Symantec MessageLabs Web Security.cloud

Smart Connect Roaming Agent Technical White Paper

White Paper: Web Security.cloud - Smart Connect Roaming Agent (Tech Whitepaper Ext WSS SmartConnect Global Feb11)

Contents

Introduction (page 1)
Smart Connect Roaming Agent Overview (page 1)
Overview of the Agent Technology (page 1)
Network Environment Discovery (page 2)
NED Service (page 2)
Network Route Analysis (page 2)
Agent Connection Modes (page 3)
Connection Modes (page 4)
Agent State Determination (page 5)
Smart Connect Flow Diagram (page 6)
Agent Deployment (page 7)
Impact on the Endpoint Computer (page 8)
Agent Management and Tamper Protection (page 8)
System Compatibility (page 8)
Summary (page 8)
Contact Information (page 10)

Introduction

This whitepaper is designed to support technical evaluation teams in their review of the Smart Connect roaming agent service. It provides technical specifics on the Smart Connect agent software and the supporting Symantec.cloud infrastructure, including "how it works", descriptions of the Network Environment Discovery (NED) functionality, agent operation and data flow, and security. This paper also discusses how Smart Connect is able to support various internal network configurations as well as external network environments by adjusting the Smart Connect agent service behavior to accommodate these differences.

Smart Connect Roaming Agent Overview

Smart Connect helps organizations protect users when connecting to the Internet outside their corporate network environment. As the number of employees who regularly work outside the corporate office continues to increase, Web security solutions must be flexible enough to provide continuous protection regardless of user location or network environment. Smart Connect uses agent technology installed locally on the user's workstation in conjunction with the Web Security.cloud service infrastructure to provide the following capabilities:

• Network Environment Discovery – Smart Connect understands differences in end user networking environments and adjusts its behavior accordingly. For example, the agent forwards traffic in a passive state when in a captive portal, e.g. a Wi-Fi hotspot, to allow payment authorization. Once the payment process is complete, the agent automatically switches to an active state by redirecting the user's web traffic to an appropriate Symantec.cloud infrastructure Point of Presence (POP) for further processing.

• Location awareness – Smart Connect uses geo-location to identify a user's location and then connects them to the recommended Point of Presence within the Symantec.cloud global infrastructure where the best possible performance can be provided.

• End user transparency – Smart Connect provides a consistent sign-on experience regardless of whether the user is roaming off-LAN or connecting through a Web gateway within the corporate LAN environment. The Smart Connect agent transparently collects the logged-on user and company information necessary to apply the appropriate Web filtering policy.

• Added security – Smart Connect protects Web browsing via a Secure Sockets Layer (SSL) channel that is established between the agent and the Symantec.cloud infrastructure. All communication occurs only once both agent and infrastructure have mutually authenticated using X.509 digital certificates.

Overview of the Agent Technology

The Smart Connect roaming agent uses a combination of locally installed software in conjunction with the Symantec.cloud infrastructure to evaluate the network environment and respond properly in terms of agent behavior.

The agent uses a lightweight proxy to forward traffic via a determined best traffic route that is described later on in this white paper. By acting as a local proxy, the agent accepts all traffic directed from the Web browsers and determines whether the Web traffic should be forwarded for ‘on LAN’ traffic handling or redirected to a Symantec.cloud infrastructure POP when the user is off LAN. ‘On LAN’ refers to the network traffic forwarding behavior when the user is on the corporate LAN, e.g. forwarded to a client side proxy or default gateway. The Smart Connect proxy design allows end users to experience a consistent level of traffic handling regardless of whether the user is on LAN versus off LAN, with a seamless transition between the different network states. It also provides agent-based users with the same Web filtering experience as end users who have no deployed agent, e.g. desktop PC users.

Network Environment Discovery

The Smart Connect agent can handle the presence of various complexities in the network including, but not limited to:

• The presence or absence of explicit Web proxies, for example a client site proxy (CSP)
• The presence of intercepting or transparent Web proxies
• The presence of captive portals, where Internet access is restricted until a payment or registration step is completed
• Movement between on-LAN and off-LAN connections
• The presence of VPN connections, effectively making the user on-LAN and off-LAN simultaneously
• Firewall configurations where access to non-standard web ports is blocked

NED Service

The network discovery process uses a cloud-based service (“NED Service”), provided by Symantec.cloud. The Smart Connect agent will attempt to make discovery requests to the NED Service over HTTP and HTTPS connections, with requests made through each Web route. In the diagram below, the agent is shown making NED requests through three different routes: (1) direct from the end user system, (2) through a premises-based proxy (depicted as Proxy-1) and (3) through a series of proxies on-premises and elsewhere on the Internet (depicted as Proxy-2 and Proxy-3).

Figure 1: Discovery Requests from agent to NED Service

Network Route Analysis

For each discovery request (i.e. for each Web route), the NED Service will perform a network route analysis. This network route analysis process is conducted using a proprietary route analysis protocol that uses XML over HTTP(S) and involves both port 80 and port 443 (note: port numbers are not configurable).

The network route analysis protocol exchanges the ID of the customer to which the agent software belongs, the requests’ source IP addresses and the intermediate Web proxies that processed the requests.

Figure 2: Network Route Analysis Information

Based on this information, the NED Service is able to determine:

1. Whether the discovery request originated from the customer’s LAN or an off-LAN location, e.g. hotel/hotspot
2. If on the customer’s LAN, whether the discovery request has been processed by the Symantec.cloud infrastructure
3. The country from which the discovery request originated
4. The recommended Symantec.cloud infrastructure point-of-presence (POP)

Figure 3: Network Route State Determination

Agent Connection Modes

In order to direct user traffic to the Symantec.cloud infrastructure by the most appropriate route, the agent must select amongst the available Web routes.

Route selection is based on a priority ranking of the available Web route states; the route with the highest resulting priority is selected. The ranking is as follows (highest to lowest):

1. No Service - This is the highest priority since service will not be provided to the user from this location, even if other routes may exist.
2. Off-LAN - This is the highest priority of “working” states since the roaming service is likely to have better performance when the user is off-LAN, even if a VPN connection ‘on LAN’ route is available.
3. On-LAN Protected - A fully-protected connection when on LAN is preferred, if there is a choice over the other options.
4. On-LAN Unprotected - An unprotected connection is provided only when there is no other choice.
5. Unreachable

Once the agent has selected its highest priority Web route, it will determine which connection mode to use.

Connection Modes

The Smart Connect agent will operate in one of three connection modes depending on the network environment. Note that the illustrations below depict HTTP as the Web request protocol but this could be HTTPS as well.

Secure - The secure connection mode establishes a secured SSL tunnel between the agent and the Symantec.cloud infrastructure. The secure connection mode would only be used when outside of the customer’s LAN. All traffic, whether HTTP or HTTPS, is encrypted in transit through the SSL tunnel to the SHS infrastructure.

Figure 4: Secure mode

Proxied - The proxied connection mode uses an explicit proxy in order to direct the user’s traffic to Symantec’s data centers for processing. The explicit proxy might be a local Client Site Proxy (CSP) within the customer’s network, or might be the Symantec.cloud hosted proxy. The proxied connection mode would only be used when within the customer’s LAN. This mode is essentially equivalent to traditional use of the Symantec MessageLabs Web Security.cloud service.

Figure 5: Proxied mode through CSP. Agent uses the CSP as an explicit proxy

Figure 6: Proxied mode direct to SHS. Agent uses Symantec.cloud as an explicit proxy

Direct - The direct connection mode allows the user’s traffic directly onto the network. The direct mode may be used to inter-work with a transparent proxy or firewall redirection on the customer’s LAN, or because an off-LAN user is accessing the network from a location to which Symantec.cloud does not provide service.

Figure 7: On-LAN Direct mode with transparent proxy or firewall redirection

Figure 8: Off-LAN Direct mode from an embargoed country

Agent State Determination

The agent state is derived from a combination of the selected route state (off LAN vs. on LAN) and the specification of the selected route (proxied vs. direct).

This gives rise to the following possible agent states:

1. Off LAN – Protected - The selected route is off-LAN, using the secure connection mode.
2. On LAN – Protected (Proxied) - The selected route is on-LAN, using a proxied connection mode.
3. On LAN – Unprotected (Proxied) – Similar to the prior case, but the proxy is not pointed to the Symantec.cloud infrastructure, e.g. the customer has a Web security appliance for on LAN filtering.
4. On LAN – Protected (Direct) - The selected route is on-LAN and the route specification is direct. This will ensure that the agent works properly in an environment where there is no proxy for Internet access but instead transparent proxying or firewall redirection to Symantec.cloud.
5. On LAN – Unprotected (Direct) - Similar to the prior case; however, the transparent proxy or firewall redirection is not directed to Symantec.cloud.
6. No Service – Unprotected - If the selected route is no service, the agent will operate using the direct mode. This allows users to browse when in very remote locations or in countries that are not supported by Symantec.cloud for trade compliance reasons, without impacting latency.
7. Unreachable – Unprotected - If the selected route is unavailable, the agent will operate using the direct mode.
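The route ranking from "Agent Connection Modes" and the state table above are easiest to check as code. The following Python is an added illustration written for this page, not Symantec's agent software; the Route/AgentState data shapes, the names, and the tie-breaking rule (first route wins among equals) are assumptions, since the paper only gives the ranking and the resulting states. It covers the VPN case (an on-LAN and an off-LAN route seen at once) and the No Service override.

```python
"""Web-route ranking and agent-state derivation.

Added illustration of the selection logic described in the white paper; it is
not Symantec's agent code, and the Route/AgentState shapes and names are assumed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class RouteState(IntEnum):
    """Route states ranked as in the paper: a higher value wins selection."""
    UNREACHABLE = 0
    ON_LAN_UNPROTECTED = 1
    ON_LAN_PROTECTED = 2
    OFF_LAN = 3
    NO_SERVICE = 4          # outranks everything, even working routes


@dataclass(frozen=True)
class Route:
    name: str
    state: RouteState
    spec: str = "direct"    # "proxied" or "direct"; only meaningful on LAN


@dataclass(frozen=True)
class AgentState:
    label: str              # one of the seven states listed in the paper
    mode: str               # connection mode: "secure", "proxied" or "direct"
    protected: bool


def select_route(routes: Iterable[Route]) -> Route:
    """Pick the route whose state has the highest priority.

    Ties keep the first route offered (an assumption; the paper does not
    specify tie-breaking among routes in the same state).
    """
    routes = list(routes)
    if not routes:
        raise ValueError("no web routes discovered")
    return max(routes, key=lambda r: r.state)


def derive_agent_state(route: Route) -> AgentState:
    """Map the selected route (state + proxied/direct spec) to an agent state."""
    if route.spec not in ("proxied", "direct"):
        raise ValueError(f"unknown route spec {route.spec!r}")
    s = route.state
    if s is RouteState.OFF_LAN:
        # Off LAN always uses the secure SSL tunnel to the infrastructure.
        return AgentState("Off LAN - Protected", "secure", True)
    if s is RouteState.NO_SERVICE:
        # Direct mode so users in unserved locations can still browse.
        return AgentState("No Service - Unprotected", "direct", False)
    if s is RouteState.UNREACHABLE:
        return AgentState("Unreachable - Unprotected", "direct", False)
    # Remaining states are on LAN: protection comes from the route state,
    # the connection mode from the route specification.
    protected = s is RouteState.ON_LAN_PROTECTED
    kind = "Protected" if protected else "Unprotected"
    return AgentState(f"On LAN - {kind} ({route.spec.capitalize()})",
                      route.spec, protected)


def decide(routes: Iterable[Route]) -> AgentState:
    """Full decision: rank the discovered routes, then derive the agent state."""
    return derive_agent_state(select_route(routes))


if __name__ == "__main__":
    # Constructed scenario: a VPN offers an on-LAN proxied route while the
    # laptop also reaches the Internet directly from hotel Wi-Fi (off-LAN).
    vpn = Route("vpn-csp", RouteState.ON_LAN_PROTECTED, "proxied")
    hotel = Route("hotel-wifi", RouteState.OFF_LAN)
    print(decide([vpn, hotel]))   # Off LAN - Protected, secure mode
```

The point a reviewer would check: NO_SERVICE must outrank OFF_LAN, otherwise a route from an embargoed location would be tunnelled rather than left in direct mode, and OFF_LAN must outrank both on-LAN states so the VPN case picks the roaming tunnel.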

Smart Connect Flow Diagram

The diagram below outlines how these different capabilities work together as part of the overall data flow for the Smart Connect service offering.

The steps below cover both the initial authentication steps, as well as how the user is able to securely roam from a location outside the corporate network.

• The agent performs an initial HTTP(S) poll request to the globally distributed Network Environment Discovery (NED) servers (ned.webscanning.com). Once the poll request is successful, server and client certificates are authenticated such that connection details and customer ID information can be securely transmitted.

• The customer ID information will be validated to ensure that the customer is provisioned for the Smart Connect roaming service. In addition, the agent will send connection details to determine if the user is connecting from an ‘on-LAN’ location (i.e. their corporate network) or an off-LAN location that indicates that the user is roaming.

  ◦ If the user is on-LAN, and this is the best available route, the agent is notified by the NED service to forward traffic to the designated upstream proxy in the agent’s configuration file. In addition, the NED server is able to determine if the initial request was processed using the Symantec.cloud infrastructure and further delineate whether the on-LAN state is protected (via the Symantec.cloud infrastructure) or unprotected (direct to Internet).

  ◦ If the user is off-LAN, the source IP address is used for a geo-location lookup to determine what country the user is located in. Once the country location is determined, this information is mapped to the recommended infrastructure POP. The agent receives this information along with a session-based certificate that will be used for the subsequent steps of this process.

• When the user is off-LAN and the agent has received the proper infrastructure information from the NED service, the agent will initiate an SSL connection with the RAS proxies located at the recommended POP locations. The RAS proxies and agent mutually authenticate using the session certificate provided by the NED server.

• At this point, the agent will be in an off-LAN protected state and ready to communicate the first set of user-requested Web activity. The overall process up to this point, including initial authentication, will normally occur within a few seconds. All subsequent requests will use the same session and not require additional authentication, while new sessions can be established in parallel using the same certificate.

• Once the user has been fully authenticated and the Web requests have been sent to the Symantec.cloud infrastructure, the remaining portion of the process is identical to the on-LAN behavior, where policies are applied based on the user/group association, filtering rules, malware scanning, and reporting of the Web activity. This information is made available via the ClientNet portal, where a single set of policies is applied for roaming and on-LAN activity along with a single reporting view of the Web activity.
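The four determinations listed under "Network Route Analysis" (on-LAN vs. off-LAN, processed by the hosted infrastructure or not, originating country, recommended POP) and the customer-ID validation and geo-lookup steps of the flow above can be modelled as one server-side function. The Python below is an added illustration for this page, not Symantec's NED Service and not its proprietary XML protocol: the customer egress ranges, infrastructure proxy range, geo table and POP table are constructed sample data, and the request shape (origin-first list of observed source addresses plus the proxy chain) is an assumption based on the fields the paper says are exchanged.

```python
"""NED-side network route analysis.

Added illustration of the determinations the paper attributes to the NED
Service; it is not Symantec's code. The route analysis protocol is proprietary,
so all tables below are constructed sample data with assumed names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- constructed sample data (assumed, not real Symantec.cloud values) -------
CUSTOMER_EGRESS = {                        # public egress ranges per customer ID
    "cust-123": [ipaddress.ip_network("203.0.113.0/24")],
}
INFRA_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]   # hosted proxy range
GEO = {                                    # minimal geo-location table
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("192.0.2.0/24"): "US",
    ipaddress.ip_network("198.18.0.0/15"): "XX",   # a country with no POP
}
POP_BY_COUNTRY = {"GB": "pop-london", "US": "pop-newyork", "DE": "pop-frankfurt"}


@dataclass(frozen=True)
class DiscoveryRequest:
    customer_id: str
    source_ips: tuple          # addresses the request was seen from, origin first
    proxy_chain: tuple = ()    # intermediate Web proxies that handled the request


@dataclass(frozen=True)
class RouteAnalysis:
    state: str                 # off_lan | on_lan_protected | on_lan_unprotected | no_service
    on_lan: bool
    protected: bool
    country: Optional[str]
    pop: Optional[str]


def _in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def _lookup_country(ip) -> Optional[str]:
    for net, cc in GEO.items():
        if ip in net:
            return cc
    return None


def analyse(req: DiscoveryRequest) -> RouteAnalysis:
    """Classify one discovery request the way the paper describes the NED Service."""
    # Step 1: the customer must be provisioned for the roaming service.
    if req.customer_id not in CUSTOMER_EGRESS:
        raise ValueError(f"customer {req.customer_id!r} is not provisioned")
    if not req.source_ips:
        raise ValueError("discovery request carries no source address")
    addrs = [ipaddress.ip_address(a) for a in req.source_ips]
    hops = [ipaddress.ip_address(h) for h in req.proxy_chain]
    country = _lookup_country(addrs[0])          # geo-locate the origin address

    # Step 2: on-LAN if any observed source address is customer egress.
    if any(_in_any(a, CUSTOMER_EGRESS[req.customer_id]) for a in addrs):
        # Step 3: protected only if the hosted infrastructure processed it,
        # either as an intermediate proxy or as the address NED saw it from.
        protected = any(_in_any(h, INFRA_PROXIES) for h in hops + addrs)
        return RouteAnalysis("on_lan_protected" if protected else "on_lan_unprotected",
                             True, protected, country, None)

    # Step 4: off-LAN -> map country to a POP; a country without a POP
    # (e.g. one not served for trade-compliance reasons) yields no service.
    pop = POP_BY_COUNTRY.get(country) if country else None
    if pop is None:
        return RouteAnalysis("no_service", False, False, country, None)
    return RouteAnalysis("off_lan", False, True, country, pop)


if __name__ == "__main__":
    # Constructed: request from the corporate LAN via a CSP and the hosted proxy.
    print(analyse(DiscoveryRequest("cust-123", ("203.0.113.10", "198.51.100.7"),
                                   ("10.0.0.5",))))
    # Constructed: request from a hotel network in the US.
    print(analyse(DiscoveryRequest("cust-123", ("192.0.2.44",))))
```

Because the agent issues one such request per Web route, the caller would run this once per route and then apply the route ranking from "Agent Connection Modes" to the resulting states.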

Agent Deployment

The Smart Connect agent is delivered as a Microsoft Installer (MSI) package that can be pushed out to endpoints via desktop management tools such as Altiris Client Management Suite, Microsoft SMS, CA Unicenter, and IBM Tivoli, or can be manually installed on every machine. An appropriate license key is required to activate the Smart Connect service capabilities once the agent is installed.

During installation, certain parameters must be specified in a configuration file, such as the on-LAN upstream proxy/gateway, any site exclusions/bypass list and license key information. This file can be distributed along with the MSI package by any major systems management tool and is ensured to install and run cleanly.

The Smart Connect agent is upgraded via the same process as the initial installation, where the prior version of the software is uninstalled and the new version is installed. Due to the limited amount of processing that is done by the agent itself, upgrades are likely to be limited to new release versions of the Smart Connect agent.

Impact on the Endpoint Computer

Smart Connect has minimal impact on endpoint computers and the corporate network. The Smart Connect agent runs as a Windows service with normal priority. Processing uses a very small amount of the CPU, which is not noticeable to the end user. The agent does not perform URL categorization look-up, rule execution, policy execution, or content signatures. All Web acceptable use policies and content scanning are applied after the traffic has been directed to the Symantec.cloud infrastructure.

The agent requires about 5 MB of disk space and will consume no more than 15 MB of RAM on the computer on which it is installed. A minimal set of connection diagnostic logging occurs locally on the hard disk, with all user Web activity stored in the Symantec.cloud infrastructure instead of locally on the PC.

Agent Management and Tamper Protection

There are several ways that an administrator can reduce the likelihood of an end user removing or tampering with the endpoint agent:

• Silent install - The agent can be installed by the administrator without the user’s knowledge. There is also no system tray icon or other indication of the product running that might promote awareness leading to an end user attempting to disable or remove it.

• Windows Access Control List - Only a user with ‘Administrator’ rights is allowed to disable/remove the Smart Connect agent or alter the agent’s behavior.

• Agent Process Monitoring - Software distribution products, such as Altiris or SMS, have capabilities that allow for the monitoring of software processes. If a user disables or uninstalls the Smart Connect agent, the distribution software can rectify this and ensure that the initial settings are restored.

System Compatibility

The Smart Connect agent installs on Windows XP, Windows Vista and Windows 7 (32 bit and 64 bit) operating systems. It is designed to be compatible with leading third party Web browsers, including Microsoft Internet Explorer, Firefox, Apple Safari, and Google Chrome.

Compatibility has been tested with the supported OS versions and a variety of the mentioned browser versions, as well as other endpoint security products including third party anti-virus, client firewall, VPN, and desktop management products. In addition, the ‘explicit’ proxy based design of the Smart Connect agent minimizes much of the future incompatibility risk with other third party software and applications that may be installed on the end user system.

Summary

The Smart Connect roaming agent helps Web Security.cloud customers protect users who connect to the Internet outside their corporate network environment. Installed locally on a user’s workstation, the agent works in conjunction with the Symantec.cloud infrastructure to defend against Web-borne viruses and spyware while enforcing corporate Web Acceptable Use Policies (AUPs) to prevent Internet misuse.

The key advantages of Smart Connect include our network intelligence and location awareness capabilities in addition to the seamless experience users are provided with. Supported by a global infrastructure and able to operate in numerous networking environments, Smart Connect is flexible to support highly mobile users while providing the lowest possible latency.

Begin a Free Trial of Web Security.cloud: http://www.messagelabs.com/trials/free_web


Contact Information

AMERICAS

UNITED STATES
512 Seventh Avenue, 6th Floor
New York, NY 10018, USA
Toll-free +1 866 460 0000

CANADA
170 University Avenue
Toronto, ON M5H 3B3, Canada
Toll-free +1 866 460 0000

EUROPE

HEADQUARTERS
1270 Lansdowne Court, Gloucester Business Park
Gloucester, GL3 4AB, United Kingdom
Tel +44 (0) 1452 627 627
Fax +44 (0) 1452 627 628
Freephone 0800 917 7733

LONDON
3rd Floor, 40 Whitfield Street
London, W1T 2RH, United Kingdom
Tel +44 (0) 203 009 6500
Fax +44 (0) 203 009 6552
Support +44 (0) 1452 627 766

NETHERLANDS
WTC Amsterdam, Zuidplein 36/H-Tower
NL-1077 XV Amsterdam, Netherlands
Tel +31 (0) 20 799 7929
Fax +31 (0) 20 799 7801

BELGIUM/LUXEMBOURG
Symantec Belgium, Astrid Business Center
Is. Meyskensstraat 224
1780 Wemmel, Belgium
Tel +32 2 531 11 40
Fax +32 531 11 41

DACH
Humboldtstrasse 6, Gewerbegebiet Dornach
85609 Aschheim, Deutschland
Tel +49 (0) 89 94320 120
Support +44 (0)870 850 3014

NORDICS
St. Kongensgade 128
1264 Copenhagen K, Danmark
Tel +45 33 32 37 18
Fax +45 33 32 37 06
Support +44 (0)870 850 3014

ASIA PACIFIC

HONG KONG
Room 3006, Central Plaza, Tower II
18 Harbour Road, Wanchai, Hong Kong
Main +852 2528 6206
Fax +852 2526 2646
Support +852 6902 1130

AUSTRALIA
Level 13, 207 Kent Street
Sydney NSW 2000
Main +61 2 8220 7000
Fax +61 2 8220 7075
Support 1 800 088 099

SINGAPORE
6 Temasek Boulevard, #11-01 Suntec Tower 4
Singapore 038986
Main +65 6333 6366
Fax +65 6235 8885
Support 800 120 4415

JAPAN
Akasaka Intercity, 1-11-44 Akasaka
Minato-ku, Tokyo 107-0052
Main +81 3 5114 4540
Fax +81 3 5114 4020
Support +852 6902 1130

Symantec.cloud uses the power of cloud computing to secure and manage information stored on endpoints and delivered via email, Web, and instant messaging.

More than ten million end users at more than 31,000 organizations ranging from small businesses to the Fortune 500 use Symantec.cloud to secure and manage information.

Visit our websites:

http://www.MessageLabs.com
http://www.symantec.com/business/theme.jsp?themeid=symantec-cloud

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 2/2011 21169981