Symantec Web Security Service Release Notes -...

Web Security Service

Release NotesVersion 6.10.3.1/May.29.2018

WebSecurity Service Release Notes/Page 2

Symantec Web Security Service: Release Notes

Symantec empowers enterprises to safely and securely choose the best applications, services, devices, data sources, andcontent the world has to offer, so they can create, communicate, collaborate, innovate, execute, compete and win in theirmarkets. Symantec is trusted by a large percent of the Fortune® Global 500.

TheWeb Security Service solutions provide real-time protection against web-borne threats. As a cloud-based product, theWeb Security Service leverages Symantec's proven security technology as well as theWebPulse™ cloud community ofover 75million users.

With extensive web application controls and detailed reporting features, IT administrators can use theWeb Security Serviceto create and enforce granular policies that are instantly applied to all covered users, including fixed locations and roamingusers.

This PDF version of the release notes provides information for themost recent major service releases (X.x). The onlineWebGuide version contains the full service record.

Copyright © 2018 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, andthe Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other coun-tries. Other names may be trademarks of their respective owners. This document is provided for informational purposes onlyand is not intended as advertising. All warranties relating to the information in this document, either express or implied, aredisclaimed to themaximum extent allowed by law. The information in this document is subject to change without notice.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,REPRESENTATIONS AND WARRANTIES, INCLUDINGANY IMPLIED WARRANTY OFMERCHANTABILITY,FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THEEXTENT THAT SUCH DISCLAIMERS ARE HELD TOBE LEGALLY INVALID. SYMANTEC CORPORATION SHALLNOT BE LIABLE FOR INCIDENTALOR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THISDOCUMENTATION IS SUBJECT TOCHANGEWITHOUT NOTICE.

Symantec Corporation

350 Ellis StreetMountain View, CA 94043

www.symantec.com

Contents

Symantec Web Security Service: Release Notes 3

Contents 3

Version 6.x New Features 7

6.10.3.1—Service Update ExpectedMAY.22.2018 7

6.10.2.6—Service UpdateMAR.13.2018 7

6.10.2.5—Service Update FEB.28.2018 7

6.10.2.1—Service Update Nov.17.2017 7

6.10.1.4—Service Update 2017.10.03 8

6.10.1.2—Service Update: 2017.06.15 9

Page 3

http://www.symantec.com/


6.9.5.2—Service Update: 2017.05.19 9

6.9.5.1—Service Update: 2016.12.23 9

6.9.4.2—Service Update: 2016.12.02 9

6.9.3.1—Service Update: 2016.11.01 10

6.9.2.1—Service Update: 2016.09.01 10

6.9.1.1—Service Update: 2016.07.01 11

6.8.5.2—Service Update: 2016.05.27 11

6.8.5.1—Service Update: 2016.02.26 11

6.8.4.1—Service Update: 2016.01.15 11

6.8.3.1—Service Update: 2015.12.17 12

6.8.2.4—Service Update: 2015.11.20 12

6.8.2.1—Service Update: 2015.10.23 12

6.7.3—Service Update: 2015.03.27 14

6.7.2—Service Update: 2015.03.06 14

6.7.1—Service Update: 2015.01.30 14

Version 6.x Resolved Issues 16

6.10.2.6—Mar.13.2018 16

6.10.2.5—Feb.28.2018 16

6.10.2.1—2017.12.11 17

6.10.1.4—2017.10.03 18

6.9.10.2—2017.06.15 20

6.9.5.2—2017.05.19 20

6.9.5.1—2017.02.02 Documentation Update 21

6.9.5.1—2016.12.23 21

6.9.4.1—2016.12.02 22

Currently Known Issues 25

Limitations 28

Compatibility Index 29

Recent Unified Agent Resolved Issues 30

Desktop Anti-Virus Compatibility 34

Tested Firewall Devices 35

Supported Browsers 36


Supported Proxy Devices 37

Symantec 37

ProxySG appliances (all are Proxy Editions) 37

SGOS Versions 37

Microsoft 37

Supported SAML IDPs 38

Supported Mobile Devices and MDM Partners 39

Release 6.x WebGuide Update Log 40

New Solution PDF 44

Access Methods WebGuide 44

Solutions WebGuide 45

Hosted ReportingWebGuide 45

New Solution PDF 45












All WebGuides 46



All WebGuides 47













All WebGuides 49



All WebGuides 49



Doc Update Tweets 49


Version 6.x New Features

The following section describe themost recent features added to theWeb Security Service.

6.10.3.1—Service Update Expected MAY.22.2018

n PAC File Management System (PFMS)—A complete redesign of the Explicit Proxy/PAC file distributionmethod.You can now createmultiple PAC files, each with unique bypass lists, and assign them to locations. Furthermore,you can use a dedicated PAC file and integrate Symantec Endpoint Protection (SEP) with theWeb SecurityService.

http://portal.threatpulse.com/docs/am/AccessMethods/Concepts/about_pacfile_rtng_co.htm

n Threat Isolation—Remote web sessions execution that prevents malware from reaching your network and devices.Requires an add-on subscription.

http://portal.threatpulse.com/docs/sol/Solutions/ManageMalware/about_threatiso_co.htm

n EnableMalware Analysis Advanced Service for Universal Policy Enforcement—If employing Universal PolicyEnforcement (UPE), you can configure notifications for theMalware Analysis Advance Service (MAAS).

n "Version 6.x Resolved Issues" on page 16

6.10.2.6—Service Update MAR.13.2018

This release did not introduce any new features.


n "Release 6.x WebGuide Update Log" on page 40

6.10.2.5—Service Update FEB.28.2018

n Symantec WSS (Security Web.Cloud) to Symantec Web Security Servicemigration.

n Roaming Captive Portal—Used for Explicit Proxy access from unknown locations is now 24 hours betweenchallenges (up from 60minutes).

n Symantec DLP Infrastructure—Changes to (secure) ICAP from rest.

n Universal Policy Enforcement (UPE)—Allows you to enable Symantec Cloud DLP.

n For the Firewall/VPN Access Method, theWeb Security Service now supports IKEv2 protocol from gatewaydevices. If you are experienced with firewall devices, you can test configurations. However, Symantec did not testspecific vendor devices. Therefore, the documented procedures to configure firewall devices do not contain thisoption. Upon successful configuration validation, the documentation will be amended.


6.10.2.1—Service Update Nov.17.2017

n Portal updates in support of an upcomingmigration to use the Norton Secure Login (NSL) platform. There are nochanges to existing accounts. Account migrations will occur over time and each organization will receive

http://portal.threatpulse.com/docs/am/AccessMethods/Concepts/about_pacfile_rtng_co.htm

http://portal.threatpulse.com/docs/sol/Solutions/ManageMalware/about_threatiso_co.htm


notification andmore information. before that occurs.

Because NSL is now backing the portal log in authentication, you can use your existing NSL account to enable Two-Factor Authentication.

n TheWeb Security Service portal transitions from Blue Coat to Symantec branding and colors. The top border is nowwhite with the Symantec logo. The Service/Solutions mode switch is now a drop-down on the left-hand side of theheader; previously they were links on the right-hand side.

n Admin portal—The Solution/Servicemode setting previously selected on the upper right of the portal has beenmovedto the upper left.

n Customer visible—The blocked/exception page now has the Symantec logo instead of the Blue Coat logo by default.If you previously replaced the default logo with a custom logo, that is retained.

n Authentication Policy—Policy management of authentication surrogates and duration for fixed site locations.

http://portal.threatpulse.com/docs/sol/AccessMethods/auth/auth_policy.htm

n Reviewer Role—Permits auditing of the full configuration without reporting access.

http://portal.threatpulse.com/docs/sol/Admin/UserMgmt/adm_reviewerrole.htm

6.10.1.4—Service Update 2017.10.03

n Office 365 Enhancements.

Office 365 applications function normally. The service automatically bypasses connection types that it cannotprocess without service interruption. Furthermore, the portal now contains toggles for global exemptions ofAuthentication and SSL Interception of Office 365 traffic.

http://portal.threatpulse.com/docs/sol/O365/Office365_ta.htm

n Policy now supports the allowing of password protected files.

Allows you to create policy to exempt specific password-protected files that are by default returned by themalwarescanner.

http://portal.threatpulse.com/docs/sol/Solutions/ManageMalware/mwpol_errorhandling.htm

n Enhanced reporting.

