Web Security Service (WSS) hostnames for explicit and proxy forwarding

book

Article ID: 208150

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

What are the in-country or POP-specific hostnames for explicit proxy, SEP WTR and/or proxy forwarding redirection methods?
What are the additional WSS endpoints to avoid port exhaustion issues using explicit or proxy forwarding access methods?

Cause

Users accessing WSS via SEP WTR, Explicit or Proxy Forwarding access methods GEO located to wrong WSS datacenter
Port exhaustion causing users to experience TCP connection and performance problems going through WSS service from on-premise NAT gateways, or on-premise ProxySG servers.

Environment

Explicit, SEP WTR and Proxy Forwarding Access methods

Resolution

The following guide offers WSS administrators the ability to

- Add custom entries into PAC files to force traffic to country specific WSS POPs (Alternate Options for Explicit Redirection),  and/or
- Point to multiple WSS explicit endpoints to balance traffic across multiple WSS pods and avoid port exhaustion issues with WSS (Multiple hostnames for Proxy Forwarding).


WARNING: These options should only be used by experienced individuals who understand the implications of manual traffic redirection. Manual data center selection may result in poor performance, reduced fault tolerance, and invalidation of relevant SLA claims. 


Alternate Options for Explicit Redirection

The table below provides POP and country-specific hostnames for explicit traffic redirection, allowing customers to force traffic to a specific POP or set of POPs within a country, where applicable. This method of redirection is not recommended because it limits the number of available POPs for fault tolerance, removes Symantec’s ability to control which POPs users connect to compensate for outages and maintenance events, and may result in poor performance for roaming users. In the unlikely event that all data centers within a country are simultaneously unavailable, the service will redirect traffic to the nearest alternate data center outside of the country.


Multiple hostnames for Proxy Forwarding

  • Customers experiencing port exhaustion issues with explicit or proxy forwarding access method described above, have the option to redirect explicit and proxy forwarding traffic to up to six hostnames per POP; each resolving to a unique IP address, per this naming convention:

[POP codename]-vip[1-6].threatpulse.net

  • Where [data center codename] is a codename from the table below.

  • Where [1-6] is a number 1 through 6 for each of the available six IP addresses.

  • Using the Tokyo (GJPTK1) POP as an example, the available hostnames, each resolving to a different public ingress IP address, are:

    gjptk1-vip1.threatpulse.net
    gjptk1-vip2.threatpulse.net
    gjptk1-vip3.threatpulse.net
    gjptk1-vip4.threatpulse.net
    gjptk1-vip5.threatpulse.net
    gjptk1-vip6.threatpulse.net

 

WSS hostnames

AMERICAS
Location (Codename) Ingress Hostname* (explicit and proxy forwarding) Country-specific ingress hostname
Buenos Aires, Argentina (GARBA1) garba1-vip1.threatpulse.net ar.proxy.threatpulse.net

