Why are my WSS Agent endpoints (prior to WSSA version 8.3.1) not able to connect to Cloud SWG (formerly known as WSS)?
In February 2023, Cloud SWG introduced an option to disable “legacy” CTC (Cloud Traffic Controller) communications in favor of “enhanced” CTC.
CTC is the cloud-based system responsible for communicating agent policies created in the Cloud SWG portal to the agent (such as when to go active vs. passive, which data centers to connect to, etc.). The new enhanced (CTCv2) setting is disabled by default.
Enhanced CTC, which is only compatible with WSS Agent 8.3.1 and later, improves the security of the communications between WSS Agent and CTC. The feature is controlled via the following Cloud SWG portal page:
(Cloud SWG Portal)
Connectivity -> WSS Agent: "Block legacy CTC communications"
Activating the setting prevents WSS Agent clients prior to version 8.3.1 from connecting to the Cloud SWG service, because they are not compatible with enhanced CTC.
(Screenshot: "Block legacy CTC communications" checkbox on the agent configuration screen)
WARNING: Enabling this option will BLOCK WSS Agent versions prior to version 8.3.1. Do not enable it until ALL of your agents have been upgraded to 8.3.1 or later.
Please also see: "Set WSS Agent Network and Security Options"
(Screenshot: dialog warning shown when enabling the "Block legacy CTC communications" checkbox)
If you enable this option in the Portal ("Block legacy CTC communications") before ALL of your WSS Agents are upgraded, those older/unsupported agents will show the following message in red:
"Invalid or expired customer, Internet access blocked"
...and all network access will be blocked until reinstallation.
To resolve the issue:
(1) Uncheck the "Block legacy CTC communications" setting in the Cloud SWG portal
(2) Upgrade all your WSS Agent installations to v8.3.1 or newer
(3) Enable the "Block legacy CTC communications" setting in the Cloud SWG portal
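A readiness check to run between steps (2) and (3), as an added example that is not part of the original article or any Broadcom tooling: it reads an agent inventory and lists every host that would be blocked once the setting is enabled. The CSV layout, column names, hostnames and sample versions are constructed assumptions; only the 8.3.1 minimum comes from the article.

```python
import csv
import io
import re

MIN_VERSION = (8, 3, 1)  # first WSS Agent release compatible with enhanced CTC

# Constructed sample inventory; column names are assumptions, not a Cloud SWG export format.
SAMPLE_INVENTORY = """hostname,wssa_version
lt-0101,8.3.1
lt-0102,8.2.5
lt-0103,8.10.0
lt-0104,7.5.4.1234
lt-0105,
lt-0106,9.1.2.5678
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    text = (text or "").strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def _pad(version, width):
    """Right-pad with zeros so 8.3 compares as 8.3.0 and 8.3.1.1234 still compares."""
    return version + (0,) * (width - len(version))

def is_compatible(text, minimum=MIN_VERSION):
    """True only for a parseable version at or above the minimum (numeric compare)."""
    version = parse_version(text)
    if version is None:
        return False  # unknown or malformed version: treat the host as not ready
    width = max(len(version), len(minimum))
    return _pad(version, width) >= _pad(minimum, width)

def blocking_hosts(inventory_csv):
    """List (hostname, version) rows that must be upgraded before enabling the setting."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["hostname"], r["wssa_version"] or "unknown")
            for r in rows if not is_compatible(r["wssa_version"])]

def safe_to_enable(inventory_csv):
    """True when no host in the inventory would be cut off by blocking legacy CTC."""
    return not blocking_hosts(inventory_csv)

if __name__ == "__main__":
    for host, version in blocking_hosts(SAMPLE_INVENTORY):
        print(f"upgrade first: {host} (WSS Agent {version})")
    print("safe to enable:", safe_to_enable(SAMPLE_INVENTORY))
```

Versions are compared as integer tuples because a plain string comparison would rank 8.10.0 below 8.3.1, and hosts with a missing or malformed version are counted as not ready.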