Summary Wide Report; updated aesthetics.

http://portal.threatpulse.com/docs/sol/Solutions/ManageReports/rpt_what_from_dashboards_ta.htm

n Additional portal interface features for Unified Agent (bypass QUIC traffic; disable tamper protection; ignore proxysettings).

http://portal.threatpulse.com/docs/am/AccessMethods/Concepts/about_remoteclients_co.htm

http://portal.threatpulse.com/docs/sol/AccessMethods/Concepts/about_remoteclients_co.htm

n Policy controls for 18,000+ web applications (with CASB Audit license).

http://portal.threatpulse.com/docs/sol/Solutions/ManageWebApps/casb_policy.htm

n Meraki Firewall Access Method.

http://portal.threatpulse.com/docs/am/AccessMethods/deploy/onpremise/firewallvpn/cscoMeraki_config_ta.htm

n New 3rd-party SAML Identity Provider support: Microsoft Azure, Okta, and Symantec VIP Access Manager.

http://portal.threatpulse.com/docs/sol/AccessMethods/auth/auth_policy.htm

http://portal.threatpulse.com/docs/sol/Admin/UserMgmt/adm_reviewerrole.htm


http://portal.threatpulse.com/docs/sol/Solutions/ManageMalware/mwpol_errorhandling.htm

http://portal.threatpulse.com/docs/sol/Solutions/ManageReports/rpt_what_from_dashboards_ta.htm

http://portal.threatpulse.com/docs/sol/AccessMethods/Concepts/about_remoteclients_co.htm

http://portal.threatpulse.com/docs/sol/Solutions/ManageWebApps/casb_policy.htm

http://portal.threatpulse.com/docs/am/AccessMethods/deploy/onpremise/firewallvpn/cscoMeraki_config_ta.htm


http://portal.threatpulse.com/docs/am/AccessMethods/Concepts/AuthDetail/about_saml_co.htm


6.10.1.2—Service Update: 2017.06.15

n Support for Universal Policy Enforcement.

Currently, this solution is for new Web Security Service customers only. It requires the integration of theWebSecurity Service with Symantec Management Center to achieve a single policy to use with the cloud service andSymantec ProxySG appliances. The solution is described in a different documentation.

Because of this solution, the Initial ConfigurationWizard includes a new screen for selecting the policy source.

6.9.5.2—Service Update: 2017.05.19

This release did not introduce any new features.


6.9.5.1—Service Update: 2016.12.23

n Malware Analysis Advanced Service.

With the Malware Analysis Advanced Service, provides post-downloadmalware discovery and detonation fromsandboxing results.

http://portal.threatpulse.com/docs/sol/Solutions/ManageMalware/about_malware_co.htm

n Exempt sources and destinations from authentication checks.

If SAML or Captive Portal authentication prevent login screens because of the redirection requirement, you caninstruct theWeb Security Service to not perform authentication checks for specified sources and destinations.

http://portal.threatpulse.com/docs/sol/AccessMethods/auth/auth_exempt.htm

n IntegrationWith Symantec Cloud DLP.

If you have a Symantec Cloud DLP account, you can integrate with the SymantecWeb Security Service andcontinue to provide sensitive information scanning service-bound clients.

http://portal.threatpulse.com/docs/sol/Solutions/ManageDLP/SYMDLP/symdlp_co.htm

6.9.4.2—Service Update: 2016.12.02

n IntegrationWith On-Premises DLP.

If you have on-premises DLP servers deployed in your infrastructure, you can integrate with the Symantec WebSecurity Service and continue to provide sensitive information scanning service-bound clients.

http://portal.threatpulse.com/docs/sol/Solutions/ManageDLP/c2premdlp_sol.htm

n Datacenter assets upgraded to SHA256 certificates.

In theWeb Security Service datacenters, the assets used to authenticate various connections now have SHA256-strength certificates. These connections include:


http://portal.threatpulse.com/docs/sol/Solutions/ManageMalware/about_malware_co.htm

http://portal.threatpulse.com/docs/sol/AccessMethods/auth/auth_exempt.htm

http://portal.threatpulse.com/docs/sol/Solutions/ManageDLP/SYMDLP/symdlp_co.htm

http://portal.threatpulse.com/docs/sol/Solutions/ManageDLP/c2premdlp_sol.htm


o Auth Connectors

o IPsec clients: Cert-based firewalls, iOS and Android devices

o Unified Agents

o The CP-Link (for the cloud-to-premises DLP solution)

Windows 7+ andMac, iOS, and Android devices all trust the new root certificate by default. If you have a certificate-based firewall deployed for the Access Method, youmust add the new certificate.

http://portal.threatpulse.com/docs/am/AccessMethods/deploy/onpremise/firewallvpn/fwvpn_selectcertdevice.htm

n Unilateral explicit proxy IP address.

All access methods that involve an explicit proxy connection now resolve to proxy.threatpulse.net:8080.

o PAC files hosted on theWeb Security Service and Proxy Forwarding

o Roaming Captive Portal

o Trans-Proxy

For backwards compatibility, your existing configurations still resolve. But the documentation now reflects the newentry.

n Unified Agent Handling of IPv6 IP Addresses.

The Unified Agent that accompanies this service update changes how the Unified Agent processesIPv6 IP addresses. For the details about this operation, see the Unified Agent concept topic.


n Mobile DeviceManagement (MDM) support: MobileIron.

TheWeb Security Service can now integrate with MobileIron. The following link now describes how to obtain theMobileIron procedure.

http://portal.threatpulse.com/docs/am/AccessMethods/deploy/mobile/mdm/mdm_int.htm

6.9.3.1—Service Update: 2016.11.01

n CASB Audit Service

The CASB Audit Service is an integration between theWeb Security Service and the Symantec-acquired ElasticaCloudSOC™platform. Gain access to visibility to 15,000 cloud applications plus over 60 attributes per application,which helps you defined policy for web applications and Shadow IT. Requires the CASB Audit license.

http://portal.threatpulse.com/docs/sol/Solutions/ManageWebApps/CASB/casb_audit.htm

6.9.2.1—Service Update: 2016.09.01

n Unified Agent enhancement.

Improved location awareness detection addresses corporate full-tunnel VPNs. When a user connects to a full tunnelcorporate VPN on a known protected network, the Unified Agent receives a command to enter passivemode withoutopening a new VPN tunnel. When the Unified Agent disconnects from the full tunnel corporate VPN (and enters anunprotected network), the Unified Agent reconnects to theWeb Security Service.


http://portal.threatpulse.com/docs/am/AccessMethods/deploy/onpremise/firewallvpn/fwvpn_selectcertdevice.htm


http://portal.threatpulse.com/docs/am/AccessMethods/deploy/mobile/mdm/mdm_int.htm

http://portal.threatpulse.com/docs/sol/Solutions/ManageWebApps/CASB/casb_audit.htm


6.9.1.1—Service Update: 2016.07.01

EnhancedMalware Analysis Reporting

The 6.9.1.1 service update introduces theMalware Analysis Standard Service (MASS), which provides the ability blockmalicious content in real-time based on sandboxing resources (Malware Anaylsis + Content Analysis) that are hosted inSymantec datacenters. This functionality requires an additional license added to your current Web Security Serviceaccount. After this entitlement is added to your account, relevant Threats report provides indications of which technologyblocked themalware: the standard service Threat Protection (AV) or Malware Analysis (sandbox). The following tech-nologies comprise theMASS.

n Predictive Analysis

n Static Analysis

n YARA Rules

n Behavior Analysis

n Emulation of Windows Processes

For this initial standard service, the sandboxing results are from scans against exe and dll content.

http://portal.threatpulse.com/docs/sol/Solutions/ManageMalware/malware_sol.htm

6.8.5.2—Service Update: 2016.05.27

This release did not introduce any new features, but includes a critical fix and documentation updates.


n "Release 6.x WebGuide Update Log" on page 40 (updatedMay 27, 2016)

6.8.5.1—Service Update: 2016.02.26

This service updated did not introduce any new features. See the following.


n "Release 6.x WebGuide Update Log" on page 40 (updated April 21, 2016)

6.8.4.1—Service Update: 2016.01.15

Agent Status Privacy Controls

n When displaying connected devices, theWeb Security Servicemust use the device identification provided by theclient system (commonly a laptop) or mobile device. Many times, these devices are named by IT personal or byphone/tablet owners and contain whole or pieces of names, which implicates the transferal and storage of personalidentity information (PII) on local data center servers.

