Domains and ports to allow

You must set up your firewall or proxy to allow these domains and ports.

This lets you protect your devices and communicate between Sophos Central Admin and your managed devices.

Note All features route traffic using the same proxy.

Some of the domains you need to allow are owned by Sophos Central Admin. Others aren't, but are needed for essential operations such as checking that installations work or recognizing certificates.

Sophos Central Admin domains

You must allow these domains and ports through your firewalls and proxies for your protection to work correctly.

If you're a partner managing accounts for customers, you must do this for each customer's firewall or proxy.

central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com

Note If your proxy or firewall supports wildcards, you can use the wildcard *.sophos.com to cover these addresses.

Then enter the following non-Sophos addresses.

az416426.vo.msecnd.net
dc.services.visualstudio.com
*.cloudfront.net

You must also review the other sections in this page and allow the appropriate domains and ports for all your licenses.

If you're a partner managing accounts for customers, you must do this for each customer's firewall or proxy, matching each customer's licenses.

Sophos domains

If your proxy or firewall supports wildcards, add the following wildcards to cover these Sophos domains.

*.sophos.com
*.sophosupd.com
*.sophosupd.net
*.sophosxl.net

If your proxy or firewall doesn't support wildcards, you must identify the exact Sophos domains you need, then enter them manually.

You need to identify the server address that Sophos Management Communication System uses to communicate with Sophos Central Admin securely.

On Windows devices, do as follows:

Open SophosCloudInstaller.log. You can find it in C:\ProgramData\Sophos\CloudInstaller\Logs.
Look for the following lines:
- line starting Model::server value changed to:
- line starting Opening connection to
They should have a value that looks like one of the following:
- dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
- mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs.stn100yul.ctr.sophos.com
- mcs2.stn100yul.ctr.sophos.com
You must add this address and the following addresses to your firewall or proxy allow list.
- dci.sophosupd.com
- d1.sophosupd.com
- d2.sophosupd.com
- d3.sophosupd.com
- dci.sophosupd.net
- d1.sophosupd.net
- d2.sophosupd.net
- d3.sophosupd.net
- t1.sophosupd.com
- sus.sophosupd.com
- sus.sophosupd.net
- sdds3.sophosupd.com
- sdds3.sophosupd.net
- sdu-feedback.sophos.com
- sophosxl.net
- 4.sophosxl.net
- samples.sophosxl.net
- cloud.sophos.com
- id.sophos.com
- central.sophos.com
- downloads.sophos.com
- amazonaws.com
You must also add these addresses to your firewall or proxy allow list:
- *.ctr.sophos.com
- *.hydra.sophos.com
If you want to be more specific about the domains you allow for Sophos Management Communication System you can use the following domains.
- dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
- dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
- mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
- mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
- mcs-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs-cloudstation-us-west-2.prod.hydra.sophos.com
- mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
- mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
- mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
- mcs.stn100syd.ctr.sophos.com
- mcs.stn100yul.ctr.sophos.com
- mcs.stn100hnd.ctr.sophos.com
- mcs2.stn100syd.ctr.sophos.com
- mcs2.stn100yul.ctr.sophos.com
- mcs2.stn100hnd.ctr.sophos.com
You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall.
- ocsp.globalsign.com
- ocsp2.globalsign.com
- crl.globalsign.com
- crl.globalsign.net
- ocsp.digicert.com
- crl3.digicert.com
- crl4.digicert.com

Note Some firewalls or proxies show reverse lookups with *.amazonaws.com addresses. This is expected as we use Amazon AWS to host several servers. You must add these URLs to your firewall or proxy.

Ports

You must add the following ports.
- 80 (HTTP)
- 443 (HTTPS)

Sophos AD Sync utility

Restriction If your firewall doesn't allow wildcards you can't use Sophos AD Sync utility.

