
Symantec MessageLabs Web Security.cloud
Smart Connect Roaming Agent
Technical White Paper

White Paper: Web Security.cloud - Smart Connect Roaming Agent


Contents
Introduction
Smart Connect Roaming Agent Overview
Overview of the Agent Technology
Network Environment Discovery
NED Service
Network Route Analysis
Agent Connection Modes
Connection Modes
Agent State Determination
Smart Connect Flow Diagram
Agent Deployment
Impact on the Endpoint Computer
Agent Management and Tamper Protection
System Compatibility
Summary
Contact Information


Introduction
This white paper is written to support technical evaluation teams reviewing the Smart Connect roaming agent service. It
provides technical specifics on the Smart Connect agent software and the supporting Symantec.cloud infrastructure,
including how it works, the Network Environment Discovery (NED) functionality, agent operation and data flow, and
security. It also explains how Smart Connect supports a variety of internal network configurations as well as external
network environments by adjusting the behavior of the agent service to accommodate the differences between them.

Smart Connect Roaming Agent Overview


Smart Connect helps organizations protect users who connect to the Internet outside the corporate network
environment. As the number of employees who regularly work outside the corporate office continues to increase, Web
security solutions must be flexible enough to provide continuous protection regardless of user location or network
environment. Smart Connect uses agent technology installed locally on the user's workstation, in conjunction with the
Web Security.cloud service infrastructure, to provide the following capabilities:
Network Environment Discovery - Smart Connect understands differences in end user networking environments and
adjusts its behavior accordingly. For example, when behind a captive portal (e.g. a Wi-Fi hotspot) the agent forwards
traffic in a passive state to allow payment or registration to complete. Once that process is complete, the agent
automatically switches to an active state and redirects the user's Web traffic to an appropriate Symantec.cloud
infrastructure Point of Presence (POP) for further processing.
Location awareness - Smart Connect uses geo-location to identify the user's location and then connects the user to the
recommended Point of Presence within the Symantec.cloud global infrastructure, where the best possible performance
can be provided.
End user transparency - Smart Connect provides a consistent sign-on experience whether the user is roaming off-LAN
or connecting through a Web gateway within the corporate LAN. The agent transparently collects the logged-on user
and company information needed to apply the appropriate Web filtering policy.
Added security - Smart Connect protects Web browsing with a Secure Sockets Layer (SSL) channel established between
the agent and the Symantec.cloud infrastructure. Communication occurs only after the agent and the infrastructure have
mutually authenticated using X.509 digital certificates, i.e. the agent presents a client certificate to the infrastructure as
well as verifying the infrastructure's server certificate.

Overview of the Agent Technology


The Smart Connect roaming agent uses locally installed software in conjunction with the Symantec.cloud infrastructure
to evaluate the network environment and adjust the agent's behavior accordingly.
The agent uses a lightweight local proxy to forward traffic via the best available route, determined as described later in
this white paper. Acting as a local proxy, the agent accepts all traffic directed to it from the Web browsers and determines
whether that traffic should be forwarded for on-LAN handling or redirected to a Symantec.cloud infrastructure POP
because the user is off LAN. On LAN refers to the traffic forwarding behavior used when the user is on the corporate
LAN, e.g. forwarding to a client site proxy or to the default gateway. The Smart Connect proxy design gives end users a
consistent level of traffic handling whether they are on LAN or off LAN, with a seamless transition between the different
network states. It also gives agent-based users the same Web filtering experience as end users with no agent deployed,
e.g. desktop PC users.

Network Environment Discovery


The Smart Connect agent can handle a variety of complexities in the network, including but not limited to:
- The presence or absence of explicit Web proxies, for example a Client Site Proxy (CSP)
- The presence of intercepting or transparent Web proxies
- The presence of captive portals, where Internet access is restricted until a payment or registration step is completed
- Movement between on-LAN and off-LAN connections
- The presence of VPN connections, which effectively place the user on-LAN and off-LAN simultaneously
- Firewall configurations in which access to non-standard Web ports is blocked

NED Service
The network discovery process uses a cloud-based service (the NED Service) provided by Symantec.cloud. The Smart
Connect agent makes discovery requests to the NED Service over both HTTP and HTTPS, and repeats them through each
available Web route. In the diagram below, the agent is shown making NED requests through three different routes:
(1) directly from the end user system, (2) through a premises-based proxy (depicted as Proxy-1) and (3) through a series
of proxies on-premises and elsewhere on the Internet (depicted as Proxy-2 and Proxy-3).

Figure 1: Discovery Requests from agent to NED Service

Network Route Analysis


For each discovery request (that is, for each Web route), the NED Service performs a network route analysis. This
analysis uses a proprietary route analysis protocol carried as XML over HTTP(S) on both port 80 and port 443. The port
numbers are not configurable, so outbound TCP 80 and 443 to the NED Service must be permitted on every Web route
that the agent is expected to discover; a route on which either port is blocked cannot complete discovery.
The network route analysis protocol exchanges the ID of the customer to which the agent software belongs, the request's
source IP address, and the intermediate Web proxies that processed the request.

Figure 2: Network Route Analysis Information


Based on this information, the NED Service is able to determine:
1. Whether the discovery request originated from the customer's LAN or from an off-LAN location, e.g. a hotel or hotspot
2. If on the customer's LAN, whether the discovery request was processed by the Symantec.cloud infrastructure
3. The country from which the discovery request originated
4. The recommended Symantec.cloud infrastructure point of presence (POP)
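The following added example (not Symantec's code) models the four determinations above for one discovery request. The customer records, LAN egress ranges, the hostname suffix used to recognise a cloud proxy in the proxy chain, the geo-IP table and the country-to-POP map are all constructed for the example. The paper does not describe how the real NED Service attributes the originating address of a request that has passed through proxies, so the example takes the source IP as already resolved; a country with no POP entry stands for a location to which the service is not provided.

```python
"""NED-style route analysis: classify one discovery request.

Added example, not Symantec's code. Models the decision the paper attributes to
the NED Service: from the customer ID, the request's source IP and the proxy
chain that handled it, decide on-LAN vs off-LAN, whether the Symantec.cloud
infrastructure processed the request, the country, and the recommended POP.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed provisioning data (assumption): each customer's known LAN
# egress networks and whether it is provisioned for Smart Connect.
CUSTOMERS = {
    "cust-1001": {"provisioned": True,
                  "lan_egress": [ip_network("203.0.113.0/24")]},
    "cust-2002": {"provisioned": False,
                  "lan_egress": [ip_network("198.51.100.0/24")]},
}

# Constructed (assumption): proxies run by the cloud infrastructure are
# recognised by this hostname suffix when they appear in the proxy chain.
CLOUD_PROXY_SUFFIX = ".webscanning.example"

# Constructed geo-IP table and country -> POP map (assumption). A country
# with no POP entry is one where the service is not provided.
GEOIP = [
    (ip_network("203.0.113.0/24"), "GB"),
    (ip_network("192.0.2.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "DE"),
    (ip_network("100.64.0.0/10"), "XX"),
]
COUNTRY_TO_POP = {"GB": "pop-london", "US": "pop-newyork", "DE": "pop-frankfurt"}


@dataclass(frozen=True)
class RouteAnalysis:
    """What one discovery request tells the NED Service (Figure 2)."""
    customer_id: str
    source_ip: str                 # originating address, as resolved by NED
    proxy_chain: Tuple[str, ...]   # intermediate proxies, agent side first


@dataclass(frozen=True)
class RouteState:
    """What the NED Service determines for that route (Figure 3)."""
    state: str           # off-lan | on-lan-protected | on-lan-unprotected | no-service
    country: str
    pop: Optional[str]   # recommended POP, only for off-lan routes


def classify(req: RouteAnalysis) -> RouteState:
    cust = CUSTOMERS.get(req.customer_id)
    if cust is None or not cust["provisioned"]:
        # A customer that is not provisioned gets no roaming service at all.
        raise PermissionError(f"{req.customer_id} is not provisioned for Smart Connect")

    src = ip_address(req.source_ip)
    country = next((c for net, c in GEOIP if src in net), "XX")

    # 1. On-LAN if the request left through one of the customer's known egress networks.
    if any(src in net for net in cust["lan_egress"]):
        # 2. Protected only if a cloud proxy appears in the chain that handled it.
        processed = any(h.endswith(CLOUD_PROXY_SUFFIX) for h in req.proxy_chain)
        return RouteState("on-lan-protected" if processed else "on-lan-unprotected",
                          country, None)

    # 3./4. Off-LAN: country from geo-IP, then the POP recommended for that country.
    pop = COUNTRY_TO_POP.get(country)
    if pop is None:
        return RouteState("no-service", country, None)
    return RouteState("off-lan", country, pop)


if __name__ == "__main__":
    samples = [
        RouteAnalysis("cust-1001", "203.0.113.7", ("proxy1.corp.example", "cs1.webscanning.example")),
        RouteAnalysis("cust-1001", "192.0.2.9", ()),
    ]
    for r in samples:
        print(r.source_ip, classify(r))
```

Each Web route produces its own RouteAnalysis, so an agent behind a VPN would submit one request via the tunnel (classified on-LAN) and one via the local network (classified off-LAN); which of those the agent then follows is the route selection described in the next section.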

Figure 3: Network Route State Determination

Agent Connection Modes


In order to direct user traffic to the Symantec.cloud infrastructure by the most appropriate route, the agent must select
among the available Web routes.
Route selection is based on a priority ranking of the states of the available Web routes; the route with the highest-ranked
state is selected. The ranking is as follows (highest to lowest):
1. No Service - This is the highest priority, since service will not be provided to the user from this location even if
other routes exist.
2. Off-LAN - This is the highest priority of the working states, since the roaming service is likely to perform better when
the user is off-LAN, even if an on-LAN route over a VPN connection is available.
3. On-LAN Protected - A fully protected connection is preferred when on LAN, if there is a choice over the other options.
4. On-LAN Unprotected - An unprotected connection is used only when there is no other choice.
5. Unreachable
Once the agent has selected its highest priority Web route, it will determine which connection mode to use.

Connection Modes
The Smart Connect agent operates in one of three connection modes, depending on the network environment. Note that
the illustrations below depict HTTP as the Web request protocol, but this could equally be HTTPS.
Secure - The secure connection mode establishes an SSL tunnel between the agent and the Symantec.cloud
infrastructure. This mode is used only when the user is outside the customer's LAN. All traffic, whether HTTP or HTTPS,
is encrypted in transit through the SSL tunnel to the SHS infrastructure.

Figure 4: Secure mode


Proxied - The proxied connection mode uses an explicit proxy to direct the user's traffic to Symantec's data centers for
processing. The explicit proxy might be a local Client Site Proxy (CSP) within the customer's network, or the
Symantec.cloud hosted proxy. This mode is used only when the user is within the customer's LAN, and is essentially
equivalent to traditional use of the Symantec MessageLabs Web Security.cloud service.

Figure 5: Proxied mode through CSP. Agent uses the CSP as an explicit proxy


Figure 6: Proxied mode direct to SHS. Agent uses Symantec.cloud as an explicit proxy
Direct - The direct connection mode passes the user's traffic directly onto the network. It may be used to inter-work with
a transparent proxy or firewall redirection on the customer's LAN, or because an off-LAN user is connecting from a
location to which Symantec.cloud does not provide service.

Figure 7: On-LAN Direct mode with transparent proxy or firewall redirection

Figure 8: Off-LAN Direct mode from an embargoed country

Agent State Determination


The agent state is derived from a combination of the selected route's state (off LAN vs. on LAN) and the selected route's
specification (proxied vs. direct).
This gives rise to the following possible agent states:
1. Off LAN Protected - The selected route is off-LAN, using the secure connection mode.
2. On LAN Protected (Proxied) - The selected route is on-LAN, using the proxied connection mode.
3. On LAN Unprotected (Proxied) - Similar to the prior case, but the proxy does not point to the Symantec.cloud
infrastructure, e.g. the customer has a Web security appliance for on-LAN filtering.
4. On LAN Protected (Direct) - The selected route is on-LAN and the route specification is direct. This ensures that the
agent works properly in an environment where there is no explicit proxy for Internet access and a transparent proxy or
firewall redirection sends traffic to Symantec.cloud.
5. On LAN Unprotected (Direct) - Similar to the prior case, however the transparent proxy or firewall redirection does
not direct traffic to Symantec.cloud.
6. No Service Unprotected - If the selected route is no service, the agent operates in direct mode. This allows users to
browse from very remote locations, or from countries that Symantec.cloud does not serve for trade compliance reasons,
without added latency.
7. Unreachable Unprotected - If the selected route is unavailable, the agent operates in direct mode.
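The route ranking from the Agent Connection Modes section and the agent state table above are small enough to implement end to end, which is what this added example (not Symantec's code) does: it picks the highest-ranked route from the set the NED Service returned for each Web route, then maps that route's state and specification to the agent state and connection mode. The route labels and the sample route sets, including the VPN and embargoed-country cases the paper discusses, are constructed.

```python
"""Smart Connect-style route selection and agent state derivation.

Added example, not Symantec's code. Implements the priority ranking of Web
route states and the (route state, route specification) -> agent state table
given in the paper. Route labels and sample inputs are constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Priority ranking of Web route states from the paper, highest first.
ROUTE_PRIORITY = ["no-service", "off-lan", "on-lan-protected",
                  "on-lan-unprotected", "unreachable"]


@dataclass(frozen=True)
class WebRoute:
    name: str    # constructed label for the route, e.g. "direct", "csp"
    state: str   # one of ROUTE_PRIORITY, as returned by the NED Service
    spec: str    # "proxied" (explicit proxy) or "direct"


def select_route(routes: List[WebRoute]) -> WebRoute:
    """Return the route whose state ranks highest; ties keep discovery order."""
    if not routes:
        raise ValueError("no Web routes discovered")
    for r in routes:
        if r.state not in ROUTE_PRIORITY:
            raise ValueError(f"unknown route state {r.state!r}")
    # Lowest index in ROUTE_PRIORITY is the highest priority; min() keeps
    # the first route on ties, i.e. discovery order.
    return min(routes, key=lambda r: ROUTE_PRIORITY.index(r.state))


def agent_state(route: WebRoute) -> Tuple[str, str]:
    """Map the selected route to (agent state, connection mode)."""
    if route.state == "off-lan":
        return "Off LAN Protected", "secure"          # SSL tunnel to the POP
    if route.state == "no-service":
        return "No Service Unprotected", "direct"
    if route.state == "unreachable":
        return "Unreachable Unprotected", "direct"
    # On-LAN: protection comes from the route state, mode from its specification.
    prot = "Protected" if route.state == "on-lan-protected" else "Unprotected"
    if route.spec == "proxied":
        return f"On LAN {prot} (Proxied)", "proxied"
    return f"On LAN {prot} (Direct)", "direct"


def decide(routes: List[WebRoute]) -> Tuple[str, str, str]:
    """Full decision: (selected route name, agent state, connection mode)."""
    chosen = select_route(routes)
    state, mode = agent_state(chosen)
    return chosen.name, state, mode


if __name__ == "__main__":
    # Constructed: a VPN user whose tunnel offers an on-LAN CSP route while the
    # local network offers an off-LAN route; per the paper, off-LAN wins.
    print(decide([WebRoute("vpn-csp", "on-lan-protected", "proxied"),
                  WebRoute("direct", "off-lan", "direct")]))
    # Constructed: an embargoed country; no-service outranks every other route.
    print(decide([WebRoute("direct", "no-service", "direct"),
                  WebRoute("hotel-proxy", "on-lan-unprotected", "proxied")]))
```

The two cases in the `__main__` block show the consequences of the ranking that a practitioner should be aware of: a VPN user is steered away from the corporate CSP to the off-LAN secure tunnel, and a single no-service route causes the agent to fall back to unprotected direct browsing even when a proxied route exists.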

Smart Connect Flow Diagram


The diagram below outlines how these different capabilities work together as part of the overall data flow for the Smart
Connect service offering.

The steps below cover both the initial authentication steps, as well as how the user is able to securely roam from a location
outside the corporate network.
- The agent performs an initial HTTP(S) poll request to the globally distributed Network Environment Discovery (NED)
servers (ned.webscanning.com). Once the poll request succeeds, server and client certificates are authenticated so that
connection details and customer ID information can be transmitted securely.
- The customer ID is validated to ensure that the customer is provisioned for the Smart Connect roaming service. The
agent also sends connection details that allow the NED Service to determine whether the user is connecting from an
on-LAN location (the corporate network) or from an off-LAN location, which indicates that the user is roaming.
  - If the user is on-LAN, and this is the best available route, the NED Service instructs the agent to forward traffic to
the upstream proxy designated in the agent's configuration file. The NED server also determines whether the initial
request was processed by the Symantec.cloud infrastructure, and so whether the on-LAN state is protected (via the
Symantec.cloud infrastructure) or unprotected (direct to the Internet).
  - If the user is off-LAN, the source IP address is used for a geo-location lookup to determine the country the user is
in. The country is then mapped to the recommended infrastructure POP. The agent receives this information together
with a session-based certificate that is used in the subsequent steps.
- When the user is off-LAN and the agent has received the infrastructure information from the NED Service, the agent
initiates an SSL connection to the RAS proxies at the recommended POP. The RAS proxies and the agent mutually
authenticate using the session certificate issued by the NED server.
- At this point the agent is in the off-LAN protected state and ready to carry the first user Web requests. The whole
process up to this point, including initial authentication, normally completes within a few seconds. Subsequent requests
reuse the same session without further authentication, and new sessions can be established in parallel using the same
certificate.
- Once the user has been authenticated and the Web requests have reached the Symantec.cloud infrastructure, the
remainder of the process is identical to on-LAN behavior: policies are applied based on user/group association, filtering
rules and malware scanning, and the Web activity is reported. This information is available in the ClientNet portal, where
a single set of policies applies to roaming and on-LAN activity and a single reporting view covers all Web activity.

Agent Deployment
The Smart Connect agent is delivered as a Microsoft Installer (MSI) package that can be pushed out to endpoints with
desktop management tools such as Altiris Client Management Suite, Microsoft SMS, CA Unicenter and IBM Tivoli, or
installed manually on each machine. An appropriate license key is required to activate the Smart Connect service once
the agent is installed.
During installation, certain parameters must be specified in a configuration file: the on-LAN upstream proxy/gateway,
any site exclusions/bypass list, and the license key. This file can be distributed alongside the MSI package by any major
systems management tool and is designed to install and run cleanly.
The Smart Connect agent is upgraded by the same process as the initial installation: the prior version is uninstalled and
the new version installed. Because the agent itself does very little processing, upgrades are expected to be limited to new
release versions of the Smart Connect agent.


Impact on the Endpoint Computer


Smart Connect has minimal impact on endpoint computers and the corporate network. The agent runs as a Windows
service at normal priority and uses a very small amount of CPU, not noticeable to the end user. The agent does not
perform URL categorization lookups, rule execution, policy execution or content signature matching; all Web acceptable
use policies and content scanning are applied after the traffic has been directed to the Symantec.cloud infrastructure.
The agent requires about 5 MB of disk space and consumes no more than 15 MB of RAM on the computer on which it is
installed. A minimal amount of connection diagnostic logging is written to the local hard disk; all user Web activity is
stored in the Symantec.cloud infrastructure rather than locally on the PC.

Agent Management and Tamper Protection


There are several ways an administrator can reduce the likelihood of an end user removing or tampering with the
endpoint agent:
Silent install - The agent can be installed by the administrator without the user's knowledge. There is also no system
tray icon or other indication that the product is running that might prompt an end user to attempt to disable or remove it.
Windows Access Control List - Only a user with Administrator rights can disable or remove the Smart Connect agent or
alter its behavior.
Agent Process Monitoring - Software distribution products such as Altiris or SMS can monitor software processes. If a
user disables or uninstalls the Smart Connect agent, the distribution software can reinstall it and restore the initial
settings.
Note that these measures reduce rather than eliminate the risk: a user who holds local Administrator rights can still stop
or remove the agent, so process monitoring by the distribution tool is the compensating control for that case.

System Compatibility
The Smart Connect agent installs on Windows XP, Windows Vista and Windows 7 (32-bit and 64-bit). It is designed to be
compatible with the leading third-party Web browsers, including Microsoft Internet Explorer, Firefox, Apple Safari and
Google Chrome.
Compatibility has been tested with the supported OS versions and a variety of versions of the browsers mentioned, as
well as with other endpoint security products including third-party anti-virus, client firewall, VPN and desktop
management products. In addition, the explicit-proxy design of the Smart Connect agent minimizes the risk of future
incompatibility with other third-party software and applications that may be installed on the end user system.

Summary
The Smart Connect roaming agent helps Web Security.cloud customers protect users who connect to the Internet outside
the corporate network environment. Installed locally on the user's workstation, the agent works in conjunction with the
Symantec.cloud infrastructure to defend against Web-borne viruses and spyware while enforcing corporate Web
Acceptable Use Policies (AUPs) to prevent Internet misuse.
The key advantages of Smart Connect are its network intelligence and location awareness capabilities, together with
the seamless experience it gives users. Supported by a global infrastructure and able to operate in numerous networking
environments, Smart Connect is flexible enough to support highly mobile users while providing the lowest possible
latency.
Begin a Free Trial of Web Security.cloud:
http://www.messagelabs.com/trials/free_web


Contact Information

AMERICAS

UNITED STATES
512 Seventh Avenue, 6th Floor
New York, NY 10018
USA
Toll-free +1 866 460 0000

CANADA
170 University Avenue
Toronto, ON M5H 3B3
Canada
Toll-free +1 866 460 0000

EUROPE

HEADQUARTERS
1270 Lansdowne Court
Gloucester Business Park
Gloucester, GL3 4AB
United Kingdom
Tel +44 (0) 1452 627 627
Fax +44 (0) 1452 627 628
Freephone 0800 917 7733
Support +44 (0)870 850 3014

LONDON
3rd Floor
40 Whitfield Street
London, W1T 2RH
United Kingdom
Tel +44 (0) 203 009 6500
Fax +44 (0) 203 009 6552
Support +44 (0) 1452 627 766

NETHERLANDS
WTC Amsterdam
Zuidplein 36/H-Tower
NL-1077 XV Amsterdam
Netherlands
Tel +31 (0) 20 799 7929
Fax +31 (0) 20 799 7801

BELGIUM/LUXEMBOURG
Symantec Belgium
Astrid Business Center
Is. Meyskensstraat 224
1780 Wemmel
Belgium
Tel: +32 2 531 11 40
Fax: +32 531 11 41

DACH
Humboldtstrasse 6
Gewerbegebiet Dornach
85609 Aschheim
Deutschland
Tel +49 (0) 89 94320 120

NORDICS
St. Kongensgade 128
1264 Copenhagen K
Danmark
Tel +45 33 32 37 18
Fax +45 33 32 37 06
Support +44 (0)870 850 3014

ASIA PACIFIC

HONG KONG
Room 3006, Central Plaza
18 Harbour Road, Tower II
Wanchai
Hong Kong
Main: +852 2528 6206
Fax: +852 2526 2646
Support: +852 6902 1130

AUSTRALIA
Level 13
207 Kent Street
Sydney NSW 2000
Main: +61 2 8220 7000
Fax: +61 2 8220 7075
Support: 1 800 088 099

SINGAPORE
6 Temasek Boulevard
#11-01 Suntec Tower 4
Singapore 038986
Main: +65 6333 6366
Fax: +65 6235 8885
Support: 800 120 4415

JAPAN
Akasaka Intercity
1-11-44 Akasaka
Minato-ku, Tokyo 107-0052
Main: +81 3 5114 4540
Fax: +81 3 5114 4020
Support: +852 6902 1130


Symantec.cloud uses the power of cloud computing to secure and manage information stored on endpoints and
delivered via email, Web, and instant messaging. More than ten million end users at more than 31,000 organizations,
ranging from small businesses to the Fortune 500, use Symantec.cloud to secure and manage information.

Visit our websites:
http://www.MessageLabs.com
http://www.symantec.com/business/theme.jsp?themeid=symantec-cloud

Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or
registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be
trademarks of their respective owners.
2/2011 21169981
