Users successfully accessing internet sites via Cloud SWG using Proxy Forwarding access method for on-prem users, and WSS Agents for roaming users.
Azure admins can login and manage resources via the Azure Portals.
When Azure admins try and launch the Azure terminal, the operation fails and the following error is reported:
Terminal output - Error: Failed to connect terminal
Details: Cloud Shell requires the ability to establish a websocket connection to Cloud Shell infrastructure.
Resolution: Confirm that your network allows sending HTTPS and websocket requests to the following domains:
*.console.azure.com
*.servicebus.windows.net
Microsoft Azure.
Cloud SWG.
Azure not expecting additional proxy headers enabled when SSL inspection enabled (Via, X-Forwarded-For headers for example).
Disable SSL interception for management.azure.com domain.
Gathering a HAR file when the issue happens, we see the following error reported back to the user for one of the POST requests to the management.azure.com domain.
When the terminal is launched, the user-agent generates a request to portal.azure.com initially, get sent to ux.console.azure.com and eventually over to login.microsoftonline.com to authenticate and get an access token. Once the access token is available, the user-agent send a request to management.azure.com with the access token in the Authorization: Bearer header. All this seemed to work fine yet the operation would fail.
Disabling SSL interception for the domain removes any traces of proxy communication. In the above setup, it fixed the issue and the main difference in terms of the back end is that it gets exactly what is sent by the user-agent and does not include proxy added HTTP headers. These headers obviously impacted the Azure service.