Connectivity: VPN Certificate Authentication

Also known as RSA-SIG, using certificate authentication (instead of a pre-shared key) to verify your network's identity when connecting to Web Security Service is very secure. This method is ideal if your VPN device is behind a NAT device, as it does not rely on the external IP address or FQDN of your organization's external IP.

Technical Requirements

This section provides a high-level set of technical requirements required for this this configuration.

  • Your organization has been provisioned with an account in the WSS, and you have successfully completed the registration of that account.

    To confirm this, browse to and log in. If you are unable to log in, verify your account details with Symantec support.

  • If you are not certain what type of connection is appropriate for your organization, see Connectivity—About Virtual Private Network (IPsec).
  • An understanding of how much user traffic will route to the WSS.

    The WSS is limited to 500mbit/s of bandwidth per IPSec tunnel. If you expect traffic to exceed that, you must plan your architecture to use an additional tunnel from an additional public IP address for each 500mbit/s block of bandwidth you expect to consume. For example, if one of your sites consumes 900mbit/s of traffic, it must connect to the WSS using at least two IPSec tunnels, each connecting from a unique public IP address. If you're not sure how to configure your VPN device to split your traffic between multiple connections, please contact Symantec support for assistance.

  • The following information is required to ensure a successful configuration.
    • The public IP address or fully qualified domain name (FQDN).

    • The two closest data center addresses.

      All VPN configurations must include a primary and secondary tunnel to the WSS. If one data center connection becomes unavailable, your site's traffic can be routed to a secondary tunnel to an alternate data center. See Reference: Web Security Service Data Center Ingress IPs for geographical IP address information.

    • The internal network addresses that is the source of data to send to the WSS.

      For example, as a best practice do not send intranet resources, such as email and internal web services, through the tunnel. Additionally, exclude the server where the Auth Connector is installed from the tunnel as it makes a direct connection to the WSS through port 443. See Forward Specific User and Group Names to the Service.

    • A list of intranet destinations to exclude from the IPsec VPN tunnel(s).

    • Ensure that your VPN device supports Dead Peer Detection. This feature ensures that if the primary VPN tunnel fails, that failure is detected and the secondary tunnel is used.
      • If your VPN device supports IPSLA (Internet protocol service level agreement) and DPD, Symantec suggests that you configure both to ensure maximum up-time.
    • Your VPN device is configured to permit the necessary traffic outbound for IPsec connections. These are destination UDP ports 500 and 4500, and also packets of type ESP if your network's edge firewall is not using NAT-T.

      For additional ports and URLs used in a connection between your network and the WSS, see Reference: Required Locations, Ports, and Protocols.

Blueprint Configuration—Configure Certificate Authentication for VPN Connection(s)

The following blueprint demonstrates a command line configuration. To see a user interface reference configuration for a Cisco ASA device, see

Note: The following recommended details are not specific to any VPN device. If you are not certain of your firewall or VPN appliance's supported capabilities, options, or configuration steps, consult Symantec support, as they might be able to advise the best configuration or help you work with your VPN device vendor's support team for assistance.

Next Selection