Smart Connect Deployment Guide
Smart Connect Deployment Guide Documentation version: 1.0 Legal Notice Legal Notice Copyright 2013 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo and are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. Symantec Corporation 350 Ellis Street Mountain View, CA 94043 http://www.symantec.com Clients are advised to seek specialist advice to ensure that they use the Symantec services in accordance with relevant legislation and regulations. Depending on jurisdiction, this may include (but is not limited to) data protection law, privacy law, telecommunications regulations, and employment law. In many jurisdictions, it is a requirement that users of the service are informed of or required to give consent to their email being monitored or intercepted for the purpose of receiving the security services that are offered by Symantec. Due to local legislation, some features that are described in this documentation are not available in some countries. Configuration of the Services remains your responsibility and entirely in your control. In certain countries it may be necessary to obtain the consent of individual personnel. Symantec advises you to always check local legislation prior to deploying a Symantec service. You should understand your company s requirements around electronic messaging policy and any regulatory obligations applicable to your industry and jurisdiction. Symantec can accept no liability for any civil or criminal liability that may be incurred by you as a result of the operation of the Service or the implementation of any advice that is provided hereto. The documentation is provided "as is" and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or non-infringement, are disclaimed, except to the extent that such disclaimers are held to be legally invalid. Symantec Corporation shall not be liable for incidental or consequential damages in connection with the furnishing, performance, or use of this documentation. The information that is contained in this documentation is subject to change without notice. Symantec may at its sole option vary these conditions of use by posting such revised terms to the website.
Technical support If you need help on an aspect of the security services that is not covered by the online Help or administrator guides, contact your IT administrator or Support team. To find your Support team's contact details in the portal, click Support > Contact us.
Contents Technical support... 3 Chapter 1 Introducing Smart Connect... 7 Other guidance on Web Security... 7 About Smart Connect... 7 About web roaming for Smart Connect... 8 Deploying Smart Connect step-by-step... 8 Deploying Smart Connect with a Client Site Proxy step-by-step... 10 Chapter 2 Deploying Smart Connect by group policy... 13 About deploying Smart Connect with a group policy... 13 Deploying Smart Connect with a group policy step by step... 14 Upgrading Smart Connect with a group policy step by step... 15 Creating a shared folder for the Smart Connect group policy... 16 Downloading Smart Connect from the portal... 17 Setting up your network environment parameters... 17 Creating a Group Policy Object (GPO)... 18 Creating a group policy for Smart Connect... 19 Configuring the proxy settings for Internet Explorer in the group policy... 20 Pushing out the Smart Connect deployment to the users' computers... 22 Chapter 3 Deploying Smart Connect manually... 23 Deploying Smart Connect manually step by step... 23 Installing the Smart Connect software... 25 Configuring Smart Connect... 26 Applying Smart Connect configuration changes... 27 Verifying the proper operation of the Smart Connect service... 28 About web browser configuration changes for Smart Connect... 29 Configuring the proxy by using a PAC file... 29 Configuring the proxy directly in the web browser's configuration settings... 30 Configuring the proxy for dial-up or VPN connections... 31
6 Contents Troubleshooting Smart Connect... 31 Countries where Smart Connect service is not available... 34 Example PAC file for use with Smart Connect... 34 Uninstalling the Smart Connect software... 38 Chapter 4 Setting up your Client Site Proxy for Smart Connect... 39 Defining the roaming NED server... 39 Adding a firewall rule to allow the roaming NED server... 40 Configuring the client site proxy for web roaming... 40 Appendix A References... 43 agentconfigure.xml syntax... 43 Smart Connect diagnostics pages... 48
Chapter 1 Introducing Smart Connect This chapter includes the following topics: Other guidance on Web Security About Smart Connect About web roaming for Smart Connect Deploying Smart Connect step-by-step Deploying Smart Connect with a Client Site Proxy step-by-step Other guidance on Web Security These help topics provide further guidance on the Web Security Services. Table 1-1 Help on Web Security Help page Click to open the help page Web Security Configuration Smart Connect Deployment Web Firewall Configuration Web Security Deployment About Smart Connect The Web Security Smart Connect agent is a Microsoft Windows service. By acting as a local proxy, the Smart Connect agent accepts all traffic from the user's web browser and redirects the web traffic directly to a Symantec infrastructure point of presence.
8 Introducing Smart Connect About web roaming for Smart Connect The Smart Connect agent has two major components: A local HTTP proxy A connectivity agent that securely links the local proxy to the cloud infrastructure Subscribed customers can download the Smart Connect software from the portal. You can install Smart Connect in two ways: Through a group policy Manually on each user's computer About web roaming for Smart Connect Smart Connect protects users who connect to the Internet outside of your organization's local network environment. Acting as a local proxy on a user's computer, the agent accepts all traffic directed from the user's web browser. If you are not using a client site proxy Smart Connect can work on or off your local area network. Smart Connect redirects the web traffic directly to a Symantec infrastructure point of presence. If you are using the optional client site proxy and the user is working on your local area network, Smart Connect forwards web traffic to your client site proxy. The client site proxy then forwards the web traffic to the Web Security infrastructure. With this option when the user works off the local area network Smart Connect still redirects the web traffic directly to a Symantec infrastructure point of presence. Note: Smart Connect has a charge additional to the Web Security fee. Note: Remote Connect for web roaming Remote Connect is available to all clients without any additional charge. Users must use a PAC file to ensure that browsers are directed to our Roaming Proxy server when they are off-site. The policies that apply to users when they are in the office also apply when they roam. See the Remote Connect chapter in the Web Security Deployment Guide. Deploying Smart Connect step-by-step The Smart Connect setup consists of several steps.
Introducing Smart Connect Deploying Smart Connect step-by-step 9 Table 1-2 Phase Phase 1 Phase 2 Phase 3 Phase 4 (optional) Action Understand Smart Connect Either: Deploy Smart Connect to a group of users or Deploy Smart Connect manually on each user's computer, Troubleshoot deployment issues and test website access Uninstall the software Description See About Smart Connect on page 7. See About web roaming for Smart Connect on page 8. See Countries where Smart Connect service is not available on page 34. See Deploying Smart Connect manually step by step on page 23. See Deploying Smart Connect with a group policy step by step on page 14. See Troubleshooting Smart Connect on page 31. Verify that permitted websites can be accessed Verify that blocked websites cannot be accessed See Uninstalling the Smart Connect software on page 38.
