Web Security Service Announcement - Frankfurt, Germany (FRA3) Data Center Migration
Scheduled for May 29, 17:00 UTC  -  May 30, 23:00 UTC
Scheduled
As part of the previously announced final phase of WSS migration to Google Cloud Platform (GCP), the Frankfurt, Germany (FRA3) WSS site will be migrated on May 29, 2020, starting at 17:00 UTC. This maintenance will last up to 30 hours.

At the conclusion of the maintenance, all WSS traffic for the Frankfurt site will be processed in the new GCP-based POP designated Frankfurt, Germany (GDEFR).

The ingress IP address for IPSec access for Frankfurt (GDEFR) will be:

  • 199.247.38.164 (Existing address, no change should be required)

The ingress IP addresses for all other access methods for Frankfurt (GDEFR) will be:

  • 199.247.38.164 (Existing address, no change should be required)
  • 199.247.40.164 (New ingress address, change may be required)
  • 199.247.41.164 (New ingress address, change may be required)

The egress network IP ranges for Frankfurt (GDEFR) will be:

  • 199.247.38.0/23 (Existing range, no change should be required)
  • 199.247.40.0/23 (Existing range, no change should be required)


    Impact
    Expect the site to be completely unavailable during the maintenance window.

    Required Action
    If end-user connectivity to WSS is regulated by stringent firewall rules, those firewall rules should be adjusted to allow traffic to pass to the ingress and egress IP networks listed above prior to the maintenance window. In addition, any third-party application provider who regulates connections by source IP should be updated to accept connections from the ingress and egress IP networks listed above to ensure WSS traffic passes unencumbered.

    IPsec: Customers should bring up their secondary tunnel during the maintenance window.

    Explicit over IPsec (“trans-proxy”): The underlying IP address for ep.threatpulse.net will NOT change as part of this migration. Customers that use explicit proxy through IPsec to ep.threatpulse.net should take the same action as IPsec customers and bring up their secondary tunnel during the maintenance.

    The access methods below all require firewall changes. The following use cases demonstrate why these access methods require firewall changes:

    Use case 1 - Connectivity: Users of the Unified-Agent/WSS Agent or explicit access methods may all be coming from the same IP address. If your firewall does not allow TCP/UDP 443 (Unified-Agent) or TCP 8080 (Explicit and SEP-WTR) to the new ingress IP addresses above, the tunnel will not come up (Unified-Agent) or connectivity to the explicit proxy (Explicit and SEP-WTR) will fail.

    Use case 2 - Group-based policies and authentication: Even where users are roaming and not coming from the same location, group-based policies could fail if the auth connector cannot communicate with these new egress IP addresses.

    It is imperative that the firewall whitelist access to these ingress and egress IP addresses to avoid problems.

    Unified Agent and WSS Agent: Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window.

    Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR): The underlying IP address for sep-wtr.threatpulse.net will change as part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window. If customers are referencing the current data center ingress IP address directly (e.g., via a PAC file), please change to reference the sep-wtr.threatpulse.net domain name instead.

    Explicit proxy and proxy forwarding: The underlying IP address for proxy.threatpulse.net will change as a part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customers directing traffic to proxy.threatpulse.net will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window. If customers are referencing the current data center ingress IP address directly (e.g., via a PAC file), please change to reference the proxy.threatpulse.net domain name instead.

    Others: Any customer, regardless of connection method, with a configuration pointing to a specific site or IP address must manually failover to a secondary site during the migration window to avoid an outage.
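
A pre-change check for the actions above, as an added example that is not Broadcom tooling: it tests a firewall allowlist against the ingress addresses and ports named in use case 1, and flags IP literals from the WSS ranges in a PAC file. The rule tuples and PAC text are constructed samples and the function names are hypothetical; egress ranges are not port-checked because the announcement gives no port for the auth connector.

```python
import ipaddress
import re

# Addresses, ranges and ports below are the ones listed in this announcement.
INGRESS = ["199.247.38.164", "199.247.40.164", "199.247.41.164"]
WSS_NETS = [ipaddress.ip_network(n) for n in ("199.247.38.0/23", "199.247.40.0/23")]
REQUIRED_FLOWS = {  # access method -> (protocol, port) pairs from use case 1
    "Unified-Agent": [("tcp", 443), ("udp", 443)],
    "Explicit and SEP-WTR": [("tcp", 8080)],
}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def missing_flows(rules):
    """Return (method, ip, proto, port) flows no (cidr, proto, port) rule permits."""
    parsed = [(ipaddress.ip_network(c), p.lower(), int(q)) for c, p, q in rules]
    gaps = []
    for method, flows in REQUIRED_FLOWS.items():
        for ip in map(ipaddress.ip_address, INGRESS):
            for proto, port in flows:
                if not any(ip in n and (proto, port) == (p, q) for n, p, q in parsed):
                    gaps.append((method, str(ip), proto, port))
    return gaps

def pac_hardcoded_ips(pac_text):
    """Return (line_number, ip) for IPv4 literals inside the WSS ranges, which
    the announcement asks customers to replace with the service domain name."""
    hits = []
    for lineno, line in enumerate(pac_text.splitlines(), 1):
        for literal in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(literal)
            except ValueError:  # e.g. 999.1.1.1 is not a valid address
                continue
            if any(addr in net for net in WSS_NETS):
                hits.append((lineno, literal))
    return hits

# Constructed sample: a firewall that only knows the pre-migration ingress address.
SAMPLE_RULES = [("199.247.38.164/32", "tcp", 443), ("199.247.38.164/32", "udp", 443),
                ("199.247.38.0/23", "tcp", 8080)]
# Constructed sample PAC file with one hard-coded ingress address.
SAMPLE_PAC = "\n".join([
    "function FindProxyForURL(url, host) {",
    '  if (isPlainHostName(host)) return "DIRECT";',
    '  return "PROXY 199.247.38.164:8080; PROXY proxy.threatpulse.net:8080";',
    "}"])
if __name__ == "__main__":
    print("missing allow rules:", missing_flows(SAMPLE_RULES))
    print("hard-coded WSS IPs in PAC:", pac_hardcoded_ips(SAMPLE_PAC))
```

An empty list from `missing_flows` means every ingress address is reachable on the ports each access method needs; any tuple returned is a rule to add before the maintenance window.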

    Please visit these KB articles for a full list of IP networks used by WSS:
    Worldwide data center IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH242979
    Authentication / egress IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH240889

    Questions?
    Please visit this KB article for additional details on the Web Security Service Migration to Google Cloud Platform: https://knowledge.broadcom.com/external/article?legacyId=tech257356

    If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security

    For real-time updates and status, visit and subscribe to Broadcom Service Status: https://wss.status.broadcom.com
  • Posted May 22, 2020 - 16:50 UTC
    This scheduled maintenance affects: Data Centers - Europe, Middle East & Africa (Frankfurt (GDEFR), Frankfurt (FRA3)).