WSSA machine is on-premise and should connect to the service through an explicit proxy. All the endpoints are configured with an explicit proxy configuration.
The endpoints are not allowed to resolve external names using the DHCP configured DNS server.
The agent is failing to connect to the service and "No Route to CTC" error message is displayed on the agent status.
Although CTC requests will be sent through the proxy, in order to set up the network detection system with the operating system, ctc.threatpulse.com MUST be resolvable, and there must be a route to it.
Internal DNS servers can be configured to resolve it to an internal IP address (and the address does not need to be reachable).
A forced reconnect will use the proxy server, even without recognizing the network change. Details on how to do a programmatic reconnect can be found here