10 Introducing Smart Connect Deploying Smart Connect with a Client Site Proxy step-by-step Deploying Smart Connect with a Client Site Proxy step-by-step Table 1-3 Steps to set up Smart Connect with a Squid Client Site Proxy Step Step 1 Step 2 Step 5 Step 6 Action Understand Smart Connect Install the Client Site Proxy Configure the Client Site Proxy Install Smart Connect on the users' computers Description See About Smart Connect on page 7. See Countries where Smart Connect service is not available on page 34. See Deploying Smart Connect step-by-step on page 8. See the Web Security Deployment Guide See Configuring the client site proxy for web roaming on page 40. See Deploying Smart Connect manually step by step on page 23. or See Deploying Smart Connect with a group policy step by step on page 14. Table 1-4 Steps to set up Smart Connect with an ISA or TMG Client Site Proxy Step Step 1 Action Understand Smart Connect Description See About Smart Connect on page 7. See Countries where Smart Connect service is not available on page 34. See Deploying Smart Connect step-by-step on page 8.
Introducing Smart Connect Deploying Smart Connect with a Client Site Proxy step-by-step 11 Table 1-4 Steps to set up Smart Connect with an ISA or TMG Client Site Proxy (continued) Step Step 2 Step 3 Action Install the ISA or TMG Client Site Proxy Define the Roaming Network Environment Discovery (NED) server Description See the Web Security Deployment Guide See Defining the roaming NED server on page 39. Step 4 Add a firewall rule to permit access for the Roaming NED server See Adding a firewall rule to allow the roaming NED server on page 40. Step 5 Step 6 Configure the ISA or TMG Client Site Proxy Install Smart Connect on the users' computers See Configuring the client site proxy for web roaming on page 40. See Deploying Smart Connect manually step by step on page 23. or See Deploying Smart Connect with a group policy step by step on page 14.
12 Introducing Smart Connect Deploying Smart Connect with a Client Site Proxy step-by-step
Chapter 2 Deploying Smart Connect by group policy This chapter includes the following topics: About deploying Smart Connect with a group policy Deploying Smart Connect with a group policy step by step Upgrading Smart Connect with a group policy step by step Creating a shared folder for the Smart Connect group policy Downloading Smart Connect from the portal Setting up your network environment parameters Creating a Group Policy Object (GPO) Creating a group policy for Smart Connect Configuring the proxy settings for Internet Explorer in the group policy Pushing out the Smart Connect deployment to the users' computers About deploying Smart Connect with a group policy If you work in a Microsoft Active Directory environment you can push out a customized deployment of Smart Connect with Microsoft Group Policy Objects (GPOs). If you roll out Smart Connect with a GPO to a group of users, you can also set up their web browsers for Web Security. To save processing time the best practice is to have as few GPOs as possible. You should create your GPO at the highest level possible in your Active Directory (AD) infrastructure, such as for a site or for a domain. The procedure in this guide is
14 Deploying Smart Connect by group policy Deploying Smart Connect with a group policy step by step for a domain-level group policy. Adapt the instructions in the following procedures to fit in with your own AD setup. If you require some of the computers covered by the group policy to be unmonitored you can bypass the proxy server. Examples might be some members of the marketing department who require access to banned websites for research. for these computers you set up exceptions in the Group Policy Object. You may also require requests from a URL to bypass the proxy server, for example Microsoft updates. For these URLs you set up a bypass list in agentconfigure.xml. See agentconfigure.xml syntax on page 43. When you have set up agentconfigure.xml you then perform an.msi transform to create the deployment.mst for your environment. You push out the deployment.mst to your users with a group policy. See Deploying Smart Connect with a group policy step by step on page 14. Deploying Smart Connect with a group policy step by step The table shows the steps you need to follow to deploy Smart Connect to a group of users. Table 2-1 Step Step 1 Step 2 Step 3 Step 4 GPO deployment of Smart Connect Action Understand the Smart Connect group policy deployment Set up your Smart Connect Client Site Proxy Create a shared folder Download the Smart Connect.msi Description See About deploying Smart Connect with a group policy on page 13. See Countries where Smart Connect service is not available on page 34. See Deploying Smart Connect with a Client Site Proxy step-by-step on page 10. See Creating a shared folder for the Smart Connect group policy on page 16. See Downloading Smart Connect from the portal on page 17.
Deploying Smart Connect by group policy Upgrading Smart Connect with a group policy step by step 15 Table 2-1 GPO deployment of Smart Connect (continued) Step Step 5 Step 6 Step 7 Step 8 Step 9 Step 10 Step 11 (optional) Action Set up your network environment parameters Create a group policy Include Smart Connect in the group policy Include the Internet Explorer proxy server in the group policy Push out the Smart Connect deployment to the users' computers Troubleshoot Redeploy a new version of Smart Connect Description See Setting up your network environment parameters on page 17. See agentconfigure.xml syntax on page 43. See Creating a Group Policy Object (GPO) on page 18. See Creating a group policy for Smart Connect on page 19. See Configuring the proxy settings for Internet Explorer in the group policy on page 20. See Pushing out the Smart Connect deployment to the users' computers on page 22. See Troubleshooting Smart Connect on page 31. See Upgrading Smart Connect with a group policy step by step on page 15. Upgrading Smart Connect with a group policy step by step You need to upgrade Smart Connect on users' computers when a new version of the software is released. An upgrade is a redeployment of Smart Connect where your organization's network environment has not changed. If your organization's network environment has changed, follow the steps for the Smart Connect deployment. See Deploying Smart Connect with a group policy step by step on page 14.
16 Deploying Smart Connect by group policy Creating a shared folder for the Smart Connect group policy Note: The Smart Connect.msi should be placed in the same directory you used for the original deployment. Table 2-2 Step Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 GPO upgrade of Smart Connect Action Download the Smart Connect.msi Create a group policy Include Smart Connect in the group policy Include the Internet Explorer proxy server in the group policy Push out the Smart Connect deployment to the users' computers Troubleshoot Description See Downloading Smart Connect from the portal on page 17. See Creating a Group Policy Object (GPO) on page 18. See Creating a group policy for Smart Connect on page 19. See Configuring the proxy settings for Internet Explorer in the group policy on page 20. See Pushing out the Smart Connect deployment to the users' computers on page 22. See Troubleshooting Smart Connect on page 31. Creating a shared folder for the Smart Connect group policy You require three files to customize the deployment. The three files are: Smart Connect.msi Your customized version of agentconfigure.xml ConfigFilePath.mst We recommend that you place, these files together in the same directory. When you have set up agentconfigure.xml you then perform an.msi transform to create the deployment.mst for your environment. You push out the deployment.mst to your users with a group policy.
Deploying Smart Connect by group policy Downloading Smart Connect from the portal 17 Before you start, you need to have installed a.msi packaging tool to customize the Smart Connect installation package. Next step See Downloading Smart Connect from the portal on page 17. Downloading Smart Connect from the portal To download the Smart Connect.msi from the portal 1 Create a share path on your network that all the target users for your deployment can access in read mode. 2 In the portal select Tools > Downloads. 3 Under Smart Connect Agent select your language option. 4 Click Download. 5 Browse through the navigation pane to the share path for the folder you created earlier. 6 Click Save. Next step Deployment: See Setting up your network environment parameters on page 17. Upgrade: See Creating a Group Policy Object (GPO) on page 18. Setting up your network environment parameters Before starting you need to create a version of agentconfigure.xml to customize your deployment with your license key and local network environment. An example of agentconfigure.xml is available at the following location: See agentconfigure.xml syntax on page 43. Note: The portal displays the license key that you copy and paste into agentconfigure.xml. To set up the configuration parameters 1 In your shared folder create an agentconfigure.xml file. 2 In the portal select Tools > Downloads.
18 Deploying Smart Connect by group policy Creating a Group Policy Object (GPO) 3 Under Smart Connect Agent copy the license key. 4 In agentconfigure.xml paste the license key into the <license_key> element. 5 Update the other elements in agentconfigure.xml to reflect your network environment. You create a configuration file path with a.msi packaging tool. The following procedures are an example implementation. You may need to adapt the instructions for the.msi packaging tool you use. To create a configuration file path 1 In your.msi packaging tool, open the Smart Connect.msi file. 2 In the navigation pane select the Tables tab. 3 Select Property and on the Transform menu, click New Transform. 4 In the navigation pane browse to your shared folder, in Filename type ConfigFilePath.mst and then click Save. 5 In the navigation pane select the Tables tab, right-click Property and click Add Row. 6 In Property type CONFIGFILEPATH. 7 In Value type \agentconfigure.xml and click OK. Note: To deploy the file from a directory different to your shared folder, in Value type the network path, in the format \\[computer name]\[shared folder]\agentconfigure.xml. 8 On the File menu, click Save and then click OK. Next step See Creating a Group Policy Object (GPO) on page 18. Creating a Group Policy Object (GPO) After you have downloaded the Smart Connect.msi you create a Group Policy Object. You then create a Group Policy for Smart Connect. To create the GPO 1 Open the Group Policy Management Console. 2 Browse through the navigation pane to the domain to which you want to deploy Smart Connect.
Deploying Smart Connect by group policy Creating a group policy for Smart Connect 19 3 Right-click the domain name. 4 Click Create and Link a GPO Here. 5 In Name type a name for the GPO; for example, Smart Connect. 6 Click OK. To change the GPO status 1 In the navigation pane select the new Smart Connect GPO. 2 In the right pane click the Details tab 3 In GPO Status select User configuration settings disabled. This option lets users log on more quickly, as it limits the parts of the GPO that are applied. Next step See Creating a group policy for Smart Connect on page 19. Creating a group policy for Smart Connect To create a group policy for Smart Connect you modify the Smart Connect.msi. When you push out the group policy, Smart Connect deploys on a computer when the user next logs on or restarts. Note: Before setting up Smart Connect in the group policy, you must ensure your Smart Connect.msi, agentconfigure.xml and ConfigFilePath.mst are in the same shared folder To open the Smart Connect.msi 1 Open the Group Policy Management Console. 2 In the navigation pane, right-click the Smart Connect GPO and select Edit. 3 Browse through the navigation pane to User Configuration. 4 Under Software Settings right-click Software Installation. 5 Click New and then click Package. 6 Browse through the navigation pane to your shared folder and double-click the Smart Connect.msi. 7 On the File menu, click Open.
20 Deploying Smart Connect by group policy Configuring the proxy settings for Internet Explorer in the group policy To assign the Smart Connect.msi 1 Open the Smart Connect.msi. 2 Click Advanced. 3 In the Deployment tab select the checkboxes: Assigned Uninstall this application when it falls out of scope of management Install this application at logon Basic You assign your organization's network environment parameters for a first-time deployment. For an upgrade you do not need to perform these steps. To assign your organization's network environment parameters 1 Open the Smart Connect.msi. 2 Select the Modifications tab and click Add. 3 Browse through the navigation pane to your share path, select ConfigFilePath.mst, and then click OK. Next step See Configuring the proxy settings for Internet Explorer in the group policy on page 20. Configuring the proxy settings for Internet Explorer in the group policy Using the group policy, you can set up your users' Microsoft Internet Explorer proxy server settings. You can also secure the proxy server settings, so the user cannot browse the Internet without the Web Security filters. To configure and enable the proxy settings 1 Open the Group Policy Management Console. 2 Browse through the navigation pane to User Configuration. 3 Under Windows Settings right-click Internet Explorer Maintenance and click Connection. 4 In the right pane double-click Proxy Settings and select the Enable proxy settings check box. 5 Click to clear the Use the same proxy server for all protocols check box.
