Auth Connector cannot communicate with Web Security Service

Article ID: 168434

Products

Web Security Service - WSS

Issue/Introduction

You use the Firewall/VPN access method with Auth Connector (BCCA) for authentication. The connection between Auth Connector and Web Security Service (WSS) does not work correctly.

Cause

Auth Connector traffic might be routed through the WSS IPSec tunnel. When it is routed this way, the Auth Connector cannot communicate properly with the authentication pods in the data centers.

Environment

Web Security Service

Resolution

For the Firewall/VPN access method deployment, the Auth Connector must talk to the authentication IP addresses in each data center without going through the IPSec tunnel. It requires a direct connection over port 443. The following article provides the list of the authentication service IPs: Authentication IP Addresses by Data Center.

You must create a rule on the firewall that excludes the Auth Connector server traffic from the Web Security Service (WSS) IPSec tunnel.
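One way to check an exported firewall policy for this exclusion, as an added example that is not part of the original article or any vendor tooling. It assumes the firewall evaluates rules top-down with first match winning; the `Rule` model, the rule names and all addresses (documentation ranges) are constructed placeholders, and the real authentication IPs come from the list referenced above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                      # hypothetical model of one policy line
    name: str
    src: str                     # source CIDR
    dst: str                     # destination CIDR
    port: Optional[int]          # None means any port
    action: str                  # "direct" (bypass tunnel) or "tunnel"

def first_match(rules, src_ip, dst_ip, port):
    """Return the first rule matching the flow (assumed first-match semantics)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r
    return None

def tunneled_auth_ips(rules, connector_ip, auth_ips, port=443):
    """List (auth_ip, rule_name) pairs where connector traffic is not sent direct."""
    bad = []
    for ip in auth_ips:
        r = first_match(rules, connector_ip, ip, port)
        if r is None or r.action != "direct":
            bad.append((ip, r.name if r else "no-match"))
    return bad

# Constructed sample data: connector server and two data-center auth IPs.
CONNECTOR = "10.0.5.20"
AUTH_IPS = ["198.51.100.10", "203.0.113.10"]
TUNNEL = Rule("all-to-wss", "10.0.0.0/8", "0.0.0.0/0", None, "tunnel")
BYPASS_A = Rule("bcca-dc-a", "10.0.5.20/32", "198.51.100.0/24", 443, "direct")
BYPASS_B = Rule("bcca-dc-b", "10.0.5.20/32", "203.0.113.0/24", 443, "direct")

BROKEN = [TUNNEL]                        # no exclusion at all
SHADOWED = [TUNNEL, BYPASS_A, BYPASS_B]  # exclusion exists but is never reached
PARTIAL = [BYPASS_A, TUNNEL]             # one data center still tunneled
FIXED = [BYPASS_A, BYPASS_B, TUNNEL]     # exclusion precedes the tunnel rule

if __name__ == "__main__":
    for label, policy in [("broken", BROKEN), ("shadowed", SHADOWED),
                          ("partial", PARTIAL), ("fixed", FIXED)]:
        print(label, tunneled_auth_ips(policy, CONNECTOR, AUTH_IPS))
```

An empty result means every authentication IP is reached directly on port 443; any listed pair names the rule that still sends that flow into the tunnel.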