Why are my WSS Agent endpoints (prior to WSSA version 8.3.1) not able to connect to Cloud SWG (formerly known as WSS)?
In February 2023, Cloud SWG introduced an option to disable “legacy” CTC (Cloud Traffic Controller) communications in favor of “enhanced” CTC.
CTC is the cloud-based system responsible for communicating agent policies created in the Cloud SWG portal to the agent (such as when to go active vs. passive, which data centers to connect to, etc.). The new enhanced (CTCv2) setting is disabled by default.
Enhanced CTC, which is only compatible with WSS Agent 8.3.1 and later, improves the security of the communications between WSS Agent and CTC. The feature is controlled via the following Cloud SWG portal page:
(Cloud SWG Portal)
Connectivity > Agent Settings: "Block legacy CTCv1 communications"
Activating the setting prevents WSS Agent clients older than version 8.3.1 from connecting to the Cloud SWG service, because they are not compatible with enhanced CTC.
[Screenshot: the "Block legacy CTCv1 communications" checkbox on the agent configuration screen]
WARNING: Enabling this option will BLOCK WSS Agent versions prior to version 8.3.1. Do not enable it until ALL of your agents have been upgraded to 8.3.1 or later.
NOTES:
Please also see: "Set Agent Network and Security Options"
[Screenshot: dialog warning shown when enabling the "Block legacy CTCv1 communications" checkbox]
If you enable this option in the Portal ("Block legacy CTCv1 communications") before ALL of your WSS Agents are upgraded, then those older/unsupported agents will show the following message in red:
"Invalid or expired customer, Internet access blocked"
...and all network access will be blocked until reinstallation.
To resolve the issue:
(1) Uncheck the "Block legacy CTCv1 communications" setting in the Cloud SWG portal
(2) Upgrade all your WSS Agent installations to v8.3.1 or newer
(3) Enable the "Block legacy CTCv1 communications" setting in the Cloud SWG portal
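Before step (3), it helps to confirm that no agent is still below 8.3.1. The following is an added example, not part of the original article or any Broadcom tooling: a pre-flight check over an endpoint inventory. The CSV layout, column names and host names are assumptions constructed for illustration; feed it whatever inventory source you already have.

```python
import csv
import io

MIN_VERSION = (8, 3, 1)  # first WSS Agent release compatible with enhanced CTC (per the article)

# Constructed sample inventory; the column names are assumptions, not a Cloud SWG export format.
SAMPLE_INVENTORY = """hostname,wssa_version
lt-0141,8.3.1
lt-0207,8.2.4
ws-0033,8.10.0
ws-0090,7.10.3.2
srv-0005,
lt-0312,9.0.1.1207
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_compatible(version):
    """Compare numerically (8.10.0 > 8.3.1), padding short versions so 8.4 reads as 8.4.0."""
    padded = version + (0,) * (len(MIN_VERSION) - len(version))
    return padded >= MIN_VERSION

def readiness(inventory_csv):
    """Split hosts into ready / legacy / unknown. Unknown counts as not ready."""
    report = {"ready": [], "legacy": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row.get("wssa_version") or "")
        if version is None:
            report["unknown"].append(row["hostname"])
        elif is_compatible(version):
            report["ready"].append(row["hostname"])
        else:
            report["legacy"].append(row["hostname"])
    return report

def safe_to_block_legacy(report):
    """True only when every inventoried agent is confirmed at 8.3.1 or later."""
    return not report["legacy"] and not report["unknown"]

if __name__ == "__main__":
    result = readiness(SAMPLE_INVENTORY)
    for state, hosts in result.items():
        print(f"{state:8} {len(hosts)}  {', '.join(hosts)}")
    print("safe to enable 'Block legacy CTCv1 communications':", safe_to_block_legacy(result))
```

Hosts with a missing or unparseable version are treated as not ready, since an agent you cannot confirm at 8.3.1 or later may be cut off once the setting is enabled.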