Web Security Service Announcement - Shanghai (SHA1) and Beijing (PEK1) Site Migration

Wednesday, 23 November 23 hours and 59 minutes
Complete
Complete

The maintenance is now complete. Thanks for your patience.

Underway

The scheduled maintenance is now underway. We'll keep you updated on our progress.

Update

Important Reminder

In order to avoid an outage, we kindly remind customers with customer-controlled redirection methods (like IPsec) to redirect your tunnels to the Azure data centers prior to the decommission date, November 23 2022.

Update

Update:

There has been a change in migration schedule. Please take a note of the revised dates and perform required actions accordingly:

  1. October 31, 2022 to November 16, 2022, traffic from WSS Agent, SEP agent, and explicit proxy traffic will be gradually migrated by Broadcom to the new data centers.
  2. November 23, 2022, the SHA1 and PEK1 data centers will be decommissioned. Therefore, it is critical that all customer traffic is migrated before this date.
Update

Update:

The intermittent connectivity issue with Auth Connectors located outside of China has been resolved. If you are using customer controlled redirection methods (like IPsec) you are strongly encouraged to test against the new sites.

Update

Update:

On October 17, 2022, the new data centers in Shanghai (ACNSH1) and Beijing (ACNBJ1) will officially go live for all customer-controlled redirection methods (like IPsec). After this date you are encouraged to test against the new sites. It is not recommended to migrate production traffic at this time.

Please know that we are experiencing intermittent connectivity issues with Auth Connectors located outside of China attempting to connect to these new data centers. Therefore, if you are using an Auth Connector outside of China, we recommend waiting for an announcement of resolution of the issue before migrating.

Update

Update:

There has been a change in migration schedule. Please take a note of the revised dates and perform required actions accordingly:

  1. October 17, 2022, the new data centers in Shanghai (ACNSH1) and Beijing (ACNBJ1) will officially go live for all customer-controlled redirection methods (like IPsec). After this date you are encouraged to test against the new sites and subsequently migrate as soon as possible.
  2. October 31, 2022 to November 11, 2022, traffic from WSS Agent, SEP agent, and explicit proxy traffic will be gradually migrated by Broadcom to the new data centers.
  3. November 22, 2022, the SHA1 and PEK1 data centers will be decommissioned. Therefore, it is critical that all customer traffic is migrated before this date.
Scheduled

The Shanghai (SHA1) and Beijing (PEK1) WSS sites will be migrated from the current colocation-based data centers to new Azure-based data centers located in mainland China. The new Azure-based data centers provide improved capacity lead times and service agility consistent with our Google Cloud data centers outside of mainland China.

Following this migration, we are proud to announce that all Symantec Enterprise Cloud data centers will be located on top-tier hyperscale platforms with integrated global networks, maximizing connectivity to surrounding internet service providers and reducing exposure to inefficient public internet routes.

The migration will occur in 3 phases:

  1. October 10, 2022, the new data centers in Shanghai (ACNSH1) and Beijing (ACNBJ1) will officially go live for all customer-controlled redirection methods (like IPsec). After this date you are encouraged to test against the new sites and subsequently migrate as soon as possible.
  2. October 24, 2022 to November 4, 2022, traffic from WSS Agent, SEP agent, and explicit proxy traffic will be gradually migrated by Broadcom to the new data centers.
  3. November 15, 2022, the SHA1 and PEK1 data centers will be decommissioned. Therefore, it is critical that all customer traffic is migrated before this date.

Carefully review the information below to avoid disruption of service.

New POPs ACNSH1 and ACNBJ1 General Availability Date: October 10, 2022

SHA1 and PEK1 Decommissioning Date: November 15, 2022

Ingress IP Addresses (all Access Methods):

  • 163.228.64.112 - NEW - OCTOBER 10, 2022 (ACNSH1)
  • 159.27.93.192 - NEW - OCTOBER 10, 2022 (ACNBJ1)
  • 222.126.180.164 - TO BE RETIRED - NOVEMBER 15, 2022 (existing SHA1 ingress IP address)
  • 119.161.180.164 - TO BE RETIRED - NOVEMBER 15, 2022 (existing PEK1 ingress IP address)

Egress IP Addresses:

NEW - OCTOBER 10, 2022 (ACNSH1)

  • 163.228.64.112/28 - NEW
  • 163.228.64.128/28 - NEW
  • 163.228.64.144/28 - NEW
  • 163.228.64.176/28 - NEW
  • 163.228.64.192/28 - NEW
  • 163.228.64.208/28 - NEW
  • 163.228.64.224/28 - NEW
  • 163.228.64.240/28 - NEW
  • 163.228.65.0/28 - NEW
  • 163.228.65.16/28 - NEW
  • 163.228.65.32/28 - NEW
  • 163.228.65.48/28 - NEW
  • 163.228.65.64/28 - NEW
  • 163.228.65.80/28 - NEW
  • 163.228.65.96/28 - NEW

NEW - OCTOBER 10, 2022 (ACNBJ1)

  • 159.27.93.192/28 - NEW
  • 159.27.93.208/28 - NEW
  • 159.27.93.224/28 - NEW
  • 159.27.93.240/28 - NEW
  • 159.27.94.0/28 - NEW
  • 159.27.94.16/28 - NEW
  • 159.27.94.32/28 - NEW
  • 159.27.94.48/28 - NEW
  • 159.27.94.64/28 - NEW
  • 159.27.94.80/28 - NEW
  • 159.27.94.96/28 - NEW
  • 159.27.124.16/28 - NEW
  • 159.27.226.160/28 - NEW
  • 159.27.226.176/28 - NEW
  • 159.27.226.192/28 - NEW

TO BE RETIRED:

  • 222.126.180.0/23 - TO BE RETIRED - NOVEMBER 15, 2022 (SHA1)
  • 119.161.180.0/23 - TO BE RETIRED - NOVEMBER 15, 2022 (PEK1)

Required Action

Prior to October 10, 2022:

  • Firewall rules regulating connectivity to/from your network to WSS should be adjusted to allow traffic to pass to the new IP networks listed above.
  • Third party applications that regulate connections by source IP address should be updated to accept connections from the new egress IP networks listed above to ensure traffic proxied through WSS can reach the applications.
  • Auth Connector must be able to communicate with all egress ranges listed above on TCP 443, where applicable.

Failure to make these changes could prevent users from connecting to WSS, accessing third party web applications, or authenticating against the service using the Auth Connector (where applicable).

  • IPsec: Customers must update their tunnel configurations to point to the new ingress IP address before November 15, 2022. This change can be made after October 10, 2022.
  • WSS Agent, SEP Agent: Agent traffic will be automatically redirected to the new POP. No customer action is required.
  • Explicit proxy and proxy forwarding: Customers explicitly directing traffic to proxy.wss.broadcom.cn will be automatically redirected to the nearest new POP on November 4, 2022. No customer action is required.
  • Regardless of the connection method, any configuration pointing to a specific POP hostname or IP address (not recommended) must be manually switched to the new POP prior to the decommissioning date to avoid an outage.

Please visit these KB articles for a full list of IP networks used by WSS:

Questions?

If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security

For real time updates and status visit and subscribe to Broadcom Service Status: https://status.broadcom.com

Began at: