Integration of WSS to CloudSOC for traffic steering including [WSS-Lite Tenant]

Article ID: 205089


Products

CASB Gateway, Cloud Secure Web Gateway - Cloud SWG, CASB Security Advanced, CASB Security Premium, CASB Security Standard

Issue/Introduction

The CloudSOC Gateway requires Web Security Service (WSS) as part of its infrastructure to decrypt, modify headers and steer traffic to the CloudSOC Gateway. 

CloudSOC customers who wish to use CASB Gateway services but do not have WSS require a lite version of WSS (WSS-lite).

  

Resolution

CASB customers (without a paid WSS subscription) do not have a fully provisioned version of WSS. The subscription ID used to activate it was initially supplied via email to the tenant contact. Moving forward, the subscription ID is made available through the Cloud Portal. This document is a high-level overview of WSS-lite, starting from the point at which the customer has the subscription ID. For detailed implementation steps, consult the in-depth documentation.

High-level steps:

  • Register the WSS-Lite Tenant.
  • Configure WSS
  • Integrate WSS with CASB
  • Integrate Gateway with WSS
  • WSS Agent Settings

 

Register the WSS-Lite Tenant.

Register WSS-Lite with URL: https://portal.threatpulse.com/register

The WSS subscription ID should have been received by email or obtained from the Cloud Portal. 

The email address used for activation should belong to one of the primary or secondary domains in CloudSOC. If a different domain is used, a new secondary domain is created automatically in CloudSOC, which may not be desired.

A link to verify the account and log in to portal.threatpulse.com is sent to the email address used for activation.

 

 

Configure WSS

The login from the email will allow you to run through a configuration servlet.

Configure logging Privacy:

Suggested setting: Log all traffic normally. 

The setting can be changed afterwards. The logs will report gatelet-aware traffic in ThreatPulse using proxy-style logging. This data will be sent to the CASB audit and will provide additional CASB audit detail. Alternatively, the users' IDs can be obfuscated. Support account access can be configured as needed at any time.

 

Do you have Roaming Mobile Users:

Suggested setting: Check the box for roaming users.

This is to enable the WSS Agent and not specifically mobile devices such as phones.

Static location:

Suggested setting: Do not set a static location unless you are proxy forwarding from your local proxy.

A static location is used for proxy forwarding from the on-prem proxy.

Auth Connector:

The auth connector is required when a policy is assigned via a group that CASB is unaware of. It can be configured afterwards as needed.

Integrate WSS with CASB

Settings, Products & Licensing, Linked Products CASB:

Settings:

Company domain: CASB primary domain as seen in CloudSOC Settings.

Integration ID: Support can provide the ID. It is included in the email sent to the customer during CloudSOC on-boarding.

Data storage location: United States or EU. Set it to the geographic location of the CASB tenant.

Retention Time:  1-3.  The number of months that logs remain in CloudSOC.

WSS Agent Settings

WSS Agent settings can be configured to make testing easier and locked down when needed. For more detail on the WSS Agent configuration, see Configuring WSS Agent Connectivity.

 

The WSS sync that makes gatelets available in WSS may happen automatically. If you do not see enabled gatelets appear in WSS, contact CASB Support to enable gatelet support for WSS.

Gatelets can be seen in Policy.

 

Additional Information

This integration of CASB gatelets applies to both full WSS and WSS-lite (CASB only)