
Access denied message browsing to isolated sites configured through UPE


Article ID: 228527


Products

Web Security Service - WSS

Issue/Introduction

Users accessing WSS via the IPsec access method

WSS configured using Management Center/UPE

Isolation enabled for suspicious sites

Users accessing these suspicious sites get access denied messages rather than Web site content

HAR file showing a lot of 403 responses that trigger the access denied message

Cause

Requests to isolation endpoints blocked by WSS policies

Environment

UPE used to configure WSS

Web Isolation enabled

Resolution

Manually add rules that ALLOW requests from all users to the fire.glass, shared.fireglass and wss.prod.fire.glass domains

Additional Information

The WSS Isolation UPE documentation includes sample CPL code for isolation policies, but does not specify which domains must be explicitly allowed. Customers using the Portal have these enabled by default, but UPE-enabled customers must add the exemptions manually.

If users still report issues after the policy has been pushed out, grab a HAR file from the user's host and confirm where the 403s are coming back from; it may be that the isolation endpoints are allowed through, but the back-end site being isolated is blocked.
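
One way to do that check is to group the 403 responses in the HAR by host and separate the isolation domains listed under Resolution from everything else. This is an added example, not Broadcom code; the function names and the sample HAR entries (hosts and paths) are constructed for illustration.

```python
import json
import sys
from collections import Counter
from urllib.parse import urlsplit

# Isolation domains exactly as listed in the Resolution section of this article.
ISOLATION_DOMAINS = ("fire.glass", "shared.fireglass", "wss.prod.fire.glass")


def is_isolation_host(host):
    """True if host is one of the isolation domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ISOLATION_DOMAINS)


def summarize_403s(har):
    """Count 403 responses per host, split into isolation endpoints and other hosts."""
    result = {"isolation": Counter(), "other": Counter()}
    for entry in har.get("log", {}).get("entries", []):
        if entry.get("response", {}).get("status") != 403:
            continue
        url = entry.get("request", {}).get("url", "")
        host = urlsplit(url).hostname or "(no host)"
        bucket = "isolation" if is_isolation_host(host) else "other"
        result[bucket][host] += 1
    return result


# Constructed sample HAR (hypothetical hosts and paths, not captured traffic).
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://suspicious.example/"}, "response": {"status": 200}},
    {"request": {"url": "https://wss.prod.fire.glass/a"}, "response": {"status": 403}},
    {"request": {"url": "https://wss.prod.fire.glass/b"}, "response": {"status": 403}},
    {"request": {"url": "https://static.fire.glass/c.js"}, "response": {"status": 403}},
    {"request": {"url": "https://backend.example/img.png"}, "response": {"status": 403}},
]}}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # utf-8-sig tolerates the byte-order mark some browsers write into HAR exports.
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            har = json.load(fh)
    else:
        har = SAMPLE_HAR
    for bucket, hosts in summarize_403s(har).items():
        for host, count in hosts.most_common():
            print(f"{bucket:9} {count:4} {host}")
```

403s in the `isolation` bucket mean requests to the isolation endpoints are still being denied, so the ALLOW rules are missing or not yet in effect; 403s only in the `other` bucket point at the site being isolated.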