Bypass Endpoint Protection Web Traffic Redirection using LPSFlags.exe
Last Updated June 07, 2019
Some third-party applications, such as SSL VPN clients, do not support connecting through a loopback proxy. This document describes how to use LPSFlags.exe to add a list of one or more addresses to the proxy.pac file hosted by the Symantec Endpoint Protection (SEP) client Web Traffic Redirection (WTR) Local Proxy Service (LPS).
Configure the Proxy Auto Configuration (PAC) file
Before making any changes, compile a list of addresses that need to be exempted from connecting through LPS. The default PAC file hosted by LPS directs clients to send requests to internal (RFC 1918 and APIPA) addresses and plain hostnames directly instead of through LPS. Any resources hosted on a public IP address will need to be added to the PAC file. These can be specified by either Fully Qualified Domain Name (FQDN) or IP address.
Use the PAC File Management Service (PFMS) PAC file
Click Service > Mobility > PAC File Management, click on the correctly configured PAC file, and click Download
Save the file to an accessible folder as proxy.pac, and open the saved file in a text editor
Locate the following line: return "PROXY
Replace the WSS URL with your configured LPS PAC file URL (http://localhost:2968/proxy.pac by default)
Save the changes to the proxy.pac
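Every address added to the PAC file is sent around LPS, so it helps to confirm which hosts the edited file routes direct before replacing the client copy. The following is an added example, not Symantec's code and not the PAC file that LPS or PFMS provides: a constructed FindProxyForURL modelled on the behaviour described above, with an offline audit over sample hosts. The proxy value, the exempted FQDN and IP address, and the helper stand-ins are all assumptions made for illustration.

```javascript
// Added example. All hosts, addresses and the proxy value are constructed.
// Offline stand-ins for PAC built-ins; this isInNet takes IP literals only (no DNS).
function isPlainHostName(host) { return !host.includes("."); }
function ipToInt(ip) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ip)) return null;
  const p = ip.split(".").map(Number);
  if (p.some((n) => n > 255)) return null;
  return ((p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]) >>> 0;
}
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}
const PROXY = "PROXY proxy.example.invalid:8080"; // placeholder proxy value
const EXEMPT_FQDNS = ["vpn.example.test"];        // hypothetical SSL VPN gateway
const EXEMPT_IPS = ["203.0.113.10"];              // hypothetical public IP address
// Modelled on the default behaviour the article describes, plus the exemption list.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||       // RFC 1918
      isInNet(host, "172.16.0.0", "255.240.0.0") ||   // RFC 1918
      isInNet(host, "192.168.0.0", "255.255.0.0") ||  // RFC 1918
      isInNet(host, "169.254.0.0", "255.255.0.0")) return "DIRECT"; // APIPA
  // Exact matches only, so similar-looking names are not exempted by accident.
  if (EXEMPT_FQDNS.includes(host) || EXEMPT_IPS.includes(host)) return "DIRECT";
  return PROXY;
}
// Expected routing for each host; auditPac returns the hosts that disagree.
const CASES = [
  { host: "intranet", expect: "DIRECT" },
  { host: "10.1.2.3", expect: "DIRECT" },
  { host: "169.254.7.7", expect: "DIRECT" },
  { host: "VPN.example.test", expect: "DIRECT" },
  { host: "203.0.113.10", expect: "DIRECT" },
  { host: "172.32.0.1", expect: PROXY },               // just outside 172.16.0.0/12
  { host: "othervpn.example.test", expect: PROXY },
  { host: "vpn.example.test.example.invalid", expect: PROXY },
];
function auditPac(cases) {
  return cases.filter((c) => FindProxyForURL("https://" + c.host + "/", c.host) !== c.expect)
    .map((c) => c.host);
}
console.log(auditPac(CASES));
```

An empty result means every sample host is routed as intended; any host listed is one whose routing differs from the expectation in CASES.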
Replace the PAC file
Use one of the following methods to update the SEP LPS PAC file. For a small number of clients, manually run LPSFlags.exe. For larger numbers of clients, use the provided SEP Host Integrity (HI) policy to direct clients to download a copy of the HI policy and your modified proxy.pac and apply it automatically.
Manually replace the PAC file
Download LPSFlags.exe attached to this document to the same folder as the modified proxy.pac file
Open a command prompt as Administrator and change directories to the folder containing LPSFlags.exe and proxy.pac
Enter the following command: LPSFlags.exe --pac-script proxy.pac --restart