WSS agent bypassing domains that should not be bypassed and causing users to fail to access sites from browser

Article ID: 224681

Products

Web Security Service - WSS

Issue/Introduction

Users access WSS through the WSS agent.

The WSS bypass list includes certain corporate domains (e.g. innerweb.corp.net), but most corporate domains (e.g. *.corp.com) are not bypassed.

Azure Front Door hosts many of the organisation's external-facing corporate domains.

Some users accessing web servers in the www.corp.com domain get communication errors such as 'site cannot be reached'.

No traffic from these users is visible in WSS, and a PCAP confirms that their traffic is going direct rather than through WSS.

IP ACLs on the back-end web servers only allow access from certain egress IP addresses. Because the failing users' traffic was going direct, it arrived from their own public IP addresses, which were not on the allow list.

Cause

Certain bypassed domains resolve to the same IP address as non-bypassed domains.

The WSS agent makes its bypass decision at the network level, on destination IP addresses; it has no concept of application-level traffic such as the DNS name the user actually requested. Once a bypassed domain has been resolved to an address that it shares with other sites (here an Azure Front Door address), all traffic to that address goes direct, including traffic for non-bypassed domains hosted behind the same address.

Environment

WSS agent

Users accessing bypassed and non-bypassed domains that resolve to the same IP address

Resolution

A few options exist to address the issue:

1. Make sure that none of the bypassed DNS names resolves to the IP address of a non-bypassed domain. In this case the corp.net domain could have been removed from the bypass list, because most of its IP addresses were RFC 1918 addresses, which the WSS agent bypasses by default anyway. If there is any doubt whether non-RFC 1918 IP addresses are assigned to these resources, the risk of the change is higher and more time may be needed to validate it.

2. Use a PAC file on the WSS agent host to either

   - send all traffic for the corp.net domain to an internal proxy (if one is available, as it was in this case), or

   - send all traffic for the corp.com domains the users are having trouble with to 199.19.250.205:80. This IP address is always sent into WSS by the agent and is never bypassed.
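A PAC file implementing both halves of option 2, as an added example that is not from the Broadcom article. The internal proxy address (proxy.corp.net:8080) is an assumption; 199.19.250.205:80 is the WSS address named above. It uses its own suffix check rather than the PAC built-in dnsDomainIs so that it also runs under Node for testing, and so that a hostname such as notcorp.com is not treated as part of corp.com.

```javascript
// Added example PAC file, not from the Broadcom article.
// Assumptions: proxy.corp.net:8080 is the internal proxy for corp.net;
// corp.com is the set of Front Door-hosted sites that were failing.
// 199.19.250.205:80 is the WSS address the agent always intercepts.

// True if host equals domain or is a subdomain of it (case-insensitive).
// Deliberately a suffix match on ".domain" so that notcorp.com does not
// match corp.com. Written without String.prototype.endsWith because some
// PAC engines predate it.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length && host.slice(-suffix.length) === suffix;
}

function FindProxyForURL(url, host) {
  // Option 2a: keep corp.net on the internal proxy, so the client never
  // needs a direct (bypassed) path to corp.net's public addresses.
  if (hostInDomain(host, "corp.net")) {
    return "PROXY proxy.corp.net:8080";
  }
  // Option 2b: force the affected corp.com sites to the WSS address, which
  // the agent sends into WSS regardless of what the bypass list says.
  if (hostInDomain(host, "corp.com")) {
    return "PROXY 199.19.250.205:80";
  }
  // Everything else: hand the connection to the WSS agent's normal
  // network-level handling.
  return "DIRECT";
}
```

Note that a PAC file only steers applications that honour the system proxy settings (browsers, most HTTP client libraries); a proxy-unaware application on the same host still goes through the agent's IP-based decision and will continue to go direct for the shared address, so option 1 remains the complete fix.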

Additional Information

https://knowledge.broadcom.com/external/article?legacyId=tech256422 describes the WSS agent's DNS caching behaviour, which determines how bypass-list names are turned into the IP addresses the agent bypasses.