Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here.

Skyhigh Security

Routing Web Traffic to PoPs

Find the IP addresses of the best and second-best available Points of Presence (PoPs) and use them when configuring the primary and secondary IPsec or GRE tunnels.

Secure Web Gateway is delivered from the Skyhigh Security Cloud platform, which consists of globally distributed nodes called Points of Presence (PoPs). The Global Routing Manager (GRM) is a DNS service that is responsible for intelligent traffic routing, load sharing, and failover. The GRM routes traffic to the best available point of presence.

For a global map of PoPs with setup, status, and support information, see Skyhigh Security Status.

Finding the Best-available PoPs

You can find the best-available Points of Presence (PoPs) using the nslookup command-line tool to query the Global Routing Manager (GRM). GRM returns the IP addresses of the best-available PoPs based on your location.

You need these addresses when configuring IPsec or GRE tunnel interfaces on your networking device or in your SD-WAN service.

To find these IP addresses, run the tool from your network, as shown in the examples below. Each of the examples shows two PoPs, which are first and second with regard to their availability.

  • For IPsec
  • For GRE
nslookup 1.c<customer_id>
nslookup 2.c<customer_id>

Use the IP addresses returned by nslookup. Do not use the FQDNs to configure the VPN gateway address in SD-WAN. The use of FQDNs is not supported by all vendors' routers or SD-WAN profile configurations and may result in connectivity issues.


Secure Web Gateway (replacing the legacy Web Gateway Cloud Service and SaaS Web Protection web security products) as part of the Security Service Edge (SSE) solution.


The Global Routing Manager (GRM) routes traffic to the best-available Point of Presence (PoP). For example, if a user works from an endpoint in Italy, traffic is routed to the closest PoP in Europe, rather than to North America or Asia. If that same user travels to New York City, traffic is routed to the PoP in New York, unless restricted by your web policy.

The GRM is a DNS-based load-balancing service that returns to the endpoint through the route to the closest PoP. It considers the following information:

  • Geo-location of the user or endpoint

  • DNS request IP address

  • PoP availability

  • Proxy DNS name

The geo-location is needed to achieve the best performance and provide localized internet content to improve user experience. To achieve a good approximation of the geo-location of the endpoint, the IP address of the endpoint sent with a DNS request to the GRM is important.

The IP address seen on the GRM is typically not the same as the client IP address of an HTTP request. Instead, it is the IP address of the DNS resolver that the endpoint uses.


If you use cloud DNS services, such as Google DNS or OpenDNS, the geo-location reported for an endpoint might not be the correct geo-location in which the endpoint is located. These cloud DNS services use outbound IP addresses that are geo-located within the United States.

The same behavior applies if you manage your own centralized DNS infrastructure in a specific country or region. This behavior can also impact user experience while receiving webpage content in a foreign language.

NOTE: There is no issue if you are using a decentralized DNS infrastructure.


When using cloud DNS services or a centralized DNS infrastructure, you can work with prefixes to specify the preference for a Point of Presence (PoP) in a country or a region within a country. 

Use prefixes only if needed. Use of a prefix overrules the dynamic routing that would be performed by the GRM. This means that users might experience performance issues when traveling. Network latency, dynamic failover, and load-balancing issues can also occur.

Use of a prefix for proxy settings to specify the preference for a Point of Presence (PoP) in a country or region within a country will result in the following:

  • Country-specific prefix  The best-available PoP within the country is selected.

  • Region-specific prefix — The best-available PoP within the region is selected.  

Review these examples:

  • — Country-specific prefix for the United Kingdom when using SSE 

  • — Country-specific prefix for the United Kingdom when using the Web Protection Suite Hybrid solution with Skyhigh Client Proxy (SCP)

If no PoP is available in the country or region specified in the proxy host name, the preconfigured fallback is to use the closest PoP regardless of the country or region. It is quite unlikely then that no PoP would be available.

Tables of Prefixes

For your configuration, use the prefixes shown in the following tables.

Africa Prefix
South Africa za


Asia Prefix
Hong Kong hk
India in
India North in-north
India West in-west
Japan jp
Korea kr
Philippines ph
Singapore sg
Taiwan tw
Thailand th


Europe Prefix
Austria at
Belgium be
Croatia hr
Czech Republic cz
Denmark dk
Finland fi
France fr
Germany de
Greece gr
Hungary hu
Ireland ie
Italy it
Netherlands nl
Norway no
Poland pl
Portugal pt
Romania ro
Serbia rs
Slovakia sk
Slovenia si
Spain es
Sweden se
Switzerland ch
Turkey tr
United Kingdom uk


Middle East Prefix
Israel il
Saudi Arabia sa
United Arab Emirates ae


North America Prefix
Canada ca
Mexico  mx
North America East Coast na-east
North America West Coast na-west
USA East us-east
USA Midwest us-midwest
USA South us-south
USA West us-west


Pacific Prefix
Australia au
Australia East au-east
Australia West au-west
New Zealand nz


South America Prefix
Argentina ar
Bolivia bo
Brazil br
Chile cl
Colombia co
Paraguay py
Peru pe
Uruguay uy
Venezuela ve
  • Was this article helpful?