Most Cloud SWG connectivity and authentication methods require communication through specific ports, protocols, and locations. If you have firewall rules in place, use this reference to verify the ports and services that must be opened to allow connectivity.

| Method | Port(s) | Protocol | Resolves To |
|---|---|---|---|
| Cloud SWG portal access URL | 443 | | portal.threatpulse.com<br>35.245.151.224<br>34.82.146.64<br>Partner Portal Functionality<br>35.245.151.231<br>34.82.146.71 |
| Firewall/VPN (IPsec) | UDP 500 (ISAKMP)<br>UDP 4500 if the firewall is behind a NAT. | IPsec/ESP | |
| Proxy Forwarding | TCP 8080/8443<br>TCP 8084\* | HTTP/HTTPS | proxy.threatpulse.net<br>\* Use when the forwarding host is configured for local SSL interception. |
| Explicit Proxy<br>SEP PAC File Management System or Default PAC file | TCP 443<br>Default PAC file: TCP 8080 | | |
| Explicit Over IPsec (Trans-Proxy)<br>All traffic is transmitted from your network to Cloud SWG in this deployment method. Two scenarios are common. | UDP 500 (ISAKMP)<br>UDP 4500 if the firewall is behind a NAT. | | ep.threatpulse.net resolves to 199.19.250.205<br>ep-all.threatpulse.net returns the following response. |
| | | | ep-roundrobin.threatpulse.net returns all IPs in a round-robin fashion; each two-minute Time-To-Live (TTL) period returns a different address. |
| WSS Agent | TCP/UDP 443 | TLS/SSL | ctc.threatpulse.com on TCP port 443 (for configuration)<br>portal.threatpulse.com on TCP port 443 (for downloading updates)<br>TCP port 80, TCP port 443, and UDP port 443 to all the datapods listed in the following article (see the Ingress and Egress section) |
| SEP Web and Cloud Protection | | | |
| Hybrid Policy | | | On-Premises Policy Management (sgapi.threatpulse.com and sgapi.es.bluecoat.com).<br>35.245.151.229<br>34.82.146.69<br>If connectivity to Cloud SWG is behind stringent firewall rules, adjust the rules to allow traffic to pass to these IP addresses on port 443. |

| Authentication Method | Port(s) | Protocol | Resolves To |
|---|---|---|---|
| Auth Connector | TCP 443 | TLS/SSL | to auth.threatpulse.com:<br>35.245.151.226<br>34.82.146.65<br>portal.threatpulse.com<br>Additional Required Information: Cloud SWG Authentication IP Addresses |
| Auth Connector to Active Directory | TCP 139, 445 | SMB | |
| | TCP 389 | LDAP | |
| | TCP 3268 | ADSI LDAP | |
| | TCP 135 | Location Services | |
| | TCP 88 | Kerberos | |
| | 49152 - 65535 | TCP | If installed on a new Windows Server 2012 Member rather than a Domain Controller. |
| AC-Logon App | TCP 80 | | Port 80 from all clients to the server. |
| SAML | TCP 8443 (over VPN) | Explicit and IPSec | to saml.threatpulse.net |
| Roaming Captive Portal | TCP 8080 | | |

For an index of ports and protocols articles, refer to the following article: Required ports, protocols, and services for Broadcom appliances.
For details about earlier versions and legacy products, see the PDF document Required Ports, Protocols, and Services for Symantec Enterprise Security Products.