Domains and ports to allow
You must set up your firewall or proxy to allow the domains and ports listed here. This lets you protect your devices and manage them from Sophos Central.
All features route traffic using the same proxy.
Some of the domains you need to allow are owned by Sophos Central Admin. Others aren't, but are needed for essential operations such as checking that installations work or recognizing certificates.
This page tells you which domains and ports you need for the following products:
- Intercept X, XDR, or MDR. Use this section for your threat protection products.
- Sophos AD Sync. Use this section too if you use Sophos AD Sync to keep your Sophos Central users list up to date.
If you're setting up Sophos Email Security, see Email domain information.
Recommendations
-
Don't use firewall regional rules. These could override your allowed list and prevent Sophos products from working. For example, a block on non-US regions could stop services that sometimes run through European regions. This can happen because our products are hosted on Amazon Web Service (AWS), which uses non-static IP addresses. See AWS IP address ranges and Amazon IP addresses.
-
Check whether you can use wildcards in your firewall or proxy rules. If you can't, there are some features you can't use.
Intercept X, XDR, or MDR
Follow these instructions if you have any of these licenses:
- Intercept X Advanced
- Intercept X Advanced for Server
- Intercept X Advanced with XDR
- Intercept X Advanced for Server with XDR
- Managed Detection and Response Essentials
- Managed Detection and Response Complete
- Managed Detection and Response Essentials Server
- Managed Detection and Response Complete Server
Ports
Allow this port:
443 (HTTPS)
Domains
Allow the following domains. Ensure you complete all sections.
Sophos Central Admin domains
-
Allow these Sophos domains:
central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com
If your proxy or firewall supports wildcards, you can use the wildcard
*.sophos.com
to cover these addresses. -
Allow the following non-Sophos addresses:
az416426.vo.msecnd.net
dc.services.visualstudio.com
Sophos domains
The domains you need to allow depend on whether your firewall or proxy supports wildcards.
Click the appropriate tab for details.
Allow the following wildcards to cover the Sophos domains:
*.sophos.com
*.sophosupd.com
*.sophosupd.net
*.sophosxl.net
*.analysis.sophos.com
*.ctr.sophos.com
*.hydra.sophos.com
*.hitmanpro.com
Regex definitions
^.*\.sophos\.com
^.*\.sophosupd\.com
^.*\.sophosupd\.net
^.*\.sophosxl\.net
^.*\.analysis\.sophos\.com
^.*\.ctr\.sophos\.com
^.*\.hydra\.sophos\.com
^.*\.hitmanpro\.com
If your proxy or firewall doesn't support wildcards, you must manually add the exact domains you need.
Allow these Sophos domains:
central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com
You also need to identify the server addresses that the Sophos management communication system and the device installers use to communicate with Sophos Central Admin securely. Click the tab corresponding to your device's operating system and follow the steps to identify and allow these addresses.
On Windows devices, do as follows:
- Open
SophosCloudInstaller.log
. You can find it inC:\ProgramData\Sophos\CloudInstaller\Logs
. -
Look for the line starting
Opening connection to
.There will be at least two entries. The first will look like one of these:
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
mcs.stn100yul.ctr.sophos.com
mcs2.stn100yul.ctr.sophos.com
The second will look like one of these:
dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com
api-cloudstation-us-east-2.prod.hydra.sophos.com
api.stn100yul.ctr.sophos.com
Add both the domains to your rules.
