The customer is testing WSS Agent with their new Cloud SWG (formerly known as WSS) with a minimal policy (access layer is a simple allow statement).
The WSS Agent connects without issues to the local Cloud SWG PoP, yet Internet access from the computer is not working.
UPE Managed policy
WSS Agent (any version)
The customer's UPE policy was set to bypass authentication for all traffic.
This caused the WSS Agent identification to be stripped of user data, which prevented the agent from operating as expected.
Authentication exemption actively removes the user-related data that the WSS Agent sends to the service, and once this data is removed the agent cannot operate normally.
When no authentication is set up, an exemption is not necessary and, as seen here, is counter-productive.
Authentication exemption should be set for specific conditions to avoid such issues.