WSS Agent is unable to connect to the service from behind an on-premise proxy.

Article ID: 242606

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The WSS Agent (WSSA) client is on-premise and should connect to the Cloud SWG service through an on-prem proxy.

All the hosts running the WSS Agent are configured with an explicit proxy configuration: 

  • The WSS Agent clients are not allowed to resolve external hostnames using the DHCP-configured DNS server.
  • The WSS Agent is failing to connect to the service and the "No Route to CTC" error message is displayed in the agent status log.

Resolution

Make sure that all WSS Agent clients can reach the CTC service at: ctc.threatpulse.com

NOTE: It is recommended that ctc.threatpulse.com go out to the Internet directly (and NOT be sent through any proxy).

If CTC requests are sent through an on-prem proxy (NOT recommended), then ctc.threatpulse.com must be resolvable locally and there must be a route to it.

Internal DNS servers can be configured to resolve the domain to an internal IP address (and the address does not need to be reachable).

If you use this configuration, you may have to do a "programmatic reconnect" in your VPN client. A forced reconnect will use the proxy server, even without recognizing the network change.
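A local check of the two conditions in the Resolution (ctc.threatpulse.com resolves through the host's configured DNS, and the host has a route to the resolved address), written as an added example and not vendor tooling. The function names, status strings and the port number are assumptions made for illustration; the route test uses a UDP `connect()`, which sends no packet, so it matches the note that the internal address does not need to be reachable.

```python
import socket

CTC_HOST = "ctc.threatpulse.com"  # hostname taken from the article


def resolve_locally(host, resolver=socket.getaddrinfo):
    """Addresses the host's configured DNS returns for `host`; [] if it cannot resolve."""
    try:
        infos = resolver(host, None, type=socket.SOCK_DGRAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def has_route(addr, port=9):
    """True if the OS routing table has an entry covering `addr`.

    connect() on a UDP socket only performs the route lookup and sends nothing,
    so this succeeds for an unreachable internal address as long as a route
    (including a default route) exists. The port value is arbitrary.
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((addr, port))
        return True
    except OSError:  # e.g. network unreachable, or address family unsupported
        return False


def diagnose(host=CTC_HOST, resolver=socket.getaddrinfo, route_check=has_route):
    """Return (status, routed_addresses); status is 'dns-fail', 'no-route' or 'ok'."""
    addrs = resolve_locally(host, resolver)
    if not addrs:
        return "dns-fail", []
    routed = [a for a in addrs if route_check(a)]
    return ("ok" if routed else "no-route"), routed


if __name__ == "__main__":
    status, routed = diagnose()
    hints = {
        "dns-fail": "local DNS does not resolve the name; add an internal record",
        "no-route": "name resolves, but there is no route to any returned address",
        "ok": "name resolves and a route exists: " + ", ".join(routed),
    }
    print(f"{CTC_HOST}: {status} ({hints[status]})")
```

Run it on an affected client with the same network settings the agent uses; a `dns-fail` or `no-route` result corresponds to the two prerequisites listed in the Resolution.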