Required firewall ports for Web Security Service for each access method.


Article ID: 167455


Updated On:


Web Security Service - WSS


Symantec Web Security Service (WSS)

Some ports must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.
The ports vary depending upon the configured WSS access methods.

For converting to your relevant geographical IP address(es), refer to Data Center IP Addresses.


All firewall rules must allow outbound connections to the following ports:

Reference: Required Locations, Ports, and Protocols

Firewall/VPN (IPSEC):

  • 80/443
  • UDP 500 (ISAKMP)
  • UDP 4500 if firewall is behind a NAT.

Proxy Forwarding:

  • Port 8080 to
  • Port 8443 to
  • Port 8084 to

Remote Users: (Mobility client)

  • Port 443 to
  • Port 443 to
  • Port 80 and 443 to (


  • See link above.

Explicit Proxy:

  • See link above.

MDM Integration: (for example, Airwatch)

  • UDP 500 (ISAKMP)
  • UDP 4500 (NAT-T)

Authentication: (BCCA.exe)

  • Port 443 to ( &
  • Port 443 to (
  • Note: In an IPSEC deployment, BCCA must also be able to talk to the same data pods authentication servers where the IPSEC tunnel terminates. Please refer to Authentication IP addresses for Web Security Service data centers for more detail.

Authentication: (ACLogon.exe; log-in script for sending logged-in credentials directly to BCCA.)

  • Port 80 from all clients to BCCA server


  • Port 8443 to

Roaming Captive Portal:

  • Port 8080 to

Internal ports: (between BCCA server and Domain Controllers)