Domains and ports to allow
You must set up your firewall or proxy to allow these domains and ports.
This lets you protect your devices and communicate between Sophos Central Admin and your managed devices.
Note
All features route traffic using the same proxy.
Some of the domains you need to allow are owned by Sophos Central Admin. Others aren't, but are needed for essential operations such as checking that installations work or recognizing certificates.
Amazon Web Service
Sophos is hosted globally on Amazon Web Service (AWS). Applying additional regional firewall rules as well as the required domains and ports listed below could prevent Sophos products from functioning correctly. This is because Amazon uses a range of of non-static IP addresses to provide AWS services.
For more information see the following:
Sophos Email Security domain information
This page has domain information for device protection. To find out which domains and IP addresses to use when configuring or repairing links from Sophos Email Security to external email services, see Email domain information.
Sophos Central Admin domains
You must allow these domains and ports through your firewalls and proxies for your protection to work correctly.
If you're a partner managing accounts for customers, you must do this for each customer's firewall or proxy.
central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com
Note
If your proxy or firewall supports wildcards, you can use the wildcard *.sophos.com
to cover these addresses.
Then enter the following non-Sophos addresses.
az416426.vo.msecnd.net
dc.services.visualstudio.com
*.cloudfront.net
You must also review the other sections in this page and allow the appropriate domains and ports for all your licenses.
If you're a partner managing accounts for customers, you must do this for each customer's firewall or proxy, matching each customer's licenses.
Sophos domains
If your proxy or firewall supports wildcards, add the following wildcards to cover these Sophos domains.
*.sophos.com
*.sophosupd.com
*.sophosupd.net
*.sophosxl.net
If your proxy or firewall doesn't support wildcards, you must identify the exact Sophos domains you need, then enter them manually.
You need to identify the server addresses that Sophos Management Communication System and the device installers use to communicate with Sophos Central Admin securely.
On Windows devices, do as follows:
- Open
SophosCloudInstaller.log
. You can find it inC:\ProgramData\Sophos\CloudInstaller\Logs
. -
Look for the following lines:
- line starting
Model::server value changed to:
- line starting
Opening connection to
There should be 2 values that look like one of each of the following examples:
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
mcs.stn100yul.ctr.sophos.com
mcs2.stn100yul.ctr.sophos.com
dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com
api-cloudstation-us-east-2.prod.hydra.sophos.com
api.stn100yul.ctr.sophos.com
- line starting
-
You must add this address and the following addresses to your firewall or proxy allow list.
dci.sophosupd.com
d1.sophosupd.com
d2.sophosupd.com
d3.sophosupd.com
dci.sophosupd.net
d1.sophosupd.net
d2.sophosupd.net
d3.sophosupd.net
t1.sophosupd.com
sus.sophosupd.com
sdds3.sophosupd.com
sdds3.sophosupd.net
sdu-feedback.sophos.com
sophosxl.net
4.sophosxl.net
samples.sophosxl.net
cloud.sophos.com
id.sophos.com
central.sophos.com
downloads.sophos.com
amazonaws.com
-
You must also add these addresses to your firewall or proxy allow list:
*.ctr.sophos.com
*.hydra.sophos.com
-
If you want to be more specific about the domains you allow for Sophos Management Communication System you can use the following domains.
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs-cloudstation-us-east-2.prod.hydra.sophos.com
mcs-cloudstation-us-west-2.prod.hydra.sophos.com
mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
mcs.stn100syd.ctr.sophos.com
mcs.stn100yul.ctr.sophos.com
mcs.stn100hnd.ctr.sophos.com
mcs2.stn100syd.ctr.sophos.com
mcs2.stn100yul.ctr.sophos.com
mcs2.stn100hnd.ctr.sophos.com
mcs.stn100gru.ctr.sophos.com
mcs2.stn100gru.ctr.sophos.com
mcs.stn100bom.ctr.sophos.com
mcs2.stn100bom.ctr.sophos.com
-
You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall.
ocsp.globalsign.com
ocsp2.globalsign.com
crl.globalsign.com
crl.globalsign.net
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
Note
Some firewalls or proxies show reverse lookups with *.amazonaws.com
addresses. This is expected as we use Amazon AWS to host several servers. You must add these URLs to your firewall or proxy.
Ports
-
You must add the following ports.
80 (HTTP)
443 (HTTPS)
Sophos AD Sync utility
Restriction
If your firewall doesn't allow wildcards you can't use Sophos AD Sync utility.
