![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 62%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDA%3C/text%3E%3C/svg%3E)
Microsoft Security | Microsoft Entra | Microsoft Entra Internet Access
Securing internet traffic from devices with identity-aware web filtering and threat protection
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 4%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
Hello Dario ADMIN. Porru,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I will try to help you out in this scenario. So, the issue is a Protocol Mismatch or Traffic Interception Conflict. The GSAC acts as an Identity-Aware Proxy (IAP), inspecting and forwarding all traffic designated by the Internet Access traffic forwarding profile (by default, ports 80/443 TCP).
The ERR_HTTP2_PROTOCOL_ERROR indicates a failure in the communication layer between the client/proxy and the pics.io server over the HTTP/2 protocol. And this is highly common when an intervening proxy (the GSAC service) performs TLS/SSL inspection or otherwise modifies the request headers or the negotiated communication stream. The only reason the site works when the client is paused is that the traffic bypasses the Microsoft Entra Internet Access service entirely, proving the issue lies with the GSAC's traffic acquisition/forwarding.
Before we could proceed further could you please let us know below as:
"Does your organization have a Web Content Filtering policy configured within Global Secure Access (Microsoft Entra Internet Access)?" "Do you want to secure the traffic to pics.io, or is a simple exclusion acceptable?"
Till then will provide you some solution as:
You need to create a Custom Bypass rule in the Internet Access traffic forwarding profile for the problematic Fully Qualified Domain Name (FQDN). This tells the GSAC client to ignore traffic destined for pics.io and let it route directly, resolving the protocol conflict.
The steps below are performed in the Microsoft Entra admin center by a user with the Global Secure Access Administrator role.
- Navigate to Traffic Forwarding Profiles
Sign in to the Microsoft Entra admin center.
Navigate to Global Secure Access > Connect > Traffic forwarding.
- Create the Custom Bypass Rule
In the Internet Access traffic forwarding profile section, locate the Internet Access policies and select the View link and Expand the Custom Bypass policy. This is where you define traffic that should not be acquired by the GSAC client.
Then Select Add rule.
Configure the rule to exclude the website:
- Destination type: Select Fully Qualified Domain Name (FQDN).
- Destination value(s): Enter the domain name:
pics.io - Note: Ensure there are no spaces, and you can also add a wildcard for subdomains, if necessary, such as
*.pics.io.
Select Add.
- Verify the Change
The changes can take a few minutes (up to 20 minutes) to propagate to the GSAC clients, On the affected user's device, right-click the Global Secure Access client icon in the system tray and open Advanced Diagnostics.
Check the Forwarding Profile tab and confirm that pics.io is listed under the Bypass rules.
Attempt to access https://pics.io/. Access should now be successful because the client is bypassing the Microsoft cloud service for this destination.
Please do refer below:
https://learn.microsoft.com/en-us/entra/global-secure-access/concept-clients
Hope this helps!If you need more info or if the above did not work for you, feel free to ask in the comments with extra information asked. Happy to help!
Regards,
Monalisha