While testing the Block Notification service with a newer version of the agent, the service does not work at all. The agent does not show "WSSNS" on the agent status UI.
WSS Agent 7.x and above
The customer environment had some firewall rules in place that blocked requests going to the 192.0.2.0/24 network.
This network is designated as TEST-NET-1 and is used internally by the WSS Agent to route traffic from the wssad.exe process to Broadcom Cloud SWG (for example, WSSNS traffic and SAML-related traffic). Normally wssad.exe sends all traffic directly to the Internet, because this process maintains the OpenSSL tunnel to the Cloud SWG PoP.
When TEST-NET-1 is blocked, some of the agent checks that validate whether WSSNS can be used fail. As a result, WSSNS is not used and is not shown on the WSS Agent.
Make sure the TEST-NET-1 network is not blocked on the WSS Agent computers.
The TEST-NET-1 assigned range does not appear on the Internet (and as such is not Internet routable).
192.0.2.0/24 - This block is assigned as "TEST-NET-1" for use in documentation and example code. It is often used in conjunction with domain names example.com or example.net in vendor and protocol documentation. As described in [RFC5737], addresses within this block do not legitimately appear on the public Internet and can be used without any coordination with IANA or an Internet registry. See [RFC1166].
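One way to audit an exported rule list for entries that would block TEST-NET-1, including broader ranges that cover 192.0.2.0/24 without naming it. This is an added example, not Broadcom's code; the rule fields (`name`, `action`, `enabled`, `destination`) and the sample rules are constructed assumptions, so adapt them to your firewall's export format.

```python
import ipaddress

TEST_NET_1 = ipaddress.ip_network("192.0.2.0/24")

def spec_overlaps(spec, target=TEST_NET_1):
    """True if one address spec (any, single IP, CIDR, or start-end range) overlaps target."""
    spec = spec.strip().lower()
    if spec in ("any", "*"):
        return True
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if start.version != target.version:
            return False
        # Two ranges overlap when each one starts before the other ends.
        return start <= target.broadcast_address and end >= target.network_address
    net = ipaddress.ip_network(spec, strict=False)  # a bare IP becomes a /32
    return net.version == target.version and net.overlaps(target)

def blocking_rules(rules, target=TEST_NET_1):
    """Return (rule name, matching specs) for enabled block rules that touch target.

    This only lists candidates; rule ordering and priority are not evaluated.
    """
    hits = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        if rule["action"].lower() not in ("block", "deny", "drop"):
            continue
        specs = [s.strip() for s in rule["destination"].split(",") if s.strip()]
        matched = [s for s in specs if spec_overlaps(s, target)]
        if matched:
            hits.append((rule["name"], matched))
    return hits

# Constructed sample export (hypothetical field names and rules).
SAMPLE_RULES = [
    {"name": "Allow web", "action": "allow", "enabled": True, "destination": "any"},
    {"name": "Block documentation ranges", "action": "block", "enabled": True,
     "destination": "192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24"},
    {"name": "Block 192.0/16", "action": "deny", "enabled": True, "destination": "192.0.0.0/16"},
    {"name": "Block range", "action": "block", "enabled": True, "destination": "192.0.1.200-192.0.2.50"},
    {"name": "Block RFC1918", "action": "block", "enabled": True,
     "destination": "10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16"},
    {"name": "Old block", "action": "block", "enabled": False, "destination": "192.0.2.0/24"},
    {"name": "Block v6 doc", "action": "block", "enabled": True, "destination": "2001:db8::/32"},
]

if __name__ == "__main__":
    for name, matched in blocking_rules(SAMPLE_RULES):
        print(f"{name}: blocks TEST-NET-1 via {', '.join(matched)}")
```

Any rule it reports is a candidate to remove or to exempt for the WSS Agent computers; whether it actually takes effect depends on rule order in your firewall.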