Deploying Smart Connect by group policy Configuring the proxy settings for Internet Explorer in the group policy 21 6 In rows 1.HTTP, 2.Secure, and 3.FTP in Address of proxy type 127.0.0.1 and in Port type the number you defined in <HTTP_port> in agentconfigure.xml. 7 Clear rows 4.Gopher and 5.Socks. 8 Under Exceptions, select the Do not use proxy server for local (intranet) addresses check box. 9 If you need IP addresses such as for an extranet to bypass the proxy server, in Do not use proxy server for addresses beginning with, type the IP addresses. 10 Click OK. To secure the proxy settings 1 In the Group Policy window, browse through the navigation pane to User Configuration. 2 Under Administrative Templates select Internet Explorer. 3 In the right pane, double-click Disable changing proxy settings. 4 Click Enabled. 5 Click OK. Assign the GPO to an Active Directory group 1 In the Group Policy window browse through the navigation pane to your shared folder and select the Smart Connect.msi. 2 In the right pane, open the Delegation tab, select Authenticated Users, and click Remove. 3 In the Security tab, select the group to which you want to deploy Smart Connect. 4 In the Allow check box column, select Read and select Apply group policy. 5 Click OK and then click Add. Next step See Pushing out the Smart Connect deployment to the users' computers on page 22.
22 Deploying Smart Connect by group policy Pushing out the Smart Connect deployment to the users' computers Pushing out the Smart Connect deployment to the users' computers When you have set up the group policy you are ready to deploy Smart Connect on users' computers. Smart Connect deploys when the user next logs on or restarts their computer. Note: You need to have created a shared folder in which you saved the Smart Connect.msi, agentconfigure.xml, and ConfigFilePath.mst. See Downloading Smart Connect from the portal on page 17. To push out the Smart Connect deployment 1 Log on to your computer with administrator rights and open the Command Prompt. 2 Type GPUPDATE /Force. On the user's computers the Smart Connect agent deploys the next time the user starts their computer. Next step See Troubleshooting Smart Connect on page 31.
Chapter 3 Deploying Smart Connect manually This chapter includes the following topics: Deploying Smart Connect manually step by step Installing the Smart Connect software Configuring Smart Connect Applying Smart Connect configuration changes Verifying the proper operation of the Smart Connect service About web browser configuration changes for Smart Connect Configuring the proxy by using a PAC file Configuring the proxy directly in the web browser's configuration settings Configuring the proxy for dial-up or VPN connections Troubleshooting Smart Connect Countries where Smart Connect service is not available Example PAC file for use with Smart Connect Uninstalling the Smart Connect software Deploying Smart Connect manually step by step Before you set up Smart Connect on a user's computer, ensure that you have set up your client site proxy.
24 Deploying Smart Connect manually Deploying Smart Connect manually step by step See the Web Security Deployment Guide To set up Smart Connect locally on a user's computer: Set up the Smart Connect software on the user's computer. Configure the web browser proxy settings on the user's computer. Test and troubleshoot. Table 3-1 Deploy Smart Connect manually on the user's computer Phase Phase 1 Phase 2 Phase 3 Action Set up your Smart Connect Client Site Proxy Set up the Smart Connect software on the user's computer Install the Smart Connect software Configure the Smart Connect software (agentconfigure.xml) Apply the Smart Connect configuration changes Start the Smart Connect service Configure the web browser proxy settings on the user's computer Description See Deploying Smart Connect with a Client Site Proxy step-by-step on page 10. See Installing the Smart Connect software on page 25. See Configuring Smart Connect on page 26. See agentconfigure.xml syntax on page 43. See Applying Smart Connect configuration changes on page 27. See Verifying the proper operation of the Smart Connect service on page 28. See Smart Connect diagnostics pages on page 48. See About web browser configuration changes for Smart Connect on page 29.
Deploying Smart Connect manually Installing the Smart Connect software 25 Table 3-1 Deploy Smart Connect manually on the user's computer (continued) Phase Action Deploy a PAC file Configure web browsers directly Configure the proxy for dial-up or VPN connections Description See Configuring the proxy by using a PAC file on page 29. See Example PAC file for use with Smart Connect on page 34. See Configuring the proxy directly in the web browser's configuration settings on page 30. See Configuring the proxy for dial-up or VPN connections on page 31. Phase 4 Troubleshoot deployment issues and test website access See Troubleshooting Smart Connect on page 31. Phase 5 (optional) Uninstall the software Verify that permitted websites can be accessed Verify that blocked websites cannot be accessed See Uninstalling the Smart Connect software on page 38. Installing the Smart Connect software The Smart Connect software is supported on the following operating systems: Windows 7 Windows Vista Windows XP
26 Deploying Smart Connect manually Configuring Smart Connect To download the software 1 In the portal, click Tools > Downloads. 2 In the Web Agent section, select the language version you require and click Download. If you have not been provisioned with the Smart Connect service, this link does not appear in the portal. 3 Download the installation file SmartConnectSetup.msi. Warning: Your license key for the agent software is displayed on this page in the portal. You must have this key when you install the agent software on users' computers. Note: You must download the software again whenever there is an update. The Support team alerts you when an update is available. Next step See Configuring Smart Connect on page 26. Configuring Smart Connect The agent comes with an example configuration file (agentconfigure-example.xml) that can be copied to agentconfigure.xml and edited with your requirements. A copy of this file, and an example that you can download, are available at the following location: See agentconfigure.xml syntax on page 43. Most organizations can configure a single version of this file for use on all computers. This file to be copied into the installation directory after the software has been installed. To perform a normal Installation 1 Download the installation file SmartConnectSetup.msi. 2 Double-click the file SmartConnectSetup.msi. 3 Click Next to install the Agent software in the default installation folder. 4 Start the Smart Connect service 5 Verify the installation. See Verifying the proper operation of the Smart Connect service on page 28.
