When is a DLP agent considered 'off' the corporate network.

Article ID: 242976

Products

Data Loss Prevention
Data Loss Prevention Endpoint Prevent

Issue/Introduction

As a DLP Admin I need to understand the logic by which the DLP agent automatically assigns itself the 'off the corporate network' state.

Cause

All of the ServerCommunicator.* settings referenced in this article are found in the Advanced Agent Settings.

Resolution

An agent is considered 'off' the corporate network when it cannot connect to its endpoint server. The determination is based solely on whether that connection succeeds.

An agent will attempt to connect to its designated endpoint server, as provided in the agent packaging (ENDPOINTSERVER="" in the install_agent.bat or agent.plist file), every ServerCommunicator.CONNECT_POLLING_INTERVAL_SECONDS.int seconds. It will also attempt to connect to its designated endpoint server on a network change, such as joining the VPN. If this connection fails, the agent is considered off the network until a successful connection is made. This includes the period during and after which the agent is attempting to fail over to the 2nd server included in the agent install package.

Scenario 1: Endpoint agent settings controlling the server failover procedure.
The agent is installed with the following server list:
InternalServer1:10443
InternalServer2:10443
DMZServer1:10444
DMZServer2:10444

The agent attempts to connect while the user is at home (not on the VPN), prior to connecting to the DMZ.

Step 1: The Endpoint Agent attempts to connect to InternalServer1:10443 but is not connected to the VPN, so this connection fails. The agent is off the corporate network.
Step 2: The Endpoint Agent backs off for 30 seconds based on ServerCommunicator.INITIAL_CONNECT_BACKOFF_DURATION_SECONDS.int. The agent is off the corporate network.
Step 3: The Endpoint Agent attempts to connect to InternalServer1:10443 but is not connected to the VPN, so this connection fails. The agent is off the corporate network.
Step 4: The Endpoint Agent backs off for 60 seconds, based on the previous 30 seconds and ServerCommunicator.CONNECT_BACKOFF_DURATION_MULTIPLIER.int. The agent is off the corporate network.
Step 5: The Endpoint Agent attempts to connect to InternalServer1:10443 but is not connected to the VPN, so this connection fails. The agent is off the corporate network.
Step 6: ServerCommunicator.CONNECT_BACKOFF_DURATION_MULTIPLIER.int keeps increasing the backoff between connection attempts until it reaches ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int (default 1800 seconds, i.e. 30 minutes), at which point the agent switches to InternalServer2:10443. This also fails, as it is also an internal server and the user has still not connected to the VPN. The agent is off the corporate network.
Step 7: After failing to connect to InternalServer2:10443 for 1800 seconds, the agent attempts to connect to DMZServer1. Because this server is in the DMZ, the connection succeeds. The agent transitions to being on the corporate network.


Scenario 2: Round-robin DNS is in place for the endpoint server name.
The agent is installed with the following server list:
EndpointServer:
EndpointServer resolves, in round-robin fashion, to
InternalServer1:10443
InternalServer2:10443
DMZServer1:10444
DMZServer2:10444

The agent attempts to connect while the user is at home (not on the VPN), prior to connecting to the DMZ.

Step 1: The agent attempts to connect to 'EndpointServer' as specified in its installation parameters; per round-robin DNS this resolves to InternalServer1:10443. The connection fails. The agent is off the corporate network.
Step 2: The Endpoint Agent backs off for 30 seconds based on ServerCommunicator.INITIAL_CONNECT_BACKOFF_DURATION_SECONDS.int. The agent is off the corporate network.
Step 3: The agent attempts to connect to 'EndpointServer'; this resolves to InternalServer2:10443 and the connection fails. The agent is off the corporate network.
Step 4: ServerCommunicator.CONNECT_BACKOFF_DURATION_MULTIPLIER.int keeps increasing the backoff between connection attempts until it reaches ServerCommunicator.MAX_CONNECT_BACKOFF_DURATION_SECONDS.int (default 1800 seconds, i.e. 30 minutes), at which point the agent switches to InternalServer2:10443. This also fails, as it is also an internal server and the user has still not connected to the VPN. The agent is off the corporate network.
Step 5: On the third connection attempt, DNS round robin points 'EndpointServer' to DMZServer1. Because this server is in the DMZ, the connection succeeds. The agent transitions to being on the corporate network.
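The two scenarios above describe one retry and failover procedure: repeated attempts against the current server with a growing backoff, failover to the next server once the backoff reaches its maximum, and the 'off the corporate network' state persisting until one attempt succeeds. The simulation below is an added example, not Symantec/Broadcom DLP agent code, that walks that procedure for both scenarios so an administrator can see the resulting timeline. It assumes a multiplier of 2 (inferred from the article's 30 s to 60 s progression), that the backoff restarts at the initial value after a failover, and that a network change is not modelled; the reachability and DNS models are constructed for illustration.

```python
"""Simulation of the endpoint-server backoff and failover behaviour this
article describes. Added example, not Symantec/Broadcom DLP agent code; the
multiplier value, the backoff reset on failover and the network/DNS models
are assumptions noted in the comments."""
from dataclasses import dataclass
from itertools import cycle
from typing import Callable, Dict, List, Optional

# Advanced Agent Settings named in the article, with the defaults it gives.
INITIAL_CONNECT_BACKOFF_DURATION_SECONDS = 30
MAX_CONNECT_BACKOFF_DURATION_SECONDS = 1800
# Assumption: the article's 30 s -> 60 s progression implies a multiplier of 2.
CONNECT_BACKOFF_DURATION_MULTIPLIER = 2


@dataclass
class Attempt:
    elapsed: int        # seconds since the first attempt
    target: str         # host:port actually tried after name resolution
    success: bool
    on_network: bool    # agent state after this attempt


def simulate(server_list: List[str],
             reachable: Callable[[str], bool],
             resolve: Optional[Callable[[str], str]] = None,
             max_attempts: int = 100) -> List[Attempt]:
    """Retry the current server with growing backoff; once the backoff has
    reached MAX_CONNECT_BACKOFF_DURATION_SECONDS, fail over to the next
    server in the list (assumption: backoff restarts at the initial value).
    `reachable` models the network (VPN up or not); `resolve` models DNS."""
    resolve = resolve or (lambda name: name)
    events: List[Attempt] = []
    elapsed = 0
    backoff = INITIAL_CONNECT_BACKOFF_DURATION_SECONDS
    idx = 0
    while idx < len(server_list) and len(events) < max_attempts:
        target = resolve(server_list[idx])
        ok = reachable(target)
        # The agent is 'on' the corporate network only once a connection succeeds.
        events.append(Attempt(elapsed, target, ok, on_network=ok))
        if ok:
            break
        elapsed += backoff
        if backoff >= MAX_CONNECT_BACKOFF_DURATION_SECONDS:
            idx += 1                                   # fail over to the next server
            backoff = INITIAL_CONNECT_BACKOFF_DURATION_SECONDS
        else:
            backoff = min(backoff * CONNECT_BACKOFF_DURATION_MULTIPLIER,
                          MAX_CONNECT_BACKOFF_DURATION_SECONDS)
    return events


def dmz_only_reachable(target: str) -> bool:
    """Constructed network model: the user is at home without VPN, so only
    the DMZ servers answer."""
    return target.startswith("DMZServer")


def round_robin_resolver(name: str, addresses: List[str]) -> Callable[[str], str]:
    """Constructed DNS model for scenario 2: each lookup of `name` returns the
    next address in rotation; any other name resolves to itself."""
    rotation = cycle(addresses)
    return lambda n: next(rotation) if n == name else n


SERVERS = ["InternalServer1:10443", "InternalServer2:10443",
           "DMZServer1:10444", "DMZServer2:10444"]


def scenario1() -> List[Attempt]:
    """Scenario 1: explicit server list, no DNS rotation."""
    return simulate(SERVERS, dmz_only_reachable)


def scenario2() -> List[Attempt]:
    """Scenario 2: one configured name that round-robins across the servers."""
    resolver = round_robin_resolver("EndpointServer", SERVERS)
    return simulate(["EndpointServer"], dmz_only_reachable, resolve=resolver)


def attempts_per_target(events: List[Attempt]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.target] = counts.get(e.target, 0) + 1
    return counts


if __name__ == "__main__":
    for label, events in (("Scenario 1", scenario1()), ("Scenario 2", scenario2())):
        print(label)
        for e in events:
            state = "on" if e.on_network else "off"
            result = "connected" if e.success else "failed"
            print(f"  t={e.elapsed:5d}s  {e.target:<22} {result:<9} -> {state} the corporate network")
```

Run as a script, scenario 1 shows the agent staying off the network for about two hours (seven attempts against each internal server, the last backoff at the 1800 second ceiling) before DMZServer1 answers, while scenario 2 reaches DMZServer1 on the third attempt, 90 seconds in. Comparing the two timelines is a useful way to reason about how long roaming users will sit in the off-network policy group under each server-list layout.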

Additional Information

While it is failing to resolve internal servers while off the VPN, an agent will log:
Libcurl Error: '6'. Error Message: Couldn't resolve host name.