Web Security Service (WSS) ingress and egress IP addresses

book

Article ID: 167174

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

  • What are the IP addresses used to connect to the Symantec Web Security Service (WSS)?
  • What are the data center names and locations?
  • What are the WSS IP addresses and ranges that have to be permitted on firewalls?
  • What is a vPOP and where are they located?
  • What are the WSS ingress and egress subnet ranges?

Resolution

Best Practices based on Connection Type (Access Method)

IPsec:  For fault tolerance, each customer site should have IPsec tunnels established to at least two (2) WSS data centers in the table below, as well as:

  • Only IPsec connections should redirect traffic to an IP address.  All other connections should use WSS data center hostnames.
  • IPsec connections are only accepted by the IPsec specific ingress IP addresses in the table below.
  • IPsec configurations should have dead peer detection (DPD) enabled and a tunnel monitor (ie, IPSLA) configured.
  • IPsec phase 1 lifetime should be 24 hours, and phase 2 lifetime should be four hours.
    • IKEv2 FQDN phase 2 lifetime should be 50 minutes.
  • IPsec backup tunnels should never point to the same "compute POP" (data center) that the primary tunnel is going to.

Explicit over IPsec ("Trans-proxy" forwarding):  Explicit traffic redirection within an IPsec tunnel to WSS should always point to ep.threatpulse.net:80

Explicit and Proxy Forwarding:  For optimal performance and fault tolerance, explicit traffic should be redirected to proxy.threatpulse.net:8080.  This hostname automatically resolves to the nearest WSS data center based on the geo-location of the client's DNS resolver.  In the event of an outage (including planned maintenance), users will be automatically redirected to the nearest available data center.

Should the need to avoid GEO location services with explicit exists, the following WSS explicit IP addresses indicate the VIPs an admin can point to for explicit or Proxy Forwarded traffic.

SEP WTR:  For optimal performance and fault tolerance, explicit traffic should be redirected to sep-wtr.threatpulse.net:8080.  Nearest data center selection is performed automatically by the agent based on the geo location of the end user's public IP address.  No manual configuration is required.

WSS Agent, Unified Agent:  Nearest data center selection is performed automatically by the agent based on the geo-location of the end user's public egress IP address.  No manual configuration is required.

Portal Addresses
portal.threatpulse.com 35.245.151.224
34.82.146.64
Cloud Traffic Controller (CTC) addresses
ctc.threatpulse.com 130.211.30.2
Auth Manager
auth.threatpulse.com 35.245.151.226
34.82.146.65
PAC File Management Service
pfms.wss.symantec.com 34.120.17.44

 

WSS ingress and egress IP addresses

Note:  The "ingress ranges" in the third column are also the WSS "egress ranges".

Location (codename) Ingress IP address (IPsec and trans-proxy) Ingress and egress ranges for other access methods and for auth connector
AMERICAS
Buenos Aires, Argentina (GARBA1) - vPOP to Sao Paulo 34.95.226.164 34.95.226.0/24
Columbia, South Carolina (GUSCO1) formerly Miami (GUSMI) 168.149.137.164 168.149.135.0/24
168.149.137.0/24
168.149.138.0/23
168.149.140.0/23
Des Moines, Iowa (GUSDM1) formerly Chicago (GUSCH) 199.247.42.164 199.247.32.0/23
199.247.42.0/23

199.247.44.0/23
199.116.169.0/24
199.116.170.0/24
Des Moines, Iowa (GUSDM2) formerly Dallas (GUSDA) 98.158.240.164

98.158.240.0/23
199.116.168.0/24
199.116.171.0/24
199.116.173.0/24

98.158.240.0/22*
98.158.244.0/24*
199.19.252.0/24*

Des Moines, Iowa (GUSDM3) formerly Denver (GUSDV) 148.64.31.164 148.64.31.0/24
Las Vegas, Nevada (GUSLV1) 168.149.133.164 168.149.133.0/24
168.149.160.0/23
Mexico City, Mexico (GMXMC1) - vPOP to Los Angeles 170.176.246.164 170.176.246.0/24
Montreal, Canada (GCAMO1) 199.19.253.164 199.19.253.0/24

Los Angeles, California (GUSLA1) formerly San Jose, California (GUSSC)

199.19.248.164 148.64.18.0/24
148.64.20.0/24
199.19.248.0/24
Sao Paulo, Brazil (GBRSP1) 34.95.130.164 34.95.130.0/24
34.95.146.0/24
34.95.225.0/24

Portland, Oregon (GUSPO1) formerly Seattle (GUSSE)

170.176.241.164

170.176.241.0/24
168.149.164.0/24

34.82.226.0/24*

Toronto, Canada (GCATO1) - vPOP to Montreal 168.149.162.164 168.149.162.0/24
Washington, DC (GUSAS1) 170.176.240.164

168.149.143.0/24
168.149.144.0/24
168.149.146.0/24
168.149.151.0/24
168.149.152.0/23
170.176.240.0/24

34.86.67.0/24*
35.227.10.0/24*
168.149.146.0/24*
168.149.151.0/24*

Washington, DC (GUSAS2) - formerly New York, NY (GUSSA)

