CRL Infrastructure Upgrade on May 6, 2013
Important Service Announcement
Symantec upgraded its SSL Certificate Revocation List (CRL) infrastructure on May 6, 2013 to provide faster responses and a better experience for customers.
Here's how you'll benefit
- Faster response time – CRL requests will be served from the closest location to the user, with a dramatically improved average response time.
- 100+ additional new sites – more sites handling CRL requests means improved availability and reliability all over the globe.
What this means to you
It is strongly recommended that any firewall policies and/or access control devices use URLs and not IP addresses. Symantec can change these IP addresses at any time without notification. If possible, white list the following entries on your firewall policies and/or access control devices to ensure seamless access to our CRL services.
- *.ws.ssl247.com
- *.ssl247a.com
- *.ssl247b.com
Note: If white listing wildcard entries is not permitted, you can white list the following specific fully qualified domain names (FQDNs).
If your corporate firewall is configured to allow only a certain set of IP addresses to be accessed from your network, you'll need to take the following actions:
- Install or add the IP addresses to your existing list. Do not replace the old IP addresses, and do not delete your existing rules for Symantec CRL IP addresses.
- Test outbound connectivity.
Note: When you are testing the IPs, please note that not all 128 IPs are 'up' all the time. When testing connectivity with one of the IPs, you may not get a response from it. This is by design: those IPs are technically 'out of rotation' and won't be resolved to when a DNS query is made against the CRL service.
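One way to run the outbound connectivity test while allowing for out-of-rotation IPs, as an added example that is not part of Symantec's announcement. It assumes CRLs are fetched over TCP port 80; the function names are hypothetical, and the sample addresses are constructed placeholders from the RFC 5737 documentation range.

```python
import socket

def resolve_ipv4(hostname, port=80):
    """IPv4 addresses DNS returns right now (one answer, not the whole pool)."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def tcp_reachable(ip, port=80, timeout=3.0):
    """True if an outbound TCP connection to ip:port completes within timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify(allowlisted_ips, in_rotation, reachable):
    """Sort each allow-listed IP into one of three buckets.

    ok           - the connection succeeded
    investigate  - DNS currently resolves to it, yet it is unreachable,
                   so a firewall rule is the likely cause
    inconclusive - unreachable and absent from the current DNS answer,
                   which is what an out-of-rotation IP looks like
    """
    report = {"ok": [], "investigate": [], "inconclusive": []}
    for ip in allowlisted_ips:
        if reachable[ip]:
            report["ok"].append(ip)
        elif ip in in_rotation:
            report["investigate"].append(ip)
        else:
            report["inconclusive"].append(ip)
    return report

def check(hostname, allowlisted_ips, port=80):
    """Live check: hostname is one of the CRL FQDNs you have white listed."""
    in_rotation = resolve_ipv4(hostname, port)
    reachable = {ip: tcp_reachable(ip, port) for ip in allowlisted_ips}
    report = classify(allowlisted_ips, in_rotation, reachable)
    # IPs that DNS hands out but the firewall list lacks will be blocked.
    report["not_allowlisted"] = sorted(in_rotation - set(allowlisted_ips))
    return report

if __name__ == "__main__":
    # Constructed sample data, not Symantec's addresses.
    ips = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    probes = {"192.0.2.10": True, "192.0.2.11": False, "192.0.2.12": False}
    print(classify(ips, {"192.0.2.10", "192.0.2.11"}, probes))
```

Only the "investigate" and "not_allowlisted" buckets point at a firewall problem; an "inconclusive" IP is worth retesting later, since it may come back into rotation.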