Users are unable to browse the internet using explicit access methods including Proxy forwarding and SEP-WTR
Article ID: 189049
Updated On:
Products
Web Security Service - WSS
Issue/Introduction
Users are unable to browse the internet via WSS when in explicit mode (explicit, proxy forwarding or SEP WTR access methods)
Users get 'page not found error'
Users get connectivity error in browser accessing traffic via WSS
Disabling explicit mode and going to internet directly works fine
Modifying workstation PAC file to point specifically at the local data center VIP (versus proxy.threatpulse.net) works fine
Cause
Firewall not allowing traffic to TCP 8080 to new GCP data center IP address referenced via proxy.threatpulse.net.
Resolution
Make sure that local firewall allows TCP 8080 traffic to the IP address ranges defined in the following two KB articles
1. any of the WSS ingress IP addresses defined at https://knowledge.broadcom.com/external/article/167174/data-center-ip-addresses-for-web-securit.html and
2. any of the WSS egress and authentication networks defined at https://knowledge.broadcom.com/external/article/165389/authentication-ip-addresses-by-data-cent.html.
1. any of the WSS ingress IP addresses defined at https://knowledge.broadcom.com/external/article/167174/data-center-ip-addresses-for-web-securit.html and
2. any of the WSS egress and authentication networks defined at https://knowledge.broadcom.com/external/article/165389/authentication-ip-addresses-by-data-cent.html.
Additional Information
With the GCP data center roleout, the IP address ranges for explicit and Unified-Agent/WSS agent may have changed. It is imperitive that corresponding firewall rules are changed to allow traffic to these new GCP IP addresses.
Feedback
Yes
No
Powered by
