Web Security Service (WSS) ingress and egress IP addresses
Article ID: 167174
Updated On:
Products
Issue/Introduction
- What are the IP addresses used to connect to the Symantec Web Security Service (WSS)?
- What are the data center names and locations?
- What are the WSS IP addresses and ranges that have to be permitted on firewalls?
- What is a vPOP and where are they located?
- What are the WSS ingress and egress subnet ranges?
- What are the IP addresses used by Integrated Services?
Resolution
Best Practices based on Connection Type (Access Method)
IPsec: For fault tolerance, each customer site should have IPsec tunnels established to at least two (2) WSS data centers in the table below, as well as:
- Only IPsec connections should redirect traffic to an IP address. All other connections should use WSS data center hostnames.
- IPsec connections are only accepted by the IPsec specific ingress IP addresses in the table below.
- IPsec configurations should have dead peer detection (DPD) enabled and a tunnel monitor (ie, IPSLA) configured.
- IPsec phase 1 lifetime should be 24 hours, and phase 2 lifetime should be four hours.
- IKEv2 FQDN phase 2 lifetime should be 50 minutes.
- IPsec backup tunnels should never point to the same "compute POP" (data center) that the primary tunnel is going to.
Explicit over IPsec ("Trans-proxy" forwarding): Explicit traffic redirection within an IPsec tunnel to WSS should always point to ep.threatpulse.net:80
Explicit and Proxy Forwarding: For optimal performance and fault tolerance, explicit traffic should be redirected to proxy.threatpulse.net:8080. This hostname automatically resolves to the nearest WSS data center based on the geo-location of the client's DNS resolver. In the event of an outage (including planned maintenance), users will be automatically redirected to the nearest available data center.
Should the need to avoid GEO location services with explicit exists, the following WSS explicit IP addresses indicate the VIPs an admin can point to for explicit or Proxy Forwarded traffic.
SEP WTR: For optimal performance and fault tolerance, explicit traffic should be redirected to sep-wtr.threatpulse.net:8080. Nearest data center selection is performed automatically by the agent based on the geo location of the end user's public IP address. No manual configuration is required.
WSS Agent, Unified Agent: Nearest data center selection is performed automatically by the agent based on the geo-location of the end user's public egress IP address. No manual configuration is required.
IP Addresses for WSS-Integrated Services
- Web Isolation: The egress IPs used for Web Isolation sessions triggered by WSS policy will differ from the list below and are documented here: Web Isolation Cloud Ingress and Egress IP Addresses.
| Portal Addresses | |
| portal.threatpulse.com | 35.245.151.224 34.82.146.64 |
| Cloud Traffic Controller (CTC) addresses | |
| ctc.threatpulse.com | 130.211.30.2 |
| Auth Manager | |
| auth.threatpulse.com | 35.245.151.226 34.82.146.65 |
| PAC File Management Service | |
| pfms.wss.symantec.com | 34.120.17.44 |
WSS ingress and egress IP addresses
Note: The "ingress ranges" in the third column are also the WSS "egress ranges".
