WSS Agent does not go into passive mode
search cancel

WSS Agent does not go into passive mode

book

Article ID: 168621

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The organization has an on-premises Symantec Edge Secure Web Gateway (Edge SWG, formerly ProxySG) that protects the corporate network. To enforce the local policies while users are connected to the corporate network, WSS Agent (WSSA) must go into a passive mode. Passive mode ensures that the on-premise policies take effect on all user devices.

The following log entry indicates where the connection is forcibly closed by the remote host.

<16>[05-24-2016 10:35:05 (UTC+5:30)]: Tunnel error on tunnel(non-interactive-user): (10054) An existing connection was forcibly closed by the remote host

The host does not mean only the data center, but includes intermediate devices such as firewalls, proxies, and so on. If the proxy does not allow the connection to the data center, the WSSA won't be able to establish the connection. The agent is unable to enter passive mode in this case.

Environment

Environment protected with Edge SWG, WSSA on laptops for remote users

Cause

WSSA attempts to establish a connection to  ctc.threatpulse.com, and portal.threatpulse.com, which it must do to determine whether it is on a protected network. When WSSA detects that it is on a protected network, it goes into passive mode automatically.

Resolution

Enforce passive mode on WSSA

Log in to the Cloud SWG portal.

Create an Explicit Proxy location that specifies the public egress IP address for the corporate network following the steps bellow:

  1. Go to "Connectivity > Locations" and select "Add Location"



  2. In the "Add Location" window enter the details into these fields:
    • "Location Name"
    • "Access Method" - select "Explicit Proxy"
    • Specify the the public egress IP address for the corporate network
    • Fill the rest of required information (*) and Save.



  3. Ensure that:

    • Authentication on the on-premises Edge SWG is disabled for: client.threatpulse.net, ctc.threatpulse.com and portal.threatpulse.com
    • SSL interception is disabled for: client.threatpulse.net, ctc.threatpulse.com and portal.threatpulse.com
    • Traffic is allowed on: client.threatpulse.net, ctc.threatpulse.com and portal.threatpulse.com
    • Intermediate devices are checked. If the proxy or firewall does not allow the connection to data center, WSSA cannot detect itself from the portal.
    • Add the Cloud SWG (formerly known as WSS) ingress and egress IP addresses to the ALLOW rule of the proxy or firewall.
Powered by Wolken Software