Web Security Service Announcement - Shanghai (SHA1) and Beijing (PEK1) Site Migration

Duration: 23 hours and 59 minutes
Scheduled
Scheduled

The Shanghai (SHA1) and Beijing (PEK1) WSS sites will be migrated from the current colocation-based data centers to new Azure-based data centers located in mainland China. The new Azure-based data centers provide improved capacity lead times and service agility consistent with our Google Cloud data centers outside of mainland China.

Following this migration, we are proud to announce that all Symantec Enterprise Cloud data centers will be located on top-tier hyperscale platforms with integrated global networks, maximizing connectivity to surrounding internet service providers and reducing exposure to inefficient public internet routes.

The migration will occur in 3 phases:

  1. October 10, 2022, the new data centers in Shanghai (ACNSH1) and Beijing (ACNBJ1) will officially go live for all customer-controlled redirection methods (like IPsec). After this date you are encouraged to test against the new sites and subsequently migrate as soon as possible.
  2. October 24, 2022 to November 4, 2022, traffic from WSS Agent, SEP agent, and explicit proxy traffic will be gradually migrated by Broadcom to the new data centers.
  3. November 15, 2022, the SHA1 and PEK1 data centers will be decommissioned. Therefore, it is critical that all customer traffic is migrated before this date.

Carefully review the information below to avoid disruption of service.

New POPs ACNSH1 and ACNBJ1 General Availability Date: October 10, 2022

SHA1 and PEK1 Decommissioning Date: November 15, 2022

Ingress IP Addresses (all Access Methods):

  • 163.228.64.112 - NEW - OCTOBER 10, 2022 (ACNSH1)
  • 159.27.93.192 - NEW - OCTOBER 10, 2022 (ACNBJ1)
  • 222.126.180.164 - TO BE RETIRED - NOVEMBER 15, 2022 (existing SHA1 ingress IP address)
  • 119.161.180.164 - TO BE RETIRED - NOVEMBER 15, 2022 (existing PEK1 ingress IP address)

Egress IP Addresses:

NEW - OCTOBER 10, 2022 (ACNSH1)

  • 163.228.64.112/28 - NEW
  • 163.228.64.128/28 - NEW
  • 163.228.64.144/28 - NEW
  • 163.228.64.176/28 - NEW
  • 163.228.64.192/28 - NEW
  • 163.228.64.208/28 - NEW
  • 163.228.64.224/28 - NEW
  • 163.228.64.240/28 - NEW
  • 163.228.65.0/28 - NEW
  • 163.228.65.16/28 - NEW
  • 163.228.65.32/28 - NEW
  • 163.228.65.48/28 - NEW
  • 163.228.65.64/28 - NEW
  • 163.228.65.80/28 - NEW
  • 163.228.65.96/28 - NEW

NEW - OCTOBER 10, 2022 (ACNBJ1)

  • 159.27.93.192/28 - NEW
  • 159.27.93.208/28 - NEW
  • 159.27.93.224/28 - NEW
  • 159.27.93.240/28 - NEW
  • 159.27.94.0/28 - NEW
  • 159.27.94.16/28 - NEW
  • 159.27.94.32/28 - NEW
  • 159.27.94.48/28 - NEW
  • 159.27.94.64/28 - NEW
  • 159.27.94.80/28 - NEW
  • 159.27.94.96/28 - NEW
  • 159.27.124.16/28 - NEW
  • 159.27.226.160/28 - NEW
  • 159.27.226.176/28 - NEW
  • 159.27.226.192/28 - NEW

TO BE RETIRED:

  • 222.126.180.0/23 - TO BE RETIRED - NOVEMBER 15, 2022 (SHA1)
  • 119.161.180.0/23 - TO BE RETIRED - NOVEMBER 15, 2022 (PEK1)

Required Action

Prior to October 10, 2022:

  • Firewall rules regulating connectivity to/from your network to WSS should be adjusted to allow traffic to pass to the new IP networks listed above.
  • Third party applications that regulate connections by source IP address should be updated to accept connections from the new egress IP networks listed above to ensure traffic proxied through WSS can reach the applications.
  • Auth Connector must be able to communicate with all egress ranges listed above on TCP 443, where applicable.

Failure to make these changes could prevent users from connecting to WSS, accessing third party web applications, or authenticating against the service using the Auth Connector (where applicable).

  • IPsec: Customers must update their tunnel configurations to point to the new ingress IP address before November 15, 2022. This change can be made after October 10, 2022.
  • WSS Agent, SEP Agent: Agent traffic will be automatically redirected to the new POP. No customer action is required.
  • Explicit proxy and proxy forwarding: Customers explicitly directing traffic to proxy.wss.broadcom.cn will be automatically redirected to the nearest new POP on November 4, 2022. No customer action is required.
  • Regardless of the connection method, any configuration pointing to a specific POP hostname or IP address (not recommended) must be manually switched to the new POP prior to the decommissioning date to avoid an outage.

Please visit these KB articles for a full list of IP networks used by WSS:

Questions?

If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security

For real time updates and status visit and subscribe to Broadcom Service Status: https://status.broadcom.com

Affected components