• WSS Agent (WSSA) is enabled and connected to the Cloud SWG service (formerly known as WSS)
• With this configuration, all web traffic on ports 80 and 443 are tunneled through WSSA to the Cloud SWG data center
• All third-party VPN traffic (Cisco AnyConnect, Pulse Secure) is also tunneled into CloudSWG if that VPN client traffic is not properly bypassed

For third-party VPN client software to connect properly, that VPN traffic must be bypassed from the CloudSWG (WSS) service. 

You bypass VPN client traffic in one of two ways: 

• Bypass by Application
• Bypass by IP (all VPN server concentrator IP addresses must be bypassed)

Note: The VPN client software must be configured to use "Split-mode" VPN tunneling (not "Full-tunnel" mode).

For tunnel flapping issues see: WSS Agent turns on and off constantly when using multiple VPN clients