Web Security Service

Connectivity:
Explicit Proxy and SEP Client
Revision: NOV.07.2020
Symantec Web Security Service/Page 2
 Page 3

Copyrights

Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom”
refers to Broadcom Inc. and/or its subsidiaries.

Copyright © 2020 Broadcom. All Rights Reserved.

The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com.

Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function,
or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any
liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein,
neither does it convey any license under its patent rights nor the rights of others.
 WSS Access Method: Explicit Proxy/Page 5

WSS Access Method: Explicit Proxy

The Symantec Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based
product, the Web Security Service leverages Symantec's proven security technology, including the WebPulse™ cloud
community.

With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to
create and enforce granular policies that are applied to all covered users, including fixed locations and roaming users.

This document describes how to use the PAC File Management Service (PFMS) to set up explicit proxy connections to the
WSS for security scanning and policy checks on web-bound traffic. It includes how to implement the WSS and Symantec
Endpoint Protection (SEP) solution.
Symantec Web Security Service/Page 6

Table Of Contents

WSS Access Method: Explicit Proxy 5

Table Of Contents 6

Connectivity: About Explicit Proxy 8

Why Select This Method? 10

Connectivity: PAC File Management Service (EP) 12

Technical Requirements 12
Technical Limitations 12
Example Procedure—New PAC File 13
Edit 17
Duplicate 17
Import 17

Connectivity: Set Browsers to Explicit Proxy 19

Technical Requirements 19

Connectivity: Publish PAC File With WPAD 22

Technical Requirements 22
Procedure 22
DHCP Method 22
DNS Method 22

Connectivity: About Symantec Endpoint Protection 24

Why Select This Method? 25
Why Select This Method? 27
Connection Methods 28
Authentication Support 28
Why Select This Method? 28

Connectivity: WSS-SEP with Captive Portal 30

Technical Requirements 30
Technical Limitation 31
Best Practice 31
Procedure—Enable Web Traffic Redirection on SEP 31
PAC File Management in SEP 33

Connectivity: WSS-SEP-WTR With Seamless Identification 36

Technical Requirements 36
Technical Limitations 37
Best Practice 37
 WSS Access Method: Explicit Proxy/Page 7

Procedure—Enable Web Traffic Redirection and Seamless Identification on SEP 37

Additional Support 42

Connectivity: WSS-SEP-NTR With Seamless Identification 43

Technical Requirements 43
Technical Limitation 43
Best Practice 43
Procedure—Enable Web Traffic Redirection and Seamless Identification on SEP 43
Additional Support 46

Connectivity: WSS-SEP Roaming SAML 47

Technical Requirements 47
Technical Limitations 48
Best Practice 48
Procedure—Enable Web Traffic Redirection and Seamless Identification on SEP 48
Additional Support 54

Prevent IP/Subnet From Routing to the Web Security Service 55

Notes 55
Procedure—Manually Add IP Addresses 55
Import IP Address Entries From a Saved List 56

Add an Explicit Proxy Location 57

Reference: Required Locations, Ports, and Protocols 59

Symantec Resource 59
Connectivity Methods 59
Authentication 61

Reference: Sample PAC File for Explicit Proxy 63

Symantec Web Security Service/Page 8

Connectivity: About Explicit Proxy

The Explicit Proxy Access Method refers to using proxy auto-config (PAC) files to direct internet-bound traffic to the Web
Security Service or to specific proxy servers based on the destinations. It might also refer to the method of using the browser
settings in client browsers to direct traffic to proxy servers that host PAC files.

A PAC file is a JavaScript that automates which proxies web browsers communicate through to reach the internet.

n Requests for external websites or requests made by company-owned computers using an external IP address are routed
through the service.

n Computers inside the firewall are given access to sites on the corporate intranet without routing through WSS.

The Explicit Proxy connectivity method protects endpoints at a fixed location (clients reside behind a single-IP egress device) or
roaming clients.
 Connectivity: About Explicit Proxy/Page 9

About the PAC File Management Service

The WSS PAC File Management Service (PFMS) enables deployment flexibility as you manage PAC
files and PAC file location association through the cloud service. Furthermore, you can create and
update bypass lists and other configurations directly in the WSS portal. With the PFMS, you can
create up to 100 PAC files and assign them to different locations. For example, you want on-premises
work stations in one location to use one PAC file that bypasses specific servers and Office 365
requests. But connections from other remote locations always connect through WSS.

1—For various locations, the Admin generates a PAC file in the WSS portal, possibly providing custom
bypassing of specific servers. The PAC files are installed on client browsers, either through your IT
infrastructure or to Symantec Endpoint Protection (SEP) agents.

2—The PFMS manages the created PAC files, which are available for updating. Amazon Web Services
(AWS) stores the PAC files; AWS provides the automatic health checks and failover infrastructure.

Note: PAC file edits might experience up to a one minute delay for world-
wide propagation.

3—By default, the PAC file script identifies the internal IP address based on the RFC 1918 standard.
Direct access to the internal URL is granted.

4—Location 1's PAC file instructs the browser to bypass WSS for Office 365 requests.

5—For other locations, the PAC files proxies all internet-bound traffic through the nearest WSS
datacenter.
Symantec Web Security Service/Page 10

Why Select This Method?

Benefits—
n Valid if your environment has a PAC-managed proxy.

n Your environment has infrastructure and IP address space.

n You do not want to install an agent.

Select another method if—

n Your network egress is not a static IP address or it requires traversing a NAT devices.

n You require Client IP-based policy, as addresses are not visible to WSS.

Is this the method you require?

n "Connectivity: PAC File Management Service (EP)" on page 12.
 Connectivity: About Explicit Proxy/Page 11

About the Default PAC File

WSS provides a default PAC file: https://portal.threatpulse.com/pac.

Tip: Currently, this is intended for backward compatibility and will be

deprecated in a future service update. The best practice is to create a
custom PAC file with the PFMS.

Is this the method you require?

n "Connectivity: Set Browsers to Explicit Proxy" on page 19.

n "Connectivity: Publish PAC File With WPAD" on page 22.

Symantec Web Security Service/Page 12

Connectivity: PAC File Management Service (EP)

The Web Security Service provides a Proxy Auto Configuration (PAC) File Management Service (PFMS) to facilitate the Explicit
Proxy connectivity method. This system allows you to create more than one PAC file, assign them to different locations, and
customize them to allow or bypass specific web destinations. Then you can create WSS policy based on these locations or
traffic routed from specific PAC files.

You can also create PAC files for roaming endpoints. For example, you plan to integrate the Symantec Endpoint Protection
(SEP) with the WSS. You want a separate PAC file to be used only for the SEP agent connections.

