blue coat web security service: unified agent brief

Web Security Service Unified Agent Access Method Guide Version 6.10.2.5/Feb.28.2018

Upload: trinhkhuong

Post on 13-Feb-2017


Page 1: Blue Coat Web Security Service: Unified Agent Brief

Web Security Service

Unified Agent Access Method Guide

Version 6.10.2.5/Feb.28.2018


Symantec Web Security Service/Page 2


Copyrights

Copyright © 2018 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

Symantec Corporation

350 Ellis Street, Mountain View, CA 94043

www.symantec.com


Symantec Web Security Service: Unified Agent Guide

The Symantec Web Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product, the Web Security Service leverages Symantec's proven security technology as well as the WebPulse™ cloud community of over 75 million users.

With extensive web application controls and detailed reporting features, IT administrators can use the Web Security Service to create and enforce granular policies that are instantly applied to all covered users, including fixed locations and roaming users.

To provide security to employees who take corporate clients beyond the corporate network, such as laptops on business trips, Symantec provides the Unified Agent that routes web requests through the Web Security Service.

This brief provides remote client conceptual information and installation tasks. The document breaks out information into phases.

"Learn..." on page 8

"Configure..." on page 24

"Troubleshoot..." on page 61

This document contains topics collected from the Web Security Service online documentation. For the complete doc set, see:

Symantec Support Site > WSS Documentation

Table Of Contents

Copyrights 3

Symantec Web Security Service:Unified Agent Guide 5

Table Of Contents 5

Learn... 8

About Remote User Protection 9

High-Level Example 9

Dynamic User Location Example 11

Noticeable Behavior 11

About Bypassed Non-Routable IP Addresses 12

About the QUIC Protocol 12

About Proxy Avoidance Attempts 12

About Password Protection 13

About SSL Certificate Installation 13

Challenge-based Authentication (Captive Portal) 13


About IPv6 IP Addresses 13

About Time Zones 13

Why Select This Method? 14

About Challenge-based Auth (Captive Portal) 15

Enable Captive Portal? 17

Reference: Required Locations, Ports, and Protocols 18

Symantec Resource 18

Access Methods 18

Authentication 19

Cloud-to-Premises DLP 19

Recent Unified Agent Resolved Issues 20

Configure... 24

Plan 24

Install 24

Configure Service 24

Plan the Remote User Access Method 25

Alternate Media 25

PDF 25

Select Remote Client Access Method 26

Windows 7, 8, 10 26

Windows XP 26

Apple OS X 9.x/10.x 26

Windows: Unified Agent Single Client Installation 27

About the CTC and SSL Certificate 29

Next Selection 29

Windows: Unified Agent GPO Distribution 30

About the CTC and SSL Certificate 32

Next Selection 32

Mac OS X: Unified Agent JAMF Distribution 33

About the CTC and SSL Certificate 35

Next Selection 35

Mac OS X: Unified Agent Single Client Installation 37

About the CTC and SSL Certificate 39


Next Selection 39

Set Unified Agent Network/Security Options 40

Unified Agent Security Options 40

Prevent IP/Subnet From Routing to the Web Security Service 44

Prevent a Domain From Routing to the Web Security Service 46

Block Web Access When Service is Unavailable to Remote Users 48

Prevent Automatic Updates to Remote Clients 49

Route Remote Connections Through an HTTP Proxy 50

Next Step 51

Forward a Specific Port from Remote Clients 52

Next Step 52

Require Authentication Challenges 53

Verify Service Connectivity to Locations 54

Uninstall the Unified Agent 57

Available Options 57

Unified Agent—With Uninstall Token 57

No Token Defined/Client Connector 60

CLI 60

MSI Version Mis-Match (Unknown MSI) 60

Troubleshoot... 61

Unified Agent Drops Connections 62

Manage Web Security Service Client Connections 63

Manually Disable the Unified Agent 64

Activate the Disable Option 64

Instruct Employees How to Disable the Unified Agent 64

Windows 64

OS X 64

Reference: Remote Client Application Package Versions 65

Captive Portal Diagnostic Messages 66

Review System Events Generated by Remote Clients 67

Capture Remote Client Trace Log 68


Learn...

This section describes the purpose of the Unified Agent application, which provides security to users who use corporate clients, such as laptops, outside of the corporate network.

- "About Remote User Protection" on page 9

- "About Challenge-based Auth (Captive Portal)" on page 15

- "Reference: Required Locations, Ports, and Protocols" on page 18

- "Recent Unified Agent Resolved Issues" on page 20 and OS Versions

About Remote User Protection

The Symantec Unified Agent provides web security to remote users when a route through the corporate network is not possible or practical. Remote users are defined as:

- Users with laptops that are taken outside of the corporate network.

- Users in micro-branch offices where it is not practical to deploy a corporate firewall or proxy.

- Users in micro-branch offices where the firewall does not support IPsec, or where the firewall is controlled by another entity such as an Internet service provider.

When installed on client systems, the Unified Agent works as part of the client system's configuration; after the application is installed, no further configuration is required on the client system. It directs content requests to the Symantec Web Security Service (ThreatPulse) over a secure connection (port 443). To enforce proxy avoidance, the Unified Agent detects and drops HTTP CONNECT method requests to any external, non-Web Security Service IP address. Because such connections are dropped, the user is unable to circumvent filtering and malware scanning.

Additional Security with the Unified Agent

Furthermore, the Unified Agent provides additional security features.

- The Unified Agent prevents employees from stopping and starting the service from the Services Management Console, even if the employee has Windows Administrator privileges.

- You can hide the Proxy Setting tab in the application. Employees cannot attempt proxy avoidance by routing traffic through another egress device.

- You can give employees the ability to temporarily disable the Unified Agent should they be experiencing connection issues.

High-Level Example

The following diagram illustrates how the Web Security Service Unified Agent facilitates web requests.

Example Data Flow

1—A sales person on a business trip in India initiates a web request for a website.

2—The Unified Agent initiates a connection over port 443 to the Web Security Service (ctc.threatpulse.com) because it detects web-bound traffic on a port it is capturing. The agent attempts to connect to the Client Traffic Controller (CTC) in the nearest three geographical Symantec Web Security Service data centers. In this example, Mumbai accepts the request.

- If the CTC is not able to respond, the request defaults to a DNS ask (client.threatpulse.com).

- Unified Agent 4.9.1+: The agent evaluates network conditions to attempt a UDP connection; if the conditions are not met, the connection reverts to TCP.

2.1—If this is the initial connection, the client receives additional configuration.

3—The client establishes a tunnel to the service for each logged-in user, which serves content from the destination website.

4—In addition, the client establishes a default tunnel that is used for system-level requests, such as Windows Update or other requests initiated by a system-owned process.

The Web Security Service provides the policy rule enforcement.

5—Requests for internally-hosted resources do not transport through the Web Security Service. Furthermore, the Unified Agent cannot compete with other installed VPNs, such as Cisco AnyConnect. You must configure other VPN applications to Split Tunnel so that Internet-hosted destinations route through the Web Security Service.


If your enterprise requires specific location connections, contact Symantec Technical Support to request assistance.

Dynamic User Location Example

If the user logs in while on a protected network—for example, a corporate location—the client agent goes into passive mode. That is, the use policies are enforced by the on-site web service.

The following diagram illustrates the various access points from remote users to the Web Security Service.

- A—An employee logs in and is detected by the on-premise network. As a gateway ProxySG appliance provides the security and web access policies, the Unified Agent enters Passive Mode; that is, it does not intercept any traffic.

- B—The same employee travels to a hotel near a client and logs into the hotel's WiFi service. The Unified Agent now engages and connects to the nearest Symantec Web Security Service datacenter, which provides the web access policies.

This allows you to write different policies for corporate locations versus remote locations.

About Hybrid Policy and Unified Agent Connections

If you are employing the Symantec Hybrid Policy solution, the Unified Agent has slightly different connection behaviors. In this deployment, the on-premises ProxySG appliance is configured to use common policy. The client workstations that use that common policy proxy have the Web Security Service version of the Unified Agent installed. Normally, the Unified Agent is in Passive mode on workstations connecting from behind a proxy that is providing common policy.

Noticeable Behavior

- On the Web Security Service portal, the Network Location status changes from green to red. This causes all new Unified Agent connections to switch to active versus passive.

- After a networking event, such as a change in IP address, while the Network Location is red, the Unified Agent switches to active.

- When the Network Location status is green, the Unified Agent switches to passive mode.

If the common policy proxy is unable to establish a connection to the portal for approximately 35 minutes, then the hybrid location changes from green to red. If the Unified Agent is in passive mode, it remains passive unless a networking event occurs. The Unified Agent goes to active mode for all new connections from that red-status network. This is by design. If the on-premises ProxySG appliance is experiencing issues and is configured to Fail Open, the Unified Agent must be in active mode for the Web Security Service to provide protection.

If you notice that the Unified Agent is switching to active mode for reasons not described above, check the hybrid location in the portal. If the hybrid location status is red, check connectivity between the on-premises ProxySG appliance and the Web Security Service (this might require a packet capture to diagnose). You can run the update-now command while in the cloud-service configuration mode to generate traffic destined to the service.

About Bypassed Non-Routable IP Addresses

By default, the Web Security Service bypasses the following RFC 1918 addresses.

- 10.0.0.0/8

- 169.254.0.0/16

- 172.16.0.0/12

- 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service and the client connects directly.

About the QUIC Protocol

The Quick UDP Internet Connections (QUIC) protocol, introduced in 2013, is a transport layer designed to reduce latency when compared to TCP (HTTP/HTTPS) connections. Browsers with QUIC enabled and smaller devices receive the benefit. Chrome 29+ has QUIC enabled by default (chrome://net-internals/#quic). Other browsers are beginning to include QUIC.

To allow for a seamless experience, when clients send web requests that are intercepted for processing, such as by the Web Security Service for security purposes, the connections revert to TCP.

If you have a business requirement or a preference for the highest performance, you can instruct the Web Security Service to bypass QUIC connections. For security reasons, be advised that Symantec does not recommend this option. Because QUIC is UDP-based, these connections are bypassed at the client end-point, which means the traffic is not checked against policy, nor is reporting against the Unified Agent possible. Only select this bypass option if the highest performance for these clients supersedes the security requirement.

About Proxy Avoidance Attempts

To enforce proxy avoidance, the Unified Agent detects proxy HTTP requests in outbound streams for ports other than those configured to be forwarded to the service (typically 80 and 443). Such connections are dropped and the user is unable to circumvent filtering and malware scanning. Furthermore, the Unified Agent does not interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt. If your deployment uses a PAC control to manage outbound web connections, the Unified Agent detects it and uses this connection to forward web traffic (on ports 80 and 443 by default). If the Unified Agent cannot connect with the PAC settings, it attempts a direct connection to the Web Security Service IP address. You can allow additional ports. Also, Symantec recommends adding internal subnets to the IP Bypass List so that internal traffic is not sent to the Web Security Service.

For clients running Unified Agent 4.8+, you have the option to disable tamper detection, which allows uninterrupted service if the agent cannot connect to the Web Security Service.
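The bypass and proxy-avoidance rules above, as an added example that is not Symantec's code: a Python model of the per-connection decision (bypass, forward, drop, or leave alone). It goes slightly beyond this passage by also covering the portal's domain bypass list, so the multi-homed side effect noted in the release notes can be seen. The service address, bypass entries, resolver table and sample connections are assumptions constructed for the demonstration.

```python
# Added example (not Symantec's code): a model of the per-connection decision
# the guide describes for the Unified Agent. Assumptions: the agent sees the
# destination IP, destination port and the first bytes of the outbound stream;
# the service address, bypass entries and resolver table are constructed.
import ipaddress
import re

# Ranges the guide says are bypassed by default (it lists 169.254.0.0/16
# alongside the three RFC 1918 blocks).
DEFAULT_BYPASS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")]

# Ports the agent captures and forwards to the service (typically 80 and 443).
FORWARDED_PORTS = {80, 443}

# Constructed placeholder for the service's own address (the real endpoint is
# ctc.threatpulse.com; this documentation-range IP stands in for it).
SERVICE_ADDRESSES = {ipaddress.ip_address("203.0.113.10")}

# A proxy-style request: "CONNECT host:port HTTP/1.x" or an absolute-URI
# request line such as "GET http://host/path HTTP/1.1".
PROXY_REQUEST = re.compile(
    rb"^(?:CONNECT\s+\S+:\d+|[A-Z]+\s+https?://\S+)\s+HTTP/1\.[01]")

# Constructed resolver table standing in for DNS lookups.
RESOLVER = {
    "intranet.example": {"198.51.100.20"},
    "cdn-tenant-a.example": {"198.51.100.30"},
    "cdn-tenant-b.example": {"198.51.100.30"},   # shares the IP (multi-homed)
}


def domain_bypass_ips(bypassed_domains, resolver=RESOLVER):
    """Expand portal-style domain bypass entries into the IPs they resolve to."""
    ips = set()
    for domain in bypassed_domains:
        ips.update(ipaddress.ip_address(a) for a in resolver.get(domain, ()))
    return ips


def classify(dst_ip, dst_port, first_bytes=b"", ip_bypass=(), domain_bypass=()):
    """Return one of "forward", "bypass", "drop" or "direct" for a connection."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in SERVICE_ADDRESSES:
        return "forward"      # the agent's own tunnel to the service
    networks = DEFAULT_BYPASS + [ipaddress.ip_network(n) for n in ip_bypass]
    if any(ip in n for n in networks) or ip in domain_bypass_ips(domain_bypass):
        return "bypass"       # internal or bypassed: the client connects directly
    if dst_port in FORWARDED_PORTS:
        return "forward"      # web-bound traffic, sent through the service
    if PROXY_REQUEST.match(first_bytes):
        return "drop"         # proxy request to an external, non-service address
    return "direct"           # non-captured port carrying ordinary traffic


def multi_homed_side_effect(domain_bypass=("cdn-tenant-a.example",)):
    """Shows the known issue: bypassing one domain also bypasses another
    host that resolves to the same IP address."""
    shared_ip = next(iter(RESOLVER["cdn-tenant-b.example"]))
    return classify(shared_ip, 443, domain_bypass=domain_bypass)
```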

About Password Protection

You can configure an uninstallation token in the portal. Users cannot uninstall the remote client application from their systems without the token.

About SSL Certificate Installation

The Unified Agent connection to the CTC requires the SSL Root Certificate. Unified Agent installations also install this certificate. If the certificate is not present, the Unified Agent remains operational but might fail to connect to the CTC in the Web Security Service datacenter. If this occurs, the agent reverts to the legacy DNS method to connect to the Web Security Service.

If the certificate is not installed because of an unforeseen permission issue, you can manually download and install it (see Install Encrypted Traffic Certificates).

Challenge-based Authentication (Captive Portal)

For enhanced security, enable the Captive Portal option during configuration. When enabled, Captive Portal displays a challenge dialog to users each time that they begin a new browser session (or 24 hours after their previous successful entry). This eliminates cached credential access. For more information, see "About Challenge-based Auth (Captive Portal)" on page 15.

MAC CLIENT NOTE

You can install the Unified Agent on Windows and Mac clients. If a Mac user's username is the same as in your AD and there is only one domain in your AD, then user-based policy is applied for the Mac client. The domain defaults to the single domain in the AD. You can, however, enable the Captive Portal feature, which allows users and groups to be available for policy checks.

About IPv6 IP Addresses

The Unified Agent that accompanies the Web Security Service 6.9.4.1 service update (December 2016) changes how the Unified Agent processes IPv6 IP addresses.

- In situations where IPv6 access is available, most clients ask the DNS for both IPv4 and IPv6 destination addresses. The Unified Agent modifies the IPv6 DNS responses to provide no IPv6 addresses and an NXDOMAIN status code, which means that no IPv6 addresses are available. Therefore, the clients use IPv4 by default, and the Unified Agent intercepts the subsequent connection. This behavior allows for proper application of policy and malware scanning.

- If the DNS server returns no IPv4 addresses, the client cannot resolve the destination and receives a DNS error.

- Be advised that an employee can circumvent the interception by entering the IPv6 IP directly into the browser (versus entering the destination URL).
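The AAAA-response rewriting described above, as an added example that is not Symantec's code: a minimal Python model that turns an IPv6 (AAAA) DNS response into an empty NXDOMAIN answer while leaving IPv4 (A) responses untouched. The DNS messages, names and addresses are constructed inline for the demonstration; the helpers that build them are assumptions, not part of the agent.

```python
# Added example (not Symantec's code): a minimal model of the IPv6 DNS handling
# the guide describes for the Unified Agent since the 6.9.4.1 update. AAAA
# responses are rewritten to carry no answers and the NXDOMAIN status code;
# A responses pass through unchanged. The DNS messages are constructed inline.
import struct

QTYPE_A, QTYPE_AAAA = 1, 28
RCODE_NXDOMAIN = 3
HEADER = struct.Struct("!6H")     # id, flags, qdcount, ancount, nscount, arcount


def _skip_name(msg, offset):
    """Return the offset just past a DNS name that starts at offset."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes end the name
            return offset + 2
        offset += 1 + length


def rewrite_response(msg):
    """Apply the agent's policy to one DNS response; returns the bytes to deliver."""
    txid, flags, qdcount, _ancount, _nscount, _arcount = HEADER.unpack_from(msg)
    if not flags & 0x8000 or qdcount != 1:
        return msg                  # not a response, or an unusual shape: leave it
    q_end = _skip_name(msg, HEADER.size)
    qtype, = struct.unpack_from("!H", msg, q_end)
    if qtype != QTYPE_AAAA:
        return msg                  # IPv4 and everything else pass through
    nx_flags = (flags & 0xFFF0) | RCODE_NXDOMAIN
    header = HEADER.pack(txid, nx_flags, 1, 0, 0, 0)
    return header + msg[HEADER.size:q_end + 4]   # keep only the question section


def encode_name(name):
    """Constructed helper: wire-format name without compression."""
    labels = (bytes([len(label)]) + label.encode() for label in name.split("."))
    return b"".join(labels) + b"\x00"


def build_query(txid, name, qtype):
    """Constructed helper: a standard query (QR bit clear, RD set)."""
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!2H", qtype, 1)


def build_response(txid, name, qtype, rdata_list):
    """Constructed helper: a NOERROR response with one answer RR per rdata."""
    question = encode_name(name) + struct.pack("!2H", qtype, 1)
    answers = b""
    for rdata in rdata_list:
        # owner name as a pointer to offset 12 (the question name), class IN, TTL 300
        answers += b"\xC0\x0C" + struct.pack("!2HIH", qtype, 1, 300, len(rdata)) + rdata
    return HEADER.pack(txid, 0x8180, 1, len(rdata_list), 0, 0) + question + answers


def summarize(msg):
    """Return (rcode, answer_count, qtype) so a result can be checked."""
    _, flags, _, ancount, _, _ = HEADER.unpack_from(msg)
    q_end = _skip_name(msg, HEADER.size)
    qtype, = struct.unpack_from("!H", msg, q_end)
    return flags & 0xF, ancount, qtype
```

The circumvention the guide notes (typing an IPv6 literal into the browser) never produces a DNS lookup, so it is outside what this rewriting can influence.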

About Time Zones

When a user's system connects to the Web Security Service from the Unified Agent, the time zone is the recognized system time of their machine.

Why Select This Method?

- Always active. The user does not have to log in to the agent.

- Works in the background and is transparent to users.

- Captures the user and system names for reporting.

About Challenge-based Auth (Captive Portal)

By definition, challenge-based authentication displays a credential dialog to users each time they open a web browser. Users must enter their corporate network username and password into the dialog and click Accept before performing web content requests. In this context, this feature is also commonly referred to as Captive Portal.

The Web Security Service provides the Captive Portal for the following deployment methods:

- As an alternative method to check user credentials rather than the method provided by the Unified Agent application that is installed on remote systems.

- Allows an authentication method for BYOD—employees access the network from their personal devices.

- This option also provides user credential checks for Explicit Proxy (PAC file) deployments.

- Required for SAML Authentication integration (Firewall/VPN and Explicit Proxy Access Methods).

- Quickly configure a browser or device for authentication demonstration.

The following diagram illustrates the various Captive Portal solutions based on employee-to-network connection method. All Captive Portal deployments require the Auth Connector application that integrates with your Active Directory to verify user credentials.


A—Firewall/VPN/Guest WiFi Over IPSec

The Web Security Service recognizes a connection from a firewall/router device as a fixed location (versus from a roaming user). Using the Authentication Policy Editor, you can specify the surrogate type (IP address or cookie) and authentication refresh intervals on a per-location basis.

With the proliferation of bring your own devices (BYOD), companies must find a way to accommodate employees who use their personal phones and tablets for both work and personal use. One method is to maintain a separate WiFi for BYOD use. The WiFi network might be seen by the Web Security Service as its own location or as one or more subnets. With Captive Portal enabled, users must enter their network credentials. Closing and re-opening a browser window within that refresh interval does not trigger a new authentication challenge.

DEPLOYMENT NOTE: The following applies to IP surrogates only. For clients behind NAT'ed firewalls, Symantec recommends using Cookie Surrogates. After a user authenticates from an IP address, all further requests from that IP address are treated as from that user. If the client is behind a NAT or on a multi-user system, the first user's credentials are used. For example, Employee A requests web content and the Web Security Service successfully authenticates him. Employee B then connects, but she is not sent an authentication challenge. She is seen as Employee A and thus receives all policy designated for Employee A.

B—Explicit Proxy

By default, the Explicit Proxy access method neither provides authentication nor sends user and group information to the Web Security Service for use in reports or custom policy. To make username/group information available, you must enable the Captive Portal option for each location configured in the Web Security Service.

Using the Authentication Policy Editor, you can specify the authentication refresh intervals on a per-location basis.

C—Remote Users (Unified Agent)

The Symantec Web Security Service provides the Captive Portal as an alternative method to check user credentials rather than the method provided natively by the Unified Agent application that is installed on remote systems.

Without Captive Portal enabled, remote users log into the corporate network using their cached credentials. With Captive Portal enabled, the challenge dialog initiates from the client system, which ensures that the correct person logging in is recorded. This allows the system to be accessed by multiple users. Furthermore, the benefit for network administrators is that you have more control of your network access. If a laptop becomes lost or you need to deny a remote employee access, change their status in the Active Directory and that user's access credentials are now denied.

D—Quick Authentication Demonstration (Roaming Captive Portal)

Roaming Captive Portal allows you to quickly connect a non-enrolled device (mobile device or laptop) to the Web Security Service and receive an authentication challenge. For browsers, this allows the enforcement of employee credentials to access web content. For mobile devices, this allows for quick demonstrations of authentication and policy. These browsers/devices are configured to explicitly proxy to the Web Security Service and a user's corporate e-mail address is used to validate access.

Additional Information

- Client systems must have third-party cookies enabled.

- Client systems must have the Symantec Web Security Service SSL Root Certificate on their browsers. This is described in the configuration topics.

- If your enterprise comprises multiple domains, users must enter the full domain name rather than just their login name. For example, they must enter [email protected], not just alan.user.

- If the Auth Connector becomes unavailable, the user receives the following error message: Authentication server error, connecting as unauthenticated user (also, the Web Security Service adds the event to the diagnostic log). The behavior defaults to what happens when Captive Portal is not enabled. That is, the user's access credentials create a tunnel. For diagnostic analysis, this Advanced dialog entry is unauthenticated(user_name). For other diagnostic entries, see "Captive Portal Diagnostic Messages" on page 66.

- Verify that each user to be authenticated has their e-mail address attribute populated in the AD (User Properties dialog > General > E-mail). For example, EXAMPLECORP\alan.user has an e-mail attribute [email protected]. If you are employing Exchange, default policies automatically create this attribute. If you are not employing Exchange and have a large number of users with undefined e-mail attributes in the AD, search online for resources about how to use a script to populate it.

About Challenges

When Captive Portal is enabled:

- Challenges are based on each browser session. For example, users are challenged when they open Firefox and then can browse (including new tabs). If they then open an Internet Explorer browser, they must enter their credentials in that browser to continue.

- Entered passwords, represented as auth tokens, are retained in a credential cache on the device in the data center that is processing authentication for that client. They are not stored permanently in the cloud. The Authentication Policy Editor allows you to specify surrogate times for the Firewall/VPN Access Method and credential refresh times for both the Firewall/VPN and Explicit Proxy Access Methods.

The following conditions prompt employees to re-enter their credentials.

- When the user attempts to reconnect to the web after those respective time thresholds.

- Other network activity, such as that employee's data getting moved from one data pod to another.

- The Auth Connector abides by the lockout settings in the AD. For example, the AD is configured to allow three attempts to log in. If the third attempt fails, the user is locked out for 30 minutes before they can attempt again.

- If a lockout configuration exists and the user triggers it, or if the user attempts to use an expired password:

  - All web-bound transactions intended for the Web Security Service are dropped; all other traffic continues normally.

  - If the fault is an Auth Connector problem, the user connects to the Web Security Service as an unauthenticated user.

- If you render an employee disabled, the Web Security Service requires 15 minutes to complete the transaction; the employee is still able to browse during that time period.
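The surrogate, refresh, lockout and Auth Connector failure behaviours described in this section and in the deployment note above, as an added example that is not Symantec's code: a Python model in which a cached identity is keyed by either the client IP address or a browser cookie, so the NAT case (Employee B seen as Employee A) can be compared against the cookie surrogate. The user directory, credentials, addresses and timings are constructed for the demonstration.

```python
# Added example (not Symantec's code): a model of the Captive Portal behaviour
# the guide describes: IP versus cookie surrogates, the credential refresh
# interval, AD-style lockout after three failed attempts, and the fallback to
# an unauthenticated user when the Auth Connector is unreachable. The user
# directory, credentials, addresses and timings are constructed.
from dataclasses import dataclass, field


@dataclass
class AuthConnector:
    """Stand-in for the Auth Connector that checks credentials against AD."""
    users: dict                           # username -> (password, enabled)
    max_attempts: int = 3                 # the guide's example: three tries ...
    lockout_seconds: int = 30 * 60        # ... then a 30-minute lockout
    available: bool = True
    failures: dict = field(default_factory=dict)
    locked_until: dict = field(default_factory=dict)

    def verify(self, user, password, now):
        if not self.available:
            raise ConnectionError("Auth Connector unavailable")
        if self.locked_until.get(user, 0) > now:
            return False                  # still locked out
        record = self.users.get(user)
        if record and record[1] and record[0] == password:
            self.failures[user] = 0
            return True
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_attempts:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
        return False


class CaptivePortal:
    """Per-location challenge logic keyed by the configured surrogate."""

    def __init__(self, connector, surrogate="ip", refresh_seconds=24 * 3600):
        self.connector = connector
        self.surrogate = surrogate        # "ip" or "cookie"
        self.refresh = refresh_seconds    # credential refresh interval
        self.cache = {}                   # surrogate key -> (user, expires_at)

    def request(self, client_ip, cookie, now, credentials=None):
        """Return the identity a request is processed as, "challenge" when the
        dialog is shown, or "drop" when authentication fails."""
        key = client_ip if self.surrogate == "ip" else cookie
        cached = self.cache.get(key)
        if cached and cached[1] > now:
            return cached[0]              # surrogate still valid: no new challenge
        if credentials is None:
            return "challenge"
        user, password = credentials
        try:
            ok = self.connector.verify(user, password, now)
        except ConnectionError:
            return f"unauthenticated({user})"   # the guide's diagnostic entry
        if not ok:
            return "drop"                 # web-bound traffic to the service is dropped
        if key is not None:
            self.cache[key] = (user, now + self.refresh)
        return user


def nat_example(surrogate):
    """Employee A authenticates; Employee B then connects from the same NAT
    address with a fresh browser (no cookie). Returns how B is seen."""
    connector = AuthConnector(users={"alan.user": ("pw-a", True)})
    portal = CaptivePortal(connector, surrogate=surrogate)
    portal.request("198.51.100.5", "cookie-a", 0, ("alan.user", "pw-a"))
    return portal.request("198.51.100.5", None, 60)
```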

Enable Captive Portal?

- Firewall/VPN (IPsec) Access Method—Proceed to Captive Portal Surrogates and Times.

- Remote Users—Select Service mode > Mobility > Unified Agent. This page contains the Enable Captive Portal option.

Reference: Required Locations, Ports, and Protocols

Depending on your configured Symantec Web Security Service Access Methods, some ports, protocols, and locations must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.

Symantec Resource

support.symantec.com: Support site links to support tools and documentation.

Access Methods

Access Method / Port(s) / Protocol / Resolves To

Web Security Service IP addresses
  Resolves To: 199.19.250.192, 199.116.168.192

Firewall/VPN (IPsec)
  Port(s): 80/443; UDP 500 (ISAKMP)
  Protocol: IPsec/ESP

Proxy Forwarding
  Port(s): 8080/8443; 8084*
  Protocol: HTTP/HTTPS
  Resolves To: Port 8080 to proxy.threatpulse.net; Port 8443 to proxy.threatpulse.net; *Port 8084 to proxy.threatpulse.net
  *If this forwarding host is configured for local SSL interception.

Explicit Proxy
  Port(s): 8080
  Resolves To: proxy.threatpulse.net; https://portal.threatpulse.com/pac

Trans-Proxy
  Port(s): 8080 (VPN Tunnel)
  Resolves To: ep.threatpulse.net resolves to the following pseudo address: 199.19.250.205

Unified Agent
  Port(s): 443
  Protocol: UDP (v4.9.1+), TCP, SSL
  Resolves To: Port 443 to ctc.threatpulse.com; Port 443 to proxy.threatpulse.com; Port 443 to portal.threatpulse.com (199.19.250.192)

MDM (registered iOS and Android devices)
  Port(s): UDP 500 (ISAKMP); UDP 4500 (NAT-T)
  Protocol: IPSec/ESP

Hybrid Policy
  Resolves To: 8.28.16.231 (expires July 21, 2017); 199.19.250.195, 199.116.168.195 (available July 21, 2017)
  If connectivity to the Web Security Service is behind stringent firewall rules, adjust the rules to allow traffic to pass to these IP addresses on port 443.

Authentication

Auth Method / Port(s) / Protocol / Resolves To

Auth Connector
  Port(s): 443
  Protocol: SSL
  Resolves To: auth.threatpulse.com: 199.19.250.193, 199.116.168.193; portal.threatpulse.com: 199.19.250.192
  Additional Required Information: Reference: Authentication IP Addresses.

Auth Connector to Active Directory
  139, 445: TCP
  389: LDAP
  3268: ADSI LDAP
  135: Location Services
  88: Kerberos
  49152-65535: TCP, if installed on a new Windows Server 2012 Member rather than a Domain Controller.

AC-Logon App
  Port(s): 80
  Resolves To: Port 80 from all clients to the server.

SAML
  Port(s): 8443
  Protocol: Explicit and IPSec

Roaming Captive Portal
  Port(s): 8080

Cloud-to-Premises DLP

For connection coordination and management status.

- Port 443 (traffic from client device)

- XMPP port 5222 to comm.threatpulse.com

Recent Unified Agent Resolved Issues

This topic lists the recent Unified Agent versions and the resolved issues for each version.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Release Date: 2/2018

Supported Client Operating Systems:

- Windows 7 32/64 bit (excluding home editions)

- Windows 8.x 32/64 bit (excluding home editions)

- Windows 10 32/64 bit (excluding home editions)

- Apple OS X (Mavericks (version 10.9.x))

- Apple OS X (Yosemite (version 10.10.x))

- Apple OS X (High Sierra (version 10.13.x))

Features

- Added adaptive protocol support to improve Unified Agent performance.

- The agent evaluates network conditions to attempt a UDP connection; if the conditions are not met, the connection reverts to TCP.

- Added support for Mac OS X: High Sierra (10.13).

Resolved Issues:

- The Unified Agent failed to reconnect from the passive state after disconnecting from a third-party VPN.

- Resolved a service crash related to situations where a network interface might not be available when the service starts.

- Unified Agent 4.8.1 on OS X did not honor the bypassed domains from the portal.

- Unified Agent did not connect to the service when connecting over a USB data card connection.

- Unified Agent stopped attempting to connect to the service before the network became available. For example, when a NAC scan occurs on start up.

- Unified Agent woke systems from sleep mode.

- Unified Agent prevented internet access after disconnecting from one docking station and connecting to another.

- Unified Agent would not establish a user tunnel on systems using an OpenOTP solution.

Release Date: 10/2017

Supported Client Operating Systems:

- Windows 7 32/64 bit (excluding home editions)

- Windows 8.x 32/64 bit (excluding home editions)

- Windows 10 32/64 bit (excluding home editions)

- Apple OS X (Mavericks (version 10.9.x))

- Apple OS X (Yosemite (version 10.10.x))

- Apple OS X (High Sierra (version 10.13.x))

Features

- Added adaptive protocol support to improve Unified Agent performance.

- The agent evaluates network conditions to attempt a UDP connection; if the conditions are not met, the connection reverts to TCP.

- Added support for Mac OS X: High Sierra (10.13).

Resolved Issues:

- The Unified Agent failed to reconnect from the passive state after disconnecting from a third-party VPN.

- Resolved a service crash related to situations where a network interface might not be available when the service starts.

- Unified Agent 4.8.1 on OS X did not honor the bypassed domains from the portal.

- Unified Agent did not connect to the service when connecting over a USB data card connection.

- Unified Agent stopped attempting to connect to the service before the network became available. For example, when a NAC scan occurs on start up.

- Unified Agent woke systems from sleep mode.

- Unified Agent prevented internet access after disconnecting from one docking station and connecting to another.

- Unified Agent would not establish a user tunnel on systems using an OpenOTP solution.

Release Date: 6/22/2017

Supported Client Operating Systems:

- Windows 7 32/64 bit (excluding home editions)

- Windows 8.x 32/64 bit (excluding home editions)

- Windows 10 32/64 bit (excluding home editions)

- OS X 10.9+

Resolved Issues:

- Fixes compatibility with AnyConnect over UDP port 443.

Note:

- Uninstall passwords for versions prior to 4.4 are removed. You are required to use the portal to define the uninstall password.

Known Issue

- Domain bypass for multi-homed websites might result in bypassing other URLs that resolve to the same IP address.


Release Date: 2/17/2017

Supported Client Operating Systems:

- Windows 7 32/64 bit (excluding home editions)

- Windows 8.x 32/64 bit (excluding home editions)

- Windows 10 32/64 bit (excluding home editions)

- OS X 10.9+

Resolved Issues:

- Resolved a BSOD on Windows 10.

- Resolved a service crash on Windows when a system goes to sleep or wakes up.

- Resolved a Captive Portal issue where after sending invalid credentials to the system, a user could get logged in as an unauthenticated user.

- Resolved a Captive Portal issue where user credentials expire after 120 seconds. Unified Agent now caches the user name for 24 hours.

- Resolved an issue where the agent service point probe was preventing the retrieval of a PAC file. Not applicable to cloud enforcement.

- Resolved a compatibility issue with Checkpoint VPN. The fix requires Checkpoint VPN E80.62 or later.

Features:

- Added ability to block DNS responses for IPv6 and force the use of IPv4 whenever possible.

- On installation, the Unified Agent attempts to install the SSL root certificate for SSL interception.

- The Unified Agent no longer uses DNS as the default to resolve a data center for connection. The appropriate data center is provided by a service in the cloud (data center).

Resolved Issues:

- Updated to OpenSSL 1.0.2j

Features:

- Unified Agent now queries the Web Security Service before attempting to connect. This allows the agent to go passive when appropriate without establishing a connection to the service.

Resolved Issues:

- Resolved an uninstall failure on Japanese versions of Windows.

- Resolved a service crash on Japanese versions of Windows.

Known Issues:

- Uninstall password for versions previous to 4.4 will be removed. You must use the portal to configure this option.

- Domain bypass for multi-homed websites might result in bypassing other URLs that resolve to the same IP address.

Compatibility Issues:


- ZoneAlarm: Unified Agent must be configured as a trusted application.

- Kaspersky: Unified Agent must be configured as a trusted application.

- Sophos: Cannot install Unified Agent on Windows 8 after Sophos Antivirus has been uninstalled.


Configure...

To connect remote users to the Symantec Web Security Service, you must download the Unified Agent application and install it on client systems, then configure various options on the service.

Plan

- "Plan the Remote User Access Method" on the next page

Install

- "Select Remote Client Access Method" on page 26

- "Route Remote Connections Through an HTTP Proxy" on page 50

- "Set Unified Agent Network/Security Options" on page 40

Configure Service

- "Prevent IP/Subnet From Routing to the Web Security Service" on page 44

- "Prevent a Domain From Routing to the Web Security Service" on page 46

- "Block Web Access When Service is Unavailable to Remote Users" on page 48

- "Prevent Automatic Updates to Remote Clients" on page 49

- "Route Remote Connections Through an HTTP Proxy" on page 50

- "Forward a Specific Port from Remote Clients" on page 52

- "Require Authentication Challenges" on page 53

- "Verify Service Connectivity to Locations" on page 54


Plan the Remote User Access Method

Complete the forms in the following sheet (one per location). Each entry lists the Information column, the Comments column, and the Values to fill in or check off.

Information: Remote Client OS
  Comments: Windows
  Values:
    [ ] Unified Agent
    [ ] Windows 7 32-64 bit (excluding Home editions)
    [ ] Windows 8 32-64 bit (Pro and Enterprise)
    [ ] Windows 10
  Comments: Apple OS X
  Values:
    [ ] Unified Agent
    [ ] Mavericks (version 10.9.x)
    [ ] Yosemite (version 10.10.x)
    [ ] High Sierra (version 10.13.x)

Information: Entrust Root CA 2048 Installed?
  Comments: Applies to Windows clients. Required for Internet connection. Consult the following Knowledge Base article: Entrust KB Article.
  Values:

Information: Network Information
  Comments: Proxy server locations:
  Values:
  Comments: To where is the application downloaded (network/folder location)?
  Values:

Information: VPN Client Tunnel
  Values:
    [ ] Split tunnel (cannot be full tunnel)

Information: Corporate Web Use Policy
  Comments: List trusted sources:
  Values:
  Comments: List trusted destinations:
  Values:
  Comments: List blocked categories/types:
  Values:

Information: Captive Portal
  Comments: Enable challenge-based auth?
  Values:
    [ ] Yes
    [ ] No


Select Remote Client Access Method

How to use this page.

- Learn—Provides information about the Access Method. What are the benefits? What are the disadvantages? Click to learn.

- Begin—Follow a procession of topics that walk you through the deployment for that Access Method. Click an icon or link to begin the walkthrough.

To provide Symantec Web Security Service to remote users, you must download the Unified Agent and install it on client systems.

Windows 7, 8, 10

Select a Unified Agent installation method.

- "Windows: Unified Agent Single Client Installation" on page 27

- "Windows: Unified Agent GPO Distribution" on page 30

Windows XP

Windows XP (SP3, 32 Bit) is no longer a supported platform for the client agent (formerly the Client Connector).

Apple OS X 9.x/10.x

Select a Unified Agent installation method.

- "Mac OS X: Unified Agent Single Client Installation" on page 37

- "Mac OS X: Unified Agent JAMF Distribution" on page 33


Windows: Unified Agent Single Client Installation

To provide Symantec Web Security Service to remote users on Windows 7.x, 8.x, or 10.x clients, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 9.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

- A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.

- For increased security in a production installation, Symantec recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

If you elect to hide the Proxy tab, but later decide you want the Unified Agent to display it, return to this page and enable the option. However, the Unified Agent does not display the tab until after the next client restart/reboot.

Step 2—Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Symantec Knowledge Base article:

https://support.symantec.com/en_US/article.TECH242793.html

Step 3—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the 32-bit or 64-bit button in the Windows 7.x, 8.x and 10.x Unified Agent section.


3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.

As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file.

Step 4—Install the Unified Agent on a Client System.

1. Launch the installer.

a. In Windows, navigate to the directory where you saved the UnifiedAgentInstaller[32 | 64]-version_number.msi file. Symantec strongly recommends that you record this full MSI name; it might be required for future uninstallation tasks.

b. Double-click the file, which launches the installer.

2. Follow the prompts in the wizard. Select a directory for installation. Click Next.

3. Click Install. The installation begins.

4. Click Finish to complete the installation.

5. The service displays the Installer Information dialog. Click Yes to reboot the computer.

Step 5—Verify the Client Installation.

When the system reboots, it connects to the Web Security Service and begins intercepting web-bound traffic.


1. In the Windows system tray, locate the Unified Agent icon and double-click it. Windows displays a dialog with the Status tab.

2. Verify that the connection to the Web Security Service is active.

(If the system detects a defined location, the agent displays ...in Passive Mode).

3. Use a browser on the client and attempt to access a site that belongs to a blocked category. The browser displays an exception (blocked content) page.

About the CTC and SSL Certificate

The Unified Agent connection to the CTC requires the SSL Root Certificate. Unified Agent installations also install this certificate. If the certificate is not present, Unified Agent remains operational but might fail to connect to the CTC in the Web Security Service datacenter. If this occurs, the agent reverts to the legacy DNS method to connect to the Web Security Service.

If the certificate is not installed because of an unforeseen permission issue, you can manually download it and install it (see Install Encrypted Traffic Certificates).

Next Selection

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 50.

- If not, proceed to "Set Unified Agent Network/Security Options" on page 40.


Windows: Unified Agent GPO Distribution

To provide Symantec Web Security Service to remote users on Windows 7.x or 8.x clients, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 9. This section describes how to use a Group Policy Object (GPO) to distribute the Unified Agent to multiple Windows 7.x or 8.x clients.

This method does not support using a command line to add optional parameters.

Server Prerequisites

This method requires the following.

- A Windows 2008 or 2012 domain controller.

- A DNS server.

- The Active Directory (AD) and DNS must be functional; this includes the DNS lookups of the AD domain controller.

- Verify the client system can resolve the name of the AD server that contains the client library.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

- A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.

- For increased security in a production installation, Symantec recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.


Step 2—Entrust Certificate Prerequisite

Each Windows client must have the Entrust Root CA 2048 installed. Without it, clients cannot connect to the Web Security Service. For more notes and installation steps, consult the following Symantec Knowledge Base article:

https://support.symantec.com/en_US/article.TECH242793.html

Step 3—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the 32-bit or 64-bit button in the Windows 7+ Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.

As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file. If the location of the file is not a Windows share, create a share. Verify that the directory and files have Read and Execute file system rights.

Step 4—Distribute the Unified Agent


1. On the domain controller, click Start and select Control Panel > Administrative Tools > Active Directory Users and Computers.

2. Right-click the domain and select Properties.

3. On the Group Policy tab, click New. Name the policy, such as InstallCloudClientMSI. Highlight the new GPO object and click Edit.

4. Navigate to Computer Configuration > Software Settings > Software installation.

a. Right-click Software Installation and select New > Package.

Verify that you have a valid UNC path. Click My Network Places > Entire Network > Microsoft Windows Network > server_domain > server_name > client_binary_share_name > select_the_binary.

b. For Deployment Method, select Assigned and click OK. If your new policy is not visible, right-click Software Installation and click Refresh.

5. If the workstation properly joins the domain, the client installs on the second reboot (it reads policy on the first bootup) and executes policy. The workstation installs the client and reboots once more.

6. Test.

About the CTC and SSL Certificate

The Unified Agent connection to the CTC requires the SSL Root Certificate. Unified Agent installations also install this certificate. If the certificate is not present, Unified Agent remains operational but might fail to connect to the CTC in the Web datacenter. If this occurs, the agent reverts to the legacy DNS method to connect to the Web Security Service.

If the certificate is not installed because of an unforeseen permission issue, you can manually download it and install it (see Install Encrypted Traffic Certificates).

Next Selection

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 50.

- If not, proceed to "Set Unified Agent Network/Security Options" on page 40.


Mac OS X: Unified Agent JAMF Distribution

To provide Symantec Web Security Service to remote users on Apple Mac OS X 9.x or later, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 9.

JAMF provides a widely used software solution to distribute applications. This section describes how to distribute the Unified Agent to Mac/OS X clients. For general information about using JAMF policies and packages, see the user documentation for JAMF at www.jamfsoftware.com.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

- A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.

- For increased security in a production installation, Symantec recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

You cannot regain visibility of the Proxy tab post-installation. You must re-install the Unified Agent with this option enabled.

Step 2—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 4: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.


As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installation file.

Step 3—High-Level JAMF Procedure

1. Create the upgrade packages for Unified Agent installation.

If you deploy both the on-box and cloud versions of the Unified Agent on your network, create two packages with different names.

2. Upload the packages to the JAMF file-distribution server. Place both packages in the same directory.

3. Create a policy with the following settings.

- Category—Select the appropriate setting for your network.

- Triggers—Select the appropriate setting for your network.

- Execution Frequency—Once per device.

- Add the following script.

sudo defaults write com.bluecoat.ua cmurl https://ProxySG_IP_address:8084


- Priority—Before. This permits the CMURL to be set before installation.

- Scope—Add the devices to update. Each of the devices must be marked as Managed.

- Restart—Not needed.

The interface displays the new policy in the list.

What Occurs on Employee Clients?

After you use JAMF to push the update package, the following events occur on the employee OS X client.

1. The client displays a Management Notification dialog.

2. The employee follows the prompts to accept and install the Unified Agent application.

Employee Template

(Optional) To notify your impacted employees and provide them with instructions, consider using the following template. Copy the contents into an email, edit as needed, and send.

[Company] is distributing a security update to your corporate Mac client. You will be prompted to [install / update] an application called Unified Agent. Perform the following steps.

1. When your Mac client receives the update, the client displays a Management Notification.

2. To complete the installation, click through the prompts.

3. If the client displays a prompt to accept a certificate, accept it. This is required to receive the application.

If you have any questions or issues, contact IT.

About the CTC and SSL Certificate

The Unified Agent connection to the CTC requires the SSL Root Certificate. Unified Agent installations also install this certificate. If the certificate is not present, Unified Agent remains operational but might fail to connect to the CTC in the Web datacenter. If this occurs, the agent reverts to the legacy DNS method to connect to the Web Security Service.

If the certificate is not installed because of an unforeseen permission issue, you can manually download it and install it (see Install Encrypted Traffic Certificates).

Next Selection

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 50.

- If not, proceed to "Set Unified Agent Network/Security Options" on page 40.


Mac OS X: Unified Agent Single Client Installation

To provide Symantec Web Security Service to remote users on Apple Mac OS X 10.9.x or later, you must download the Unified Agent and install it on client systems. See "About Remote User Protection" on page 9.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on client systems. You must configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceed through the Web Security Service.

Step 1—HTTP Proxy Connection Required? (Unified Agent 4.4+ only)

This applies to Unified Agent 4.4 and later only. You must make the following decision before installing the Unified Agent.

In Service Mode, select Mobility > Unified Agent.

- A scenario might require this or other clients to connect to the Web Security Service through an HTTP proxy. For example, you have a test or demonstration network. Before installing the Unified Agent on a client, you must select Allow access to Proxy Settings in agent, which makes the Proxy tab visible after installation.

- For increased security in a production installation, Symantec recommends clearing this option, which means that the Proxy tab is neither visible nor available in the Unified Agent application on the employee's client system.

If you elect to hide the Proxy tab, but later decide you want the Unified Agent to display it, return to this page and enable the option. However, the Unified Agent does not display the tab until after the next client restart/reboot.

Step 2—Download the Unified Agent Installer.

If you downloaded the Unified Agent during the Initial Configuration Wizard process, begin with Step 3: Install the Client.

1. In Service Mode, select Mobility > Unified Agent.

2. In the Installers area, click the Download button in the OS X 10.9 or later Unified Agent section.

3. If this is the first time you are attempting to download the application after the Web Security Service version 6.5.2 went live, the service displays the Profile dialog.


As a company that provides security services across the globe, Symantec supports and complies with United States and local export controls. As an authorized member of your enterprise/organization, you must complete this form before downloading the Unified Agent. The fields with blue asterisks (*) are required.

Click Save to update your profile and then close the dialog.

4. Download the installer.

Step 3—Install the Unified Agent on a Client System.

1. Launch the installer assistant.

a. Navigate to the directory where you saved the installer. Double-click it to mount the disk image.

b. Navigate in the Finder and select the Unified Agent .pkg file; double-click. The OS displays the Unified Agent installer.

2. Click Continue. The Unified Agent Installation wizard begins.

3. The installer displays a prompt for the administrator user name and password.

4. When the installation completes, click Close.

From the toolbar, select the Unified Agent icon and select Status. On the Advanced tab, verify that the agent is running (if you still require a proxy connection to the Internet, see below).

About the CTC and SSL Certificate

The Unified Agent connection to the CTC requires the SSL Root Certificate. Unified Agent installations also install this certificate. If the certificate is not present, Unified Agent remains operational but might fail to connect to the CTC in the Web datacenter. If this occurs, the agent reverts to the legacy DNS method to connect to the Web Security Service.

If the certificate is not installed because of an unforeseen permission issue, you can manually download it and install it (see Install Encrypted Traffic Certificates).

Next Selection

- If you enabled the Allow access to Proxy Settings option in Step 1, proceed to "Route Remote Connections Through an HTTP Proxy" on page 50.

- If not, proceed to "Set Unified Agent Network/Security Options" on page 40.


Set Unified Agent Network/Security Options

The Web Security Service provides several options that allow you to specify how the Unified Agent behaves on the client and how to route traffic.

Unified Agent Security Options

In Service Mode, select Mobility > Unified Agent.

This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message.

Step 1—Configure client-side options.

a. Determine the Fail Behavior, which is what happens to web requests if the Web Security Service is not available from remote locations. For more details, see "Block Web Access When Service is Unavailable to Remote Users" on page 48.

b. You have the option to Prompt users when a new Unified Agent version is available, or prevent automatic updates and distribute from a central location at a time of your choosing. For more details, see "Prevent Automatic Updates to Remote Clients" on page 49.

Step 2—Define Unified Agent-specific options.

The following configurations apply only to the Unified Agent.


a. The option to allow employees to access the Proxy Settings tab on their Unified Agent applications is a decision made before installation. Return to "Select Remote Client Access Method" on page 26.

b. Allow agent to be disabled by user (only available for Unified Agent v4.4+). If you select Yes, your employees can (temporarily) disable the Unified Agent. For a business use case and more information, see "Manually Disable the Unified Agent" on page 64.

c. Available for Unified Agent v4.4+. See "Uninstall the Unified Agent" on page 57 for more details.

d. Block IPv6 traffic prevents requested connections to destinations with IPv6 addresses.

Step 3—(Optional) Bypass QUIC traffic (v4.8+ only).

Select Allow Google QUIC only if you have a business requirement, or a preference for the highest performance, to bypass QUIC connections. For more information, see the QUIC section in "About Remote User Protection" on page 9.

Step 4—Override Employee Actions (v4.8+ only).

The following options determine the behavior that results from actions that employees could attempt from their client systems.

- Disable Tamper Protection—Select this option if your preference is to allow Unified Agent to fail open (allow connections) should the agent be unable to connect to the Web Security Service. Be advised that these connections are not subject to policy checks and malware detection.

- Ignore Proxy Settings—Select this option to ensure that no matter what proxy connection setting the client user attempts to define, the Unified Agent always connects directly to the Web Security Service.

Step 5—Select what connection provides the username (v4.6+ only).

By default, a Unified Agent process sends the User ID through the tunnel to the Web Security Service. This ensures an accurate account of who initiated the request and allows for policy enforcement and reporting. Your network might have third-party products that also intercept these connections, which causes the Web Security Service to erroneously view the username as something similar to the following. Examples of these products include anti-virus programs and applications that run browsers in a secure virtual container.

NT AUTHORITY\SYSTEM

This prevents user-based policy enforcement and reporting. To be compatible with third-party interceptions that cause this issue, instruct the Unified Agent to send the logged-in username (applies to Unified Agent v4.6+).


On the Mobility > Unified Agent page, select Logged in User ID from the Username Format drop-down list.

For a current list of known third-party applications that cause this issue, see NT AUTHORITY\SYSTEM Username Returned From the UA.
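Before switching the Username Format, it helps to know which clients are actually reporting the SYSTEM account. The following check is an added example and not part of the guide or the product; it parses constructed, tab-separated sample records (not the service's real log format) and reports, per client, how many requests arrived with the NT AUTHORITY\SYSTEM username.

```python
import collections
from typing import Dict, List, Tuple

# Username the guide says the service sees when a third-party product (anti-virus,
# browser sandbox) intercepts the tunnel before the Unified Agent attaches the real user.
SYSTEM_ACCOUNT = r"NT AUTHORITY\SYSTEM"

# Constructed sample records, not the service's real log format. One request per
# line, tab-separated as: <timestamp> <client_ip> <username> <url>.
SAMPLE_LOG = (
    "2018-02-28T10:00:01Z\t192.168.1.20\tCORP\\alice\thttps://example.com/\n"
    "2018-02-28T10:00:02Z\t192.168.1.20\tNT AUTHORITY\\SYSTEM\thttps://example.com/app\n"
    "2018-02-28T10:00:03Z\t192.168.1.20\tNT AUTHORITY\\SYSTEM\thttps://example.com/api\n"
    "2018-02-28T10:00:04Z\t192.168.1.21\tCORP\\bob\thttps://example.org/\n"
    "2018-02-28T10:00:05Z\t192.168.1.21\tCORP\\bob\thttps://example.org/x\n"
    "malformed line that the parser must skip\n"
)


def system_user_ratio(log_text: str) -> Dict[str, Tuple[int, int]]:
    """Return {client_ip: (requests attributed to SYSTEM, total requests)}."""
    system_hits = collections.Counter()
    total = collections.Counter()
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 4:
            continue  # skip malformed records instead of mis-attributing them
        _timestamp, client, user, _url = fields
        total[client] += 1
        if user.upper() == SYSTEM_ACCOUNT:
            system_hits[client] += 1
    return {client: (system_hits[client], total[client]) for client in total}


def clients_needing_logged_in_user_id(log_text: str, min_ratio: float = 0.5) -> List[str]:
    """Clients where at least min_ratio of requests carry the SYSTEM account.

    These are the candidates for the Logged in User ID setting, and the machines
    on which to look for the intercepting third-party product.
    """
    ratios = system_user_ratio(log_text)
    return sorted(client for client, (hits, seen) in ratios.items()
                  if seen and hits / seen >= min_ratio)


if __name__ == "__main__":
    for client, (hits, seen) in system_user_ratio(SAMPLE_LOG).items():
        print(f"{client}: {hits}/{seen} requests logged as {SYSTEM_ACCOUNT}")
    print("clients to review:", clients_needing_logged_in_user_id(SAMPLE_LOG))
```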

Step 6—Define Network Connections.

1. Change listening ports.

If clients are configured to have ports other than the defaults (80, 443, and 8080) listen for web requests, add those ports to the Web Security Service. For more information, see "Forward a Specific Port from Remote Clients" on page 52.

2. Bypass IP addresses/subnets and domains.

By default, the Web Security Service bypasses the following RFC 1918 addresses.

- 10.0.0.0/8

- 169.254.0.0/16

- 172.16.0.0/12

- 192.168.0.0/16

If a destination request contains one of these IP addresses, the traffic bypasses the Web Security Service and the client connects directly.


Personal choices or business requirements might require you to configure theWeb Security Service to bypassadditional IP addresses/Subnets and Domains. For example, bypass test networks. 

Clicking Network > Bypassed Sites link takes you to that screen, as this is a shared configuration with otherWebSecurity Service features.

n For more details, see "Prevent IP/Subnet From Routing to the Web Security Service" on page 44.

n Allow remote client requests to bypass specific domains (only available for Unified Agent v4.4+). See "Prevent a Domain From Routing to the Web Security Service" on page 46.

Step 7—(Optional) Enable challenge-based authentication (Captive Portal).

To enforce accurate user credentials rather than rely on locally cached credentials, select Enable Captive Portal for remote users (using Unified Agent). This option requires deployment of the Auth Connector application, which integrates with your Active Directory to provide username and group information.

For more details about the network footprint, see "About Challenge-based Auth (Captive Portal)" on page 15.


Prevent IP/Subnet From Routing to the Web Security Service

IMPORTANT—This topic only applies to locations that use the Explicit Proxy and Unified Agent (v4.4+) Access Methods to connect to the Symantec Web Security Service. All other access methods ignore any bypass domain configurations.

Some source IP addresses or subnets do not require Symantec Web Security Service processing. For example, you want to exclude test networks. Configure the service to ignore these connections.

Notes

n The Web Security Service allows an unlimited number of bypassed IP addresses/subnets.

n Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.

Manually Add IP Addresses

1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.

2. Click Add Bypass IP(s). The service displays a dialog.

a. Enter an IP/Subnet.

b. (Optional) Enter a Comment.

c. (Optional) Click the + icon to add another row for another entry.

d. Click Add Bypass IP(s).

The new entries display in the tab view. You can edit or delete any entry from here.

Import IP Address Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of IP addresses to be bypassed. Each entry in the file must be on its own line.


1. In Service Mode, select the Network > Bypassed Sites > Bypassed IP/Subnets tab.

2. Click Add Bypass IP(s). The service displays the Add Bypass IP Address/Subnet dialog.

3. Click Add Bypass IP(s). The portal displays a dialog.

a. Select Import From File.

b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

c. Click Add Bypass IP(s).

All of the new entries display in the tab view. You can edit or delete any entry from here.

If you linked to this page from the Remote User Location solution page, return to Connect Remote Users.


Prevent a Domain From Routing to the Web Security Service

IMPORTANT—This topic only applies to locations that use the Explicit Proxy and Unified Agent (v4.4+) Access Methods to connect to the Symantec Web Security Service. All other access methods ignore any bypass domain configurations.

Some destinations, such as intranets, do not require Web Security Service processing. Configure the service to ignore these connections. Another use case is that you have a use policy enabled, such as blocking several leisure categories, but you want to relax restraints for remote users and allow their requests to bypass the Web Security Service en route to specific sites.

Notes

n The Web Security Service allows an unlimited number of bypassed domains.

n The setting is global; that is, it applies to every location/client in your Web Security Service account.

n Be advised that multi-homed domains might lead to over-bypassing a site.

n Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client checks against any updates to the list.

Manually Add Domain Entries

1. In Service Mode, select the Network > Bypassed Sites > Bypassed Domains tab.

2. Click Add Bypass Domains. The portal displays a dialog.

a. Enter a valid Domain.

b. (Optional) Enter a Comment.

c. (Optional) Click the + icon to add another row for another entry.


d. Click Add Bypass Domain.

The new entries display in the tab view. You can edit or delete any entry from here.

Import Domain Entries From a Saved List

This procedure assumes that you have already created an accessible list (text file) of domains to be bypassed. Each entry in the file must be on its own line.

1. In Service Mode, select the Network > Bypassed Sites > Bypassed Domains/URL tab.

2. Click Add Bypass Domain(s). The service displays the Add Bypass Domain dialog.

3. Click Add Bypass Domain(s). The portal displays a dialog.

a. Select Import From File.

b. Click Browse. The service displays the File Upload dialog. Navigate to the file location and Open it.

c. Click Add Bypass Domain.

All of the new entries display in the tab view. You can edit or delete any entry from here.
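Both import procedures (IP/subnets above and domains here) take a text file with one entry per line and accept whatever is in it, so a pre-upload check saves a round of edit-and-delete in the portal. The following Python script is an added example, not part of this guide: it rejects malformed IP/subnet or domain entries, flags entries already covered by the default RFC 1918 bypasses or by an earlier line, and flags prefixes so broad they would over-bypass. The MIN_PREFIX_LEN threshold and the sample lists are assumptions made for the example.

```python
import ipaddress
import re

# Ranges the guide lists as bypassed by default (RFC 1918 plus link-local).
DEFAULT_BYPASSED = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16")
]

# Assumed review threshold (not a value from the guide): a prefix shorter
# than this bypasses an enormous address space and is almost always a typo.
MIN_PREFIX_LEN = 8

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name):
    """Syntactic hostname check: dotted labels only, no scheme, path or port."""
    if not name or len(name) > 253 or "/" in name or ":" in name:
        return False
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def check_ip_entries(lines):
    """Validate one IP/subnet per line. Returns [(line_no, entry, finding)]."""
    findings = []
    accepted = []  # (line_no, network) of entries that parsed cleanly
    for no, raw in enumerate(lines, 1):
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append((no, entry, "invalid IP/subnet"))
            continue
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append((no, entry, "prefix too broad (over-bypass risk)"))
        if any(d.version == net.version and net.subnet_of(d) for d in DEFAULT_BYPASSED):
            findings.append((no, entry, "already covered by a default bypass"))
        for prev_no, prev in accepted:
            if prev.version == net.version and net.subnet_of(prev):
                findings.append((no, entry, f"already covered by line {prev_no}"))
                break
        accepted.append((no, net))
    return findings


def check_domain_entries(lines):
    """Validate one domain per line. Returns [(line_no, entry, finding)]."""
    findings = []
    first_seen = {}
    for no, raw in enumerate(lines, 1):
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if not is_valid_domain(entry):
            findings.append((no, entry, "not a bare domain (scheme, path or port present?)"))
            continue
        if entry in first_seen:
            findings.append((no, entry, f"duplicate of line {first_seen[entry]}"))
            continue
        first_seen[entry] = no
    return findings


# Constructed sample files (not real customer data).
SAMPLE_IPS = """\
# test networks to bypass
10.20.0.0/16
172.16.5.0/24
203.0.113.0/24
203.0.113.40
0.0.0.0/0
256.1.1.1
"""

SAMPLE_DOMAINS = """\
intranet.example.com
https://portal.example.com/login
Intranet.Example.com
"""


def main():
    for label, text, check in (("IP", SAMPLE_IPS, check_ip_entries),
                               ("domain", SAMPLE_DOMAINS, check_domain_entries)):
        for no, entry, why in check(text.splitlines()):
            print(f"{label} list line {no}: {entry!r}: {why}")


if __name__ == "__main__":
    main()
```

Entries flagged as already covered are harmless to upload but clutter the tab view; a too-broad prefix or a URL pasted where a bare domain belongs is the kind of mistake worth catching before it becomes a global bypass.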

If you linked to this page from the Remote User Location solution page, return to Connect Remote Users.


Block Web Access When Service is Unavailable to Remote Users

By default, the Symantec Web Security Service allows remote clients unabated web access if the service becomes unavailable. For maximum security, set the fail behavior to block access until IT or Symantec restores the service.

1. In Service Mode, select Mobility > Unified Agent.

2. The default is Allow All Traffic. From the Fail Behavior drop-down list, select Block All Traffic.

This page does not contain an Apply button. Selecting the option sets the configuration, as indicated by the displayed message.


Prevent Automatic Updates to Remote Clients

Symantec periodically updates the Unified Agent, which is an application that allows remote users to connect to the Web Security Service. By default, the Web Security Service alerts remote users when a new Unified Agent software version is available. Similar to other application updates, the end user receives a prompt to update the software. They must click Install and follow the manual process to replace the current version with the new version (this operation does not require administrative access).

Your standard practices might not allow users to manage their own business applications. Or you might find it more efficient to roll out all business software updates on a set calendar basis. You can configure the Web Security Service to not notify end users of new Unified Agent updates, which allows you to download the new version to your central location and distribute it at a time of your choosing.

1. In Service Mode, select Mobility > Unified Agent.

2. For the Prompt client user for update option, select No.

There is no Apply button on this page. Selecting the option sets the configuration, as indicated by the displayed message.


Route Remote Connections Through an HTTP Proxy

If you encounter a situation that requires the Unified Agent to connect to the Symantec Web Security Service through an HTTP proxy, such as a test network trial or demonstration, you must provide the proxy IP address.

Perform the following steps on Windows or Mac clients.

If you do not see the Proxy tab, you or another administrator installed the client with the option to hide that tab enabled. This is a higher-security measure that prevents employees from evading the corporate-to-Internet egress addresses that are linked to enforced browsing policies. If a particular client requires this setting, you must re-install the agent on the system.

If you configure this option, you cannot select the Unified Agent 4.8+ Ignore Proxy Settings option on the Mobility > Unified Agent page.

In Windows

This section demonstrates the Unified Agent.

1. Right-click the Unified Agent icon in the system tray and select Proxy Settings.

a. Select the Connect to the Blue Coat Cloud Service using the HTTP proxy at: option.

b. Enter the IP address and port number in the appropriate fields.

c. (Optional) If required to gain access to the proxy server, enter the proxy user name and password.

d. Click Apply.

In OS X:

This section demonstrates the Unified Agent.


1. Click the Unified Agent icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the dialog.

2. Click the Proxy tab.

a. Select Connect to the Blue Coat Cloud Service using the HTTP proxy at.

b. Enter the HTTP proxy IP Address and Port.

c. (Optional) If the HTTP proxy requires a User Name and Password for access, enter those.

3. Click Apply.

Next Step

n Proceed to "Set Unified Agent Network/Security Options" on page 40.


Forward a Specific Port from Remote Clients

By default, the Symantec Web Security Service accepts traffic from the Unified Agent that is installed on client systems, from common gateway ports of 80 (HTTP), 443 (HTTPS) and 8080 (Explicit Proxy HTTP). The default ports are not changeable, but if your remote clients are configured to use other or additional ports for HTTP/HTTPS traffic, configure the Web Security Service to listen on those ports. For example, the Web Security Service must also listen to ports 8000 (HTTP) and 8083 (HTTPS).

1. In Service Mode, select Mobility > Unified Agent.

2. In the Forwarding Ports area, click Edit Ports. The service displays the Edit Forward Ports dialog.

3. Specify the ports.

a. Select Ports to Forward.

b. Default Ports—You cannot select the default ports of 80 and 443, but you can select 8080.

c. Additional Ports—If your gateway forwards web traffic on ports other than the defaults, specify them by selecting the appropriate traffic type and entering the port. You can only enter one port in each field.

d. Click Save.

Next Step

n Return to Connect Remote Users.


Require Authentication Challenges

To enforce accurate user credentials rather than rely on locally cached credentials, you enable Captive Portal on the Web Security Service. See About Challenge-based Auth (Captive Portal).

This option requires deployment of the Symantec Auth Connector application, which integrates with your Active Directory to provide username and group information.

1. In Service Mode, select Network > Mobility.

2. Enable Captive Portal.

3. As mentioned above, Captive Portal requires a deployed Auth Connector, which forwards user and group information to the service. The blue Authentication section link in the descriptive paragraph takes you to this location in the user interface.


Verify Service Connectivity to Locations

After configuring access to the Symantec Web Security Service, verify that the service is receiving and processing content requests.

1. Click the Service link (upper-right corner).

2. Select Network > Locations.

3. Verify the status of each location.

Various icons represent the connection status.

Icon / Connection Status Description

n The Web Security Service recognizes the location and accepts web traffic.

n A location has been configured, but the Web Security Service cannot connect. Verify that the web gateway device is properly configured to route traffic.

n A previously successful web gateway to Web Security Service configuration is currently not connected.

Proxy Forwarding—Verify the gateway address in the forwarding host is correct.

If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode.


Mac

If the system detects a corporate network that provides web access and security, the Unified Agent enters into passive mode.

From a client system that has web access (or the specific test client if so configured), browse to the following site:

test.threatpulse.com


The test is successful if you see the following webpage.


Uninstall the Unified Agent

The Symantec Unified Agent is an application installed on remote systems that frequently connect to the Internet from non-corporate networks. You have the option to require an uninstall token, which employees must enter to remove the Unified Agent.

Available Options

n "Unified Agent—With Uninstall Token" below

n "No Token Defined/Client Connector" on page 60

n "CLI" on page 60

n "MSI Version Mis-Match (Unknown MSI)" on page 60

Unified Agent—With Uninstall Token

Employees attempting to uninstall the Unified Agent require an uninstall token that you define in the Web Security Service portal.

Information

n This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

n If you have previously deployed Unified Agent to clients and used the CLI options (Windows: SUP=password; OSX: "--args -SUP password"), those passwords are no longer valid. You must log in to the portal and define the uninstall token.

n Each time that a Unified Agent reconnects to the Web Security Service (for example, a user who takes a laptop off campus and connects through a non-corporate network), the client receives the latest uninstall token.

n If you did not define an uninstall token, you can use the Control Panel.

Procedure

1. In Service Mode, select Mobility > Unified Agent.

2. Define the uninstall token.


a. Select Require token to uninstall agent: Yes.

b. Click Uninstall Token (or Change Token if you or someone previously obtained a token). The service displays the Set Unified Agent Uninstall Token dialog.

c. Name the Uninstall Token and click Set Token. The service displays that an uninstall token was set on a given date and time.

d. Distribute the uninstall token and instructions (see below) to those who have permission to uninstall the Unified Agent.

You can change the uninstall token any time.


Windows

If it still exists on the client, running the correct MSI installer allows you to remove the client application. If the MSI does not exist, you can download it again from the Web Security Service portal. If you attempt this method and receive an error string that begins with Another version of this product is already installed..., see "MSI Version Mis-Match (Unknown MSI)" on page 60.

n Execute the Unified Agent installer (MSI).

In the Removal...uninstall token field, enter the token and click Validate.

The equivalent CLI command is UNINSTALL_TOKEN=password, where password is the token obtained from the portal.

If an employee attempts to remove the Unified Agent from the Windows > Control Panel menu, they receive a pop-up message prompting them to contact their Administrator for removal permission.

OS X

1. In the menu bar, click the Unified Agent icon.

2. Hold down the Option and Alt keys. The Quit menu changes to Uninstall.

3. The system prompts you for the uninstall token.


Enter the uninstall token and click OK.

4. Click Uninstall.

No Token Defined/Client Connector

If an uninstall token was not generated in the portal, follow the standard process for removing a program.

Windows

(Start > Control Panel > Add/Remove Programs). You must have administrative rights to the system.

OS X

1. In the menu bar, click the Unified Agent icon.

2. Hold down the Option and Alt keys. The Quit menu changes to Uninstall.

3. Click Uninstall.

Alternative

Navigate to /Library/Application Support/Blue Coat Systems and double-click the cloud-client-uninstaller.

CLI

If you know or recorded the exact MSI that was used to install the application, use the CLI command to remove it.

msiexec /x {MSI_Value} [/quiet UNINSTALL_TOKEN=password]

Reference—MSI Versions

n See "Reference: Remote Client Application Package Versions" on page 65 for versions.

MSI Version Mis-Match (Unknown MSI)

The following scenario creates an MSI-version mis-match.

n You configured the option in the Web Security Service portal to allow Unified Agent clients to automatically update.

n You defined an uninstall token.

For example, you downloaded and installed Unified Agent 4.4, then (per configuration) the portal automatically updates the installed client versions to 4.5 when Symantec posts it to datacenters. With the uninstall token option defined, you or employees cannot uninstall the application because no MSI was downloaded and paired with the upgraded product ID.

To remove the application, you must use the CLI command with the correct product ID code.

msiexec /x {product_id_code} /quiet UNINSTALL_TOKEN=password

You find this code one of two ways:

n (Recommended) Review the MSI uninstall failure log.

n Find it in the registry. For more information about this method, see the Knowledge Base article.

https://support.symantec.com/en_US/article.TECH246265.html

The product ID is the same for all installation instances, which means you can create scripts to remove the application from multiple clients.


Troubleshoot...

Attempt to solve remote client application connections.

n "Unified Agent Drops Connections" on the next page

n "Manage Web Security Service Client Connections" on page 63

n "Captive Portal Diagnostic Messages" on page 66

n "Capture Remote Client Trace Log" on page 68


Unified Agent Drops Connections

n Symptom

The Unified Agent randomly loses connection and then reconnects, causing interruptions to internet access.

Check

On computers with both a wired and a wireless network connection, ensure that both interfaces are not connected at the same time. This causes the client to roll from one interface to the other, which might cause connection interruptions.

n Symptom

Unified Agent installation fails.

Check

Multiple failed installation attempts might cause registry entries that compound the failures. See the UA Installation Article.


Manage Web Security Service Client Connections

If employees are sending complaint requests regarding dropped connections to the web, reviewing the Symantec Web Security Service client connection status might help you determine if this is a widespread or minimal issue. Also, if you see a client on the system that you do not believe belongs in your organization (for example, a stolen laptop), you can log in to the Web Security Service portal and block access to that client while you investigate.

To review client connections, in Service Mode click the Mobility > Agent Status tab.

Your organization might have hundreds to thousands of client connections at any given moment. Use the search field to yield targeted results. As you enter text, the portal uses auto-fill to match entries. Select the option on which to sort.

See Manage Remote/Mobile Device Connections for more details.


Manually Disable the Unified Agent

The Symantec Unified Agent, installed on employee devices such as laptops, provides web security when the client is not connected to an on-premise network. Although the Unified Agent should function in any network, sometimes an unforeseen environment might cause connection issues or prevent the Unified Agent from passing web traffic to the Web Security Service. Your business might depend on the efficiency of personnel in the field who cannot be disrupted by a lack of an Internet connection.

You can configure the Web Security Service to allow employees to temporarily disable the Unified Agent should connection issues occur. The Unified Agent remains disabled only until the client machine reboots or the employee initiates a reconnect from the Unified Agent interface.

Furthermore, this setting in the Web Security Service applies to all Unified Agents in the field. You cannot selectively target which installations receive the disable option.

This feature only functions for clients running Unified Agent v4.4+ (released July 11, 2014).

Activate the Disable Option

1. In Service Mode, select Mobility > Unified Agent.

2. In the Unified Agent Settings area, select Yes for the Allow agent to be disabled by user option.

Instruct Employees How to Disable the Unified Agent

Windows

In the system tray, right-click the Unified Agent icon and select Disable Unified Agent. Employees can also return here and Enable the agent.

OS X

Click the Unified Agent icon in the menu bar and select Disable Unified Agent. Employees can also return here and Enable the agent.


Reference: Remote Client Application Package Versions

MSI String / Product ID

Unified Agent

o UnifiedAgentInstaller64-4.9.4.212024.msi
{1536286D-6678-4FCD-A732-9E794A0ACDF7}

o UnifiedAgentInstaller64-4.9.1.208066.msi
{758D4802-6245-4EAA-8C8C-EEA3B50A246B}

o UnifiedAgentInstaller64-4.8.0.201333.msi
o UnifiedAgentInstaller32-4.8.0.201333.msi
{12C3173D-00E4-4D80-B229-D0DA792E8898}

o UnifiedAgentInstaller64-4.7.3.194344.msi
o UnifiedAgentInstaller32-4.7.3.194344.msi
{5FEBEFA8-C6F2-4395-B329-2461C973DE34}
{CD54CD6F-C16C-4155-9E1D-26A58C3D24D8}

o UnifiedAgentInstaller64-4.7.1.188819.msi
o UnifiedAgentInstaller32-4.7.1.188819.msi
{57A84D92-77A7-4C63-B847-FF7087C7D878}
{226C2DE9-7D3E-4A8C-8078-47DF0BE257F8}

o UnifiedAgentInstaller64-v4.6.0.157065.msi
{D6FD56F5-00E5-4954-8CED-DC1F9F2887F6}

o UnifiedAgentInstaller64-4.5.1.152154.msi
o UnifiedAgentInstaller32-4.5.1.152154.msi
o MacUnifiedAgentInstaller-4.5.0.1499220.dmg
{61BDFA31-62A5-41CB-9833-D602056B8751}

o UnifiedAgentInstaller64-4.5.0.148992.msi
o UnifiedAgentInstaller32-4.5.0.148992.msi
o MacUnifiedAgentInstaller-4.5.0.1499220.dmg
{216652C2-709F-449B-B92F-9723C7E78384}


Captive Portal Diagnostic Messages

When Captive Portal is enabled for remote clients on the Symantec Web Security Service, various messages are logged in association with user login activities and authentication. They display on the Service mode > Troubleshooting > Mobile Clients page.

Log Entry / Description

CAResp<0> Captive Portal enabled: true

Indicates when Captive Portal was enabled (Service mode > Network > Mobility).

Captive portal authentication succeeded for username

Indicates when a user successfully logged in.

Authentication server error, connecting as unauthenticated user

If the Auth Connector becomes unavailable, the user receives the following error message: Authentication server error, connecting as unauthenticated user (also, the Web Security Service adds the event to the diagnostic log). The behavior defaults to what happens when Captive Portal is not enabled. That is, the user's access credentials create a tunnel. For diagnostic analysis, this Advanced dialog entry is unauthenticated(user_name).

Account restricted - CP auth failed for user: username

A user attempted to log in with incorrect credentials more times than the limit set in the Active Directory.
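The third entry above is the one that deserves an alert: while the Auth Connector is unreachable, tunnels are built for unauthenticated users and user/group policy is not applied. The following Python script is an added example, not part of this guide, that classifies exported diagnostic lines by the documented message text and summarises them; the timestamp prefix on each line and the sample log are constructed assumptions.

```python
import re
from collections import Counter

# Message texts come from the guide's Captive Portal diagnostic table; the
# timestamp prefix on each exported line is an assumption for this example.
PATTERNS = {
    "cp_enabled": re.compile(r"Captive Portal enabled: (true|false)"),
    "auth_ok": re.compile(r"Captive portal authentication succeeded for (\S+)"),
    "auth_server_error": re.compile(
        r"Authentication server error, connecting as unauthenticated user"),
    "account_restricted": re.compile(
        r"Account restricted - CP auth failed for user: (\S+)"),
}

# Constructed sample export (not real log data).
SAMPLE_LOG = """\
2018-02-28 08:00:01 CAResp<0> Captive Portal enabled: true
2018-02-28 08:01:12 Captive portal authentication succeeded for alice
2018-02-28 08:01:40 Captive portal authentication succeeded for bob
2018-02-28 08:05:03 Authentication server error, connecting as unauthenticated user
2018-02-28 08:05:05 Authentication server error, connecting as unauthenticated user
2018-02-28 08:09:30 Account restricted - CP auth failed for user: carol
2018-02-28 08:10:00 Captive portal authentication succeeded for alice
"""


def classify(line):
    """Map one diagnostic line to a documented message kind and its argument."""
    for kind, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            return kind, (match.group(1) if match.groups() else None)
    return "other", None


def triage(lines):
    """Summarise the log and raise alerts for conditions an admin must act on."""
    summary = {
        "cp_enabled": None,               # last reported Captive Portal state
        "auth_ok": Counter(),             # successful logins per user
        "unauthenticated_fallbacks": 0,   # tunnels built without a verified user
        "restricted_users": [],           # AD lockouts surfaced by Captive Portal
        "other": 0,
        "alerts": [],
    }
    for line in lines:
        if not line.strip():
            continue
        kind, arg = classify(line)
        if kind == "cp_enabled":
            summary["cp_enabled"] = (arg == "true")
        elif kind == "auth_ok":
            summary["auth_ok"][arg] += 1
        elif kind == "auth_server_error":
            summary["unauthenticated_fallbacks"] += 1
        elif kind == "account_restricted":
            if arg not in summary["restricted_users"]:
                summary["restricted_users"].append(arg)
        else:
            summary["other"] += 1

    # Fail-open: with the Auth Connector unreachable the tunnel is built on the
    # unauthenticated identity, so user- and group-based policy and reporting
    # are not enforced for those sessions.
    if summary["unauthenticated_fallbacks"]:
        summary["alerts"].append(
            f"Auth Connector unavailable: {summary['unauthenticated_fallbacks']} "
            "session(s) connected as unauthenticated user; check Auth Connector health")
    if summary["cp_enabled"] is False:
        summary["alerts"].append(
            "Captive Portal reported disabled; locally cached credentials in use")
    for user in summary["restricted_users"]:
        summary["alerts"].append(
            f"AD lockout threshold reached for {user}; confirm with the user "
            "before unlocking, since repeated failures may not be their own")
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    print("logins per user:", dict(result["auth_ok"]))
    print("unauthenticated fallbacks:", result["unauthenticated_fallbacks"])
    for alert in result["alerts"]:
        print("ALERT:", alert)
```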


Review System Events Generated by Remote Clients

You can view a list of system events recorded by the Unified Agent by opening the diagnostics log file. This text file displays events with time stamps whenever the network or client status changes as a result of user input or other system disturbances.

The diagnostic log file is automatically created by the remote client application and does not require setup. To view the auto-generated log file, refer to the following action steps.

In Windows:

1. In the system tray, double-click the installed client icon. The service displays the Status tab of the client dialog.

2. Click the Advanced tab.

3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename shows the log creation date (for example, the filename UnifiedAgent_Diag_07072016-1047.txt indicates the file was created on July 7, 2016 at 10:47 AM).

In OS X:

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The service displays the Status tab of the client dialog.

2. Click the Advanced tab.

3. Click Show File to open the folder containing the log files. Double-click a log file to view the contents. The log filename shows the log creation date (for example, the filename UnifiedAgent_Diag_07072016-1047.txt indicates the file was created on July 7, 2016 at 10:47 AM).


Capture Remote Client Trace Log

If your remote user employees are sending complaints about network access to the web and they have the Unified Agent installed and routing web requests to the Symantec Web Security Service, you can capture tracing logs from the client to help diagnose client-related issues (if you are working with Technical Support, they might also request this information). As the capture must be performed on the client system, you must initiate the process by performing one of the following actions:

n Have the employee bring you their client system.

n Gain access to their system through a remote connection.

n Instruct the employee on how to perform the capture and send you the file.

To perform a packet capture, refer to the following action steps:

In Windows

1. In the system tray, double-click the installed client icon. The system displays the Status tab of the client dialog.

2. Click the Advanced tab.

a. Click Start Tracing to initiate a trace capture. When you begin a trace capture, the service displays the path to the trace file.

b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart Windows, and return to this dialog to stop the capture.

c. Stop the trace capture by clicking Stop Tracing.

d. Click Open Trace Folder to display the folder that contains the trace file to send to support.

In OS X

1. Click the installed client icon in the menu bar (located at the upper right-hand corner of the screen) and click Status. The system displays the Status tab of the client dialog.


2. Click the Advanced tab. 

a. Click Start Tracing to initiate a trace capture.

b. (Optional) To capture information that begins with system boot up, select the Enable tracing on startup option, restart the computer, and return to this dialog to stop the capture.

c. Stop the trace capture by clicking Stop Tracing.

d. To view the trace (packet capture) information, use the OS X Console application to open the System Log. You can find the Console application in the OS X Utilities folder. Unified Agent trace messages are added to the system log. To just see these messages, enter bcua in the search field (upper-right) in the Console application. To copy/paste all of the messages, select one and select Select All from the Edit menu; paste into a text file.