-
Add the following addresses:
t1.sophosupd.com
sus.sophosupd.com
sdds3.sophosupd.com
sdds3.sophosupd.net
sdu-auto-upload.sophosupd.com
sdu-feedback.sophos.com
sophosxl.net
4.sophosxl.net
samples.sophosxl.net
cloud.sophos.com
id.sophos.com
central.sophos.com
downloads.sophos.com
amazonaws.com
alert.hitmanpro.com
ssp.sophos.com
sdu-auto-upload.sophosupd.com
rca-upload-cloudstation-us-west-2.prod.hydra.sophos.com
rca-upload-cloudstation-us-east-2.prod.hydra.sophos.com
rca-upload-cloudstation-eu-west-1.prod.hydra.sophos.com
rca-upload-cloudstation-eu-central-1.prod.hydra.sophos.com
rca-upload.stn100bom.ctr.sophos.com
rca-upload.stn100yul.ctr.sophos.com
rca-upload.stn100hnd.ctr.sophos.com
rca-upload.stn100gru.ctr.sophos.com
rca-upload.stn100syd.ctr.sophos.com
-
Add the domains required for Sophos Management Communication System:
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs-cloudstation-us-east-2.prod.hydra.sophos.com
mcs-cloudstation-us-west-2.prod.hydra.sophos.com
mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
mcs.stn100syd.ctr.sophos.com
mcs.stn100yul.ctr.sophos.com
mcs.stn100hnd.ctr.sophos.com
mcs2.stn100syd.ctr.sophos.com
mcs2.stn100yul.ctr.sophos.com
mcs2.stn100hnd.ctr.sophos.com
mcs.stn100gru.ctr.sophos.com
mcs2.stn100gru.ctr.sophos.com
mcs.stn100bom.ctr.sophos.com
mcs2.stn100bom.ctr.sophos.com
mcs-push-server-eu-west-1.prod.hydra.sophos.com
mcs-push-server-eu-central-1.prod.hydra.sophos.com
mcs-push-server-us-west-2.prod.hydra.sophos.com
mcs-push-server-us-east-2.prod.hydra.sophos.com
mcs-push-server.stn100yul.ctr.sophos.com
mcs-push-server.stn100syd.ctr.sophos.com
mcs-push-server.stn100hnd.ctr.sophos.com
mcs-push-server.stn100gru.ctr.sophos.com
mcs-push-server.stn100bom.ctr.sophos.com
-
Add the domains required for the SophosLabs Intelix service:
us.analysis.sophos.com
apac.analysis.sophos.com
au.analysis.sophos.com
eu.analysis.sophos.com
-
Add these domains if your license includes XDR or MDR:
live-terminal-eu-west-1.prod.hydra.sophos.com
live-terminal-eu-central-1.prod.hydra.sophos.com
live-terminal-us-west-2.prod.hydra.sophos.com
live-terminal-us-east-2.prod.hydra.sophos.com
live-terminal.stn100yul.ctr.sophos.com
live-terminal.stn100syd.ctr.sophos.com
live-terminal.stn100hnd.ctr.sophos.com
live-terminal.stn100gru.ctr.sophos.com
live-terminal.stn100bom.ctr.sophos.com
-
You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall:
ocsp.globalsign.com
ocsp2.globalsign.com
crl.globalsign.com
crl.globalsign.net
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
On macOS devices, do as follows:
- Download and extract SophosInstall.zip. See Before you install on macOS.
