Web Security Service Announcement New York (GUSSA) Maintenance March 23, 2021
Scheduled Maintenance Report for Symantec Web Security Service
Completed
The scheduled maintenance has been completed.
Posted Mar 23, 2021 - 15:00 UTC
In progress
Scheduled maintenance is currently in progress. We will provide updates as necessary.
Posted Mar 23, 2021 - 03:00 UTC
Scheduled
The New York (GUSSA) WSS site will undergo maintenance beginning on March 23, 2021 at 03:00 UTC, lasting for a duration of up to 12 hours.

• IP address changes will occur so it is imperative to adjust access control lists appropriately.
• Carefully review the information below to avoid disruption of service.

Ingress IP Addresses
The IP addresses you forward traffic to for filtering. The IP address must match the connection method. For example, do not connect IPsec tunnels to the IP address for WSS Agent.

IPsec / Proxy-forwarding / Explicit / SEP Agent (Explicit Mode):

• 168.149.142.164 - NO CHANGE

WSS Agent / Unified Agent:

• 168.149.143.164 - NO CHANGE
• 168.149.144.164 - CAN BE RETIRED AFTER THE MAINTENANCE
• 168.149.145.164 - CAN BE RETIRED AFTER THE MAINTENANCE
• 35.227.4.164 - CAN BE RETIRED AFTER THE MAINTENANCE

Egress IP Ranges
The IP addresses WSS will use to access content on your behalf and to deliver filtered content to your users. If you use application or firewall access control lists, add new IP ranges prior to the maintenance:

• 168.149.142.0/24 - NO CHANGE
• 168.149.143.0/24 - NO CHANGE
• 168.149.144.0/24 - NO CHANGE
• 168.149.145.0/24 - CAN BE RETIRED AFTER THE MAINTENANCE
• 35.227.4.0/24 - CAN BE RETIRED AFTER THE MAINTENANCE
• 168.149.157.0/24 - NEW

Impact
No impact to WSS traffic is expected during the maintenance window. However, it is important to make sure that your connection method aligns to the correct ingress IP address to avoid loss of connectivity. For example, following this maintenance IPsec connections will no longer be allowed to connect to IP addresses designated for WSS Agent (see ingress IP address detail above).

Required Action
Failure to make these changes could prevent users from connecting to WSS, accessing third party web applications, or authenticating against the service using the Auth Connector (where applicable).

• Firewall rules regulating connectivity to/from your network to WSS should be adjusted to allow traffic to pass to the IP networks listed above.
• Third party applications that regulate connections by source IP address should be updated to accept connections from the egress IP networks listed above to ensure traffic proxied through WSS can reach the application.
• Auth Connector must be able to communicate with all egress ranges listed above on TCP 443, where applicable.

Guidance by Connection Method
• IPsec: No action is needed unless your tunnel is connecting to the incorrect ingress IP address (see Impact section above).
• WSS Agent, Unified Agent, SEP Agent: User traffic will be automatically redirected by the service to the nearest alternate site during the maintenance window.
• SEP Agent (Explicit Mode): No action is needed unless your traffic is directed to the incorrect ingress IP address (see Impact section above).
• Explicit proxy and proxy forwarding: No action is needed unless your traffic is directed to the incorrect ingress IP address (see Impact section above).

WARNING:
Any customer, regardless of connection method, with a configuration pointing to a specific site or IP address must manually failover to a secondary site during the migration window to avoid an outage. Explicit redirection should never point to an IP address. Only IPsec connections should be directed to IP addresses.

Support
Questions? Contact technical support by visiting: https://support.broadcom.com/security.
For service status and maintenance updates visit and subscribe to Broadcom Service Status: https://wss.status.broadcom.com.
Posted Mar 05, 2021 - 22:49 UTC
This scheduled maintenance affected: Data Centers - Americas (Washington, DC (GUSAS2)).