
Access denied message browsing to isolated sites configured through UPE


Article ID: 228527


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Users accessing WSS via the IPsec access method

WSS configured using Management Center/UPE

Isolation enabled for suspicious sites

Users accessing these suspicious sites get access denied messages rather than Web site content

HAR file showing a lot of 403 responses that trigger the access denied message


UPE used to configure WSS

Web Isolation enabled


Requests to isolation endpoints blocked by WSS policies


Manually added ALLOW requests for all users to, shared.fireglass and domains

Additional Information

The WSS Isolation UPE documentation includes sample CPL code for isolation policies, but does not specify which domains must be explicitly allowed. Customers using the Portal have these enabled by default, but UPE-enabled customers must add the exemptions manually.


If users still report issues after the policy has been pushed out, grab a HAR file from the user's host and confirm where the 403s are coming back from; it may be that the isolation endpoints are allowed through, but the back-end site being isolated is blocked.
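
One way to do the HAR check described above is to group the 403 responses by hostname and separate the isolation endpoints from everything else. This is an added example, not Broadcom's tooling; the hostnames in the sample and the suffix list passed to `split_by_role` are constructed placeholders that you would replace with the isolation domains from your own policy.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample HAR; hostnames are placeholders, not real isolation endpoints.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://suspicious-site.example/"},
     "response": {"status": 200}},
    {"request": {"url": "https://cdn.isolation-endpoint.example/app.js"},
     "response": {"status": 403}, "serverIPAddress": "192.0.2.10"},
    {"request": {"url": "https://cdn.isolation-endpoint.example/app.css"},
     "response": {"status": 403}, "serverIPAddress": "192.0.2.10"},
    {"request": {"url": "https://api.isolation-endpoint.example/session"},
     "response": {"status": 403}},
    {"request": {"url": "https://backend-site.example/img.png"},
     "response": {"status": 403}},
]}})


def summarize_403s(har_text):
    """Map each hostname to its 403 count and the server IPs that answered."""
    summary = {}
    for entry in json.loads(har_text).get("log", {}).get("entries", []):
        if entry.get("response", {}).get("status") != 403:
            continue
        url = entry.get("request", {}).get("url", "")
        host = (urlsplit(url).hostname or "<unknown>").lower()
        rec = summary.setdefault(host, {"count": 0, "server_ips": set()})
        rec["count"] += 1
        if entry.get("serverIPAddress"):  # optional field in HAR 1.2
            rec["server_ips"].add(entry["serverIPAddress"])
    return summary


def split_by_role(summary, isolation_suffixes):
    """Separate denied hosts into isolation endpoints and everything else."""
    def is_isolation(host):
        # Match on a label boundary so "xfoo.example" does not match "foo.example".
        return any(host == s or host.endswith("." + s) for s in isolation_suffixes)
    ranked = sorted(summary, key=lambda h: (-summary[h]["count"], h))
    return ([h for h in ranked if is_isolation(h)],
            [h for h in ranked if not is_isolation(h)])


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_HAR
    summary = summarize_403s(text)
    iso, other = split_by_role(summary, ["isolation-endpoint.example"])
    for label, hosts in (("isolation endpoints", iso), ("other hosts", other)):
        for h in hosts:
            print(f"{label}: {h} 403s={summary[h]['count']} ips={sorted(summary[h]['server_ips'])}")
```

If the 403s cluster under the isolation endpoints, the ALLOW exemptions are missing or not yet applied; if they appear only under other hosts, the policy is blocking the back-end site itself.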