Technical Requirements
n Know the single static public egress IP address.

n Browsers and operating systems are able to accept and use PAC files.

n Firewall rules:

o Open port 443.

o If your firewall allows white-listing by DNS, white-list pfms.wss.symantec.com; this is the preferred method.

o If your firewall does not allow white-listing by DNS, allow the following static IP address: 34.120.17.44
(November 7, 2020).

If you employed the PFMS before November 7, 2020, the following IP addresses were used. Firewall rules for
these IP addresses can remain in place in the near-term as a precaution for failover or fallback. A follow up
announcement will be made after the existing IPs have been fully decommissioned.

o 35.155.165.94

o 35.162.233.131

o 52.21.20.251

o 52.54.167.220

o 199.247.42.187

o 199.19.250.187

n The WSS supports up to 100 different PAC files.

n The PFMS supports existing, supported authentication methods (Auth Connector, SAML, Captive Portal).

Technical Limitations
n Use Firefox 57.0.2+; older versions of Firefox may not apply PAC file correctly. This is third-party limitation with the
Firefox browser.

n Internet Explorer versions 11, Edge, and newer might cache old PAC file execution results for a particular host. If this
occurs, restart Internet Explorer.
 Connectivity: About Explicit Proxy/Page 13

n If the browser does not accept cookies or PAC files, supportability becomes difficult.

n If the user agent is unable to process the PAC file, there will be no protection or exceptions.

Example Procedure—New PAC File

One option is to duplicate the default PAC file and modify it.

To demonstrate the PAC File Management feature, the following steps create a new PAC file and designate its use for the SEP
test Explicit Proxy location (previously entered on the Connectivity > Locations page).

1. In the WSS portal, navigate to Connectivity > PAC Files.

2. Click New File. The portal switches to the PAC File Editor.

a. Name the PAC file.

b. (Optional) Describe the purpose of this PAC file.

c. Include WSS Bypass adds any IP addresses or domains that were previously added to the portal bypass lists
(Connectivity > Bypassed Traffic). You can click the expander to view those entries; however, you cannot edit
those entries here.
Symantec Web Security Service/Page 14

Tip: Bypass lists cannot exceed 256 KB in size.

d. Include Office 365 Bypass adds all of the currently known Microsoft Office web application domains.

3. Click Save.

The portal generates an explicit PAC File URL. You can copy this URL and use it for an explicit proxy configuration to
guarantee that this PAC is used. For example, you can send this to the Admin who is configuring the SEP clients to direct
traffic to WSS.

4. Continuing with the example, click the Locations tab.

 Connectivity: About Explicit Proxy/Page 15

a. Click Edit Locations.

b. Select a Location that is to connect through this PAC file. This example selects a previously added Explicit
Proxy Location created to test SEP integration.

Tip: You can have more than one location that uses the same PAC file. For more
information about the Roaming Endpoints, see "About the Roaming Location" on
page 17.

c. Click Add and Save.

5. Click the PAC Files link (or the Up arrow icon next to the PAC file name). The portal now displays the newly-created
PAC file.
Symantec Web Security Service/Page 16

About PAC File Hierarchy

With the possibility of multiple PAC files, the WSS evaluates and connects according to the following hierarchy.

n Full custom PAC File URL—The connection always uses the parameters in this PAC file.

n Locations—The WSS checks to see if the Location has an assigned PAC file. If yes, the connection proceeds with those
parameters.

n Default PAC File—If no Location is assigned to the connection, WSS uses the default PAC file
(http://portal.threatpulse.com:8080/pac).

Note: The default PAC file behavior is fail open. If for some reason the client cannot
connect to WSS, it falls back and goes DIRECT.

n If you configure a connection to use the PAC File URL only up to the customer ID portion (see screenshot), then WSS
follows the Locations/Default hierarchy described in the previous two bullets.
 Connectivity: About Explicit Proxy/Page 17

About the Roaming Location

The PFMS provides a Location called Roaming Endpoints. You can create a PAC file that applies to WSS Agents and mobile
devices that access the internet when outside of the corporate network. This is available on the Locations tab of the PAC File
dialog.

After the traffic reaches the WSS, your configured Authentication method is triggered (Identity > Auth Connector > Roaming
Captive Portal option or Identity > SAML).

PAC File Management

Edit
During the creation phase or any time after, you can Edit a PAC file to change the parameters. Be advised that this requires a
moderate knowledge of network connections.

Note: PAC file edits might experience up to a one minute delay for world-wide propagation.

Duplicate
You can Duplicate an existing PAC file and modify it for another purpose. For example, you want to test a configuration update
before implementing it.

Import
If you have created PAC files in text files, you can Import them for use in WSS.
Symantec Web Security Service/Page 18

Troubleshooting
n Verify the browser can download the PAC file.

n Confirm provided PAC file is the correct one for the situation (Location, Roaming).

n Verify issue applies to all browsers.

n Confirm if the issue is related to one webserver or several.

n Create three troubleshooting test policies.

o Public URL with no auth required.

o URL requiring Auth no policy.

o URL with Auth policy.

 Connectivity: Set Browsers to Explicit Proxy/Page 19

Connectivity: Set Browsers to Explicit Proxy

Manually configure web browsers on client systems or a demonstration client to point to the location of the Symantec Proxy
Automatic Configuration (PAC), which provides the route to the Web Security Service. See "Connectivity: About Explicit
Proxy" on page 8.

Tip: Currently, this is intended for backward compatibility and will be deprecated in a future
service update. The best practice is to create a custom PAC file with the PFMS.

Technical Requirements
n Verify that firewall port 8080 is open.

Warning: If you continue to use the default PAC file and for some reason WSS is not
accessible—for example, firewall issue on 8080, mis-configured URL, deleted PAC file),
fail open occurs and the connection goes direct.

Apple Safari
1. Select Apple menu > System Preferences.

2. Select the Internet and Network tab.

3. Select an option:

n If you are connected by cable to the network, select Ethernet.

n If you are connected using WiFi, select the AirPort option.

4. Click Advanced. Enter the address of your PAC file in the Address field. For example,
https://portal.threatpulse.com/pac.

5. Click the Proxies tab.

a. Select Using a PAC file.

b. Enter the Web Security Service PAC file location in the Address
field: https://portal.threatpulse.com/pac.

6. Select Quit to exit System Preferences.

Symantec Web Security Service/Page 20

Google Chrome
1. In the top-right corner of the browser, select the wrench .

2. From the drop-down list, select Options. The browser displays the Google Chrome Options dialog.

3. In the Network section, click Change proxy settings. The browser displays the Internet Properties dialog.

4. Click the Connections tab.

5. In the Local Area Network (LAN) Settings section, click LAN settings. The Local Area Network (LAN) Settings dialog
displays.

a. In the Automatic configuration area, select Use automatic configuration script.

b. Enter the Web Security Service PAC file location in the Address field: https://portal.threatpulse.com/pac.

