Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=DNS-protection-add-a-location

Add a location (Workspace Protection EAP)

This page shows you how to add a location if you've joined the Workspace Protection early access program (EAP). If you haven't, see Add a location (legacy).

To add a location, you must select how you want to connect to DNS Protection from this location. You can use the secure DNS method, which redirects DNS traffic over HTTPS, or use the traditional DNS method, which redirects unencrypted DNS traffic to DNS Protection.

To add a location with secure DNS, turn on Secure DNS. DNS Protection will detect your current location's IP address.

To add a location with traditional DNS, turn Traditional DNS over IPv4 on and specify the external or public IP address, or FQDN used for traffic going to the internet. This may be the IP address of your firewall or router.

Note

You can add a maximum of 50 locations to DNS Protection.

To get step-by-step instructions, click the tab for your DNS connection method below.

This method redirects DNS traffic over HTTPS to DNS Protection. Use this for locations that can process secure DNS traffic.

Note

To use Sophos Endpoint with DNS Protection, you must select Secure DNS.

To add a location, do as follows:

  1. Go to My Products > DNS Protection > Locations.
  2. Click Add.

  3. Enter a name and description for the location.

    Note

    You can't use "Default" as the location name. It's reserved for use by DNS Protection.

  4. Under Connection method, turn Secure DNS on.

    The DNS over HTTPS URL is generated when you click Save.

    This is the secure DNS Protection URL. You may need it to configure your users' devices to use DNS Protection. If you're using Sophos Endpoint, it automatically configures your devices to use DNS Protection.

  5. Copy the IP addresses shown under IPv4 addresses.

    These are the DNS Protection IP addresses. You may need these IP addresses to configure your users' devices to use DNS Protection. If you're using Sophos Endpoint, it automatically configures your devices to use DNS Protection.

  6. Turn Traditional DNS over IPv4 on or off.

    If you want to include locations that can't process secure DNS traffic or if you're adding a firewall as a location, turn this option on and add the IP addresses of the location. For details, see the Traditional DNS over IPv4 tab.

  7. Click Save.

  8. Copy the DNS over HTTPS URL and click Close.

This method sends unencrypted DNS traffic to DNS Protection. Use this method for locations that can't process secure DNS traffic or if you're adding a firewall as a location.

To add a location, do as follows:

  1. Go to My Products > DNS Protection > Locations.
  2. Click Add.

  3. Enter a name and description for the location.

    Note

    You can't use "Default" as the location name. It's reserved for use by DNS Protection.

  4. Under Connection method, turn Traditional DNS over IPv4 on.

  5. In IPv4 addresses or FQDNs, you can add auto-detected IP addresses or manually add the public IP addresses or FQDNs of your location.

    Take one of the following steps:

    • Add auto-detected IP address: To add auto-detected IP addresses to your location, do as follows:

      1. Click Add known IPs.

        Sophos Central shows a list of suggested IP addresses, including your licensed firewalls' known public IP addresses and the IP address from which you're currently connecting to Sophos Central.

        Note

        Sophos Central only detects the IP addresses of the firewalls with an Xstream Protection license.

      2. If you're adding the IP address of your current location, under Your Current Location, select the IP address and click Add.

        If you're accessing Sophos Central through a VPN, Your Current Location shows the IP address of your VPN server, not the IP address of the network you're connected to.

      3. If you're adding Sophos Firewall as a location, under Your Firewalls, select the firewall's IP address and click Add.

        Your Firewalls shows the IP address the firewall is using to connect to Sophos Central. If your firewall has multiple WAN interfaces, we recommend you manually add any IP addresses that aren't auto-detected.

        Note

        DNS Protection doesn't automatically update your detected IP address if it changes in the future. If your IP address is likely to change, we recommend you set up a Dynamic DNS service and manually add the Dynamic DNS hostname to the location. See Dynamic DNS.

      4. Click Save.

    • Manually add IP addresses or FQDNs: To manually add IP addresses or FQDNs, do as follows:

      1. In IPv4 addresses or FQDNs, type in or paste the IPv4 addresses or FQDNs for the location.

        These must be external IP addresses of your network or gateway device. They're usually the IP addresses of your router's WAN interface.

        Note

        Don't enter internal IP addresses in ranges such as 10.x.x.x, 192.168.x.x, and 172.16.x.x.

        If you're adding Sophos Firewall as a location, depending on your firewall configuration, take one of the following actions:

        • If your firewall has a single WAN interface, add the WAN interface's IP address.
        • If your firewall has multiple WAN interfaces, add all of those IP addresses or add an IP address range.
        • If your firewall's IP address is dynamic, add the firewall's hostname that's registered with the Dynamic DNS (DDNS) provider. See Dynamic DNS.

        You can add multiple IP addresses or FQDNs. You can add a maximum of 100 items.

        Press Enter or Tab after you add each item, even if you're adding a single item. If you're copying and pasting, ensure the copied list has a line break between each item.

      2. Click the Copy icon Copy icon. to copy these IPv4 addresses or FQDNs and paste them elsewhere.

      3. Click Save.