Connectivity—About Virtual Private Network (IPsec)

This topic provides details to help you build a robust, fault-tolerant IPSec deployment for the Symantec Web Security Service (WSS). The configurations explained in this section are essential for a successful deployment and for ensuring that your organization gets the maximum uptime provided for under your Service Level Agreement (SLA).

Each section linked from this topic provides a set of technical requirements that go beyond simple best practices. For example, it is critical that your sites are configured with at least one backup tunnel to a secondary data center. Failure to configure a backup tunnel or adhere to other configuration recommendations will increase the likelihood of service issues as well as invalidate relevant SLA claims.

With the Firewall/VPN access method found in the location settings in the WSS portal, you configure your web gateway firewall or router (referred to from here on as the VPN device) to send web traffic to the WSS through an IPSec VPN tunnel, where policy is enforced and the traffic is inspected.

Warning: It is essential that all recommendations in this guide be implemented, without exception, prior to your production deployment.

Advantages of IPSec VPN Tunnels

IPSec VPN tunnels provide confidentiality, data integrity, data origin authentication and anti-replay protection for the traffic sent to the WSS by encapsulating that traffic in a virtual tunnel from your network's edge to a WSS data center.

This type of configuration provides the following benefits:

  • Does not require an agent on the client device.
  • Client IP addresses are preserved for policy, authentication, and reporting.
  • Confidentiality is achieved by encrypting the traffic sent over the IPSec tunnel with an encryption algorithm such as AES-256. Integrity and data origin authentication come from a keyed integrity algorithm such as HMAC-SHA256 (an integrity check, not an encryption algorithm), which lets the WSS detect any packet that was altered in transit or was not produced by a peer holding the tunnel's keys.
  • Anti-replay protection that is built into the IPSec protocol (ESP sequence numbers checked against a sliding window at the receiver) prevents a captured packet from being resent to the WSS and accepted a second time. (See the complete list of algorithms supported by Symantec for IPSec connections in each of the blueprint configuration topics linked below.)
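The two mechanisms just described, integrity/origin authentication with HMAC-SHA256 and the ESP anti-replay window, can be seen end to end in the following receive-side model. This is an added example, not Symantec's or any vendor's code: it frames an ESP packet as SPI, sequence number, payload and a 128-bit truncated HMAC-SHA256 ICV (as in RFC 4868) and implements the 64-packet sliding window from RFC 4303. The key, SPI and packet contents are constructed for the demo; the AES-256 encryption of the payload is deliberately left out so the example runs on the Python standard library alone, so the payload travels in the clear here, which a real ESP SA never allows.

```python
import hashlib
import hmac
import struct

ESP_HDR = struct.Struct("!II")  # SPI, sequence number: network byte order (RFC 4303)
ICV_LEN = 16                    # HMAC-SHA-256-128: the 256-bit tag truncated to 128 bits


def esp_icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the authenticated part of the ESP packet."""
    tag = hmac.new(key, ESP_HDR.pack(spi, seq) + payload, hashlib.sha256).digest()
    return tag[:ICV_LEN]


def build_esp(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender side: SPI || seq || payload || ICV (payload would be AES-encrypted in real ESP)."""
    return ESP_HDR.pack(spi, seq) + payload + esp_icv(key, spi, seq, payload)


class InboundSA:
    """Receive-side state of one ESP SA: integrity key, SPI and anti-replay window."""

    WINDOW = 64                   # RFC 4303 requires >= 32; 64 is a common default
    MASK = (1 << WINDOW) - 1

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.top = 0              # highest sequence number accepted so far
        self.bitmap = 0           # bit i set  =>  seq (top - i) was already accepted

    def receive(self, packet: bytes) -> str:
        """Return 'accept' or 'reject: <reason>'. State changes only on accept."""
        if len(packet) < ESP_HDR.size + ICV_LEN:
            return "reject: truncated"
        spi, seq = ESP_HDR.unpack_from(packet)
        if spi != self.spi:
            return "reject: unknown SPI"
        payload, icv = packet[ESP_HDR.size:-ICV_LEN], packet[-ICV_LEN:]
        # Verify integrity and origin first (constant-time compare), so that a
        # forged or corrupted packet can never move the anti-replay window.
        if not hmac.compare_digest(icv, esp_icv(self.key, spi, seq, payload)):
            return "reject: bad ICV"
        if seq == 0:
            return "reject: sequence number 0 is never valid"
        # Anti-replay sliding window (RFC 4303 Appendix A).
        if seq > self.top:                      # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.WINDOW else ((self.bitmap << shift) | 1) & self.MASK
            self.top = seq
            return "accept"
        offset = self.top - seq                 # how far behind the window's right edge
        if offset >= self.WINDOW:
            return "reject: older than the anti-replay window"
        if self.bitmap & (1 << offset):
            return "reject: replayed sequence number"
        self.bitmap |= 1 << offset              # late but genuine: mark as seen
        return "accept"


def demo() -> list:
    """Constructed traffic: reordering inside the window is accepted; replay,
    tampering and packets far behind the window are rejected."""
    key = hashlib.sha256(b"constructed demo key, not a real SA key").digest()
    spi = 0x1000ABCD
    sa = InboundSA(key, spi)

    def send(seq: int, data: bytes = b"inner IP packet") -> bytes:
        return build_esp(key, spi, seq, data)

    results = [sa.receive(send(n)) for n in (1, 2, 3, 5, 4)]   # 4 arrives late
    results.append(sa.receive(send(3)))                        # replay of 3
    tampered = bytearray(send(6))
    tampered[10] ^= 0xFF                                       # flip a payload bit in transit
    results.append(sa.receive(bytes(tampered)))                # 6 is never accepted
    results.append(sa.receive(send(200)))                      # window jumps to 200
    results.append(sa.receive(send(100)))                      # far behind the window: too old
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The order of checks matters: the ICV is verified before the window is touched, so an attacker who cannot forge HMACs cannot advance the window and cause genuine, slightly delayed packets to be dropped. Late packets within the window (sequence 4 after 5) are still accepted, which is what keeps reordering on the Internet path from turning into packet loss.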

IPSec Pre-deployment Considerations

Before you configure your VPN device to connect to the WSS, consider the following points:

  • VPN Tunnel redundancy.

    If the connection to your primary WSS data center fails, your VPN device is responsible for diverting your web traffic to a backup WSS data center by way of a secondary VPN tunnel. This is why at least one backup tunnel is required for every site.

  • Failover between tunnels is not stateful.

    The IPSec security associations negotiated with the primary data center are not shared with the backup data center, so your VPN device must bring up the secondary tunnel afresh and connections that were in flight are interrupted. For most web applications this goes unnoticed. However, clients using streaming media and conferencing applications may experience a brief disruption while your VPN device initiates the backup VPN tunnel.

  • The WSS is best suited to handle traffic destined for standard web resources.

    If your organization has traffic that you do not want to send to the WSS (such as Voice over IP or private intranet traffic), you must ensure that your firewall is configured to bypass the tunnel for that traffic.

  • The WSS supports up to 500 Mb/s of bandwidth per IPSec tunnel.
    Exceeding this limit may result in performance issues. If a site needs more, split its traffic across multiple tunnels, one from each public IP address exiting your network. If you are unsure how to split traffic between multiple public IPs, contact Symantec support for assistance.
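The last two considerations, deciding which traffic is "interesting" enough to enter the tunnel and keeping each tunnel under the 500 Mb/s limit, are firewall policy decisions, and it helps to see them written down as one. The following is an added example, not Symantec's or any firewall vendor's configuration: it classifies flows into tunnel-bound web traffic and bypassed traffic (private intranet, VoIP signalling, anything that is not web), pins each client to one of several tunnels by hashing its source address, and sums expected load per tunnel against the limit. The port sets, intranet prefixes, tunnel egress addresses (TEST-NET-3 documentation addresses), the choice of source-hash pinning and the sample flows are all assumptions for the demo and should be taken from your own network.

```python
import ipaddress
import zlib
from dataclasses import dataclass

# Policy values below are assumptions for the demo, not Symantec-supplied values.
WEB_PORTS = {80, 443}                              # the traffic the WSS is built to inspect
VOIP_PORTS = {5060, 5061}                          # SIP signalling: keep it off the tunnel
INTRANET = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TUNNELS = ["203.0.113.10", "203.0.113.11"]         # one tunnel per public egress IP (TEST-NET-3)
TUNNEL_LIMIT_MBPS = 500                            # per-tunnel limit stated in the text


@dataclass(frozen=True)
class Flow:
    src: str      # client address (preserved inside the tunnel for WSS policy)
    dst: str      # destination address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def classify(flow: Flow) -> str:
    """'tunnel' if the flow is interesting traffic for the WSS, else 'bypass'."""
    dst = ipaddress.ip_address(flow.dst)
    if any(dst in net for net in INTRANET):
        return "bypass"                 # private intranet traffic never leaves the site
    if flow.dport in VOIP_PORTS:
        return "bypass"                 # latency-sensitive VoIP stays on the local egress
    if flow.proto == "tcp" and flow.dport in WEB_PORTS:
        return "tunnel"                 # web traffic to public hosts goes to the WSS
    return "bypass"                     # anything else is not web traffic


def assign_tunnel(src: str) -> str:
    """Pin each client to one tunnel by hashing its address, so a client's
    sessions do not flap between public egress IPs."""
    idx = zlib.crc32(ipaddress.ip_address(src).packed) % len(TUNNELS)
    return TUNNELS[idx]


def plan(flows):
    """Decide each flow: the egress tunnel that carries it, or 'bypass'."""
    return [(f, assign_tunnel(f.src) if classify(f) == "tunnel" else "bypass")
            for f in flows]


def check_load(client_mbps: dict) -> dict:
    """Sum the expected web load per tunnel and flag any tunnel over the limit.
    client_mbps maps a client address to its expected web throughput in Mb/s."""
    load = {t: 0.0 for t in TUNNELS}
    for src, mbps in client_mbps.items():
        load[assign_tunnel(src)] += mbps
    return {t: (mbps, mbps > TUNNEL_LIMIT_MBPS) for t, mbps in load.items()}


if __name__ == "__main__":
    flows = [  # constructed sample flows
        Flow("10.1.2.3", "93.184.216.34", "tcp", 443),   # public web: tunnel
        Flow("10.1.2.3", "10.20.0.5", "tcp", 443),       # intranet web: bypass
        Flow("10.1.2.3", "198.51.100.7", "udp", 5060),   # SIP: bypass
        Flow("10.1.2.4", "198.51.100.7", "udp", 53),     # DNS: bypass
    ]
    for f, decision in plan(flows):
        print(f"{f.proto}/{f.dport} {f.src} -> {f.dst}: {decision}")
    print(check_load({"10.1.2.3": 350.0, "10.1.2.4": 350.0}))
```

Pinning by source address rather than round-robin matters for two reasons the page already gives: the client IP is what the WSS uses for policy and reporting, and a session that moves between tunnels mid-stream looks, from the WSS side, like a new connection from a different egress. The load check is a planning aid only; it tells you whether the split you chose can keep each tunnel under the limit, not what the tunnel is carrying right now.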

IPSec supports two modes: transport mode and tunnel mode. The WSS supports tunnel mode using ESP (Encapsulating Security Payload) packets only; the Authentication Header (AH) protocol is not used. Interesting traffic, as defined by the traffic selectors (crypto ACL) in your VPN device, is encapsulated in ESP packets and sent inside the tunnel.

IPSec tunnel endpoints must authenticate each other and agree on keys before they exchange packets. This is done using the Internet Key Exchange (IKE) protocol. The WSS supports both IKE version 1 (IKEv1) and IKE version 2 (IKEv2), but only under the conditions detailed under About Supported VPN Tunnel Methods, below.

WSS supports three different options to configure your VPN device to send traffic through IPSec VPN tunnels. This topic provides conceptual information to help you determine which is the most appropriate for your network, then provides links to topics that provide best practice guidance for configuring your IPSec VPN tunnels.

  • If you need to understand the methods before deciding, continue reading the following sections.

About Supported VPN Tunnel Methods

The following sections describe each supported VPN connection method.
