The content filtering restrictions imposed by the proxy appliance when connected to an internal network & get wide open when an organization asset/laptop is connected to the public internet. This allows uncontrolled and complete access to unwanted, unauthorized and malicious websites access on organization laptop.
This allowed users off-network to successfully click and access malicious content on organization laptop, thus leaving it open to malware and risk downloads, resulting in the compromise of the user and/or organization's official data.
How can we avoid the same?
There is a complementary product to ProxySG, called Web Security Service (WSS), which is a cloud based implementation of ProxySG, offering the same features as ProxySG as a cloud service.
This gives you the ability to block malware and restrict sites regardless of the network the user is connecting with. You can implement WSS using either a unified agent, Symantec Endpoint Protection (SEP), or other methods (including PAC files, etc).
Ask your channel sales rep for more information on WSS.
Another option is to make sure that all traffic is always directed through your company network, regardless where the client is. For example you can use an Always-On VPN solution for that (as soon as the client starts, a VPN tunnel with a default route is created) or use client side firewall rules which block all traffic except the VPN tunnel into your company datacenter.
Thanks for the suggestion, let me ask the sales rep about the same.
Thanks @fi-da, for the suggestion but I am looking for a proxy-based solution.
If you are OK to have a restricted category-based access, you can use the Proxy based Unified Agent (i.e. Unified Agent Local Enforcement). This is a free (last time I checked) option available along with ProxySG and can restrict access based on category. This used to be called as “Proxy Client” before. You can read more at https://support.symantec.com/us/en/documentation.1256836.html
Note: Even though the policy for this is created in a ProxySG (aka Client Manager), it is separate from your normal proxy policy.