specific domain should only be accessible when WSS Agent user connected to third-party VPN

Article ID: 436263


Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

A Cloud SWG admin requires that a specific domain be accessible only when WSS Agent users are connected to a third-party split-tunnel VPN. When users are not connected to the third-party VPN, traffic to the same domain should be blocked.

Environment

WSS Agent

Third-party VPN with split-tunnel

Resolution

To ensure the target domain is accessible only when WSS Agent users are connected to the third-party split-tunnel VPN, follow these configuration steps:

Step 1: Route CTC Traffic via third-party VPN

  • Configure the third-party VPN client to route traffic for the domain ctc.threatpulse.com through the VPN gateway.

Step 2: Identify third-party VPN Egress IP

  • Once the configuration in Step 1 is complete, identify the public egress IP address by following these instructions:

    1. Connect to the third-party VPN.
    2. Reconnect the WSS Agent.
    3. Open the Support tab in the WSS Agent and check the logs.
    4. Search for the line beginning with "CTC Response".

    The IP address shown in the log (e.g., CTC Response ACTIVE(GEOIP) - egress: [XXX.XXX.XXX.XXX]) is your third-party VPN egress IP.

Step 3: Configure Traffic Bypass rule in Agent Traffic Manager (ATM)

  • Configure a Traffic Bypass rule in ATM with the egress IP determined in Step 2 and the target domain (e.g., example.com) in Destination. For detailed steps, refer to the link.

Step 4: Configure Content Filtering rule to block traffic for target domain (e.g., example.com)

  1. Navigate to Policy > Content Filtering.
  2. Create a rule to Block the target domain (e.g., example.com) based on the desired Source criteria.
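The following Python script is an added illustration and is not part of the article or of Broadcom's tooling. It shows two things a practitioner would want to check when applying Steps 2 to 4: how to pull the egress IP out of the "CTC Response" line of the WSS Agent support log (Step 2), and how the combination of an ATM bypass rule and a Content Filtering block rule is expected to behave (Steps 3 and 4). The log sample, the timestamps, the IP addresses and the policy model are constructed assumptions for the example; only the "CTC Response ... egress: [...]" fragment follows the format quoted in the article, and the policy evaluation is a simplified model, not Cloud SWG's actual engine.

```python
import re
from ipaddress import ip_address
from typing import List, Optional, Tuple

# Constructed sample of WSS Agent Support-tab log output (assumption for this
# example). Only the "CTC Response" line follows the format quoted in the
# article; the other lines and the timestamps are invented for illustration.
SAMPLE_LOG = """\
10:00:01 Agent service started
10:00:02 CTC Response ACTIVE(GEOIP) - egress: [203.0.113.45]
10:00:03 Tunnel to Cloud SWG established
"""

# Matches the egress IP in square brackets on a "CTC Response" line.
CTC_EGRESS_RE = re.compile(r"CTC Response.*?egress:\s*\[([^\]]+)\]")


def find_ctc_egress(log_text: str) -> Optional[str]:
    """Return the egress IP reported on the first 'CTC Response' line, or None.

    The value is validated as an IP address so that a malformed log line
    cannot slip an arbitrary string into the ATM bypass rule you create next.
    """
    for line in log_text.splitlines():
        m = CTC_EGRESS_RE.search(line)
        if not m:
            continue
        candidate = m.group(1).strip()
        try:
            return str(ip_address(candidate))
        except ValueError:
            continue  # not an IP address; keep scanning rather than trusting it
    return None


def _host_matches(host: str, domain: str) -> bool:
    """True if host equals domain or is a subdomain of it (case-insensitive)."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def decide(egress_ip: str, dest_host: str,
           bypass_rules: List[Tuple[str, str]],
           block_domains: List[str]) -> str:
    """Simplified model (assumption) of the policy built in Steps 3 and 4.

    A bypass rule is (egress IP, destination domain). It is evaluated first
    because a bypassed flow never reaches Cloud SWG content filtering. Any flow
    that does reach Cloud SWG is blocked if its host matches a blocked domain.
    Returns "BYPASS", "BLOCK" or "ALLOW".
    """
    for rule_ip, rule_domain in bypass_rules:
        if ip_address(rule_ip) == ip_address(egress_ip) and _host_matches(dest_host, rule_domain):
            return "BYPASS"
    for domain in block_domains:
        if _host_matches(dest_host, domain):
            return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    vpn_egress = find_ctc_egress(SAMPLE_LOG)
    print("VPN egress IP from log:", vpn_egress)
    bypass = [(vpn_egress, "example.com")]   # Step 3: ATM bypass rule
    block = ["example.com"]                  # Step 4: Content Filtering block
    cases = [(vpn_egress, "example.com"),        # on VPN  -> bypassed
             ("198.51.100.7", "example.com"),    # off VPN -> blocked
             ("198.51.100.7", "docs.example.org")]  # unrelated host -> allowed
    for egress, host in cases:
        print(f"egress={egress:<14} host={host:<18} -> {decide(egress, host, bypass, block)}")
```

The model makes the dependency explicit: the bypass only matches while Cloud SWG sees the VPN's egress address, so if the VPN provider uses more than one egress IP, or changes it, each address must appear in the ATM rule or the domain falls through to the block rule even for VPN-connected users.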