You have whitelisted the URL sp.cwfservice.net as per our Guidance on External URLs required for Endpoint Protection (SEP) and Endpoint Protection (SES).
The client uses a direct connection to an IP address, for example:
168.149.132.80, Port 443
168.149.132.96, Port 443
168.149.132.144, Port 443
Proxy logs show:
2021-06-24 05:53:51 14 10.xxx.xxx.xxx - - - - "None" - authentication_failed DENIED "Web Infrastructure" - 407 TCP_DENIED CONNECT -tcp 168.149.132.96 443 / - - - 10.xxx.xx.xxx xx 95 - "none" "none" "none" unavailable xxxxxxxxxxxxxxxxxxxxxxxx - -
2021-06-24 05:53:51 14 10.xxx.xxx.xxx - - - - "None" - authentication_failed DENIED "Web Infrastructure" - 407 TCP_DENIED CONNECT -tcp 168.149.132.144 443 / - - - 10.xxx.xx.xx 294 97 - "none" "none" "none" unavailable xxxxxxxxxxxxxxxxxxxxxxxxxx
SEP 14.3 RU1 and later
Proxy server
The WebPulse SEP engine performs a DNS query for sp.cwfservice.net and expects the resolution to return multiple IP addresses. WebPulse has many servers worldwide, so DNS is expected to return the few that are geographically nearest to the client.
The engine then uses internal logic to pick whichever of those geo-located IPs provides the best response time, and it can fall back to the others if one goes down.
This is by design and this is how it's intended to work.
The IPs to whitelist can be found here: Updates to Critical WebPulse Service Endpoint, under "Various" and "WebPulse Service".
You can also whitelist the following IP range in addition to the domain name: 168.149.132.0/24
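
To confirm from the proxy side that the denials come from these direct-IP connections, the sketch below counts denied CONNECT requests whose destination falls inside 168.149.132.0/24. It is an added example, not Broadcom code; the field layout is assumed from the log excerpt above, and the sample lines (including the TCP_TUNNELED and 192.0.2.10 entries) are constructed.

```python
import ipaddress
import re
from collections import Counter

# Range given in the article; destinations outside it are ignored.
WEBPULSE_NET = ipaddress.ip_network("168.149.132.0/24")

# Assumed layout, taken from the excerpt above:
# "<status> <action> CONNECT <scheme> <dest-ip> <port>"
CONNECT_RE = re.compile(
    r"(?P<status>\d{3}) (?P<action>TCP_\w+) CONNECT \S+ "
    r"(?P<dest>\d{1,3}(?:\.\d{1,3}){3}) (?P<port>\d+)"
)

def denied_webpulse_connects(lines):
    """Count denied CONNECTs to the WebPulse range by (dest, port, status)."""
    hits = Counter()
    for line in lines:
        m = CONNECT_RE.search(line)
        if not m or m["action"] != "TCP_DENIED":
            continue
        try:
            dest = ipaddress.ip_address(m["dest"])
        except ValueError:
            continue  # digits that are not a valid IPv4 address
        if dest in WEBPULSE_NET:
            hits[(str(dest), int(m["port"]), int(m["status"]))] += 1
    return hits

# Constructed sample lines, shortened from the format shown above.
SAMPLE = [
    '2021-06-24 05:53:51 14 10.xxx.xxx.xxx - authentication_failed DENIED '
    '- 407 TCP_DENIED CONNECT -tcp 168.149.132.96 443 / -',
    '2021-06-24 05:53:51 14 10.xxx.xxx.xxx - authentication_failed DENIED '
    '- 407 TCP_DENIED CONNECT -tcp 168.149.132.144 443 / -',
    '2021-06-24 05:54:02 11 10.xxx.xxx.xxx - authentication_failed DENIED '
    '- 407 TCP_DENIED CONNECT -tcp 168.149.132.96 443 / -',
    # Allowed tunnel to the range: not a denial, so not counted.
    '2021-06-24 05:54:10 20 10.xxx.xxx.xxx - - OBSERVED '
    '- 200 TCP_TUNNELED CONNECT -tcp 168.149.132.80 443 / -',
    # Denied, but outside the WebPulse range: not counted.
    '2021-06-24 05:54:15 9 10.xxx.xxx.xxx - authentication_failed DENIED '
    '- 407 TCP_DENIED CONNECT -tcp 192.0.2.10 443 / -',
]

if __name__ == "__main__":
    hits = denied_webpulse_connects(SAMPLE)
    for (dest, port, status), n in sorted(hits.items()):
        print(f"{dest}:{port} status={status} denied={n}")
```

Run against the real access log before and after adding the IP range rule; the counts should drop to zero once the range is whitelisted.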