Required ports, protocols, and services for the Cloud SWG (Web Security Service) appliance

Article ID: 260188

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Most Cloud SWG connectivity and authentication methods require communication through specific ports, protocols, and locations. If you have firewall rules in place, use this reference to verify the ports and services that must be opened to allow connectivity.

Resolution

Connectivity Methods

Cloud SWG portal access URL
For the administration of your Cloud SWG policy and configuration.
  • Port(s): 443
  • Resolves To:
    • portal.threatpulse.com: 35.245.151.224, 34.82.146.64
    • Partner Portal Functionality: 35.245.151.231, 34.82.146.71

Firewall/VPN (IPsec)
  • Port(s): UDP 500 (ISAKMP); UDP 4500 if the firewall is behind a NAT.
  • Protocol: IPsec/ESP

Proxy Forwarding
  • Port(s): TCP 8080/8443; TCP 8084*
  • Protocol: HTTP/HTTPS
  • Resolves To: proxy.threatpulse.net

    * Use when the forwarding host is configured for local SSL interception.

Explicit Proxy
SEP PAC File Management System or Default PAC file
  • Port(s): TCP 443; Default PAC file: TCP 8080
  • Resolves To:
    • Firewall rules to allow PFMS access:
      • By hostname: pfms.wss.symantec.com
      • By IP Address: 34.120.17.44

      The following addresses were used before November 7, 2020. They are acceptable for backup and failover until Broadcom announces their decommissioned status.

      • 35.155.165.94
      • 35.162.233.131
      • 52.21.20.251
      • 52.54.167.220
      • 199.247.42.187
      • 199.19.250.187

    • The default PAC file directs browser traffic to proxy.threatpulse.net

Explicit Over IPsec (Trans-Proxy)
All traffic is transmitted from your network to Cloud SWG in this deployment method. Two scenarios are common.
  • On-premises ProxySG appliance.

    Explicit browser settings direct traffic to the proxy, which forwards that traffic to the Cloud SWG through a configured IPsec tunnel.

  • Explicit settings in the browser pointed to ep.threatpulse.net

    Direct all firewall traffic destined for ep.threatpulse.net to Cloud SWG through your configured IPsec tunnel.

  • Port(s): UDP 500 (ISAKMP); UDP 4500 if the firewall is behind a NAT.
  • Resolves To:
    • ep.threatpulse.net resolves to 199.19.250.205
    • ep-all.threatpulse.net returns the following response.
      • 199.19.248.205
      • 199.19.250.205
      • 199.19.250.206
      • 199.19.250.207
      • 199.19.250.208
      • 199.19.250.209
      • 199.19.250.210
      • 199.19.250.211
      • 199.19.250.212
      • 199.19.250.213
      • 199.19.250.214
    • ep-roundrobin.threatpulse.net returns all IPs in a round-robin fashion; each two-minute Time-To-Live (TTL) period returns a different address.

WSS Agent
  • Port(s): TCP/UDP 443
  • Protocol: TLS/SSL
  • Resolves To:
    • ctc.threatpulse.com on TCP port 443 (for configuration)
    • portal.threatpulse.com on TCP port 443 (for downloading updates)
    • TCP port 80, TCP port 443, and UDP port 443 to all the datapods listed in the following article (see the Ingress and Egress section)

SEP Web and Cloud Protection

Hybrid Policy
  • Resolves To: On-Premises Policy Management (sgapi.threatpulse.com and sgapi.es.bluecoat.com).
    • 35.245.151.229
    • 34.82.146.69

    If connectivity to Cloud SWG is behind stringent firewall rules, adjust the rules to allow traffic to pass to these IP addresses on port 443.

Authentication

Auth Connector
  • Port(s): TCP 443
  • Protocol: TLS/SSL
  • Resolves To:
    • to auth.threatpulse.com: 35.245.151.226, 34.82.146.65
    • portal.threatpulse.com
  • Additional Required Information: Cloud SWG Authentication IP Addresses

Auth Connector to Active Directory
  • Port(s): TCP 139, 445; Protocol: SMB
  • Port(s): TCP 389; Protocol: LDAP
  • Port(s): TCP 3268; Protocol: ADSI LDAP
  • Port(s): TCP 135; Protocol: Location Services
  • Port(s): TCP 88; Protocol: Kerberos
  • Port(s): 49152 - 65535; Protocol: TCP. If installed on a new Windows Server 2012 Member rather than a Domain Controller.

AC-Logon App
  • Port(s): TCP 80
  • Resolves To: Port 80 from all clients to the server.

SAML
  • Port(s): TCP 8443 (over VPN)
  • Protocol: Explicit and IPSec
  • Resolves To: to saml.threatpulse.net

Roaming Captive Portal
  • Port(s): TCP 8080
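
The port 443 destinations listed in the connectivity and authentication sections above can be checked against an egress allow-list before deployment. The following is an added example, not Broadcom code: the Rule shape, the function names, and SAMPLE_RULES are hypothetical, the rule set is constructed, and TCP is assumed where the page gives only "443".

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    """One egress allow rule (hypothetical shape, not a vendor format)."""
    dest: str     # destination CIDR
    proto: str    # "tcp" or "udp"
    ports: range  # allowed destination ports

# Port 443 destinations copied from the tables on this page.
# Assumption: TCP where the page gives only "443" or "port 443".
REQUIRED = [
    ("Portal (portal.threatpulse.com)", "tcp", 443, ["35.245.151.224", "34.82.146.64"]),
    ("Partner Portal Functionality", "tcp", 443, ["35.245.151.231", "34.82.146.71"]),
    ("PFMS (pfms.wss.symantec.com)", "tcp", 443, ["34.120.17.44"]),
    ("Hybrid Policy (sgapi)", "tcp", 443, ["35.245.151.229", "34.82.146.69"]),
    ("Auth Connector (auth.threatpulse.com)", "tcp", 443, ["35.245.151.226", "34.82.146.65"]),
]

def allowed(rules, ip, proto, port):
    """True if one rule matches destination, protocol, and port together."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r.dest, strict=False)
               and r.proto == proto and port in r.ports for r in rules)

def missing(rules):
    """Required (service, ip, proto, port) tuples that no rule permits."""
    return [(svc, ip, proto, port)
            for svc, proto, port, ips in REQUIRED
            for ip in ips
            if not allowed(rules, ip, proto, port)]

# Constructed sample rule set containing typical mistakes.
SAMPLE_RULES = [
    Rule("35.245.151.224/32", "tcp", range(443, 444)),
    Rule("34.82.146.64/32", "tcp", range(443, 444)),
    Rule("35.245.151.231/32", "tcp", range(443, 444)),
    Rule("34.82.146.71/32", "tcp", range(443, 444)),
    Rule("34.120.17.44/32", "tcp", range(8080, 8081)),   # wrong port
    Rule("35.245.151.229/32", "udp", range(443, 444)),   # wrong protocol
    Rule("34.82.146.69/32", "tcp", range(1024, 65536)),  # range skips 443
    Rule("35.245.151.226/32", "tcp", range(443, 444)),   # 34.82.146.65 omitted
]

if __name__ == "__main__":
    for svc, ip, proto, port in missing(SAMPLE_RULES):
        print(f"BLOCKED {proto}/{port} -> {ip}  ({svc})")
```

Each reported tuple is a destination that the rule set would block even though an entry for that address exists, which is the usual cause of a partially working deployment.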
   

Additional Information

For an index of ports and protocols articles, refer to the following article: Required ports, protocols, and services for Broadcom appliances.

For details about earlier versions and legacy products, see the PDF document Required Ports, Protocols, and Services for Symantec Enterprise Security Products.