-
If you're using the Active Directory service, you must also add the following pre-signed s3 domains:
tf-presigned-url-eu-west-1-prod-*-bucket.s3.eu-west-1.amazonaws.com
tf-presigned-url-eu-central-1-prod-*-bucket.s3.eu-central-1.amazonaws.com
tf-presigned-url-us-east-2-prod-*-bucket.s3.us-east-2.amazonaws.com
tf-presigned-url-us-west-2-prod-*-bucket.s3.us-west-2.amazonaws.com
tf-presigned-url-ca-central-1-prod-*-bucket.s3.ca-central-1.amazonaws.com
tf-presigned-url-ap-southeast-2-prod-*-bucket.s3.ap-southeast-2.amazonaws.com
tf-presigned-url-ap-northeast-1-prod-*-bucket.s3.ap-northeast-1.amazonaws.com
tf-presigned-url-ap-south-1-prod-*-bucket.s3.ap-south-1.amazonaws.com
tf-presigned-url-sa-east-1-prod-*-bucket.s3.sa-east-1.amazonaws.com
-
Add the following wildcards:
*.s3.eu-west-1.amazonaws.com
*.s3.eu-central-1.amazonaws.com
*.s3.us-east-2.amazonaws.com
*.s3.us-west-2.amazonaws.com
*.s3.ca-central-1.amazonaws.com
*.s3.ap-southeast-2.amazonaws.com
*.s3.ap-northeast-1.amazonaws.com
*.s3.ap-south-1.amazonaws.com
*.s3.sa-east-1.amazonaws.com
Intercept X Advanced with XDR
Restriction
You can only allow the mcs-push-server
addresses by using a wildcard. If your firewall doesn't allow wildcards Live Response and Live Discover won't work.
If you have an Intercept X Advanced with XDR license or Intercept X Advanced for Server with XDR license, do as follows:
- Add the domains and ports listed in “Sophos domains” and “Ports” before adding the domains listed below.
-
Add the following domains:
live-terminal-eu-west-1.prod.hydra.sophos.com
live-terminal-eu-central-1.prod.hydra.sophos.com
live-terminal-us-west-2.prod.hydra.sophos.com
live-terminal-us-east-2.prod.hydra.sophos.com
live-terminal.stn100yul.ctr.sophos.com
live-terminal.stn100syd.ctr.sophos.com
live-terminal.stn100hnd.ctr.sophos.com
live-terminal.stn100gru.ctr.sophos.com
live-terminal.stn100bom.ctr.sophos.com
*.mcs-push-server-eu-west-1.prod.hydra.sophos.com
*.mcs-push-server-eu-central-1.prod.hydra.sophos.com
*.mcs-push-server-us-west-2.prod.hydra.sophos.com
*.mcs-push-server-us-east-2.prod.hydra.sophos.com
*.mcs-push-server.stn100yul.ctr.sophos.com
*.mcs-push-server.stn100syd.ctr.sophos.com
*.mcs-push-server.stn100hnd.ctr.sophos.com
*.mcs-push-server.stn100gru.ctr.sophos.com
*.mcs-push-server.stn100bom.ctr.sophos.com
Intercept X Advanced with XDR and Managed Detection and Response
You need to add these domains if you have one of the following licenses:
- Managed Detection and Response
- Managed Detection and Response Complete
- Managed Detection and Response Server
-
Managed Detection and Response Complete Server
-
Add the domains and ports listed in Sophos domains, Ports, and Intercept X Advanced with XDR before adding the domains listed in this section.
-
If you have an MDR license and are using TLS inspection or have a firewall that uses application filtering, you must also add these domains:
prod.endpointintel.darkbytes.io
kinesis.us-west-2.amazonaws.com
To confirm you need to add those exclusions, or to test that the exclusions are effective, you need to check your DNS and your connectivity on a device.
On Windows, do as follows:
-
To check your DNS, open PowerShell and enter the following commands:
`Resolve-DnsName -Name prod.endpointintel.darkbytes.io` `Resolve-DnsName -Name kinesis.us-west-2.amazonaws.com`
You should see a DNS response message from each domain.
-
To check your connectivity, enter the following command:
`Invoke-WebRequest -uri https://prod.endpointintel.darkbytes.io`
You should see the following response:
{message: "running..."}
.
On Linux, do as follows:
-
To check your DNS, enter the following commands:
`host prod.endpointintel.darkbytes.io` `Resolve-DnsName -Name kinesis.us-west-2.amazonaws.com`
You should see a DNS response message from each domain.
-
To check your connectivity, enter the following command:
`curl -v https://prod.endpointintel.darkbytes.io/`
You should see the following response:
{message: "running..."}
.