If the tenant running WSS Agent AND the tenant has SAC enabled, the CTC response will send users to a non-China POP.

If the tenant running WSS Agent is sending all traffic into Cloud SWG (not just TCP ports 80, 8080, 443 or 8443), and the tenant has CFS (Client Firewall Service) policies enabled, the CTC response will send users to a non-China POP.

If the tenant has dedicated IP address feature enabled, the CTC response will send users to a non-China POP.

The China Cloud SWG infrastructure does not have routing to SAC, CFS or Dedicated IP address environments.

Make sure local firewall settings allow WSS Agent users in China access POPs outside of China.

It is on our roadmap to create SAC, CFS and dedicated IP infrastructure in China. There is no ETA for now.

Great firewall of China may block access to non-China POP's and hence users from China region will be unable to connect to Cloud SWG.

Agent Traffic Manager (ATM) - currently in private preview - can be used to disable SAC/CFS features for certain users/groups, which could be used to workaround the above use case for users in China. Please contact your local SE for more details.