Web Security Service will add capacity in the Tokyo (GJPTK) data center on July 2, 2020, starting at 14:00 UTC. This maintenance will last up to 8 hours.
As part of the maintenance activities a new egress IP network will be deployed in this site.
The new egress network IP range is:
No impact is expected during the maintenance.
At the conclusion of the maintenance, content providers and customers will see connections from the new IP space when the new egress network range goes live. Traffic for all access methods may be processed using the new egress network IP range in addition to any other ranges already in use at this site. The ingress IP addresses for the site will not change.
Please visit these KB articles for a full list of IP networks used by WSS including the new addresses being communicated in this service announcement: Worldwide data center IP addresses:
Authentication / egress IP addresses:
If end user connectivity to WSS is regulated by stringent firewall rules, those firewall rules should be adjusted to allow traffic to pass to and from the egress IP network listed above prior to the maintenance window. In addition, any third party application provider who regulates connections by source IP should be updated to accept connections from the egress IP network listed above to ensure WSS traffic passes unencumbered.
Explicit over IPsec (“trans-proxy”): The underlying IP address for ep.threatpulse.net will NOT change as part of this migration.
The access methods below all require firewall changes. The following use case demonstrates why these access methods require firewall changes:
Use case: Group-based policies and authentication: Even in the case where users may be roaming and not coming from the same location, group based policies could fail if the auth connector cannot communicate with these new egress IP addresses.
It is imperative that the firewall whitelist access to these egress IP addresses to avoid problems.
Unified Agent and WSS Agent: Firewall rules will need to be updated as described above to allow the new egress addresses.
Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR): The underlying IP address for sep-wtr.threatpulse.net will not change as part of this migration. Firewall rules will need to be updated as described above to allow the new egress addresses.
Explicit proxy and proxy forwarding: The underlying IP address for proxy.threatpulse.net will not change as a part of this migration. Firewall rules will need to be updated as described above to allow the new egress addresses.
If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security
For real time updates and status visit and subscribe to Broadcom Service Status: https://wss.status.broadcom.com
Start Date: July 2, 2020, at 14:00 UTC
End Date: July 2, 2020, at 22:00 UTC