Roaming captive portal page returned when using WSS Agent PFMS roaming PAC file


Article ID: 191089


Updated On:


Cloud Secure Web Gateway - Cloud SWG


WSS Agent (WSSA) or Unified Agent (UA)
PAC file management system (PFMS) is being used
There is a PFMS roaming profile configured on the tenant
When on premises, the agent detects it is on a protected network and goes passive
When off premises, the workstation receives the roaming PFMS profile and is presented with a roaming captive portal (RCP) login page. This is unexpected.
Removing the PFMS roaming profile addresses the issue
The roaming PFMS profile is being used to add Microsoft Office hosts to the WSSA/UA bypass list (not supported; see the Additional Information section below)


WSSA 6.1.1 or 5.1.1 (any version of WSSA)
UA 4.10.6


WSSA or UA adds the IP addresses of the data centers it receives from the Cloud Traffic Controller (CTC) to its IP bypass list. Additionally, any proxy statements in a PAC file are also added to the IP or hostname bypass list. When the issue occurs, the workstation is downloading the PFMS roaming PAC file. WSSA (or UA) is parsing the PAC file looking for proxy statements and is adding (or proxy IP address) to the bypass list. Because is in the bypass list, that request is going direct to the data pod and not into the agent's user tunnel. Because the workstation is not coming from a known location, tenancy has not been determined on the data pod, so the RCP login page is presented to the end user. This is working as designed.


The issue is resolved if the PFMS roaming profile is removed.

Additional Information

Note: In the above scenario, the PFMS solution was being used to manage the Office365 exceptions via the PAC file. WSSA/UA does not honor the DIRECT statements found in PAC files. The OS will not send that request to the proxy and will send it direct instead, but WSSA/UA will see that request going over port 80 or 443, intercept it, and send it to WSS. The correct way to handle WSSA/UA bypasses is to enter them in the WSS portal under Service > Network > Bypassed sites. That will prevent WSSA/UA from intercepting those IPs or hosts.
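
The following is an added example, not Broadcom code and not the agent's actual parser: a Python audit that approximates the behaviour described above by listing the proxy targets in a PAC file that the agent would add to its bypass list, and the host patterns behind DIRECT returns, which the agent does not honor and which belong under Bypassed sites in the portal instead. The PAC content, hostnames, addresses and function names are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample PAC file; every hostname and address is a placeholder.
SAMPLE_PAC = r'''
function FindProxyForURL(url, host) {
    // Office exceptions kept in the PAC file (the agent ignores these)
    if (dnsDomainIs(host, ".office.example.test") ||
        shExpMatch(host, "outlook.example.test"))
        return "DIRECT";
    if (isInNet(host, "10.0.0.0", "255.0.0.0"))
        return "DIRECT";
    return "PROXY proxy.example.test:8080; PROXY 192.0.2.10:8080; DIRECT";
}
'''

RETURN_RE = re.compile(r'return\s+"([^"]*)"')
IF_RETURN_RE = re.compile(r'if\s*\((.*?)\)\s*\{?\s*return\s+"([^"]*)"', re.S)
HOST_ARG_RE = re.compile(r'\(\s*host\s*,\s*"([^"]+)"')
PROXY_RE = re.compile(r'^(?:PROXY|HTTPS?|SOCKS[45]?)\s+(\S+)$', re.I)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit_pac(pac_text):
    """Assumed approximation of the agent's PAC scan, for review purposes only."""
    text = re.sub(r'(?m)^\s*//.*$', '', pac_text)  # drop whole-line comments
    report = {"bypass_hosts": [], "bypass_ips": [], "direct_rules": []}
    # Proxy statements: these targets end up on the agent's bypass list.
    for value in RETURN_RE.findall(text):
        for token in (t.strip() for t in value.split(";")):
            match = PROXY_RE.match(token)
            if match:
                target = match.group(1).rsplit(":", 1)[0]  # strip the port
                key = "bypass_ips" if is_ip(target) else "bypass_hosts"
                if target not in report[key]:
                    report[key].append(target)
    # DIRECT rules: not honored by the agent; move them to Bypassed sites.
    for condition, value in IF_RETURN_RE.findall(text):
        if value.strip().upper() == "DIRECT":
            report["direct_rules"] += HOST_ARG_RE.findall(condition)
    return report

if __name__ == "__main__":
    for name, values in audit_pac(SAMPLE_PAC).items():
        print(f"{name}: {', '.join(values) or '-'}")
```

Any entry reported under `bypass_hosts` or `bypass_ips` for a roaming PAC file is a candidate for the direct-to-data-pod path that produces the RCP login page.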