Cannot get SAML authentication to succeed with WSS Agents and CFS when pointing to a public DNS server.
Article ID: 261161

Products

Symantec ZTNA

Issue/Introduction

WSS Agent used to access web applications via Cloud SWG.

SAC tenant enabled with Cloud SWG, as well as CFS (Client Firewall Service), and all traffic sent into Cloud SWG from agent hosts.

SAML authentication enabled on Cloud SWG, with IDP server running in Azure.

Roaming users can authenticate and access internet traffic without problems.

Office users can establish tunnel but cannot authenticate and send traffic.

Firewall allows traffic to Azure directly, as well as to Cloud SWG VIPs.

Environment

Cloud Firewall Service.

Secure Access Cloud.

Cloud SWG.

Azure IDP server.

WSS Agent.

Cause

DNS resolver on clients pointing to public DNS server 9.9.9.9, which was not bypassed from Cloud SWG.

Because authentication had not completed, the agent was not yet sending traffic (including the DNS queries to 9.9.9.9, which were not bypassed) into the tunnel; but authentication itself could not complete without those DNS responses, so each step was waiting on the other.

Resolution

A number of options exist here:

1. Bypass any public DNS server that WSS Agent users are likely to use.

2. If there are concerns about not knowing which public DNS servers to bypass, send the DNS traffic into Cloud SWG using the Split DNS closed network APIs. This is what we did here to address the issue.

3. Install WSS Agent 9.1.1 or greater. With this version of WSS Agent, the logic has changed to give CFS and SAC generated DNS requests a higher priority than before, allowing those requests to be resolved before traffic is allowed through the tunnel (which typically happens only after the user has successfully authenticated).
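The following pre-flight check illustrates the condition behind options 1 and 2: a client resolver that is public and not on the bypass list will have its DNS queries held for the tunnel, which cannot open until SAML authentication finishes. This is an added example, not Symantec/Broadcom code or a WSS Agent API; the resolv.conf-style input and the CIDR bypass list are constructed samples, and the bypass list format is an assumption.

```python
"""Check which configured DNS resolvers would be tunneled before authentication.

Added example (not WSS Agent / Cloud SWG code). Assumes:
  - resolvers are given in resolv.conf style ("nameserver <ip>" lines), and
  - the agent bypass list is a list of CIDR strings (hypothetical format).
A resolver is flagged when it is globally routable and matches no bypass CIDR:
its queries would go into the tunnel, which only opens after SAML auth completes.
"""
import ipaddress

# Constructed sample input, mirroring the case on this page (9.9.9.9 not bypassed).
SAMPLE_RESOLV_CONF = """\
# constructed sample, not a real host
search corp.example
nameserver 9.9.9.9
nameserver 10.20.0.53
nameserver 1.1.1.1
"""

# Constructed sample bypass list: RFC1918 space plus one public resolver explicitly bypassed.
SAMPLE_BYPASS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "1.1.1.1/32"]


def parse_resolv_conf(text: str) -> list:
    """Return the resolver IPs from resolv.conf-style text, ignoring comments and other keys."""
    resolvers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            resolvers.append(parts[1])
    return resolvers


def is_bypassed(ip: str, bypass: list) -> bool:
    """True if the address falls inside any bypass CIDR (traffic sent direct, not into Cloud SWG)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in bypass)


def classify_resolvers(resolvers: list, bypass: list) -> dict:
    """Sort resolvers into:
    - 'private':         not globally routable (RFC1918, loopback, link-local); reachable without the tunnel
    - 'bypassed':        public but matched by a bypass CIDR; reachable without the tunnel
    - 'tunneled_public': public and NOT bypassed; queries wait for a tunnel that needs DNS to authenticate
    """
    result = {"private": [], "bypassed": [], "tunneled_public": []}
    for ip in resolvers:
        addr = ipaddress.ip_address(ip)
        if not addr.is_global:
            result["private"].append(ip)
        elif is_bypassed(ip, bypass):
            result["bypassed"].append(ip)
        else:
            result["tunneled_public"].append(ip)
    return result


def report(resolv_conf_text: str, bypass: list) -> dict:
    """Run the full check and return the classification; prints a short summary for the operator."""
    result = classify_resolvers(parse_resolv_conf(resolv_conf_text), bypass)
    for ip in result["tunneled_public"]:
        print(f"WARNING: resolver {ip} is public and not bypassed; "
              f"DNS to it will be held until SAML auth completes (deadlock risk)")
    for ip in result["private"] + result["bypassed"]:
        print(f"ok: resolver {ip} reachable without the tunnel")
    return result


if __name__ == "__main__":
    report(SAMPLE_RESOLV_CONF, SAMPLE_BYPASS)
```

With the sample input the check flags 9.9.9.9 (public, not bypassed) and accepts 10.20.0.53 (private) and 1.1.1.1 (explicitly bypassed); adding `9.9.9.9/32` to the bypass list, as in option 1, clears the warning.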