6. Click OK and exit out of all open dialogs.

Microsoft Internet Explorer

1. Select Tools > Internet Options.

2. Select the Connections tab.

3. If you are using a VPN connection, click Add to set up the connection wizard. If you are using a LAN connection, click
LAN settings

4. LAN settings dialog:

a. Select Automatically detect settings and Use automatic configuration script.

b. Enter the Web Security Service PAC file location in the Address field: https://portal.threatpulse.com/pac.

5. Click OK and exit out of all open dialogs.

Mozilla Firefox
1. Select Tools > Options. The browser displays the Options dialog.

2. Select the Advanced > Network tab.

3. In the Connections area, click Settings.

4. Configure Connection Settings:

a. Select Automatic proxy configuration URL.

b. Enter the WSS PAC file location in the Address field: https://portal.threatpulse.com/pac.

5. Click OK and exit out of all open dialogs.

 Connectivity: Set Browsers to Explicit Proxy/Page 21

Next Step
n Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 55.
Symantec Web Security Service/Page 22

Connectivity: Publish PAC File With WPAD

Enforce the use of a Proxy Automatic Configuration (PAC) file without manual web browser configuration by using the Web
Proxy Auto-Discovery (WPAD) protocol. WPAD offers two options to publish the location of the PAC file: Dynamic Host
Configuration Protocol (DHCP) and Domain Name System (DNS). See "Connectivity: About Explicit Proxy" on page 8.

Tip: Currently, this is intended for backward compatibility and will be deprecated in a future
service update. Symantec strongly encourages you to create a custom PAC file with the PFMS.

Technical Requirements
n Verify that firewall port 8080 is open.

Warning: If you continue to use the default PAC file and for some reason the WSS is not
accessible—for example, firewall issue on 8080, mis-configured URL, deleted PAC file),
fail open occurs and the connection goes direct.

n Example PAC File.

"Reference: Sample PAC File for Explicit Proxy" on page 63

Procedure

Step 1—Select and perform a publish method.

DHCP Method
1. Before retrieving the first page, the web browser sends the local DHCP server a DHCPINFORM query.

2. The web browser uses the URL returned from the server to locate the PAC file.

3. If the DHCP server does not return the location of the PAC file, the DNS method is used.

DNS Method
1. Change the name of the PAC file located on the web server from proxy.pac to wpad.dat.

2. The web browser searches the web server for the PAC file using URLs until the proxy configuration file is found in the
domain of the client. The URL format is http://wpad.x.x.com/wpad.dat. WPAD.dat is the name for the PAC file and x
is a part of the domain name.
 Connectivity: Publish PAC File With WPAD/Page 23

Step 2—Bypass IP Addresses/Subnets

Some IP addresses or subnets do not require WSS processing. For example, you want to exclude test networks. Configure the
service to ignore these connections.

See "Prevent IP/Subnet From Routing to the Web Security Service" on page 55.

Step 3—Add an Explicit Proxy Location in the portal.

See Add an Explicit Proxy Location.

Next Step
n Proceed to "Prevent IP/Subnet From Routing to the Web Security Service" on page 55.
Symantec Web Security Service/Page 24

Connectivity: About Symantec Endpoint Protection

The Symantec Endpoint Protection (SEP) solution provides security to endpoint devices, such as laptops. SEP is an agent-
based approach that uses PAC file based re-direction to protect traditional endpoints. Integrating SEP with the Web Security
Service extends the security profile to the network level.

WSS provides four SEP methods. This topic provides conceptual information to help you determine which is the most
appropriate for your network, then provides links to topics that provide best practices and recommended values for configuring a
VPN tunnel.

n If you need to understand the methods before deciding, continue reading the following concept sections.

n If you know what deployment you require, select a link to the configuration topic.

o "Connectivity: WSS-SEP with Captive Portal" on page 30

o "Connectivity: WSS-SEP-WTR With Seamless Identification" on page 36

o "Connectivity: WSS-SEP-NTR With Seamless Identification" on page 43

o "Connectivity: WSS-SEP Roaming SAML" on page 47

 Connectivity: About Symantec Endpoint Protection/Page 25

About the SEP Client Benefits

WSS-SEP occurs through the Proxy Auto Configuration (PAC) File. SEP updates the proxy settings
for the operating system and browsers to point to a PAC file URL published by the WSS PFMS. The
PAC file contains rules about what proxy actions to take for different URLs. When a client application
that supports PAC file sends a web request, the PAC file rules instruct the application whether to
proxy the request to WSS or send the request out directly.

Based on the predefined configuration, the WSS proxy redirects, allows, or blocks the traffic.

n SEP focuses on endpoint detection and remediation.

o Enforces rule-based security on devices, whether remote or behind a corporate firewall.

o Leverages a policy-based approach to enforce security on your devices.

o Detects, identifies, blocks, and remediates threats and other security risks on the client
device.

n SEP provides tamper-proof settings. It also installs the WSS certificate on the endpoint (if
selected by policy). The client-side control, when allowed by a SEP Manager administrator, can
help IT to troubleshoot issues.

n Authentication—The Auth Connector is required.

Why Select This Method?

Benefits—
n You already have clients with the SEP solution and you want to extend from just local
protection to network protection.

n Your environment has infrastructure and IP address space.

n You do not want to install an agent.

Select another method if—

n Your network egress is not a static IP address or it requires traversing a NAT devices.
Symantec Web Security Service/Page 26

Sample WSS-SEP with Captive Portal Topography

1—The Admin uses the WSS portal to create custom a PAC file —possibly providing custom bypassing
of specific servers—and associates it with an Explicit Proxy Location.

2—The Admin accesses the SEP Manager and configures Web Traffic Redirection (WTR), which
includes adding the generated PAC file.

3—SEP Manager distributes the security policy, including the PAC file URL, to the SEP endpoints. The
SEP agent receives the security policy and configures the proxy settings for system and browsers.

4—The PAC file proxies all internet-bound traffic to the nearest WSS for web use and security policy
processing.
 Connectivity: About Symantec Endpoint Protection/Page 27

Why Select This Method?

Benefits—
n Used in conjunction with PFMS, the SEP client can dynamically update the PAC file on the
endpoint’s browser. This feature also allows you to maintain more than one PAC file; for
example, for various locations, groups, and so on.

n Your network egress is not a static IP address or it requires traversing NAT devices.

Select another method if—

n Your network egress is not a static IP address or it requires traversing a NAT devices.