The 6.8.4.1 update sets the default collection status as Disabled. The first time you access the page following theupdate, youmust enable the feature and acknowledge that theWeb Security Service will transfer and store deviceidentification.

http://portal.threatpulse.com/docs/sol/AccessMethods/deploy/mobile/mbl_verify.htm


http://portal.threatpulse.com/docs/sol/AccessMethods/deploy/mobile/mbl_verify.htm


6.8.3.1—Service Update: 2015.12.17

SSL Policy Improvements. The following changes take effect when you clickActivate policy following the service update.

n Global Blocked Categories now part of ruleG3 (previously were put inG4) in theContent Filtering > Policy editor.

n Ensures that blocking a domain or category results in a site is blocked when using https:// and not interceptingSSL.

n Blocking a domain such as http://example.com does not block access to https://example.com (protocolsdo not match).

n Blocking a domain such example.com or https://example.com blocks access to https://example.comwhen SSL interception is disabled.

n The globally blocked URLs/Domains list now display eitherURL orDomain for each entry.

6.8.2.4—Service Update: 2015.11.20

This release contains no new features. It contains fixes and enhancements to theWeb Security Service datacenter sys-tems and the portal. See "Version 6.x Resolved Issues" on page 16.

6.8.2.1—Service Update: 2015.10.23

IMPORTANT: In your Web Security Service portal, you must activate or delete all currently non-activated policiesby 23 October 2015. If you do not, the portal will indicate these policies as activated after the 6.8.2.1 updateoccurs; however, they will remain non-activated. This might cause unintended results as portal visible con-figuration will not match applied policy in the service.

New Unified Agent OS Support and Installer File Type

n TheWeb Security Service supports the Unified Agent running only on the following operating systems.

o Windows 7, 8, and 10

o Apple OS X 10.9.x

o Apple OS X 10.10.x

This release ends the support for OS X 10.8.x and previous versions. Previous Unified Agent versions can stilloperate on these older OSes, but Symantec will not provide support for issues. Youmust upgrade clients to OS X10.9.x or 10.10.x before installing the current Unified Agent.

You can install the legacy Client Connector onWindows XP clients.

n TheMac OS X version of the Unified Agent is now a .pkg file instead of a .dmg file.

JAMF Support (Unified Agent)

n TheWeb Security Service supports the widely-used third-party JAMF application to distribute the Unified Agent toOS X clients.

http://portal.threatpulse.com/docs/am/AccessMethods/deploy/remote/ua_jamf_ta.htm

http://portal.threatpulse.com/docs/am/AccessMethods/deploy/remote/ua_jamf_ta.htm


Force Safe Search Changes

n This release introduces changes to the Force Safe Search feature. The feature now fully supports Google safesearch.

If you had previously enabled Safe Search and specified actions for specific engines, theWeb Security Servicedefaults to this policy: Enable Safe Search for Google Search andAllow Unsafe Searches.

http://portal.threatpulse.com/docs/sol/Solutions/ManagePolicy/AdvancedPolicy/advpol_safesearch_ta.htm

Unified Agent—Select Which Connection Provides the Username

n To be compatible with third-party applications that also intercept web traffic, you can instruct the Unified Agent touse the logged in username versus the username provided by the process. Requires Unified Agent 4.6+.

http://portal.threatpulse.com/docs/am/AccessMethods/deploy/remote/ua_security_ta.htm

http://portal.threatpulse.com/docs/am/Troubleshooting/ua_username_ts.htm

Granular SSL Interception

n This release introduces the ability to exempt SSL interception by Web Security Service, based on elements suchas users, groups, locations, and IP addresses.

If you had previously enabled Safe Search and specified actions for specific engines, theWeb Security Servicedefaults to this policy: Enable Safe Search for Google Search andAllow Unsafe Searches.

http://portal.threatpulse.com/docs/sol/Solutions/ManagePolicy/SSL/ssl_enable_ta.htm

All Ports License

n If you have a firewall device that cannot selectively send port 80/443 traffic to theWeb Security Service, theAll Ports License is available.

http://portal.threatpulse.com/docs/sol/AccessMethods/Concepts/about_allports.htm

IP Surrogates for SAML Authentication

n The behavior change applies only the following deployments:

o Firewall/VPN (IPsec) Access Method with SAML authentication

o Captive Portal enabled

Previously, theWeb Security Service redirected all requests for new domains, which caused some connectionlatency and inmany cases manual whitelisting. TheWeb Security Service now uses IP surrogates to provide amore efficient authentication process with user agents that cannot handle redirects. If your environment involvesthese deployment methods and you continue to experience connection issues, contact Symantec TechnicalSupport.

Documentation Renovation

n All WebGuides.

o Responsive to any device (browser/tablet/mobile).

o Embedded, targeted solution PDFs.

http://portal.threatpulse.com/docs/sol/Solutions/ManagePolicy/AdvancedPolicy/advpol_safesearch_ta.htm

http://portal.threatpulse.com/docs/am/AccessMethods/deploy/remote/ua_security_ta.htm

http://portal.threatpulse.com/docs/am/Troubleshooting/ua_username_ts.htm

http://portal.threatpulse.com/docs/sol/Solutions/ManagePolicy/SSL/ssl_enable_ta.htm

http://portal.threatpulse.com/docs/sol/AccessMethods/Concepts/about_allports.htm


o Links to related Symantec video content.

n Access Methods—Redesigned to provide linear deployment topics.

n New URLs—Because of the redesigned output, the HTML links have changed. Be advised if you bookmarked anytopics that you frequently access, youmust search the new content and re-bookmark.

n http://portal.threatpulse.com/docs/am/AMDoc.htm

n http://portal.threatpulse.com/docs/sol/SOLDoc.htm

n http://portal.threatpulse.com/docs/hr/HRDoc.htm

6.7.3—Service Update: 2015.03.27

This release did not introduce any new features. See the following.




This release did not introduce any new features. See the following.




Unsubscribe From E-Mail Notifications

n Opt out of e-mail broadcasts sent by Symantec regarding different subjects—maintenance alerts to service outageupdates.

http://portal.threatpulse.com/docs/sol/Solutions/Admin/Account/adm_ntfysubs.htm

Unified Agent Enhancements

n The Unified Agent now supports multiple domains in an Active Directory forest. This allows you to create policyusing a universal group that is located in a different domain than where a user is located. For example, you have aCORP domain and aUSERS domain; you want to put a user from theUSERS domain into a universal group in theCORP domain.

n Beginning with v6.7.1, theWeb Security Service halts requesting user group affiliation from clients running theUnified Agent and Client Connector applications. TheWeb Security Service now performs the lookup to determinegroup affiliation. Although the on-premise Auth Connector installation has been part of the official deployment(Access Methods documentation), this means that the Auth Connector is now required to enable group-based policyfrom remote users.

The Unified Agent released in conjunction withWSS v6.7.1 provides greater scalability for the cloud networkresources. Symantec recommends upgrading to this version (4.5.1.152154).

Near Real-Time Log Data Sync

http://portal.threatpulse.com/docs/am/AMDoc.htm

http://portal.threatpulse.com/docs/sol/SOLDoc.htm

http://portal.threatpulse.com/docs/hr/HRDoc.htm



n The Sync API is available that enhances the ability of the Download API. It allows a local client to obtain recentlyhardened log data from the cloud by downloading the current hour in smaller up-to-the-minute segments. This isstandalone feature from theWeb Security Service; youmust provide the client programs and scripts to facilitatesync requests and data processing (third-party Security Information & Event Management (SIEM) engine). Youmust request the document from Symantec Technical Support.


Version 6.x Resolved Issues

The Symantec Web Security Service v6.x contains the following user-visible fixes.

6.10.2.6—Mar.13.2018

n SAML CertificateWarning.

ISSUE: Tunneled SSL requests should have been bypassed from authentication; however, users received certificatewarning when browsing to HTTPS sites.

(B#255708)

n Certificate-based VPN.

ISSUE: Intermittent connections with certificate-based Firewall/VPN Access Method.

(B#255852)

n WhenDLP is enabled, a URLwas rewritten causing a DNS failure.

ISSUE:Universal Policy Enforcement with DLP enabled. ICAP request scanners that responded with the schemaas part of the URLwere affected by proxy forward tunnel termination handling.

(B#255648, 256530)

n IPsec location indicated disconnected status.

ISSUE: In the portal, an IPsec location displayed the disconnected status despite the active tunnel.

(B#257304)

6.10.2.5—Feb.28.2018

n Could not remove reporting alerts.

ISSUE:Corrected an issue that prevented you enabling, disabling, or deleting reporting alerts from the portal.

(B#255777)

n NSL onboarding.

ISSUE:Service providers could not onboard their customers through NSL.

(B#255644, 255431)

n SAML requests.

ISSUE:SAML did not authenticate HTTP methods that were not GETs or POSTs..

