Domains and ports

Sophos Central Admin and Sophos Central Partner

If you're a partner managing accounts for customers, set up each customer's firewall or proxy to allow these domains or ports.

central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com
az416426.vo.msecnd.net
dc.services.visualstudio.com
*.cloudfront.net

Note You can use the wildcard *.sophos.com to cover all of these addresses if your firewall or proxy supports it.

You also must review the remaining sections and allow the appropriate domains and ports to cover your customers' licenses.

Endpoint domains

Use the following wildcards to cover the endpoint domains if your proxy or firewall support wildcards.

*.sophos.com
*.sophosupd.com
*.sophosupd.net
*.sophosxl.net
ocsp2.globalsign.com
crl.globalsign.com

If your proxy or firewall doesn't support wildcards, you must enter the addresses manually.

You must identify the server address that Sophos Management Communication System uses to communicate with Sophos Central Admin securely.

To find it, do as follows:

Open SophosCloudInstaller.log. You can find it in the following locations:
Windows 2008 R2 and later: C:\Documents and Settings\All Users\Application Data\Sophos\CloudInstaller\Logs
Windows 7 and later: C:\ProgramData\Sophos\CloudInstaller\Logs
Look for the following lines:
- line starting Model::server value changed to:
- line starting Opening connection to
They should have a value that looks like this dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com.

You must add this address and the following addresses to your firewall or proxy allow list.

dci.sophosupd.com
d1.sophosupd.com
d2.sophosupd.com
d3.sophosupd.com
dci.sophosupd.net
d1.sophosupd.net
d2.sophosupd.net
d3.sophosupd.net
t1.sophosupd.com
sdu-feedback.sophos.com
sophosxl.net
4.sophosxl.net
samples.sophosxl.net
ocsp.globalsign.com
ocsp2.globalsign.com
crl.globalsign.com
crl.globalsign.net
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
cloud.sophos.com
id.sophos.com
central.sophos.com
hydra.sophos.com
amazonaws.com
mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
mcs2-cloudstation-us-west-2.prod.hydra.sophos.com

Note Some firewalls may show reverse look ups that have *.amazonaws.com URLs. Don't worry that they aren't *.sophos.com URLs. This is the expected behavior. You must add the listed URL to the firewall.

Endpoint ports

You must add the following ports.

80 (HTTP)
443 (HTTPS)

AD Sync

If you're using the Active Directory service, you must also add the following presigned s3 domains:

tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com
tf-presigned-url-eu-central-1-prod-*-bucket.s3.eu-central-1.amazonaws.com
tf-presigned-url-us-east-2-prod-*-bucket.s3.us-east-2.amazonaws.com
tf-presigned-url-us-west-2-prod-*-bucket.s3.us-west-2.amazonaws.com

Alternatively, you can add the following wildcards:

*.s3.eu-west-1.amazonaws.com
*.s3.eu-central-1.amazonaws.com
*.s3.us-east-2.amazonaws.com
*.s3.us-west-2.amazonaws.com

Intercept X Advanced with EDR

Note Add the domains and ports listed in Endpoint domains and Endpoint ports before adding the domains listed below.

If you have an Intercept X Advanced with EDR license, you must also add the following domains:

tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
live-terminal-eu-west-1.prod.hydra.sophos.com
live-terminal-eu-central-1.prod.hydra.sophos.com
live-terminal-us-west-2.prod.hydra.sophos.com
live-terminal-us-east-2.prod.hydra.sophos.com
mcs-push-server-eu-west-1.prod.hydra.sophos.com
mcs-push-server-eu-central-1.prod.hydra.sophos.com
mcs-push-server-us-west-2.prod.hydra.sophos.com
mcs-push-server-us-east-2.prod.hydra.sophos.com

Intercept X Advanced with EDR and MTR

Note Add the domains and ports listed in Endpoint domains, Endpoint ports, and Intercept X Advanced with EDR before adding the domains listed in this section.

If you have a MTR license and are using TLS inspection or have a firewall that uses application filtering, you must also add these domains:

prod.endpointintel.darkbytes.io
kinesis.us-west-2.amazonaws.com

To confirm you need to add those exclusions, or to test that the exclusions are effective you need to check your DNS and your connectivity on an endpoint.

On Windows, do as follows:

To check your DNS, open PowerShell and enter the following commands:
```
Resolve-DnsName -Name prod.endpointintel.darkbytes.io
```
```
Resolve-DnsName -Name kinesis.us-west-2.amazonaws.com
```
You should see a DNS response message from each domain.
To check your connectivity, enter the following commands:
```
Invoke-WebRequest -uri https://prod.endpointintel.darkbytes.io
```
You should should see the following response: {message: "running..."}.
```
Invoke-WebRequest -uri https://kinesis.us-west-2.amazonaws.com/
```
You should see a response containing “Missing Authentication Token”.

On Linux, do as follows:

To check your DNS, enter the following commands:
```
host prod.endpointintel.darkbytes.io
```
```
host kinesis.us-west-2.amazonaws.com
```
You should see a DNS response message from each domain.
To check your connectivity, enter the following commands:
```
curl -v https://prod.endpointintel.darkbytes.io/
```
You should should see the following response: {message: "running..."}.
```
curl -v https://kinesis.us-west-2.amazonaws.com/
```
You should see a response containing “Missing Authentication Token”.