Columbia, South Carolina (GUSCO1) formerly GUSMI

gusco1-vip1.threatpulse.com us.proxy.threatpulse.net

Des Moines, Iowa (GUSDM1) formerly GUSCH

gusdm1-vip1.threatpulse.net us.proxy.threatpulse.net
Des Moines, Iowa (GUSDM2) formerly GUSDA gusdm2-vip1.threatpulse.net us.proxy.threatpulse.net
Des Moines, Iowa (GUSDM3) formerly GUSDV gusdm3-vip1.threatpulse.net us.proxy.threatpulse.net
Las Vegas, Nevada (GUSLV1) guslv1-vip1.threatpulse.net us.proxy.threatpulse.net
Los Angeles, California (GUSLA1) formerly GUSSC gusla1-vip1.threatpulse.net us.proxy.threatpulse.net
Mexico City, Mexico (GMXMC1) gmxmc1-vip1.threatpulse.net mx.proxy.threatpulse.net
Montreal, Canada (GCAMO1) gcamo1-vip1.threatpulse.net ca.proxy.threatpulse.net
Portland, Oregon (GUSPO1) formerly GUSSE guspo1-vip1.threatpulse.net us.proxy.threatpulse.net
Sao Paolo, Brazil (GBRSP1) gbrsp1-vip1.threatpulse.net br.proxy.threatpulse.net
Toronto, Canada (GCATO1) gcato1-vip1.threatpulse.net ca.proxy.threatpulse.net
Washington, DC (GUSAS1) gusas1-vip1.threatpulse.net us.proxy.threatpulse.net
Washington, DC (GUSAS2) formerly GUSSA gusas2-vip1.threatpulse.net us.proxy.threatpulse.net
APAC
Auckland, New Zealand (GNZAU1) gnzau1-vip1.threatpulse.net nz.proxy.threatpulse.net
Beijing, China (PEK1) pek1-vip1.threatpulse.net cn.proxy.threatpulse.net
Hong Kong, China (GCNHK1) gcnhk1-vip1.threatpulse.net hk.proxy.threatpulse.net
Mumbai, India (GINMU1) ginmu1-vip1.threatpulse.net in.proxy.threatpulse.net
Mumbai, India (GINMU2) ginmu2-vip1.threatpulse.net in.proxy.threatpulse.net
Osaka, Japan (GJPOS1) gjpos1-vip1.threatpulse.net jp.proxy.threatpulse.net
Seoul, South Korea (GKRSE1) gkrse1-vip1.threatpulse.net kr.proxy.threatpulse.net
Shanghai, China (SHA1) sha1-vip1.threatpulse.net cn.proxy.threatpulse.net
Singapore (GSGRS1) gsgrs1-vip1.threatpulse.net sg.proxy.threatpulse.net
Sidney, Australia (GAUSY1) gausy1-vip1.threatpulse.net au.proxy.threatpulse.net
Taipei, Taiwan (GTWTA1) gtwta1-vip1.threatpulse.net tw.proxy.threatpulse.net
Tokyo, Japan (GJPTK1) gjptk1-vip1.threatpulse.net jp.proxy.threatpulse.net
Wellington, New Zealand (GNZWL1) gnzwl1-vip1.threatpulse.net nz.proxy.threatpulse.net
EMEA

Abu Dhabi, UAE (GAEAD1)

gaead1-vip1.threatpulse.net ae.proxy.threatpulse.net
Amsterdam, the Netherlands (GNLAM1) gnlam1-vip1.threatpulse.net nl.proxy.threatpulse.net
Bucharest, Romania (GROBU1) grobu1-vip1.threatpulse.net ro.proxy.threatpulse.net
Copenhagen, Denmark (GDKCP1) gdkcp1-vip1.threatpulse.net dk.proxy.threatpulse.net

Dubai, UAE (GAEDX1)

gaedx1-vip1.threatpulse.net ae.proxy.threatpulse.net
Dublin, Ireland (GIEDU1) giedu1-vip1.threatpulse.net ie.proxy.threatpulse.net
Frankfurt, Germany (GDEFR1) gdefr1-vip1.threatpulse.net de.proxy.threatpulse.net
Frankfurt, Germany (GDEFR2) formerly GDEMU gdefr2-vip1.threatpulse.net de.proxy.threatpulse.net
Helsinki, Finland (GFIHE1) gfihe1-vip1.threatpulse.net fi.proxy.threatpulse.net

Johannesburg, South Africa (GZAJB1)

gzajb1-vip1.threatpulse.net za.proxy.threatpulse.net
Madrid, Spain (GESMA1) gesma1-vip1.threatpulse.net es.proxy.threatpulse.net
Middlesex, England (GGBLO1) ggblo1-vip1.threatpulse.net uk.proxy.threatpulse.net
Middlesex, England (GGBLO2) formerly GGBLR ggblo2-vip1.threatpulse.net uk.proxy.threatpulse.net
Milan, Italy (GITMI1) gitmi1-vip1.threatpulse.net it.proxy.threatpulse.net
Oslo, Norway (GNOOS1) gnoos1-vip1.threatpulse.net no.proxy.threatpulse.net
Paris, France (GFRPA1) gfrpa1-vip1.threatpulse.net fr.proxy.threatpulse.net
Stockholm, Sweden (GSESK1) gsesk1-vip1.threatpulse.net se.proxy.threatpulse.net
Tel Aviv, Israel (GILTA1) gilta1-vip1.threatpulse.net il.proxy.threatpulse.net
Turin, Italy (GITTU1) gittu1-vip1.threatpulse.net it.proxy.threatpulse.net
Zurich, Switzerland (GCHZU1) gchzu1-vip1.threatpulse.net ch.proxy.threatpulse.net

* Before redirecting explicit or proxy-forwarding traffic to POP or country-specific hostnames, be sure to review the information at the top of this article to avoid performance and fault tolerance issues. IPsec connections must use the IPsec ingress IP address.  Please see article 167174 for details.

 

POP Types

Compute POP - A point of presence that contains physical compute infrastructure.

VPOP - Virtual point of presence.  VPOPs are hosted in a compute POP in another locale and provide content localization for users in a specific country. Performance is maintained for VPOP transactions thanks to our global private network that minimizes use of congested public internet routes.