Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=protect-devices-domains-ports

Domains and ports to allow

You must set up your firewall or proxy to allow the domains and ports listed here. This lets you protect your devices and manage them from Sophos Central.

All features route traffic using the same proxy.

Some of the domains you need to allow are owned by Sophos Central Admin. Others aren't, but are needed for essential operations such as checking that installations work or recognizing certificates.

This page tells you which domains and ports you need for the following products:

  • Intercept X, XDR, or MDR. Use this section for your threat protection products.
  • Sophos AD Sync. Use this section too if you use Sophos AD Sync to keep your Sophos Central users list up to date.

If you're setting up Sophos Email Security, see Email domain information.

Recommendations

  • Don't use firewall regional rules. These could override your allowed list and prevent Sophos products from working. For example, a block on non-US regions could stop services that sometimes run through European regions. This can happen because our products are hosted on Amazon Web Service (AWS), which uses non-static IP addresses. See AWS IP address ranges and Amazon IP addresses.

  • Check whether you can use wildcards in your firewall or proxy rules. If you can't, there are some features you can't use.

Intercept X, XDR, or MDR

Follow these instructions if you have any of these licenses:

  • Intercept X Advanced
  • Intercept X Advanced for Server
  • Intercept X Advanced with XDR
  • Intercept X Advanced for Server with XDR
  • Managed Detection and Response
  • Managed Detection and Response Complete
  • Managed Detection and Response Server
  • Managed Detection and Response Complete Server

Ports

Allow this port:

  • 443 (HTTPS)

Domains

Allow the following domains. Ensure you complete all sections.

Sophos Central Admin domains

  1. Allow these Sophos domains:

    • central.sophos.com
    • cloud-assets.sophos.com
    • sophos.com
    • downloads.sophos.com

    If your proxy or firewall supports wildcards, you can use the wildcard *.sophos.com to cover these addresses.

  2. Allow the following non-Sophos addresses:

    • az416426.vo.msecnd.net
    • dc.services.visualstudio.com

Sophos domains

The domains you need to allow depend on whether your firewall or proxy supports wildcards.

Click the appropriate tab for details.

Allow the following wildcards to cover the Sophos domains:

  • *.sophos.com
  • *.sophosupd.com
  • *.sophosupd.net
  • *.sophosxl.net
  • *.analysis.sophos.com
  • *.ctr.sophos.com
  • *.hydra.sophos.com

Restriction

If your firewall doesn't allow wildcards, the XDR features Live Response and Live Discover won't work. That's because they require domains you can only allow by using a wildcard.

If your proxy or firewall doesn't support wildcards, you must manually add the exact domains you need.

Allow these Sophos domains:

  • central.sophos.com
  • cloud-assets.sophos.com
  • sophos.com
  • downloads.sophos.com

You also need to identify the server addresses that the Sophos management communication system and the device installers use to communicate with Sophos Central Admin securely. Click the tab corresponding to your device's operating system and follow the steps to identify and allow these addresses.

On Windows devices, do as follows:

  1. Open SophosCloudInstaller.log. You can find it in C:\ProgramData\Sophos\CloudInstaller\Logs.

  2. Look for the line starting Opening connection to.

    There will be at least two entries. The first will look like one of these:

    • dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
    • mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
    • mcs.stn100yul.ctr.sophos.com
    • mcs2.stn100yul.ctr.sophos.com

    The second will look like one of these:

    • dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com
    • api-cloudstation-us-east-2.prod.hydra.sophos.com
    • api.stn100yul.ctr.sophos.com

    Add both the domains to your rules.