Deploying Smart Connect manually Applying Smart Connect configuration changes 27 The details for how to deploy the software using an automated installation depend on your usual method for performing this type of installation. The following steps are typical. To perform an automated Installation 1 Download the installation file SmartConnectSetup.msi 2 Run the following command: msiexec /quiet /i SmartConnectSetup.msi 3 Once the agent has been installed, copy your edited agentconfigure.xml configuration file into the installation folder: C:\Program Files\Web Security Services\Smart Connect\ 4 Start the service: sc start smartconnect Next step See Applying Smart Connect configuration changes on page 27. Applying Smart Connect configuration changes After installing and configuring the software, you must start the service. It does not automatically start. You then change and save the configuration file. You must restart the Smart Connect Service or restart the computer for the changes to take effect. Starting the Smart Connect service 1 Select Start > Control Panel > Administrator Tools > Services > Smart Connect. 2 Right-click to open the context menu, and click Start. Restarting the Smart Connect service 1 Select Start > Control Panel > Administrator Tools > Services > Smart Connect. 2 Right-click to open the context menu, and click Restart. Next step See Verifying the proper operation of the Smart Connect service on page 28.
28 Deploying Smart Connect manually Verifying the proper operation of the Smart Connect service Verifying the proper operation of the Smart Connect service When you have installed and configured the Smart Connect software and started Smart Connect, the service normally operates immediately. Similarly, after you modify the configuration and restart the service, it normally operates immediately. If you can access either of these webpages, the agent works as expected. A description of the diagnostics is at: See Smart Connect diagnostics pages on page 48. To verify that the Smart Connect service is running Browse to the following URL: http://localhost/ra/connection.html This page indicates the status of the agent, and the user name you are logged on as. This example works if you use the default port setting of <http_port>80<http_port>. If you specify a different port number in the configuration file you must specify this port number in the URL, for example: http://localhost:1234/ra/connection.html. To verify the version number of the agent: Browse to the following URL: http://localhost/ra/about.html This example works if you use the default port setting of <http_port>80<http_port>. If you specify a different port number in the configuration file, you must specify this port number in the URL, for example: http://localhost:1234/ra/about.html Warning: Once you have verified that the service operates correctly, you must confirm that the protected state works correctly both on-lan and off-lan. Then there is no risk that an end user roams unprotected unless they modify the standard configuration that you provide for their agent. This configuration should be locked down to prevent the configuration from changes by the user.
Deploying Smart Connect manually About web browser configuration changes for Smart Connect 29 Next step See Configuring the proxy by using a PAC file on page 29. See Configuring the proxy directly in the web browser's configuration settings on page 30. See Configuring the proxy for dial-up or VPN connections on page 31. About web browser configuration changes for Smart Connect To use the Smart Connect service, modify the web browser to do the following: use the local Smart Connect agent as a proxy for all Internet traffic, and bypass the proxy for Intranet/LAN traffic. At a minimum, the browser must bypass: localhost/127.0.0.1 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 Any URL that is on the corporate LAN The agent works as expected if you only send to it the traffic that is destined for the Internet. Do not send to the agent any traffic for your corporate LAN. If this setting is misconfigured, it is possible that everything works correctly when the user is OnLAN. However, when OffLAN the user is unable to connect to any Intranet/LAN resources, even when connected using a VPN. Configuring the proxy by using a PAC file We recommend that you use a PAC file when you configure the Smart Connect software. The PAC file helps to ensure continued access to the Internet in the event that the Smart Connect software fails. The PAC file must be accessible when the user is not connected to the LAN. An example PAC file is available on the following link. You can customize this PAC file for your own configuration. See Example PAC file for use with Smart Connect on page 34. Typically only two states of connection need to be allowed for in the PAC file configuration:
30 Deploying Smart Connect manually Configuring the proxy directly in the web browser's configuration settings If the user is on a LAN location that is known in the portal you put the user's computer in an on LAN protected state. To set up the on LAN protected state, you point the agent to the Client Site Proxy, upstream proxy or default gateway. If the user is on any other location that is not configured in the portal the Smart Connect connection should be used. Warning: If the agent is not configured properly on a corporate LAN that has access to the Internet, the agent discovers this access. The agent then allows the user to connect to the Internet in an on LAN unprotected state. You may want this behavior, so that if there are problems with the CSP connecting to the Internet, your users can still access the Internet. However, if Smart Connect is in the 'on LAN unprotected' state, the users' web traffic bypasses Web Security. In this case, your Web Security rules in the portal have no effect. For information on preventing users from accessing the Internet directly by Smart Connect, contact Support. Next step See Troubleshooting Smart Connect on page 31. Configuring the proxy directly in the web browser's configuration settings The Smart Connect service supports all commonly used web browsers. Specific instructions follow for configuring Microsoft Internet Explorer and Mozilla Firefox. To configure the proxy setting in Internet Explorer 1 In Internet Explorer, on the Tools menu click Internet Options. On the Connections tab, click LAN Settings. 2 Check Use a proxy server for your LAN. 3 In the Proxy Server box, type 127.0.0.1 4 In the Port box, type 80 (for the default configuration, or the number that you used in the <http_port>80</http_port> element in the Smart Connect configuration file). 5 Click OK twice to close the options screens and save your settings. To configure the proxy setting in Mozilla Firefox 1 In Firefox, on the Tools menu, click Options. 2 On the Advanced > Network tab, click Settings. 3 Click Manual proxy configuration.
Deploying Smart Connect manually Configuring the proxy for dial-up or VPN connections 31 4 In the HTTP Proxy box, type 127.0.0.1 5 In the Port box, type 80 (for the default configuration, or the number that you used in the <http_port>80</http_port> element in the Smart Connect configuration file). 6 Click OK twice to close the options screens and save your settings. Next step See Troubleshooting Smart Connect on page 31. Configuring the proxy for dial-up or VPN connections If you use a dial-up or VPN connection, you must configure the computer to use the PAC file for those connections. To configure the proxy setting in Internet Explorer 1 In Internet Explorer, select Tools > Internet Options. 2 Select the Connections tab. 3 Select the Dial-up or VPN entries from the list as required and click Settings on the right. 4 Check the box to enable Use automatic configuration script. 5 Enter the address of your PAC file, for example file://c:\roaming_pac.txt. 6 Select OK. 7 Select OK. Next step See Troubleshooting Smart Connect on page 31. Troubleshooting Smart Connect The following lists problems and the possible cause, and resolution without the need to contact the Support team. Also, having performed some of the following checks may save you time if you do need to contact the Support team.
