
WSS agent bypassing domains that should not be bypassed and causing users to fail to access sites from browser


Article ID: 224681


Updated On:


Web Security Service - WSS


Users accessing WSS using WSS agent

The WSS bypass list includes certain corporate domains, e.g. , but most domains are not bypassed, e.g. *

Azure Front Door hosts many of the external-facing corporate domains

Some users accessing the domain's web servers get communication errors such as 'site cannot be reached'

No traffic is visible in WSS for these users, and a PCAP confirms that the traffic is going direct rather than through the agent

IP ACLs on the back-end web servers only allow access from specific egress IP addresses (the WSS egress addresses), and the failing users were arriving from IP addresses that were not allowed, because their traffic had gone direct instead of through WSS.




Certain bypassed domains resolve to the same IP address as non-bypassed domains (a shared front end such as Azure Front Door makes this common).

The WSS agent works at the network level (IP addresses) and has no concept of application-level names (DNS). Once a bypassed host name has resolved to an IP address, that IP address is sent direct, so any non-bypassed host name that resolves to the same IP address is bypassed as well, whether or not it appears on the list.


WSS agent

Users accessing bypassed and non-bypassed domains that resolve to the same IP address
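The cause above can be confirmed before touching the bypass list. The following Node.js script is an added example, not part of the Broadcom article: it takes a map of host names to resolved IPv4 addresses and reports every IP address that appears under both a bypassed and a non-bypassed name. RFC 1918 overlaps are flagged separately, since those addresses are bypassed by the agent by default and are therefore expected. All host names and addresses in the sample data are constructed; the live variant uses Node's `dns.promises.resolve4()` and should be run from the same network position as an affected user, because split-horizon DNS can answer differently inside and outside the corporate network.

```javascript
// Added example (not from the Broadcom article): find IP addresses that a
// bypassed host name shares with a non-bypassed host name. All host names and
// addresses in the sample data below are constructed for illustration.
const SAMPLE_BYPASS_LIST = ["intranet.example.com", "hr.example.com", "printers.example.com"];
const SAMPLE_RESOLUTIONS = {
  "intranet.example.com": ["10.1.2.3"],
  "hr.example.com": ["203.0.113.5"],      // bypassed, behind a shared public front end
  "portal.example.com": ["203.0.113.5"],  // not bypassed, same front end: the failure case
  "www.example.com": ["198.51.100.7"],
  "wiki.example.com": ["10.1.2.3"],
  "printers.example.com": ["10.1.2.3"],
};

// RFC 1918 ranges are bypassed by the WSS agent by default, so an overlap
// inside them is expected rather than a problem.
function isRfc1918(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p))) return false;
  const o = parts.map(Number);
  if (o.some((n) => n > 255)) return false;
  return o[0] === 10 ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168);
}

// resolutions: { host: [ipv4, ...] }; bypassList: array of bypassed host names.
// Returns one finding per IP address that appears under both a bypassed and a
// non-bypassed name. A public IP in the result is effectively bypassed for
// every name that resolves to it, which is exactly the condition in this article.
function findSharedIps(resolutions, bypassList) {
  const bypassed = new Set(bypassList.map((h) => h.toLowerCase()));
  const ipToHosts = new Map();
  for (const [host, ips] of Object.entries(resolutions)) {
    for (const ip of ips) {
      if (!ipToHosts.has(ip)) ipToHosts.set(ip, []);
      ipToHosts.get(ip).push(host.toLowerCase());
    }
  }
  const findings = [];
  for (const [ip, hosts] of ipToHosts) {
    const onList = hosts.filter((h) => bypassed.has(h));
    const offList = hosts.filter((h) => !bypassed.has(h));
    if (onList.length && offList.length) {
      findings.push({ ip, bypassed: onList, notBypassed: offList, rfc1918: isRfc1918(ip) });
    }
  }
  return findings;
}

// Live variant: resolve every host with the system resolver, then run the check.
// The dns module is loaded here, not at the top, so the pure check above also
// runs where no network is available.
async function checkLiveDns(bypassList, otherHosts) {
  const dns = require("dns").promises;
  const resolutions = {};
  for (const host of [...bypassList, ...otherHosts]) {
    try {
      resolutions[host] = await dns.resolve4(host);
    } catch (err) {
      resolutions[host] = []; // NXDOMAIN or resolver failure: nothing to compare
    }
  }
  return findSharedIps(resolutions, bypassList);
}

// Runs the check over the constructed sample; returns the findings.
function runSample() {
  return findSharedIps(SAMPLE_RESOLUTIONS, SAMPLE_BYPASS_LIST);
}
```

On the sample data the check returns two findings: the public address shared by the bypassed `hr.example.com` and the non-bypassed `portal.example.com` (the situation the article describes), and the RFC 1918 address shared by the intranet hosts, which is marked `rfc1918: true` and can be ignored. For a real list, call `checkLiveDns(bypassList, otherHosts)` with the non-bypassed names that users report as failing.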


A few options exist to address the issue:

1. Make sure that none of the bypassed DNS names resolves to the IP address of a non-bypassed domain. In this case, the domain could have been removed from the bypass list, because most of its IP addresses were RFC 1918 addresses, which the WSS agent bypasses by default. If there is any doubt whether non-RFC 1918 IP addresses are assigned to these resources, the change carries more risk and may need more time to validate.

2. Use a PAC file on the WSS agent host to either

   - send all traffic for the domain to an internal proxy (if possible; it was in this case), or

   - send all traffic for the domains the affected users need to reach to the WSS proxy IP address. This IP address is always sent into WSS by the agent and will never be bypassed.
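An added example PAC file for option 2, written for this page rather than taken from the article or from any WSS documentation. The proxy addresses are placeholders: `proxy.corp.example:8080` stands in for the internal proxy and `203.0.113.10:8080` for the WSS proxy address the article refers to, which is not reproduced here. The domain lists are constructed. The file deliberately returns no `; DIRECT` fallback for the affected domains, because going direct is exactly what fails against the back-end ACLs; everything else returns `DIRECT` so the agent applies its normal IP-level rules.

```javascript
// Added example PAC file (not from the Broadcom article). Placeholders:
// proxy.corp.example:8080 stands in for the internal proxy and
// 203.0.113.10:8080 for the WSS proxy address the article mentions.
var TO_INTERNAL_PROXY = ["app.example.com"];                // constructed
var TO_WSS = ["portal.example.com", "hr.example.com"];      // constructed
var INTERNAL_PROXY = "PROXY proxy.corp.example:8080";
var WSS_PROXY = "PROXY 203.0.113.10:8080";

// Same semantics as the PAC built-in dnsDomainIs(), written out so the file
// also runs under plain Node.js: matches the domain itself and its subdomains,
// but not unrelated names that merely end with the same letters.
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.substr(host.length - suffix.length) === suffix;
}

function anyDomainMatches(host, domains) {
  for (var i = 0; i < domains.length; i++) {
    if (hostInDomain(host, domains[i])) return true;
  }
  return false;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // No "; DIRECT" fallback on purpose: direct traffic is what the back-end
  // ACLs reject, so if the proxy is unreachable the request fails closed.
  if (anyDomainMatches(host, TO_INTERNAL_PROXY)) return INTERNAL_PROXY;
  if (anyDomainMatches(host, TO_WSS)) return WSS_PROXY;
  // Everything else: let the WSS agent apply its normal IP-level bypass rules.
  return "DIRECT";
}
```

Two caveats when deploying this. First, a PAC only affects browsers and applications that honour the system proxy settings; the agent's IP-level decision still applies to everything else, which is why the WSS proxy address is the safe target (the agent always sends it into WSS). Second, an internal proxy entry is only useful where that proxy is reachable from the user's location; a remote user without VPN would fail closed for those domains, so put such names on the WSS route instead.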

The Additional Information section covers DNS caching.