Endpoint Protection

  • 1.  TCP Connections To "ent-shasta-rrs-symantec.com"

    Posted Aug 08, 2017 08:41 AM

    We have found an enormous amount of blocked traffic on our proxies that is going to tcp://ent-shasta-rrs.symantec.com

    I know what the URL is used for, that is not the question.
    The big question mark for me is the TCP:// connection that is being blocked. This is expected behaviour by the proxy. Question is why TCP?

    The client, as per the configuration, is using the IE proxy config, which is a PAC file in the end.
    After testing with the URLs listed under https://support.symantec.com/en_US/article.TECH163042.html, I can tell that one of the links is being blocked and the other works.

    Is there anyone with an idea why these connections happen?



  • 2.  RE: TCP Connections To "ent-shasta-rrs-symantec.com"

    Posted Aug 08, 2017 12:59 PM
    Not sure what you're asking. It uses the TCP protocol to connect. Why is the link not allowed on the proxy?


  • 3.  RE: TCP Connections To "ent-shasta-rrs-symantec.com"

    Posted Aug 09, 2017 03:43 AM

    I have just been wondering why it is logged as a TCP request and not an HTTP request explicitly. I know HTTP is TCP, but it seems to be a proxy "issue".

    And it is not allowed since it has been decided not to send any information to the outside world.

    Which then leads to the other question: Which components are affected when blocking this URL? Most likely the download protection and SONAR. But does this blocking then render the affected components completely worthless?



  • 4.  RE: TCP Connections To "ent-shasta-rrs-symantec.com"

    Posted Aug 09, 2017 06:56 AM

    SEP isn't proxy aware in that it can't see the true source/destination when it comes to the IPS and firewall; it has been like this ever since 11.x. I can't say for sure in this case, but it may also apply. Support may need to confirm.



  • 5.  RE: TCP Connections To "ent-shasta-rrs-symantec.com"

    Trusted Advisor
    Posted Aug 09, 2017 11:22 AM

    Hello,

    Could you try "Testing connectivity to Symantec's Download Insight and licensing servers"?

    https://support.symantec.com/en_US/article.TECH163042.html

    Regards,



  • 6.  RE: TCP Connections To "ent-shasta-rrs-symantec.com"

    Posted Aug 10, 2017 04:05 AM

    The solution to actually get rid of all this traffic is to disable the Insight Lookups in External Communication Settings.

    Nevertheless, it's obviously not the best idea to do that as it reduces the functionality of Download Insight and SONAR.
    But since the directive is not to communicate with these services, that's the only thing to do.

    The question now is whether it is possible to configure the whole system so that clients do not contact these Insight servers directly but via SEPM, with the requests being sent from there in a consolidated way.



  • 7.  RE: TCP Connections To "ent-shasta-rrs-symantec.com"

    Broadcom Employee
    Posted Aug 10, 2017 04:14 AM

    Clients reach out to Insight servers directly or through the Symantec ATP for EndPoint.