Symantec MessageLabs Web Security.cloud
Smart Connect Roaming Agent Technical White Paper
Contents
Introduction
Smart Connect Roaming Agent Overview
Overview of the Agent Technology
Network Environment Discovery
NED Service
Network Route Analysis
Agent Connection Modes
Connection Modes
Agent State Determination
Smart Connect Flow Diagram
Agent Deployment
Impact on the Endpoint Computer
Agent Management and Tamper Protection
System Compatibility
Summary
Contact Information
Introduction
This whitepaper is designed to support technical evaluation teams in their review of the Smart Connect roaming agent
service. It provides technical specifics on the Smart Connect agent software and supporting Symantec.cloud
infrastructure, including: how it works, descriptions of the Network Environment Discovery (NED) functionality, agent
operation and data flow, and security. This paper also discusses how Smart Connect is able to support various internal
network configurations as well as external network environments by adjusting the Smart Connect agent service behavior to
accommodate these differences.
Added security - Smart Connect protects Web browsing via a Secure Sockets Layer (SSL) channel that is
established between the agent and Symantec.cloud infrastructure. All communication occurs once both agent
and infrastructure have mutually authenticated using X.509 digital certificates.
NED Service
The network discovery process uses a cloud-based service (NED Service), provided by Symantec.cloud. The Smart
Connect agent will attempt to make discovery requests to the NED Service over HTTP and HTTPS connections with
requests made through each Web route. In the diagram below, the agent is shown making NED requests through three
different routes: (1) direct from the end user system, (2) through a premises-based proxy (depicted as Proxy-1) and (3)
through a series of proxies on-premises and elsewhere on the Internet (depicted as Proxy-2 and Proxy-3).
Connection Modes
The Smart Connect agent will operate in one of three connection modes depending on the network environment. Note
that the illustrations below depict HTTP as the Web request protocol but this could be HTTPS as well.
Secure - The secure connection mode establishes a secured SSL tunnel between the agent and the Symantec.cloud
infrastructure. The secure connection mode would only be used when outside of the customer's LAN. All traffic, whether
HTTP or HTTPS, is encrypted in transit through the SSL tunnel to SHS infrastructure.
Figure 5: Proxied mode through CSP. Agent uses the CSP as an explicit proxy
Figure 6: Proxied mode direct to SHS. Agent uses Symantec.cloud as an explicit proxy
Direct - The direct connection mode allows the user's traffic directly onto the network. The direct mode may be used to
inter-work with a transparent proxy or firewall redirection on the customer's LAN, or because an off-LAN user is accessing
the network from a location to which Symantec.cloud does not provide service.
The steps below cover both the initial authentication steps, as well as how the user is able to securely roam from a location
outside the corporate network.
The agent performs an initial HTTP(S) poll request to the globally distributed Network Environment Discovery
(NED) servers (ned.webscanning.com). Once the poll request is successful, server and client certificates are
authenticated such that connection details and customer ID information can be securely transmitted.
The customer ID information will be validated to ensure that the customer is provisioned for the Smart Connect
roaming service. In addition, the agent will send connection details to determine if the user is connecting from
an on-LAN location (i.e. their corporate network) or an off-LAN location that indicates that the user is
roaming.
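The connection-mode rules and discovery steps above can be read as a decision procedure. The sketch below is an added example, not Symantec's agent code: the field names, the handling of failed discovery (no mode is chosen) and the rule that an on-LAN agent without transparent redirection uses Proxied mode are assumptions, while the Secure and Direct conditions follow the text.

```python
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    SECURE = "secure"    # SSL tunnel to Symantec.cloud, off-LAN only
    PROXIED = "proxied"  # explicit proxy: the CSP or Symantec.cloud (Figures 5, 6)
    DIRECT = "direct"    # traffic goes straight onto the network


@dataclass
class NedResult:
    """Constructed model of one discovery outcome; all field names are assumptions."""
    poll_ok: bool            # HTTP(S) poll to the NED service succeeded
    server_cert_ok: bool     # agent validated the server's X.509 certificate
    client_cert_ok: bool     # server validated the agent's X.509 certificate
    provisioned: bool        # customer ID is provisioned for the roaming service
    on_lan: bool             # connection details classified as on-LAN
    service_available: bool  # Symantec.cloud provides service to this location
    transparent_redirect: bool = False  # LAN proxy/firewall redirects Web traffic


def select_mode(r: NedResult):
    """Return (mode, reason); mode is None when no mode can be chosen yet."""
    if not r.poll_ok:
        return None, "NED poll failed"
    # Customer ID and connection details are only sent after mutual authentication.
    if not (r.server_cert_ok and r.client_cert_ok):
        return None, "mutual certificate authentication failed"
    if not r.provisioned:
        return None, "customer not provisioned for Smart Connect"
    if r.on_lan:
        # Secure mode is only used outside the customer's LAN.
        if r.transparent_redirect:
            return Mode.DIRECT, "on-LAN transparent proxy or firewall redirection"
        return Mode.PROXIED, "on-LAN explicit proxy (assumed rule)"
    if not r.service_available:
        return Mode.DIRECT, "off-LAN location not served by Symantec.cloud"
    return Mode.SECURE, "off-LAN roaming"


if __name__ == "__main__":
    roaming = NedResult(True, True, True, True, on_lan=False, service_available=True)
    print(select_mode(roaming))
```

Direct mode chosen for an off-LAN location is the case worth monitoring, since that traffic is not passing through the tunnel described for Secure mode.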
Agent Deployment
The Smart Connect agent is delivered as a Microsoft Installer (MSI) package that can be pushed out to endpoints via
desktop management tools such as Altiris Client Management Suite, Microsoft SMS, CA Unicenter, and IBM Tivoli, or can
be manually installed on every machine. An appropriate license key is required to activate the Smart Connect service
capabilities once the agent is installed.
During installation, certain parameters must be specified in a configuration file, such as the on-LAN upstream proxy/
gateway, any site exclusions/bypass list and license key information. This file can be distributed along with the MSI
package by any major systems management tool and is ensured to install and run cleanly.
The Smart Connect agent is upgraded via the same process as the initial installation where the prior version of the
software is uninstalled and a new version is installed. Due to the limited amount of processing that is done by the agent
itself, upgrades are likely to be limited to new release versions of the Smart Connect agent.
System Compatibility
The Smart Connect agent installs on Windows XP, Windows Vista and Windows 7 (32 bit and 64 bit) operating systems. It
is designed to be compatible with leading third party Web browsers, including Microsoft Internet Explorer, Firefox, Apple
Safari, and Google Chrome.
Compatibility has been tested with the supported OS versions and a variety of the mentioned browser versions, as well as
other endpoint security products including third party anti-virus, client firewall, VPN, and desktop management products.
In addition, the explicit proxy based design of the Smart Connect agent minimizes much of the future incompatibility risk
with other third party software and applications that may be installed on the end user system.
Summary
The Smart Connect roaming agent helps Web Security.cloud customers protect users who connect to the Internet outside
their corporate network environment. Installed locally on a user's workstation, the agent works in conjunction with the
Symantec.cloud infrastructure to defend against Web-borne viruses and spyware while enforcing corporate Web
Acceptable Use Policies (AUPs) to prevent Internet misuse.
Contact Information
AMERICAS
UNITED STATES
512 Seventh Avenue
6th Floor
New York, NY 10018
USA
Toll-free +1 866 460 0000
CANADA
170 University Avenue
Toronto, ON M5H 3B3
Canada
Toll-free :1 866 460 0000
NETHERLANDS
WTC Amsterdam
Zuidplein 36/H-Tower
NL-1077 XV
Amsterdam
Netherlands
Tel +31 (0) 20 799 7929
Fax +31 (0) 20 799 7801
HEADQUARTERS
HONG KONG
Room 3006, Central Plaza
18 Harbour Road
Tower II
Wanchai
Hong Kong
Main: +852 2528 6206
Fax: +852 2526 2646
BELGIUM/LUXEMBOURG
Symantec Belgium
Astrid Business Center
Is. Meyskensstraat 224
1780 Wemmel,
Belgium
EUROPE
ASIA PACIFIC
AUSTRALIA
Level 13
207 Kent Street,
Sydney NSW 2000
Main: +61 2 8220 7000
Fax: +61 2 8220 7075
Support: 1 800 088 099
DACH
Humboldtstrasse 6
United Kingdom
Gewerbegebiet Dornach
85609 Aschheim
Deutschland
LONDON
SINGAPORE
6 Temasek Boulevard
#11-01 Suntec Tower 4
Singapore 038986
Main: +65 6333 6366
Fax: +65 6235 8885
Support: 800 120 4415
3rd Floor
NORDICS
40 Whitfield Street
1264 Copenhagen K
United Kingdom
Danmark
Tel +45 33 32 37 18
Fax +45 33 32 37 06
JAPAN
Akasaka Intercity
1-11-44 Akasaka
Minato-ku, Tokyo 107-0052
Main: + 81 3 5114 4540
Fax: + 81 3 5114 4020
Support: + 852 6902 1130