(B#255089, 255086)

n Pulse Connect Secure Server and SAML.

ISSUE:SAML authentication failed if Pulse Connect Secure Server is used as the IDP.

(B#253342)


n IE 11/Reporter Filter.

ISSUE: Internet Explorer 11: Was unable to set the value forReport Filter Criteria—Hour of Day—when reportswere run.

(B#247666)

6.10.2.1—2017.12.11

n Object Library search.

ISSUE:Search did not function as expected in the User DefinedObjects area of the Object Library.

(B#248899)

n Audit log e-mail addresses.

ISSUE: The Audit Log displayed unrecognized email addresses.

(B#250644)

n False positive occurred.

ISSUE:A false positive occurred when the blocked executables (.com) and URL contained domain.

(B#238146)

n Reporter Filter incomplete.

ISSUE: Filtering a report forSite sometimes returned an incomplete result.

(B#250496, 250469)

n Emailed PDF reports.

ISSUE:Scheduled emailed reports failed to display LDAP groups.

(B#247931, 247930)

n SAML imports.

ISSUE: Fixed issue with importing SAML information.

(B#251667)

n Overlapping calendar dates.

ISSUE: Fixed issue with selecting custom dates in reporting.

(B#251540, 251538)

n Hybrid devices could not be deleted.

ISSUE:Added devices used for hybrid policy could not be deleted.

(B#250939)

n Could not cancel out of Profile.

ISSUE: The Cancel button on the user profile dialog was unresponsive.

(B#250797)


n Deleted policy rule still marked.

ISSUE:After deleting a policy rule, the portal policy editor still displayed it as marked.

(B#250740)

n Drill-down required refresh.

ISSUE:Before drilling down a selected column in a report, you had to refresh the page.

(B#250386)

n Several fixes to the hero report bar.

ISSUE:Several fixes to the hero report bar.

(B#249680, 250834)

6.10.1.4—2017.10.03

n Incomplete Exception Page when Roaming Captive Portal enabled.

ISSUE:WhenRoaming Captive Portal is enabled and a blocked site was reached, the service displayed anincomplete exception page.

(B#247326)

n Roaming Captive Portal failure.

ISSUE:Roaming Captive Portal failed when authenticating users from a different trusted forest from the forest onwhich the Auth Connector is installed.

(B#246136)

n Auth Connector connections changed to TLS1.2.

ISSUE: ForWindows greater than 6.1 (2008R2), the Auth Connector now uses TLS1.2 instead of 1.0.

(B#245364)

n Reporting Role Users not able to see full data.

ISSUE:Example: A user has Web Security Service access in a Reporting Role. They run a filter to view reports for aspecific group from LDAP, but the query displayed no results. The Admin User could see the results.

(B#244323)

n Report Center link became inactive.

ISSUE:After performing an action on a report, such as drilling down for details, the service displayed only a whitepage. Elements, such as theReporter Center link, became unresponsive.

(B#245858)

n Changes in Saved Reports did not take effect until a browser refresh.

ISSUE:After performing changes (such as apply a filter) in a report in theSaved Reports applet, the changes didnot take effect following the clicking of Save. The changes only took effect if the user refreshed the browser.

(B#245268, 245355)


n The portal displayed incorrect value for Schedules in User DefinedObjects.

ISSUE:After a user created and saved aUser Defined Objects forSchedules and then clicked the newly-createdobject, the Start Date and End Dates were the current dates instead of the configured dates.

(B#245354)

n Reporting: Downloaded report results different than emailed version.

ISSUE:Example: A generated and downloaded report had 15 users and 45 categories per user. However, the samereport emailed to someone displayed only ten categories per user.

(B#246527)

n Inconsistent results in reports with CIDR prefix in filter.

ISSUE:Example: In a report summarized by Client IP, a filter with a CIDR-formatted IP address causedinconsistent reporting results.

(B#242505, 254667)

n Drilling down in reports produced empty reports.

ISSUE:Continuous drilling down in a report eventually produced an empty report.

(B#240913)

n Hyphen (-) inserted in front of category names.

ISSUE: The portal added a hyphen character in front of the real URL category in theCategories column of theWeb Browsing per Site report.

(B#242124)

n User-defined IP addresses/objects could not be removed.

ISSUE: The portal did not allow you to delete an IP or User Object from theObject Library or other places whereyou can add entries.

(B#240185)

n Sort Ascending/Descending did not work for the Roles or Status columns.

ISSUE:Sort Ascending/Descending did not work for theRoles orStatus columns.

(B#239270, 242070)

n Emailed reports produced a corrupted PDF.

ISSUE: Trying to generate a PDF version of the Threats report resulted in an un-openable PDF in the email.

(B#242869, 243247)

n PDF blocked because of a recognized executable.

ISSUE:PDFs served with the Content-Type: application/octet-streamwere blocked by theWeb SecurityService defined executable policy.

(B#238857)

n Blocked pages missing Username and User-Agent information.

ISSUE:With SSL Interception disabled, the Unified Agent matched a Deny policy for HTTPS and SSL was


required on the exception. The Username and User-Agent information was missing from the Exception page.

(B#232372)

n Archived report did not have first column.

ISSUE:When accessing an archived report, the portal failed to display the first column in the report.

(B#240481)

n Notify/Block pages did not display company logo without enabled SSL Interception.

ISSUE:Notify/Block pages did not display company logo without enabled SSL Interception.

(B#235417)

n Employees intermittently lost their Group affiliation.

ISSUE:At random times, employees lost their groupmembership, which caused them to be denied to websites towhich they should have access.

(B#248995)

n Could not register iOS 10.x devices.

ISSUE:Corrected an issue than prevented users from registering iOS devices with anMDM.

(B#238955)

6.9.10.2—2017.06.15

n Re-onboarding required.

ISSUE:Datacenter operations forced some accounts to re-onboard the service.

(B#242911, 248071)

n Policy Wizardmissing Office Online options.

ISSUE: The policy wizard was missing Office Online as a selectable component.

(B#239214, 248233)

6.9.5.2—2017.05.19

n Custom Block page settings were lost.

ISSUE:Any customization of block pages, such as phone number, email address, contact info, company name,custom logo, were lost following the December 2, 2016 service update. The issue causing this is resolved.

(B#242061)

n Blue Coat Notification site reached instead of coaching page.

ISSUE:After reaching a destination that triggered a coach policy and clicking Accept to proceed, the client wasredirected to notify.bluecoat.com instead of the intended destination.

(B#241096, 241578)

n Reports displayed abnormally large transaction sizes.

ISSUE: In a use report, tunneled transactions over 4GB in size weremisrepresented as 16million TB.


(B#240547)

n Location status icon for IPsec not GREEN when passing traffic.

ISSUE:When a site VPN firewall redirects its IPSec tunnel from one data pod to another, a race conditionmayoccurred that caused the DISCONNECTmessage for original data pod to be processed after the CONNECTmessage for the other data pod. This caused the IPSec tunnel status for that site to be incorrectly shown asDISCONNECTED.

(B#241994)

n Portal update complicated Object Library task.

ISSUE: Following a portal update, adding URLs to a User DefinedObject requiredmanually moving URLs to theobject after performing the import of a long list, which was an impractical method. The fix allows you tomove theentire imported group at once.

(B#242204)

6.9.5.1—2017.02.02 Documentation Update

n Auth Connector Logon Application operates before VPN tunnel established.

ISSUE: This ACLogon Application, which is used for Auth Connector deployments where domain controllers arespread across the enterprise organization, operated before the VPN became fully established. The link embedded intheWebGuide downloads a version that corrects this issue.

(B#239242)

6.9.5.1—2016.12.23

n Agent Status search function did not work.

ISSUE:On theService mode > Mobility > Agent Status page, theSearch field did not work.

(B#241839, 241938)

n Portal did not reflect a Unified Agent reconnection.

ISSUE:After reconnecting a specific Unified Agent in the portal, the connection status still indicated disconnectedeven though traffic was transmitting to the service.

(B#241842, 242053)

n WinSSO auth breaks when SAML is configured and then disabled for all IP addresses except for a few.

ISSUE:Using an IPsec tunnel with SAML enabled for just a few IP addresses, the non-SAML related IP addressesdid not useWinSSO for the authmethod. The portal displayed all suchWinSSO traffic as unauthenticated usertraffic and policy was not enforced.

(B#241443)

n Mis-identified web application classifications.

ISSUE: Following the previous Web Security Service update, some customers saw their web applicationdefinitions were not properly identified.

(B#241545, 241573)


n Web application actions not blocked.