Used in conjunction with the PFMS, the SEP client can dynamically update the PAC file on the
endpoint’s browser. This feature also allows you to maintain more than one PAC file; for example, for
various locations, groups, and so on.

Is this the method you require?

n "Connectivity: WSS-SEP with Captive Portal" on page 30.
Symantec Web Security Service/Page 28

About WSS-SEP-WTR/NTR—Web or Network

Redirection with Seamless Identification
This method requires an integration token that you generate in your WSS portal. The token is entered
into the SEP Manager, which then pushes the integration out to the SEP clients. When the employee
logs in to their system, the SEP client initiates a secure connection (with a session key and a pre-
shared key (PSK)) to WSS. The SEP client then provides an assertion to WSS. The assertion contains
the user identity and other information about the endpoint, such as the OS version. This seamless
identification means employees do not have to re-login again when accessing the internet through
Captive/Roaming Captive Portal. This allows for per-user policy to be applied to traffic and also
provides risky client context to WSS for logging and reporting. Seamless Identification also prevents
issues related to Cross-Origin-Resource-Sharing (CORS).

If the seamless identification is disabled or fails for any reason, user identity is not automatically
provided. Authentication reverts to a backup method configured for that location (Captive Portal if
enabled or Roaming Captive Portal).

Connection Methods
n WSS-SEP-WTR—Leverage the WSS PFMS with the SEP Web Traffic Redirection (WTR)
option in SEP Manager.

n WSS-SEP-NTR—Embeds and deploys selective WSS Agent technology into SEP. This yields
the benefits of the full Network Traffic Redirection (NTR) and captures non-proxy applications.
You can select what is captured by the agent. This method is beneficial if SEP clients frequently
change from one network to another. The tunnel method provides heightened security by
encrypting traffic between the endpoint and the data center.

Authentication Support
n Auth Connector—It is possible that client systems can belong to different Active Directory
domains or even different forests, which means WSS cannot discern the proper group.
Therefore, the Auth Connector is required for group-based policies.

n SAML—SEP with Seamless Identification supports Roaming SAML (WSS-SEP-WTR only at

this time). Adding a WSS-generated token to the SEP Manager establishes tenancy, which is
required for the SAML IdP.

Why Select This Method?

Benefits—
n Securely transfers the logged-in user ID and device information to WSS or SAML IdP, thus
Captive Portal is not required.
 Connectivity: About Symantec Endpoint Protection/Page 29

Is this the method you require?

n "Connectivity: WSS-SEP-WTR With Seamless Identification" on page 36.

n "Connectivity: WSS-SEP-NTR With Seamless Identification" on page 43

n "Connectivity: WSS-SEP Roaming SAML" on page 47.

Symantec Web Security Service/Page 30

Connectivity: WSS-SEP with Captive Portal

Redirect traffic from Symantec Endpoint Protection (SEP) clients to the Web Security Service to extend from local to network-
level protection.

n See "Connectivity: About Symantec Endpoint Protection" on page 24 for more information about the solution.

Technical Requirements
n Admin access to an WSS account.

n Admin access to SEP Manager.

n SEP client 14.2+ Windows and MAC clients.

n Captive Portal—Employees must log in to the Captive or Roaming Captive Portal. This method requires the on-premises
Auth Connector integration.

n You must backup the client proxy settings because the new SEP install erases them (Symantec is investigating this
issue). Restore the settings after installing SEP.

n Before installing, verify no listener on TCP 2968.

n Firewall rule: Open port 8080.

n Supported browsers:

o Apple Safari

o Google Chrome

o Microsoft Edge

o Microsoft Internet Explorer 9 through 11

o Mozilla Firefox

n If you plan to use the PAC File Management Service (PFMS) in conjunction with SEP clients, you must run
Norton LiveUpdate on the client to obtain the required certificate.

https://support.norton.com/sp/en/us/home/current/solutions/kb20080520094501EN_EndUserProfile_en_us

ISSUE: If you encounter issues with Live Update, download the SSL Intercept cert from the WSS portal and manually
install it on the test machine(s).

n https://portal.threatpulse.com/docs/am/Solutions/ManagePolicy/SSL/ssl_chrome_cert_ta.htm

n https://portal.threatpulse.com/docs/am/Solutions/ManagePolicy/SSL/ssl_ie_cert_ta.htm
 Connectivity: WSS-SEP with Captive Portal/Page 31

Technical Limitation
n Some browsers do not support proxy settings change in already running sessions. Changing a policy state
(enabled/disabled) requires browser restarts.

Best Practice
n Keep SEP clients updated to the latest versions; the updates provide critical fixes and performance enhancements.

Procedure—Enable Web Traffic Redirection on SEP

This procedure is for high-level reference. For greater detail, consult the documentation for your SEP/SEP Manager versions.

Prerequisite Step—Obtain a PAC File URL

WSS-SEP requires a PAC File URL, which instructs the browsers on machines where to download the PAC File. Use the
PAC File Management Service to create one for use with SEP connections. See "Connectivity: PAC File Management Service
(EP)" on page 12.

Step 1—Obtain and Distribute the SEP Client

n If you already have a supported SEP client, proceed to Step 2.

n Consult the welcome letter you receive from Symantec regarding how to access the SEP Manager.

n SEP Client Downloads—https://knowledge.broadcom.com/external/article?legacyId=TECH103088.

Step 2—Enable WSS Traffic Redirection in the SEP Manager

1. Log in to the Symantec Endpoint Protection Manager.

2. Select Policies > Integrations.

3. Click Add an Integrations Policy. The SEP Manager displays the Integrations Policy dialog.

4. Select WSS Traffic Redirection.

Symantec Web Security Service/Page 32

a. Select Enable WSS Traffic Redirection.

b. Select Install the...root certificate....

c. In the PAC Auto Configuration (PAC) File URL field, enter the URL obtained from the WSS.

Example format: https://pfms.wss.symantec.com/v1/pac?tenant=f6104d245&pac=6027c20d1.

d. Click OK.

Tip: If you click Mixed Control under Client User Interface Control Settings and then click
Customize, no option exists in the client user interface settings to configure WSS Traffic
Redirection.

Verify WTR on the SEP Client

1. Access the SEP client on a system that is receiving this configuration.

2. Select the WTR tab.

 Connectivity: WSS-SEP with Captive Portal/Page 33

a. Enable WSS Traffic Redirection is enabled.

b. PAC file URL is the same.

PAC File Management in SEP

The SEP Manager provides additional admin options and options to further refine how users connect through the PAC files.

Assign a PAC File to Specific Assets

The SEP Manager allows you to select specific groups, client systems, and users. For IE and Chrome, the PAC files are then
managed and inserted into the browsers (check the respective browser PAC settings).

