Channel: Forcepoint Community

Web Endpoint Client Network Diagnostics


Hi

Sorry for multiple posts, my posts don't seem to show up when posted through the cloud service - how ironic!

I'm new to the Cloud Web Security Gateway product (although I have used on-premises Web Security for many years).

I am having a problem with the Web Endpoint client, in that it thinks the Internet is not available and thus remains in Override mode. In our environment our perimeter firewall is locked down and denies most outbound traffic. We opened up the stipulated ports, to the stipulated destinations, as per the product evaluation guide. Filtering by the cloud service works, albeit pretty clunky at the moment.

However, the Endpoint Client sits in the systray with an exclamation mark on it, and when I run the Network Diagnostics test it fails saying 'Internet Access: No'.

The log file (C:\Program Files\Websense\Websense Endpoint\DebugDump.txt) is full of:

WSPXY   [ 10/22/2014 09:59:41.566 ] NetworkDetector[ProxyInternet]: send() failed with error code 10057!

As I said, filtering is working to some extent: if I go to, say, www.whatismyip.com it tells me I am proxied by 'webdefence.global.blackspider.com:8081', and if I try navigating to a more 'interesting' site... I receive the cloud blockpage as expected.

If I move the endpoint off of our corporate network to an unfiltered connection (i.e. standard DSL) then the Endpoint network diagnostic completes successfully, the systray icon has a tick instead of the exclamation mark, and it is no longer in Override mode.

If I nmap the host webdefence.global.blackspider.com on the relevant ports (tcp 80,443,8080-8100), I get the same results from both the corporate network and the DSL connection (same IP address returned, 85.115.54.180):

80 - open
443 - closed
8080 - filtered
8081 - open
8082 - open
8083-8087 - filtered
8088 - open
8089 - open
8090-8100 - filtered

If I run a network trace I can see that both wepsvc.exe and wepdiag.exe try and access www.msncsi.com/ncsi.txt (various IP addresses attempted). The only discernible difference in connectivity between our corp net and the non-corp net is that we don't allow traffic outbound to these IP addresses returned by DNS for www.msncsi.com.

Does the Endpoint client require access to www.msncsi.com in order to be happy the Internet is available?  I can't see that requirement in the documentation.

Am I barking up the wrong tree?

Any advice or suggestions?

Thanks.

David
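
Added example, not part of the original post and not Forcepoint tooling: a small triage script that groups the `NetworkDetector` failures in `DebugDump.txt` by probe, call and Winsock error code, and names the code (10057 is `WSAENOTCONN`, a send on a socket that is not connected). The line layout is assumed from the single log line quoted in the post; every other sample line is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Winsock error codes as defined in the Windows SDK headers.
WINSOCK_ERRORS = {
    10051: "WSAENETUNREACH", 10054: "WSAECONNRESET", 10057: "WSAENOTCONN",
    10060: "WSAETIMEDOUT", 10061: "WSAECONNREFUSED", 10065: "WSAEHOSTUNREACH",
}

# Layout assumed from the one line quoted in the post:
# COMPONENT [ MM/DD/YYYY HH:MM:SS.mmm ] NetworkDetector[PROBE]: CALL() failed with error code N!
LINE_RE = re.compile(
    r"^(?P<component>\S+)\s+\[\s*(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3})\s*\]\s+"
    r"NetworkDetector\[(?P<probe>[^\]]+)\]:\s+(?P<call>\w+)\(\) failed with error code (?P<code>\d+)!"
)

# First line is quoted from the post; the remaining lines are constructed.
SAMPLE_LOG = """\
WSPXY   [ 10/22/2014 09:59:41.566 ] NetworkDetector[ProxyInternet]: send() failed with error code 10057!
WSPXY   [ 10/22/2014 09:59:51.570 ] NetworkDetector[ProxyInternet]: send() failed with error code 10057!
WSPXY   [ 10/22/2014 10:00:01.574 ] NetworkDetector[ProxyInternet]: send() failed with error code 10057!
WSPXY   [ 10/22/2014 10:00:02.100 ] constructed unrelated line that must be skipped
"""

def summarize(text):
    """Return one row per (probe, call, code) with count and first/last timestamps."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a NetworkDetector failure
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
        groups[(m["probe"], m["call"], int(m["code"]))].append(ts)
    return [
        {"probe": probe, "call": call, "code": code,
         "name": WINSOCK_ERRORS.get(code, "unknown"),
         "count": len(stamps), "first": min(stamps), "last": max(stamps)}
        for (probe, call, code), stamps in sorted(groups.items())
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        span = (row["last"] - row["first"]).total_seconds()
        print(f'{row["probe"]} {row["call"]}() {row["code"]} {row["name"]}: '
              f'{row["count"]} failures over {span:.3f}s')
```

Running it over captures taken on the corporate network and on the unfiltered connection shows whether the same probe fails in both places and how often.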

