WSS Agent Proxy avoidance detection
search cancel

WSS Agent Proxy avoidance detection


Article ID: 258682


Updated On:


Cloud Secure Web Gateway - Cloud SWG


As an administrator, I've set up an on-prem proxy, a local proxy or an application that acts as a proxy to handle requests.

When the WSS Agent is enabled, the proxy CONNECT requests are blocked or dropped.

When the WSS Agent is disabled, the proxy CONNECT requests work as expected.


Cloud Secure Web Gateway


To enforce proxy avoidance, the WSS Agent detects proxy HTTP requests in outbound streams for ports other than the ports configured to be forwarded to the service (typically 80 and 443).

Those connections are forwarded to Cloud SWG instead of the originally specified proxy.


To resolve this, you will need to add the IP / FQDN of the proxy to the Cloud SWG portal under its bypasses list under Connectivity > Bypassed Traffic > Bypassed IP/Subnets and Bypassed Domains tabs.

Additional Information

The WSS Agent does not interpret proxy auto-configuration (PAC) settings as a proxy avoidance attempt.

If your deployment uses a PAC control to manage outbound web connections, the WSS Agent detects it and uses this connection to forward web traffic on ports 80 and 443 by default (you can allow other ports).

If the WSS Agent cannot connect with the PAC settings, it attempts a direct connection to the Cloud SWG IP address.