ISSUE:Policies to block actions—for example, Facebook posts—were not applied.

(B#242090)

n URLs from Object Library not referenced in G2 policy layer.

ISSUE: If you created custom URL objects and used them in theG2 policy layer of the Content Filtering editor, theywere not referenced in thePolicy Usage column of the library.

(B#235363)

n Could not add comments when importing into the Object Library.

ISSUE: If you imported an IP address list from a text file into a new Object Library object, you could not addcomments to the object.

(B#232387, 237436)

n Could not add comments when importing into the Object Library.

ISSUE: If you imported an IP address list from a text file into a new Object Library object, you could not addcomments to the object.

(B#237436)

6.9.4.1—2016.12.02

n Differing exception pages.

ISSUE: If you configured a custom exception page and accessed a blocked HTTP website, the service displays thecorrect custom exception page . However, accessing the same blocked website using HTTPS, the servicedisplayed the default exception page instead of the custom page.

(B#195233, 239657)

n Complex reports failed.

ISSUE:When generating complex reports, the portal occasionally aborted and the service failed to display the report.

(B#238653)

n Columns omitted from reports.

ISSUE:Some downloaded or emailed reports omitted the first column.

(B#23969)

n All Ports feature: not all enabled.

ISSUE:With the All Ports license, not all IPsec locations indicated that the feature was enabled.

(B#237567)

n Cannot scroll Trusted Destinations.

ISSUE:You could not vertically scroll long lists of Trusted Destination entries, which prevented configuration edits.

(B#236139, 237427)


n Cannot scroll reports on small screen.

ISSUE: For some reports viewed on a smaller resolution screen, such as a latptop, you could not scroll elements.

(B#237486, 238842)

n Policy failed to evaluate when conditional on workstation IP address.

ISSUE:Corrected the forwarding policy to accommodate conditional workstation IP addresses.

(B#237433)

n Bypassing SSL based onGroup did not work.

ISSUE:Proxy policy error prevented the SSL Intercept bypass from working when based onGroups unless thatGroup was part of Content Filtering policy.

(B#235933, 237429)

n URL blocked by Server Certificate rating.

ISSUE:Destination URLs were blocked because the Server Certificate was blocked, not because of categoryrating.

(B#235930)

n Working IPsec tunnel indicates UNKNOWN.

ISSUE: The portal displays an IPsec location as UNKNOWN; however, the tunnel was working normally.

(B#236152, 237506)

n Policy wizard did not accept some domains.

ISSUE: The order of alpha-numeric characters prevented the policy wizard from accepting some domains. Forexample, http://1a.b2.comwas accepted, but http://a1.2b.comwas not.

(B#23319, 237423)

n Unable to select tenth item in a report.

ISSUE: In a displayed report, you could not select the tenth item in the list, but you could search for the user.

(B#233979)

n Japanese language: exported reports contain malformed characters.

ISSUE:When exported a report, such as to CSV-format, some Japanese language characters displayedas ???? or other malformed characters.

(B#231834)

n Report RBAC: applied caused incomplete reports.

ISSUE:When a filter was applied that consists of many subnets and a location, aWeb Security Service in a Reportonly role did receive the fully generated report.

(B#232498)

n Report RBAC: applied caused incomplete reports.

ISSUE:Blocks caused by the server.certficate.hostname lead to confusion about why a domain was blocked.

(B#230345)


n Authentication connection caused datacenter issue.

ISSUE:Auth connection timeouts caused the datapod to go offline.

(B#230075, 232015)

n Hybrid policy: Late Conditions.

ISSUE:When ProxySGwas deployed in hybrid-policy mode andGroup A in theWeb Security Service ContentFiltering policy editor contained categories, some Late Condition errors occurred.

(B#232486)

n Empty reports for some filters.

ISSUE:Attempting to run theWhere Subnet Contains filter resulted in an empty report. Related, searching forWhere User Contains failed if you entered the full username (domain\username).

(B#216415)

n Could not access archived reports.

ISSUE: If there weremore than ten archived reports, you could access/view beyond the first ten.

(B#232024)

n Edited location not reflected in reports.

ISSUE:After editing a location in the portal, reports did not display the new name.

(B#216040)

n Emailed reports did not contain graphs.

ISSUE:Generated, downloaded reports contained graphs; however, when the report was emailed, the graphs weremissing.

(B#210984)

n SAML: redirect loop.

ISSUE:When SAML is enabled for an IPsec location, attempting to access any subdomain.blogspot.comURLresulted in a direct loop.

(B#211151)


Currently Known Issues

Symantec is aware of the following issues in theWeb Security Service.

Android Device

n Android device battery life reduced.

ISSUE: Battery life for an Android device using themobility agent is significantly reduced.

(B#237558)

n Blocked Android device.

ISSUE: If you select theBlock action, the portal displays theConnection Status as Disconnecting; the app onthe Android device indicates it is connected. The device is blocked, but the device is not receiving the status.

(B#240588)

Common Policy

n Default Block Categories not copying to on-premises proxy.

ISSUE: Following an update, not all blocked category policies correctly propagated.

(B#238438)

iOS Devices

n Password overridemight not work for iOS connections.

ISSUE: Policy is set to override a blocked verdict with a password. An iOS device with a VPN profile connects;when prompted, the employee enters the correct password, but the page redirects to notify.bluecoat.com.

(B#214867)

Hybrid

n SSL interceptionmismatch.

ISSUE:A hybrid policy downloads to an on-premise proxy, which does not have SSL interception enabled. Thehybrid policy matches a DENY rule for ssl://traffic, yet the transaction is allowed.

(B#225136)

Mobile Device Service

n Registering a device from a second domain fails.

ISSUE: After creating a two-way trust relationship between two domains, you cannot register a device withcredentials from the second domain.

(B#179689)

Policy

n Dropbox not supported.

ISSUE:Because of some required SSL interception intricacies, theWeb Security Service does not support policy


enforcement, such as file uploading, for the Dropbox application.

WORKAROUND:Navigate toSolutions mode > Content Filtering > Policy and click Activate.

(B#214531)

n Google SafeSearch policy causes images and other elements of Google's search results page not to display.

ISSUE: In some instances, Google searches and displays a specific website, but with some elements (such asimages or Googlemaps) missing. After refreshing the page, the browser displays everything correctly.

(B#222782)

n PDF file is blocked as an Executable because of Content-Type.

ISSUE:WebSecurity Service policy blocks PDFs served with Content-Type: application/octet-streambecause it is viewed as an executable.

(B#238911)

n HTTPS policy evaluation.

ISSUE:Following aWeb Security Service datacenter infrastructure upgrade, some accounts noticed some contentthat was supposed to be blocked by a policy rule was allowed through. This is because of a policy evaluation changeand is under investigation.

(B#240186, 240361)

n HTTPS policy evaluation.

ISSUE:Following aWeb Security Service datacenter infrastructure upgrade, some accounts noticed some contentthat was supposed to be blocked by a policy rule was allowed through. This is because of a policy evaluation changeand is under investigation.

(B#240186, 240361)

Portal

n The Profile dialogue remains open after changes.

ISSUE:Even after clickingSave, the Profile dialog remains open. Youmust manually close it. Future changemightimplement a Save and Close button.

(B#208852)

Reporting

n Portal displays Slice instead of No Group.

ISSUE:When you create a new report and selectMore > Group from theCategory drop-down, the generated reportlabels theNo Group section as Slice.

(B#199257)

n Scheduled report for previous months shows the previous 30 days rather than the previous month's data.

ISSUE:Also, the report contains dates of this month and the date range is only 15 days. The Report should containonly the dates and information of the previous month.

(B#179098)


SAML

n Misleading SAML error.

ISSUE: The following SAML error is incorrect and not indicative of the root problem.

Account Restricted, you cannot log in, because your account is locked out

The Service Provider (saml.threatpulse.net) and the proxy authentication realm exceptions should providemeaningful information, such as:

n The assertion was signed by an unknownCA.

n The date/time on the assertion did not match the time on the data pod.

(B#215445)


Limitations

Add your text here.

n Plus (+) signs in report names (not Firefox).

ISSUE: The prompt to open or save Japanese-language reports contains plus (+) signs between words in reportnames.

(B#205510)

n SomeCRLURLs are blocked.

ISSUE:Some configured policy might block CRLURLs.

(B#180357, SR 2-479877708)

n Java error when saving a user list from Users In Reporting.

ISSUE: In the Advanced Policy editor, attempting to create a User List in an existing rule and use it in the rulegenerates a Java-based error (Java version 7, update 11).

WORKAROUND: Use users instead of user lists.

