WSS Agent remains ACTIVE when connected from a known network location



Article ID: 227767


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The Cloud Traffic Controller (CTC) signals the WSS Agent (WSSA) to remain in ACTIVE mode even though the agent is connecting from a known network location registered in the Cloud SWG portal.

Environment

  • Cloud SWG (Cloud Secure Web Gateway)
  • WSS Agent
  • Third-party VPN provider

Cause

WSS Agent attempts to establish a connection to the Cloud Traffic Controller (CTC) at ctc.threatpulse.com, which it must do to determine whether it is on a protected network. When WSS Agent detects that it is on a protected network, it automatically switches to PASSIVE mode.

If the WSS Agent remains ACTIVE, there could be multiple reasons for this behavior:

  1. The CTC request is routed via an IP address that is not registered in the Cloud SWG portal as a known location.
  2. CTC is responding incorrectly with ACTIVE, even though the request is coming from a network location registered as known in Cloud SWG.

Resolution

IMPORTANT: Please make sure that you are running the most current version of the WSSA client (version 8.1.1 or later) because older versions of the WSSA client (versions 6.x and 7.x) had bugs related to this issue.

=====
WSS Agent 7.5.1
Resolved an issue where network change events caused the passive or active status to not be correct.

=====
WSS Agent 7.4.2
Resolved an issue where WSS Agent would not remain in passive mode on known locations if network change events occurred.

README: WSS Agent Release Notes
=====


To resolve issue #1 (the CTC request is routed via an IP address that is not registered in the Cloud SWG portal as a known location):

Recommended configuration: WSS Agent enters into Passive Mode

  1. Full-Tunnel: Add the VPN server egress IP address.
  2. Split-Tunnel: Add the VPN server egress IP address and make sure that CTC traffic is routed through the VPN tunnel.

Recommended Configuration with PAC file: WSS Agent Enters into Passive Mode

If you must use a PAC file to force WSS Agent into Passive mode and are sending CTC requests through a proxy/PAC file, in either full-tunnel or split-tunnel mode:

  1. Add the egress IP address of your proxy server instead of the address of your VPN server.
  2. Make sure that CTC requests are exempted from SSL interception and authentication in your proxy configuration.

    Note: Even when using a PAC file on a split tunnel, the network routing for CTC MUST go through the tunnel, even if the proxy or PAC file is unavailable. This allows the WSS Agent to detect network changes using operating system APIs.

    Note: Split-tunnel in REVERSE mode, where traffic for intranet applications bypasses the VPN tunnel while all other traffic goes through it, is not a supported deployment type, because it is not a use case that Broadcom has tested, validated, or qualified the WSS Agent against. While it could work, Broadcom does not recommend implementing this type of VPN mode.
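As an added example (not part of the article), the following PAC fragment shows the routing decision the PAC-file configuration above relies on: CTC requests are sent to the proxy, so CTC sees the proxy's egress IP (the address registered as the known location), while intranet hosts go direct. The proxy name proxy.corp.example:8080 and the intranet domain corp.example are assumptions.

```javascript
// Added example, not from the article or from Broadcom.
// Assumed names: proxy.corp.example:8080 (corporate proxy) and .corp.example (intranet).
const CTC_HOST = "ctc.threatpulse.com";
const PROXY = "PROXY proxy.corp.example:8080";
const INTRANET_SUFFIX = ".corp.example";

// Minimal stand-in for the PAC helper dnsDomainIs(), so this file also
// evaluates outside a PAC engine (for example under node when testing).
function hostMatches(host, domain) {
  const h = String(host).toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

function FindProxyForURL(url, host) {
  // CTC must always be reached through the proxy, never DIRECT. If the
  // request left via the client's current egress (e.g. a home ISP address),
  // CTC would not recognise a known location and would answer ACTIVE.
  // The proxy itself must exempt this host from SSL interception and
  // authentication, as the article notes; a PAC file cannot do that.
  if (hostMatches(host, CTC_HOST)) {
    return PROXY;
  }
  // Intranet applications bypass the proxy.
  if (String(host).toLowerCase().endsWith(INTRANET_SUFFIX)) {
    return "DIRECT";
  }
  // Everything else goes to the proxy as well (assumption for this example).
  return PROXY;
}
```

The PAC file only decides the proxy; the operating-system route for ctc.threatpulse.com must still go through the VPN tunnel, as the note above requires.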

Add A Network Location

  1. In the Cloud SWG Portal, navigate to Connectivity > Locations.
  2. Click Add Location and follow the wizard.
    • For Full/Split-tunnel: Add the location as an IPSec Location with a dummy pre-shared key.
    • For Full/Split-tunnel: Add the location as an Explicit location.


To resolve issue #2 (CTC is responding incorrectly with ACTIVE, even though the request is coming from a network location registered as known in Cloud SWG), a Cloud SWG administrator can log in to the Cloud management portal and take the following steps:

  1. Navigate to Connectivity > Locations.
  2. Locate the location using the Search option.
  3. Select the location.
  4. Click on Edit.
  5. Click on Save.
  6. Open the WSS Agent UI and press Reconnect.

Note: These steps force a Cloud SWG portal configuration update to the Cloud SWG Cloud Traffic Controller (CTC).

If the issue still persists, gather WSS Agent diagnostics using SymDiag for the respective operating system while reproducing the issue.

If you have a current Support Case for this issue, attach the .sdbz file to the support case using Symdiag or save the .sdbz file locally. Exit SymDiag and send the file to your Support Contact.