You want to learn about the best practices for configuring and using Symantec Endpoint Protection (SEP) and Web Security Services (WSS) Traffic Redirection (WTR).
Use the latest version of the SEP client and WTR content
Ensure your clients regularly update to the latest WTR content in order to maintain the best possible performance and functionality.
Symantec has made several enhancements to the WSS integration feature of the SEP client since its initial release in SEP 14.0.1 MP1. One example of these enhancements is Seamless Integration, which was added to the SEP 14.2 client for Windows clients. In order to take advantage of the latest functionality enhancements, ensure your clients use the latest version of the SEP client.
Allow WTR through firewall/proxy
If your clients connect to the Internet through a corporate proxy or firewall, ensure you allow unrestricted access to the DNS addresses the SEP client will need for access/authentication.
Proxy connection to WSS
Roaming clients move between networks. To minimize disruptions to Web connectivity when roaming between networks, ensure the following:
Ensure you are using the latest WTR content and engine.
Each Location should include an enabled WTR Integrations policy.
With a policy in every Location, the SEP client changes less on the local system during a location switch than it would if the policy were removed entirely.
For an On-Net and Off-Net Location scenario, you may also see faster response times by pointing clients to a local/internal proxy, if one is available.
Configure VPN clients for WTR
The WTR engine uses the Local Proxy Service (LPS) to listen on the client's loopback adapter for HTTP/HTTPS requests and forward those requests to the WSS infrastructure. The WTR engine configures the system proxy settings to point to a PAC file hosted by LPS (http://localhost:2968/proxy.pac). Any applications that use the system proxy settings will be directed to connect to LPS for all HTTP/HTTPS traffic. The LPS will send its requests to WSS based on the routing table of the client computer. If the routing table is altered to send traffic through a VPN adapter, the LPS will do so. Use the following best practices to optimize the performance of VPN clients and SEP WTR:
Configure SSL VPN clients to bypass the system proxy settings and send VPN traffic directly to the VPN concentrator(s).
Configure all VPN clients for split tunneling. Send internal (Intranet) HTTP/HTTPS traffic directly through the VPN tunnel, and send external (Internet) traffic through the LPS, not through the VPN.
DNS Server performance
Slow DNS server response will adversely affect the latency of Web traffic through WTR. This is because the WTR engine must resolve the DNS address of the sites being browsed in order to determine if the requests are for local or remote Web resources. DNS server response time should average no greater than 50ms.
Configuring WTR for use with on-premise proxies
The SEP WTR engine does not support Kerberos authentication.
The current release version of the Microsoft Edge browser does not support NTLM authentication to localhost, and will not authenticate over NTLM through WTR.
The current beta version of Microsoft Edge using the Chromium engine allows NTLM authentication through WTR.
Internet Explorer Enhanced Security Configuration/Protected Mode
With Internet Explorer Enhanced Security Configuration (IE ESC) or Enhanced Protected Mode enabled, IE does not send requests to the local loopback adapter. As a result, the SEP Local Proxy Service receives no web traffic from IE to forward. Enhanced Security Configuration/Protected Mode must be disabled for WTR to work.
WSS Bypass Lists
Ensure that there are no entries for Symantec.com domains (e.g. *.wss.symantec.com) in the WSS bypass list. If wss.symantec.com is bypassed, the SEP Local Proxy Service will be unable to complete the seamless authentication handshake when using a SEP Integration Token.
Local traffic bypass
For situations that require bypassing network traffic from the Windows Local Proxy Service, Symantec provides a utility called LPSFlags.exe. This tool swaps the default proxy.pac hosted by LPS for a custom PAC file that bypasses the necessary traffic (e.g. SSL VPNs).
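The following PAC file is an added, constructed example (not the default proxy.pac served by LPS and not a file shipped with LPSFlags.exe) showing the split-tunnel rule from the VPN section and the local bypass described here: intranet hosts, private addresses and the SSL VPN concentrators go DIRECT (and so ride the VPN tunnel per the routing table), while all other traffic is handed to LPS for WSS redirection. The host names and the LPS proxy address are assumptions; take the real loopback proxy address from the PAC that LPS serves, and avoid ES6 syntax because Windows PAC engines run older JScript.

```javascript
// Constructed example PAC file for SEP WTR split tunneling / local bypass.
// Not the LPS default proxy.pac; verify the proxy string against that file.

// ASSUMPTION: the address LPS proxies on. 2968 is only the port that serves
// the PAC on the page; replace with the value from the default proxy.pac.
var LPS_PROXY = "PROXY 127.0.0.1:2968";

// Hypothetical intranet suffixes and SSL VPN concentrators to keep off LPS.
var INTERNAL_SUFFIXES = [".corp.example", ".intranet.example"];
var VPN_CONCENTRATORS = ["vpn1.example.com", "vpn2.example.com"];

// Suffix test without String.prototype.endsWith (older PAC engines).
function hasSuffix(s, suffix) {
  return s.length >= suffix.length && s.substr(s.length - suffix.length) === suffix;
}

// RFC 1918 ranges plus loopback, by literal IPv4 host only (no dnsResolve).
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names, loopback and private addresses are Intranet: go direct.
  if (host.indexOf(".") === -1 || host === "localhost" || isPrivateIPv4(host)) return "DIRECT";
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hasSuffix(host, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }
  // The SSL VPN concentrator must never be routed through the loopback proxy.
  for (var j = 0; j < VPN_CONCENTRATORS.length; j++) {
    if (host === VPN_CONCENTRATORS[j]) return "DIRECT";
  }
  // Everything else is Internet traffic: hand it to LPS for WSS redirection.
  return LPS_PROXY;
}
```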