(B#184432, SR 2-538925851)

n Multiple domains are unreachable through iOS8.1.3 VPN + 3G/4G.

ISSUE: iPhone with the following configuration only: (iOS8.1.3 + 4G/3G + VPN profile). The browser cannot reachmultiple domains.

(B#214945)


Compatibility Index

Configuring and administering the Symantec Web Security Service requires using other Symantec and third-party tech-nologies. This page provides an index to those supported technologies.

Technology Reference

Unified Agent "Recent Unified Agent ResolvedIssues" on page 30

I will install the Unified Agent for remote users. What are the desktop anti-virus(AV) compatibilities?

"Desktop Anti-VirusCompatibility" onpage 34

What browsers can I use to access the Web Security Service? "Supported Browsers" on page 36

I will use the Firewall/VPN (IPsec) AccessMethod to route web traffic to theWeb Security Service. What firewall devices are supported?

"Tested FirewallDevices" on page 35

I will use the Proxy Forwarding AccessMethod to route web traffic to the WebSecurity Service. What proxy appliances and operating systems are sup-ported?

"Supported ProxyDevices" onpage 37

I want to employ SAML authetication. "Supported SAML IDPs" on page 38

To which mobile devices can the Web Security Service provide security? "SupportedMobile DevicesandMDM Partners" on page 39


Recent Unified Agent Resolved Issues

This topic lists the recent Unified Agent versions and the resolved issues for each version.

Split Tunnel Prerequisite

The Unified Agent cannot compete with multiple VPN clients, such as Cisco AnyConnect, that might be installed on clientsystems. Youmust configure any such VPN clients to Split Tunnel, which allows Internet-hosted requests to proceedthrough theWeb Security Service.

Release Date: 2/2018

Supported Client Operating Systems:

n Windows 7 32/64 bit (excluding home editions)

n Windows 8.x 32/64 bit (excluding home editions)


n Apple OS X (Mavericks (version 10.9.x))

n Apple OS X (Yosemite (version 10.10.x))

n Apple OS X (High Sierra (version 10.13.x))

Features

n Added adaptive protocol support to improve Unified Agent performance.

n The agent evaluates network conditions to attempt a UDP connection; if the conditions are not met, the connectionreverts to TCP.

n Added support for Mac OS X: High Sierra (10.13).

Resolved Issues:

n The Unified Agent failed to reconnect from the passive state after disconnecting from a third-party VPN.

n Resolved a service crash related to situations where a network interfacemight not be available when the servicestarts.

n Unified Agent 4.8.1 onOS X did not honor the bypassed domains from the portal.

n Unified Agent did not connect to the service when connecting over a USB data card connection.

n Unified Agent stopped attempting to connect to the service before the network became available. For example, whena NAC scan occurs on start up.

n Unified Agent woke systems from sleepmode.

n Unified Agent prevented internet access after disconnecting from one docking station and connecting to another.

n Unified Agent would not establish a user tunnel on systems using anOpenOTP solution.

Release Date: 10/2017






n Apple OS X (Mavericks (version 10.9.x))

n Apple OS X (Yosemite (version 10.10.x))

n Apple OS X (High Sierra (version 10.13.x))

Features

n Added adaptive protocol support to improve Unified Agent performance.

n The agent evaluates network conditions to attempt a UDP connection; if the conditions are not met, the connectionreverts to TCP.

n Added support for Mac OS X: High Sierra (10.13).

Resolved Issues:

n The Unified Agent failed to reconnect from the passive state after disconnecting from a third-party VPN.

n Resolved a service crash related to situations where a network interfacemight not be available when the servicestarts.

n Unified Agent 4.8.1 onOS X did not honor the bypassed domains from the portal.

n Unified Agent did not connect to the service when connecting over a USB data card connection.

n Unified Agent stopped attempting to connect to the service before the network became available. For example,when a NAC scan occurs on start up.

n Unified Agent woke systems from sleepmode.

n Unified Agent prevented internet access after disconnecting from one docking station and connecting to another.

n Unified Agent would not establish a user tunnel on systems using anOpenOTP solution.

Release Date: 6/22/2017





n OS X 10.9+

Resolved Issues:

n Fixes compatibility with AnyConnect over UDP port 443.

Note:

n Uninstall passwords for versions prior to 4.4 are removed. You are required to use the portal to define the uninstallpassword.

Known Issue


n Domain bypass for multi-homedwebsites might result in bypassing other URLs that resolve to the same IP address.

Release Date: 2/17/2017





n OS X 10.9+

Resolved Issues:

n Resolved a BSOD onWindows 10.

n Resolved a service crash onWindows when a system goes to sleep or wakes up.

n Resolved a Captive Portal issue where after sending invalid credentials to the system, a user could get logged in asan unauthenticated user.

n Resolved a Captive Portal issue where user credentials expire after 120 seconds. Unified Agent now caches theuser name for 24 hours.

n Resolved an issue where the agent service point probe was preventing the retrieval of a PAC file. Not applicable tocloud enforcement.

n Resolved a compatibility issue with Checkpoint VPN. The fix requires Checkpoint VPN E80.62 or later.

Features:

n Added ability to block DNS responses for IPv6 and force the use of IPv4 whenever possible.

n On installation, the Unified Agent attempts to install the SSL root certificate for SSL interception.

n The Unified Agent no longer uses DNS as the default to resolve a data center for connection. The appropriate datacenter is provided by a service in the cloud (data center).

Resolved Issues:

n Updated to OpenSSL 1.0.2j

Features:

n Unified Agent now queries theWeb Security Service before attempting to connect. This allows the agent to gopassive when appropriate without establishing a connection to the service.

Resolved Issues:

n Resolved an uninstall failure on Japanese versions of Windows.

n Resolved a service crash on Japanese versions of Windows.

Known Issues:


n Uninstall password for versions previous to 4.4 will be removed. Youmust use the portal to configure this option.

n Domain bypass for multi-homedwebsites might result in bypassing other URLs that resolve to the same IPaddress.

Compatibility Issues:

n ZoneAlarm: Unified Agent must be configured as a trusted application.

n Kaspersky: Unified Agent must be configured as a trusted application.

n Sophos: Cannot install Unified Agent onWindows 8 after Sophos Antivirus has been uninstalled.

.


Desktop Anti-Virus Compatibility

If you plan to install the Unified Agent application onto employee systems to support remote access to the Symantec WebSecurity Service, some desktop anti-virus (AV) applications might cause various results. The following list describes whichAV applications were tested to work by Symantec; additional behavior noted where applicable. Other vendor products mightor might not function with the product. As more are tested, they will be listed here. Symantec recommends testing non-sup-ported vendors during a trial on a non-production basis.

TrendMicro is a known vendor product that is not officially compatible. However, the following Knowledge Base art-icle discusses a possibleworkaround. KB Link

AVG Internet Security 2012

Windows XP; 7 (32-bit and 64-bit):

After the client system reboot, the client attempts to connect to the cloud service. The AVG Firewall asks for confirmation toallow Web Security Service permission to connect to the Internet. Grant permission; the client successfully connects to thecloud service, establishes tunnels, and applies policies.

Kaspersky Internet Security

The Unified Agent must be configured as a trusted application.

McAfee Total Protection 2012

Windows XP; Windows 7 (32-bit and 64-bit):

Following the client system reboot, tunnels connect and policies applied with no further issues reported.

Sophos

Cannot install Unified Agent onWindows 8 after Sophos Antivirus has been uninstalled.

Symantec Endpoint Protection: 11.0.6005.562

Update to the latest definitions.

Windows XP; Windows 7 (32-bit and 64-bit):

Following the client system reboot, tunnels connect and policies applied with no further issues reported.

ZoneAlarm

Update to the latest databases.

The Unified Agent must be configured as a trusted application.

https://support.symantec.com/en_US/article.TECH241083.html


Tested Firewall Devices

The Symantec Web Security Service Firewall/VPN (IPsec) Access Method requires you tomodify the configuration ofyour network egress firewall device to perform a site-to-site VPN connection (or a certificate-based connection). AlthoughtheWeb Security Service can support any device capable of this configuration, Symantec tested and supports the fol-lowing devices.

n Checkpoint

n Cisco (includingMeraki)

n Fortinet

n Juniper

n Palo Alto

Support For Other Devices

As stated, the above list is for devices that Symantec internally validated. In practice, any firewall device that supportsIPsec site-to-site VPN connections could be configured to properly route web traffic to theWeb Security Service. The fol-lowing is a list of devices that Symantec have successfully configured. Be advised that the devices listed below were nottested by Symantec.

n AdTran NetVanta 4305


Supported Browsers

Use one of the following browsers to access the Symantec Web Security Service interface.

n Microsoft Internet Explorer 9.x, 10.x, 11.x

n Mozilla Firefox 51.x-

n Google Chrome 56.x-

n Apple Safari 9

Newer versions should function correctly, but might not have been officially qualified by Symantec.

