Some URLs forwarded to Email Threat Isolation are blocked with 403 "Forbidden"
search cancel

Some URLs forwarded to Email Threat Isolation are blocked with 403 "Forbidden"


Article ID: 277992


Updated On:


Cloud Secure Web Gateway - Cloud SWG


Users access Web resources via Cloud SWG using WSS Agent.

Web isolation is used to sandbox risky websites when going through Cloud SWG - using a dedicated Cloud Web Isolation tenant.

Users access emails via Symantec Email Cloud service.

When a user clicks on a link embedded within an email, the web site is typically rendered on the users browser without any issues.

If the email link references some suspicious or risky sites, the site should be isolated via the dedicated Web isolation platform.

When this happens, a "Forbidden" string appears on a blank page instead of the page being accessed - no other information is available.


Email Cloud Security Service.

Cloud SWG.

Dedicated Web isolation tenant.


Double isolation occurs due to multiple isolation platforms.


A number of options exist:

1. Disable Web isolation via Cloud SWG policies for the endpoint. A sample CPL includes

<Proxy> isolate(no)

2. Create a policy on the dedicated isolation tenant to 'pass' and not 'isolate' traffic for Although Cloud SWG will send request into isolation service, isolation will not take place and the double isolation problem is not visible.

Additional Information

HAR files are key to troubleshooting interoperability issues like this.

HAR files show that the request to (triggered by clicking link within email) trigger a Web isolation event to happen (200 OK response includes links to dedicated Web isolation tenant endpoint) as expected.

However, during this isolated session, the user-agent generates a request to, one of the shared email Cloud isolation server endpoints. This 'double' isolation causes the email cloud isolation server to return the 403 forbidden.

Interoperability between Email Cloud, Cloud SWG and dedicated Web isolation tenants requires that the requests not be isolated by Web isolation and the bypass policy change addresses this.