1. In the SEP Manager, select Clients. There are three sub-categories: Default Group, Computers, and Users.

2. Each group contains a series of tabs.

n Clients—Specify the user systems in the group.

Symantec Web Security Service/Page 34

n Policies—Assign or remove the WSS PAC file.

Give Users the Ability to Turn the Service On or Off

Allow specific users and SEP groups the ability to turn the service on and off. For example, a specific consulting group requires
the ability to turn off these settings; however, a help desk employee cannot turn off these settings.

On the integration policy created in Step 3 (Policy > Integrations), the interface displays a gold padlock icon.
 Connectivity: WSS-SEP with Captive Portal/Page 35

The gold padlock icon enables or disables the end user ability to turn on or off the WSS redirection settings. By default, the
policy is locked, which means users cannot disable the service. Click the padlock (which switches to an unlocked icon) to
allow users to disable connection to the service on their systems.

You can review all enable/disable activities on the Monitors > Logs SEP Manager page.

Take Policy Offline

You can disable the policy for all clients assigned Integrations Policy. Perhaps you have a need to troubleshoot some policy
and don't want employee productivity to be impacted.

1. On the integration policy screen, click Overview.

2. Clear the Enable this policy option.

The next time SEP connects to the management server, it receives the instruction. If you change policy and re-enable it, the
same occurs. Upon the next management server connection, the client receives the policy.
Symantec Web Security Service/Page 36

Connectivity: WSS-SEP-WTR With Seamless

Identification
Redirect traffic from Symantec Endpoint Protection (SEP) clients to the Web Security Service to extend from local to network-
level protection. This topic provides the information for a fixed-location that uses SEP Web Traffic Redirection (WTR), which
requires a PAC File.

n See "Connectivity: About Symantec Endpoint Protection" on page 24 for more information about the solution.

Technical Requirements
n SEP 14.2+ is required for this feature.

n Requires an Explicit Proxy Location defined in Connectivity > PAC Files. The examples in this procedure use a location
named PAC-SA.

n Authentication method—

The Seamless Identification feature securely transfers the logged-in user ID and device information to WSS, thus
Captive Portal is not required. However, you can enable Captive Portal or Roaming Captive Portal for backup
authentication method should it become disabled or fail for any reason. This method supplies only the individual user
information. To perform group-based policy, the Auth Connector is still required.

n Verify that your WSS portal is not configured to bypass client-id.wss.symantec.com or any domains that could
contain client-id.wss.symantec.com.

n If you plan to use the PAC File Management Service (PFMS) in conjunction with SEP clients, you must run
Norton LiveUpdate on the client to obtain the required certificate.

https://support.norton.com/sp/en/us/home/current/solutions/kb20080520094501EN_EndUserProfile_en_us

ISSUE: If you encounter issues with Live Update, download the SSL Intercept cert from the WSS portal and manually
install it on the test machine(s).

n https://portal.threatpulse.com/docs/am/Solutions/ManagePolicy/SSL/ssl_chrome_cert_ta.htm

n https://portal.threatpulse.com/docs/am/Solutions/ManagePolicy/SSL/ssl_ie_cert_ta.htm

n Supported browsers:

o Apple Safari

o Google Chrome

o Microsoft Edge

o Microsoft Internet Explorer 9 through 11

o Mozilla Firefox
 Connectivity: WSS-SEP-WTR With Seamless Identification/Page 37

Technical Limitations
n WSS-SEP does not support remote logins if:

o The client is not in the domain tied with the Auth Connector;

o And policies based on groups exist in the policy editor.

Best Practice
n Keep SEP clients updated to the latest versions, which provide critical fixes and performance enhancements.

Procedure—Enable Web Traffic Redirection and Seamless

Identification on SEP

Step 1—Obtain and Distribute the SEP Client (SEP 14.2+)

n If you already have a supported SEP Client, proceed to Step 2.

n Consult the welcome letter you receive from Symantec regarding how to access the SEP Manager.

n SEP Client Downloads—https://knowledge.broadcom.com/external/article?legacyId=TECH103088.

Step 2—Obtain an Integration Token

For SEP clients to securely forward user ID and client-context information to the WSS, you must generate an integration token
to be entered in SEP Manager.

1. In the WSS portal, navigate to Connectivity > Symantec Endpoint Protection.

2. Click New Token.

Symantec Web Security Service/Page 38

a. Verify that Local Device Authentication is selected.

b. (Optional) Enter a Comment to reference the purpose of this token.

c. Click Generate Token. WSS generates the randomized token.

d. Copy or record the token.

e. Click Save.

Step 3—Obtain a PAC URL

1. In the WSS portal, navigate to Connectivity > PAC Files.

2. Click New File. The portal switches to the PAC File Editor.
 Connectivity: WSS-SEP-WTR With Seamless Identification/Page 39

a. Name the PAC file.

b. (Optional) Describe the purpose of this PAC file.

c. Include WSS Bypass adds any IP addresses or domains that were previously added to the portal bypass lists.
You can click the expander to view those entries; however, you cannot edit those entries here.

d. Include Office 365 Bypass adds all of the currently known Microsoft Office web application domains.

3. Click Save.

The portal generates an explicit PAC File URL. Copy this URL (click the Copy icon at the right-side of the field), as it is
required during the SEP integration step.

4. Continuing with the example, click the Locations tab.

Symantec Web Security Service/Page 40

Tip: You can have more than one location that uses the same PAC file.

a. Select a Location that is to connect through this PAC file. This example selects a previously added Explicit Proxy
Location (named PAC-SA) created to test SEP integration.

Tip: The Roaming Endpoints option applies the PAC file to all remote client (non-
corporate network) connections.

b. Click Add and Save.

5. Click the PAC Files link (or the Up arrow icon next to the PAC file name). The portal now displays the newly-created
PAC file.

Step 4—Configure WTR in the SEP Manager

In the Symantec Endpoint Protection Manager, configure WSS Traffic Redirection (WTR).

1. Log in to the Symantec Endpoint Protection Manager.

2. Select Policies > Network Traffic Redirection.

3. Double-click Network Traffic Redirection policy. The SEP Manager displays the Network Traffic Redirection dialog.

4. On the Overview tab, verify that Enable This Policy is selected.

5. Select Network Traffic Redirection.

 Connectivity: WSS-SEP-WTR With Seamless Identification/Page 41

a. Select Enable WSS Traffic Redirection.

Tip: The gold padlock icon enables or disables the end user ability to turn on or off
the WSS Redirection settings. By default, the policy is locked, which means users
cannot disable the service. Click the padlock (which switches to an unlocked icon)
to allow users to disable connection to the service on their systems. You can review
all enable/disable activities on the Monitors > Logs SEP Manager page.

b. From the Redirection Method drop-down, select PAC File.

c. In the Proxy auto-configuration (PAC) file URL field, enter the URL obtained from the WSS (in Sub-Step 3.3
above).

