Required firewall ports for Web Security Service for each access method.

Article ID: 167455

Products

Web Security Service - WSS

Issue/Introduction

Symantec Web Security Service (WSS)

Some ports must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.
The ports vary depending upon the configured WSS access methods.

To resolve proxy.threatpulse.net to the IP address(es) for your geographical region, refer to Data Center IP Addresses.

Resolution

All firewall rules must allow outbound connections to the following ports:

http://portal.threatpulse.com/docs/sol/reference/ref-openports.htm

Firewall/VPN (IPSEC):

  • 80/443
  • UDP 500 (ISAKMP)
  • UDP 4500 if the firewall is behind a NAT.

Proxy Forwarding:

  • Port 8080 to proxy.threatpulse.net
  • Port 8443 to proxy.threatpulse.net
  • Port 8084 to proxy.threatpulse.net

Remote Users: (Mobility client)

  • Port 443 to client.threatpulse.net
  • Port 443 to proxy.threatpulse.net
  • Port 80 and 443 to portal.threatpulse.net (199.19.250.192)

Transproxy:

  • See link above.

Explicit Proxy:

  • See link above.

MDM Integration: (for example, Airwatch)

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT-T)

Authentication: (BCCA.exe)

  • Port 443 to auth.threatpulse.com (199.19.250.193 & 199.116.168.193)
  • Port 443 to portal.threatpulse.net (199.19.250.192)
  • Note: In an IPSEC deployment, BCCA must also be able to reach the authentication servers of the same data pod where the IPSEC tunnel terminates. Refer to Authentication IP addresses for Web Security Service data centers for more detail.

Authentication: (ACLogon.exe; log-in script for sending logged-in credentials directly to BCCA.)

  • Port 80 from all clients to BCCA server

SAML:

  • Port 8443 to saml.threatpulse.net

Roaming Captive Portal:

  • Port 8080 to proxy.threatpulse.com
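
To confirm that an egress rule set actually permits the TCP endpoints listed above, the following added example (not Symantec code) probes each host and port from inside the network and separates silent drops from resets and DNS failures. The function names and dictionary keys are assumptions made for this example. Entries without a hostname on this page (Firewall/VPN, Transproxy, Explicit Proxy, the ACLogon-to-BCCA rule) are left out.

```python
import socket

# TCP endpoints copied from the lists above, keyed by access method.
# UDP 500/4500 (IPsec, MDM) are omitted: a TCP connect cannot test them.
WSS_TCP_ENDPOINTS = {
    "proxy_forwarding": [("proxy.threatpulse.net", p) for p in (8080, 8443, 8084)],
    "remote_users": [("client.threatpulse.net", 443),
                     ("proxy.threatpulse.net", 443),
                     ("portal.threatpulse.net", 80),
                     ("portal.threatpulse.net", 443)],
    "authentication_bcca": [("auth.threatpulse.com", 443),
                            ("portal.threatpulse.net", 443)],
    "saml": [("saml.threatpulse.net", 8443)],
    "roaming_captive_portal": [("proxy.threatpulse.com", 8080)],
}

def probe(host, port, timeout=3.0):
    """Classify one outbound TCP attempt.

    'timeout' usually means a firewall is silently dropping the SYN,
    'refused' means something answered with a reset (reject rule or closed port),
    'dns' means the name did not resolve from this network.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"

def check_method(method, endpoints=WSS_TCP_ENDPOINTS, timeout=3.0):
    """Probe every endpoint of one access method; return {(host, port): status}."""
    return {(h, p): probe(h, p, timeout) for h, p in endpoints[method]}

def blocked(results):
    """Endpoints whose status is anything other than 'open', sorted for stable output."""
    return sorted(ep for ep, status in results.items() if status != "open")

if __name__ == "__main__":
    import sys
    for method in sys.argv[1:] or WSS_TCP_ENDPOINTS:
        for (host, port), status in check_method(method).items():
            print(f"{method:24} {host}:{port:<5} {status}")
```

Run it from a host that sits behind the firewall being validated, passing one or more access-method keys as arguments, or no arguments to check them all.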

Internal ports: (between BCCA server and Domain Controllers)