Web Security Service Announcement - New Data Center - Dubai, UAE (GAEDX)

1 minute
Complete
Complete

The scheduled maintenance has been completed.

Underway

Scheduled maintenance is currently in progress. We will provide updates as necessary.

Scheduled

As part of the previously announced migration to Google Cloud Platform (GCP), the Symantec Web Security Service Team is pleased to announce a new data center in Dubai, UAE (designated GAEDX).

Impact The new Dubai (GAEDX) data center is available now. On June 28, 2020 the Dubai (GAEDX) will completely replace the current Dubai (DXB1) data center, which will remain open for IPsec traffic in parallel with Dubai (GAEDX) through June 27, 2020.

Traffic from Unified Agent, WSS Agent, Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR), Explicit proxy, and proxy forwarding destined to Dubai (DXB1) will be moved to Dubai (GAEDX) on April 30, 2020.

IPsec tunnels and firewall rules will need to be updated as described in the required action section below.

The ingress IP address for all access methods for Dubai (GAEDX) is:

34.65.98.164 <b>(New ingress address, announced April 10, change may be required)</b>

The egress network IP ranges for Dubai (GAEDX) is:

34.65.98.0/24  <b>(New range, announced April 10, change may be required)</b>

Required Action If end user connectivity to WSS is regulated by stringent firewall rules, those firewall rules must be adjusted to allow traffic to pass to the ingress and egress IP networks listed above. In addition, any third party application provider who regulates connections by source IP must be updated to accept connections from the ingress and egress IP networks listed above to ensure WSS traffic passes unencumbered.

IPsec: Customers must migrate their tunnel(s) to the new Dubai (GAEDX) data center ingress IP address by June 27, 2020 before the old Dubai (DXB1) data center shuts down.

Explicit over IPsec (“trans-proxy”): Customers must migrate their tunnel(s) to the new Dubai (GAEDX) data center ingress IP address by June 27, 2020 before the old Dubai (DXB1) data center shuts down.

The access methods below all require firewall changes. The following use cases demonstrate why these access methods require firewall changes:

Use case 1 - Connectivity: Users using the Unified-Agent/WSS Agent or explicit access methods may all be coming from the same IP address, and if your firewall is not allowing TCP/UDP 443 (Unified-Agent) or TCP 8080 (Explicit and SEP-WTR) to the new VIPs above, the tunnel will not come up (Unified-Agent) or connectivity to the explicit proxy (Explicit and SEP-WTR) will fail.

Use case 2 - Group-based policies and authentication: Even in the case where users may be roaming and not coming from the same location, group based policies could fail if the auth connector cannot communicate with these new egress IP addresses.

It is imperative that the firewall whitelist access to these ingress and egress IP addresses to avoid problems.

Unified Agent and WSS Agent: Firewall rules will need to be updated as described above to allow the new ingress and egress addresses.

Symantec Endpoint Protection Web Traffic Redirector (SEP-WTR): The underlying IP address for sep-wtr.threatpulse.net will be updated as part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. If customers are referencing the current data center VIP directly (e.g., via a PAC file), please change to reference the sep-wtr.threatpulse.net domain name instead.

Explicit proxy and proxy forwarding: The underlying IP address for proxy.threatpulse.net will change as a part of this migration. Firewall rules will need to be updated as described above to allow the new ingress and egress addresses. If customers are referencing the current data center VIP directly (e.g., via a PAC file), please change to reference the proxy.threatpulse.net domain name instead.

Others: Any customer, regardless of connection method, with a configuration pointing to a specific site or IP address must manually move to the new Dubai (GAEDX) site failover to a secondary site during the migration window to avoid an outage.

All customers should continue to trust the existing Dubai (DXB1) data center IP network, because it will continue to be utilized by WSS services through June 27.

Please visit these KB articles for a full list of IP networks used by WSS: Worldwide data center IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH242979 Authentication / egress IP addresses: https://knowledge.broadcom.com/external/article?legacyId=TECH240889

Questions? If you have further questions regarding this announcement, contact Technical Support. Support information is located at: https://support.broadcom.com/security

For real time updates and status visit and subscribe to Broadcom Service Status: https://wss.status.broadcom.com

Began at:

Affected components