Configuring Web and Cloud Access Protection

The Web and Cloud Access Protection policy integrates Symantec Web Security Service (WSS) functionality into Symantec Endpoint Protection. Web and Cloud Access Protection automatically redirects all Internet traffic, or just web traffic, on the client to the Symantec WSS, where the traffic is allowed or blocked based on the WSS policies.
For more information, see:
To use this feature in Symantec Endpoint Protection Manager (SEPM), you must have a valid Symantec Web Security Service subscription. Contact your account representative for a subscription.
In 14.3 RU2, Network Traffic Redirection was renamed to Web and Cloud Access Protection. In 14.3 RU1, WSS Traffic Redirection was renamed to Network Traffic Redirection and the Integrations policy was renamed to the Network Traffic Redirection policy.
Technical requirements and limitations
Requirement
Description
Supported Browsers
Windows:
  • Microsoft Internet Explorer 9 - 11
  • Mozilla Firefox
  • Google Chrome
  • Microsoft Edge
Mac:
  • Macs support Apple Safari, Google Chrome, and Mozilla Firefox.
  • Firefox versions 65 and later are supported in 14.2 RU1 or later.
Limitations
  • The Web Security Service is delivered on IPv4 and not IPv6.
  • If the Web and Cloud Access Protection feature is installed on an endpoint, the standalone Symantec WSS Agent (WSSA) cannot be installed. Similarly, if WSSA is installed, the Web and Cloud Access Protection feature does not install. However, you can remove Web and Cloud Access Protection from existing endpoints without having to uninstall the whole client by using one of the following methods:
    • In Symantec Endpoint Protection Manager, create a Client Install Feature Set that does not include Web and Cloud Access Protection and apply it to the endpoints. See:
    • The following command line option uses the client installation file to remove Web and Cloud Access Protection:
      setup.exe /s /v" REMOVE=NTR /qn"
The tunnel method has the following limitations:
  • Runs on Windows 10 64-bit version 1703 and later (Semi-Annual Servicing Channel) only. This method does not support any other Windows operating systems or the Mac client.
  • The Long-Term Servicing Channel (LTSC) is not supported. Microsoft intends for LTSC to be used only for specialized systems.
  • Does not support Windows 10 64-bit devices with Hypervisor-Enforced Code Integrity (HVCI) enabled.
  • The client computer contacts ctc.symantec.com during the installation to convert the integration token to your CustomerID. If that contact can't be made, the installation fails. To avoid this possibility for all clients, you can use your CustomerID instead of the integration token so that the conversion is not necessary.
  • Outbound traffic from the Symantec Endpoint Protection client is redirected to WSS before it gets evaluated by either the client's firewall or the URL reputation rules. Instead, that traffic is evaluated against the WSS firewall and the URL rules. For example, if a SEP client firewall rule blocks google.com and a WSS rule allows google.com, the client allows users to access google.com. Inbound local traffic to the client is still processed by the Symantec Endpoint Protection firewall.
  • The WSS Captive Portal is not available for the tunnel method, and the client ignores the challenge credentials. In a future release, SAML authentication in the WSS agent will replace the Captive Portal, and will be available in the Symantec Endpoint Protection client.
  • If a client computer connects to the WSS using the tunnel method and hosts virtual machines, each guest user needs to install the SSL certificate provided in the WSS portal.
  • Traffic to the local network, such as your home directory or Active Directory authentication, is not redirected.
  • The tunnel method is not compatible with the Microsoft DirectAccess VPN.
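The tunnel-method limitations above translate into a short set of endpoint prerequisites. The following PowerShell check is an added example, not part of the Symantec documentation; the function name is hypothetical, the build number 15063 corresponds to Windows 10 version 1703, and the port used to reach ctc.symantec.com is assumed to be 443 because the page does not state it.

```powershell
# Added example: check a Windows endpoint against the tunnel-method
# prerequisites before assigning the policy to a test group.
# Requires a local PowerShell session with rights to query CIM/WMI.
function Test-WcapTunnelPrerequisites {
    $os      = Get-CimInstance -ClassName Win32_OperatingSystem
    $build   = [int]$os.BuildNumber
    $results = [ordered]@{}

    # Windows 10, 64-bit, version 1703 (build 15063) or later only
    $results['Windows10_x64_1703OrLater'] =
        ($os.Caption -match 'Windows 10') -and
        ($os.OSArchitecture -match '64') -and
        ($build -ge 15063)

    # LTSC/LTSB editions are not supported; the edition name carries the channel
    $productName = (Get-ItemProperty `
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductName
    $results['NotLTSC'] = ($productName -notmatch 'LTSC|LTSB')

    # HVCI must not be running. In Win32_DeviceGuard, SecurityServicesRunning
    # contains the value 2 when hypervisor-enforced code integrity is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $hvciRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 2)
    $results['HVCIDisabled'] = -not $hvciRunning

    # The installer converts the integration token to a CustomerID via
    # ctc.symantec.com; port 443 is an assumption (the page gives no port).
    # If you deploy with the CustomerID instead of the token, this check
    # is not required.
    $results['CtcSymantecReachable'] = Test-NetConnection `
        -ComputerName 'ctc.symantec.com' -Port 443 -InformationLevel Quiet

    $results['AllPrerequisitesMet'] = -not ($results.Values -contains $false)
    return [pscustomobject]$results
}

Test-WcapTunnelPrerequisites | Format-List
```

Any property that reports False identifies the limitation from the list above that applies to this endpoint; the DirectAccess and virtual-machine guest conditions are not machine-checkable here and still need manual review.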
Configuring the Web and Cloud Access Protection policy with the PAC file method
The WSS administrator provides the Proxy Auto Configuration (PAC) file URL or the integration token from the WSS portal. You then update the Web and Cloud Access Protection policy with the PAC file or integration token, and assign the Web and Cloud Access Protection policy to a group. See:
Configuring Web and Cloud Access Protection with the tunnel method
The tunnel method is considered an early adopter release feature. You should perform thorough testing with your applications against your WSS policies.
Configuring the tunnel method
Steps
Description
Step 1: Obtain an integration token from the WSS portal
  1. Add the integration token to a new or default Web and Cloud Access Protection policy. See:
  2. Keep the policy unlocked.
  3. Assign the Web and Cloud Access Protection policy to the test group.
Step 2: Check that Web and Cloud Access Protection is enabled on the client
While you test the client, make sure that Web and Cloud Access Protection is enabled and connected to the WSS. You also want to make sure that the client user can disable Web and Cloud Access Protection in case a misconfigured WSS policy keeps the user from accessing a resource. See:
Step 3: Configure and test WSS policies.
To test Web and Cloud Access Protection, you first set up or modify the WSS policies in a lab environment. You then run the various test scenarios against the WSS policy, which often involves comparing a device's compliance against a WSS policy. See:
Step 4: Lock the Web and Cloud Access Protection policy.
After you are sure that the WSS policies work the way you expect them to on the Symantec Endpoint Protection client, lock the policy so that the client computer is protected and the user cannot disconnect the client from the WSS.
To lock Web and Cloud Access Protection, lock the padlock in the SEPM Web and Cloud Access Protection policy.
Reporting
  • Configuration changes to the Web and Cloud Access Protection policy appear in the Symantec Endpoint Protection Manager Audit log.
  • Events for the tunnel method appear in the client's Web and Cloud Access Protection log. These events get uploaded to the Symantec Endpoint Protection Manager System log.
To view the Web and Cloud Access Protection log on the client
  1. On the client computer Status page, next to Web and Cloud Access Protection, click Options > View Logs.
Version changes
  • For versions 14.0.1 MP1 to 14.2 RU1, WSS Traffic Redirection applies to Windows computers only.
  • In 14.2 RU2, support was added for Mac computers.
  • In 14.2, support was added to allow enhanced client authentication with WSS and a more granular control of web traffic, which is based on the user who sends it.
  • In 14.3 RU1, WSS Traffic Redirection was renamed to Network Traffic Redirection (renamed again to Web and Cloud Access Protection in 14.3 RU2).
  • In 14.3 RU1, a new connection method was added, called the tunnel method.