Users migrating from on-premise edge proxy to Cloud based solution.

Management center used to configure Cloud SWG service.

Users will use WSS Agents to access internet sites via the Cloud SWG service.

A subset of users, that should be allowed access youtube educational videos are blocked from doing so when going through the Cloud proxy. These same users can access the same sites using on-premise proxy.

Cloud SWG.

Edge SWG.

Youtube API enabled.

Management Center/UPE.

Cloud proxy does not leverage the youtube APIs to provide level of granularity needed here.

As a workaround, identify specific videos that need access and allow access to these youtube URLs only.

The policy pushed out to the cloud proxy included following snippet:

define condition YoutubeCategory
    request.header.Referer.url.category=("Education","Howto","Tech","none")
    url.category=("Education","Howto","Tech","none")
end
define condition YoutubeDeniedCats
    request.header.Referer.url.category=!("Education","Howto","Tech")
end

<proxy>
  url.domain=youtube.com condition=YoutubeCategory allow  

With Cloud based youtube access, all youtube sites will return the category of Audio/Video Clips and Mixed Content/Potentially Adult, causing the above policy to fail to match and ultimately trigger a DENY.

Adding a rule explicitly allowing access to educational videos, before the global DENY, will work around the issue.