SEP RU9 Unable to Exclude Windows Sandbox from Cloud SWG traffic
Article ID: 381214
Updated On:
Products
Issue/Introduction
After upgrading to RU9, Windows Sandbox traffic is sent to CloudSWG from the Cloud Secure Access from WSSA within the RU9 SEP agent.
Before, when running RU8, the Windows Sandbox traffic was excluded from the CloudSWG tunnel.
Environment
SEP 14.3 RU9+
Cause
The Windows Sandbox uses virtual vSwitch for networking. Starting with WSSA 9.5.1 and in SEP 14.3 RU9 support was added for vSwitch filtering. It was a necessary update to close a hole that allowed traffic to egress the machine unprotected.
Due to the changes, executable bypass is not supported in for this setup.
vSwitch support was added by L2 (MAC frame) hooks in the WSSA Windows driver.
With WSSA 9.7.1 and later, there is an option to not install the L2 hooks. Without L2 hooks, the traffic from the virtual machine will not be filtered at all similar to pre-9.5.1 WSSA and SEP 14.3 RU8.
SEP does not currently support installations without L2 hooks.
Resolution
There are the following options available to resolve this issue:
- Use RU8 - which doesn't contain vSwitch filtering at all.
- Use standalone WSSA 9.7.1 instead of RU9 with the option to bypass installation of the L2 hooks.
With this option if you encounter a situation where L2 hooks are impacting you and you would like to disable those hooks, pass the SKIP_L2_FRAME_HOOKS=1 option to the msiexec command:
msiexec /I \Path\To\wssa-installer.msi [MSI_OPTIONS...] SKIP_L2_FRAME_HOOKS=1 - Bypass the traffic by destination address or domain.
Feedback
