About Web Isolation With UPE

Web Isolation is a client-less solution that enables employees to safely browse the internet using any browser. WSS supports integration with Symantec Management Center in a solution called Universal Policy Enforcement (UPE). This allows you to author policy locally (with a ProxySG appliance/Management Center) and determine which traffic goes to WSS, where the centralized, cloud-based policy implements Web Isolation.

Figure: WSS UPE Web Isolation

1—The Admin
  • Uses Management Center to manage ProxySG policy, including adding policy language to identify which categories are subject to Web Isolation.
  • Defines granular Web Isolation policy. WSS applies the policy, such as destination and category matching. The Admin also reviews reports of Web Isolation results.
2—On-premises corporate clients browse for content.
3—The response is a category, such as Suspicious, that triggers Web Isolation.
4—On the WSS data center asset, the Threat Isolation Engine (TIE) runs the website within a secure, disposable container. Simultaneously, WSS returns safely rendered information to users' browsers over a secure web socket. The employee can still scroll, navigate, and enter keystrokes; however, no potentially malicious content, including browser-based exploits, reaches the client browser.

Technical Requirements

Before implementing the policy provided in this topic, ensure the following technical requirements are met.
  • You have an existing Universal Policy Enforcement (UPE) implementation; that is, the Visual Policy Manager (VPM) has policy designated for WSS upload. This topic does not contain initial UPE configuration procedures.
  • Your WSS has the Web Isolation license (Selective or Full). Without the license, the policy objects are suppressed.

Limitations

  • The user and group names in UPE policy must match the user and group names authenticated in WSS.

Supported Deployments

There are two deployment variations to achieve Web Isolation through UPE.

Deployment Use Case—Existing Web Isolation On-Premises/Service

In this deployment, there is an existing Web Isolation solution that is either an on-premises Symantec Web Isolation platform or a Symantec Web Isolation service account. Policy on the Symantec Secure Web Gateway determines what traffic is subject to isolation. You want to use Management Center to push that existing Web Isolation policy to WSS.

Figure: UPE Web Isolation On-Prem

A—Web Isolation on-premises deployment: a Symantec Secure Web Gateway appliance (ProxySG or ASG) interacts with either an on-premises, dedicated Symantec Web Isolation platform or a Web Isolation service.
B—WSS interacts with a Symantec Web Isolation cloud service (dedicated or shared).
1—The Admin uses the Web Isolation Management UI to determine which traffic is subject to isolation based on criteria such as risk score, category, and destination. The Management UI generates a Secure Web Gateway policy template. The Admin uses Management Center to push that template to WSS.
2—An on-site employee issues a web request that triggers Web Isolation.
3—The Threat Isolation Engine (TIE) in the data center asset runs the website within a secure, disposable container.
4—The client browser is allowed continued (rendered) site access while the content scanners run.
5—In the above example, remote clients connect to WSS. The same traffic is sent to Isolation based on the defined criteria (flow step 1). The Web Isolation service performs the same disposable container and rendered site tasks. You might also have on-premises connections, such as from an IPsec or explicit proxy location. WSS can forward only to the Web Isolation cloud service; forwarding to an on-premises environment is not supported.

Perform This Option?

As mentioned above, the Web Isolation platform holds the policy (Content Policy Language, CPL). The Symantec Web Isolation platform documentation has more details about how to retrieve it.

Other Deployment Notes
  • If the Symantec Secure Web Gateway is forwarding to a dedicated Web Isolation service, the appliance must trust the Web Isolation default root CA. Custom root CAs are not supported.
  • If the Symantec Secure Web Gateway is forwarding to a dedicated on-premises Threat Isolation platform, the appliance forwards isolated traffic to Isolation_Forwarding_Group_Production.

Deployment—WSS Web Isolation Policy

In this deployment, you do not have any existing proxy forwarding to an isolation product. You want to rely solely on WSS; however, you are using UPE to manage WSS policy and want to include Web Isolation.

A—Web Isolation deployment: WSS interacts with a Symantec Web Isolation cloud service (dedicated or shared).
B—Symantec Management Center determines which traffic goes to WSS.
1—The Admin adds an isolation policy template to a CPL Layer and determines which traffic is subject to isolation based on criteria such as risk score, category, and destination. The Admin uses Management Center to push that template to WSS.
2—An on-site employee issues a web request that triggers Web Isolation.
3—The Threat Isolation Engine (TIE) in the data center asset runs the website within a secure, disposable container.
4—The client browser is allowed continued (rendered) site access while the content scanners run.
5—In the above example, remote clients connect to WSS. The same traffic is sent to Isolation based on the defined criteria (flow step 1). The Web Isolation service performs the same disposable container and rendered site tasks. You might also have on-premises connections, such as from an IPsec or explicit proxy location.

Perform This Option?