Reference: Required Locations, Ports, and Protocols

Most Symantec Web Security Service connectivity and authentication methods require communication through specific ports, protocols, and locations. If you have firewall rules in place, use this reference to verify the ports and services that must be opened to allow connectivity.

Symantec Resource   Provides knowledge base articles and support information.

Connectivity Methods

Access Method Port(s) Protocol Resolves To

WSS portal access URL.

IP addresses for administration of your WSS policy and configuration.


Partner Portal Functionality

Firewall/VPN (IPsec)


UDP 4500 if firewall is behind a NAT.

Proxy Forwarding

TCP 8080/8443

TCP 8084*


Use when the forwarding host is configured for local SSL interception.

Explicit Proxy

SEP PAC File Management System or Default PAC file

TCP 443

Default PAC file: TCP 8080


  • Firewall rules to allow PFMS access:

    • By
    • By IP Address: 

  • The default PAC file directs browser traffic to

Explicit Over IPsec (Trans-Proxy)

In this deployment method, all traffic is transmitted from your network to WSS. Two scenarios are common:

  • On-premises ProxySG appliance.

    Explicit browser settings direct traffic to the proxy, which forwards that traffic to WSS through a configured IPsec tunnel.

  • Explicit settings in the browser pointed to

    Direct all firewall traffic destined for to WSS through your configured IPsec tunnel.



UDP 4500 if firewall is behind a NAT. resolves to returns the following. returns all IPs in a round-robin fashion; each two-minute Time-To-Live (TTL) period returns a different address.

WSS Agent TCP/UDP 443 SSL (for TCP, UDP, and software updates)

Unified Agent

TCP 80



Port 80/443 to ( (for captive network information and updates)

Port 443 to (
Port 443 to (DNS fallback)

TCP port 443 to (DNS fallback), UDP added for agent version v4.9.1 or above.

Mobile (SEP-Mobile iOS/Android app)


UDP 4500 (NAT-T)


Universal Policy Enforcement (UPE)/Hybrid Policy    

On-Premises Policy Management ( and

If connectivity to WSS is behind stringent firewall rules, adjust the rules to allow traffic to pass to these IP addresses on port 443.


Auth Method Port(s) Protocol Resolves To
Auth Connector TCP 443


Tip: Additional Required Information: Reference: Authentication IP Addresses.

Auth Connector to Active Directory TCP 139, 445 SMB  
TCP 389 LDAP  
TCP 135 Location Services  
TCP 88 Kerberos  
49152-65535 TCP Open when Auth Connector is installed on a new Windows Server 2012 Member rather than a Domain Controller.
AC-Logon App TCP 80   Port 80 from all clients to the server.
SAML TCP 8443 (over VPN) Explicit and IPsec
Roaming Captive Portal TCP 8080
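
The following added example (not part of the Symantec documentation) audits a firewall allow-list against the Auth Connector to Active Directory rows above and reports any required port or sub-range that no rule covers. The one-line rule syntax and the sample rules are constructed for illustration; only allow rules are modelled, and rule ordering and deny rules are not.

```python
# Requirements transcribed from the "Auth Connector to Active Directory" rows.
# Tuples are (protocol, first_port, last_port, label).
REQUIRED = [
    ("tcp", 139, 139, "SMB"),
    ("tcp", 445, 445, "SMB"),
    ("tcp", 389, 389, "LDAP"),
    ("tcp", 135, 135, "Location Services"),
    ("tcp", 88, 88, "Kerberos"),
    # Needed only when the Auth Connector runs on a member server, per the table.
    ("tcp", 49152, 65535, "dynamic range (member-server install)"),
]

# Constructed sample allow-list in a hypothetical "action proto port[-port]" syntax.
SAMPLE_RULES = [
    "allow tcp 88",
    "allow tcp 135-139",
    "allow tcp 389",
    "allow udp 445",          # wrong protocol: does not satisfy TCP 445
    "allow tcp 49152-60000",  # truncated dynamic range
]

def parse_rule(text):
    """Parse one hypothetical rule line into (action, proto, first, last)."""
    action, proto, ports = text.split()
    first, _, last = ports.partition("-")
    return action.lower(), proto.lower(), int(first), int(last or first)

def uncovered(required, rules):
    """Return the (proto, first, last, label) ranges that no allow rule covers."""
    allows = sorted((lo, hi, proto)
                    for action, proto, lo, hi in map(parse_rule, rules)
                    if action == "allow")
    gaps = []
    for proto, lo, hi, label in required:
        cursor = lo  # lowest required port not yet known to be covered
        for a_lo, a_hi, a_proto in allows:
            if a_proto != proto or a_hi < cursor or a_lo > hi:
                continue  # rule is irrelevant to the remaining range
            if a_lo > cursor:
                gaps.append((proto, cursor, a_lo - 1, label))
            cursor = max(cursor, a_hi + 1)
        if cursor <= hi:
            gaps.append((proto, cursor, hi, label))
    return gaps

if __name__ == "__main__":
    for proto, lo, hi, label in uncovered(REQUIRED, SAMPLE_RULES):
        span = str(lo) if lo == hi else f"{lo}-{hi}"
        print(f"MISSING {proto.upper()} {span}  ({label})")
```
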