Windows 10 machine running WSS agent to access web traffic via WSS

Users reporting 'Limited internet connectivity' warning message on network status icon when running WSS agent (bottom right notification bar)

www.msftconnecttest.com seems to trigger the warning message but cannot see this traffic in WSS logs and user cannot access www.msftconnecttest.com/connecttest.txt from browser.

WSS Agent appears to be bypassing the traffic for www.msftconnecttest.com  

WSS agent

Windows and MacOS bypasses certain sites for network checks

www.msftconnecttest.com is always bypassed from WSS, along with certain other domains, and routing/firewall rules must allow this traffic out

Allow traffic destined for www.msftconnecttest.com to go out directly without being blocked. In the above case, the requests were getting blocked at the edge firewall and triggering the error.

If the WSS agent users are never going to be going through a Captive Portal, one additional option would be to leverage PAC files on the host to send traffic to the ep.threatpulse.net:80 endpoint using the following logic

if (shExpMatch(host, "www.msftconnecttest.com"))
    return "PROXY ep.threatpulse.net:80"

Applying this change will trigger an explicit request from the browser to WSS, and the agent always forwards any requests destined for this ep.threatpulse.net endpoint into WSS even if that host is bypassed.

The following sites are always bypassed from WSS when using the WSS agent, and any bypass or firewall rules should handle all these domains:

• Windows:
  • "dns.msftncsi.com"
  • "www.msftconnecttest.com"
  • "ipv6.msftconnecttest.com"
• MacOS: "captive.apple.com"

The bypassed sites are used for captive portal detection e.g. we try and detect whether we need to login to a portal (hotel wifi) before establishing WSS agent connection, and these sites are needed as part of this process.