Symantec ZTNA Segment Application Integration Guide (with SES + Cloud SWG + Azure Entra ID)

1. Overview

This is a technically complex integration project, involving multiple product layers:
Symantec Endpoint Security (SES) for device posture and identity assurance,
Cloud SWG for user authentication and outbound security, and
ZTNA for secure access to private applications and segments.
Azure Entra ID provides SAML and SCIM integration as the central identity provider.


2. Objectives

  • Achieve seamless access to ZTNA Segment Applications after identity validation via WSS/SES.
  • Ensure that user identity and device posture are securely propagated across the ZTNA session.
  • Lay the groundwork for later integration of ZTNA Access Policies, Application objects, and Cloud SWG ATM configuration.
  • Prepare the environment for centralized reporting and verification.

3. Prerequisites

Before proceeding, the following configurations must already be in place:

  1. Cloud SWG + SES integration with ZTNA
    Integrating Cloud SWG (WSS) and SES with ZTNA
    👉 https://lihaifeng.net/integrating-cloud-swg-wss-and-ses-with-ztna/
  2. Cloud SWG integration with SEP/SES endpoint
    Integrating Symantec Cloud SWG with SEP/SES
    👉 https://lihaifeng.net/integrating-symantec-cloud-swg-with-sep-ses/
  3. ZTNA platform and application fundamentals
    Symantec ZTNA Application Configuration Guide
    👉 https://lihaifeng.net/symantec-ztna-configuration-guide/
  4. Azure Entra ID integration with ZTNA (SAML + SCIM)
    Integrating Azure Entra ID with Symantec ZTNA Using SAML + SCIM
    👉 https://lihaifeng.net/integrating-azure-entra-id-with-symantec-ztna-using-saml-scim/
  5. Azure Entra ID integration with Cloud SWG (SAML SSO)
    Integrating Symantec Cloud SWG with Azure Entra ID (SAML SSO)
    👉 https://lihaifeng.net/integrating-symantec-cloud-swg-with-azure-entra-id-saml-sso/

Once these configurations are complete, ZTNA can identify the user and verify the device’s security status based on information passed from the Cloud SWG session.


4. Implementation Concept

When a device connects through Cloud SWG:

  • The user is authenticated via Azure Entra ID (SAML).
  • SES checks the device’s security condition and makes this information available for access control decisions.
  • With both user identity and device trust verified, ZTNA grants transparent access to Segment Applications.

Therefore, when a user on a managed, compliant device accesses a ZTNA segment,
ZTNA recognizes the user and device trust state automatically, without re-authentication.


5. Configuration Flow

Step 1: Create Segment Application in ZTNA

  1. Navigate to Applications → New → Segment Application.
  2. Define the Target Address with the IP subnet(s) in CIDR notation or the IP ranges to protect.
  3. Save and verify the status is Online.

Step 2: Map Segment to Access Policy

Add a condition to restrict access only to managed devices:

  • Condition: Managed Device
  • Authentication: SES Agent

This ensures only compliant, managed endpoints can access the protected segment.

Go to Assigned Applications and add one or more Segment Applications that this policy will control.
For example:

  • HF_Segment_Application_01 (target 172.16.20.0/24)
  • HF_Segment_Application_02 (target 172.16.30.101)

Under Assigned Entities, select users or groups synchronized from Azure Entra ID (via SAML/SCIM).
In this example, the entity student (Generic SAML User) is linked to the policy.
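The decision described in Step 2 (a Segment Application selected by target address, a policy that requires a managed device authenticated through the SES agent, and an entity list synchronized from Entra ID) can be modelled to reason about which sessions will and will not be admitted. The following is an added example, not Symantec's code or the ZTNA product logic: the application, policy and user names come from this guide, while the data classes, the evaluation order and the "sep-agent" agent-type check are assumptions made for the illustration.

```python
"""Model of a ZTNA Segment Access Policy decision (added example, not product code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass
class SegmentApplication:
    name: str
    targets: List[str]  # CIDR blocks or single IPs, as entered under Target Address

    def covers(self, ip: str) -> bool:
        addr = ip_address(ip)
        # strict=False lets a host address such as "172.16.30.101" become a /32
        return any(addr in ip_network(t, strict=False) for t in self.targets)


@dataclass
class AccessPolicy:
    name: str
    assigned_applications: List[SegmentApplication]
    assigned_entities: Set[str]         # users/groups synced from Azure Entra ID
    require_managed_device: bool = True # "Condition: Managed Device"
    required_agent: str = "sep-agent"   # "Authentication: SES Agent" (assumed mapping)


@dataclass
class Session:
    user: str
    groups: Set[str]
    managed_device: bool        # device posture reported by SES
    agent_type: Optional[str]   # agent type as ZTNA would log it


def evaluate(policies: List[AccessPolicy], session: Session,
             target_ip: str) -> Tuple[str, Optional[str], Optional[str], str]:
    """Return (decision, application, policy, reason) for one connection attempt.

    Assumed order: first policy whose Segment Application covers the target
    decides; identity, then device posture, then agent type are checked.
    """
    for policy in policies:
        app = next((a for a in policy.assigned_applications if a.covers(target_ip)), None)
        if app is None:
            continue
        if not ({session.user} | session.groups) & policy.assigned_entities:
            return ("deny", app.name, policy.name, "user not in Assigned Entities")
        if policy.require_managed_device and not session.managed_device:
            return ("deny", app.name, policy.name, "Managed Device condition not met")
        if policy.required_agent and session.agent_type != policy.required_agent:
            return ("deny", app.name, policy.name,
                    f"agent type {session.agent_type!r} is not {policy.required_agent!r}")
        return ("allow", app.name, policy.name, "identity and device posture verified")
    return ("no-match", None, None, "target not covered by any Segment Application")


# Constructed configuration mirroring the guide's example objects
SEGMENTS = [
    SegmentApplication("HF_Segment_Application_01", ["172.16.20.0/24"]),
    SegmentApplication("HF_Segment_Application_02", ["172.16.30.101"]),
]
POLICIES = [
    AccessPolicy("HF_Home_Segment_Policy_01", SEGMENTS, {"student"}),
]

if __name__ == "__main__":
    compliant = Session("student", set(), managed_device=True, agent_type="sep-agent")
    unmanaged = Session("student", set(), managed_device=False, agent_type="sep-agent")
    print(evaluate(POLICIES, compliant, "172.16.20.5"))
    print(evaluate(POLICIES, unmanaged, "172.16.20.5"))
    print(evaluate(POLICIES, compliant, "10.0.0.1"))
```

Running the model against the guide's objects shows the three outcomes worth expecting during testing: a compliant `student` session is allowed into either segment, the same user on an unmanaged device or without the SES agent is denied by the policy, and a destination outside both Target Address ranges is never treated as ZTNA traffic at all.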

Step 3: Configure ZTNA Traffic Intercept in Cloud SWG

To enable the Cloud SWG agent (WSS Agent) to forward ZTNA Segment Application traffic, you must add a ZTNA traffic intercept rule in the Agent Traffic Manager.

  1. In the Cloud SWG Portal, go to
    Connectivity → Agent Traffic Manager → Traffic Intercept Rules.
  2. Open the ZTNA tab.
  3. Click Add Rule, then set:
    • Source: user/group/device tag/location
    • Verdict: Intercept
    • Services/Ports: ZTNA
  4. Save and verify that the rule appears above any “Do Not Intercept” entries.

After this step, Cloud SWG will automatically intercept and tunnel all ZTNA Segment Application traffic for authenticated users, enabling seamless access through ZTNA Connectors.

Step 4: Validate Seamless Access

  1. From a managed device connected to SES, try to access a host/IP inside the defined Segment.
  2. Confirm:
    • No login prompt appears.
    • The traffic passes through the ZTNA Connector.

Step 5: Verify in ZTNA

  1. Navigate to Logs → Forensics in the ZTNA portal.
  2. Filter by the user or device you tested.
  3. Confirm that the session shows:
    • Application: your Segment Application name (e.g., HF_Segment_Application_01)
    • Access Policy: the policy you configured (e.g., HF_Home_Segment_Policy_01)
    • Agent type: sep-agent

✅ This confirms that ZTNA successfully detected the user’s identity and trusted device status provided by SES, and enforced the correct Segment Access Policy.

Step 6: Verify in Cloud SWG

  1. In the Cloud SWG Portal, go to Reports → ZTNA Logs.
  2. Search for the same user or hostname.
  3. Check that the ZTNA traffic is logged with:
    • Application: your Segment Application name (e.g., HF_Segment_Application_01)
    • Application Type: Segment

✅ If the entry appears under ZTNA Logs, it means the WSS Agent successfully intercepted the traffic and redirected it to the ZTNA service.
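Steps 5 and 6 check the same test session in two places, and the combination of what is present and what is missing tells you which earlier step to revisit. The script below is an added example, not a Symantec tool: it correlates a user's entries across constructed key=value stand-ins for a ZTNA Forensics record and a Cloud SWG ZTNA Logs record, checks the field values the two steps call for, and names the step to go back to when a check fails. Real exports from either portal use their own formats, so `parse_kv` would need adapting; the field names and the `agent_type=unknown` value in the sample are assumptions.

```python
"""Correlate a ZTNA test session across ZTNA Forensics and Cloud SWG ZTNA Logs
(added example with constructed log lines, not product output)."""
from typing import Dict, List

# Constructed samples: one session that should pass every check (student),
# one that should fail several (alice, no SES agent, not intercepted by WSS Agent).
ZTNA_FORENSICS = """\
time=2024-01-01T10:00:00Z user=student application=HF_Segment_Application_01 access_policy=HF_Home_Segment_Policy_01 agent_type=sep-agent dest=172.16.20.5 action=allow
time=2024-01-01T10:00:05Z user=alice application=HF_Segment_Application_02 access_policy=HF_Home_Segment_Policy_01 agent_type=unknown dest=172.16.30.101 action=deny
"""

CLOUD_SWG_ZTNA = """\
time=2024-01-01T10:00:00Z user=student application=HF_Segment_Application_01 application_type=Segment dest=172.16.20.5 verdict=intercept
"""


def parse_kv(text: str) -> List[Dict[str, str]]:
    """Parse whitespace-separated key=value records, one per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        records.append(dict(tok.split("=", 1) for tok in line.split() if "=" in tok))
    return records


def verify_session(ztna_text: str, swg_text: str, user: str,
                   expected_app: str, expected_policy: str) -> Dict[str, object]:
    """Apply the Step 5 and Step 6 checks for one user; findings point at the step to revisit."""
    ztna = [r for r in parse_kv(ztna_text) if r.get("user") == user]
    swg = [r for r in parse_kv(swg_text) if r.get("user") == user]
    findings: List[str] = []

    # Step 5: ZTNA Forensics
    if not ztna:
        findings.append("no ZTNA Forensics entry: check the intercept rule (Step 3) and policy assignment (Step 2)")
    else:
        r = ztna[0]
        if r.get("application") != expected_app:
            findings.append(f"Application is {r.get('application')!r}, expected {expected_app!r}: check Target Address (Step 1)")
        if r.get("access_policy") != expected_policy:
            findings.append(f"Access Policy is {r.get('access_policy')!r}, expected {expected_policy!r}: check Assigned Applications (Step 2)")
        if r.get("agent_type") != "sep-agent":
            findings.append(f"Agent type is {r.get('agent_type')!r}, not sep-agent: device posture from SES was not seen (Prerequisites 1-2)")
        if r.get("action") != "allow":
            findings.append("session was not allowed: check Managed Device condition and Assigned Entities (Step 2)")

    # Step 6: Cloud SWG ZTNA Logs
    if not swg:
        findings.append("no Cloud SWG ZTNA Logs entry: WSS Agent did not intercept the traffic (Step 3)")
    else:
        s = swg[0]
        if s.get("application_type") != "Segment":
            findings.append(f"Application Type is {s.get('application_type')!r}, expected 'Segment'")
        if s.get("application") != expected_app:
            findings.append(f"Cloud SWG logged application {s.get('application')!r}, expected {expected_app!r}")

    return {"user": user, "ok": not findings, "findings": findings}


if __name__ == "__main__":
    for u, app in (("student", "HF_Segment_Application_01"), ("alice", "HF_Segment_Application_02")):
        result = verify_session(ZTNA_FORENSICS, CLOUD_SWG_ZTNA, u, app, "HF_Home_Segment_Policy_01")
        print(u, "OK" if result["ok"] else "\n  - " + "\n  - ".join(result["findings"]))
```

The useful signal is the asymmetry between the two sources: an entry in ZTNA Forensics with the wrong agent type means ZTNA saw the session but not the SES-backed device trust, while a ZTNA entry with no matching Cloud SWG ZTNA Logs entry means the traffic reached ZTNA by some path other than the WSS Agent intercept rule configured in Step 3.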
