AWS Configuration Requirements for the Migration of VIP Services Platform to Amazon Web Services

Symantec VIP services are hosted in multiple Amazon availability zones in the AWS Oregon [us-west-2] and Virginia [us-east-1] regions. To ensure uninterrupted connectivity from your VIP Enterprise Gateways and hosted custom applications to the Symantec VIP AWS-hosted cloud platform, review and update your configurations. 

Important: Organizations actively using VIP Enterprise Gateway or VIP Web Services WSDLs prior to version 9.3 should upgrade immediately. Symantec VIP has terminated use of *.verisign.com URLs on August 9, 2018. 

FIREWALL CONFIGURATION SETTINGS

1. Use VIP Service domain name whitelisting. This is preferable to using IP netblocks. 

2. Configure hostnames to recognize any sub-domain of *.vip.symantec.com. If you are unable to whitelist *.vip.symantec.com sub-domains, whitelist these specific hostnames:
   • services-auth.vip.symantec.com (port 443)
   • services.vip.symantec.com (port 443)
   • userservices-auth.vip.symantec.com (port 443)
   • goidservices-auth.vip.symantec.com (port 443)
   • liveupdate.symantecliveupdate.com (port 80)
   • liveupdate.symantec.com (port 80)
      
3. If you are unable to whitelist hostnames, update your firewall configuration to allow all outbound connectivity to the following IP netblocks.  

 Symantec VIP high-availability data centers are located in multiple regions. DNS resolves traffic to the active location using the URLs listed below. IP address pinning puts your organization at risk of service disruption during a VIP datacenter\DNS switch.

VIP ENTERPRISE GATEWAY, CUSTOM APPLICATIONS, AND ENTERPRISE INTEGRATION CONFIGURATION SETTINGS

The VIP Enterprise Gateway(s) and Web Services WSDL files are configured to use the following globally load-balanced URLs issued by Symantec VIP. Custom applications should point to these same relevant URLs. 

• services-auth.vip.symantec.com
• services.vip.symantec.com
• userservices-auth.vip.symantec.com
• goidservices-auth.vip.symantec.com
• liveupdate.symantecliveupdate.com
• liveupdate.symantec.com

TEST YOUR CONFIGURATION

Testing to determine if your VIP Enterprise Gateway, custom server applications, and any other components involved can communicate with the VIP Service can be performed from the application server host and VIP Enterprise Gateway hosts within your production environment. See Testing your VIP environment for the Migration of VIP Services Platform to Amazon Web Services for testing procedures.

ADDITIONAL RESOURCES

VIP Web Services best practice for high-availability and optimal performance