Users are accessing CloudSWG (formerly known as WSS) using the Explicit Proxy access method, but accessing https://pod.threatpulse.com from a browser shows that the user is NOT protected. Note that this is the SSL/HTTPS version of this URL.
Accessing the plain-text (non-SSL) version of the URL http://pod.threatpulse.com from the same browser shows the user is protected (and shows the data-center and pod the user is connected to).
In the user's CloudSWG Portal, TLS/SSL inspection is disabled for many domains (including for: pod.threatpulse.com).
To properly determine "Protected" versus "Not protected" state, the host "pod.threatpulse.com" must have SSL interception enabled.
With TLS/SSL inspection disabled, the additional information (added by the proxy via http headers) is missing so the pod.threatpulse.com processing cannot identify if the user is protected or which pod is used.
If you use the plain-text (non-SSL) version http://pod.threatpulse.com to check if you are protected, the result is always going to be accurate.
For the SSL/HTTPS version of the URL, make sure that TLS/SSL inspection is enabled for: https://pod.threatpulse.com