Some third-party applications, such as SSL VPN clients, do not support connecting through a loopback proxy. This document provides information on using the Symantec Windows executable LPSFlags.exe to add a list of one or more addresses to the proxy.pac file hosted by the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) Local Proxy Service (LPS).
Configure the Proxy Auto Configuration (PAC) file
Before making any changes, compile a list of addresses that need to be exempted from connecting through LPS. The default PAC file hosted by LPS directs clients to send requests for internal (RFC1918 and APIPA) addresses and plain hostnames directly instead of through LPS. Any resources hosted on a public IP address will need to be added to the PAC file. These can be specified by Fully Qualified Domain Name (FQDN), IP address, or IP address range.
Click Service > Mobility > PAC File Management, click on the correctly configured PAC file, and click Download
Save the file to an accessible folder as proxy.pac, and open the saved file in a text editor
Locate the following line: return "PROXY
Replace the WSS URL with your configured LPS PAC file URL (http://localhost:2968/proxy.pac by default)
Save the changes to the proxy.pac
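The exemption check for the three address forms named above (FQDN, IP address, IP address range), as an added example that is not Symantec's PAC file. It shows only the added exemptions, not the default internal-address rules; every address is a constructed documentation value, the helper names are hypothetical, and PROXY_RESULT is a placeholder for the return "PROXY line already in your downloaded file.

```javascript
// Added example (not the vendor's proxy.pac). Addresses are constructed values.
var EXEMPT_DOMAINS = ["vpn.example.com"];                  // FQDN, plus its subdomains
var EXEMPT_NETS = ["203.0.113.10/32", "198.51.100.0/24"];  // single IP and IP range
// Placeholder: keep the return "PROXY ..." value from your downloaded PAC file.
var PROXY_RESULT = "PROXY <value from your downloaded PAC file>";

// Convert a dotted-quad IPv4 literal to an unsigned integer, or null if invalid.
function ipv4ToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when host is an IPv4 literal inside the CIDR block (no DNS lookups).
function inCidr(host, cidr) {
  var parts = cidr.split("/");
  var ip = ipv4ToInt(host), base = ipv4ToInt(parts[0]);
  if (ip === null || base === null) return false;
  var size = Math.pow(2, 32 - parseInt(parts[1], 10));
  return Math.floor(ip / size) === Math.floor(base / size);
}

function isExempt(host) {
  host = host.toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < EXEMPT_DOMAINS.length; i++) {
    var d = EXEMPT_DOMAINS[i];
    // Match on a label boundary so lookalikes such as notvpn.example.com
    // or vpn.example.com.other.test are not sent DIRECT.
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  for (var j = 0; j < EXEMPT_NETS.length; j++) {
    if (inCidr(host, EXEMPT_NETS[j])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  if (isExempt(host)) return "DIRECT";
  return PROXY_RESULT;
}
```

Keeping the exemption list as narrow as possible matters here, because every DIRECT entry is traffic that bypasses WTR inspection.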
Replace the PAC file
Use one of the following methods to update the SEP LPS PAC file. For a small number of clients, manually run LPSFlags.exe. For larger numbers of clients, use the provided SEP Host Integrity (HI) policy* to direct clients to download a copy of the HI policy and your modified proxy.pac and apply it automatically.
Manually replace the PAC file
Download LPSFlags.exe attached to this document to the same folder as the modified proxy.pac file
Open a command prompt as Administrator and change directories to the folder containing LPSFlags.exe and proxy.pac
Enter the following command: LPSFlags.exe --pac-script proxy.pac --restart
Download LPSFlags.exe and 'Update WTR proxy.pac v3.1.dat' attached to this document to the same folder as the modified proxy.pac file
On your SEPM, create a folder called 'LPSFlags' under C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Inetpub\content
Copy LPSFlags.exe and proxy.pac to the 'LPSFlags' directory created above
Log in to the SEPM console and click Policies > Host Integrity > Import a Host Integrity policy
Browse to the downloaded copy of 'Update WTR proxy.pac.dat' and click Import
Open the newly imported 'Update WTR proxy.pac' policy, click Requirements > Update LPS proxy.pac with LPSFlags.exe > Edit..
Select the File: Download a file requirement and modify File URL to the address where you've hosted LPSFlags.exe
If following these steps, you should only need to edit the 'sepm14:8014' section of the URL to reflect the SEPM hostname/IP and port
Select the Utility: Run a script requirement
For best results, copy the script content to a text editor and read the documentation in the comments at the beginning of the script, then make the following modifications:
Modify the value of LPS to reflect any custom LPS port (default is 2968). Unless you are using a custom port, this doesn't need to be changed
Modify the value of web_server to the location where you host LPSFlags.exe and proxy.pac (the URL must include the trailing "/")
This URL should match the URL specified in step 7 above
Click OK > OK to save the changes
Click Assign the policy, select the groups and locations you wish to apply the policy to and click Assign
*The 'Update WTR proxy.pac v3.1.dat' Host Integrity policy is an example, provided as is, and includes no support or guarantee of functionality. It has been tested against Windows 10 and confirmed to work. Results may vary depending on system hardening configuration and other environmental factors.
LPSFlags.exe - utility to update the PAC file hosted by the SEP client LPS