Connectivity: About Symantec Endpoint Protection

The Symantec Endpoint Protection (SEP) solution provides security to endpoint devices, such as laptops. SEP is an agent-based approach that uses PAC file-based redirection to protect traditional endpoints. Integrating SEP with the Web Security Service extends the security profile to the network level.
WSS provides four SEP methods. This topic provides conceptual information to help you determine which is the most appropriate for your network, then provides links to topics that provide best practices and recommended values for configuring a VPN tunnel.
  • If you need to understand the methods before deciding, continue reading the following concept sections.
  • The SEP with PFMS section is conceptual and applies to both methods.

About the SEP Client Benefits

WSS-SEP integration occurs through the Proxy Auto Configuration (PAC) file. SEP updates the proxy settings for the operating system and browsers to point to a PAC file URL published by the WSS PAC File Management Service (PFMS). The PAC file contains rules about what proxy action to take for different URLs. When a client application that supports PAC files sends a web request, the PAC file rules instruct the application whether to proxy the request to WSS or send the request out directly.
Based on the predefined configuration, the WSS proxy redirects, allows, or blocks the traffic.
  • SEP focuses on endpoint detection and remediation.
    • Enforces rule-based security on devices, whether remote or behind a corporate firewall.
    • Leverages a policy-based approach to enforce security on your devices.
    • Detects, identifies, blocks, and remediates threats and other security risks on the client device.
  • SEP provides tamper-proof settings. It also installs the WSS certificate on the endpoint (if selected by policy). The client-side control, when allowed by a SEP Manager administrator, can help IT to troubleshoot issues.
  • Authentication—The Auth Connector is required.

Why Select This Method?

Benefits
  • You already have clients with the SEP solution and you want to extend from just local protection to network protection.
  • Your environment has infrastructure and IP address space.
  • You do not want to install an agent.
Select another method if
  • An agent-based method is not permissible or desired. If you have Windows 10/10S clients, you can consider the WSS/Cloud Connect Defense app-based solution. See About Cloud Connect Defense.

Sample WSS-SEP with Captive Portal Topography

About SEP Integration
1—The Admin uses the WSS portal to create a custom PAC file—possibly providing custom bypassing of specific servers—and associates it with an Explicit Proxy Location.
2—The Admin accesses the SEP Manager and configures Web Traffic Redirection (WTR), which includes adding the generated PAC file.
3—SEP Manager distributes the security policy, including the PAC file URL, to the SEP endpoints. The SEP agent receives the security policy and configures the proxy settings for the system and browsers.
4—The PAC file proxies all internet-bound traffic to the nearest WSS for web use and security policy processing.
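As an added example (not a PAC file from Symantec or the WSS PFMS), the following shows what the PAC rules described above look like: intranet and private-range hosts go direct, one specific external server is bypassed as in step 1, and everything else is sent to the WSS proxy. The proxy and domain names are placeholders, and the standard PAC helper functions are re-implemented minimally so the file can be evaluated outside a browser.

```javascript
// Placeholder proxy address; a real deployment uses the address from the WSS portal.
const WSS_PROXY = "PROXY wss-proxy.example.invalid:8080";
const DIRECT = "DIRECT";

// Minimal versions of the helpers that every PAC-capable client provides.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, pattern) {
  // Shell-style glob: escape regex metacharacters, then map * and ? to regex.
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function isInNet(host, net, mask) {
  // Only literal IPv4 hosts are compared; names are not resolved here.
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(host)) return false;
  const toInt = (ip) => ip.split(".").reduce((a, o) => (a << 8) + Number(o), 0) >>> 0;
  return (toInt(host) & toInt(mask)) === (toInt(net) & toInt(mask));
}

// Entry point the client calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // 1. Intranet names and private address space never leave the network.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.invalid")) return DIRECT;
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return DIRECT;
  // 2. Custom bypass for one specific external server (placeholder name).
  if (shExpMatch(host, "*.update-vendor.example.invalid")) return DIRECT;
  // 3. Everything else goes to WSS. No "; DIRECT" fallback is appended on
  //    purpose: a fallback would fail open and bypass policy if the proxy
  //    is unreachable, so the rule fails closed instead.
  return WSS_PROXY;
}
```

Every bypass rule is a gap in coverage, so keep the bypass list short and review it whenever the PAC file is regenerated in the WSS portal.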

Why Select This Method?

Benefits
  • Used in conjunction with the PFMS, the SEP client can dynamically update the PAC file on the endpoint’s browser. This feature also allows you to maintain more than one PAC file; for example, for various locations, groups, and so on.
  • Your network egress is not a static IP address or it requires traversing NAT devices.
Select another method if
Is this the method you require?

About WSS-SEP-WTR/NTR—Web or Network Redirection with Seamless Identification

This method requires an integration token that you generate in your WSS portal. The token is entered into the SEP Manager, which then pushes the integration out to the SEP clients. When the employee logs in to their system, the SEP client initiates a secure connection (with a session key and a pre-shared key (PSK)) to WSS. The SEP client then provides an assertion to WSS. The assertion contains the user identity and other information about the endpoint, such as the OS version. This seamless identification means employees do not have to log in again when accessing the internet through Captive/Roaming Captive Portal. This allows per-user policy to be applied to traffic and also provides client risk context to WSS for logging and reporting. Seamless Identification also prevents issues related to Cross-Origin Resource Sharing (CORS).
If the seamless identification is disabled or fails for any reason, user identity is not automatically provided and authentication reverts to a backup method configured for that location (Captive Portal if enabled or Roaming Captive Portal).
Connection Methods
  • WSS-SEP-WTR—Leverage the WSS PFMS with the SEP Web Traffic Redirection (WTR) option in SEP Manager.
  • WSS-SEP-NTR—Embeds and deploys selective WSS Agent technology into SEP. This yields the benefits of the full Network Traffic Redirection (NTR) and captures non-proxy applications. You can select what is captured by the agent. This method is beneficial if SEP clients frequently change from one network to another. The tunnel method provides heightened security by encrypting traffic between the endpoint and the data center.
Authentication Support
  • Auth Connector—It is possible that client systems can belong to different Active Directory domains or even different forests, which means WSS cannot discern the proper group. Therefore, the Auth Connector is required for group-based policies.
  • SAML—SEP with Seamless Identification supports Roaming SAML (WSS-SEP-WTR only at this time). Adding a WSS-generated token to the SEP Manager establishes tenancy, which is required for the SAML IdP.

Why Select This Method?

Benefits—
  • Securely transfers the logged-in user ID and device information to WSS or the SAML IdP, so Captive Portal is not required.
Is this the method you require?