
Users are unable to browse the internet using explicit access methods including Proxy forwarding and SEP-WTR


Article ID: 189049


Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Users are unable to browse the internet via WSS when in explicit mode (explicit, proxy forwarding or SEP WTR access methods).
Users get a 'page not found' error.
Users get a connectivity error in the browser when accessing traffic via WSS.
Disabling explicit mode and going to the internet directly works fine.
Modifying the workstation PAC file to point specifically at the local data center VIP (versus proxy.threatpulse.net) works fine.

Cause

The firewall is not allowing traffic on TCP 8080 to the new GCP data center IP address referenced via proxy.threatpulse.net.

Resolution

Make sure that the local firewall allows TCP 8080 traffic to the IP address ranges defined in the following two KB articles:

1. any of the WSS ingress IP addresses defined at https://knowledge.broadcom.com/external/article/167174/data-center-ip-addresses-for-web-securit.html and
2. any of the WSS egress and authentication networks defined at https://knowledge.broadcom.com/external/article/165389/authentication-ip-addresses-by-data-cent.html.
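One way to confirm the rule gap from an affected network, as an added example (not Broadcom tooling): resolve proxy.threatpulse.net, flag any resolved address that the firewall allow-list does not cover, and test the TCP 8080 handshake to each address. `ALLOWED_CIDRS` holds constructed documentation ranges as placeholders; replace them with the ranges from the two KB articles above.

```python
import ipaddress
import socket

PROXY_HOST = "proxy.threatpulse.net"   # hostname named in this article
PROXY_PORT = 8080                      # explicit-proxy port named in this article

# Constructed placeholder: CIDRs the local firewall currently allows on TCP 8080.
# These are documentation ranges, not real WSS ranges.
ALLOWED_CIDRS = ["192.0.2.0/24", "2001:db8::/32"]


def resolve(host, port=PROXY_PORT):
    """Return the sorted set of IP addresses the host currently resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def uncovered(addresses, allowed_cidrs):
    """Return the addresses that no allow-list CIDR contains (rule gaps)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    gaps = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip.version == n.version and ip in n for n in nets):
            gaps.append(addr)
    return gaps


def tcp_reachable(address, port=PROXY_PORT, timeout=3.0):
    """True if a TCP handshake to address:port completes within the timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, filtered
        return False


def report(host=PROXY_HOST, allowed_cidrs=ALLOWED_CIDRS):
    """List (address, rule_missing, tcp_8080_ok) for every resolved address."""
    addrs = resolve(host)
    gaps = set(uncovered(addrs, allowed_cidrs))
    return [(a, a in gaps, tcp_reachable(a)) for a in addrs]


if __name__ == "__main__":
    for addr, rule_missing, ok in report():
        print(f"{addr:40} rule_missing={rule_missing} tcp_8080_ok={ok}")
```

An address reported with `rule_missing=True` and `tcp_8080_ok=False` matches the cause described in this article.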

Additional Information

With the GCP data center rollout, the IP address ranges for explicit and Unified-Agent/WSS agent may have changed. It is imperative that corresponding firewall rules are changed to allow traffic to these new GCP IP addresses.