Furthermore, browsers requires Javascript and cookie support.


Supported Proxy Devices

The Symantec Web Security Service Proxy Forward Access Method requires you to configure the network egress proxydevice to forward web-bound requests to the service.Symantec tested the following proxies.

Symantec

ProxySG appliances (all are Proxy Editions)

n SG210 n SG300 n SG510 n SG600n SG810-(5-25

only)n SG900 n SG9000

SGOS Versions

n 5.5.x n 6.1.x n 6.2.xn 6.3.x n 6.4.x n 6.5.x n 6.6.x

Microsoft

n Internet Security and Acceleration (ISA)™ 2006 -- 32-bit

n Forefront Threat Management Gateway™ (TMG) -- 64-bit


Supported SAML IDPs

Currently, Symantec tested and supports the following Identity Providers (IDPs).

n The Symantec Auth Connector—Instead of a third-party vendor SAML Identity Provider (IDP), the Auth Connectorcan function as the IDP.

http://portal.threatpulse.com/docs/am/AMDoc.htm#Deployment/Tasks/Auth/SAML/saml_authconnIDP_sol.htm

n Active Directory Federation Services (AD FS) 2.0

http://portal.threatpulse.com/docs/am/AMDoc.htm#Deployment/Tasks/Auth/SAML/saml_3rdparty_sol.htm

n Symantec VIP Access Manager

http://portal.threatpulse.com/docs/am/AccessMethods/auth/SAML/saml_symIDP.htm

n Microsoft Azure

http://portal.threatpulse.com/docs/am/AccessMethods/auth/SAML/saml_azureIDP.htm

Okta—SeeWebGuide for legacy PDF.

Other IDPs might work. When attempting to configure, verify that the assertion contains the signing certificate.Some IDP implementation do not by default.

http://portal.threatpulse.com/docs/am/AMDoc.htm#Deployment/Tasks/Auth/SAML/saml_authconnIDP_sol.htm

http://portal.threatpulse.com/docs/am/AMDoc.htm#Deployment/Tasks/Auth/SAML/saml_3rdparty_sol.htm

http://portal.threatpulse.com/docs/am/AccessMethods/auth/SAML/saml_symIDP.htm

http://portal.threatpulse.com/docs/am/AccessMethods/auth/SAML/saml_azureIDP.htm


Supported Mobile Devices and MDM Partners

The Symantec Web Security Service provides features to authenticate users, block malware, and enforce web browsingpolicies onmobile devices.

n Apple®

You can register Apple® iOS mobile devices—iPhones™, iPads™, and iPods™ that are running iOS™7.x andlater. Full Web Security Service features and functionality are available.

n Android™

You can register Android™mobile devices that are running 4.0 and later. Full Web Security Service features andfunctionality are available.

n Mobile DeviceManagers

Symantec has partnered with the followingMobile DeviceManagers (MDMs). By generating aMDM Identifier APIKey in theWeb Security Service, you can integrate the cloud service with your existingMDM-partner deployment.

n AirWatch® (7.0+)—http://www.air-watch.com/

n MobileIron—

o https://www.mobileiron.com/en/solutions/mobile-device-management-mdm

o Symantec Integration—MobileIron KB: DOC-5345.

http://www.air-watch.com/

https://www.mobileiron.com/en/solutions/mobile-device-management-mdm


Release 6.x WebGuide Update Log

This page lists updates to the Symantec Web Security ServiceWebGuides. Periodic updates occur to inform you aboutnew features, address user feedback, clarify information, and improve overall quality. TheWebGuide version displays at thebottom of each page. Click a date to view recent major updates and corrections.

WebGuide Version—92/MAY.22.2018

WebSecurity Service Version: 6.10.3.1 MAY.22.2018

Edits

n Edits. See New Features.

WebGuide Version—91/MAY.07.2018

WebSecurity Service Version: 6.10.2.6 Mar.13.2018

Edits

n SAML Federation topic—Clarified step for obtainingmetadata.

n Clarified Ignore Proxy Settings definition for Unified Agents.

n Corrected:

o Proxy Forwarding Policy template.

o BrokenWeb Application Reference link.

o Updated links on the Resource Portal.

WebGuide Version—90/MAR.13.2018

WebSecurity Service Version: 6.10.2.6 Mar.13.2018

Edits

n Corrected erroneous authentication headers in the Proxy Forwarding sample policy.

n The PDF icon on the About Migrating From Symantec Web.cloud topic linked to the Unified Agent PDF.

n The TopNav menus did not drill-down past three levels.

n Verify Connections topic displayed the incorrect PAC file URL.

n New SAML IDP support: Google G Suite.

n http://portal.threatpulse.com/docs/am/AccessMethods/auth/SAML/saml_google.htm

WebGuide Version—89/FEB.28.2018

WebSecurity Service Version: 6.10.2.5 Feb.28.2018

http://portal.threatpulse.com/docs/am/AccessMethods/auth/SAML/saml_google.htm


Edits

n General Edits.

WebGuide Version—88/FEB.12.2018

WebSecurity Service Version: 6.10.2.1 Nov.11.2017

Edits

n Broken links from Tiles and cross-references.

Access Methods WebGuide

n New SAML IDP: PingID

n Checkpoint topics: Added Trans-proxy step.

n Auth Connector: Previously stated that you can install on a Domain Controller or member server. For securityreasons, this is now changed tomember server only.

n Proxy Forwarding:

o ForMicrosoft ISA/TMG topics: Youmust manually add the X-Forwarded-For header to the filter .ini file.

o Updated the Proxy Forwarding CPL example template; enhanced with option to send authentication detailfor local SSL intercept bypassed traffic.

n Reference: Supported Cipher Suites for the portal.

WebGuide Version—87.2017.12.11

WebSecurity Service Version: 6.10.2.1 2017.11.17

Edits

n Broken links from Tiles and cross-references.



Solutions WebGuide

n Office 365 Policy.

Updated topic with policy examples based onOffice-related web applications.





n New Firewall/VPN Access Method topic: CiscoMeraki Firewall.

n New SAML IDP topics/options: Microsoft Azure; Symantec VIP Access Manager; Okta.



Solutions WebGuide

n Malware Analysis description revised.

TheMalware Analysis Standard and Advanced functional descriptions are revised to clarify post-downloaddetections and detonations.




n Notation in relevant topics: Port 5222 to comm.threatpulse.commust be open for the CP-Link (DLP) solution.

n Check Point: Added required step to enable Dead Peer Dead.

n Minor edits.

Solutions WebGuide

n Malware Analysis description revised.

TheMalware Analysis Standard and Advanced functional descriptions are revised to clarify post-downloaddetections and detonations.




n Changed the link for the DLP/CP-Link download.

n The date of theMilan datacenter VIP changed.

n Minor edits.



n Support for Universal Policy Enforcement (outside the scope of Web Security Service documentation) except for theinitial configuration wizard change.

n Link changes to Symantec assets (formerly Symantec).

n Datacenter VIP and Authentication ingress updates.



Maintenance release. See the Fixes topic.






Access Methods and Solutions WebGuides

The Remote Clients concept topic has a new section about the behavior of the Unified Agent in a Hybrid(Common Policy) deployment.

n http://portal.threatpulse.com/docs/sol/AccessMethods/Concepts/about_remoteclients_co.htm




n Firewall/VPN Access Method—Where applicable, corrected the Lifetime Timeout values.

n New data center location: Amsterdam, Netherlands: (149.13.178.164). This location is available close of businessPacific Time on April 7, 2017.

n Auth Ingress IP addresses for the Amsterdam, Netherlands location:

o 149.13.178.197

o 149.13.178.205

o 149.13.178.213

o 149.13.178.221

Available close of business Pacific Time on April 7, 2017.

n Additional Auth Ingress IP addresses added. Tokyo, Japan:

o 103.246.39.149

o 103.246.39.157

Available March 24, 2017.

n Additional Auth Ingress IP address added. Chenai, Mumbai:

o 180.179.40.109

Available March 24, 2017.

n Symantec Cloud DLP concept slightly revised.

Solutions WebGuide

n Subscription Notifications topic amended.