- Open
SophosCloudConfig.plist
. You can find it in theSophosInstall/Sophos Installer Components
directory. - Look for the
RegistrationServerURL
key. The string that follows it contains a URL. Add this domain to your rules. -
Add the following addresses:
t1.sophosupd.com
sus.sophosupd.com
sdds3.sophosupd.com
sdds3.sophosupd.net
sdu-auto-upload.sophosupd.com
sdu-feedback.sophos.com
sophosxl.net
4.sophosxl.net
samples.sophosxl.net
cloud.sophos.com
id.sophos.com
central.sophos.com
downloads.sophos.com
amazonaws.com
ssp.sophos.com
sdu-auto-upload.sophosupd.com
rca-upload-cloudstation-us-west-2.prod.hydra.sophos.com
rca-upload-cloudstation-us-east-2.prod.hydra.sophos.com
rca-upload-cloudstation-eu-west-1.prod.hydra.sophos.com
rca-upload-cloudstation-eu-central-1.prod.hydra.sophos.com
rca-upload.stn100bom.ctr.sophos.com
rca-upload.stn100yul.ctr.sophos.com
rca-upload.stn100hnd.ctr.sophos.com
rca-upload.stn100gru.ctr.sophos.com
rca-upload.stn100syd.ctr.sophos.com
-
Add the domains required for Sophos Management Communication System:
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs-cloudstation-us-east-2.prod.hydra.sophos.com
mcs-cloudstation-us-west-2.prod.hydra.sophos.com
mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
mcs.stn100syd.ctr.sophos.com
mcs.stn100yul.ctr.sophos.com
mcs.stn100hnd.ctr.sophos.com
mcs2.stn100syd.ctr.sophos.com
mcs2.stn100yul.ctr.sophos.com
mcs2.stn100hnd.ctr.sophos.com
mcs.stn100gru.ctr.sophos.com
mcs2.stn100gru.ctr.sophos.com
mcs.stn100bom.ctr.sophos.com
mcs2.stn100bom.ctr.sophos.com
-
Add the domains required for the SophosLabs Intelix service:
us.analysis.sophos.com
apac.analysis.sophos.com
au.analysis.sophos.com
eu.analysis.sophos.com
-
You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall:
ocsp.globalsign.com
ocsp2.globalsign.com
crl.globalsign.com
crl.globalsign.net
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
On Linux devices, do as follows:
- Find
SophosSetup.sh
on your device. -
Run the following command to start the installer and print the output.
sudo bash -x ./SophosSetup.sh
-
Look for the following lines:
- line starting
+ CLOUD_URL=https://
- line starting
+ MCS_URL=https://
Add the domains from both lines to your rules.
- line starting
-
Add the following addresses:
t1.sophosupd.com
sus.sophosupd.com
sdds3.sophosupd.com
sdds3.sophosupd.net
sdu-feedback.sophos.com
sophosxl.net
4.sophosxl.net
samples.sophosxl.net
cloud.sophos.com
id.sophos.com
central.sophos.com
downloads.sophos.com
amazonaws.com
-
Add the domains required for Sophos Management Communication System:
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs-cloudstation-us-east-2.prod.hydra.sophos.com
mcs-cloudstation-us-west-2.prod.hydra.sophos.com
mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
mcs.stn100syd.ctr.sophos.com
mcs.stn100yul.ctr.sophos.com
mcs.stn100hnd.ctr.sophos.com
mcs2.stn100syd.ctr.sophos.com
mcs2.stn100yul.ctr.sophos.com
mcs2.stn100hnd.ctr.sophos.com
mcs.stn100gru.ctr.sophos.com
mcs2.stn100gru.ctr.sophos.com
mcs.stn100bom.ctr.sophos.com
mcs2.stn100bom.ctr.sophos.com
mcs-push-server-eu-west-1.prod.hydra.sophos.com
mcs-push-server-eu-central-1.prod.hydra.sophos.com
mcs-push-server-us-west-2.prod.hydra.sophos.com
mcs-push-server-us-east-2.prod.hydra.sophos.com
mcs-push-server.stn100yul.ctr.sophos.com
mcs-push-server.stn100syd.ctr.sophos.com
mcs-push-server.stn100hnd.ctr.sophos.com
mcs-push-server.stn100gru.ctr.sophos.com
mcs-push-server.stn100bom.ctr.sophos.com
-
Add the domains required for the SophosLabs Intelix service:
us.analysis.sophos.com
apac.analysis.sophos.com
au.analysis.sophos.com
eu.analysis.sophos.com
-
Add these domains if your license includes XDR or MDR:
live-terminal-eu-west-1.prod.hydra.sophos.com
live-terminal-eu-central-1.prod.hydra.sophos.com
live-terminal-us-west-2.prod.hydra.sophos.com
live-terminal-us-east-2.prod.hydra.sophos.com
live-terminal.stn100yul.ctr.sophos.com
live-terminal.stn100syd.ctr.sophos.com
live-terminal.stn100hnd.ctr.sophos.com
live-terminal.stn100gru.ctr.sophos.com
live-terminal.stn100bom.ctr.sophos.com
-
You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall:
ocsp.globalsign.com
ocsp2.globalsign.com
crl.globalsign.com
crl.globalsign.net
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
Note
Some firewalls or proxies show reverse lookups with *.amazonaws.com
addresses. This is expected as we use Amazon AWS to host several servers. You must add these URLs to your firewall or proxy.
