Web Traffic Redirection (WTR) is a new feature of the Symantec Endpoint Protection (SEP) client that allows customers who own both SEP and Web Security Service (WSS) to redirect their Windows and Macintosh clients' Web traffic through the SEP client. This removes the need for a 3rd party WSS agent or 3rd party proxy server configurations on clients, and allows users to access the Web through WSS both on premise and while roaming. The WTR engine leverages the SEP client's functionality to seamlessly identify clients based on user name and domain.
How does Web Traffic Redirection work?
The WTR engine creates a Local Proxy Service (LPS) and configures supported browsers and the operating system to forward Web requests to the LPS via a PAC file. When Web clients make a request for a resource, the request is sent to the LPS, which forwards it to the downstream proxy (WSS, or on-premise proxy). The filtered Web responses are sent back to the LPS, which returns them to the Web client.
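Because every browser request is routed by the PAC file, a DIRECT rule for an external host bypasses the LPS and WSS filtering. The following is an added example (not SEP's own code or PAC file) that evaluates a PAC file offline and lists external URLs it would not send to the LPS; the PAC contents, the hostnames and the 127.0.0.1:8080 LPS address are constructed placeholders.

```javascript
// Shims for the PAC helpers the sample uses; browsers provide these natively.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, pattern) => {
    const re = pattern
      .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
      .replace(/\*/g, ".*")                  // shell * -> any run of characters
      .replace(/\?/g, ".");                  // shell ? -> any single character
    return new RegExp("^" + re + "$").test(str);
  },
};

// Constructed PAC file. 127.0.0.1:8080 is a placeholder for the LPS listener,
// not a value taken from SEP; the *.cdn.example rule is the bypass under test.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (shExpMatch(host, "*.cdn.example")) return "DIRECT";
  return "PROXY 127.0.0.1:8080";
}`;

// Constructed test URLs: two internal, two external.
const SAMPLE_URLS = [
  "http://intranet/",
  "https://wiki.corp.example/page",
  "https://www.example.org/",
  "https://static.cdn.example/app.js",
];

// Compile the PAC source. This executes it as code, so audit only PAC files
// fetched from your own server.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Return every external URL whose first PAC directive is not the expected proxy.
function auditPac(source, urls, expectedProxy, internalSuffixes) {
  const find = loadPac(source);
  return urls.flatMap((url) => {
    const host = new URL(url).hostname;
    const decision = find(url, host);
    const internal = !host.includes(".") || internalSuffixes.some((s) => host.endsWith(s));
    const first = decision.split(";")[0].trim();
    return !internal && first !== expectedProxy ? [{ url, decision }] : [];
  });
}

console.log(auditPac(SAMPLE_PAC, SAMPLE_URLS, "PROXY 127.0.0.1:8080", [".corp.example"]));
```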
I already have the WSS Unified Agent. Do I need another agent with SEP?
If you are already using a Unified Agent to redirect traffic to WSS, you do not necessarily need the SEP agent (client). However, if you are looking to fortify endpoint defenses with an endpoint detection and response product such as SEP, and want a single management location for PAC file designation, you can use the SEP agent to redirect the traffic to WSS without the use of multiple agents.
SEP also provides the following additional benefits:
SEP provides tamper-proof settings, which include continuous monitoring of the PAC file every three minutes, updating it as needed.
If enabled in the Integrations policy, it will install the WSS root certificate on the endpoint, allowing for SSL inspection in WSS.
The client-side control, when allowed by a Symantec Endpoint Protection Manager (SEPM) administrator, can help IT to troubleshoot issues.
With the PAC File Management Service (PFMS) in WSS, the SEP client can dynamically update the PAC file on the endpoint’s browser.
SEP currently provides captive portal authentication through seamless identification (client-id auth or CIA). Future plans may include authentication using 2FA.
Since SEP updates the browser settings with the PAC file info, it may have less of a performance and latency impact for the end user.
Does SEP provide tamper protection for the browser settings?
The SEP client's WTR engine makes the appropriate system proxy settings. On Windows clients, the WTR engine makes the appropriate proxy changes in LAN Settings for Internet Explorer/Chrome and in Proxy Settings for Edge and Firefox, and then locks the UI. This prevents users from changing their proxy settings manually in Internet Explorer, Edge and Chrome.
On the SEP for Mac client, system proxy settings are configured but not locked.
On both operating systems, the WTR engine checks the proxy settings at a 3-minute interval to ensure they haven't been modified by other means and, if they have changed, sets them back to the configuration defined in the Integrations policy.
Note: Proxy configurations set in a Windows Group Policy Object (GPO) will override WTR proxy settings when the GPO applies. It's also possible to prevent the WTR engine from making proxy settings by disabling the option to make proxy settings computer specific and not user specific. See "Endpoint Protection Web Traffic Redirection fails to set proxy settings" for more details.
What do I need to do to prevent a user from disabling the proxy settings?
The SEP Manager provides multiple options (server, client, mixed mode) for an administrator to configure whether the SEP client allows or denies control over client settings. A SEP admin can choose to retain full control, in which case only the system admin is allowed to modify the WTR PAC file URL or other settings. See "Preventing and allowing users to change the client's user interface" for more details.
Can we have as many unique PAC file / location combinations as needed?
Each SEP Integrations policy can only be configured to specify a single PAC file URL. Clients can be directed to different PAC files by specifying different Integrations policies for different SEP client groups and locations.
Where can PAC files be hosted?
PAC files can be hosted on any Web server in the customer's environment, or the PAC File Management Service (PFMS) in WSS can be leveraged. PFMS allows users to create and manage PAC files and WSS locations through the WSS portal.
Does SEP 15 (Evergreen) provide similar capabilities as SEP (on-premise) WTR?
At this time, SEP 15 does not provide WTR functionality.
Does SEP mobile provide similar capabilities as SEP (on-premises) WTR?