Install the
WSS Agent
Application

This topic describes what is required and how to manually install the
WSS Agent
on a supported Windows or macOS client.

Technical Requirements

  • Symantec employs a two year End of Maintenance period per major
    WSS Agent
    version. To learn more about the currently supported versions, review the following topic:
  • WSS Agent
    7.2.x and previous only—Each client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to
    WSS
    . For more information, consult the following Knowledge Base article:
  • Supported clients—
    • Windows Clients:
      • WSSA 6.x: 64-bit Windows 10 Professional, Enterprise or Education version 1703 and later
      • WSSA 7.x: 64-bit Windows 10 Professional, Enterprise or Education version 1803 and later
    • macOS Clients:
      • 6x: High Sierra (10.13)
      • 7.1.x: 7.1.x: Mojave (10.14), Catalina (10.15)
      • 7.2.x: Mojave (10.14), Catalina (10.15), Big Sur (11.1)
    You must use the fully-patched vendor-provided versions of the operating systems. All attempts to install on an unsupported OS fail.
  • You must have administrator rights on the client.
  • Allow protocols: UDP, SSL, TCP
  • Allow port
    443
    to
    ctc.threatpulse.com
    (for TCP, UDP, and software updates)
  • On macOS, the contents of the stamped installer are notarized using Apple's notarization process. This means that the driver, service, and all parts of the
    WSS Agent
    function correctly on a system that requires notarization. However, the
    .pkg
    file itself is
    not
    notarized. If you require a notarized
    .pkg
    file, contact
    Symantec
    Technical Support.
  • SEP 14.2 with WTR running in parallel with
    WSS Agent
    is not a supported configuration
  • The
    WSS Agent
    currently does
    not
    support IPv6 connections. The best practice is to disable IPv6 on client systems and select Block IPv6 Traffic on the
    Connectivity > WSS Agent
    page.
  • Long-term Servicing Channel (LTSC) is
    not
    supported. Microsoft intends for LTSC to be used only for specialized systems.

About the
WSS Agent
Installation or Upgrade

  • You can upgrade from the
    Unified Agent
    or previous versions of the
    WSS Agent
    . However, if the
    Unified Agent
    was installed with custom options, they are not preserved or migrated to the
    WSS Agent
    .
  • You can configure the portal to automatically prompt the end user to update
    WSS Agent
    . However, if you are upgrading from the
    Unified Agent
    to the
    WSS Agent
    , you must push a new installation notification to all clients. Client reboots are then required.
  • Subsequent
    WSS Agent
    upgrades do
    not
    require a client system reboot.

About Bypassed Non-Routable IP Addresses

By default,
WSS
bypasses the following RFC 1918 addresses.
  • 10.0.0.0/8
  • 169.254.0.0/16
  • 172.16.0.0/12
  • 192.168.0.0/16
If a destination request contains one of these IP addresses, the traffic bypasses the
Web Security Service
and the client connects directly.

Procedure—Prepare for Installation

VPN Compatibility
The
WSS Agent
cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You can configure a full or split tunnel with other configurations.
  • Full Tunnel—This is possible if the VPN server egress IP address is configured as an IPSec Location in
    WSS
    (
    Connectivity > Locations
    ).
    WSS Agent
    enters into Passive Mode when on the Location network.
  • Split Tunnel—To prevent connection flapping, add the IP address of the VPN server to the IP Bypass list.
Step 1—Select End User Permissions
As best practice, select how much control your employees have with the
WSS Agent
before
you push the agent to clients.
Navigate to
Connectivity >  WSS Agent
. Locate the
End User Permissions
area.
WSSA End Permissions
Decide if the following features are applicable.
  • Enable Update Prompts
    If
    Prompt end user for update
    is selected, the
    WSS Agent
    notifies the logged-in user that an update is available for downloading. If you clear this option, you can perform silent
    WSS Agent
    updates (the end user is unaware). The default is enabled.
  • Allow Local Ability to Disable the Agent
    If you
    Allow agent to be disabled by end user
    , your employees can (temporarily) disable the
    WSS Agent
    .
  • Require Token for Uninstallation
    If you select
    Require Token to Uninstall
    , employees are able to uninstall the
    WSS Agent
    , but are required to use a token that you define.
Step 2—Download the
WSS Agent
Installer.
  1. The right side of the
    Connectivity >  WSS Agent
    page provides the
    Installers
    area.
    Symantec
    WSS
    Operations manages what
    WSS Agent
    Windows and macOS installers are available to download at any given time:
    • A
      Recommended Release
      is a recent
      WSS Agent
      version that has been available for a period of time and has not experienced any major performance issues. If you have
      not
      selected the
      Prompt end user for update
      option, clients automatically receive this version when it is promoted.
    • A
      Maintenance Release
      is a
      newer
      WSS Agent
      version that contains more recently resolved issues, but has not been available as long as the
      Recommended Release
      . After this version is deployed in enough accounts for a period of time without major performance issues, Symantec promotes the
      Maintenance Release
      to
      Recommended Release
      .  
    • The
      Other Release
      area might contain multiple versions, such as preview or legacy.
    Symantec continuously evaluates which
    WSS Agent
    versions are appropriate for each installer area. Symantec also communicates the end-of-life policies for each version. To review version information, such as resolved issues in each version, click the
    Release Notes
    link.
    After you confirm the version that is appropriate for your deployment, download the installer.
  2. If this is the first time you are attempting to download the installer, the service displays the Profile dialog.
    Client Download Export Control Profile
    As a company that provides security services across the globe,
    Symantec
    supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the
    WSS Agent
    .
    1. Click the
      Ensure...enterprise account
      link, which opens your Broadcom profile page.
    2. Complete your enterprise information and click
      Next
      .
    3. Verify and click
      Upgrade Account
      . Broadcom sends you a confirmation email.
    4. Return to the portal, log out, and log in again. If you do not, you still cannot download the agent.
  3. Download the installation file and place it in a network location that is accessible by test clients.

Installation Options

  • Default Windows/macOS Windows Installers—Proceed to the next sections.
  • CLI methods provide the ability to install the
    WSS Agent
    with configuration options. You can also modify existing installations. Refer to the following topics.

Procedure—Windows Installer

  1. Put the installer on the test client.
  2. Launch the installer.
    1. In Windows, navigate to the directory where you saved the
      wssa-<snip>.msi
      file.
      Record the full application name. It might be required for future uninstallation tasks.
    2. Double-click the file, which launches the installer.
  3. Follow the prompts in the wizard. Select a directory for installation. Click
    Next
    .
  4. Click
    Install
    . The installation begins.
  5. Click
    Finish
    to complete the installation. The service displays the Installer Information dialog.
  6. Only required if upgrading a client from
    Unified Agent
    —Click
    Yes
    to reboot the computer.

Procedure—macOS Installer

  1. Put the installer on the test client.
  2. Launch the installer.
    1. Open the
      wssa-<snip>.dmg
      file by double-clicking on it.
      Record the full
      .dmg
      name. It might be required for future uninstallation tasks.
    2. Double-click the
      .pkg
      file, which launches the installer.
  3. Follow the prompts in the wizard. Select a directory for installation. Click
    Next
    .
  4. Click
    Install
    . The installation begins.
  5. Click
    Finish
    to complete the installation. The service displays the Installer Information dialog.
  6. Only required if upgrading a client from
    Unified Agent
    —Click
    Yes
    to reboot the computer.

Next Step

About WSS Agent Versions and Support

Symantec employs a two year End of Maintenance period per major
WSS Agent
version. To learn more about the currently supported versions, review the following topic: