Users accessing WSS via the IPsec access method
WSS configured using Management Center/UPE
Isolation enabled for suspicious sites
Users accessing these suspicious sites get access denied messages rather than Web site content
HAR file showing a lot of 403 responses that trigger the access denied message
UPE used to configure WSS
Web Isolation enabled
Requests to isolation endpoints blocked by WSS policies
Manually added ALLOW requests for all users to fire.glass, shared.fireglass and wss.prod.fire.glass domains
The WSS Isolation UPE documentation includes sample CPL code for isolation policies, but does not specify which domains must be explicitly allowed. Customers using the Portal have these enabled by default, but UPE-enabled customers must add the exemptions manually.
If users still report issues after the policy has been pushed out, grab a HAR file from the user's host and confirm where the 403s are coming back from; it may be that the isolation endpoints are allowed through, but the back-end site being isolated is blocked.