Unified Agent protected by ProxySG using common policy unexpectedly goes active

Article ID: 169412

Products

Web Security Service - WSS

Issue/Introduction

The on-premise ProxySG is configured to use common policy. The workstations behind that common policy proxy have Unified Agent (UA) installed in Cloud mode.
Normally, a workstation with UA installed behind a common policy proxy is in a passive state. The network location status in the Web Security Service (WSS) portal then changes from green to red. After the status has changed to red, any new UA connection from that location goes active.
If a networking event occurs, such as a change of IP address, while the network location is red, UA goes active. When the network location status is green, workstations with UA go into a passive state.

Cause

In a common policy deployment with Unified Agent (UA) installed on the laptops or workstations, if the common policy proxy is unable to establish a connection to the portal for approximately 35 minutes, the hybrid location status changes from green to red. Workstations whose UA is already in a passive state remain passive unless a networking event occurs. Any new UA connection from a network location whose status is red causes UA to go active. This is currently working as designed: if the on-premise proxy is having issues and is configured to fail open, new UA connections go active so that the workstations remain protected by WSS.

NOTE:  The above scenario only applies to common policy (aka hybrid) locations.  Workstations behind an explicit, proxy forwarding or IPsec location go passive regardless of the connectivity status shown in the portal.
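The rules in the Cause section have several interacting conditions (location type, portal status, whether the UA connection is new or already passive, networking events), so the following model replays them over a constructed timeline. This is an added illustration for reasoning about the behaviour, not Symantec/Broadcom code: the 35-minute threshold, the status colours and the location types come from the article, while the workstation names, timestamps and step sequence are constructed for the example.

```python
"""Model of the Unified Agent (UA) active/passive rules described above.

Added example, not product code. It encodes the Cause section so the edge
cases (existing passive UA stays passive, new connection on a red location
goes active, non-hybrid locations are always passive) can be walked through.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hybrid location turns red once the on-premise proxy has been unable to
# reach the portal for roughly this long (value from the article).
RED_AFTER = timedelta(minutes=35)

HYBRID = "hybrid"                                        # common policy location
ALWAYS_PASSIVE = {"explicit", "proxy_forwarding", "ipsec"}  # per the NOTE above


def location_status(last_portal_contact: datetime, now: datetime) -> str:
    """Portal status of a hybrid location: green while the proxy has checked in
    within RED_AFTER, red once it has been silent for at least that long."""
    return "red" if now - last_portal_contact >= RED_AFTER else "green"


@dataclass
class Workstation:
    name: str
    state: str = "passive"   # UA state behind a working common policy proxy


def ua_state_after(event: str, location_type: str, status: str, current: str) -> str:
    """Apply the article's rules for one event on one workstation.

    event: "new_connection" - UA connects from this location
           "network_event"  - e.g. IP address change on a connected UA
           "idle"           - nothing happened on this workstation
    """
    if location_type in ALWAYS_PASSIVE:
        return "passive"              # status in the portal is irrelevant here
    if location_type != HYBRID:
        raise ValueError(f"unknown location type: {location_type}")
    if event == "idle":
        return current                # already-passive UA stays passive
    if event in ("new_connection", "network_event"):
        return "active" if status == "red" else "passive"
    raise ValueError(f"unknown event: {event}")


def simulate(start: datetime, steps):
    """Replay steps of the form (minutes, workstation, event, proxy_reached_portal).

    proxy_reached_portal=True means the on-premise proxy checked in with the
    portal at that step, refreshing the last-contact time.
    Returns rows of (minutes, workstation, location status, UA state).
    """
    last_contact = start
    stations = {}
    rows = []
    for minutes, name, event, proxy_ok in steps:
        now = start + timedelta(minutes=minutes)
        if proxy_ok:
            last_contact = now
        status = location_status(last_contact, now)
        ws = stations.setdefault(name, Workstation(name))
        ws.state = ua_state_after(event, HYBRID, status, ws.state)
        rows.append((minutes, name, status, ws.state))
    return rows


# Constructed timeline (minutes after start). The proxy loses portal
# connectivity after minute 0 and regains it at minute 60.
SCENARIO = [
    (0,  "ws-a", "idle", True),             # healthy proxy, ws-a connected and passive
    (20, "ws-a", "idle", False),            # proxy silent 20 min: still green
    (40, "ws-a", "idle", False),            # 40 min silent: red, but ws-a stays passive
    (40, "ws-b", "new_connection", False),  # new UA connection on a red location: active
    (45, "ws-a", "network_event", False),   # IP change on a red location: active
    (60, "ws-a", "network_event", True),    # proxy back, green: ws-a goes passive
    (60, "ws-c", "new_connection", True),   # new connection on a green location: passive
]


def run_example():
    """Replay SCENARIO from a fixed, constructed start time."""
    return simulate(datetime(2024, 1, 1, 8, 0), SCENARIO)


if __name__ == "__main__":
    for minutes, name, status, state in run_example():
        print(f"t+{minutes:>3} min  {name}  location={status:<5}  UA={state}")
```

Rows 3 and 4 of the replay are the case the article describes: at the same moment, under the same red status, the already connected workstation stays passive while the newly connecting one goes active.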

Resolution

If UA is unexpectedly going active, check the hybrid location in the portal.  If the hybrid location status is red, check connectivity between the on-premise ProxySG and the Web Security Service.  You may need to take a packet capture on the on-premise ProxySG to see whether it is able to communicate with the Web Security Service; running the update-now command while in cloud-service configuration mode generates traffic destined to the service on demand, so the attempt shows up in the capture.

It's crucial to have connectivity to the following domains/IPs to ensure proper integration between the solutions:

Unified Agent must be able to communicate with the following destinations from behind the Proxy:

Web Security Service IP addresses

  • 199.19.250.192
  • 199.116.168.192

 
Unified Agent

  • Port 443 to ctc.threatpulse.com
  • Port 443 to proxy.threatpulse.com
  • Port 443 to portal.threatpulse.com (199.19.250.192)

If the proxy sits behind another routing point in your network, for example a firewall, that device must also allow the destinations listed above, together with the destinations required by the hybrid solution:

Hybrid Policy

  • 199.19.250.195
  • 199.116.168.195
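To check the destinations above from a workstation on the common policy network, or from any host on the proxy's egress path, the script below attempts a TCP connection to each one and maps the failures back to the troubleshooting step in the Resolution section. This is an added example, not Broadcom/Symantec tooling. The hostnames and IP addresses are copied from the lists above; port 443 for the bare IP addresses, the five-second timeout and the group labels are assumptions. The `probe` argument of `run_checks` is injectable so the reporting logic can be exercised without network access.

```python
"""Reachability check for the WSS destinations listed in the article.

Added example, not product code. Run it from behind the common policy proxy.
A plain TCP connect distinguishes a firewall/routing block from a problem on
the service side; it does not validate TLS or proxy credentials.
"""
import socket
from typing import Callable, Dict, List, Tuple

# (group, host, port). Hosts/IPs are from the article; port 443 for the bare
# IP addresses is an assumption (the article states 443 only for hostnames).
REQUIRED: List[Tuple[str, str, int]] = [
    ("WSS IP", "199.19.250.192", 443),
    ("WSS IP", "199.116.168.192", 443),
    ("Unified Agent", "ctc.threatpulse.com", 443),
    ("Unified Agent", "proxy.threatpulse.com", 443),
    ("Unified Agent", "portal.threatpulse.com", 443),
    ("Hybrid Policy", "199.19.250.195", 443),
    ("Hybrid Policy", "199.116.168.195", 443),
]


def tcp_probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Return "ok" if a TCP connection succeeds, else a short failure reason."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except socket.gaierror as exc:
        return f"dns: {exc}"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        return f"refused/unreachable: {exc.strerror or exc}"


def run_checks(targets=REQUIRED,
               probe: Callable[[str, int], str] = tcp_probe) -> Dict[str, List[str]]:
    """Probe every target. Returns {"ok": [labels], "failed": ["label -> reason"]}."""
    result: Dict[str, List[str]] = {"ok": [], "failed": []}
    for group, host, port in targets:
        label = f"{group} {host}:{port}"
        outcome = probe(host, port)
        if outcome == "ok":
            result["ok"].append(label)
        else:
            result["failed"].append(f"{label} -> {outcome}")
    return result


def diagnosis(result: Dict[str, List[str]]) -> str:
    """Map the probe result to the next step from the Resolution section."""
    if not result["failed"]:
        return ("All required destinations reachable; check the hybrid location "
                "status in the portal and take a capture on the ProxySG instead.")
    if any(f.startswith("Hybrid Policy") for f in result["failed"]):
        return ("Hybrid Policy destinations blocked: the proxy cannot reach the "
                "portal, the location will turn red after about 35 minutes and new "
                "UA connections will go active. Open the path on the upstream firewall.")
    return ("Unified Agent/WSS destinations blocked from behind the proxy: fix the "
            "path on the proxy or upstream firewall before investigating UA itself.")


if __name__ == "__main__":
    res = run_checks()
    for line in res["ok"]:
        print("OK     ", line)
    for line in res["failed"]:
        print("FAILED ", line)
    print(diagnosis(res))
```

Run it on the proxy's network rather than from a host that already has a working direct path to the Internet; otherwise a successful connect says nothing about what the upstream firewall allows for the ProxySG.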