Web Security Service Announcement - Capacity Expansion San Jose (GUSSC) IP network
Scheduled Maintenance Report for Symantec Web Security Service
Completed
The scheduled maintenance has been completed.
Posted Jun 26, 2020 - 22:26 UTC
Scheduled
Broadcom Web Security Service will add a new IP network for the San Jose (GUSSC) data center on June 26, 2020. Content providers and customers will see connections to and from the new IP space after the network goes live on that date.

The new ingress IP address is:

148.64.18.164

The new egress network IP range is:

148.64.18.0/24

Impact
At the conclusion of the maintenance, all WSS traffic for non-IPsec methods will be processed using the new ingress IP address and the associated new egress network IP range in addition to any other ranges for non-IPsec traffic already in use at this site. The ingress IP address and egress network IP range for IPsec traffic will not change.

Please visit these KB articles for a full list of IP networks used by WSS including the new addresses being communicated in this service announcement:

  • Worldwide data center IP addresses:
    https://knowledge.broadcom.com/external/article?legacyId=TECH242979
  • Authentication / egress IP addresses:
    https://knowledge.broadcom.com/external/article?legacyId=TECH240889

Required Action
If end user connectivity to WSS is regulated by stringent firewall rules, those firewall rules should be adjusted to allow traffic to pass to the ingress and egress IP networks listed above prior to the maintenance window. In addition, any third party application provider who regulates connections by source IP should be updated to accept connections from the ingress and egress IP networks listed above to ensure WSS traffic passes unencumbered.

IPsec: Customers should bring up their secondary tunnel prior to or during the maintenance window.

Explicit over IPsec (“trans-proxy”): The underlying IP address for ep.threatpulse.net will NOT change as part of this migration. Customers that use explicit proxy through IPsec to ep.threatpulse.net should take the same action as IPsec customers and bring up their secondary tunnel prior to or during the maintenance window.

The access methods below all require firewall changes. The following use cases demonstrate why these access methods require firewall changes:

Use case 1 - Connectivity: Users on the Unified Agent/WSS Agent or explicit access methods may all be coming from the same IP address, and if your firewall does not allow TCP/UDP 443 (Unified Agent) or TCP 8080 (Explicit and SEP-WTR) to the new ingress IP address above, the tunnel will not come up (Unified Agent) or connectivity to the explicit proxy (Explicit and SEP-WTR) will fail.

Use case 2 - Group-based policies and authentication: Even in the case where users may be roaming and not coming from the same location, group-based policies could fail if the auth connector cannot communicate with these new egress IP addresses.

It is imperative that the firewall whitelist access to these ingress and egress IP addresses to avoid problems. Note that the new ingress address 148.64.18.164 lies inside the new egress range 148.64.18.0/24, so a rule that permits the whole /24 covers both.

Unified Agent and WSS Agent: Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window.

Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR): The underlying IP address for sep-wtr.threatpulse.net will change as part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customer traffic will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window. If customers are referencing the current data center ingress IP address directly (e.g., via a PAC file), please change to reference the sep-wtr.threatpulse.net domain name instead.

Explicit proxy and proxy forwarding: The underlying IP address for proxy.threatpulse.net will change as a part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. Customers directing traffic to proxy.threatpulse.net will be automatically redirected by Broadcom to the nearest alternate site during the maintenance window. If customers are referencing the current data center ingress IP address directly (e.g., via a PAC file), please change to reference the proxy.threatpulse.net domain name instead.

Others: Any customer, regardless of connection method, with a configuration pointing to a specific site or IP address must manually fail over to a secondary site during the migration window to avoid an outage.
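The following pre-maintenance check is an added example, not code from Broadcom or the WSS product. It takes the addresses published in this announcement and (a) reports which of the required flows (TCP/UDP 443 and TCP 8080 to the new ingress IP, and acceptance of the new egress /24 as a source) an existing firewall allowlist fails to cover, and (b) scans a PAC file for proxy directives that hard-code an IP address instead of the proxy.threatpulse.net / sep-wtr.threatpulse.net hostnames. The allowlist rule format, the sample rules and the sample PAC (with 192.0.2.10 as a stand-in for a hard-coded data center IP) are constructed for illustration.

```python
"""Pre-maintenance checks for the San Jose (GUSSC) IP expansion.

Added example (not Broadcom's code). The addresses are the ones published in
the announcement; the allowlist rule format, sample rules and sample PAC are
constructed for illustration only.
"""
import ipaddress
import re

# Published in the announcement.
NEW_INGRESS_IP = ipaddress.ip_address("148.64.18.164")
NEW_EGRESS_NET = ipaddress.ip_network("148.64.18.0/24")

# Outbound flows the "Required Action" section says must be permitted:
# (protocol, destination port, destination address)
REQUIRED_FLOWS = [
    ("tcp", 443, NEW_INGRESS_IP),    # Unified Agent / WSS Agent tunnel
    ("udp", 443, NEW_INGRESS_IP),    # Unified Agent / WSS Agent tunnel
    ("tcp", 8080, NEW_INGRESS_IP),   # Explicit proxy and SEP-WTR
]


def check_outbound_allowlist(rules):
    """Return the required flows that no rule covers.

    rules: list of dicts {"proto": "tcp"|"udp"|"any", "port": int|"any",
    "dst": "CIDR"} (a constructed, vendor-neutral rule shape).
    """
    missing = []
    for proto, port, dst in REQUIRED_FLOWS:
        covered = any(
            r["proto"] in (proto, "any")
            and r["port"] in (port, "any")
            and dst in ipaddress.ip_network(r["dst"], strict=False)
            for r in rules
        )
        if not covered:
            missing.append((proto, port, str(dst)))
    return missing


def check_source_allowlist(allowed_sources):
    """For an auth connector or third-party app that filters by source IP:
    True only if the entire new egress /24 is accepted. Allowing just the
    ingress /32 is not enough, even though it lies inside the /24."""
    nets = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    return any(NEW_EGRESS_NET.subnet_of(n) for n in nets)


# PAC proxy directives: "PROXY host:port", "HTTP host:port", "HTTPS host:port",
# "SOCKS host:port", "SOCKS5 host:port"; DIRECT has no host and is ignored.
PROXY_DIRECTIVE = re.compile(r'\b(PROXY|HTTPS?|SOCKS5?)\s+([^;"\']+)')
IPV4_LITERAL = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')


def pac_hardcoded_proxies(pac_text):
    """Return proxy hosts in the PAC that are literal IPv4 addresses rather
    than hostnames; these break when the data center IP changes."""
    hits = []
    for m in PROXY_DIRECTIVE.finditer(pac_text):
        host = m.group(2).strip().rsplit(":", 1)[0]
        if IPV4_LITERAL.match(host):
            hits.append(host)
    return hits


# Constructed sample inputs.
SAMPLE_RULES = [
    {"proto": "tcp", "port": 443, "dst": "148.64.18.164/32"},
    {"proto": "tcp", "port": 8080, "dst": "148.64.18.0/24"},
    # UDP 443 to the ingress IP is deliberately missing.
]

SAMPLE_PAC = '''
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  // constructed: hard-coded IP first, hostname fallback second
  return "PROXY 192.0.2.10:8080; PROXY proxy.threatpulse.net:8080; DIRECT";
}
'''

if __name__ == "__main__":
    print("Uncovered outbound flows:", check_outbound_allowlist(SAMPLE_RULES))
    print("Egress /24 accepted as source:", check_source_allowlist(["148.64.18.164/32"]))
    print("Hard-coded proxy IPs in PAC:", pac_hardcoded_proxies(SAMPLE_PAC))
```

Run it against an export of your own rules and PAC before the window; any non-empty list from the first or third check, or False from the second, is a change to make before June 26.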

Questions?
If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security

For real time updates and status visit and subscribe to Broadcom Service Status: https://wss.status.broadcom.com
Posted Jun 10, 2020 - 23:07 UTC
This scheduled maintenance affected: Data Centers - Americas (San Jose (GUSSC)).