Testing WSS accessibility in an agentless CASB-Only deployment would help Admins and support to gather more information about the session, WSS offers a way to do that using a dedicated URL (pod.threatpulse.com)  but it needs some configuration change on the environment, this article goes through the details on how do it.

The agentless deployment relies on the pre-defined domains shared by Cloudsoc, pod.threatpulse.com is not one of them, for this reason, the requests to an undefined domain get blocked since it is not part of the domain-of-interest list.

• WSS CASB-Only tenants (lite)
• Proxy chaining deployment (agentless)
• Endpoints does not have an agent installed

1- Add the WSS testing url's to the proxy forwarding lists

The general guidance on how to configure the proxy chaining for WSS CASB-Only is listed (here)

Add "pod.threatpulse.com" to the domains of interest in the forwarding condition - custom condition name in the KB article is: "CloudSOC_Forward_List" - 

2- Define a new custom gatelet with the WSS testing url's

Log in to Cloudsoc admin console

Define a new custom gatelet (Store > Gatelets > Custom Apps > click on "Create Custom Apps")

Give the custom gatelet any name

Add "pod.threatpulse.com" as a domain for the newly created custom gatelet

Click "Save and Activate"

Allow 5-10 minutes for the auto-sync between Cloudsoc and WSS to take place

3- Test the result on an endpoint

on an agentless endpoint, browse to https://pod.threatpulse.com or http://threatpulse.com 

the expected result is to get a response from WSS saying that "You are Protected!" with the details of the connection (Pod, IP's ..etc)

This solution assumes that the custom gatelet license is purchased and valid.