How to configure WSSA to manually connect to a Data Center
search cancel

How to configure WSSA to manually connect to a Data Center


Article ID: 200262


Updated On:


Cloud Secure Web Gateway - Cloud SWG


WSS Agent users are typically connected to their nearest data center based on responses from Cloud SWG Cloud Traffic Controller service (CTC).

The CTC service determines the nearest data center to connect to based on the GEO location of the users egress IP.

In certain cases, it may be useful to test against a different data center to verify whether the issue/problem being experienced is specific to one data pod versus another.

This possible with WSSA, and helpful in terms of troubleshooting - It should only be done as part of the troubleshooting process to narrow down communication issues. 


WSS Agent connecting to Cloud SWG.


Note! This is meant for troubleshooting and debugging purposes only, and configuring this will require disabling Tamper Protection (which customers should NOT do long-term, and is a potential security risk).

To control where the WSSA client connects to, the wssad application is used. The admin must first disable tamper protection for WSSA in the WSS Portal, and then use the following syntax on the workstation:

Windows - run from Administrator command prompt

"C:\Program Files\Symantec\WSS Agent\wssad.exe" -p dpOverride=<IPAddr_Of_DataCenter>

where the data center IP addresses are available from the Cloud SWG support team when troubleshooting WSS Agent issues.

After completing the test, make sure that you remove the option else the user will continue to go to this IP address. To remove the option, simply run:

"C:\Program Files\Symantec\WSS Agent\wssad.exe" -e dpOverride

macOS (Catalina and prior) - using sudo to run as root

To switch to another data center use:

/opt/symantec/wssa/wssad -p dpOverride=<IPAddr_Of_DataCenter> 

 and to remove the change and revert to CTC:

/opt/symantec/wssa/wssad -e dpOverride

macOS (Big Sur and later) - using sudo to run as root

To switch to another data center use:

sudo "/Applications/Symantec WSS" -p dpOverride=<IPAddr_Of_DataCenter>

And to remove the change and revert to CTC:

sudo "/Applications/Symantec WSS" -e dpOverride

Additional Information

If this is needed for a handful of users on a regular basis, and Admin does not want to disable tamper detection globally for all users on tenant, the following install option will allow dpOverride changes without disabling tamper detection:

\path\to\install.msi TPE=0 

Once installed, dpOverride can be executed successfully even when tamper detection is enabled.

To install an agent and persistently send them automatically to the same DC, the following options can be used at install time

\path\to\install.msi TPE=0 CUSTOM_CONFIG=dpOverride=x.x.x.x 

where x.x.x.x is the IP address of the WSS data center user will connect to.


Note! All failover logic implemented via CTC fails when using this approach. Any data center failures will not result in an automatic switch to nearest available center. Only manual changes with dpOverride will switch data centers when in this mode.