  3. Add the following addresses:

    • dci.sophosupd.com
    • d1.sophosupd.com
    • d2.sophosupd.com
    • d3.sophosupd.com
    • dci.sophosupd.net
    • d1.sophosupd.net
    • d2.sophosupd.net
    • d3.sophosupd.net
    • t1.sophosupd.com
    • sus.sophosupd.com
    • sdds3.sophosupd.com
    • sdds3.sophosupd.net
    • sdu-feedback.sophos.com
    • sophosxl.net
    • 4.sophosxl.net
    • samples.sophosxl.net
    • cloud.sophos.com
    • id.sophos.com
    • central.sophos.com
    • downloads.sophos.com
    • amazonaws.com

  4. Add the domains required for Sophos Management Communication System:

    • dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
    • dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
    • mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
    • mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
    • mcs-cloudstation-us-east-2.prod.hydra.sophos.com
    • mcs-cloudstation-us-west-2.prod.hydra.sophos.com
    • mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
    • mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
    • mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
    • mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
    • mcs.stn100syd.ctr.sophos.com
    • mcs.stn100yul.ctr.sophos.com
    • mcs.stn100hnd.ctr.sophos.com
    • mcs2.stn100syd.ctr.sophos.com
    • mcs2.stn100yul.ctr.sophos.com
    • mcs2.stn100hnd.ctr.sophos.com
    • mcs.stn100gru.ctr.sophos.com
    • mcs2.stn100gru.ctr.sophos.com
    • mcs.stn100bom.ctr.sophos.com
    • mcs2.stn100bom.ctr.sophos.com

  5. Add the domains required for the SophosLabs Intelix service:

    • us.analysis.sophos.com
    • apac.analysis.sophos.com
    • au.analysis.sophos.com
    • eu.analysis.sophos.com

  6. You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall:

    • ocsp.globalsign.com
    • ocsp2.globalsign.com
    • crl.globalsign.com
    • crl.globalsign.net
    • ocsp.digicert.com
    • crl3.digicert.com
    • crl4.digicert.com

On Linux devices, do as follows:

  1. Find SophosSetup.sh on your device.

  2. Run the following command to start the installer and print the output.

    sudo bash -x ./SophosSetup.sh

  3. Look for the following lines:

    • line starting + CLOUD_URL=https://
    • line starting + MCS_URL=https://

    Add the domains from both lines to your rules.

  4. Add the following addresses:

    • dci.sophosupd.com
    • d1.sophosupd.com
    • d2.sophosupd.com
    • d3.sophosupd.com
    • dci.sophosupd.net
    • d1.sophosupd.net
    • d2.sophosupd.net
    • d3.sophosupd.net
    • t1.sophosupd.com
    • sus.sophosupd.com
    • sdds3.sophosupd.com
    • sdds3.sophosupd.net
    • sdu-feedback.sophos.com
    • sophosxl.net
    • 4.sophosxl.net
    • samples.sophosxl.net
    • cloud.sophos.com
    • id.sophos.com
    • central.sophos.com
    • downloads.sophos.com
    • amazonaws.com

  5. Add the domains required for Sophos Management Communication System:

    • dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
    • dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
    • mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
    • mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
    • mcs-cloudstation-us-east-2.prod.hydra.sophos.com
    • mcs-cloudstation-us-west-2.prod.hydra.sophos.com
    • mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
    • mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
    • mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
    • mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
    • mcs.stn100syd.ctr.sophos.com
    • mcs.stn100yul.ctr.sophos.com
    • mcs.stn100hnd.ctr.sophos.com
    • mcs2.stn100syd.ctr.sophos.com
    • mcs2.stn100yul.ctr.sophos.com
    • mcs2.stn100hnd.ctr.sophos.com
    • mcs.stn100gru.ctr.sophos.com
    • mcs2.stn100gru.ctr.sophos.com
    • mcs.stn100bom.ctr.sophos.com
    • mcs2.stn100bom.ctr.sophos.com

  6. Add the domains required for the SophosLabs Intelix service:

    • us.analysis.sophos.com
    • apac.analysis.sophos.com
    • au.analysis.sophos.com
    • eu.analysis.sophos.com

  7. You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall:

    • ocsp.globalsign.com
    • ocsp2.globalsign.com
    • crl.globalsign.com
    • crl.globalsign.net
    • ocsp.digicert.com
    • crl3.digicert.com
    • crl4.digicert.com

Note

Some firewalls or proxies show reverse lookups with *.amazonaws.com addresses. This is expected as we use Amazon AWS to host several servers. You must add these URLs to your firewall or proxy.

