Cannot access internal network resources when WSS Agent active with SAC segment applications

Article ID: 256006

Products

Cloud Secure Web Gateway - Cloud SWG

Secure Access Cloud

Issue/Introduction

Accessing Secure Access Cloud (SAC) Segment Applications via WSS Agent functions normally.

However, when trying to access resources (such as an Active Directory server or network printer) on the local network, connectivity fails. 

The issue can also affect a client machine's ability to resolve the domains required to authenticate against a SAML IdP server, if the client uses a local DNS server.

 

 

Environment

Cloud SWG.

SAC with Segment Applications.

WSS Agent v8.2.3 and earlier, and WSS Agent v9.0.62.

Symantec Endpoint Protection (SEP) 14.3 RU6 with Web and Cloud Access Protection enabled.

 

Cause

When WSS Agent is running on an IP network that overlaps with IPs used on a SAC Segment Application network, the SAC Segment Application network is preferred. For example, if WSS Agent is running on a local network that uses 10.1.1.0/24, and it is connected via SAC to a Segment Application network defined on 10.0.0.0/8, then there are overlapping segments. When overlap occurs, traffic destined to 10.1.1.0/24 (the local network) will be sent through the tunnel to SAC to be routed to the Segment Application network.

This can cause a variety of problems including some less obvious issues related to DNS. For example, if the DNS server is part of the local network, then DNS requests will all be sent through SAC to the Segment Application network, likely resulting in DNS lookup failures for services like SAML authentication servers or local print servers.
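To check a given client for this condition, the following added example (not part of the original article or of any Symantec tooling) tests a local network against the Segment Application networks and reports which local hosts would have their traffic sent through the tunnel. The 10.1.1.0/24 and 10.0.0.0/8 ranges and 8.8.8.8 come from the article; the second segment, the host labels and the host addresses are constructed sample values.

```python
import ipaddress

def find_overlaps(local_cidr, segment_cidrs):
    """Return the segment CIDRs (as strings) that overlap the local network."""
    local = ipaddress.ip_network(local_cidr, strict=False)
    hits = []
    for cidr in segment_cidrs:
        seg = ipaddress.ip_network(cidr, strict=False)
        # Only compare networks of the same IP version.
        if seg.version == local.version and seg.overlaps(local):
            hits.append(str(seg))
    return hits

def tunneled_hosts(hosts, segment_cidrs):
    """Map each host label to the most specific segment CIDR containing its
    address. Hosts outside every segment are omitted."""
    segs = [ipaddress.ip_network(c, strict=False) for c in segment_cidrs]
    captured = {}
    for label, addr in hosts.items():
        ip = ipaddress.ip_address(addr)
        matches = [s for s in segs if s.version == ip.version and ip in s]
        if matches:
            captured[label] = str(max(matches, key=lambda s: s.prefixlen))
    return captured

# Constructed sample input modelled on the article's example.
LOCAL_NETWORK = "10.1.1.0/24"
SEGMENT_NETWORKS = ["10.0.0.0/8", "172.16.20.0/24"]
HOSTS = {
    "local-dns": "10.1.1.53",    # constructed address
    "printer": "10.1.1.200",     # constructed address
    "public-dns": "8.8.8.8",     # public resolver named in the article
}

if __name__ == "__main__":
    for seg in find_overlaps(LOCAL_NETWORK, SEGMENT_NETWORKS):
        print(f"local network {LOCAL_NETWORK} overlaps segment {seg}")
    for label, seg in tunneled_hosts(HOSTS, SEGMENT_NETWORKS).items():
        print(f"{label} ({HOSTS[label]}) falls inside segment {seg}")
```

A local DNS server that appears in the second report is the case behind the SAML and print-server lookup failures described above.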

Resolution

A future release of WSS Agent and SEP will provide additional capabilities to more elegantly deconflict IP overlap between the local network and SAC Segment Applications. 

In the meantime, please consider one of the following workarounds:

- Change the IP addresses used by either the local network or the SAC Segment Application network so that they do not overlap with each other. 

- If the machine running WSS Agent doesn’t need to access any hosts on the local network, switch to a public DNS server (like 8.8.8.8) so that DNS requests are not sent to the SAC Segment Application network.

- Add the internal / local IP addresses that the host needs to access locally to the SAC WSS Excluded IP Addresses configuration. This feature has the effect of forcing the WSS Agent to bypass (not redirect to SAC) the local network IP addresses listed in the SAC portal. 

Please note that in this configuration, the following apply: 

- Local IP addresses cannot overlap with SAC segment application IP addresses
- WSS Agent devices may be subject to different local network needs, making this difficult to scale given that the exclusions cannot be set at a per-user level.

 

 

Additional Information

Starting with WSS Agent 9.0.65 (expected December 2022), you can configure WSS Agent to bypass internal local addresses that do not need to be routed to the SAC Segment Application from within the Cloud SWG Portal. This preserves local network access without disrupting access to Segment Applications. This workaround is less feasible if applications are hosted on the same /24 network on both networks.