32 Deploying Smart Connect manually Troubleshooting Smart Connect Cannot connect to the Internet The proxy configuration may be wrong or the agent may not work properly. Check that the proxy server setting is correct. The default proxy server setting is to local host on port 80. This setting may have been modified on installation. Attempt to load the Connection page. See Smart Connect diagnostics pages on page 48. If the page appears, that shows that you are proxied to the agent properly and that the agent is running. The Network Environment Status status is displayed (on-lan or off-lan) Take a screen shot of Connection page, and make a copy of the log file: C:\Program Files\Web Security Services\Smart Connect\agent.log If the diagnostic page displays an error in connecting to NED, you must check that the CSP configuration is correct. If there are still problems, manually change your web browser settings to remove any proxy settings, and verify that your Internet connection works properly. Problem with accessing the Internet when you use the PAC file Cannot browse a website A temporary resolution may be to remove the PAC file's settings from the web browser, and enter the proxy configuration (127.0.0.1:80) manually. Is this site blocked by your organization's Web Security policy? If not, and you still cannot access the website, but other webpages can be loaded, contact the Support team. Provide the full details of the URL, web browser version, and the following information: Load the Connection page. See Smart Connect diagnostics pages on page 48. From this page, check what mode the agent is in, and the infrastructure name you point to. Take a screen shot of the diagnostic page, and make a copy of the log file: C:\Program Files\Web Security Services\Smart Connect\agent.log
Deploying Smart Connect manually Troubleshooting Smart Connect 33 Web security policy is not applied Load the Connection page. See Smart Connect diagnostics pages on page 48. From this page, check what mode the agent is in. If this shows as Unprotected, it means that there is an issue such as any of the following: The license key may have been entered incorrectly The user is unknown The user is in an embargoed country (where the Smart Connect service is unavailable) The NED cannot be accessed Is my connection being secured? Load the Connection page. See Smart Connect diagnostics pages on page 48. From this page, check what mode the agent is in. If this shows as Protected, your connection is secured. Latency issues Possible causes include: The proxy server configuration may point to the wrong country The user is in an embargoed country (where the Smart Connect service is unavailable) The user's Internet connection is too slow for the service to operate effectively. If the latency problems persist, contact the Support team. Application does not work when you use the Smart Connect agent Is the application attempting to use your Internet Explorer proxy server settings, or its own proxy server configuration? If it uses its own proxy server settings, configure it to access the Internet directly, which may resolve the problem. Network status indicates that you are off-lan, but you are on-lan Load the Connection page. See Smart Connect diagnostics pages on page 48. From the diagnostic information displayed, make a note of what gateway is used. Check the configuration in the portal, to ensure that the details match. If the problem persists, contact the Support team.
34 Deploying Smart Connect manually Countries where Smart Connect service is not available Countries where Smart Connect service is not available The Smart Connect service is available in almost all countries. The following document contains details of the exceptions: Smart Connect - No Service Countries Example PAC file for use with Smart Connect The following PAC file is an example only. // ******************************************************************** // roaming2-pac.pac: Version 1.0 // // Proxy Auto-Config (PAC) template file for web browser and roaming // agent users. Follow the instructions throughout this configuration // file in order to update for your specific environment. // // Notes: // - "host" refers to the host portion of the URL being requested (i.e. // everything after the :// at the beginning of the URL up to the // first colon (:) or slash (/) (e.g. www.example.com). // - "url" refers to the entire URL being requested. This includes // the protocol and file (e.g. http://www.example.com/index.html). // - Microsoft IE processes the PAC file once per hostname and caches // the result. You cannot have different behaviour for the same // hostname (e.g. http://www.example.com/index.html must be // directed to the same proxy as http://www.example.com/foo.html). // - isinnet will perform a DNS lookup for non IP addresses. Ensure the // host is a raw IP before using this function. // - For debugging, set the debug variable to true. // ******************************************************************** function FindProxyForURL(url, host) { //******************************************************************* // CUSTOMIZATION SECTION // All changes to customize this PAC file for your environment should // appear in this section. // If a section does not apply to you, you can remove it by placing a // // at the beginning of each line in the section // 1) Listening port for the roaming agent. // * This must match the <http_port> entry in your roaming // agent's agentconfigure.xml file
Deploying Smart Connect manually Example PAC file for use with Smart Connect 35 // * The default value is 80 // var ROAMING_AGENT_LISTENING_PORT = "80"; // 2) Bypassed URLs // * Define entries for URLs that should not be accessed // through the WSS service. // * Examples include: // - URLs on your company intranet // * You many optionally include URLs that you consider // safe // * The * character may be used as a wildcard. // var BYPASS_LIST = [ "*.download.microsoft.com", "*.windowsupdate.com", "*.windowsupdate.microsoft.com", "windowsupdate.microsoft.com", "*.update.microsoft.com", "update.microsoft.com" ]; // 3) On-LAN Web Gateways // * This section can be used to define secondary proxies // that can be used in the event that the roaming agent // software fails. // * If the roaming agent is not functional, the browser // will be directed to the proxies listed below. Note // that this may cause traffic to be backhauled through // a VPN when off the company LAN. // // * Define entries for each CSP or Web gateway in your // corporate LAN(s) // * Use the format proxy_hostname_or_ip_address:port // e.g. // mycsp.intranet.mycompany.com:3128 // OR // 10.1.2.1:80 // var WEB_GATEWAYS = [ "myproxy:3128", "myotherproxy:3129" ];