Domains for TLS inspection
If you're using TLS inspection or have a firewall that uses application filtering, you must add these domains.
prod.endpointintel.darkbytes.io
kinesis.us-west-2.amazonaws.com
To confirm you need to add these domain exclusions, or to test that the exclusions are effective, check your DNS and your connectivity on a device.
Select the tab for your operating system.
On Windows, do as follows:
-
To check your DNS, open PowerShell and enter the following commands:
Resolve-DnsName -Name prod.endpointintel.darkbytes.io
Resolve-DnsName -Name kinesis.us-west-2.amazonaws.com
You should see a DNS response message from each domain.
-
To check your connectivity, enter the following command:
Invoke-WebRequest -uri https://prod.endpointintel.darkbytes.io
You should see the following response:
{message: "running..."}
.
On Linux and macOS, do as follows:
-
To check your DNS, enter the following commands:
host prod.endpointintel.darkbytes.io
host kinesis.us-west-2.amazonaws.com
You should see a DNS response message from each domain.
-
To check your connectivity, enter the following command:
`curl -v https://prod.endpointintel.darkbytes.io/`
You should see the following response:
{message: "running..."}
.
Sophos AD Sync
If you use Sophos AD Sync to keep your Sophos Central users list up to date with Active Directory, you must also allow the domains in this section.
Restriction
If your firewall doesn't allow wildcards you can't use Sophos AD Sync utility.
-
If you're using the Active Directory service, allow the following pre-signed s3 domains:
tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com
tf-presigned-url-eu-central-1-prod-*-bucket.s3.eu-central-1.amazonaws.com
tf-presigned-url-us-east-2-prod-*-bucket.s3.us-east-2.amazonaws.com
tf-presigned-url-us-west-2-prod-*-bucket.s3.us-west-2.amazonaws.com
tf-presigned-url-ca-central-1-prod-*-bucket.s3.ca-central-1.amazonaws.com
tf-presigned-url-ap-southeast-2-prod-*-bucket.s3.ap-southeast-2.amazonaws.com
tf-presigned-url-ap-northeast-1-prod-*-bucket.s3.ap-northeast-1.amazonaws.com
tf-presigned-url-ap-south-1-prod-*-bucket.s3.ap-south-1.amazonaws.com
tf-presigned-url-sa-east-1-prod-*-bucket.s3.sa-east-1.amazonaws.com
-
Allow the following wildcards:
*.s3.eu-west-1.amazonaws.com
*.s3.eu-central-1.amazonaws.com
*.s3.us-east-2.amazonaws.com
*.s3.us-west-2.amazonaws.com
*.s3.ca-central-1.amazonaws.com
*.s3.ap-southeast-2.amazonaws.com
*.s3.ap-northeast-1.amazonaws.com
*.s3.ap-south-1.amazonaws.com
*.s3.sa-east-1.amazonaws.com
When using wildcard FQDNs, make sure DNS requests go through your firewall. For more information, see Wildcard FQDN behavior.
Remote assistance
Sophos Central, Sophos Central Partner, and Sophos Central Enterprise let you give Sophos Support staff remote access so that they can troubleshoot problems.
For remote access to work, you need to allow the port and domain shown below.
- Port:
22 TCP
- Domain:
*.apu.sophos.com