Reference: Required Locations, Ports, and Protocols

Depending on your configured Symantec Web Security Service Access Methods, some ports, protocols, and locations must be opened on your firewalls to allow connectivity to the various cloud service components and data centers.

Symantec Resource

support.symantec.com: Support site with links to support tools and documentation.

Access Methods

Each access method is listed with its port(s), protocol, and the hostname(s) and IP address(es) it resolves to.

Web Security Service Portal Access
  For administration of your WSS policy and configuration.
  Port(s):     443
  Resolves to: portal.threatpulse.com
               199.19.250.192
               199.116.168.192

Firewall/VPN (IPsec)
  Port(s):     UDP 500 (ISAKMP)
               UDP 4500 if the firewall is behind a NAT.
  Protocol:    IPsec/ESP
Proxy Forwarding
  Port(s):     TCP 8080/8443
               TCP 8084 (only if this forwarding host is configured for local SSL interception)
  Protocol:    HTTP/HTTPS
  Resolves to: proxy.threatpulse.net

Explicit Proxy
  SEP PAC File Management System (PFMS) or Default PAC file
  Port(s):     TCP 443
               Default PAC file: TCP 8080
  • Firewall rules to allow PFMS access:
    • By hostname: pfms.wss.symantec.com
    • By IP address:
      • 35.155.165.94
      • 35.162.233.131
      • 52.21.20.251
      • 52.54.167.220
      • 199.247.42.187
      • 199.19.250.187
  • The default PAC file directs browser traffic to proxy.threatpulse.net.

Explicit Over IPsec (Trans-Proxy)
  In this deployment method, all traffic is transmitted from your network to WSS. Two scenarios are common.
  • On-premises ProxySG appliance.
    Explicit browser settings direct traffic to the proxy, which forwards that traffic to the WSS through a configured IPsec tunnel.
  • Explicit settings in the browser pointed to ep.threatpulse.net.
    Direct all firewall traffic destined for ep.threatpulse.net to WSS through your configured IPsec tunnel.
  Port(s):     UDP 500 (ISAKMP)
               UDP 4500 if the firewall is behind a NAT.
  Resolves to: ep.threatpulse.net resolves to 199.19.250.205.
               ep-all.threatpulse.net returns the following addresses:
               199.19.248.205
               199.19.250.205
               199.19.250.206
               199.19.250.207
               199.19.250.208
               199.19.250.209
               199.19.250.210
               199.19.250.211
               199.19.250.212
               199.19.250.213
               199.19.250.214
               ep-roundrobin.threatpulse.net returns all of these IPs in a round-robin fashion; each two-minute Time-To-Live (TTL) period returns a different address.
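Because ep-roundrobin.threatpulse.net hands out a different member of the ep-all set on every TTL, an egress rule built from one cached answer will intermittently fail; the allowlist has to cover the whole documented set, and the IPsec rule has to include UDP 4500 only when the firewall is behind a NAT. The following script is an added example, not Symantec's code: it encodes the addresses listed on this page and audits a constructed set of resolver answers against them, flagging anything undocumented.

```python
import ipaddress

# Addresses this reference lists for ep-all.threatpulse.net.
EP_ALL = {
    "199.19.248.205", "199.19.250.205", "199.19.250.206", "199.19.250.207",
    "199.19.250.208", "199.19.250.209", "199.19.250.210", "199.19.250.211",
    "199.19.250.212", "199.19.250.213", "199.19.250.214",
}
# Documented hostname -> IP mappings taken from this page.
DOCUMENTED = {
    "portal.threatpulse.com": {"199.19.250.192", "199.116.168.192"},
    "ep.threatpulse.net": {"199.19.250.205"},
    # ep-roundrobin returns one member of the ep-all set per two-minute TTL,
    # so a rule must allow the whole set rather than a single cached answer.
    "ep-all.threatpulse.net": EP_ALL,
    "ep-roundrobin.threatpulse.net": EP_ALL,
    "auth.threatpulse.com": {"199.19.250.193", "199.116.168.193"},
}

def ipsec_udp_ports(behind_nat: bool) -> list[int]:
    """UDP ports the firewall must pass for the IPsec tunnel: 500 (ISAKMP)
    always, 4500 (NAT-T) only when the firewall sits behind a NAT."""
    return [500, 4500] if behind_nat else [500]

def audit_dns_answers(observed: dict[str, list[str]]) -> dict[str, set[str]]:
    """Compare observed A-record answers with the documented addresses.
    Returns, per hostname, the answers that are not documented (no entry
    means clean); an unknown hostname is reported with all of its answers."""
    drift: dict[str, set[str]] = {}
    for host, answers in observed.items():
        allowed = {ipaddress.ip_address(a) for a in DOCUMENTED.get(host, ())}
        unexpected = {a for a in answers if ipaddress.ip_address(a) not in allowed}
        if unexpected:
            drift[host] = unexpected
    return drift

# Constructed sample resolver output (not real lookups): one round-robin
# answer inside the documented set, plus a stray address (203.0.113.9 is a
# documentation-range placeholder) that a tight allowlist would block.
SAMPLE_ANSWERS = {
    "ep-roundrobin.threatpulse.net": ["199.19.250.209"],
    "portal.threatpulse.com": ["199.19.250.192", "203.0.113.9"],
}

if __name__ == "__main__":
    for host, bad in audit_dns_answers(SAMPLE_ANSWERS).items():
        print(f"{host}: undocumented answer(s) {sorted(bad)}")
    print("IPsec UDP ports when behind NAT:", ipsec_udp_ports(True))
```

Feed the audit function real resolver output on a schedule and any non-empty result marks the point at which the documented list and your firewall rules need reconciling.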

WSS Agent
  Port(s):     TCP/UDP 443
  Protocol:    SSL
  Resolves to: ctc.threatpulse.com (for TCP, UDP, and software updates)

Unified Agent
  Port(s):     TCP 80
               TCP/UDP 443
  Protocol:    TCP, SSL
  Resolves to: Port 80/443 to portal.threatpulse.com (199.19.250.192) (for captive network information and updates)
               Port 443 to ctc.threatpulse.com
               TCP port 443 to client.threatpulse.net (DNS fallback); UDP added for agent version 4.9.1 or above.

Mobile (SEP-Mobile iOS/Android app)
  Port(s):     UDP 500 (ISAKMP)
               UDP 4500 (NAT-T)
  Protocol:    IPsec/ESP

Hybrid Policy
  Resolves to: 199.19.250.195
               199.116.168.195
  If connectivity to the WSS is behind stringent firewall rules, adjust the rules to allow traffic to pass to these IP addresses on port 443.

Authentication

Each authentication method is listed with its port(s), protocol, and the hostname(s) and IP address(es) it resolves to.

Auth Connector
  Port(s):     TCP 443
  Protocol:    SSL
  Resolves to: auth.threatpulse.com
               199.19.250.193
               199.116.168.193
               portal.threatpulse.com
               199.19.250.192
  Tip: Additional required information: Reference: Authentication IP Addresses.

Auth Connector to Active Directory
  Port(s) and protocols:
  • TCP 139, 445: SMB
  • TCP 389: LDAP
  • TCP 3268: ADSI LDAP
  • TCP 135: Location Services
  • TCP 88: Kerberos
  • TCP 49152-65535: if installed on a new Windows Server 2012 member server rather than a Domain Controller.

AC-Logon App
  Port(s):     TCP 80
  Port 80 from all clients to the server.

SAML
  Port(s):     TCP 8443 (over VPN)
  Protocol:    Explicit and IPsec
  Resolves to: saml.threatpulse.net

Roaming Captive Portal
  Port(s):     TCP 8080

Cloud-to-Premises DLP

For connection coordination and management status.

  • Port 443 (traffic from client device)
  • XMPP port 5222 to comm.threatpulse.com