Haifeng's Blog

Integrating Symantec Cloud SWG with SEP/SES

by · Published · Updated

This guide describes how to integrate Symantec Cloud SWG (formerly WSS) with Symantec Endpoint Protection (SEP) or Symantec Endpoint Security (SES) clients using a Provisioning Token and SAML authentication.
The integration ensures that all endpoint web traffic is redirected through Cloud SWG, with seamless user identification and consistent policy enforcement.

1. Prerequisites & Network Access

  • Client versions: SEP/SES 14.3 RU5 or later (required for Using WSS SAML Authentication mode).
  • Identity Provider (IdP): SAML-capable IdP such as Azure Entra ID, Okta, or SimpleSAMLphp, already integrated with Cloud SWG.

If endpoints connect through a corporate firewall or proxy, the following destinations and ports must be allowed without restrictions:

URLPort(s)Purpose
proxy.threatpulse.net8080Default Cloud SWG proxy endpoint
sep-wtr.threatpulse.net8080SEP/SES Web and Cloud Access Protection (WTR) proxy endpoint
client-id.wss.symantec.com/sso443Seamless identification (client ID exchange and token negotiation)

2. Configure Cloud SWG

The detailed SAML configuration depends on your chosen IdP (Azure Entra ID, Okta, SimpleSAMLphp, etc.).
You can reference these step-by-step guides for Cloud SWG + IdP integration:

  • Enable WSS Agent and SEP Authentication – SAML Captive Portal in the Cloud SWG Portal – Authentication Policy.
image-20250909083225778
  • Go to Connectivity → Symantec Endpoint Integrations, copy Network Integration Token(Tunnel Mode).
image-20250909083141802

3. Configure SEPM

If you manage endpoints with SEPM:

  • In SEPM console: go to Policies → Web and Cloud Access Protection.
  • Enable Web and Cloud Access Protection.
  • Under Network integration token, paste the Token obtained from Cloud SWG.
  • Select Identity traffic option: Using WSS SAML Authentication.
image-20250909083011371
  • Assign the policy to the appropriate client group.
  • Trigger a policy update on the client (right-click → Update Policy) or wait for heartbeat.

4. Configure SES Cloud Console

If you manage endpoints with SES (cloud console):

  • Navigate to the correct Domain.
  • Go to Policies → Create Policy → Web and Cloud Access Protection.
  • Enable the policy, paste the Network Integration Token, and choose Using WSS SAML Authentication.
image-20250909083448268
  • Assign the policy to the desired Device Groups.

5. Endpoint Behavior and Verification

Once the policy is applied, the SEP/SES client will attempt to establish a secure tunnel to Cloud SWG.

On first-time use, the client will trigger a SAML login flow.
The user will be redirected to the IdP login page to complete authentication.

image-20250909083724552

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *