disable IPv6 on client systems and select Block IPv6 Traffic on the Service mode > Mobility > WSS Agent page.

Procedure

VPN Client Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.

• Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in the Web Security Service (Service mode > Network > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.

• Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.


• A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which allows the Proxy tab to be visible after installation.

• For increased security in a production installation, Symantec recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

Tip: You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.


As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file.

Step 3—High-Level JAMF Procedure

1. Create the upgrade packages for Unified Agent installation.

Tip: If you deploy both the on-box and cloud versions of the Unified Agent on your network, create two packages with different names.

2. Upload the packages to the JAMF file-distribution server. Place both packages in the same directory.

3. Create a policy with the following settings.

• Category—Select the appropriate setting for your network.

• Triggers—Select the appropriate setting for your network.

• Execution Frequency—Once per device.

• Priority—Before. This permits the CMURL to be set before installation.

• Scope—Add the devices to update. Each of the devices must be marked as Managed.

• Restart—Not needed.

The interface displays the new policy in the list.

What Occurs on Employee Clients?

After you use JAMF to push the update package, the following events occur on the employee OS X client.

1. The client displays a Management Notification dialog.

2. The employee follows the prompts to accept and install the Unified Agent application.

Employee Template

(Optional) To notify your impacted employees and provide them with instructions, consider using the following template. Copy the contents into an email; edit as needed; send.

[Company] is distributing a security update to your corporate Mac client. You will be prompted to [install / update] an application called Unified Agent. Perform the following steps.


1. When your Mac client receives the update, the client displays a Management Notification.

2. To complete the installation, click through the prompts.

3. If the client displays a prompt to accept a certificate, accept it. This is required to receive the application.

If you have any questions or issues, contact IT.

Next Selection

WSS Agent

• "Set WSSA Network/Security Options" on page 34.

Unified Agent

• If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 72.

• If not, proceed to "Set WSSA Network/Security Options" on page 34.


Set WSSA Network/Security Options

The Web Security Service provides several options that allow you to specify how the WSS Agent behaves on the client and how to route traffic.

In Service mode, select Mobility > WSS Agent.

Tip: This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message.

Determine Failure Behavior.

By default, the WSS allows remote clients unabated web access if the service becomes unavailable. For maximum security, set the Fail Behavior to Block All Traffic until IT or Symantec restores the service.

Change Listening Ports.

By default, the Symantec Web Security Service accepts traffic from the Unified Agent installed on client systems on the common gateway ports of 80 (HTTP), 443 (HTTPS) and 8080 (Explicit Proxy HTTP).

Tip: Migration Scenario—You are migrating security to the WSS from on-premises Blue Coat ProxySG appliances, where the Unified Agent (proxy version) accessed numerous HTTP/HTTPS sites on non-standard ports. By default, the WSS is limited to the three standard web ports.


The default ports are not changeable, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS traffic, configure the WSS to listen on those ports. For example, the WSS must also listen on ports 8000 (HTTP) and 8083 (HTTPS).

1. Select View/Edit Ports.

2. Ports—If your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate traffic type and entering the port. You can only enter one port in each field. You can add up to 1000 ports.

3. Click Save.

Bypass IP addresses/subnets and domains.

By default, the Web Security Service bypasses the following RFC 1918 addresses.


• 10.0.0.0/8

• 169.254.0.0/16

• 172.16.0.0/12

• 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service; the client connects directly.

Personal choices or business requirements might require you to configure the Web Security Service to bypass additional IP addresses/subnets and domains. For example, bypass test networks.

Clicking the Network > Bypassed Sites (bottom of page) link takes you to that screen, as this is a shared configuration with other Web Security Service features.

• For more details, see "Prevent IP/Subnet From Routing to the Web Security Service" on page 96.

• Allow remote client requests to bypass specific domains (only available for Unified Agent v4.4+). See "Prevent a Domain From Routing to the Web Security Service" on page 93.

Define Agent Connection Options.

The following configurations apply only to the Unified Agent.


a. Block IPv6 traffic blocks requested connections to destinations with IPv6 addresses when resolved by DNS. This includes traffic destined for non-local forwarded ports.

IPv6 addresses are allowed under the following scenarios.

• IPv6 traffic is destined for local addresses (link-local and unique local addresses).

• IPv6 traffic is destined for a non-forwarded port (80, 443, and 8080 by default).

Note: The above applies to WSS Agent 6.1+. WSSA 5.x only prevents domains from resolving to IPv6 addresses.

b. Select Allow Google QUIC only if you have a business requirement or a preference for the highest performance to bypass QUIC connections. For more information, see the QUIC section in "Connectivity: About the WSS Agent" on page 9.

c. Disable Tamper Protection—Select this option if your preference is to allow WSS Agent to fail open (allow connections) should the agent be unable to connect to the WSS. Be advised that these connections are not subject to policy checks and malware detection.

d. Ignore Proxy Settings—The WSS Agent establishes a direct VPN tunnel, bypassing any proxy setting an endpoint user might attempt to define. However, Ignore Proxy Settings applies only to the tunnel creation. If the CTC connection fails, this setting cannot be retrieved. For a successful on-premises WSS Agent to go passive, any on-premises firewall/proxy must bypass traffic to https://ctc.threatpulse.com.

e. By default, a WSS Agent process sends the User ID through the tunnel to the Web Security Service. This ensures an accurate account of who initiated the request and allows for policy enforcement and reporting. Your network might have third-party products that also intercept these connections, which causes the WSS to erroneously view the username as something similar to the following. Examples of these products include anti-virus programs and applications that run browsers in a secure virtual container.

NT AUTHORITY\SYSTEM

This prevents user-based policy enforcement and reporting. To be compatible with third-party interceptions that cause this issue, instruct the Unified Agent to send the logged-in username.

Select Logged in User ID from the Username Format drop-down list.

Tip: For a current list of known third-party applications that cause this issue, see NT AUTHORITY\SYSTEM Username Returned From the UA.

Select End User Permissions

As a best practice described in "Connectivity: Install the WSS Agent" on page 17, Symantec recommends that you select how much control your employees have with the WSS Agent before you push the agent to clients.

In Service mode, select Mobility > WSS Agent. Locate the End User Permissions area.


Decide if the following features are applicable.

• Enable update prompts.

If Prompt end user for update is selected, the WSS Agent notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent WSS Agent updates (the end user is unaware). The default is enabled.

• Allow the Proxy Settings tab. This option applies only to the Unified Agent.

The option to allow employees to access the Proxy Settings tab on their Unified Agent applications is a decision made before installation.

This option does not change the system proxy settings for any other application on the client system; it only affects how the Unified Agent connects its tunnels. Typically, the Unified Agent honors the system proxy setting. This option disables that, and connections are made direct instead; the Unified Agent never connects through a proxy (but see the browser note below). This option is for the very specific case where your environment has proxy settings, but you do not want the Unified Agent to use the proxy settings when connecting to CTC or establishing its tunnels.

The proxy that is used is the proxy of the user related to the process.

• Mac OSes use one set of proxies.

• Windows—The CTC sees connection requests from the SYSTEM user, which can be from WPAD, a PAC file, or explicit proxy address/port settings.

Tip: Browser configurations are completely separate. The Unified Agent cannot control the browser's behavior relating to proxies. That is, if a proxy is set in the particular browser (wherever that browser stores it), that proxy setting is honored.

• Allow local ability to disable the agent.

If you Allow agent to be disabled by end user, your employees can (temporarily) disable the WSS Agent.

• Require a token for uninstallation.

If you select Require Token to Uninstall, employees are able to uninstall the WSS Agent, but are required to use a token that you define.


(Optional) Enable challenge-based authentication (Captive Portal).

To enforce accurate user credentials rather than rely on locally cached credentials, select Enable Captive Portal for WSS Agents. This option requires deployment of the Auth Connector application, which integrates with your Active Directory to provide username and group information.

On clients, employees are prompted for network credentials.

[Figures: Windows and macOS credential prompts]

Next Options

WSSA UI

• "About the WSS Agent UI" on page 40.


About the WSS Agent UI

After the WSS Agent is installed on client systems, one component—the service—runs as a system process that establishes the connection to the WSS and enforces policies. The other component—the UI—runs an instance per user that is logged in to the client and provides the status of the service. Two components comprise the user interface.

System Tray/Menu

• On Windows clients, the System Tray contains an icon.

• On macOS clients, the Menu Bar contains an icon.

The icon indicates the current connection status.

Right-click on a status icon to display a context menu with available actions. Selecting Open Symantec WSS Agent displays the agent interface.

Agent Interface

This agent interface provides connection status and information that can assist with troubleshooting.

Status Tab

[Figures: Windows and macOS Status tab]

a. Status Bar—The background color of the status bar correlates to the status icon in the System Tray / Menu Bar.

• Green—Connected

• Red—Disconnected

• Gray—Passive / Disabled

• Orange—Connecting / Fail Open

b. Information Section—The WSS Agent displays information messages related to the connection, including errors and warnings.

• Error—An unrecoverable error.

• Warning—A recoverable error.

c. Reconnect Button—Click to reestablish a connection to the WSS.

Support Tab

This tab displays the diagnostic information. You will likely view this tab when working with Symantec Technical Support, including the use of the available diagnostic applications. See also—

• "SymDiag Application For WSS Agent on Windows" on page 46.

• "Debugging Script for WSS Agent on Mac Systems" on page 50.

About Tab

This tab displays the current WSS Agent version and build number.

Available Updates

When you as administrator distribute new WSS Agent versions, the client displays the following element.

[Figure: Available Updates element]

Disable the WSS Agent

For troubleshooting purposes, you might need to temporarily disable a specific WSS Agent from the portal. For example:

- A user is experiencing performance issues or is unable to access a specific website. Temporarily disabling the agent and retrying the website can help narrow the issues.

- A user, such as a consultant, needs to disable the agent to access the network.

In the WSS portal, an admin can look up a device (or user) and disable it for a specified amount of time. When the WSS Agent attempts a connection, the CTC provides configuration that includes a list of devices to disable (including an expiration date and time). When a WSS Agent on a client matches a device in the list, the agent enters a passive state.

This feature works on bothWindows andmacOS clients.

Procedure

1. Navigate to Service mode > Mobility > Agent Status.

2. Locate the device to disable. You can use the Search field to filter, including the Installation ID if known.

From the Actions column, select Disable. The portal displays the Disable WSS Agent dialog.

3. Specify the disabled duration.


Click Disable Agent.

Tip: The connection termination might require up to 30 seconds.

4. (Optional)—If you require testing beyond the original duration, return to the Action column and select Extend Disable Duration.

About the Disabled Duration

- Notifications when the WSS Agent is disabled.

  - The WSS Agent displays a status message: Disabled by administrator until yyyy-mm-dd hh:mm, where yyyy-mm-dd hh:mm is the time at which the WSS Agent will automatically re-enable. The time is in the time zone of the machine that is disabled.

  - The WSS Agent log receives an entry: Disabled by administrator until XXXXX, where XXXXX is the time at which the WSS Agent will automatically re-enable. The time is in the time zone of the machine that is disabled.

  - The WSS Agent tray icon changes to the passive icon.

  - When the disabled duration is reached, the WSS Agent diagnostic log receives an entry: Administrator disable expired.

- Neither the disabled state nor the expiration time is persisted to disk on the client. Upon reboot of the device, a new CTC request occurs, and the CTC returns the disabled status to the agent.

- After the disabled expiration time passes, the WSS Agent reissues a CTC request to verify that no extension to the disable time has occurred and then re-enables.

- If the WSS Agent has not re-enabled, which might occur after a network change, click Reconnect in the agent UI. This re-issues a CTC check and the device re-enables.
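As an added illustration of the behavior listed above, not code from the guide or from the agent itself, the following Python model treats the CTC configuration as a dictionary of installation IDs to expiry times (a constructed stand-in; the real CTC format is not shown on this page) and walks through a disable, an extension and a reboot.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional


@dataclass
class CtcConfig:
    """Constructed model of the CTC response: installation IDs to disable, each with an expiry."""
    disabled_devices: Dict[str, datetime] = field(default_factory=dict)


@dataclass
class WssAgent:
    installation_id: str
    fetch_ctc: Callable[[], CtcConfig]          # stands in for the agent's CTC request
    state: str = "connected"
    disabled_until: Optional[datetime] = None   # held in memory only; never written to disk
    log: list = field(default_factory=list)

    def connect(self, now: datetime) -> str:
        """Every connection attempt (first start, reboot, Reconnect) asks the CTC for configuration."""
        cfg = self.fetch_ctc()
        expiry = cfg.disabled_devices.get(self.installation_id)
        if expiry is not None and expiry > now:
            self.state, self.disabled_until = "passive", expiry
            self.log.append(f"Disabled by administrator until {expiry:%Y-%m-%d %H:%M}")
        else:
            self.state, self.disabled_until = "connected", None
        return self.state

    def tick(self, now: datetime) -> str:
        """Periodic check: once the disabled duration is reached, log it, re-issue the CTC
        request to see whether the administrator extended the duration, then re-enable."""
        if self.state == "passive" and self.disabled_until and now >= self.disabled_until:
            self.log.append("Administrator disable expired")
            self.connect(now)
        return self.state

    def reconnect(self, now: datetime) -> str:
        """User clicks Reconnect in the agent UI, for example after a network change."""
        return self.connect(now)


def run_scenario():
    """Constructed walk-through with a hypothetical installation ID: the admin disables
    the device for one hour, then extends by 30 minutes; the device also reboots once."""
    t0 = datetime(2019, 8, 1, 12, 0)
    portal = CtcConfig({"INST-0001": t0 + timedelta(hours=1)})
    agent = WssAgent("INST-0001", lambda: portal)
    states = [agent.connect(t0)]                            # passive until 13:00
    states.append(agent.tick(t0 + timedelta(minutes=30)))   # still disabled

    # Reboot: nothing was persisted, but the fresh CTC request returns the same status.
    rebooted = WssAgent("INST-0001", lambda: portal)
    states.append(rebooted.connect(t0 + timedelta(minutes=40)))

    portal.disabled_devices["INST-0001"] = t0 + timedelta(minutes=90)  # Extend Disable Duration
    states.append(agent.tick(t0 + timedelta(hours=1)))      # expiry reached, extension found
    states.append(agent.tick(t0 + timedelta(minutes=90)))   # second expiry, re-enabled
    return states, agent.log
```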


Agent Logging

All taken actions are logged in the WSS Agent diagnostic logs. The following is an example entry.

Disabled by Admin until 2019-08-01 13:22 Pacific Daylight Time

This helps you or support personnel during troubleshooting exercises.

See "SymDiag Application For WSS Agent on Windows" on page 46 or "Debugging Script for WSS Agent on Mac Systems" on page 50.


SymDiag Application For WSS Agent on Windows

SymDiag is a WSS Agent diagnostic application. It gathers debugging, troubleshooting, and trace log information that Symantec Technical Support can analyze to assist you in remedying connection issues.

This section describes how to run the SymDiag application. Most issues can be traced and gathered without requiring a reboot. However, debugging WSS Agent startup process issues requires additional advanced debug logging steps, as outlined in the procedure.

Technical Requirements

- Obtain the SymDiag application from the link in the Symantec KB article.

https://support.symantec.com/en_US/article.TECH170752.html

- Put the SymDiag application on the test system. You can run SymDiag from any location on the local system. The process does not install anything.

Procedure

1. On the Windows desktop, double-click the SymDiag.exe icon.

SymDiag checks for available updates, installs them, and provides you with a license agreement. Accept the EULA to continue.

2. The system displays the application.

Click Collect Data for Support.

3. Verify that WSS Agent is selected.

- If the WSS Agent is installed, this option should be automatically selected in the Installed Products area.

- If debugging installer issues, select WSS Agent / Unified Agent in the Other Products area.

Click Next.


4. Collection options.

a. Under Data Type, verify that Limited data for Support is selected.

b. (Optional) Symantec Support might have asked you to provide additional files, such as a packet capture (PCAP) or screenshots of an issue. Select Choose additional files to collect. The app displays a screen from which you can browse and attach the files.

c. Startup/Reboot Diagnostic Issues Only—In the Debug Logging area, click Advanced.


i. Click the WPP reboot only preset.

ii. In the resulting dialog, click OK.

d. Click Next, which begins the tracing process.

5. Startup/Reboot Diagnostic Issues Only—If you selected the reboot preset in Step 4.c, the application prompts you. Select Enable and reboot. After the system reboot, do not proceed until SymDiag also restarts.

6. Debug logging/tracing is now active. Perform the steps to reproduce the WSS Agent issue. You must leave this SymDiag screen open until you have fully reproduced the issue.

After you reproduce the issue, click Next.

7. Send to Symantec.


- If you have a current Support Case for this issue, select Open or Update a Support Case. Log In and complete the process.

- Save the .sdbz file locally. Exit SymDiag and send the file to your Support Contact.

Related Topics

- "Debugging Script for WSS Agent on Mac Systems" on page 50.

- "Disable the WSS Agent" on page 43.


Debugging Script for WSS Agent on Mac Systems

For Mac systems, Symantec provides a shell script (wssad-diag.sh) that gathers debugging, troubleshooting, and trace log information that Technical Support can analyze to assist you in remedying connection issues.

This section describes how to run the script. Most issues can be traced and gathered without requiring a reboot. However, debugging WSS Agent startup process issues requires additional advanced debug logging steps, as outlined in the procedure.

Technical Requirements

- Download the script zip file.

http://portal.threatpulse.com/docs/sol/connectivity/endpoint/agent/ts-wssa-macdiags.htm

http://cloudwebsecurity.att.com/docs/sol/connectivity/endpoint/agent/ts-wssa-macdiags.htm

http://websaas.dimensiondata.cloud/docs/sol/connectivity/endpoint/agent/ts-wssa-macdiags.htm

- Put the script on the test system. You can run the script from any location on the local system. The process does not install anything.

Startup/Reboot Diagnostic Issues Only—If you are diagnosing WSS Agent startup connection issues, launch the application using the --reboot command line option. When prompted, save your work and reboot. After you are finished, you reboot again to fully stop the debug log.

If you use this --reboot command line option or the WSS Agent is version 6.0.9+, Steps 5 and 8 in the following procedure are not required.

Procedure

1. Open Terminal.app and cd to the directory where you saved the wssad-diag.sh script.

2. Run chmod +x wssa-diag.sh to make the script executable.

3. Run ./wssa-diag.sh.

- Optionally, you can pass a /path/to/output.wdbz to specify the output file name. The default is a file in your current directory based off your hostname and the time.

4. Enter your administrator (sudo) password.

5. Skip this step if you are diagnosing Startup/Reboot Issues or if the WSS Agent/Unified Agent is version 6.0.8 or previous.

When prompted, begin the tracing.

- In WSS Agent, click the Play icon in the bottom-right corner of the Support tab.

- In Unified Agent, click Start Tracing on the Advanced tab.

6. Debug logging/tracing is now active. Perform the steps to reproduce the WSS Agent issue.


Note: You must leave the terminal window open until you have fully reproduced the issue.

After you reproduce the issue, press Enter in your Terminal.app window to stop tracing and begin gathering additional information.

7. The script then uses the Apple-provided sysdiagnose utility to gather system information. Read the displayed license and press Enter to continue gathering information. According to the man page, sysdiagnose collects the following.

- A spindump of the system.

- Several seconds of fs_usage output.

- Several seconds of top output.

- Data about kernel zones.

- Status of loaded kernel extensions.

- Resident memory usage of user processes.

- Recent system logs.

- A System Profiler report.

- Recent crash reports.

- Disk usage information.

- I/O Kit registry information.

- Network status.

8. Skip this step if you are diagnosing Startup/Reboot Issues or if the WSS Agent/Unified Agent is version 6.0.8 or previous.

Stop tracing in the WSS Agent.

9. Send the .wdbz file to Symantec Support.

Note: If debugging start up issues—After troubleshooting is complete, clear the Enable tracing on startup option in WSS Agent and reboot the Mac system again.

Related Topics

- "SymDiag Application For WSS Agent on Windows" on page 46.

- "Disable the WSS Agent" on page 43.


Uninstall the WSS Agent

Windows

To uninstall, you can remove the application from the Windows Control Panel. If an uninstall token has been set on the portal, you must enter the token to proceed.

Alternatively, you can uninstall from the command line.

msiexec /x {msi_token}

Command if an uninstall token was defined in the portal.

msiexec /x {msi_token} uninstall_token=token

For a list of MSI codes, see "Reference: Windows WSSA/UA Package Versions" on page 98.

macOS

To uninstall, hold the <option> key on your keyboard when clicking on the menubar icon. If an uninstall token has been set on the portal, you must enter the token to proceed.

Alternatively, you can uninstall from the command line.

$ sudo "/Library/Application Support/Symantec WSS Agent/wssa-uninstall.app/Contents/MacOS/uninstall-helper"

Command if an uninstall token was defined in the portal.

$ sudo "/Library/Application Support/Symantec WSS Agent/wssa-uninstall.app/Contents/MacOS/uninstall-helper" -ut token


Unified Agent

The Unified Agent is the Symantec agent for Windows 7/8 and macOS Sierra and previous.

- "Connectivity: About the Unified Agent" on page 54

- "Connectivity: Manually Deploy the Unified Agent (Windows)" on page 63

- "Connectivity: Manually Deploy the Unified Agent (Mac)" on page 68

- "Route Remote Connections Through an HTTP Proxy" on page 72

- "Uninstall the Unified Agent" on page 78

- "Troubleshoot..." on page 83


Connectivity: About the Unified Agent

Note: Symantec recommends deployment of the WSS Agent ("Connectivity: About the WSS Agent" on page 9). However, until further notice, Symantec continues to support the Unified Agent, as the WSS Agent is not supported on Windows 7/8 and macOS pre-High Sierra clients.

—Microsoft has announced a plan to end Windows 7 support in January, 2020.

—Apple has announced a plan to end macOS Sierra support in September, 2019.

The Symantec Unified Agent provides web security to remote users when a route through the corporate network is not possible or practical.

When installed on client systems, the Unified Agent works as part of the client system's configuration; after the application is installed, no further configuration is required on the client system. It directs content requests to the Symantec Web Security Service over a secure connection (port 443). To enforce proxy avoidance, the Unified Agent detects and drops HTTP_CONNECT method requests to any external, non-WSS IP addresses. As such connections are dropped, the user is unable to circumvent filtering and malware scanning.

Furthermore, the Unified Agent provides additional security features.

- The Unified Agent prevents employees from stopping and starting the service from the Services Management Console, even if such employee has Windows Administrator privileges.

- You can hide the Proxy Setting tab in the application. Employees cannot attempt proxy avoidance by routing traffic through another egress device.

- You can give the ability for employees to temporarily disable the Unified Agent should they be experiencing connection issues.



Why Select This Method?

Benefits—

- Always active. The user does not have to log in to the agent.

- Works in the background and is transparent to users.

- Captures the user and system names for reporting.

- Viable solution for a premises with fewer than 100 clients and where location-based network infrastructure (such as a firewall) is not available.

Select another method if—

- You want to manage remote clients through multiple PAC files. See Connectivity: About Symantec Endpoint Protection.


Topographies

High-Level Example

The following diagram illustrates how the WSS Unified Agent facilitates web requests.

1—A Sales person on a business trip in India initiates a web request.

2—The Unified Agent initiates a connection over port 443 to the Web Security Service (ctc.threatpulse.com) because it detects web-bound traffic on a port it is capturing. The agent attempts to connect to the Client Traffic Controller (CTC) in the nearest three geographical Symantec WSS data centers. In this example, Mumbai accepts the request.

- If the CTC is not able to respond, the request defaults to a DNS ask (client.threatpulse.net).

- Unified Agent 4.9.1+: The agent evaluates network conditions to attempt a UDP connection; if the conditions are not met, the connection reverts to TCP.

2.1—If this is the initial connection, the client receives additional configuration.

3—The client establishes a tunnel to the service for each logged in user, which serves content from the destination website.

4—In addition, the client establishes a default tunnel that is used for system level requests, such as Windows updates or other requests initiated by a system owned process.

The WSS provides the policy rule enforcement.

5—Requests for internally-hosted resources do not transport through the Web Security Service. Furthermore, the Unified Agent cannot compete with other installed VPNs, such as Cisco AnyConnect.


You must configure other VPN applications to Split Tunnel so that Internet-hosted destinations route through the WSS, or add entries to the bypass list.

Tip: If your enterprise requires specific location connections, contact Symantec Technical Support to request assistance.

Dynamic User Location Example

If the user logs in while on a protected network—for example, a corporate location—the client agent goes into passive mode. That is, the acceptable web use policies are enforced by the on-site web service.

The following diagram illustrates the various access points from remote users to the WSS.

- A—An employee logs in and is detected by the on-premise network. As a gateway ProxySG appliance provides the security and web access policies, the Unified Agent enters into Passive Mode; that is, it does not intercept any traffic.

Note: For an on-premises Unified Agent to go passive successfully, any on-premises firewall/proxy must bypass traffic to https://ctc.threatpulse.com.


- B—The same employee travels to a hotel and logs into the hotel's WiFi service. The Unified Agent now engages and connects to the nearest Symantec WSS datacenter, which enforces the web access policies.

This allows you to write different policies for corporate locations versus remote locations.


Unified Agent Connection Concepts

About the QUIC Protocol

The Quick UDP Internet Connections (QUIC) protocol, introduced in 2013, is a transport layer designed to reduce latency when compared to TCP (HTTP/HTTPS) connections. Browsers with QUIC enabled and smaller devices receive the benefit. Chrome 29+ has QUIC enabled by default (chrome://net-internals/#quic). Other browsers are beginning to include QUIC.

To allow for a seamless experience, when clients send web requests that are intercepted for processing, such as by the WSS for security purposes, the connections revert to TCP.

If you have a business requirement or a preference for the highest performance, you can instruct the WSS to bypass QUIC connections. For security reasons, be advised that Symantec does not recommend this option. Because QUIC is UDP-based, these connections are bypassed at the client endpoint, which means the traffic is not checked against policy, nor is reporting against the Unified Agent possible. Only select this bypass option if the highest performance for these clients supersedes the security requirement.

About Proxy Avoidance Attempts

To enforce proxy avoidance, the Unified Agent detects proxy HTTP requests in outbound streams for ports other than those configured to be forwarded to the service (typically 80 and 443). Such connections are dropped and the user is unable to circumvent filtering and malware scanning. Furthermore, the Unified Agent does not interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the Unified Agent detects it and uses this connection to forward web traffic (on ports 80 and 443 by default). If the Unified Agent cannot connect with the PAC settings, it attempts a direct connection to the WSS IP address. You can allow additional ports. Also, Symantec recommends adding internal subnets to the IP Bypass List so that internal traffic is not sent to the WSS.

Note: For clients running Unified Agent 4.8+, you have the option to disable tamper detection, which allows uninterrupted service if it cannot connect to the Web Security Service.

About Password Protection

You can configure an uninstall token in the portal. Users cannot uninstall the remote client application from their systems without the token.

About SSL Certificate Installation

The Unified Agent connection to the CTC requires the SSL root certificate. Unified Agent installations also install this certificate. If the certificate is not present, the Unified Agent remains operational but might fail to connect to the CTC in the Web Security Service datacenter. If this occurs, the agent reverts to the legacy DNS method to connect to the Web Security Service.


Upon installation, the Unified Agent installs the WSS root certificate. If the certificate is not installed because of an unforeseen permission issue, you can manually download and install it.

About Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access.

MAC CLIENT NOTE

You can install the WSS Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client. The domain defaults to the single domain in the AD. You can, however, enable the Captive Portal feature, which allows users and groups to be available for policy checks.

About IPv6 IP Addresses

The Unified Agent that accompanies the WSS 6.9.4.1 service update (December, 2016) changes how the Unified Agent processes IPv6 IP addresses.

- In situations where IPv6 access is available, most clients ask the DNS for both IPv4 and IPv6 destination addresses. The Unified Agent modifies the IPv6 DNS responses to provide no IPv6 addresses and an NXDOMAIN status code, which means that no IPv6 addresses are available. Therefore, the clients use IPv4 by default, and the Unified Agent intercepts the subsequent connection. This behavior allows for proper application of policy and malware scanning.

- If the DNS server returns no IPv4 addresses, the client cannot resolve the destination and receives a DNS error.

- Be advised that an employee can circumvent the interception by entering the IPv6 IP directly into the browser (versus entering the destination URL).
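The AAAA rewriting described in the first bullet, as an added example that is not the agent's code: the function takes a raw DNS response and, when the question type is AAAA, returns an NXDOMAIN response carrying only the original ID and question, while A responses pass through unchanged. The sample responses are constructed inline; the helper names are this example's own.

```python
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NXDOMAIN = 3


def _skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a DNS name (label sequence or compression pointer)."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # two-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def question_qtype(msg: bytes) -> int:
    """QTYPE of the first question; the question section starts right after the 12-byte header."""
    if struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    end = _skip_name(msg, 12)
    return struct.unpack("!H", msg[end:end + 2])[0]


def rcode(msg: bytes) -> int:
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def ancount(msg: bytes) -> int:
    return struct.unpack("!H", msg[6:8])[0]


def filter_ipv6_answers(response: bytes) -> bytes:
    """Turn an AAAA response into NXDOMAIN with no answers; pass anything else through.

    The transaction ID and question are kept so the stub resolver still matches the
    reply to its query; RCODE becomes 3 and all record counts become zero.
    """
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    if not flags & 0x8000:               # QR bit clear: a query, not a response
        return response
    if question_qtype(response) != QTYPE_AAAA:
        return response
    new_flags = (flags & 0xFFF0) | RCODE_NXDOMAIN
    qend = _skip_name(response, 12) + 4  # QNAME + QTYPE + QCLASS
    header = response[:2] + struct.pack("!HHHHH", new_flags, 1, 0, 0, 0)
    return header + response[12:qend]


def build_response(txid: int, name: str, qtype: int, rdata_list) -> bytes:
    """Constructed sample DNS response (not captured traffic) with one answer per rdata."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(rdata_list), 0, 0)
    question = qname + struct.pack("!HH", qtype, 1)
    answers = b""
    for rdata in rdata_list:
        # owner name is a pointer to offset 12 (the question name); class IN, TTL 300
        answers += b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return header + question + answers
```

Note that the rewrite changes only the AAAA reply; if the A lookup also returns nothing, the client still ends up with a resolution error, exactly as the second bullet above describes.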

About Time Zones

When a user's system connects to the Web Security Service from the Unified Agent, the time zone is the recognized system time of their machine.

About Hybrid Policy and Unified Agent Connections

If you are employing the Symantec Hybrid Policy solution, the Unified Agent has slightly different connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use common policy. The client workstations that use that common policy proxy have the WSS version of the Unified Agent installed. Normally, the Unified Agent is in Passive mode on workstations connecting from behind a proxy that is providing common policy.

Noticeable Behavior

- On the WSS portal, the Network Location status changes from green to red. This causes all new Unified Agent connections to switch to active versus passive.


- After a networking event, such as a change in IP address, when the Network Location is red, the Unified Agent switches to active.

- When the Network Location status is green, the Unified Agent switches to passive mode.

If the common policy proxy is unable to establish a connection to the portal for approximately 35 minutes, then the hybrid location changes from green to red. If the Unified Agent is in passive mode, it remains passive unless a networking event occurs. The Unified Agent goes to active mode for all new connections from that red-status network. This is by design. If the on-premises ProxySG appliance is experiencing issues and is configured to Fail Open, the Unified Agent must be in active mode for the WSS to provide protection.

Tip: If you notice that the Unified Agent is switching to active mode for reasons not described above, check the hybrid location in the portal. If the hybrid location status is red, check connectivity between the on-premises ProxySG appliance and the WSS (might require a packet capture to diagnose). You can run the update-now command while in the cloud-service configuration mode to generate traffic destined to the service.
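An added model of the active/passive switching rules described above, written for this page and not taken from the Unified Agent; the class, the event names and the 35-minute threshold helper are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Per the guide, the hybrid location turns red after the common-policy proxy has
# been unable to reach the portal for approximately 35 minutes.
RED_AFTER_MINUTES = 35


def location_status(minutes_since_portal_contact: float) -> str:
    """Network Location colour the portal shows for the hybrid location (assumed helper)."""
    return "red" if minutes_since_portal_contact >= RED_AFTER_MINUTES else "green"


@dataclass
class HybridUnifiedAgent:
    """Hypothetical model of one Unified Agent sitting behind a common-policy ProxySG."""
    location: str = "green"
    mode: str = "passive"            # passive behind the proxy while the location is green
    transitions: list = field(default_factory=list)

    def _set(self, mode: str, reason: str) -> None:
        if mode != self.mode:
            self.transitions.append((self.mode, mode, reason))
        self.mode = mode

    def on_location_status(self, status: str) -> str:
        """Portal status changed. Green always returns the agent to passive; red on its
        own leaves an already-passive agent alone until a networking event occurs."""
        self.location = status
        if status == "green":
            self._set("passive", "location green")
        return self.mode

    def on_networking_event(self, description: str = "IP address change") -> str:
        """A networking event while the location is red switches the agent to active."""
        if self.location == "red":
            self._set("active", description)
        return self.mode

    def mode_for_new_connection(self) -> str:
        """A brand-new agent connection from a red-status network starts active."""
        return "active" if self.location == "red" else "passive"
```

The asymmetry is the point of the tip above: an agent that stays passive on a red location is not a fault, it is simply waiting for a networking event.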


Select a Distribution Method

You can manually install to individual clients or use an application to distribute to multiple clients.

Windows

- "Connectivity: Manually Deploy the Unified Agent (Windows)" on page 63

- "Connectivity: Distribute WSS Agent With GPO" on page 26

MAC OS X

- "Connectivity: Manually Deploy the Unified Agent (Mac)" on page 68

- "Connectivity: Distribute WSS Agent With JAMF" on page 30



Connectivity: Manually Deploy the Unified Agent (Windows)

When installed on client systems, the Web Security Service Unified Agent protects remote users when the internet connection is from a non-corporate location. This topic describes how to manually install the agent on a Windows client and configure WSS security options. It is practical if you are installing to one or several client systems. If you require distribution to a large number of clients, see "Connectivity: Distribute WSS Agent With GPO" on page 26.

For more solution details, see "Connectivity: About the WSS Agent" on page 9.

Technical Requirements

- WSS Unified Agent license.

- WSS account Admin access.

- Windows clients—

  - Windows 7.x 32-64 bit (Pro and Enterprise)

  - Windows 8.x 32-64 bit (Pro and Enterprise)

  - Windows 10.x (However, Symantec strongly recommends deploying the WSS Agent instead ("Connectivity: About the WSS Agent" on page 9)).

- Protocols: UDP, SSL, TCP

- Allow the following IPsec ports on firewalls.

  - Port 80/443 to portal.threatpulse.com (199.19.250.192) (for captive network information and updates)

  - Port 443 to ctc.threatpulse.com

  - Port 443 to client.threatpulse.net (DNS fallback)

- Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more information, consult the following Knowledge Base article:

https://support.symantec.com/en_US/article.TECH242793.html

About Bypassed Non-Routable IP Addresses

By default, the Web Security Service bypasses the following RFC 1918 addresses.

- 10.0.0.0/8

- 169.254.0.0/16

- 172.16.0.0/12

- 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service and the client connects directly.
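The bypass decision above and the detection described earlier under "About Proxy Avoidance Attempts", combined in one added Python example that is not the agent's code: a new outbound connection is first checked against the bypass list, then against the forwarded ports, and only then for an explicit proxy request to a non-WSS address. The configuration class, the 'direct' outcome for non-web ports and the sample addresses are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Default bypass list from the guide: the client connects directly to these
# destinations instead of tunnelling them to the WSS. 169.254.0.0/16 is IPv4
# link-local (RFC 3927) rather than RFC 1918, but the guide bypasses it as well.
DEFAULT_BYPASS = ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")

# Ports forwarded to the service by default ("typically 80 and 443").
DEFAULT_FORWARDED_PORTS = (80, 443)

# First request line of an explicit HTTP proxy request: a CONNECT tunnel request,
# or a request whose request-target is an absolute http(s) URI.
PROXY_REQUEST_RE = re.compile(
    rb"^(?:CONNECT[ \t]+\S+"
    rb"|(?:GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH)[ \t]+https?://\S+)"
    rb"[ \t]+HTTP/1\.[01]"
)


@dataclass
class AgentConfig:
    """Hypothetical in-memory model of the agent's bypass and port settings."""
    bypass: list = field(default_factory=lambda: [ipaddress.ip_network(n) for n in DEFAULT_BYPASS])
    forwarded_ports: set = field(default_factory=lambda: set(DEFAULT_FORWARDED_PORTS))
    # Addresses the agent treats as the service itself (constructed sample values only).
    wss_addresses: set = field(default_factory=set)

    def add_bypass(self, cidr: str) -> None:
        """Add an internal subnet, or a split-tunnel VPN server as a /32, to the bypass list."""
        self.bypass.append(ipaddress.ip_network(cidr, strict=False))


def is_bypassed(cfg: AgentConfig, dst_ip: str) -> bool:
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in cfg.bypass)


def looks_like_proxy_request(first_bytes: bytes) -> bool:
    """True if the start of an outbound stream is an explicit proxy request."""
    return PROXY_REQUEST_RE.match(first_bytes) is not None


def decide(cfg: AgentConfig, dst_ip: str, dst_port: int, first_bytes: bytes = b"") -> str:
    """Classify one new outbound TCP connection.

    Returns 'allow' (the agent's own tunnel to the WSS), 'bypass' (internal
    destination, connect directly), 'forward' (send through the WSS tunnel),
    'drop' (proxy request to an external, non-WSS address) or 'direct'
    (non-web traffic on an unforwarded port, left alone).
    """
    if dst_ip in cfg.wss_addresses:
        return "allow"
    if is_bypassed(cfg, dst_ip):
        return "bypass"
    if dst_port in cfg.forwarded_ports:
        return "forward"
    if looks_like_proxy_request(first_bytes):
        return "drop"
    return "direct"
```

Adding a split-tunnel VPN server with add_bypass() is the same mechanism the VPN compatibility notes below rely on to stop connection flapping.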


Procedure

VPN Client Compatibility

TheWSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on clientsystems. You can configure full or split tunnel with additional configurations.

n Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in theWebSecurity Service (Service mode > Network > Locations). This enables theWSS Agent to enter Passivemode when onthe Location network.

n Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. Youmust make the following decision before installing the Unified Agent.

In ServiceMode; select Mobility > Unified Agent.

n Your network might require theWSS Agent to connect to theWSS through an HTTP proxy. For example, you have a testor demonstration network. Before installing the Unified Agent on a client, youmust select the Allow access toProxy Settings in agent, which allows Proxy tab to be visible after its installation.

n For increased security in a production installation, Symantec recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

Tip: If you elect to hide the Proxy tab, but later decide you want the Unified Agent to display it, return to this page and enable it. However, the Unified Agent does not display the tab until after the next client restart/reboot.

Step 2—Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more notes and installation steps, consult the following Symantec Knowledge Base article:

https://support.symantec.com/en_US/article.TECH242793.html

Step 3—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service mode, select Mobility > Unified Agent.

2. In the Installers area, click the 32-bit or 64-bit button in the Windows 7.x, 8.x and 10.x Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.

As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file.


Step 4—Install the Unified Agent on a Client System.

1. Launch the installer.

a. In Windows, navigate to the directory where you saved the UnifiedAgentInstaller[32 | 64]-version_number.msi file. Symantec strongly recommends that you record this full MSI name; it might be required for future uninstallation tasks.

b. Double-click the file, which launches the installer.

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The installation begins.

4. Click Finish to complete the installation.

5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Step 5—Verify the Client Installation.

When the system reboots, it connects to the WSS and begins intercepting web-bound traffic.

1. In the Windows system tray, locate the Unified Agent icon and double-click it. Windows displays a dialog with the Status tab.

2. Verify that the connection to the WSS is active.

(If the system detects a defined location, the agent displays ...in Passive Mode).


3. Use a browser on the client and attempt to access a site that belongs to a blocked category. The browser displays an exception (blocked content) page.

Next Selection

n If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 72.

n If not, proceed to "Set WSSA Network/Security Options" on page 34.


Connectivity: Manually Deploy the Unified Agent (Mac)

When installed on client systems, the Web Security Service Unified Agent protects remote users when the internet connection is from a non-corporate location. This topic describes how to manually install the agent on a Mac OS X client and configure Web Security Service security options. It is practical if you are installing to one or several client systems. If you require distribution to a large number of clients, see "Connectivity: Distribute WSS Agent With JAMF" on page 30.

For more solution details, see "Connectivity: About the WSS Agent" on page 9.

Technical Requirements

n Web Security Service Unified Agent license.

n Web Security Service account Admin access.

n Mac OS X clients 10.9+

n Protocols: UDP, SSL, TCP

n Allow the following IPsec ports on firewalls.

o Port 80/443 to portal.threatpulse.com (199.19.250.192) (for captive network information and updates)

o Port 443 to ctc.threatpulse.com

o Port 443 to client.threatpulse.net (DNS fallback)

n Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the WSS. For more information, consult the following Knowledge Base article:

https://support.symantec.com/en_US/article.TECH242793.html

About Bypassed Non-Routable IP Addresses

By default, the Web Security Service bypasses the following RFC 1918 addresses.

n 10.0.0.0/8

n 169.254.0.0/16

n 172.16.0.0/12

n 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service; the client connects directly.
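As an added example that is not part of the guide, the following Python reproduces the default bypass decision for the four ranges listed above (the list is identical in the Windows and Mac requirements sections), so an administrator can predict which destination literals a client sends direct and which it sends through the WSS. The sample destinations are constructed, and considering only IPv4 literals (not hostnames) is an assumption of this example.

```python
import ipaddress
from typing import List, Tuple

# Default bypass ranges exactly as the guide lists them (the guide groups all
# four under "RFC 1918"; 169.254.0.0/16 is the link-local range).
WSS_BYPASS_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_bypassed(destination: str) -> bool:
    """Return True when the client sends this destination direct (bypass).

    Assumption: only IPv4 address literals are matched against the list;
    hostnames and IPv6 literals are treated as going through the WSS.
    """
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        return False  # hostname or malformed literal: not a bypass match
    if addr.version != 4:
        return False
    return any(addr in net for net in WSS_BYPASS_RANGES)


def classify(destinations: List[str]) -> List[Tuple[str, str]]:
    """Label each destination 'direct' (bypassed) or 'wss' (intercepted)."""
    return [(d, "direct" if is_bypassed(d) else "wss") for d in destinations]


if __name__ == "__main__":
    # Constructed sample destinations, including the 172.16.0.0/12 boundary.
    sample = ["10.1.2.3", "172.31.255.255", "172.32.0.1", "192.168.1.10",
              "169.254.10.1", "8.8.8.8", "intranet.example"]
    for dest, verdict in classify(sample):
        print(f"{dest:20s} -> {verdict}")
```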

Procedure

VPN Client Compatibility

The WSS Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure full or split tunnel with additional configurations.

n Full Tunnel—This is possible if the VPN server's egress IP address is configured as an IPSec Location in the Web Security Service (Service mode > Network > Locations). This enables the WSS Agent to enter Passive mode when on the Location network.

n Split Tunnel—White-list the IP address of the VPN server to prevent connection flapping.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

n A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select the Allow access to Proxy Settings in agent option, which allows the Proxy tab to be visible after installation.

n For increased security in a production installation, Symantec recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

Tip: If you elect to hide the Proxy tab, but later decide you want the Unified Agent to display it, return to this page and enable it. However, the Unified Agent does not display the tab until after the next client restart/reboot.

Step 2—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 3: Install the Client.

1. In Service mode, select Mobility > Unified Agent.

2. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.


As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installer.

Step 3—Install the Unified Agent on a Client System.

1. Launch the installer assistant.

a. Navigate to the directory where you saved the installer. Double-click it to mount the disk image.

b. Navigate in the Finder and select the Unified Agent.pkg file; double-click it. The OS displays the Unified Agent installer.

2. Click Continue. The Unified Agent Installation wizard begins.

3. The installer displays a prompt for the administrator user name and password.

4. When the installation completes, click Close.

From the toolbar, select the Unified Agent icon and select Status. On the Advanced tab, verify that the agent is running (if you still require a proxy connection to the Internet, see below).

Next Selection

n If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 72.

n If not, proceed to "Set WSSA Network/Security Options" on page 34.


Route Remote Connections Through an HTTP Proxy

If you encounter a situation that requires the Unified Agent to connect to the Symantec Web Security Service through an HTTP proxy, such as a test network trial or demonstration, you must provide the proxy IP address.

Perform the following steps on Windows or Mac clients.

Deployment Notes

n This is not applicable to the WSS Agent.

n If you do not see the Proxy tab, you or another administrator installed the client with the option to hide that tab enabled. This is a higher-security measure that prevents employees from evading the corporate-to-Internet egress addresses that are linked to enforced browsing policies. If a particular client requires this setting, you must re-install the agent on the system.

n If you configure this option, you cannot select the Unified Agent 4.8+ Ignore Proxy Settings option on the Mobility > Unified Agent page.

In Windows

This section demonstrates the Unified Agent.

1. Right-click the Unified Agent icon in the system tray and select Proxy Settings.


a. Select the Connect to the Blue Coat Cloud Service using the HTTP proxy at: option.

b. Enter the IP address and port number in the appropriate fields.

c. (Optional) If required to gain access to the proxy server, enter the proxy user name and password.

d. Click Apply.

In OS X:

This section demonstrates the Unified Agent.

1. Click the Unified Agent icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the dialog.

2. Click the Proxy tab.

a. Select Connect to the Blue Coat Cloud Service using the HTTP proxy at.

b. Enter the HTTP proxy IP Address and Port.

c. (Optional) If the HTTP proxy requires a User Name and Password for access, enter those.

3. Click Apply.

Next Step

n Proceed to "Set WSSA Network/Security Options" on page 34.


Manually Disable the Unified Agent

The Symantec Unified Agent, installed on employee devices such as laptops, provides web security when the client is not connected to an on-premise network. Although the Unified Agent should function in any network, sometimes an unforeseen environment might cause connection issues or prevent the Unified Agent from passing web traffic to the WSS. Your business might depend on the efficiency of personnel in the field who cannot be disrupted by a lack of an Internet connection.

You can configure the WSS to allow employees to temporarily disable the Unified Agent should connection issues occur. The Unified Agent remains disabled only until the client machine reboots or the employee initiates a reconnect from the Unified Agent interface.

Furthermore, this setting in the WSS applies to all Unified Agents in the field. You cannot selectively target which installations receive the disable option.

Note: This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

Activate the Disable Option

1. In Service mode, select Mobility > Unified Agent.

2. In the Unified Agent Settings area, select Yes for the Allow agent to be disabled by user option.

Instruct Employees How to Disable the Unified Agent

Windows

In the system tray, right-click the Unified Agent icon and select Disable Unified Agent. Employees can also return here and Enable the agent.

OS X

Click the Unified Agent icon in the menu bar and select Disable Unified Agent. Employees can also return here and Enable the agent.


Verify Connections

After configuring access to the Symantec Web Security Service, verify that the service is receiving and processing content requests.

From a client system that has web access (or the specific test client if so configured), browse to the following site:

test.threatpulse.com

The test is successful if you see the following webpage.

1. Click the Service link (upper-right corner).

2. Select Network > Locations.

3. Verify the status of each location.

Various icons represent the connection status.


Icon / Connection Status Description (the status icons themselves are images in the original guide):

n The Web Security Service recognizes the location and accepts web traffic.

n A location has been configured, but the Web Security Service cannot connect. Verify that the web gateway device is properly configured to route traffic.

n A previously successful web gateway to Web Security Service configuration is currently not connected.

o Proxy Forwarding—Verify the gateway address in the forwarding host is correct.

Remote Users

In Service Mode, select Mobility > Agent Status.

n For WSS Agent, see the WSS Agent topics.

n For Unified Agent, click (or double-click) the application icon in the menu bar and click Status.

If the system detects a corporate network that provides web access and security, the Unified Agent enters passive mode.


Mac (UA)

If the system detects a corporate network that provides web access and security, the Unified Agent enters passive mode.


Uninstall the Unified Agent

The Symantec Unified Agent is an application installed on remote systems that frequently connect to the Internet from non-corporate networks. You have the option to require an uninstall token, which employees must enter to remove the Unified Agent.

Available Options

n "Unified Agent—With Uninstall Token" below

n "No Token Defined/Client Connector" on page 81

n "CLI" on page 81

n "MSI Version Mis-Match (Unknown MSI)" on page 81

Unified Agent—With Uninstall Token

Employees attempting to uninstall the Unified Agent require an uninstall token that you define in the Web Security Service portal.

Information

n This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

n If you have previously deployed Unified Agent to clients and used the CLI options (Windows: SUP=password; OS X: "--args -SUP password"), those passwords are no longer valid. You must log in to the portal and define the uninstall token.

n Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client receives the latest uninstall token.

n If you did not define an uninstall token, you can use the Control Panel.

Procedure

1. In Service mode, select Mobility > Unified Agent.

2. Define the uninstall token.


a. Select Require token to uninstall agent: Yes.

b. Click Uninstall Token (or Change Token if you or someone else previously obtained a token). The service displays the Set Unified Agent Uninstall Token dialog.

c. Name the Uninstall Token and click Set Token. The service displays that an uninstall token was set on a given date and time.

d. Distribute the uninstall token and instructions (see below) to those who have permission to uninstall the Unified Agent.

You can change the uninstall token any time.

Windows

If it still exists on the client, running the correct MSI installer allows you to remove the client application. If the MSI does not exist, you can download it again from the Web Security Service portal. If you attempt this method and receive an error string that begins with Another version of this product is already installed..., see "MSI Version Mis-Match (Unknown MSI)" on page 81.

n Execute the Unified Agent installer (MSI).

In the Removal...uninstall token field, enter the token and click Validate.

Note: The equivalent CLI command is UNINSTALL_TOKEN=password, where password is the token obtained from the portal.

Tip: If an employee attempts to remove the Unified Agent from the Windows > Control Panel menu, they receive a pop-up message prompting them to contact their Administrator for removal permission.

OS X

1. In the menu bar, click the Unified Agent icon.

2. Hold down the Option and Alt keys. The Quit menu changes to Uninstall.

3. The system prompts you for the uninstall token.


Enter the uninstall token and click OK.

4. Click Uninstall.

No Token Defined/Client Connector

If an uninstall token was not generated in the portal, follow the standard process for removing a program.

Windows

(Start > Control Panel > Add/Remove Programs). Youmust have administrative rights to the system.

OS X

1. In the menu bar, click the Unified Agent icon.

2. Hold down the Option and Alt keys. The Quit menu changes to Uninstall.

3. Click Uninstall.

Alternative

Navigate to /Library/Application Support/Blue Coat Systems and double-click the cloud-client-uninstaller.

CLI

If you know or recorded the exact MSI that was used to install the application, use the CLI command to remove it.

msiexec /x {MSI_Value} [/quiet UNINSTALL_TOKEN=password]

Reference—MSI Versions

n See "Reference: Windows WSSA/UA Package Versions" on page 98 for versions.

MSI Version Mis-Match (Unknown MSI)

The following scenario creates an MSI-version mis-match.

n You configured the option in the Web Security Service portal to allow Unified Agent clients to automatically update.

n You defined an uninstall token.


For example, you downloaded and installed Unified Agent 4.4, then (per configuration) the portal automatically updates the installed client versions to 4.5 when Symantec posts it to datacenters. With the uninstall token option defined, you or employees cannot uninstall the application because no MSI was downloaded and paired with the upgraded product ID.

To remove the application, you must use the CLI command with the correct product ID code.

msiexec /x {product_id_code} /quiet UNINSTALL_TOKEN=password

You find this code one of two ways:

n (Recommended) Review theMSI uninstall failure log.

n Find it in the registry. For more information about this method, see the Knowledge Base article.

https://support.symantec.com/en_US/article.TECH246265.html

The product ID is the same for all installation instances, which means you can create scripts to remove the application from multiple clients.
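An added example, not from the guide or the product, of the product-ID lookup and removal command described above: it selects the Unified Agent's MSI product code from the standard Windows Uninstall registry keys (where Windows Installer names each product's subkey by its product-code GUID) and assembles the msiexec command shown above. Matching on a DisplayName of "Unified Agent" is an assumption, the registry entries in the demo are constructed, and the token placeholder stands in for the one obtained from the portal.

```python
import re
import subprocess
import sys
from typing import Dict, List, Optional

# Standard Windows Installer uninstall entry locations (64-bit and 32-bit views).
UNINSTALL_KEYS = [
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
]
# Windows Installer product codes look like {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def read_uninstall_entries() -> List[Dict[str, str]]:
    """Enumerate uninstall entries from the live registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("registry lookup only works on Windows")
    import winreg  # imported lazily so the pure functions below run anywhere
    entries: List[Dict[str, str]] = []
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # e.g. no WOW6432Node view on a 32-bit system
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                entry = {"KeyName": name}
                with winreg.OpenKey(root, name) as sub:
                    for value in ("DisplayName", "DisplayVersion"):
                        try:
                            entry[value] = winreg.QueryValueEx(sub, value)[0]
                        except OSError:
                            pass  # value absent on this entry
                entries.append(entry)
    return entries


def find_product_code(entries: List[Dict[str, str]],
                      display_name: str = "Unified Agent") -> Optional[str]:
    """Return the product code whose DisplayName starts with display_name.

    Assumption: the agent registers under DisplayName "Unified Agent";
    confirm on one client before scripting removal across a fleet.
    """
    for entry in entries:
        if (entry.get("DisplayName", "").startswith(display_name)
                and GUID_RE.match(entry.get("KeyName", ""))):
            return entry["KeyName"]
    return None


def build_uninstall_command(product_code: str, token: str) -> List[str]:
    """Build argv for: msiexec /x {product_id_code} /quiet UNINSTALL_TOKEN=token."""
    if not GUID_RE.match(product_code):
        raise ValueError(f"not an MSI product code: {product_code}")
    return ["msiexec", "/x", product_code, "/quiet", f"UNINSTALL_TOKEN={token}"]


if __name__ == "__main__":
    # Constructed entries standing in for what read_uninstall_entries() returns.
    sample = [
        {"KeyName": "{11111111-2222-3333-4444-555555555555}",
         "DisplayName": "Some Other Product", "DisplayVersion": "1.0"},
        {"KeyName": "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}",
         "DisplayName": "Unified Agent", "DisplayVersion": "4.5.0"},
    ]
    code = find_product_code(sample)
    cmd = build_uninstall_command(code, "<token-from-portal>")
    print(subprocess.list2cmdline(cmd))
    # On a Windows client: subprocess.run(cmd, check=True)
```

Because the token is passed on the command line, it is visible to anyone who can list processes on the client while msiexec runs; rotate the token in the portal after a scripted removal campaign.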


Troubleshoot

Attempt to solve remote client application connection problems.

n "Unified Agent Connection Troubleshooting" on page 84

n "Manage Web Security Service Client Connections" on page 88

n "Manually Disable the Unified Agent" on page 89

n "Capture Remote Client Trace Log" on page 91

n "Uninstall the Unified Agent" on page 78


Unified Agent Connection Troubleshooting

Connection Issues

n Symptom

The Unified Agent redirects or connects to wrong datacenter

Check

See the UA Installation Article.

n Symptom

The Unified Agent randomly loses connection and then reconnect causing interruptions to internet access.

Check

On computers with both a wired and a wireless network connection, ensure that both interfaces are not connected at the same time. This causes the client to roll from one interface to the other, which might cause connection interruptions.

n Symptom

Unified Agent installation fails.

Check

Multiple failed installation attempts might create registry entries that compound the failures. See the UA KB Query.

n Symptom

The Unified Agent returns a username similar to the following.

NT AUTHORITY\SYSTEM

The cause is a third-party application intercepting the traffic, which prevents the Unified Agent from returning the correct username as derived from its process.

Check

With Unified Agent v4.6+, you can instruct the Web Security Service to return the logged-in username. On the Mobility > Unified Agent page, select Logged in User ID from the Username Format drop-down list.

System Events

You can view a list of system events recorded by the Unified Agent by opening the diagnostics log file. This text file displays events with time stamps whenever the network or client status changes as a result of user input or other system disturbances.

The diagnostic log file is automatically created by the remote client application and does not require setup. To view the auto-generated log file, refer to the following action steps.

InWindows:


1. In the system tray, double-click the installed client icon. The service displays the Status tab of the client dialog.

2. Click the Advanced tab.

3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename shows the log creation date (for example, the filename UnifiedAgent_Diag_07072016-1047.txt indicates the file was created on July 7, 2016 at 10:47 AM).

In OS X:

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The service displays the Status tab of the client dialog.

2. Click the Advanced tab.

3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename shows the log creation date (for example, the filename UnifiedAgent_Diag_07072016-1047.txt indicates the file was created on July 7, 2016 at 10:47 AM).

If your remote user employees are sending complaints about network access to the web and they have the Unified Agent installed and routing web requests to the Symantec Web Security Service, you can capture tracing logs from the client to help diagnose client-related issues (if you are working with Technical Support, they might also request this information). As the capture must be performed on the client system, you must initiate the process by performing one of the following actions:

n Have the employee bring you their client system.

n Gain access to their system through a remote connection.

n Instruct the employee on how to perform the capture and send you the file.

Packet Capture

To perform a packet capture, refer to the following action steps:

In Windows

1. In the system tray, double-click the installed client icon. The system displays the Status tab of the client dialog.

2. Click the Advanced tab.


a. Click Start Tracing to initiate a trace capture. When you begin a trace capture, the service displays the path to the trace file.

b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart Windows, and return to this dialog to stop the capture.

c. Stop the trace capture by clicking Stop Tracing.

d. Click Open Trace Folder to display the folder that contains the trace file to send to support.

In OS X

1. Click the installed client icon in themenu bar (located at the upper right-hand corner of the screen) and click Status. Thesystem displays the Status tab of the client dialog.

2. Click the Advanced tab. 


a. Click Start Tracing to initiate a trace capture.

b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart the computer, and return to this dialog to stop the capture.

c. Stop the trace capture by clicking Stop Tracing.

d. To view the trace (packet capture) information, use the OS X Console application to open the System Log. You can find the Console application in the OS X Utilities folder. Unified Agent trace messages are added to the system log. To see just these messages, enter bcua in the search field (upper-right) in the Console application. To copy/paste all of the messages, select one and choose Select All from the Edit menu; paste into a text file.

Symptom

The Unified Agent returns a username similar to the following.

NT AUTHORITY\SYSTEM

The cause is a third-party application intercepting the traffic, which prevents the Unified Agent from returning the correct username as derived from its process.

Solution

With Unified Agent v4.6+, you can instruct the Web Security Service to return the logged-in username. On the Mobility > Unified Agent page, select Logged in User ID from the Username Format drop-down list.


Manage Web Security Service Client Connections

If employees are sending complaint requests regarding dropped connections to the web, reviewing the Symantec Web Security Service client connections status might help you determine whether this is a widespread or minimal issue. Also, if you see a client on the system that you do not believe belongs in your organization (for example, a stolen laptop), you can log in to the Web Security Service portal and block access to that client while you investigate.

To review client connections, in Service mode select Mobility > Agent Status tab.

Your organization might have hundreds to thousands of client connections at any given moment. Use the search field to yield targeted results. As you enter text, the portal uses auto-fill to match entries. Select the option on which to sort.

See Manage Remote/Mobile Device Connections for more details.


Manually Disable the Unified Agent

The Symantec Unified Agent, installed on employee devices such as laptops, provides web security when the client is not connected to an on-premise network. Although the Unified Agent should function in any network, sometimes an unforeseen environment might cause connection issues or prevent the Unified Agent from passing web traffic to the WSS. Your business might depend on the efficiency of personnel in the field who cannot be disrupted by a lack of an Internet connection.

You can configure the WSS to allow employees to temporarily disable the Unified Agent should connection issues occur. The Unified Agent remains disabled only until the client machine reboots or the employee initiates a reconnect from the Unified Agent interface.

Furthermore, this setting in the WSS applies to all Unified Agents in the field. You cannot selectively target which installations receive the disable option.

Note: This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

Activate the Disable Option

1. In Service mode, select Mobility > Unified Agent.

2. In the Unified Agent Settings area, select Yes for the Allow agent to be disabled by user option.

Instruct Employees How to Disable the Unified Agent

Windows

In the system tray, right-click the Unified Agent icon and select Disable Unified Agent. Employees can also return here and Enable the agent.

OS X

Click the Unified Agent icon in the menu bar and select Disable Unified Agent. Employees can also return here and Enable the agent.

Review System Events Generated by Remote Clients

You can view a list of system events recorded by the Unified Agent by opening the diagnostics log file. This text file displays time-stamped events whenever the network or client status changes as a result of user input or other system disturbances.

The diagnostic log file is automatically created by the remote client application and does not require setup. To view the auto-generated log file, refer to the following action steps.

In Windows

1. In the system tray, double-click the installed client icon. The service displays the Status tab of the client dialog.

2. Click the Advanced tab.

3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename shows the log creation date (for example, the filename UnifiedAgent_Diag_07072016-1047.txt indicates the file was created on July 7, 2016 at 10:47 AM).

In OS X

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The service displays the Status tab of the client dialog.

2. Click the Advanced tab.

3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename shows the log creation date (for example, the filename UnifiedAgent_Diag_07072016-1047.txt indicates the file was created on July 7, 2016 at 10:47 AM).

Capture Remote Client Trace Log

If your remote employees are sending complaints about network access to the web, and they have the Unified Agent installed and routing web requests to the Symantec Web Security Service, you can capture tracing logs from the client to help diagnose client-related issues (if you are working with Technical Support, they might also request this information). Because the capture must be performed on the client system, you must initiate the process by performing one of the following actions:

• Have the employee bring you their client system.

• Gain access to their system through a remote connection.

• Instruct the employee on how to perform the capture and send you the file.

To perform a packet capture, refer to the following action steps:

In Windows

1. In the system tray, double-click the installed client icon. The system displays the Status tab of the client dialog.

2. Click the Advanced tab.

a. Click Start Tracing to initiate a trace capture. When you begin a trace capture, the service displays the path to the trace file.

b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart Windows, and return to this dialog to stop the capture.

c. Stop the trace capture by clicking Stop Tracing.

d. Click Open Trace Folder to display the folder that contains the trace file to send to support.

In OS X

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the Status tab of the client dialog.

2. Click the Advanced tab. 

a. Click Start Tracing to initiate a trace capture.

b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart the computer, and return to this dialog to stop the capture.

c. Stop the trace capture by clicking Stop Tracing.

d. To view the trace (packet capture) information, use the OS X Console application to open the System Log. You can find the Console application in the OS X Utilities folder. Unified Agent trace messages are added to the system log. To see just these messages, enter bcua in the search field (upper-right) in the Console application. To copy/paste all of the messages, select one and select Select All from the Edit menu; paste into a text file.

Prevent a Domain From Routing to the Web Security Service

IMPORTANT: This topic only applies to locations that use the Explicit Proxy and WSS Agent WSS connectivity methods. All other access methods ignore any bypass domain configurations.

Some destinations, such as intranets, do not require WSS processing. Configure the service to ignore these connections. Another use case is that you have use policy enabled, such as blocking several leisure categories, but you want to relax restraints for remote users and allow their requests to bypass the WSS en route to specific sites.

Notes

• The WSS allows an unlimited number of bypassed domains.

• The bypass setting is a simple match; the hostname and top level domain are used for policy matching. For example, a request for www.test.com matches bypass policy for test.com, but so does a request for shop.test.com.

• The setting is global; that is, it applies to every location/client in your WSS account.

• Be advised that multi-homed domains might lead to over-bypassing a site.

• Each time that a WSS Agent reconnects to the WSS (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.
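Because a bypass entry is a simple suffix match that applies account-wide, it is worth checking what a proposed entry actually captures before adding it. The following is an added example, not code from the Unified Agent or the WSS; it models the matching rule the notes describe (test.com covers www.test.com and shop.test.com) and reports which observed request hosts each entry would send around the service. Treating the DNS label boundary strictly, so that nottest.com does not match test.com, and the sample hostnames are this example's own assumptions.

```python
"""Added example, not code from the Unified Agent or WSS: a model of the
bypass-domain matching rule described in the guide, used to review a bypass
list for over-bypassing before it is applied account-wide."""
from typing import Dict, List, Optional


def normalize_host(host: str) -> str:
    """Lower-case, drop a :port suffix (a proxy CONNECT request carries
    host:port) and a trailing dot so comparisons are uniform."""
    host = host.strip().lower()
    if ":" in host and not host.startswith("["):  # leave bracketed IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def domain_bypassed(request_host: str, bypass_domains: List[str]) -> Optional[str]:
    """Return the bypass entry that matches request_host, or None.

    The guide states that an entry for test.com matches www.test.com and
    shop.test.com. This example implements that as a DNS-label suffix match:
    the host equals the entry or ends with "." + entry. Enforcing the label
    boundary (so nottest.com does not match test.com) is an assumption of
    this example, not a documented WSS behaviour.
    """
    host = normalize_host(request_host)
    for entry in bypass_domains:
        d = normalize_host(entry)
        if host == d or host.endswith("." + d):
            return d
    return None


def over_bypass_report(bypass_domains: List[str],
                       observed_hosts: List[str]) -> Dict[str, List[str]]:
    """Group observed request hosts by the bypass entry that captures them.

    Because the list is global and a suffix match pulls in every subdomain,
    an entry that captures many unrelated hosts is a candidate for narrowing
    to the specific hostnames that actually need the bypass.
    """
    report: Dict[str, List[str]] = {normalize_host(d): [] for d in bypass_domains}
    for h in observed_hosts:
        match = domain_bypassed(h, bypass_domains)
        if match is not None:
            report[match].append(normalize_host(h))
    return report


# Constructed sample data for this example (not from the guide).
SAMPLE_BYPASS = ["test.com", "intranet.corp.example"]
SAMPLE_HOSTS = [
    "www.test.com:443",
    "shop.test.com",
    "nottest.com",            # not a label-suffix match
    "test.com.example.net",   # test.com is not the suffix here
    "intranet.corp.example",
    "mail.corp.example",      # sibling host, not under the entry
]

if __name__ == "__main__":
    for entry, hosts in over_bypass_report(SAMPLE_BYPASS, SAMPLE_HOSTS).items():
        print(f"{entry}: {hosts}")
```

Running the sample shows test.com capturing both www.test.com and shop.test.com while the narrower intranet.corp.example entry captures only itself; feeding the report real hostnames taken from your proxy access logs is the quickest way to see whether an entry is wider than you intended.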

Procedure: Manually Add Domain Entries

1. In Service mode, select the Network > Bypassed Sites > Bypassed Domains tab.

2. Click Add Bypass Domains. The portal displays a dialog.

a. Enter a valid Domain.

b. (Optional) Enter a Comment.

c. (Optional) Click the + icon to add another row for another entry.

d. Click Add Bypass Domain.

The new entries display in the tab view. You can edit or delete any entry from here.

Import Domain Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of domains to be bypassed. Each entry in the file must be on its own line.

1. In Service mode, select the Network > Bypassed Sites > Bypassed Domains/URL tab.

2. Click Add Bypass Domain(s). The service displays the Add Bypass Domain dialog.

3. Click Add Bypass Domain(s). The portal displays a dialog.

a. Select Import From File.

b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

c. Click Add Bypass Domain.

All of the new entries display in the tab view. You can edit or delete any entry from here.

Prevent IP/Subnet From Routing to the Web Security Service

IMPORTANT: This topic only applies to locations that use the Explicit Proxy and WSS Agent WSS connectivity methods. All other access methods ignore any bypass domain configurations.

Some IP addresses or subnets do not require Symantec WSS processing. For example, you want to exclude test networks.Configure the service to ignore these connections.

Notes

• The WSS allows an unlimited number of bypassed IP addresses/subnets.

• Each time that a WSS Agent reconnects to the WSS (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.

Procedure: Manually Add IP Addresses

1. In Service mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.

2. Click Add Bypass IP(s). The service displays a dialog.

a. Enter an IP/Subnet.

b. (Optional) Enter a Comment.

c. (Optional) Click the + icon to add another row for another entry.

d. Click Add Bypass IP(s).

The new entries display in the tab view. You can edit or delete any entry from here.

Import IP Address Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of IP addresses to be bypassed. Each entry in the file must be on its own line.

1. In Service mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.

2. Click Add Bypass IP(s). The service displays the Add Bypass IP Address/Subnet dialog.

3. Click Add Bypass IP(s). The portal displays a dialog.

a. Select Import From File.

b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

c. Click Add Bypass IP(s).

All of the new entries display in the tab view. You can edit or delete any entry from here.
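The import takes the file as-is, and a bypass list is global, so a malformed or over-broad entry affects every client in the account. The following is an added example, not code from the WSS or the Unified Agent: it reads an IP/subnet bypass list in the one-entry-per-line format the procedure describes and rejects entries that are not an address or CIDR block, a /0 that would bypass every destination, exact duplicates, and entries already covered by a broader block. The '#' comment syntax, the blank-line handling and the sample file contents are this example's own assumptions; the guide only requires one entry per line.

```python
"""Added example, not code from the WSS or Unified Agent: pre-flight checks for
an IP/subnet bypass list before importing it through the Bypassed IP/Subnets
tab. The one-entry-per-line format is the guide's; the checks and the sample
file are this example's own."""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Problem = Tuple[int, str, str]  # (line number, entry text, reason)

# Constructed sample file. '#' comments and blank lines are an assumption of
# this example; the guide only requires one entry per line.
SAMPLE_IP_LIST = """\
# lab network, excluded from WSS processing
10.50.0.0/16
10.50.7.0/24
192.0.2.10
192.0.2.10
0.0.0.0/0
2001:db8::/32
not-an-address
"""


def parse_ip_list(text: str) -> Tuple[List[Network], List[Problem]]:
    """Parse an IP/subnet bypass list and return (accepted networks, problems).

    Rejected: entries that are not an address or CIDR block, a /0 that would
    bypass every destination, exact duplicates, and entries already covered
    by a broader block earlier in the file (redundant, and a sign the list
    is wider than intended).
    """
    networks: List[Network] = []
    problems: List[Problem] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False accepts host bits set, e.g. 10.50.7.1/24
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append((lineno, line, "not an IP address or CIDR subnet"))
            continue
        if net.prefixlen == 0:
            problems.append((lineno, line, "/0 matches every address and would bypass all traffic"))
            continue
        if net in networks:
            problems.append((lineno, line, "duplicate entry"))
            continue
        cover = next((n for n in networks
                      if n.version == net.version and net.subnet_of(n)), None)
        if cover is not None:
            problems.append((lineno, line, f"already covered by {cover}"))
            continue
        networks.append(net)
    return networks, problems


def ip_bypassed(addr: str, networks: List[Network]) -> bool:
    """True when a destination address falls inside any accepted bypass block."""
    ip = ipaddress.ip_address(addr)
    return any(n.version == ip.version and ip in n for n in networks)


if __name__ == "__main__":
    nets, probs = parse_ip_list(SAMPLE_IP_LIST)
    print("accepted:", [str(n) for n in nets])
    for lineno, entry, reason in probs:
        print(f"line {lineno}: {entry!r}: {reason}")
```

Run the script against the file you intend to upload and fix the reported lines first; the accepted list is what the Import From File step would load, and ip_bypassed lets you confirm that a given test-network address is covered and that a production address is not.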

Reference: Windows WSSA/UA Package Versions

Each row lists the installer package(s) for a release followed by the MSI product code string(s) recorded for that release.

WSS Agent

wssa-6.1.110751-x64.msi {07EEAD61-94F6-447D-9DB6-2F78955ED56E}

wssa-5.1.1.238363-x64.msi {87B9C4EB-3640-49FE-8FAE-5666E47FFEC1}

Unified Agent

UnifiedAgentInstaller64-4.10.6.230466.msi {DBC6623E-500F-4FFA-BB8D-B119ABA56F8A}

UnifiedAgentInstaller64-4.10.3.225009.msi {58660032-15F8-4B48-848F-63D31541305C}

UnifiedAgentInstaller64-4.10.1.219990.msi {BD6535C4-B66E-472C-A4FC-473B4F93DC10}

UnifiedAgentInstaller64-4.9.4.212024.msi {1536286D-6678-4FCD-A732-9E794A0ACDF7}

UnifiedAgentInstaller64-4.9.1.208066.msi {758D4802-6245-4EAA-8C8C-EEA3B50A246B}

UnifiedAgentInstaller64-4.8.0.201333.msi, UnifiedAgentInstaller32-4.8.0.201333.msi {12C3173D-00E4-4D80-B229-D0DA792E8898}

UnifiedAgentInstaller64-4.7.3.194344.msi, UnifiedAgentInstaller32-4.7.3.194344.msi {5FEBEFA8-C6F2-4395-B329-2461C973DE34}, {CD54CD6F-C16C-4155-9E1D-26A58C3D24D8}

UnifiedAgentInstaller64-4.7.1.188819.msi, UnifiedAgentInstaller32-4.7.1.188819.msi {57A84D92-77A7-4C63-B847-FF7087C7D878}, {226C2DE9-7D3E-4A8C-8078-47DF0BE257F8}

UnifiedAgentInstaller64-v4.6.0.157065.msi {D6FD56F5-00E5-4954-8CED-DC1F9F2887F6}

UnifiedAgentInstaller64-4.5.1.152154.msi, UnifiedAgentInstaller32-4.5.1.152154.msi {61BDFA31-62A5-41CB-9833-D602056B8751}

UnifiedAgentInstaller64-4.5.0.148992.msi, UnifiedAgentInstaller32-4.5.0.148992.msi {216652C2-709F-449B-B92F-9723C7E78384}