Configuring the Web and Cloud Access Protection policy

The Web and Cloud Access Protection features enable a continuous secure connection to the Symantec Web Security Service (WSS) so that Symantec Endpoint Security can provide advanced security features, such as content filtering and threat protection, for all network communication.
Web and Cloud Access Protection automates Internet traffic redirection to the Symantec Web Security Service, which allows or blocks the traffic based on policy rules that your WSS administrator sets up. It secures the Internet traffic on each device that runs Symantec Endpoint Security.
To use this feature within Symantec Endpoint Security, you must have a valid Web Security Service subscription. Contact your account representative for a subscription.
Before you create or update the Web and Cloud Access Protection policy, make sure that you have configured the Symantec Web Security Service (WSS) integration on the Endpoint > Settings > Web Security Service Integration page. Integration with WSS lets you automate the protection of either full network traffic or web traffic only on all registered devices.
For Web and Cloud Access Protection policies, you can use the lock option on the policy details page to restrict the modification of the policy settings on the device. The policy lock option is enabled by default. After you create the policy, you must apply it to a group.
Web and Cloud Access Protection Redirection Methods

Method: Tunnel (formerly Full Traffic Redirection)
Description: The Tunnel method manages the integrated WSS component and automatically redirects all Internet traffic to the WSS through a VPN for traffic inspection. As soon as the Symantec Agent is installed, it connects to a VPN that redirects all network traffic through the Symantec WSS proxy.
By default, the VPN is always on and automatically reconnects if the connection drops because of a device restart, sleep, or hibernation.
This method is currently supported only on Windows 10 x64 devices.
Existing reconnect and bypass settings are removed; the agent now follows the WSS policies.

Method: PAC File (formerly Web Traffic Redirection)
Description: The PAC File method redirects web traffic only to the WSS through a Proxy Auto-Configuration (PAC) file. The WSS provides secure proxy settings for your web browsers; only web traffic is redirected to the WSS.
Every time you access a website using a web browser, the browser sends the web traffic through the nearest cloud-hosted WSS, as defined by the PAC file. Based on the predefined configuration, the Symantec WSS proxy allows or blocks the traffic.
To use this method, first configure the PAC file in the WSS console and obtain a PAC file URL. The PAC file URL is required to configure the Proxy auto-configuration (PAC) file URL setting in the Web and Cloud Access Protection policy.
The Traffic Interception Port setting indicates the port in use by the local proxy service.
Use the Enable Symantec WSS certificate installation on clients to facilitate the protection of encrypted traffic option to install the appropriate root certificate on Symantec Agents; that root certificate is what lets the WSS proxy inspect encrypted (HTTPS) traffic rather than passing it through uninspected.
The PAC File redirection method is available as part of the Symantec Endpoint Security subscriptions and works only with Endpoint Security 14.2 RU2 and later.
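To make the PAC File method concrete, the following is an added example of a minimal PAC file of the kind the WSS console generates for the Proxy auto-configuration (PAC) file URL setting; it is not code from the original page or from Symantec. The proxy address wss-proxy.example.com:8080 and the internal domains corp.example and intranet.example are placeholders (assumptions). A browser supplies the helper functions isPlainHostName, dnsDomainIs, shExpMatch and isInNet natively; they are reimplemented here only so the file can be exercised outside a browser, for instance under Node, when testing a bypass list before publishing it.

```javascript
// Added example PAC file (not Symantec's own). Browsers call FindProxyForURL(url, host)
// for every request and use the returned directive to decide where to send it.
//
// The helpers below are provided by the browser's PAC engine; these reimplementations
// exist only so the file runs stand-alone for testing.

function isPlainHostName(host) {
  // "fileserver" (no dots) is a local name that should never go to the cloud proxy.
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  // true when host ends with domain, e.g. dnsDomainIs("portal.corp.example", ".corp.example")
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

function shExpMatch(str, pattern) {
  // Shell-style glob: "*" matches any run of characters, "?" matches exactly one.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*")
                          .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ipToInt(ip) {
  // Dotted quad -> unsigned 32-bit integer.
  return ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}

function isInNet(ipOrHost, net, mask) {
  // Only IPv4 literals are handled here; a real PAC engine resolves hostnames first.
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipOrHost)) return false;
  return (ipToInt(ipOrHost) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Placeholder WSS explicit proxy (assumption, not a real endpoint). Returning this
// directive with no trailing "DIRECT" fallback fails closed: if the proxy is
// unreachable the browser reports an error instead of silently bypassing inspection.
const WSS_PROXY = "PROXY wss-proxy.example.com:8080";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Loopback, unqualified names and RFC 1918 ranges stay on the local network.
  if (isPlainHostName(host) ||
      host === "localhost" ||
      isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }

  // On-premises applications (placeholder domains) are not sent through the cloud proxy.
  if (dnsDomainIs(host, ".corp.example") || shExpMatch(host, "*.intranet.example")) {
    return "DIRECT";
  }

  // Everything else, HTTP and HTTPS alike, is redirected to the WSS for policy
  // enforcement and inspection.
  return WSS_PROXY;
}
```

Two practical points follow from the structure above. First, keep the bypass list short and specific: every DIRECT branch is traffic that the WSS never sees, so a broad wildcard there silently removes content filtering for those destinations. Second, a PAC file only steers clients that honour the system or browser proxy settings, which is why the page describes this method as redirecting web traffic only; processes that ignore proxy settings are covered only by the Tunnel method.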
Network Integrity policy restrictions when the Tunnel redirection method is in use
When the Symantec Windows Agent is configured for Tunnel redirection over WSS, it is recommended that you do not apply the Network Integrity policy to Windows devices that are using the optional Secure Connection Agent. While this should not cause any issues on the devices, there is an edge case: if an administrator sets up corporate wireless definitions within the Network Integrity policy to trigger a network detection, the Secure Connection Agent attempts to establish its own VPN connection, which fails. The Secure Connection Agent then sends events to the backend, potentially marking the device as at risk.
The options to prevent this edge case are:
  1. Remove the optional Secure Connection Agent from your Windows devices.
  2. Remove any assignment of the Network Integrity policy to Windows devices. The policy should still be applied to the mobile devices.
  3. Turn off the automatic VPN activation for the three network threat detection settings in the Network Integrity policy. Because these settings are still important for your mobile devices, create another policy to ensure that the mobile devices remain properly protected.
More information