Cloud SWG Agent Traffic Manager (ATM) rules don't work on few devices
search cancel

Cloud SWG Agent Traffic Manager (ATM) rules don't work on few devices

book

Article ID: 378152

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Agent Traffic Manager (ATM) is configured with users and groups based rule. While testing on our VDI environment, all configured rules are being bypassed.

Environment

WSS Agent.
VDI/Virtual Machines.

Cause

ATM user-based or group-based rules do not work in VDI environment where agent is installed with MCU=1 option. As VDI is used for multi-user environment (with MCU option), WSS agent doesn't have the ability to certify that there is only one user on an VDI device. 

The problem is the conflicts between users on VDIs.  For an example, if user1 is CASB intercept only, user2 is web traffic intercept (port 80, 443, 8080, 8443), and user3 is custom port intercept, the agent can’t resolve if all three of those users are logged on to the machine at the same time. The core point of MCU being it is multi-user - so WSS Agent can’t prevent multiple users from logging in. WSS Agent can’t send per-user information to CTC (Cloud Traffic Controller) for atm rules (and the rules are applied in a single kernel).

Resolution

In VDI multiuser environments where WSS Agent installed with MCU flag, user-based or group-based ATM rules won't work reliably due to challenges in tracking and enforcing policies on individual users in a shared session environment. However, location-based, IP-based, and policies without a source filter (Any) can still be effectively enforced, ensuring that ATM can protect the VDI environment even without user-specific configurations.