
Cannot get SAC Segment Applications to work via Cloud SWG


Article ID: 256003


Products

Secure Access Cloud
Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Both the SAC and Cloud SWG (formerly known as WSS) deployments work fine independently of one another.

Integration between the two has been completed, but when users access the SAC segment application via the WSS Agent, connectivity fails, e.g. a telnet client launched on the WSS Agent host cannot reach the server by IP address or by hostname.

There is no IP subnet overlap between the WSS Agent host and the SAC segment host/subnet that could explain the connectivity failure.

Neither the WSS nor the SAC logs show any requests for the application.

A Wireshark trace on the WSS Agent host confirmed that the application requests went out to the local network rather than into WSS.

Environment

SAC Segment based Application.

Cloud SWG integration with SAC.

WSS Agent.

Cause

The WSS Agent is missing the SAC information (the markIpAddresses entries for the segment application) required to direct traffic into SAC.

Resolution

Remove the segment application's IP host/subnet address from the WSS Exclude IP Address field within the SAC Portal. Any IP addresses defined there will not receive any traffic via WSS, so connectivity will fail if they are also part of the SAC segment application.

Additional Information

When the Cloud SWG tenant integrates with SAC and the WSS Agent initialises successfully, a list of directives is pushed to the WSS Agent to support the SAC communication, e.g. which DNS servers to use to resolve SAC application IP addresses (splitDNS) and which SAC segment hosts need to be pushed out via WSS (markIpAddresses). The following example shows all of the WSS Agent directives one can expect when integrating with SAC (with IP, DNS and application bypass examples too):

{
  "bypassIpAddresses": ["127.0.0.1"],
  "bypassDomains": [
    "windowsupdate.com", "okta.com", "nflxso.net", "echo.websocket.com",
    "googlevideo.com", "webex.com", "zoom.us", "websocket.org",
    "oktapreview.com", "wbx2.com", "oktacdn.com", "nflxext.com",
    "thegrand.ie", "nflxvideo.net"
  ],
  "bypassExecutables": [
    {"executablePath": "C:\\Program Files\\Amazon\\AWS VPN Client\\Resources\\openvpn\\2.4.5-aws-2\\acvc-openvpn.exe"}
  ],
  "splitDNS": [
    {"host": "ncred.net", "ip": "192.168.1.10"},
    {"host": "ncred.net", "ip": "10.0.3.10"}
  ],
  "markIpAddresses": ["10.0.3.10/32", "192.168.1.0/24", "192.168.1.10/32"]
}

In the above problem, the markIpAddresses directive did not include the telnet server IP address/subnet because of the WSS Exclude IP Address entry in the SAC Portal, so the traffic was never sent into WSS. A PCAP would show the TCP SYN to the telnet server go out the local network instead, where it never receives a response.
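As an added example (not code from this article or from Broadcom), the following Python script parses a directive set like the one above and reports, for a given segment application address, whether the WSS Agent will mark it into WSS, bypass it, or leave it to exit the local network, which is the check that would have caught the telnet failure described here. The embedded JSON is a constructed, trimmed copy of the article's directives (the bypassDomains list is shortened). The rule that an explicit bypass entry takes precedence over a markIpAddresses match is an assumption of this example, not something the article states.

```python
import ipaddress
import json

# Constructed sample input: a trimmed copy of the directive set shown in the
# article, as pushed to the WSS Agent after a successful SAC integration.
# A raw string keeps the JSON-escaped Windows path intact.
DIRECTIVES_JSON = r'''{"bypassIpAddresses":["127.0.0.1"],
"bypassDomains":["windowsupdate.com","okta.com","zoom.us","webex.com"],
"bypassExecutables":[{"executablePath":"C:\\Program Files\\Amazon\\AWS VPN Client\\Resources\\openvpn\\2.4.5-aws-2\\acvc-openvpn.exe"}],
"splitDNS":[{"host":"ncred.net","ip":"192.168.1.10"},{"host":"ncred.net","ip":"10.0.3.10"}],
"markIpAddresses":["10.0.3.10/32","192.168.1.0/24","192.168.1.10/32"]}'''


def parse_directives(text):
    """Parse the directive JSON the agent received; absent lists become empty."""
    data = json.loads(text)
    for key in ("bypassIpAddresses", "bypassDomains", "splitDNS", "markIpAddresses"):
        data.setdefault(key, [])
    return data


def _matching_networks(ip, entries):
    """Return the entries (bare IPs or CIDRs) whose network contains ip."""
    addr = ipaddress.ip_address(ip)
    # A bare address such as "127.0.0.1" parses as a single-host network.
    return [e for e in entries if addr in ipaddress.ip_network(e, strict=False)]


def _domain_matches(hostname, suffixes):
    """Return the suffix entries matching hostname exactly or as a parent domain."""
    host = hostname.lower().rstrip(".")
    hits = []
    for suffix in suffixes:
        s = suffix.lower().rstrip(".")
        if host == s or host.endswith("." + s):
            hits.append(suffix)
    return hits


def split_dns_servers(directives, hostname):
    """DNS servers the agent would consult for hostname according to splitDNS."""
    hits = []
    for entry in directives["splitDNS"]:
        if _domain_matches(hostname, [entry["host"]]):
            hits.append(entry["ip"])
    return hits


def check_segment_target(directives, ip, hostname=None):
    """Classify how the agent treats traffic to ip (optionally resolved from hostname)."""
    bypass_hits = _matching_networks(ip, directives["bypassIpAddresses"])
    mark_hits = _matching_networks(ip, directives["markIpAddresses"])
    domain_bypass = _domain_matches(hostname, directives["bypassDomains"]) if hostname else []
    # Assumed precedence (not stated in the article): an explicit bypass wins over a mark.
    if bypass_hits or domain_bypass:
        verdict = "bypassed"
    elif mark_hits:
        verdict = "marked"
    else:
        verdict = "not-marked"
    return {
        "ip": ip,
        "verdict": verdict,
        "bypass_matches": bypass_hits + domain_bypass,
        "mark_matches": mark_hits,
        "split_dns": split_dns_servers(directives, hostname) if hostname else [],
    }


def diagnose(directives, ip, hostname=None):
    """One-line explanation of the verdict that a support engineer can act on."""
    r = check_segment_target(directives, ip, hostname)
    if r["verdict"] == "marked":
        return f"{ip}: steered into WSS via markIpAddresses {r['mark_matches']}"
    if r["verdict"] == "bypassed":
        return f"{ip}: explicitly bypassed by {r['bypass_matches']}; traffic stays local"
    return (f"{ip}: absent from markIpAddresses; traffic will exit the local network. "
            "Check the WSS Exclude IP Address field in the SAC Portal.")


DIRECTIVES = parse_directives(DIRECTIVES_JSON)

if __name__ == "__main__":
    # Hypothetical targets: a marked host, a host inside a marked /24, a host the
    # directives never mention (the article's telnet case), and a bypassed address.
    for target, name in (("10.0.3.10", "dc.ncred.net"), ("192.168.1.50", None),
                         ("10.0.5.20", "telnet.ncred.net"), ("127.0.0.1", None)):
        print(diagnose(DIRECTIVES, target, name))
```

Run it against the directive JSON actually captured on the affected WSS Agent host: a "not-marked" verdict for the segment application address points straight at the SAC Portal exclude list described in the Resolution, while a "bypassed" verdict points at a bypass entry on the Cloud SWG side instead.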
