Web Security Services

  • 1.  Auth Connector doing SAML for Explicit mode

    Posted Dec 24, 2018 01:34 AM

    Hello folks,


    If we are deploying WSS and the client connection is in explicit mode using a PAC file, and if we create user-based rules in the portal, do we need to allow inbound connections from WSS to the on-prem Auth Connector?
    My question is related to opening inbound ports in the perimeter firewall.

    I know there are 2 options: Captive Portal and SAML.
    But I am wondering, do we need to allow an inbound connection? If yes, then which ports?

    Regards
    Fawaz Musthafa



  • 2.  RE: Auth Connector doing SAML for Explicit mode

    Posted Dec 24, 2018 04:17 AM

    Dear Fawaz,


    Yes, you need to open port 443 for inbound connections on the perimeter firewall in the case of Captive Portal and SAML authentication.


    The WSS Auth Connector needs to connect to Symantec's servers in order to push Active Directory and login/logout data into the cloud.
    The Auth Connector will connect to Symantec's WSS servers using auth.threatpulse.net on a standard SSL connection (port 443).

    You need to allow inbound connections for the IPs or domain auth.threatpulse.net, or 199.116.168.193 and 199.19.250.193.


    BR

    Aboonaim

    ----------

    If you are satisfied with an answer, please click "Accept Solution"



  • 3.  RE: Auth Connector doing SAML for Explicit mode

    Posted Dec 24, 2018 04:30 AM

    Dear Fawaz,


    Also note that for SAML, the port below is required to be open.

    SAML: port 8443 (over VPN), for Explicit and IPSec access methods, to saml.threatpulse.net





  • 4.  RE: Auth Connector doing SAML for Explicit mode

    Posted Dec 24, 2018 08:30 AM

    Hello Aboonaim,


    Many thanks for your responses. I have a doubt about your second comment, where you mentioned 8443 should be allowed to saml.threatpulse.net.

    But that would be outbound from the Auth Connector to WSS, right? Not inbound towards the Auth Connector.


    Regards

    Fawaz



  • 5.  RE: Auth Connector doing SAML for Explicit mode

    Posted Dec 24, 2018 09:45 AM
    Dear Fawaz,

    Yes, only the outbound port needs to be open.

    SAML flow:

    1. The SP (Web Security Service) intercepts the user request and redirects the web browser to the IdP. The redirect URL includes the SAML authentication request that is submitted to the IdP's SSO service.
    2. The IdP authenticates the user by asking for valid login credentials or checking for valid session cookies for stored credentials, and sends the assertion to the browser.
    3. The browser returns the assertion with the authentication response, which contains the user's username, to the Web Security Service (however, the service is not aware of the user's credentials).
    4. The Web Security Service validates the request using the corresponding public key, which is embedded in the IdP's signing certificate, and then retrieves the user name from the Name ID attribute in the assertion.
    5. The Web Security Service redirects the user to the website and creates an authenticated session for the user.

    BR

    Aboonaim

    -----------------------

    If you are satisfied with my answer, click on "Accepted" solution
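    The SP-initiated flow in the reply above, as an added Python example that is not code from WSS or the Auth Connector: it builds the step-1 redirect (HTTP-Redirect binding), decodes it on the IdP side, issues a step-2/3 response, and runs the step-4 checks an SP applies before trusting the NameID. Hostnames, entity IDs and the user name are constructed placeholders, and XML signature verification of the assertion, which the reply says step 4 requires, is left to a dedicated XML-DSig library.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

P, A = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": P, "saml": A}

def sp_build_redirect(idp_sso_url, sp_entity_id, acs_url):
    """Step 1 (SP): build an AuthnRequest, raw-DEFLATE + base64 it into the SAMLRequest
    query parameter of the HTTP-Redirect binding. Returns (request_id, redirect_url)."""
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{P}" xmlns:saml="{A}" ID="{req_id}" Version="2.0" '
           f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    z = zlib.compressobj(wbits=-15)  # wbits=-15: raw DEFLATE, no zlib header/trailer
    blob = base64.b64encode(z.compress(xml.encode()) + z.flush()).decode()
    return req_id, idp_sso_url + "?" + urlencode({"SAMLRequest": blob})

def idp_parse_redirect(url):
    """Step 1 (IdP): decode the redirect and recover the request ID and where to post back."""
    qs = parse_qs(urlparse(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), wbits=-15))
    return root.get("ID"), root.get("AssertionConsumerServiceURL")

def idp_build_response(in_response_to, sp_entity_id, name_id, not_on_or_after):
    """Steps 2-3 (IdP): issue a Response whose assertion carries the NameID, bound to the request and SP."""
    xml = (f'<samlp:Response xmlns:samlp="{P}" xmlns:saml="{A}" Version="2.0" InResponseTo="{in_response_to}">'
           f'<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
           f'<saml:Assertion><saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotOnOrAfter="{not_on_or_after}"><saml:AudienceRestriction>'
           f'<saml:Audience>{sp_entity_id}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()  # HTTP-POST binding: the SAMLResponse form field

def sp_consume_response(saml_response_b64, expected_request_id, sp_entity_id, now=None):
    """Step 4 (SP): validate the response before trusting the NameID. A real SP must FIRST verify the
    XML-DSig signature over the assertion with the IdP's certificate (needs an XML-DSig library)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if not status.endswith(":Success"):
        raise ValueError("IdP reported failure: " + status)
    if root.get("InResponseTo") != expected_request_id:  # reject unsolicited or replayed responses
        raise ValueError("response does not answer our AuthnRequest")
    cond = root.find("saml:Assertion/saml:Conditions", NS)
    if now >= datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00")):
        raise ValueError("assertion expired")
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != sp_entity_id:
        raise ValueError("assertion issued for a different SP")
    return root.find("saml:Assertion/saml:Subject/saml:NameID", NS).text
```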


  • 6.  RE: Auth Connector doing SAML for Explicit mode

    Posted Dec 31, 2018 10:29 AM

    Hello Aboonaim,

    What is still confusing me is, when the SP redirects the browser to the IdP, shouldn't inbound traffic be allowed towards the IdP for it to respond to this request?

    Regards

    Fawaz



  • 7.  RE: Auth Connector doing SAML for Explicit mode

    Posted Dec 31, 2018 11:06 AM
    Dear Fawaz,

    The SP (Symantec Web Security Service) intercepts the user request and redirects the web browser to the IdP (the Auth Connector). The redirect URL includes the SAML authentication request. The IdP listens on port 80 for SAML requests. The IdP returns an IWA 401 challenge to the client and sets the authentication headers for both NTLM and Kerberos.


  • 8.  RE: Auth Connector doing SAML for Explicit mode

    Posted Dec 31, 2018 10:15 PM
    Dear Fawaz,

    Yes, we require both inbound and outbound. Only in the case of a UA deployment do we require outbound only, if we don't enable captive portal.

