
WSS Agent users accessing domains via WSS despite domains being included in WSS Bypass list


Article ID: 243069


Products

Web Security Service - WSS

Issue/Introduction

- WSS Agent is sending internet traffic via the WSS Agent tunnel.
- WSS Bypass lists are defined so that traffic for certain domains/IP addresses from WSS Agents goes direct and not via WSS:
   - Traffic to the reasy.obbltd.com, preasy.obbltd.com and measy.obbltd.com domains is bypassed from WSS.
   - The corresponding IPs (145.255.247.84, 145.255.247.87) are bypassed from WSS.


- No PAC file is configured on WSS Agent host

Cause

The browser was set to automatically detect proxy settings.

The DHCP server was forwarding a legacy/redundant PAC file, and because of the browser setting this file was being picked up, even though no PAC file was defined in the browser proxy settings.
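
To confirm this cause from a packet capture, check whether the DHCP reply carries option 252, the option commonly used to hand out a PAC URL for automatic proxy detection (WPAD). The Python sketch below is an added example, not part of the original article or of any WSS tooling; the sample packets and the URL under `wpad.example.internal` are constructed, and delivery of the PAC file through option 252 is an assumption about how the DHCP server was configured.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # marks the start of the DHCP options field
OPT_PAD, OPT_END, OPT_WPAD = 0, 255, 252  # 252: de facto option carrying a PAC URL

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short payload or missing magic cookie)")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:               # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        opts[code] = opts.get(code, b"") + value  # repeated options are concatenated
        i += 2 + length
    return opts

def wpad_url(payload: bytes):
    """PAC URL advertised via option 252, or None if the reply carries none."""
    raw = parse_dhcp_options(payload).get(OPT_WPAD)
    if raw is None:
        return None
    return raw.rstrip(b"\x00\n ").decode("ascii", errors="replace")

def opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value     # one type-length-value option

def build_ack(options: bytes) -> bytes:
    """Constructed DHCP reply for the demo: op=2, htype=1, hlen=6, rest zeroed."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)
    return header + MAGIC_COOKIE + options + bytes([OPT_END])

# Constructed samples (not from the article): a lease with a stale PAC URL, and one without.
STALE = build_ack(opt(53, b"\x05") + opt(OPT_WPAD, b"http://wpad.example.internal/proxy.pac\x00"))
CLEAN = build_ack(opt(53, b"\x05") + opt(1, b"\xff\xff\xff\x00"))

if __name__ == "__main__":
    for name, pkt in (("stale", STALE), ("clean", CLEAN)):
        print(name, "->", wpad_url(pkt) or "no option 252")
```

Feed `wpad_url` the UDP payload of a DHCP OFFER or ACK exported from the capture; a non-empty result on a host with no PAC file configured points at the DHCP scope as the source of the proxy settings.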

Environment

WSS Agent - all platforms

Resolution

Disable the browser option to automatically detect proxy settings.

After that change, traffic started going to the correct domain IP address and was correctly bypassed, as seen in the packet capture for direct traffic. The packet capture for in-tunnel traffic no longer shows connectivity to that domain.

Additional Information

Looking at the SymDiag logs, the following can be seen:

- The DNS answer shows the same IP address as nslookup in the packet capture for direct traffic.

- The same packet capture shows no requests to the obbltd.com domains.

- The packet capture for in-tunnel traffic shows connectivity to the bypassed domain, but instead of pointing to the domain IP (148.255.247.87), the destination is ep.threatpulse.net (199.19.250.205) on port 80, as it would be when going via a PAC file.

- The WSS Agent trace log confirms that the bypasses are added correctly:
(...) 05/06/2022-14:06:07.4025388 Debug    Adding 145.255.247.87 for preasy.obbltd.com to domain bypass list

- Since the connection is going to a different IP, the traffic is not bypassed.
