Domains and ports to allow (central, EDR, MTR)
Quote from mpca on 11 May 2021, 10:14:
https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/DomainsPorts.html
You must set up your firewall or proxy to allow these domains and ports.
This lets you protect your devices and communicate between Sophos Central Admin and your managed endpoints.
Note: All features route traffic using the same proxy. Some of the domains you need to allow are owned by Sophos Central Admin. Others aren't, but are needed for essential operations such as checking that installations work or recognizing certificates.
Sophos Central Admin domains
You must allow these domains and ports through your firewalls and proxies for your protection to work correctly.
If you're a partner managing accounts for customers, you must do this for each customer's firewall or proxy.
- central.sophos.com
- cloud-assets.sophos.com
- sophos.com
- downloads.sophos.com
Note: If your proxy or firewall supports wildcards, you can use the wildcard *.sophos.com to cover these addresses. Then enter the following non-Sophos addresses.
- az416426.vo.msecnd.net
- dc.services.visualstudio.com
- *.cloudfront.net
You must also review the other sections in this page and allow the appropriate domains and ports for all your licenses.
If you're a partner managing accounts for customers, you must do this for each customer's firewall or proxy, matching each customer's licenses.
Endpoint domains
If your proxy or firewall supports wildcards, use the following wildcards to cover these Sophos endpoint domains.
- *.sophos.com
- *.sophosupd.com
- *.sophosupd.net
- *.sophosxl.net
Then enter the following non-Sophos addresses.
- ocsp2.globalsign.com
- crl.globalsign.com
If your proxy or firewall doesn't support wildcards, you must identify the exact Sophos endpoint domains you need, then enter them manually.
To identify the server address that Sophos Management Communication System uses to communicate with Sophos Central Admin securely, do as follows:
- Open SophosCloudInstaller.log. You can find it in the following locations:
Windows 2008 R2 and later: C:\Documents and Settings\All Users\Application Data\Sophos\CloudInstaller\Logs
Windows 7 and later: C:\ProgramData\Sophos\CloudInstaller\Logs
- Look for the following lines:
  - a line starting with: Model::server value changed to:
  - a line starting with: Opening connection to
They should have a value that looks like this: dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com.
You must add this address and the following addresses to your firewall or proxy allow list.
- dci.sophosupd.com
- d1.sophosupd.com
- d2.sophosupd.com
- d3.sophosupd.com
- dci.sophosupd.net
- d1.sophosupd.net
- d2.sophosupd.net
- d3.sophosupd.net
- t1.sophosupd.com
- sdu-feedback.sophos.com
- sophosxl.net
- 4.sophosxl.net
- samples.sophosxl.net
- cloud.sophos.com
- id.sophos.com
- central.sophos.com
- downloads.sophos.com
- amazonaws.com
- *.hydra.sophos.com
If you want to be more specific about the domains you allow for hydra.sophos.com, you can use the following domains.
- *.mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
- *.mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
- *.mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
- *.mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
You must also add the following non-Sophos domains. You must not use wildcards for these domains.
- ocsp.globalsign.com
- ocsp2.globalsign.com
- crl.globalsign.com
- crl.globalsign.net
- ocsp.digicert.com
- crl3.digicert.com
- crl4.digicert.com
Note: Some firewalls or proxies show reverse lookups with *.amazonaws.com addresses. This is expected as we use Amazon AWS to host several servers. You must add these URLs to your firewall or proxy.
Endpoint ports
You must add the following ports.
- 80 (HTTP)
- 443 (HTTPS)
AD Sync
If you're using the Active Directory service, you must also add the following pre-signed S3 domains:
- tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com
- tf-presigned-url-eu-central-1-prod-*-bucket.s3.eu-central-1.amazonaws.com
- tf-presigned-url-us-east-2-prod-*-bucket.s3.us-east-2.amazonaws.com
- tf-presigned-url-us-west-2-prod-*-bucket.s3.us-west-2.amazonaws.com
If your proxy or firewall supports wildcards you can add the following wildcards:
- *.s3.eu-west-1.amazonaws.com
- *.s3.eu-central-1.amazonaws.com
- *.s3.us-east-2.amazonaws.com
- *.s3.us-west-2.amazonaws.com
Intercept X Advanced with EDR
Note: Add the domains and ports listed in Endpoint domains and Endpoint ports before adding the domains listed below.
If you have an Intercept X Advanced with EDR license, you must also add the following domains:
- tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.com
- tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
- tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
- tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
- live-terminal-eu-west-1.prod.hydra.sophos.com
- live-terminal-eu-central-1.prod.hydra.sophos.com
- live-terminal-us-west-2.prod.hydra.sophos.com
- live-terminal-us-east-2.prod.hydra.sophos.com
- *.mcs-push-server-eu-west-1.prod.hydra.sophos.com
- *.mcs-push-server-eu-central-1.prod.hydra.sophos.com
- *.mcs-push-server-us-west-2.prod.hydra.sophos.com
- *.mcs-push-server-us-east-2.prod.hydra.sophos.com
Intercept X Advanced with EDR and MTR
Note: Add the domains and ports listed in Endpoint domains, Endpoint ports, and Intercept X Advanced with EDR before adding the domains listed in this section.
If you have an MTR license and are using TLS inspection or have a firewall that uses application filtering, you must also add these domains:
- prod.endpointintel.darkbytes.io
- kinesis.us-west-2.amazonaws.com
To confirm you need to add those exclusions, or to test that the exclusions are effective, you need to check your DNS and your connectivity on an endpoint.
On Windows, do as follows:
- To check your DNS, open PowerShell and enter the following commands:
Resolve-DnsName -Name prod.endpointintel.darkbytes.io
Resolve-DnsName -Name kinesis.us-west-2.amazonaws.com
You should see a DNS response message from each domain.
- To check your connectivity, enter the following commands:
Invoke-WebRequest -uri https://prod.endpointintel.darkbytes.io
You should see the following response: {message: "running..."}.
Invoke-WebRequest -uri https://kinesis.us-west-2.amazonaws.com/
You should see a response containing "Missing Authentication Token".
On Linux, do as follows:
- To check your DNS, enter the following commands:
host prod.endpointintel.darkbytes.io
host kinesis.us-west-2.amazonaws.com
You should see a DNS response message from each domain.
- To check your connectivity, enter the following commands:
curl -v https://prod.endpointintel.darkbytes.io/
You should see the following response: {message: "running..."}.
curl -v https://kinesis.us-west-2.amazonaws.com/
You should see a response containing "Missing Authentication Token".
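The two manual steps in the quoted Sophos page that are easiest to get wrong are pulling the MCS server name out of SophosCloudInstaller.log and deciding whether a wildcard entry actually covers a given destination (the page itself lists the bare apex sophosxl.net separately, because *.sophosxl.net does not match it on most proxies). The script below is an added example written for this thread, not code from Sophos or from the poster. The log lines are constructed to match the two line prefixes the page names (the real log format is assumed), the example hostname is the one quoted on the page, and the wildcard semantics (a leading "*." matches one or more labels but not the apex; a "*" inside a label stays inside that label) are a strict reading that you should confirm against your own proxy or firewall product. Function names such as mcs_servers_from_log and covering_entries are mine.

```python
import re

# Constructed sample of SophosCloudInstaller.log lines (assumed format, not a
# real capture); the hostname is the example value quoted in the Sophos page.
SAMPLE_LOG = """\
2021-05-11T10:14:02 INFO Model::server value changed to: dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com
2021-05-11T10:14:03 INFO Opening connection to dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com:443
2021-05-11T10:14:03 INFO Opening connection to https://dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/
"""

# The two line prefixes the page says to look for, followed by the hostname
# (an optional scheme and any trailing :port or /path are not part of the host).
MCS_SERVER_RE = re.compile(
    r"(?:Model::server value changed to:|Opening connection to)\s*"
    r"(?:https?://)?([A-Za-z0-9.-]+)"
)


def mcs_servers_from_log(text):
    """Distinct MCS server hostnames found in the log, in order of appearance."""
    found = []
    for line in text.splitlines():
        m = MCS_SERVER_RE.search(line)
        if m:
            host = m.group(1).lower().rstrip(".")
            if host not in found:
                found.append(host)
    return found


# Wildcard set from the "Endpoint domains" section, plus the two non-Sophos
# entries that accompany it.
WILDCARD_ALLOWLIST = [
    "*.sophos.com", "*.sophosupd.com", "*.sophosupd.net", "*.sophosxl.net",
    "ocsp2.globalsign.com", "crl.globalsign.com",
]


def _entry_to_regex(entry):
    """Strict wildcard semantics (assumed; products differ, so confirm yours):
    a leading '*.' matches one or more labels below the suffix but not the bare
    apex, and a '*' inside a label stays inside that label. Both ends are
    anchored, so 'x.sophos.com.attacker.example' cannot ride on '*.sophos.com'."""
    entry = entry.lower().strip().rstrip(".")
    if entry.startswith("*."):
        return re.compile(r"^(?:[a-z0-9-]+\.)+" + re.escape(entry[2:]) + r"$")
    body = "".join(r"[a-z0-9-]*" if c == "*" else re.escape(c) for c in entry)
    return re.compile("^" + body + "$")


def covering_entries(host, allowlist):
    """Allowlist entries that permit this destination; [] means it is blocked."""
    host = host.lower().rstrip(".")
    return [e for e in allowlist if _entry_to_regex(e).match(host)]


def audit(hosts, allowlist):
    """Map each observed destination to the entries that cover it."""
    return {h: covering_entries(h, allowlist) for h in hosts}


if __name__ == "__main__":
    observed = mcs_servers_from_log(SAMPLE_LOG) + [
        "d1.sophosupd.com", "4.sophosxl.net",
        "sophosxl.net",                      # bare apex listed on the page
        "kinesis.us-west-2.amazonaws.com",   # MTR destination, outside the base set
    ]
    for host, entries in audit(observed, WILDCARD_ALLOWLIST).items():
        print("%-55s %s" % (host, ", ".join(entries) or "NOT COVERED"))
```

Run against real proxy or firewall logs by replacing SAMPLE_LOG and the observed list with the destinations your endpoints actually hit. Two things the audit makes visible: the bare entries the page lists (sophosxl.net, amazonaws.com) are not redundant with the wildcards, and the page's specific bucket names (tf-presigned-url-...-bucket.s3.eu-west-1.amazonaws.com) are a much tighter rule than a blanket *.amazonaws.com, which would also permit any attacker-controlled S3 bucket as an egress path.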
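The page's MTR verification runs two DNS lookups and two HTTPS requests by hand and tells you what a good reply looks like. The script below, an added example for this thread and not code from Sophos or the poster, turns that into a repeatable check that classifies each outcome (DNS blocked, connection or TLS failure, proxy block page, or the expected reply). The expected markers come from the page: the endpointintel host answers with a body containing "running", and kinesis answers an unauthenticated GET with HTTP 403 "Missing Authentication Token", which is the success case even though Invoke-WebRequest treats a 403 as an error. The resolve and fetch callables are injectable so the classification logic can be exercised offline; that design, the function names, and the verdict labels are mine. Certificate verification is left on deliberately: a TLS-inspecting proxy that re-signs the certificate surfaces as a connection failure here, which is the condition the page's exclusion is meant to remove.

```python
import socket
import urllib.error
import urllib.request

# Expected reply markers taken from the Sophos page. The kinesis 403
# "Missing Authentication Token" proves the request reached AWS, so an HTTP
# error status must not be treated as a connectivity failure.
EXPECTED = {
    "prod.endpointintel.darkbytes.io": "running",
    "kinesis.us-west-2.amazonaws.com": "Missing Authentication Token",
}


def fetch_https(host, timeout=10):
    """GET https://host/ and return (status, body); an HTTP error status is a
    normal answer here. Certificate verification stays enabled on purpose."""
    req = urllib.request.Request("https://%s/" % host, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def classify(host, marker, resolve=socket.gethostbyname, fetch=fetch_https):
    """Return one of: dns_fail, connect_fail, unexpected_response, ok.
    resolve/fetch are injectable so the logic can be tested offline."""
    try:
        resolve(host)
    except OSError:
        return "dns_fail"          # name filtering, or no resolver path to the internet
    try:
        _status, body = fetch(host)
    except OSError:                # URLError, SSLError and socket errors all derive from OSError
        return "connect_fail"      # egress blocked, or TLS inspection broke verification
    if marker in body:
        return "ok"
    return "unexpected_response"   # e.g. a proxy block page answered with 200 instead


def check_all(expected=EXPECTED, **kw):
    """Verdict per host; pass resolve=/fetch= to substitute the network calls."""
    return {host: classify(host, marker, **kw) for host, marker in expected.items()}


if __name__ == "__main__":
    for host, verdict in check_all().items():
        print("%-40s %s" % (host, verdict))
```

Extend EXPECTED with other hosts from the page only where you know what an unauthenticated GET returns; for most of the update and MCS hosts a 403 or 404 from the right origin is still proof of reachability, and a 200 carrying an HTML block page is not, which is why the check keys on the body rather than the status code.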