36 Deploying Smart Connect manually Example PAC file for use with Smart Connect // END OF CUSTOMIZATION SECTION - do not edit below this point // **************************************************************** var debug = false; var debug_string = ""; var direct = "DIRECT"; var proxy_string = "PROXY localhost:"+roaming_agent_listening_port; if ((typeof WEB_GATEWAYS)!= "undefined") { var i=0; while (i < WEB_GATEWAYS.length) { proxy_string += "; PROXY " + WEB_GATEWAYS[i]; i++; } } proxy_string = proxy_string + "; DIRECT"; if (debug) debug_string += "PAC:\nProxy string is: " + proxy_string + "\n"; // If the host is this computer, connect directly if ((host == "localhost") (host == "localhost.localdomain") (host == "127.0.0.1")) { if (debug) { debug_string += "Host is local, using " + direct; alert(debug_string); } return direct; } // If host name is local (i.e. contains no dots), connect directly. if (isplainhostname(host)) { if (debug) { debug_string += "Host contains no dots, using " + direct; alert(debug_string); } return direct; } // If host name is part of the IANA private IP address ranges, connect // directly. if (/^\d+\.\d+\.\d+\.\d+$/.test(host) &&
Deploying Smart Connect manually Example PAC file for use with Smart Connect 37 (isinnet(host, "10.0.0.0", "255.0.0.0") isinnet(host, "172.16.0.0", "255.240.0.0") isinnet(host, "192.168.0.0", "255.255.0.0"))) { if (debug) { debug_string += "Host is IANA private IP, using " + direct; alert(debug_string); } return direct; } // ***************************************************************** // Specify remote URLs that are trusted and don't require proxying // and should be bypassed when roaming. // ***************************************************************** if ((typeof BYPASS_LIST)!= "undefined") { var i=0; while (i < BYPASS_LIST.length) { if (shexpmatch(host, BYPASS_LIST[i])) { if (debug) { debug_string += "Host matches bypass entry: "; debug_string += BYPASS_LIST[i] + "\ngoing direct"; alert(debug_string); } return direct; } i++; } if (debug) debug_string += "No matching bypass\n"; } else { if (debug) debug_string += "No bypass list specified\n"; } if (debug) { debug_string += "Using proxy string"; alert (debug_string); }
38 Deploying Smart Connect manually Uninstalling the Smart Connect software return proxy_string; } Note: The latest version of this PAC file is available for download at: RA_PAC.txt. Uninstalling the Smart Connect software To uninstall the Smart Connect software, complete the first procedure and then either the second or third procedure, depending on your requirements. To delete the installation files 1 The uninstall process does not remove the diagnostic log (agent.log) and the configuration file (agentconfigure.xml). If you think you may require these files later, back them up before you continue. 2 Delete the diagnostic log and configuration file before uninstalling the software, so that the directories are deleted. To perform a normal uninstall 1 On the Start menu, click Control Panel > Add or Remove Programs. 2 Click Symantec Smart Connect Service to select it. 3 Click Remove. To perform an automated uninstall 1 If the.msi package is available, type the following command: msiexec /quiet /x RoamingAgentSetup.msi 2 If the.msi package is not available, type the following command: msiexec /quiet /x {E3112BFC-BB4D-4169-AC6C-A907BB58CFE3} Note: You cannot disable the Smart Connect agent by disabling the user in the portal. You must either uninstall the agent software, or remove the user from the directory.
Chapter 4 Setting up your Client Site Proxy for Smart Connect This chapter includes the following topics: Defining the roaming NED server Adding a firewall rule to allow the roaming NED server Configuring the client site proxy for web roaming Defining the roaming NED server The Network Environment Discovery (NED) server is responsible for determining the roaming behavior of the Smart Connect agent. To define the roaming NED server 1 Open the Microsoft ISA Server Management Console. In the left pane Select Firewall Policy 2 In the right pane Expand Toolbox. Expand Network Objects. Select Domain Name Sets. 3 Right-click to open the context menu Select New Domain Name Set. Type the name Roaming NED Server.
40 Setting up your Client Site Proxy for Smart Connect Adding a firewall rule to allow the roaming NED server Add the domain ned.webscanningservice.com. Add a description (optional). Click OK. 4 Click Apply to apply the changes. Next step See Adding a firewall rule to allow the roaming NED server on page 40. Adding a firewall rule to allow the roaming NED server Open the Microsoft ISA Server Management Console. To add a firewall rule to allow the roaming NED server 1 In the left pane, right-click FireWall Policy, select New, then select Access Rule 2 Enter a name for the rule, then select Next 3 Select Allow, then select Next 4 In the Protocols page, on the This rule applies to drop-down menu, select Selected protocols. 5 Select Add, from the common Protocols add HTTP and HTTPS, then select Next. 6 For source, select Internal. 7 If you use NAT, also select local host and then Select Next. 8 For the Destination, select Roaming NED server, then select Next. 9 For the User sets, All users should be listed, then select Next. 10 Select Finish. 11 Ensure that this rule is the first rule in the firewall policy, then Apply. Next step See Configuring the client site proxy for web roaming on page 40. Configuring the client site proxy for web roaming If your Web Security configuration permits your users to access the Internet without authentication, there is no requirement to change your CSP configuration. However, if you have Web Security rules based on user name or group membership,
Setting up your Client Site Proxy for Smart Connect Configuring the client site proxy for web roaming 41 this information must be passed to the Web Security infrastructure. See the example configuration that follows. To configure Squid CSP for roaming 1 Edit the following file: C:\ClientSiteProxy\etc\squid.conf 2 Locate the following line: http_access allow authproxy Preceding the located command, add the following commands: acl neddomain dstdomain ned.webscanningservice.com http_access allow neddomain 3 Save the file. 4 Restart the CSP. Next step See Deploying Smart Connect with a group policy step by step on page 14. or See Deploying Smart Connect manually step by step on page 23..
