users accessing WSS via IPSEC access method

WSS configured using Management Center/UPE

Isolation enabled for suspicious sites

Users accessing these suspicious sites get access denied messages rather than Web site content

HAR file showing a lot of 403 responses that trigger the access denied message

UPE used to configure WSS

Web Isolation enabled

Requests to isolation endpoints blocked by WSS policies

Manually added ALLOW requests for all users to fire.glass, shared.fireglass and wss.prod.fire.glass domains

The WSS Isolation UPE documentation includes sample CPL code for isolation policies , but does not indicate that specify which domains to be explicitly allowed. Customers using the Portal have these enabled by default, but UPE enabled customers must add the exemptions manually.

If users still report issues after the policy has been pushed out, grab a HAR file from user host and confirm where the 403s are coming back from; it may be that the isolation endpoints are allowed through, but the back end site being isolated is blocked.