Zscaler | ZIA | UKHSA Access Issues

There have been a few tickets regarding issues with accessing resources from UKHSA when working from the office. Here's a brief explanation of why this happens:

UKHSA uses Direct Access, their VPN solution, to reach internal resources. They also publish a PAC file that is meant to send traffic for listed destinations down the local path (bypassing Zscaler) when users work from the office. Any target domain or IP address that is missing from that PAC file is instead sent through Zscaler, so users may be unable to reach those services.

The following scenarios occur:

  1. When a user works from home, these services work because the traffic is covered by their VPN configuration. It bypasses Zscaler and travels over Direct Access into the UKHSA environment, where it is forwarded to the Squid Proxy; Squid then sends it on to the destination from the fixed source IP address the destination is locked to.
  2. When a user works from office 1 and the domain is included in the PAC file, Zscaler bypasses it and local routing sends the traffic to the Squid Proxy, so the user can reach the resource.
  3. When a user works from office 2 and the domain is not included in the PAC file, Zscaler sends the traffic to its data centre (DC) and tries to reach the destination from a Zscaler egress IP address. The destination firewall only permits traffic from specific source IP addresses, so the connection is refused.

For point 3: if a user can connect to a resource from home but not from the office, this is the likely cause. It is still essential to double-check and verify that this is actually the case (for example, confirm the destination domain or IP address is genuinely absent from the PAC file) before making any changes.

See the attachment for the network diagram.