WSS Agent CTC warning visible when 'HTTPS interception on exceptions' flag enabled in UPE

Article ID: 261147

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

WSS Agents are used to access the internet.

An on-premise proxy exists, and a PAC file is pushed out to all WSS Agent hosts, directing intranet traffic to the on-premise proxy and internet traffic to ep.threatpulse.com.

The PAC file is set to send Cloud SWG traffic direct to the following hosts using this logic:

    if (shExpMatch(host, "pfms.wss.symantec.com") ||
        shExpMatch(host, "ctc.threatpulse.com") ||
        shExpMatch(host, "saml.threatpulse.net") ||
        shExpMatch(host, "pod.threatpulse.com") ||
        shExpMatch(host, "client-id.wss.symantec.com")) {
        return "DIRECT";
    }

After making a change to the SSL interception UPE layer and enabling the 'HTTPS interception on exceptions' flag for all traffic, any WSS Agent user reconnecting would get the “Connected to CTC direct after failure to contact proxy server” message.

This message does not appear when the SSL interception 'HTTPS interception on exceptions' flag is disabled.

Environment

WSS Agent.

SSL interception policy.

UPE.

Resolution

Enable 'ignore proxy settings' in the Cloud SWG WSS Agent configuration.

The PAC file should have sent this traffic DIRECT anyway, but it was somehow going to the on-premise proxy and triggering the warning. When CTC fails through a discovered proxy, it will always fall back to going direct.
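
One way to confirm that the PAC file itself returns DIRECT for the Cloud SWG hosts listed above, as an added example (not part of the original article and not Broadcom code). The sample PAC text is constructed; its intranet pattern, on-premise proxy name and port numbers are assumptions.

```javascript
// Added example, not Broadcom code. Evaluates a PAC file offline and lists
// any Cloud SWG host from the article that would NOT be sent DIRECT.
const CLOUD_SWG_HOSTS = [
  "pfms.wss.symantec.com", "ctc.threatpulse.com", "saml.threatpulse.net",
  "pod.threatpulse.com", "client-id.wss.symantec.com",
];

// Constructed sample PAC. The intranet pattern, the on-premise proxy name
// and both port numbers are assumptions, not values from the article.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "pfms.wss.symantec.com") ||
      shExpMatch(host, "ctc.threatpulse.com") ||
      shExpMatch(host, "saml.threatpulse.net") ||
      shExpMatch(host, "pod.threatpulse.com") ||
      shExpMatch(host, "client-id.wss.symantec.com")) {
    return "DIRECT";
  }
  if (shExpMatch(host, "*.corp.example.internal")) {
    return "PROXY onprem-proxy.example.internal:8080";
  }
  return "PROXY ep.threatpulse.com:8080";
}`;

// Minimal shExpMatch: shell glob where * matches any run and ? one character.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Load the PAC text with only shExpMatch in scope and return its entry point.
function loadPac(pacText) {
  return new Function("shExpMatch", pacText + "\nreturn FindProxyForURL;")(shExpMatch);
}

// Return the hosts whose PAC decision is anything other than DIRECT.
function hostsNotDirect(pacText, hosts = CLOUD_SWG_HOSTS) {
  const findProxy = loadPac(pacText);
  return hosts.filter((h) => findProxy("https://" + h + "/", h).trim() !== "DIRECT");
}

console.log(hostsNotDirect(SAMPLE_PAC));
```

An empty list means the PAC logic is not what routes these hosts to the on-premise proxy. A non-empty list names the hosts caught by an earlier or broader rule.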