
AWS Configuration Requirements for the Migration of VIP Services Platform to Amazon Web Services


Article ID: 150820


Products

VIP Authentication Service, VIP Integrations, VIP Software Development Kit, VIP Enterprise Gateway

Issue/Introduction

 

Resolution

Symantec VIP services are hosted in multiple Amazon availability zones in the AWS Oregon [us-west-2] and Virginia [us-east-1] regions. To ensure uninterrupted connectivity from your VIP Enterprise Gateways and hosted custom applications to the Symantec VIP AWS-hosted cloud platform, review and update your configurations. 

Important: Organizations actively using VIP Enterprise Gateway or VIP Web Services WSDLs prior to version 9.3 should upgrade immediately. Symantec VIP terminated use of *.verisign.com URLs on August 9, 2018.

FIREWALL CONFIGURATION SETTINGS

  1. Use VIP Service domain name whitelisting. This is preferable to using IP netblocks. 

  2. Configure hostnames to recognize any sub-domain of *.vip.symantec.com. If you are unable to whitelist *.vip.symantec.com sub-domains, whitelist these specific hostnames:
    • services-auth.vip.symantec.com (port 443)
    • services.vip.symantec.com (port 443)
    • userservices-auth.vip.symantec.com (port 443)
    • goidservices-auth.vip.symantec.com (port 443)
    • liveupdate.symantecliveupdate.com (port 80)
    • liveupdate.symantec.com (port 80)
       
  3. If you are unable to whitelist hostnames, update your firewall configuration to allow all outbound connectivity to the following IP netblocks.  

Symantec VIP high-availability data centers are located in multiple regions. DNS resolves traffic to the active location using the URLs listed below. IP address pinning puts your organization at risk of service disruption during a VIP datacenter/DNS switch.

Globally Load Balanced URLs:
  • services-auth.vip.symantec.com
  • services.vip.symantec.com
  • userservices-auth.vip.symantec.com
  • userservices.vip.symantec.com

AWS Oregon (west) Region Netblocks:
  • 18.236.61.144/28

AWS Virginia (east) Region Netblocks:
  • 18.208.22.32/28
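One way to check an egress rule set against the firewall requirements above, as an added example that is not Symantec tooling. The hostnames, ports and netblocks are the ones listed in this article; the (destination, port) rule format, the `audit` function and the sample rules are assumptions constructed for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Hostnames, ports and netblocks as listed in this article.
REQUIRED = [("services-auth.vip.symantec.com", 443),
            ("services.vip.symantec.com", 443),
            ("userservices-auth.vip.symantec.com", 443),
            ("goidservices-auth.vip.symantec.com", 443),
            ("liveupdate.symantecliveupdate.com", 80),
            ("liveupdate.symantec.com", 80)]
NETBLOCKS = {"us-west-2": ipaddress.ip_network("18.236.61.144/28"),
             "us-east-1": ipaddress.ip_network("18.208.22.32/28")}

# Constructed sample rules: VIP wildcard, one LiveUpdate host, one pinned IP, one netblock.
SAMPLE_RULES = [("*.vip.symantec.com", 443), ("liveupdate.symantec.com", 80),
                ("18.236.61.150", 443), ("18.208.22.32/28", 443)]

def audit(rules):
    """Audit egress allow rules given as (destination, port) tuples (assumed format).

    destination is a hostname, a wildcard such as *.vip.symantec.com, or an IP/CIDR.
    Ports on IP/CIDR rules are ignored: the article asks for all outbound
    connectivity to the netblocks.
    """
    host_rules, net_rules = [], []
    for dest, port in rules:
        try:
            net_rules.append(ipaddress.ip_network(dest, strict=False))
        except ValueError:  # not an IP or CIDR, so treat it as a hostname pattern
            host_rules.append((dest.lower(), port))

    def covers(net, block):  # rule allows the whole published netblock
        return net.version == block.version and net.supernet_of(block)

    def narrower(net, block):  # rule sits inside a netblock but allows less than all of it
        return net.version == block.version and net != block and net.subnet_of(block)

    return {
        # Required host:port pairs that no hostname or wildcard rule allows.
        "hosts_missing": [(h, p) for h, p in REQUIRED
                          if not any(fnmatchcase(h, pat) and p == rp for pat, rp in host_rules)],
        # Regions whose netblock is not fully allowed (matters when allowing by IP).
        "regions_missing": [r for r, b in NETBLOCKS.items()
                            if not any(covers(n, b) for n in net_rules)],
        # Pinned addresses: at risk during a datacenter/DNS switch.
        "pinned": [str(n) for n in net_rules if any(narrower(n, b) for b in NETBLOCKS.values())],
    }

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

The `regions_missing` and `pinned` results only matter when you allow by IP netblock instead of by hostname; with hostname or wildcard rules in place, `hosts_missing` is the result to clear.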

VIP ENTERPRISE GATEWAY, CUSTOM APPLICATIONS, AND ENTERPRISE INTEGRATION CONFIGURATION SETTINGS

The VIP Enterprise Gateway(s) and Web Services WSDL files are configured to use the following globally load-balanced URLs issued by Symantec VIP. Custom applications should point to these same relevant URLs. 

  • services-auth.vip.symantec.com
  • services.vip.symantec.com
  • userservices-auth.vip.symantec.com
  • goidservices-auth.vip.symantec.com
  • liveupdate.symantecliveupdate.com
  • liveupdate.symantec.com

TEST YOUR CONFIGURATION

You can test whether your VIP Enterprise Gateway, custom server applications, and any other components involved can communicate with the VIP Service from the application server host and the VIP Enterprise Gateway hosts within your production environment. See "Testing your VIP environment for the Migration of VIP Services Platform to Amazon Web Services" for testing procedures.

ADDITIONAL RESOURCES

VIP Web Services best practice for high-availability and optimal performance