Release Notes WebGuide

n The 6.9.4.2 update section below erroneously listed that the Unified Agent intercepts IPv6 addresses.

n New topic for Unified Agent versions/resolved issues.

http://portal.threatpulse.com/docs/rn/ReleaseNotes/RN_UA_fixes.htm

http://cloudwebsecurity.att.com/docs/rn/ReleaseNotes/RN_UA_fixes.htm

n http://websaas.dimensiondata.com/docs/rn/ReleaseNotes/RN_UA_fixes.htm



http://portal.threatpulse.com/docs/rn/ReleaseNotes/RN_UA_fixes.htm

http://cloudwebsecurity.att.com/docs/rn/ReleaseNotes/RN_UA_fixes.htm

http://websaas.dimensiondata.com/docs/rn/ReleaseNotes/RN_UA_fixes.htm





n New Android feature (OS 5+): Fail/Closed when administered with anMDM.

http://portal.threatpulse.com/docs/am/AccessMethods/Concepts/about_android_co.htm




n Explicit Proxy PDF.

n New ACLogon (Auth Connector Logon) application version. This version fixes an issue that caused the application tooperate before the VPN became fully established. In the zip file, this new version is: ACLOGON 1.0.400.800021.

n Clarified Admin password and challenge password requirements in the Registration topic.

n The cloud icon in theWebGuide footer linked to an older service status dashboard. It now links to the correctlocation.

n Updated relevant Firewall/VPN topics: the pre-shared key cannot contain special characters.

n Because of the SHA256 certificate upgrade, the Client Connector, which was available for off-campus protectionsfor systems runningWindows XP, is no longer supported. The relevant content is now removed from thedocumentation.

Solutions WebGuide

n New topic for high-level Microsoft Office 365 best practices. This is an evolving topic.

n Added conceptual topics for how the Reporting service calculates browse times and combines web pages to givemore accurate results.

http://portal.threatpulse.com/docs/sol/Solutions/ManageReports/about_browsetimes_co.htm

n The cloud icon in theWebGuide footer linked to an older service status dashboard. It now links to the correctlocation.

WebGuide Version—053: 2014.07.31

WebSecurity Service Version: 6.5.2 2014.07.31

New Solution PDF

n WebSecurity Service Policy Cookbook—Located on https://bto.bluecoat.com/documentation/threatpulse.Version 2 contains some edits based on architect review.


n General edits.

http://portal.threatpulse.com/docs/am/AccessMethods/Concepts/about_android_co.htm

http://portal.threatpulse.com/docs/sol/Solutions/ManageReports/about_browsetimes_co.htm

https://bto.bluecoat.com/documentation/threatpulse


Solutions WebGuide

n General edits.

Hosted Reporting WebGuide

n General edits.



New Solution PDF

n WebSecurity Service Policy Cookbook—Located on https://bto.bluecoat.com/documentation/threatpulse.


n General edits.

Solutions WebGuide

n General edits.


n General edits.




n Because of a carrier change, the Denver, Colorado, USA data center IP address changed to: (8.39.233.132).

n Because of a carrier change, the Denver, Colorado, USA data center Auth Connector connection IP addresschanged to: (8.39.233.133).

http://portal.threatpulse.com/docs/am/AMDoc.htm#Deployment/Reference/AuthIPs_ref.htm

n General edits.

Solutions WebGuide

n Updated the Content Filtering categories that theWeb Security Service blocks by default.http://portal.threatpulse.com/docs/sol/SOLDoc.htm#03Solutions/ManageMalware/malware_sol.htm

n General edits.


n Changed references of data synch every 24 hours to every hour. Adjusted procedures accordingly.

n General edits.



https://bto.bluecoat.com/documentation/threatpulse

http://portal.threatpulse.com/docs/am/AMDoc.htm#Deployment/Reference/AuthIPs_ref.htm

http://portal.threatpulse.com/docs/sol/SOLDoc.htm#03Solutions/ManageMalware/malware_sol.htm



n New data center location: Chennai, India (180.179.40.84).

n Changed data center location: Chicago, Illinois, USA (198.135.124.164)

n New Chicago and Chennai data center Auth Connector IP addresses.

n General edits.

Solutions WebGuide

n Updated the Content Filtering categories that theWeb Security Service blocks by default.

n General edits.


n Changed references of data synch every 24 hours to every hour. Adjusted procedures accordingly.

n General edits.




n Firewall/VPN and ISA/TMG Proxy Forwarding planning topics and forms reorganized to better present data center IPaddresses; also corrected the New York IP.

n Added new topic that links to existing and new reference topics, which provide a centralized viewing of the datacenter IP addresses, required ports and protocols, and the data center IP addresses to which the Auth Connectorconnects.

n Corrected typo in hyperlink used to generate API for the Cisco 891 cert-based firewall Access Method.

n Corrected some API errors in the Create or ChangeMultiple Gateway IP Addresses topic.

n General edits.

Solutions WebGuide

n The Solutions WebGuide contains the same reference links described in bullet two above.

n General edits.



All WebGuides

n Most references to the [[[Undefined variable BC_Variables.BCCS Short]]] service are replaced with themore genericWeb Security Service term. The exceptions are direct references to the [[[Undefined variable BC_Variables.BCCS Short]]] product.



n Second datacenter location: London, England (185.2.196.164).

n General edits.

Solutions WebGuide

n General edits.



All WebGuides

n Most references to the ThreatPulse service are replaced with themore generic Web Security Service term. Theexceptions are direct references to the ThreatPulse product.


n Re-emphasized the requirement to send Auth Connector traffic to theWeb Security Service.

n General edits.

Solutions WebGuide

n The privacy topic incorrect stated in the Disaster Recovery section: Currently, each line of log data is stored on twogeographically distinct Control Pods. The sentence was corrected to say to say Reporting Pods.

n General edits.




n New datacenter location: Oslo, Norway (193.240.54.68).

n General edits.




n Fixed somemissing screenshots.

n General edits.

Solutions WebGuide

n Fixed somemissing screenshots.

n General edits.





n Rebranded locationmap.

n New datacenter: Montreal, Quebec, Canada (199.19.253.164).

n General edits.




n Production errors caused erroneous datacenter IPs. Corrected.

n New datacenter: Denver, Colorado, United States (38.99.227.164).

n General edits.

Solutions WebGuide

n General edits.




n Because of a provider change, the Seoul, South Korea datacenter VIP changed from 68.251.98.84 to203.246.168.164.

n Also corrected a few other erroneous IPs on some planning forms: New York, South Africa, Buenos Aires, and HongKong.

n General edits.


ThreatPulse Version: 6.2.1 2013.10.15


n Corrected theMilan, Italy datacenter IP address.

n Added screenshot to MDM partner configuration topic.

n General edits.

Solutions WebGuide

n General edits.




All WebGuides

All [[[Undefined variable BC_Variables.BCCS Service]]] feature an updated skin and icon set to align with the newSymantec identity.


n General edits.

Solutions WebGuide

n Content Filtering: Symantec Category Name Update.

The reference topic linked below describes all of the revised categories and indicates which names anddescriptions are new or renamed.

http://portal.threatpulse.com/docs/sol/SOLDoc.htm#03Solutions/Reference/categories_ref.htm

n General edits.



All WebGuides

All [[[Undefined variable BC_Variables.BCCS Service]]] feature an updated skin and icon set to align with the newSymantec identity.


n For the Firewall/VPN and Explicit Proxy Access Methods, you can select SAML as the user Authenticationmethod.

n Perform yourself or instruct your employees to register their Android devices (4.0 and later) with the [[[Undefinedvariable BC_Variables.BCCS Service]]] MDS.

n All relevant planning sheets and reference topics contain IP addresses for the new Helsinki, Finland(46.235.157.164) and Dallas, Texas, USA (199.116.171.164) datacenters.

n The Auth Connector concept topic is updated to contain muchmore detail regarding requirements and connections.

n New reference topic for required ports.

n General edits, including correcting the Toronto IP address in the relevant planning sheets.

Solutions WebGuide

n The above topics are also included in the Solutions WebGuide and accessible through the TOC and Help buttons.

n General edits.

Doc Update Tweets

Have a Twitter account? Follow BCThreatPulse Dox @BCCloudSvcsDocs to receive tweets when updates to theWebSecurity ServiceWebGuides occur.

http://portal.threatpulse.com/docs/sol/SOLDoc.htm#03Solutions/Reference/categories_ref.htm


https://twitter.com/#!/BCCloudSvcsDocs

Date post:	29-Apr-2018
Category:	Documents
Upload:	hoanghanh
View:	239 times
Download:	7 times

Symantec Web Security Service Release Notes -...

Documents