WSS Agents are used to access the internet.
An on-premise proxy exists, and a PAC file is pushed out to all WSS Agent hosts, directing intranet traffic to the on-premise proxy and internet traffic to ep.threatpulse.com.
The PAC file is set to send Cloud SWG traffic directly to the following hosts, using this logic:
if (shExpMatch(host, "pfms.wss.symantec.com") ||
shExpMatch(host, "ctc.threatpulse.com") ||
shExpMatch(host, "saml.threatpulse.net") ||
shExpMatch(host, "pod.threatpulse.com") ||
shExpMatch(host, "client-id.wss.symantec.com"))
{return "DIRECT";}
After making a change to the SSL interception UPE layer and enabling the "HTTP interception on exception" flag for all traffic, any WSS Agent user reconnecting would get the “Connected to CTC direct after failure to contact proxy server” message.
The message does not appear when the SSL intercept "HTTP interception on exception" flag is disabled.
WSS Agent.
SSL interception policy.
UPE.
Enable 'ignore proxy settings' in Cloud SWG WSS Agent configuration.
The PAC file should have sent traffic DIRECT anyway, but it was somehow going into the on-premise proxy and triggering the warning. When CTC fails through a discovered proxy, it will always fall back to going direct.
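To confirm offline that a PAC file really returns DIRECT for the Cloud SWG hosts listed above, the bypass logic can be evaluated outside the agent. This is an added example, not part of the original article or vendor code; the shExpMatch stand-in, the corp.example intranet suffix, the proxy address, both ports and the pacMisordered variant are assumptions constructed for illustration.

```javascript
// Stand-in for the PAC engine's built-in shExpMatch (shell-style * and ? globs).
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Assumed values, not from the article: intranet suffix, proxy address, ports.
const INTRANET_PROXY = "PROXY proxy.corp.example:8080";
const CLOUD_PROXY = "PROXY ep.threatpulse.com:8080";

// PAC function using the article's bypass block, placed before all proxy rules.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "pfms.wss.symantec.com") ||
      shExpMatch(host, "ctc.threatpulse.com") ||
      shExpMatch(host, "saml.threatpulse.net") ||
      shExpMatch(host, "pod.threatpulse.com") ||
      shExpMatch(host, "client-id.wss.symantec.com")) {
    return "DIRECT";
  }
  if (shExpMatch(host, "*.corp.example")) return INTRANET_PROXY;
  return CLOUD_PROXY;
}

// Constructed broken variant: a wildcard proxy rule evaluated before the bypass.
function pacMisordered(url, host) {
  if (shExpMatch(host, "*.threatpulse.com")) return CLOUD_PROXY;
  return FindProxyForURL(url, host);
}

const CONTROL_HOSTS = [
  "pfms.wss.symantec.com", "ctc.threatpulse.com", "saml.threatpulse.net",
  "pod.threatpulse.com", "client-id.wss.symantec.com",
];

// Returns every control host that the given PAC function does NOT send DIRECT.
function auditBypass(pac, hosts = CONTROL_HOSTS) {
  return hosts
    .map((host) => ({ host, result: pac("https://" + host + "/", host) }))
    .filter((r) => r.result !== "DIRECT");
}

console.log("article PAC, proxied control hosts:", auditBypass(FindProxyForURL));
console.log("misordered PAC, proxied control hosts:", auditBypass(pacMisordered));
```

An empty result means every listed host is sent DIRECT by the PAC logic itself, so any proxied agent traffic would have to come from proxy discovery outside the PAC file.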