Example format: https://pfms.wss.symantec.com/v1/pac?tenant=f6104d245&pac=6027c20d1.......

d. In the Network Integration Token field, enter the token that you created in Step 2.

e. (Optional) Select Allow direct traffic when network protection is not available to allow the request to go
continue should the PFMS not be reachable. This option lowers security.

f. Click OK.
Symantec Web Security Service/Page 42

Step 5—(Optional) Verify the SEP Client Settings

On a test system with SEP client installed with Admin rights, you can review the settings.

1. Access the SEP client application.

2. On the Status page, click Options for Network Traffic Redirection.

n Enable WSS Traffic Redirection—This client has the feature enabled.

n Redirection Method is PAC File.

Additional Support
n Refer to the Symantec SEP documentation.
 Connectivity: WSS-SEP-NTR With Seamless Identification/Page 43

Connectivity: WSS-SEP-NTR With Seamless

Identification
Redirect traffic from Symantec Endpoint Protection (SEP) clients to the Web Security Service to extend from local to network-
level protection. This topic provides the information required for enabling Network Traffic Redirection (NTR) in SEP Manager.

n See "Connectivity: About Symantec Endpoint Protection" on page 24 for more information about the solution.

Technical Requirements
n SEP 14.3-RU1 is required for this feature.

n Authentication method—

The Seamless Identification feature securely transfers the logged-in user ID and device information to WSS, thus
Captive Portal is not required. However, you can enable Captive Portal or Roaming Captive Portal for backup
authentication method should Seamless Identification become disabled or fail for any reason. This method supplies only
the individual user information. To perform group-based policy, the Auth Connector is still required.

n Verify that your WSS portal is not configured to bypass client-id.wss.symantec.com or any domains that could
contain client-id.wss.symantec.com.

Technical Limitation
n WSS-SEP does not support remote logins if:

o The client is not in the domain tied with the Auth Connector;

o And policies based on groups exist in the policy editor.

Best Practice
n Keep SEP clients updated to the latest versions, which provide critical fixes and performance enhancements.

Procedure—Enable Web Traffic Redirection and Seamless

Identification on SEP

Step 1—Obtain and distribute the SEP client (SEP 14.3-RU1).

n If you already have a supported SEP Client, proceed to Step 2.

n Consult the welcome letter you received from Symantec regarding how to access the SEP Manager.

n SEP Client Downloads—https://knowledge.broadcom.com/external/article?legacyId=TECH103088.

Symantec Web Security Service/Page 44

Step 2—Obtain an Integration Token.

For SEP clients to securely forward user ID and client-context information to WSS, you must generate an integration token to be
entered in SEP Manager.

1. In the WSS portal, navigate to Connectivity > Symantec Endpoint Protection.

2. Click New Token.

a. Verify that Local Device Authentication is selected.

b. (Optional) Enter a Comment to reference the purpose of this token.

c. Click Generate Token. The WSS generates the randomized token.

d. Copy or record the token.

e. Click Save.

Step 3—Configure NTR in the SEP Manager.

In the Symantec Endpoint Protection Manager, configure WSS Network Traffic Redirection (NTR).
 Connectivity: WSS-SEP-NTR With Seamless Identification/Page 45

1. Log in to the Symantec Endpoint Protection Manager.

2. Select Policies > Network Traffic Redirection.

3. Double-click Network Traffic Redirection policy. The SEP Manager displays the Network Traffic Redirection dialog.

4. On the Overview tab, verify that Enable This Policy is selected.

5. Select Network Traffic Redirection.

a. Select Enable Network Traffic Redirection.

Tip: The gold padlock icon enables or disables the end user ability to turn the WSS
Redirection settings on or off. By default, the policy is locked, which means users
cannot disable the service. Click the padlock (which switches to an unlocked icon)
to allow users to disable the connection to the service on their systems. You can
review all enable/disable activities on the Monitors > Logs SEP Manager page.

b. From the Redirection Method drop-down, select Tunnel.

c. In the Network Integration Token field, enter the token that you created in Step 2.

d. Click OK.
Symantec Web Security Service/Page 46

Step 4—(Optional) Verify the SEP client Settings.

On a test system with a SEP client installed with Admin rights, you can review the settings.

1. Access the SEP client application.

2. On the Status page, click Options for Network Traffic Redirection.

n Enable WSS Traffic Redirection—This client has the feature enabled.

n Redirection Method is Tunnel.

Additional Support
n Refer to the Symantec SEP documentation.
 Connectivity: WSS-SEP-NTR With Seamless Identification/Page 47

Connectivity: WSS-SEP Roaming SAML

Redirect traffic from Symantec Endpoint Protection (SEP) clients to the Web Security Service to extend from protection to
SAML-authenticated clients when not connecting through a corporate network. The Seamless Identification feature securely
transfers the logged-in user ID and device information to the cloud-based or on-premises SAML Identity Provider (IdP). This
method is a solution for roaming SEP clients because the SAML realm must receive the tenancy before authentication occurs;
that is, client-to-IdP traffic cannot route through WSS.

n See "Connectivity: About Symantec Endpoint Protection" on page 24 for more information about the solution.

Technical Requirements
n SEP 14.2+ is required for this feature.

n Authentication method.

o Your environment has a functioning SAML/IdP solution.

o Allow saml.threatpulse.net:8443.

o IdP NOTE—As the client to SAML IdP traffic cannot route through WSS because, you must add an entry to the
PAC file to make the IdP traffic go direct.

o The default SAML method is Cookie. CORS-issues are mitigated because the procedure includes
generating and providing an integration token, which is included in the HTTP header.

n The IdP must have an internet-facing IP address.

n For traffic bypass best practices, consult the following KB article.

n https://knowledge.broadcom.com/external/article?legacyId=TECH252765

n If you plan to use the PAC File Management Service (PFMS) in conjunction with SEP clients, you must run
Norton LiveUpdate on the client to obtain the required certificate.

https://support.norton.com/sp/en/us/home/current/solutions/kb20080520094501EN_EndUserProfile_en_us

ISSUE: If you encounter issues with Live Update, download the SSL Intercept cert from the WSS portal and manually
install it on the test machine(s).

n http://portal.threatpulse.com/docs/sol/Solutions/ManagePolicy/SSL/ssl_chrome_cert_ta.htm

n http://portal.threatpulse.com/docs/sol/Solutions/ManagePolicy/SSL/ssl_ie_cert_ta.htm

n Supported browsers:

o Apple Safari

o Google Chrome

o Microsoft Edge
Symantec Web Security Service/Page 48

o Microsoft Internet Explorer 9 through 11

o Mozilla Firefox

Technical Limitations
n Some browsers do not support proxy settings change in already running sessions. Changing a policy state
(enabled/disabled) requires browser restarts.