If you're using the Active Directory service, you must also add the following pre-signed s3 domains:
- tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com
- tf-presigned-url-eu-central-1-prod-*-bucket.s3.eu-central-1.amazonaws.com
- tf-presigned-url-us-east-2-prod-*-bucket.s3.us-east-2.amazonaws.com
- tf-presigned-url-us-west-2-prod-*-bucket.s3.us-west-2.amazonaws.com
- tf-presigned-url-ca-central-1-prod-*-bucket.s3.ca-central-1.amazonaws.com
- tf-presigned-url-ap-southeast-2-prod-*-bucket.s3.ap-southeast-2.amazonaws.com
- tf-presigned-url-ap-northeast-1-prod-*-bucket.s3.ap-northeast-1.amazonaws.com
Add the following wildcards:
- *.s3.eu-west-1.amazonaws.com
- *.s3.eu-central-1.amazonaws.com
- *.s3.us-east-2.amazonaws.com
- *.s3.us-west-2.amazonaws.com
- *.s3.ca-central-1.amazonaws.com
- *.s3.ap-southeast-2.amazonaws.com
- *.s3.ap-northeast-1.amazonaws.com

Intercept X Advanced with XDR

Restriction You can only allow the mcs-push-server addresses by using a wildcard. If your firewall doesn't allow wildcards Live Response and Live Discover won't work.

If you have an Intercept X Advanced with XDR license or Intercept X Advanced for Server with XDR license, do as follows:

Add the domains and ports listed in Sophos domains and Ports before adding the domains listed below.
Add the following domains:
- live-terminal-eu-west-1.prod.hydra.sophos.com
- live-terminal-eu-central-1.prod.hydra.sophos.com
- live-terminal-us-west-2.prod.hydra.sophos.com
- live-terminal-us-east-2.prod.hydra.sophos.com
- live-terminal.stn100yul.ctr.sophos.com
- live-terminal.stn100syd.ctr.sophos.com
- live-terminal.stn100hnd.ctr.sophos.com
- *.mcs-push-server-eu-west-1.prod.hydra.sophos.com
- *.mcs-push-server-eu-central-1.prod.hydra.sophos.com
- *.mcs-push-server-us-west-2.prod.hydra.sophos.com
- *.mcs-push-server-us-east-2.prod.hydra.sophos.com
- *.mcs-push-server.stn100yul.ctr.sophos.com
- *.mcs-push-server.stn100syd.ctr.sophos.com
- *.mcs-push-server.stn100hnd.ctr.sophos.com

Intercept X Advanced with XDR and MTR Standard

You need to add these domains if you have one of the following licenses:

Intercept X Advanced with XDR and MTR Standard
Intercept X Advanced with XDR and MTR Advanced
Intercept X Advanced for Server with XDR and MTR Standard
Intercept X Advanced for Server with XDR and MTR Advanced
Managed Threat Detection
Managed Threat Detection for Server

Add the domains and ports listed in Sophos domains, Ports, and Intercept X Advanced with XDR before adding the domains listed in this section.
If you have an MTR license and are using TLS inspection or have a firewall that uses application filtering, you must also add this domain:
- prod.endpointintel.darkbytes.io

To confirm you need to add those exclusions, or to test that the exclusions are effective, you need to check your DNS and your connectivity on a device.

On Windows, do as follows:

To check your DNS, open PowerShell and enter the following command:
```
Resolve-DnsName -Name prod.endpointintel.darkbytes.io
```
You should see a DNS response message from the domain.
To check your connectivity, enter the following command:
```
Invoke-WebRequest -uri https://prod.endpointintel.darkbytes.io
```
You should see the following response: {message: "running..."}.

On Linux, do as follows:

To check your DNS, enter the following command:
```
host prod.endpointintel.darkbytes.io
```
You should see a DNS response message from the domain.
To check your connectivity, enter the following command:
```
curl -v https://prod.endpointintel.darkbytes.io/
```
You should see the following response: {message: "running..."}.

Last updated: September 13, 2021.