168.149.142.164

168.149.142.0/24
168.149.157.0/24

168.149.144.0/23*
35.227.4.0/24*

APAC

Auckland, New Zealand (GNZAU1) - vPOP to Sydney

168.149.170.164

168.149.170.0/24

Beijing, China (PEK1)

119.161.180.164

119.161.180.0/23

Hong Kong (GCNHK1) 103.246.38.164

103.246.38.0/24

Mumbai, India (GINMU1) 148.64.4.164

148.64.1.0/24
148.64.4.0/23
148.64.12.0/23
148.164.22.0/24
168.149.165.0/24
168.149.169.0/24
168.149.172.0/23

34.93.66.0/24*
34.93.160.0/24*
34.93.162.0/24*
34.93.226.0/24*

Mumbai, India (GINMU2) formerly Chennai, India (GINCH) 148.64.6.164

148.64.6.0/23
168.149.166.0/23
168.149.168.0/24
168.149.174.0/24

34.87.172.0/24*
34.93.96.0/24*
34.93.99.0/24*
34.93.130.0/24*

34.93.163.0/24*

Osaka, Japan (GJPOS1) 98.158.245.164

98.158.245.0/24
98.158.246.0/24
103.9.96.0/23
103.9.98.0/24

Seoul, South Korea (GKRSE1)
168.149.154.164

168.149.154.0/24

Shanghai, China (SHA1) 222.126.180.164

222.126.180.0/23

Singapore (GSGRS1) 103.246.37.164

103.246.37.0/24
148.64.3.0/24
168.149.150.0/24

Sydney (GAUSY1)
103.246.36.164

103.246.36.0/24
103.246.39.0/24
148.64.2.0/24

170.176.245.0/24

Taipei, Taiwan (GTWTA1)
168.149.155.164

168.149.155.0/24

Tokyo, Japan (GJPTK) 223.29.216.164

223.29.216.0/22
43.229.32.0/24

170.176.244.0/24*

Wellington, New Zealand (GNZWL1) - vPOP to Sydney 168.149.171.164

168.149.171.0/24

EMEA

Abu Dhabi, UAE (GAEAD1) - vPOP to Mumbai

Available on April 29, 2021

168.149.175.164

168.149.175.0/24

Amsterdam, the Netherlands (GNLAM1) 98.158.252.164

98.158.252.0/23

Bucharest, Romania (GROBU1) - vPOP to Frankfurt 168.149.148.164

168.149.148.0/24 

Copenhagen, Denmark (GDKCP1) - vPOP to Amsterdam
148.64.14.164

148.64.14.0/24

Dubai, UAE (GAEDX1) - vPOP to Zurich

To be decommissioned on May 15, 2021 - Replaced by GAEAD1

34.65.98.164

34.65.98.0/24

Dublin, Ireland (GIEDU1) -  vPOP to London 148.64.15.164

148.64.15.0/24

Frankfurt, Germany (GDEFR1) 199.247.38.164

199.247.34.0/24
199.247.38.0/23
199.247.40.0/23

Frankfurt, Germany (GDEFR2) formerly GDEMU

98.158.248.164

98.158.248.0/23

Helsinki, Finland (GFIHE1) 168.149.149.164

168.149.149.0/24

Johannesburg, South Africa (GZAJB1) - vPOP to London

Available on April 29, 2021

109.68.58.164

109.68.58.0/24

Johannesburg, South Africa (JNB2)

To be decommissioned on May 15, 2021 - Replaced by GZAJB1

148.64.24.164

148.64.24.0/24

Madrid, Spain (GESMA1) - vPOP to Zurich 185.180.48.164

185.180.48.0/24
185.180.50.0/23

Middlesex, England (GGBLO1) 148.64.26.164

148.64.9.0/24
148.64.26.0/23
148.64.28.0/23
148.64.30.0/24

Middlesex, England (GGBLO2), formerly GGBLR 

148.64.8.164

148.64.8.0/24

Milan, Italy (GITMI1) - vPOP to Frankfurt 46.235.159.164

46.235.159.0/24
148.64.10.0/24
168.149.159.0/24
170.176.243.0/24

Oslo, Norway (GNOOS1) - vPOP to Helsinki 109.68.63.164

109.68.63.0/24

Paris, France (GFRPA1) - vPOP to Belgium 46.235.153.164

46.235.153.0/24
148.64.19.0/24
168.149.163.0/24

Stockholm, Sweden (GSESK1) - vPOP to Helsinki 199.247.35.164

199.247.35.0/24
199.247.37.0/24

Tel Aviv, Israel (GILTA1) - vPOP to London 198.135.124.164

198.135.124.0/24

Turin, Italy (GITTU1) - vPOP to Frankfurt 148.64.23.164

148.64.23.0/24

Zurich, Switzerland (GCHZU1) 148.64.11.164

148.64.11.0/24

*NOTE:  IP addresses marked with an asterisk* will be removed from use as a part of the WSS 2021 POP Optimization.  Please also refer to the WSS Status Page to view the announcements of these IP address changes.

POP Types

Compute POP - A point of presence that contains physical compute infrastructure (aka: data center).

vPOP - Virtual point of presence.  vPOPs are hosted in a "Compute POP" (data center) in another locale and provide content localization for users in a specific country.  Performance is maintained for vPOP transactions thanks to our global private network that minimizes use of congested public Internet routes.