When you have a WSS integration policy assigned to your SEP client, you need to know if the network traffic, which leaves SEP client towards WSS proxy, is encrypted.
Endpoint Protection and Web Security Services integration
With WTR (Web Traffic Redirection) there are two loopback proxies setup.
The first is to go out to pull down "resolver.pac". This conversation is not encrypted.
The second loopback proxy via resolver.pac is encrypted.
The first connection established by the client to go to WSS is not encrypted, this is only the request to pull resolver.pac. It is not the actual session with the website. The second time through the loopback the traffic during the browsing session is encrypted.
Best Practices SEP and WSS integration: https://knowledge.broadcom.com/external/article/173381/best-practices-for-endpoint-protection-a.html