Domains and ports
You must set up your firewall or proxy to allow these domains and ports.
This allows you to protect your devices and communicate between Sophos Central Admin and your managed endpoints.
Sophos Central Admin and Sophos Central Partner
If you're a partner managing accounts for customers, set up each customer's firewall or proxy to allow these domains or ports.
- central.sophos.com
- cloud-assets.sophos.com
- sophos.com
- downloads.sophos.com
- az416426.vo.msecnd.net
- dc.services.visualstudio.com
- *.cloudfront.net
You also must review the remaining sections and allow the appropriate domains and ports to cover your customers' licenses.
Endpoint domains
Use the following wildcards to cover the endpoint domains if your proxy or firewall supports wildcards.
- *.sophos.com
- *.sophosupd.com
- *.sophosupd.net
- *.sophosxl.net
- ocsp2.globalsign.com
- crl.globalsign.com
If your proxy or firewall doesn't support wildcards, you must enter the addresses manually.
You must identify the server address that Sophos Management Communication System uses to communicate with Sophos Central Admin securely.
To find it, do as follows:
- Open SophosCloudInstaller.log. You can find it in the following locations:
  Windows 2008 R2 and later: C:\Documents and Settings\All Users\Application Data\Sophos\CloudInstaller\Logs
  Windows 7 and later: C:\ProgramData\Sophos\CloudInstaller\Logs
- Look for the following lines:
  - line starting Model::server value changed to:
  - line starting Opening connection to
  They should have a value that looks like this: dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com.
You must add this address and the following addresses to your firewall or proxy allow list.
- dci.sophosupd.com
- d1.sophosupd.com
- d2.sophosupd.com
- d3.sophosupd.com
- dci.sophosupd.net
- d1.sophosupd.net
- d2.sophosupd.net
- d3.sophosupd.net
- t1.sophosupd.com
- sdu-feedback.sophos.com
- sophosxl.net
- 4.sophosxl.net
- samples.sophosxl.net
- ocsp.globalsign.com
- ocsp2.globalsign.com
- crl.globalsign.com
- crl.globalsign.net
- ocsp.digicert.com
- crl3.digicert.com
- crl4.digicert.com
- cloud.sophos.com
- id.sophos.com
- central.sophos.com
- hydra.sophos.com
- amazonaws.com
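The log lookup described above can be scripted when you need the server address from many endpoints. This is an added example, not Sophos code: it assumes the two marker strings may be preceded by a timestamp and that the address may appear bare, with a port, or as a URL. The sample log lines are constructed.

```python
import re
from pathlib import Path

# Markers named on this page. The text around them (timestamp prefix,
# URL scheme, port, path) is an assumption about the log layout.
MARKERS = ("Model::server value changed to:", "Opening connection to")

# A DNS hostname, optionally preceded by an http(s) scheme.
HOST_RE = re.compile(
    r"(?:https?://)?((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,})",
    re.IGNORECASE,
)


def find_mcs_servers(log_text):
    """Return the unique hostnames that follow either marker, in log order."""
    found = []
    for line in log_text.splitlines():
        for marker in MARKERS:
            _, sep, rest = line.partition(marker)
            if not sep:
                continue  # marker not on this line
            match = HOST_RE.search(rest)
            if match:
                host = match.group(1).lower()
                if host not in found:
                    found.append(host)
    return found


def find_mcs_servers_in_file(path):
    """Read SophosCloudInstaller.log from disk and extract the hostnames."""
    return find_mcs_servers(Path(path).read_text(errors="replace"))


# Constructed sample lines, not taken from a real installation.
SAMPLE_LOG = """\
2020-01-01T10:00:00Z INFO Model::server value changed to: https://dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com/example/path
2020-01-01T10:00:01Z INFO Opening connection to dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com:443
2020-01-01T10:00:02Z INFO Proxy detection finished
"""

if __name__ == "__main__":
    for host in find_mcs_servers(SAMPLE_LOG):
        print(host)
```

Each hostname it returns is a candidate for the allow list. Compare it with the example value shown above before adding it.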
Endpoint ports
You must add the following ports.
- 80 (HTTP)
- 443 (HTTPS)
AD Sync
If you're using the Active Directory service, you must add the following presigned S3 domains:
- tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com
- tf-presigned-url-eu-central-1-prod-*-bucket.s3.eu-central-1.amazonaws.com
- tf-presigned-url-us-east-2-prod-*-bucket.s3.us-east-2.amazonaws.com
- tf-presigned-url-us-west-2-prod-*-bucket.s3.us-west-2.amazonaws.com
Alternatively, you can add the following wildcards:
- *.s3.eu-west-1.amazonaws.com
- *.s3.eu-central-1.amazonaws.com
- *.s3.us-east-2.amazonaws.com
- *.s3.us-west-2.amazonaws.com
Intercept X Advanced with EDR
If you have an Intercept X Advanced with EDR license, you must add the following domains:
- tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.com
- tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
- tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
- tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
- live-terminal-eu-west-1.prod.hydra.sophos.com
- live-terminal-eu-central-1.prod.hydra.sophos.com
- live-terminal-us-west-2.prod.hydra.sophos.com
- live-terminal-us-east-2.prod.hydra.sophos.com
- mcs-push-server-eu-west-1.prod.hydra.sophos.com
- mcs-push-server-eu-central-1.prod.hydra.sophos.com
- mcs-push-server-us-west-2.prod.hydra.sophos.com
- mcs-push-server-us-east-2.prod.hydra.sophos.com
Intercept X Advanced with EDR and MTR
If you have an MTR license and are using TLS inspection or have a firewall that uses application filtering, you must add these domains:
- kinesis.us-west-2.amazonaws.com
- prod.endpointintel.darkbytes.io
To confirm you need to add those exclusions, or to test that the exclusions are effective, do as follows:
- On an endpoint, go to https://prod.endpointintel.darkbytes.io.
You should see a message like this:
{ message: "running..." }