| Location (codename) | Ingress IP address (IPsec and trans-proxy) | Ingress and egress ranges for other access methods and for auth connector |
| AMERICAS | ||
| Buenos Aires, Argentina (GARBA1) - vPOP to Sao Paulo | 34.95.226.164 | 34.95.226.0/24 |
| Columbia, South Carolina (GUSCO1) | 168.149.137.164 | 168.149.135.0/24 168.149.137.0/24 168.149.138.0/23 168.149.140.0/23 |
| Des Moines, Iowa (GUSDM1) | 199.247.42.164 | 199.247.32.0/23 199.247.42.0/23 199.247.44.0/23 199.116.169.0/24 199.116.170.0/24 98.158.240.0/23 199.116.168.0/24 199.116.171.0/24 199.116.173.0/24 148.64.31.0/24 |
| Las Vegas, Nevada (GUSLV1) | 168.149.133.164 | 168.149.133.0/24 168.149.160.0/23 |
| Los Angeles, California (GUSLA1) | 199.19.248.164 | 148.64.18.0/24 148.64.20.0/24 199.19.248.0/24 |
| Mexico City, Mexico (GMXMC1) - vPOP to Los Angeles | 170.176.246.164 | 170.176.246.0/24 |
| Montreal, Canada (GCAMO1) | 199.19.253.164 | 199.19.253.0/24 |
| Portland, Oregon (GUSPO1) | 170.176.241.164 | 170.176.241.0/24 168.149.164.0/24 |
| Sao Paulo, Brazil (GBRSP1) | 34.95.130.164 | 34.95.130.0/24 34.95.146.0/24 34.95.225.0/24 |
| Toronto, Canada (GCATO1) - vPOP to Montreal | 168.149.162.164 | 168.149.162.0/24 |
| Washington, DC (GUSAS1) | 170.176.240.164 |
168.149.142.0/23 |
|
APAC |
||
|
Auckland, New Zealand (GNZAU1) - vPOP to Sydney |
168.149.170.164 |
168.149.170.0/24 |
|
Bangkok, Thailand (GTHBA11) - vPOP to Singapore |
- |
168.149.179.64/27 |
|
Beijing, China (PEK1) |
119.161.180.164 |
119.161.180.0/23 |
| Hanoi, Vietnam (GVNHA11) - vPOP to Singapore | - |
168.149.179.96/27 |
| Hong Kong (GCNHK1) | 103.246.38.164 |
103.246.38.0/24 |
| Jakarta, Indonesia (GIDJK11) | - |
168.149.180.0/24 |
| Kuala Lumpur, Malaysia (GMYKL11) - vPOP to Singapore | - |
168.149.179.0/26 |
| Manila, Philippines (GPHMA11) - vPOP to Jakarta | - |
168.149.181.0/25 |
| Mumbai, India (GINMU1) | 148.64.4.164 |
148.64.1.0/24 |
| Osaka, Japan (GJPOS1) | 98.158.245.164 |
98.158.245.0/24 |
| Seoul, South Korea (GKRSE1) |
168.149.154.164 |
168.149.154.0/24 |
| Shanghai, China (SHA1) | 222.126.180.164 |
222.126.180.0/23 |
| Singapore (GSGRS1) | 103.246.37.164 |
103.246.37.0/24 |
| Sydney, Australia (GAUSY1) |
103.246.36.164 |
103.246.36.0/24 |
| Taipei, Taiwan (GTWTA1) |
168.149.155.164 |
168.149.155.0/24 |
| Tokyo, Japan (GJPTK) | 223.29.216.164 |
223.29.216.0/22 |
| Wellington, New Zealand (GNZWL1) - vPOP to Sydney | 168.149.171.164 |
168.149.171.0/24 |
|
EUROPE AND THE MIDDLE EAST |
||
|
Abu Dhabi, UAE (GAEAD1) - vPOP to Mumbai |
168.149.175.164 |
168.149.175.0/24 |
| Amsterdam, the Netherlands (GNLAM1) | 98.158.252.164 |
98.158.252.0/23 |
| Ankara, Turkey (GTRAN11) - vPOP to Frankfurt |
- |
46.235.157.0/26 |
| Athens, Greece (GGRAT11) - vPOP to Frankfurt |
- |
46.235.156.128/27 |
| Brussels, Belgium (GBEBR11) | - |
46.235.155.0/24 |
| Bucharest, Romania (GROBU1) - vPOP to Frankfurt | 168.149.148.164 |
168.149.148.0/24 |
| Copenhagen, Denmark (GDKCP1) - vPOP to Amsterdam |
148.64.14.164 |
148.64.14.0/24 |
|