42 Setting up your Client Site Proxy for Smart Connect Configuring the client site proxy for web roaming
Appendix A References This appendix includes the following topics: agentconfigure.xml syntax Smart Connect diagnostics pages agentconfigure.xml syntax As part of the installation process, a configuration file is created, specifying the location of components on your company's network. See Configuring Smart Connect on page 26. If you accept the default installation location, the path to the file is: C:\Program Files\Web Security Services\SmartConnect\ agentconfigure.xml The following configuration file cannot be used as presented here. It must be modified to suit the environment within which you deploy it. <?xml version="1.0" encoding="iso-8859-1"?> <roaming_agent> <http_port>80</http_port> <upstream_proxy> <address>proxy1.us.webscanningservice.com</address> <port>3128</port> </upstream_proxy> <license_key>xxxxxx-xxxx-xxxx-xxxxxx-xxxxxx-xxxxxx</license_key> <bypass_list> <bypass> <url>http://*.update.microsoft.com</url>
44 References agentconfigure.xml syntax <pattern>isawildcard</pattern> <mode>offlan</mode> </bypass> <bypass> <url>http://*.download.windowsupdate.com</url> <pattern>isawildcard</pattern> <mode>offlan</mode> </bypass> </bypass_list> </roaming_agent> Note: The latest version of this configuration file is available for download at: agentconfigure.xml. You must configure the following elements for your own environment. Table A-1 Element <http_port> Elements to configure in Smart Connect Description The proxy's listening port (web browsers point here) Default: 80 The TCP port that the Smart Connect service listens for incoming connections from the web browser. We recommend that you use a privileged port (under 1024).. You may need to change the port number from port 80 if other software (such as a web server) listens on this port. When redirecting the browser to the Smart Connect service, http_port is the port that must be specified (e.g. local host:80 or 127.0.0.1:80).
References agentconfigure.xml syntax 45 Table A-1 Element <upstream_proxy> Elements to configure in Smart Connect (continued) Description The address and the port number of any upstream proxies that your employees use to access the Internet from your LAN (no default setting) If you have multiple proxies, this element should be repeated once for each proxy Warning: If you have no proxies to configure, omit this element. When On-LAN, these entries indicate the proxy servers that the Smart Connect service should use. When the endpoint is On-LAN, traffic from your web browser is forwarded to one of these proxy servers. This traffic then goes through the Web Security infrastructure to enforce your policy and to block any malware. What you enter here depends on your specific networking requirements. Typically, one of these two options: The host name or IP address of your CSP (or other on-site proxy) The regional host name of the Web Security infrastructure These settings are typically the same that your web browser uses to access the Internet. The order in which these proxies are listed is not significant. Smart Connect agent resolves the names using DNS and uses the one that is quickest to respond. Note: If you do not have an explicit proxy, but rely on a transparent proxy to access the Web Security infrastructure, this list can remain empty. <license_key> Your license key as provided by the Support team. (no default setting) Your organization's license key is available by logging into the portal. Copy it and paste it into the configuration file here. Without a license key, the Smart Connect service does not function.
46 References agentconfigure.xml syntax Table A-1 Element <debug_level> Elements to configure in Smart Connect (continued) Description The logging level of the proxy. Valid values are (in order of verbosity): FATAL (least verbose) ERROR WARN INFO DEBUG TRACE (most verbose) Default: INFO Increasing the debug level can produce very large log files. <connect_timeout> The time, in seconds, before connection attempts timeout. Default: 10 <idle_connection_timeout> The time, in seconds, of no traffic before idle OnLAN proxy connections are dropped. Default: 60 <idle_offlan_connection_timeout> The time, in seconds, of no traffic before idle OffLAN connections (Secure Mode SSL tunnels) are dropped. Default: 600 <dns_timeout> The time, in seconds, before entries in the DNS cache expire. Default: 30 <ned_server> The host name of the NED server. ned.webscanningservice.com
References agentconfigure.xml syntax 47 Table A-1 Element <failure_mode> Elements to configure in Smart Connect (continued) Description The failure_mode can be CLOSED OPEN Default: OPEN Setting is case-sensitive. When the agent cannot connect to RAS in OFFLAN, it generates an error page if it is CLOSED. Otherwise, it tries again to connect to web server directly if it is OPEN. <bypass_ned> The bypass_ned can be YES NO Default: NO Setting is case-sensitive. <bypass_list> bypass_list is the URL list to bypass the request to the upstream proxy. It can contain multiple bypass tags (or none). Default: (empty) Only the first bypass_list tag takes effect if multiple bypass_list tags are defined. <bypass> bypass should be defined under bypass_list tag. Each bypass can contain the url, pattern, and mode, where the url is the URL to match. (no default setting) All matches are case-insensitive. <url> url should be defined under bypass tag. It is the URL pattern to match. Default: (cannot be empty)
48 References Smart Connect diagnostics pages Table A-1 Element <pattern> Elements to configure in Smart Connect (continued) Description pattern should be defined under the bypass tag. The pattern can be Exact ISAWildcard Regex. Default: Regex Exact matches the whole URL exactly. ISAWildcard follows the rules for the ISA URL Set. Regex uses the POSIX Extended regular expression syntax. <mode> mode should be defined under bypass tag. It defines when to bypass: OnLAN OffLAN Never Always Default: Always Smart Connect diagnostics pages The Smart Connect service provides three local webpages for diagnostic purposes. After the roaming agent is started, you can access these diagnostics pages at the following URLs. About About page: http://localhost/ra/about.html Software version number Copyright information Connection Status http://localhost/ra/ connection.html Connection status page: Status (for example, OnLAN protected HTTP) Proxy (for example 10.1.1.1:3128) User name (DOMAIN\username)
References Smart Connect diagnostics pages 49 Diagnostics Diagnostics page: http://localhost/ra/diagnostics.html Save the diagnostics data. This diagnostics data saves the following information into a text file: Windows version Route trace to ned.webscanningservice.com Route trace to www.google.com TCP/IP network configuration Route configuration DNS lookup for ned.webscanningservice.com DNS lookup for www.webscanningservice.com Ping to proxy server, if applicable Configuration file Recent agent log entries These example URLs work if you use the default port setting of port 80 (set using this entry in the configuration file: <http_port>80</http_port>). If a different port number has been specified in the configuration file, such as <http_port>1234</http_port>, then this port number must be specified in the URL also, for example: http://localhost:1234/ra/diagnostics.html
50 References Smart Connect diagnostics pages