How to force WSS Agent to go PASSIVE when coming from an unknown location

Article ID: 406014

Products

Symantec ZTNA Cloud Secure Web Gateway - Cloud SWG Cloud Secure Web Gateway

Issue/Introduction

Users access internet sites via Cloud SWG using the WSS Agent access method.

ZTNA integration with Cloud SWG allows users access to internal applications via WSS Agent managed devices.

The customer has a main location and 100+ branch offices. The branch offices are connected using an SD-WAN/VPN solution.

If a user works from any of those locations, the WSS Agent / ZTNA should be passive, as all applications can be reached directly.
The agent/ZTNA should only be active in home offices or on the road.

Normally you would just create locations using the external IPs of each branch and put them into the Passive Agent Rules list of ATM. However, in this use case:

  • The external IPs of the branches are not fixed. The provider can change them whenever it sees fit; the SD-WAN solution handles this.
  • Creating 100+ locations would be one thing, but changing them every day is not feasible.

Environment

Cloud SWG.

WSS / SEP Agents.

ZTNA Segment applications.

Cause

Per the Cloud SWG documentation, a Cloud SWG admin cannot make the WSS Agent go passive based on the location's egress IP address or on a combination of device tags. Location and/or egress IP will not work because they could change every day; device tags will not work because they do not change: they would be the same whether the user takes the laptop home or to the office.

Resolution

Using a GPO policy that is executed at login time, one can determine whether the user is in the office. If the user is in the office, the following steps can be applied to force the agent to go passive.

  • Add a location to the Cloud SWG Portal with any IP address (_Location_IP_Address) that the customer owns (no traffic will be sent from this IP address; it is purely a marker).
  • Make sure the Agent 'block legacy CTCv1 comms' setting is disabled.
  • Open a CMD prompt in Admin mode and run:
    • wssad.exe -p ctcurl=https://ctc.threatpulse.com/ctc/rest/v1/connectionLookup/ua?customerId=<tenant_ID>&clientIP=<_Location_IP_Address>
  • Restart the WSS agent and confirm it goes passive.
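The steps above describe a logon-time GPO script without showing one. The following PowerShell script is an added example, not code from the article or from Broadcom: it applies the wssad.exe override only when the device is on an office network and then restarts the agent. The "in the office" test (a domain-authenticated network profile or an internal-only DNS name that resolves), the path to wssad.exe, the agent service name, the internal probe host and the tenant/marker IP values are all placeholders or assumptions that the article does not specify.

```powershell
# Added example (not from the Broadcom article): GPO logon/startup script that forces the
# WSS Agent passive only when the device is in an office, using the article's wssad.exe step.
# Everything below marked "placeholder" or "assumed" is not stated in the article.

$TenantId          = 'REPLACE_WITH_TENANT_ID'                  # <tenant_ID> from the Cloud SWG portal (placeholder)
$MarkerLocationIp  = '203.0.113.10'                            # <_Location_IP_Address>: the marker IP added as a Location (constructed TEST-NET-3 value)
$WssAdPath         = 'REPLACE_WITH_FULL_PATH_TO\wssad.exe'     # placeholder; the article does not give the install path
$WssServiceName    = 'REPLACE_WITH_WSS_AGENT_SERVICE_NAME'     # placeholder; the article only says "restart the WSS agent"
$InternalProbeHost = 'intranet.corp.example'                   # assumed internal-only DNS name (split DNS answers only on the corporate network)

function Test-InOffice {
    # Two independent signals, both assumptions about the customer's network:
    # 1) Windows NLA classified an adapter as DomainAuthenticated (a domain controller was reachable).
    $domainNet = Get-NetConnectionProfile -ErrorAction SilentlyContinue |
                 Where-Object { $_.NetworkCategory -eq 'DomainAuthenticated' }
    if ($domainNet) { return $true }

    # 2) An internal-only hostname resolves; off-site (home, on the road) the lookup fails.
    try {
        $null = Resolve-DnsName -Name $InternalProbeHost -DnsOnly -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-PassiveCtcUrl {
    param([string]$TenantId, [string]$ClientIp)
    # The connection-lookup URL from the article's step list. Sending the marker IP as clientIP
    # makes CTC match it against the Location list, which is what puts the agent into passive mode.
    return "https://ctc.threatpulse.com/ctc/rest/v1/connectionLookup/ua?customerId=$TenantId&clientIP=$ClientIp"
}

if (-not (Test-InOffice)) {
    # The article only describes the office case; off-site the settings are left untouched
    # so the agent keeps protecting the user. Nothing is written to the agent here.
    Write-Output 'Off-site: leaving WSS Agent settings unchanged.'
    exit 0
}

$ctcUrl = Get-PassiveCtcUrl -TenantId $TenantId -ClientIp $MarkerLocationIp

# Article step: wssad.exe -p ctcurl=<url>. The value is passed as one quoted argument so the
# '&' inside the URL is not interpreted by the shell.
& $WssAdPath -p "ctcurl=$ctcUrl"
if ($LASTEXITCODE -ne 0) { throw "wssad.exe returned exit code $LASTEXITCODE" }

# Article step: restart the agent so the new lookup URL takes effect, then confirm it shows passive.
Restart-Service -Name $WssServiceName -Force
Write-Output 'In office: WSS Agent pointed at the marker-IP lookup URL and restarted.'
```

Two practical points: the article runs wssad.exe from an elevated prompt, so a per-user logon script usually lacks the rights to apply it; deploying this as a Computer Configuration startup script (which runs as LocalSystem) avoids that. And if the command is typed into cmd.exe by hand instead, the ctcurl value must be wrapped in double quotes, because cmd treats an unquoted `&` as a command separator and would truncate the URL before `clientIP`.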

Additional Information

Other options may exist, but did not apply in this case:

  • There is a slight chance that they use the same Internet provider for all of their locations, in which case the Cloud SWG admin could specify one or more huge subnets as locations that include all the public IPs the provider could possibly assign. This would only help if the users in the home offices all used the same providers.
  • Enable the option to allow users to manually disable the Agent.