Some users in remote locations are having issues accessing certain YouTube videos. This is not happening for all YouTube videos.

A HAR file shows HTTP 403 responses coming from googlevideo.com.

There are 2 URLs in play while watching Youtube videos, youtube.com and googlevideo.com. First connection is made on "youtube.com" and then redirection happens to "googlevideo.com" which is responsible for loading the videos.

Youtube.com traffic is not bypassed (by default), making it go through WSS. However, googlevideo.com is bypassed from WSS by default, therefore, all traffic to this domain goes DIRECT for access methods such as WSS Agent and Explicit proxy.

Therefore, the traffic is being split and YouTube is issuing HTTP 403 - Forbidden error, for the googlevideo.com requests.

In the case of YouTube web app all links / requests are loaded from the base.js file. It is most likely that YouTube is requiring the base.js file to be loaded from the same location (or at least country) that makes the requests for googlevideo.com.

We need to make egress location/IP the same for both youtube.com and googlevideo.com in order to resolve this. There are basically two ways to accomplish this. You can follow step# 2 if step# 1 does not work for any reason.

1. Make explicit proxy configuration to same geo-located WSS Datapod as your egress IP. You can refer to the below document to configure it,
   
   •  Web Security Service (WSS) hostnames for explicit and proxy forwarding (broadcom.com)
2. Remove bypass for "googlevideo.com" as below,
   
   • Remove googlevideo.com from the WSS bypasses in the WSS portal > Connectivity > Bypassed Traffic > Domains.
   • Add googlevideo.com to the TLS/SSL exemptions list - Set to Do Not Intercept.