Cannot access internet via WSS using SEP Web Traffic Redirection
search cancel

Cannot access internet via WSS using SEP Web Traffic Redirection


Article ID: 203959


Updated On:


Cloud Secure Web Gateway - Cloud SWG


All Windows workstations using SEP WTR to access internet via WSS

A handful of workstations claim that they cannot access anything when SEP WTR is enabled  

Users on these machines report "502 Bad Gateway" when attempting to access websites

http://localhost:2968/resolver.pac is showing empty for download, indicating no PAC file pointing to WSS can be downloaded

Manually going to the via browser reports an issuer certificate warning



SEP WSS agent with Web Traffic Redirection

PFMS server configured with PAC files to download


Digicert trusted root certificate missing from the browser trusted root store

The SEP agent would try and download the PAC file from PFMS server but fail. When this happens, there's no information on how to get to WSS.

PCAP from workstation when SEP WTR initialised shows that we connect to PFMS, negotiate a shared secret via SSL handshake but never send any GET request for the PAC file.


Manually copy the following certificate to the Trusted Root Certification Authorities store on the Windows host. This can be done by

- going to from a browser 

- exporting the trusted root certificate to file (CN = DigiCert Global Root G2, OU =, O = DigiCert Inc, C = US)

- importing the certificate into the Trusted Root Certification Authorities of the Windows host

   - Use Internet Explorer -> Internet Options -> COntent -> Certificates -> Trusted Root Certification Authorities

   - Select import and import the certificate exported above