The WSSA is supposed to be in Passive mode when it is connecting from a known Location (If the egress IP of the network is added as a Portal Location).

In some specific cases, the agent would remain in Active mode even when it is coming from a known Location.

The agent talks to CTC (ctc.threatpulse.com) before establishing the connection to get the Active/Passive directions, the Bypass Lists and Connection Lists, and a few other agent configurations.

CTC determines Active/Passive mode by looking at the source egress IP. The last known good Connection List will be cached by the agent.

WSSA has no way of knowing it is on a known Location (and go Passive) unless the attempt to connect to CTC succeeds.

In the event that CTC fails through both the proxy and DIRECT paths, the agent uses the cached Connection List and connects to the last known good data-pods. In this case, the agent will remain in Active mode even if the Location is already protected.

Make sure that WSSA's connection attempts to the CTC service succeed (and "static bypass" entries are entered for CTC in any on-prem proxies): 

ctc.threatpulse.com: 130.211.30.2

Unless "Ignore Proxy Settings" is checked in the Portal for the customer, the CTC check will use the system proxy settings in its connection to ctc.threatpulse.com. 

By default, after two consecutive failures connecting to CTC, the system proxy is ignored and a direct connection is attempted instead.