Best Practice
n Keep SEP clients updated to the latest versions, which provide critical fixes and performance enhancements.

Procedure—Enable Web Traffic Redirection and Seamless

Identification on SEP

Step 1—Obtain and Distribute the SEP Client (SEP 14.2+)

n If you already have a supported SEP Client, proceed to Step 2.

n Consult the welcome letter you receive from Symantec regarding how to access the SEP Manager.

n SEP Client Downloads— https://knowledge.broadcom.com/external/article?legacyId=TECH103088.

Step 2—Obtain an Integration Token

For SEP clients to securely forward user ID and client-context information to the WSS, you must generate an integration token
to be entered in SEP Manager.

1. In the WSS portal, navigate to Connectivity > Symantec Endpoint Protection.

2. Click New Token.

 Connectivity: WSS-SEP-NTR With Seamless Identification/Page 49

a. For Authentication, select SAML (SEP only).

b. Click Generate Token. WSS generates the randomized token.

c. Copy the token to a local text file or email if another admin is to configure SEP Manager. (Click the copy icon at
the end of the field.)

Tip: Enter Comments to help future admins understand the token's role when
viewed in the portal.

d. Click Save.

Step 3—Obtain a PAC URL

1. In the WSS portal, navigate to Connectivity > PAC Files.

2. Click New File. The portal switches to the PAC File Editor.
Symantec Web Security Service/Page 50

a. Name the PAC file.

b. (Optional) Describe the purpose of this PAC file.

c. Include WSS Bypass adds any IP addresses or domains that were previously added to the portal bypass lists.
You can click the expander to view those entries; however, you cannot edit those entries here.

d. Include Office 365 Bypass adds all of the currently known Microsoft Office web application domains.

e. Add an entry to bypass the SAML IdP server.

3. Click Save.

The portal generates an explicit PAC File URL. Copy this URL (click the Copy icon at the right-side of the field), as it is
required during the SEP Manager integration step.

4. Continuing with the example, click the Locations tab.

 Connectivity: WSS-SEP-NTR With Seamless Identification/Page 51

a. Select Roaming Endpoints and click Add.

b. Click Save.

5. Click the PAC Files link (or the Up arrow icon next to the PAC file name). The portal now displays the newly-created
PAC file.

Step 4—Configure WTR in the SEP Manager

In the Symantec Endpoint Protection Manager, configure WSS Traffic Redirection (WTR).

1. Log in to the Symantec Endpoint Protection Manager.

2. Select Policies > Integrations.

3. Click Add an Integrations Policy. The SEP Manager displays the Integrations Policy dialog.

4. On the Overview tab, verify that Enable This Policy is selected.

5. Select WSS Traffic Redirection.

Symantec Web Security Service/Page 52

a. Select Enable WSS Traffic Redirection.

b. In the PAC Auto Configuration (PAC) File URL field, enter the URL obtained from the WSS (in Sub-Step 3.3
above; screenshot example format is not valid).

Example format: https://pfms.wss.symantec.com/v1/pac?tenant=f6104d245&pac=6027c20d1.......

c. In the WSS Integration Token field, enter the token that you created in Step 2.

d. Select Install the...root certificate....

e. Click OK.

Tip: The gold padlock icon enables or disables the end user ability to turn on or off the WSS
Redirection settings. By default, the policy is locked, which means users cannot disable
the service. Click the padlock (which switches to an unlocked icon) to allow users to
disable connection to the service on their systems. You can review all enable/disable
activities on the Monitors > Logs SEP Manager page.

Step 5—(Optional) Verify the SEP Client Settings

On a test system with SEP client installed with Admin rights, you can review the settings.

1. Access the SEP client application.

2. In the Client Management row, click Configure Settings.

3. Select the WSS Traffic Redirection tab.

 Connectivity: WSS-SEP-NTR With Seamless Identification/Page 53

a. Enable WSS Traffic Redirection—This client has the feature enabled.

b. The PAC URL is the same as in Sub-Step 3.3 above.

c. Enable Local Proxy Service.

n Disabled—All web browser traffic uses the Symantec WSS PAC file URL. This option might be used
during troubleshooting scenarios.

n Enabled—The recommended setting. All web browser traffic visits a locally cached PAC file.

Tip: In any Browser Settings dialog, the PAC File displays the local proxy
URL; not the WSS-generated PAC File URL.

d. Click OK.

Step 6—Verify Authentication/Troubleshoot

To verify configuration, use a client to connect. The SEP agent redirects to the SAML service (saml.threatpulse.net:8443),
followed by the IdP server to authenticate. After authentication and the assertion is correctly validated by WSS, all subsequent
requests include additional headers that WSS requires.
Symantec Web Security Service/Page 54

Additional Support
n Refer to the Symantec SEP documentation.
 Prevent IP/Subnet From Routing to the Web Security Service/Page 55

Prevent IP/Subnet From Routing to the Web Security

Service
IMPORTANT—This topic only applies to locations that use the Explicit Proxy and WSS Agent Web Security
Serviceconnectivity methods. All other access methods ignore any bypass domain configurations.

Some IP addresses or subnets do not require WSS processing. For example, you want to exclude test networks. Configure the
service to ignore these connections.

Notes
n WSS allows an unlimited number of bypassed IP addresses/subnets.

n Each time that a WSS Agent reconnects to WSS (for example, a user who takes a laptop off campus and connects
through a non-corporate network), the client checks against any updates to the list.

Procedure—Manually Add IP Addresses

1. Navigate to the Policy > Bypassed Traffic > Bypassed IPs/Subnets tab.

2. Click Add. The service displays a dialog.

a. Enter an IP/Subnet.

b. (Optional) Enter a Comment.

Symantec Web Security Service/Page 56

c. (Optional) Click the + icon to add another row for another entry.

d. Click Add IPs/Subnets.

The new entries display in the tab view. You can edit or delete any entry from here.

Import IP Address Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of IP addresses to be bypassed. Each entry
in the file must be on its own line.

1. Navigate to the Policy > Bypassed Traffic > Bypassed IPs/Subnets tab.

2. Click Add. The service displays the Add Bypass IP Address/Subnet dialog.

3. Click Import IPs/Subnets.

a. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

b. Click Import.

All of the new entries display in the tab view. You can edit or delete any entry from here.
 Add an Explicit Proxy Location/Page 57

Add an Explicit Proxy Location

When configuring Explicit Proxy as the connectivity method, each gateway IP address defined in a PAC file requires an
equivalent Symantec WSS location configuration.

