WSS Agents running on a network where the assigned DNS server is on non-RFC-1918 IP space (like 8.8.8.8, 9.9.9.9 or 1.1.1.1).

WSS Agent is configured to forward all traffic (not just HTTP traffic) into WSS.

CFS license is enabled.

When users try to browse any website after establishing the tunnel, no response comes back.

Users report getting error pages referencing connection issues.

WSS Agent v8.1.1+.
CFS license active.
All ports intercept license active.

CFS default policy may be blocking user, generated DNS traffic so that no DNS query is resolved.

The WSS Agent 8.1.1+ behaviour changed from prior versions whereby DNS will be intercepted for non-RFC-1918 when all ports intercept is enabled for the WSS Agent. This deviates from WSSA v7 and prior, which would always ignore DNS. 

Create a CFS rule to ACCEPT TCP/UDP 53. Since users cannot predict what DNS servers will be assigned to their users in remote locations, this should be a default policy. 

Symantec are aware of the issue and will release a fix in an upcoming build.

This combination of factors should be rare since the vast majority of wifi hotspots and home routers assign themselves as the DNS resolver on RFC-1918 space.