WSS Agent (WSSA) client is on-premise and should connect to the Cloud SWG service through an on-prem proxy.
All the hosts running the WSS Agent are configured with an explicit proxy configuration:
Make sure that all WSS Agent clients can reach the CTC service at: ctc.threatpulse.com
NOTE: It is recommended that ctc.threatpulse.com go out to the Internet directly (and NOT be sent through any proxy).
If CTC requests are sent through an on-prem proxy (NOT recommended), then ctc.threatpulse.com must be resolvable locally and there must be a route to it.
Internal DNS servers can be configured to resolve the domain to an internal IP address (and the address does not need to be reachable).
If using this configuration, you may have to do a "programmatic reconnect" in your VPN client. A forced reconnect will use the proxy server, even without recognizing the network change.