Dubai, UAE (GAEDX1) - vPOP to Zurich |
34.65.98.164 |
34.65.98.0/24 |
| Dublin, Ireland (GIEDU1) - vPOP to London | 148.64.15.164 |
148.64.15.0/24 |
| Frankfurt, Germany (GDEFR1) | 199.247.38.164 |
199.247.34.0/24 |
| Helsinki, Finland (GFIHE1) | 168.149.149.164 |
168.149.149.0/24 |
| Lisbon, Portugal (GPTLI1) - vPOP to Zurich | - |
46.235.158.96/27 |
| London, England (GGBLO1) | 148.64.26.164 |
148.64.8.0/23 |
| Madrid, Spain (GESMA1) - vPOP to Zurich | 185.180.48.164 |
185.180.48.0/24 |
| Milan, Italy (GITMI1) - vPOP to Frankfurt | 46.235.159.164 |
46.235.159.0/24 |
| Nicosia, Cyprus (GCYNI11) - vPOP to Frankfurt |
46.235.156.64/27 |
|
| Oslo, Norway (GNOOS1) - vPOP to Helsinki | 109.68.63.164 |
109.68.63.0/24 |
| Paris, France (GFRPA1) - vPOP to Belgium | 46.235.153.164 |
46.235.153.0/24 |
| Stockholm, Sweden (GSESK1) - vPOP to Helsinki | 199.247.35.164 |
199.247.35.0/24 |
| Tel Aviv, Israel (GILTA1) - vPOP to London | 198.135.124.164 |
198.135.124.0/24 |
| Vienna, Austria (GATVI11) - vPOP to Frankfurt | - |
46.235.156.32/27 |
| Valletta, Malta (GMTVA11) - vPOP to Frankfurt | - |
46.235.156.160/27 |
| Zurich, Switzerland (GCHZU1) | 148.64.11.164 |
148.64.11.0/24 |
| AFRICA | ||
|
Abuja, Nigeria (GNGAB11) - vPOP to Zurich |
- |
46.235.158.64/27 |
|
Accra, Ghana (GGHAC11) - vPOP to Zurich |
- |
46.235.158.0/27 |
|
Algiers, Algeria (GDZAL11) - vPOP to Frankfurt |
- |
46.235.156.0/27 |
|
Cairo, Egypt (GEGCA11) - vPOP to Frankfurt |
- |
46.235.156.96/27 |
|
Dakar, Senegal (GSNDA1) - vPOP to Zurich |
- |
46.235.158.128/27 |
| Gaborone, Botswana (GBWGA11) - vPOP to London | - |
109.68.57.32/27 |
| Harare, Zimbabwe (GZWHA11) - vPOP to London | - |
109.68.56.0/27 |
|
Johannesburg, South Africa (GZAJB1) - vPOP to London |
109.68.58.164 |
109.68.58.0/24 |
|
Lilongwe, Malawi (GMWLI11) - vPOP to London |
- |
109.68.57.96/27 |
|
Luanda, Angola (GAOLU11) - vPOP to London |
- |
109.68.57.0/27 |
|
Lusaka, Zambia (GZMLU11) - vPOP to London |
- |
109.68.57.224/27 |
| Maputo, Mozambique (GMZMA11) - vPOP to London | - |
109.68.57.160/27 |
| Nairobi, Kenya (GKENA11) - vPOP to London | - |
109.68.57.64/27 |
| Port Louis, Mauritius (GMUPL11) - vPOP to London | - |
109.68.57.128/27 |
Rabat, Morocco (GMARA1) - vPOP to Zurich |
- |
46.235.158.32/27 |
| Tunis, Tunesia (GTNTU11) - vPOP to Frankfurt | - |
46.235.156.192/27 |
| Windhoek, Namibia (GNAWI11) - vPOP to London | - |
109.68.57.192/27 |
POP Types
Compute POP - A point of presence that contains physical compute infrastructure (aka: data center).
vPOP - Virtual point of presence. vPOPs are physically hosted in a "Compute POP" (data center) in another locale and provide content localization for users in a specific country. For example: "Paris - vPOP to Belgium" causes users that connect to the Paris vPOP to experience content localized to Paris even though the transaction is physically processed in Belgium. Performance is maintained for vPOP transactions thanks to our global private network that minimizes use of congested public Internet routes.
Feedback