Domains for XDR

Allow these domains if your license includes XDR:

  • live-terminal-eu-west-1.prod.hydra.sophos.com
  • live-terminal-eu-central-1.prod.hydra.sophos.com
  • live-terminal-us-west-2.prod.hydra.sophos.com
  • live-terminal-us-east-2.prod.hydra.sophos.com
  • live-terminal.stn100yul.ctr.sophos.com
  • live-terminal.stn100syd.ctr.sophos.com
  • live-terminal.stn100hnd.ctr.sophos.com
  • live-terminal.stn100gru.ctr.sophos.com
  • live-terminal.stn100bom.ctr.sophos.com

Domains for MDR

Allow these domains if your license includes MDR.

If you're using TLS inspection or have a firewall that uses application filtering, you must add these domains:

  • prod.endpointintel.darkbytes.io
  • kinesis.us-west-2.amazonaws.com

To confirm you need to add these domain exclusions, or to test that the exclusions are effective, check your DNS and your connectivity on a device.

Select the tab for your operating system.

On Windows, do as follows:

  1. To check your DNS, open PowerShell and enter the following commands:

    Resolve-DnsName -Name prod.endpointintel.darkbytes.io

    Resolve-DnsName -Name kinesis.us-west-2.amazonaws.com

    You should see a DNS response message from each domain.

  2. To check your connectivity, enter the following command:

    Invoke-WebRequest -uri https://prod.endpointintel.darkbytes.io

    You should see the following response: {message: "running..."}.

On Linux, do as follows:

  1. To check your DNS, enter the following commands:

    host prod.endpointintel.darkbytes.io

    host kinesis.us-west-2.amazonaws.com

    You should see a DNS response message from each domain.

  2. To check your connectivity, enter the following command:

    `curl -v https://prod.endpointintel.darkbytes.io/`

    You should see the following response: {message: "running..."}.

Sophos AD Sync

If you use Sophos AD Sync to keep your Sophos Central users list up to date with Active Directory, you must also allow the domains in this section.

Restriction

If your firewall doesn't allow wildcards you can't use Sophos AD Sync utility.

  1. If you're using the Active Directory service, allow the following pre-signed s3 domains:

    • tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com
    • tf-presigned-url-eu-central-1-prod-*-bucket.s3.eu-central-1.amazonaws.com
    • tf-presigned-url-us-east-2-prod-*-bucket.s3.us-east-2.amazonaws.com
    • tf-presigned-url-us-west-2-prod-*-bucket.s3.us-west-2.amazonaws.com
    • tf-presigned-url-ca-central-1-prod-*-bucket.s3.ca-central-1.amazonaws.com
    • tf-presigned-url-ap-southeast-2-prod-*-bucket.s3.ap-southeast-2.amazonaws.com
    • tf-presigned-url-ap-northeast-1-prod-*-bucket.s3.ap-northeast-1.amazonaws.com
    • tf-presigned-url-ap-south-1-prod-*-bucket.s3.ap-south-1.amazonaws.com
    • tf-presigned-url-sa-east-1-prod-*-bucket.s3.sa-east-1.amazonaws.com

  2. Allow the following wildcards:

    • *.s3.eu-west-1.amazonaws.com
    • *.s3.eu-central-1.amazonaws.com
    • *.s3.us-east-2.amazonaws.com
    • *.s3.us-west-2.amazonaws.com
    • *.s3.ca-central-1.amazonaws.com
    • *.s3.ap-southeast-2.amazonaws.com
    • *.s3.ap-northeast-1.amazonaws.com
    • *.s3.ap-south-1.amazonaws.com
    • *.s3.sa-east-1.amazonaws.com