1. Navigate to Connectivity > Locations.

2. Click Add Location.

3. Complete the Location dialog.

a. Name the location. For example, use the fixed geographical location or organization name.

b. Select Explicit Proxy as the Access Method.

c. Enter the IP/Subnet that forwards web traffic to the WSS.

4. Enter resource and location information.

Symantec Web Security Service/Page 58

a. Select the Estimated User range that will be sending web requests through this gateway interface. Symantec
uses this information to ensure proper resources.

b. Select a Country and Time Zone.

c. Fill out location information and enter comments (optional).

5. Click Save.

n The Firewall/VPN connectivity method supports Captive Portal.

 Reference: Required Locations, Ports, and Protocols/Page 59

Reference: Required Locations, Ports, and Protocols

Most Symantec Web Security Service connectivity and authentication methods require communication through specific ports,
protocols, and locations. If you have firewall rules in place, use this reference to verify the ports and services that must be
opened to allow connectivity.

Symantec Resource
support.broadcom.com Provides knowledge base articles and support information.

Connectivity Methods
Method Port(s) Protocol Resolves To

WSS portal access URL. 443 portal.threatpulse.com

35.245.151.224
IP addresses for administration of your 34.82.146.64
WSS policy and configuration.
Partner Portal Functionality

35.245.151.231
34.82.146.71

Firewall/VPN (IPsec) UDP 500 IPsec/ESP

(ISAKMP)

UDP4500 if
firewall is
behind a NAT.

Proxy Forwarding TCP 8080/8443 HTTP/HTTPS proxy.threatpulse.net

TCP 8084* * Use when the forwarding host is configured for local
SSL interception.
Symantec Web Security Service/Page 60

Method Port(s) Protocol Resolves To

Explicit Proxy TCP 443 n Firewall rules to allow PFMS access:

SEP PAC File Management System or o By hostname:

Default PAC file pfms.wss.symantec.com

o By IP Address: 34.120.17.44

The following addresses were used

before November 7, 2020. They are
acceptable for backup and failover until
Symantec announces their
decommissioned status.

o 35.155.165.94

o 35.162.233.131

o 52.21.20.251

o 52.54.167.220
Default PAC
file: TCP 8080 o 199.247.42.187

o 199.19.250.187

n The default PAC file directs browser traffic to

proxy.threatpulse.net.

Explicit Over IPsec (Trans-Proxy) UDP 500 ep.threatpulse.net resolves to 199.19.250.205

(ISAKMP)
In this deployment method, all traffic is ep-all.threatpulse.net returns the following.
transmitted from your network to WSS. UDP4500 if
Two scenarios are common: firewall is 199.19.248.205
behind a NAT. 199.19.250.205
n On-premises ProxySG appliance. 199.19.250.206
199.19.250.207
Explicit browser settings direct 199.19.250.208
traffic to the proxy, which forwards 199.19.250.209
that traffic to WSS through a 199.19.250.210
configured IPsec tunnel. 199.19.250.211
199.19.250.212
n Explicit settings in the browser
199.19.250.213
pointed to ep.threatpulse.net.
199.19.250.214
Direct all firewall traffic destined
ep-roundrobin.threatpulse.net returns all IPs in
for ep.threatpulse.net to WSS
a round-robin fashion; each two-minute Time-To-Live
through your configured IPsec
(TTL) period returns a different address.
tunnel.
 Reference: Required Locations, Ports, and Protocols/Page 61

Method Port(s) Protocol Resolves To

WSS Agent TCP/UDP 443 SSL ctc.threatpulse.com

130.211.30.2
TCP port 443 for CTC requests and configuration.

portal.threatpulse.com

TCP port 443 for downloading updates.

Unified Agent TCP/UDP 443 TCP, SSL ctc.threatpulse.com

130.211.30.2
Port 80 TCP port 443 for CTC requests and configuration.

portal.threatpulse.com

TCP port 443 for downloading updates.

TCP/UDP port 443 to client.threatpulse.net

(DNS fallback)

Port 80 for captive network information and updates.

Mobile (SEP-Mobile iOS/Android app) UDP 500 IPSec/ESP mobility.threatpulse.com

(ISAKMP)
35.245.151.228
UDP 4500 34.82.146.68
(NAT-T)

Universal Policy Enforcement On-Premises Policy Management

(UPE)/Hybrid Policy (sgapi.threatpulse.com and
sgapi.es.bluecoat.com)

35.245.151.229

34.82.146.69

If connectivity to WSS is behind stringent firewall rules,

adjust the rules to allow traffic to pass to these IP
addresses on port 443.

Authentication
Auth Method Port(s) Protocol Resolves To

Auth Connector TCP 443 SSL auth.threatpulse.com:

35.245.151.226
34.82.146.65

portal.threatpulse.com:

Tip: Additional Required Information: Reference:

Authentication IP Addresses.
Symantec Web Security Service/Page 62

Auth Method Port(s) Protocol Resolves To

Auth Connector to TCP 139, 445 SMB

Active Directory
TCP 389 LDAP

TCP 3268 ADSI LDAP

TCP 135 Location Services

TCP 88 Kerberos

49152-65535 TCP Open when Auth Connector is installed on a new Windows Server
2012 Member rather than a Domain Controller.

AC-Logon App TCP 80 Port 80 from all clients to the server.

SAML TCP 8443 Explicit and saml.threatpulse.net

(over VPN) IPSec

Roaming Captive TCP 8080

Portal
 Reference: Sample PAC File for Explicit Proxy/Page 63

Reference: Sample PAC File for Explicit Proxy

The following is sample text that makes up a Proxy Automatic Configuration (PAC) file from which Web browsers receive
routing instructions. The PAC file redirects all non-internal traffic to the Symantec Web Security Service.

function FindProxyForURL(url, host) {

// If URL has no dots in host name, send traffic direct.
if (isPlainHostName(host)) return "DIRECT";
// If specific URL needs to bypass proxy, send traffic direct.
if (shExpMatch(url,"*bluecoat.com*") ||
shExpMatch(url,"*cacheflow.com*"))
return "DIRECT";
// If IP address is internal send direct.
if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
isInNet(host, "172.16.0.0", "255.240.0.0") ||
isInNet(host, "192.168.0.0", "255.255.0.0") ||
isInNet(host, "216.52.23.0", "255.255.255.0") ||
isInNet(host, "127.0.0.0", "255.255.255.0") ||
isInNet(host, "192.41.79.240", "255.255.255.255"))
return "DIRECT";
// All other traffic uses below proxies, in fail-over order.
return "PROXY proxy.threatpulse.net:8080; DIRECT"; return "PROXY 199.19.250.164:8080; DIRECT"; }