Reference: Required Locations, Ports, and Protocols

Most Web Security Service connectivity and authentication methods require communication through specific ports, protocols, and locations. If you have firewall rules in place, use this reference to verify the ports and services that must be opened to allow connectivity.

Symantec Enterprise Resource: support.broadcom.com provides knowledge base articles and support information.

Connectivity Methods

Each entry below lists the Method, Port(s), Protocol, and Resolves To values for one connectivity method. Where the reference gives no value for a column, that field is omitted.

Method: Web Security Service portal access URL (for administration of your WSS policy and configuration)
Port(s): 443
Resolves To:
  • portal.threatpulse.com: 35.245.151.224, 34.82.146.64
  • Partner Portal functionality: 35.245.151.231, 34.82.146.71

Method: Firewall/VPN (IPsec)
Port(s): UDP 500 (ISAKMP); UDP 4500 if the firewall is behind a NAT.
Protocol: IPsec/ESP

Method: Proxy Forwarding
Port(s): TCP 8080/8443; TCP 8084*
Protocol: HTTP/HTTPS
Resolves To: proxy.threatpulse.net
* Use when the forwarding host is configured for local SSL interception.

Method: Explicit Proxy (SEP PAC File Management System or Default PAC file)
Port(s): TCP 443; Default PAC file: TCP 8080
Resolves To:
  • Firewall rules to allow PFMS access:
    • By hostname: pfms.wss.symantec.com
    • By IP address: 34.120.17.44
      The following addresses were used before November 7, 2020. They are acceptable for backup and failover until Symantec announces their decommissioned status.
      • 35.155.165.94
      • 35.162.233.131
      • 52.21.20.251
      • 52.54.167.220
      • 199.247.42.187
      • 199.19.250.187
  • The default PAC file directs browser traffic to proxy.threatpulse.net.

Method: Explicit Over IPsec (Trans-Proxy)
  In this deployment method, all traffic is transmitted from your network to WSS. Two scenarios are common.
  • On-premises ProxySG appliance. Explicit browser settings direct traffic to the proxy, which forwards that traffic to the WSS through a configured IPsec tunnel.
  • Explicit settings in the browser pointed to ep.threatpulse.net. Direct all firewall traffic destined for ep.threatpulse.net to WSS through your configured IPsec tunnel.
Port(s): UDP 500 (ISAKMP); UDP 4500 if the firewall is behind a NAT.
Resolves To:
  • ep.threatpulse.net resolves to 199.19.250.205.
  • ep-all.threatpulse.net returns the following:
    • 199.19.248.205
    • 199.19.250.205
    • 199.19.250.206
    • 199.19.250.207
    • 199.19.250.208
    • 199.19.250.209
    • 199.19.250.210
    • 199.19.250.211
    • 199.19.250.212
    • 199.19.250.213
    • 199.19.250.214
  • ep-roundrobin.threatpulse.net returns all IPs in a round-robin fashion; each two-minute Time-To-Live (TTL) period returns a different address.

Method: WSS Agent
  SEP-Mobile (iOS/Android), which shares the same architecture as WSS Agent, honors the following settings on the Connectivity > WSS Agent page:
  • The Forwarding Ports.
  • The Failure Behavior setting.
  • If the Cloud Firewall Service (CFS) is entitled, traffic from all ports.
Port(s): TCP/UDP 443
Protocol: SSL
Resolves To:
  • ctc.threatpulse.com (for TCP, UDP, and software updates): 130.211.30.2; TCP port 443 for CTC requests and configuration.
  • portal.threatpulse.com: TCP port 443 for downloading updates.

Method: Hybrid Policy, On-Premises Policy Management (sgapi.threatpulse.com and sgapi.es.bluecoat.com)
Resolves To: 35.245.151.229, 34.82.146.69
  If connectivity to WSS is behind stringent firewall rules, adjust the rules to allow traffic to pass to these IP addresses on port 443.

Authentication

Each entry below lists the Auth Method, Port(s), Protocol, and Resolves To values for one authentication method. Where the reference gives no value for a column, that field is omitted.

Auth Method: Auth Connector
Port(s): TCP 443
Protocol: SSL
Resolves To:
  • auth.threatpulse.com: 35.245.151.226, 34.82.146.65
  • portal.threatpulse.com
  Additional required information: Reference: Authentication IP Addresses.

Auth Method: Auth Connector to Active Directory
Port(s) / Protocol:
  • TCP 139, 445: SMB
  • TCP 389: LDAP
  • TCP 3268: ADSI LDAP
  • TCP 135: Location Services
  • TCP 88: Kerberos
  • TCP 49152-65535: if installed on a new Windows Server 2012 Member rather than a Domain Controller.

Auth Method: AC-Logon App
Port(s): TCP 80, from all clients to the server.

Auth Method: SAML
Port(s): TCP 8443 (over VPN)
Protocol: Explicit and IPsec
Resolves To: saml.threatpulse.net

Auth Method: Roaming Captive Portal
Port(s): TCP 8080
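Before opening firewall rules for the hostnames above, it is worth confirming that your resolver actually returns the documented addresses and nothing else (a stale cache, split-horizon DNS, or tampering would otherwise be whitelisted along with them). The following script is an added example, not Symantec tooling: the hostnames and addresses are the ones listed in this reference, while the function names and the audit logic are assumptions.

```python
"""Audit resolver answers for WSS endpoints against the documented address sets."""
import socket

# Documented answers from this reference page (added example data, not a live feed).
DOCUMENTED = {
    "ep.threatpulse.net": {"199.19.250.205"},
    "ep-all.threatpulse.net": {
        "199.19.248.205", "199.19.250.205", "199.19.250.206", "199.19.250.207",
        "199.19.250.208", "199.19.250.209", "199.19.250.210", "199.19.250.211",
        "199.19.250.212", "199.19.250.213", "199.19.250.214",
    },
    "pfms.wss.symantec.com": {"34.120.17.44"},
    "portal.threatpulse.com": {"35.245.151.224", "34.82.146.64"},
    "ctc.threatpulse.com": {"130.211.30.2"},
    "auth.threatpulse.com": {"35.245.151.226", "34.82.146.65"},
}
# Pre-November-2020 PFMS addresses: acceptable for failover until decommissioned.
LEGACY = {
    "pfms.wss.symantec.com": {"35.155.165.94", "35.162.233.131", "52.21.20.251",
                              "52.54.167.220", "199.247.42.187", "199.19.250.187"},
}

def resolve_ipv4(hostname):
    """Live A-record lookup through the system resolver; returns a set of addresses."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, None, socket.AF_INET)}

def audit(hostname, observed):
    """Compare observed answers for one hostname with the documented sets.

    'unexpected' addresses appear in no documented set and should be investigated
    before a rule is opened for them; 'legacy' are documented fallback addresses;
    'missing' are documented addresses not returned this time, which is normal for
    round-robin names that hand out a subset per TTL. 'ok' is True when every
    observed address is documented (current or legacy).
    """
    documented = DOCUMENTED.get(hostname, set())
    legacy = LEGACY.get(hostname, set())
    observed = set(observed)
    return {
        "unexpected": sorted(observed - documented - legacy),
        "legacy": sorted(observed & legacy),
        "missing": sorted(documented - observed),
        "ok": observed <= (documented | legacy),
    }

def audit_all(resolver=resolve_ipv4):
    """Audit every documented hostname; inject a fake resolver for offline checks."""
    return {host: audit(host, resolver(host)) for host in DOCUMENTED}

if __name__ == "__main__":
    for host, result in audit_all().items():
        print(host, "OK" if result["ok"] else "UNEXPECTED " + ", ".join(result["unexpected"]))
```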