How to configure mobile devices so that only ZTNA traffic, and not Web traffic, is sent to Cloud SWG

Article ID: 428033

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using WSS/SEP mobile agents.

A ZTNA integration with Cloud SWG exists so that the agent users can access internal applications.

The Cloud SWG admin has been asked to stop Web traffic from the SEP mobile users from going into Cloud SWG, while traffic destined for ZTNA segment applications must still go through Cloud SWG.

The SEP mobile policy has no option to bypass Web traffic.

The Cloud SWG ATM configuration has no 'Web traffic interception' rule that would let the SEP mobile users bypass web inspection so that their traffic could be sent DIRECTLY.

ATM traffic bypasses cannot be applied to mobile agents either.

Environment

SEP mobile.

SESC.

Cloud SWG.

ZTNA.

WSS Agents on Windows/macOS.

Cause

Cloud SWG admin UI limitation for SEP mobile devices.

Resolution

If we need SEP mobile Web traffic to go direct, but the Windows/macOS Web traffic to go into Cloud SWG, the best option would be to install the Windows/macOS agents with device tags.

The Cloud SWG admin would then:

  • create a Web traffic intercept rule for the Windows/macOS device tags, so that this traffic is intercepted and anything else is not, and
  • have a ZTNA traffic interception rule for all devices.

NOTE: If SAML authentication is enabled for all agents and the Entra traffic is to be sent via Cloud SWG, the SAML login domain (e.g. 'login.microsoftonline.com' for the Entra identity provider) should be added to the 'Always intercept' ATM policy. Since the SEP mobile agents are not intercepting Web traffic, the Entra traffic will be sent direct by default unless it is added to the 'Always intercept' ATM policy. Adding it overrides the 'Traffic interception' rule and sends that traffic into the Cloud SWG proxy.
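
The routing outcome the resolution and the note aim for can be written down as a small decision model and used as an expected-results matrix when testing the rules from a tagged desktop and from a SEP mobile device. This is an added example, not Broadcom code and not how Cloud SWG evaluates policy internally. The device tags, the ZTNA segment domain, the dot-bounded host matching and the ordering of 'Always intercept' ahead of the ZTNA rule are assumptions made for the model.

```python
# Added model of the intended routing outcome; not Cloud SWG's evaluation engine.
from dataclasses import dataclass

# All values below are constructed for illustration.
ALWAYS_INTERCEPT = {"login.microsoftonline.com"}       # SAML IdP domain from the note
ZTNA_SEGMENT_DOMAINS = {"apps.corp.example"}           # hypothetical ZTNA segment
WEB_INTERCEPT_TAGS = {"windows-agent", "macos-agent"}  # hypothetical device tags


@dataclass(frozen=True)
class Device:
    name: str
    tags: frozenset = frozenset()   # SEP mobile devices carry no tag in this model


def _matches(host: str, domains: set) -> bool:
    """Exact host or dot-bounded subdomain match (no loose substring match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def route(device: Device, host: str) -> str:
    """Return where the model expects traffic to go, in precedence order."""
    if _matches(host, ALWAYS_INTERCEPT):
        return "cloud-swg"        # 'Always intercept' overrides the rules below
    if _matches(host, ZTNA_SEGMENT_DOMAINS):
        return "cloud-swg-ztna"   # ZTNA interception rule: all devices
    if device.tags & WEB_INTERCEPT_TAGS:
        return "cloud-swg"        # Web intercept rule: tagged desktops only
    return "direct"               # everything else, e.g. SEP mobile Web traffic


def expected_matrix(devices, hosts):
    """Build {(device, host): route} to compare against observed behaviour."""
    return {(d.name, h): route(d, h) for d in devices for h in hosts}


LAPTOP = Device("win-laptop", frozenset({"windows-agent"}))
PHONE = Device("sep-mobile-phone")
HOSTS = ["www.example.org", "crm.apps.corp.example",
         "login.microsoftonline.com", "login.microsoftonline.com.example.net"]

if __name__ == "__main__":
    for key, where in expected_matrix([LAPTOP, PHONE], HOSTS).items():
        print(key, "->", where)
```

The last sample host is a lookalike that only starts with the IdP name; the model sends it direct from the phone, which is the case to confirm when checking that the 'Always intercept' entry covers the login domain and nothing broader.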