Skip to main content

Agent Firewall Allowlisting Rules

Valerie
  • Updated

Refer to this document for a list of addresses to optimize Automox agent functionality as well as addresses needed to patch Microsoft OS versions from Windows update.

Network and firewall requirements for running the Automox agent

If your organization has egress filtering on the firewall, you will need to allow access to the following hostnames / IP addresses for the Automox agent to communicate with the cloud platform. All agent communications take place over port 443 (https).

Agent access to the Automox platform, and some third-party patches:

  • api.automox.com

Agent access to content uploaded for use with Worklets and Required Software Policies:

  • automox-policy-files.s3.us-west-2.amazonaws.com

Note: The platform-IP addresses are subject to change. Add the hostnames to your list of trusted sites, if possible, or regularly check for the latest IPs assigned to the platform.

  • Recommended approach using URL:

    • Allow traffic on port 443 outbound to api.automox.com

    • Allow traffic on port 443 outbound to agent.automox.com

    • Allow traffic on port 80 outbound to *.digicert.com

    • Allow traffic on port 80 outbound to *.digicertcdn.com

    • Allow traffic on port 443 outbound to app.launchdarkly.com

    • Allow traffic on port 443 outbound to clientstream.launchdarkly.com

    • Allow traffic on port 443 outbound to events.launchdarkly.com

  • Additional recommendations for Automox Remote Control:

    • Allow traffic on port 7844 outbound to *.cfargotunnel.com

    • Allow traffic on port 7844 outbound to region1.v2.argotunnel.com

    • Allow traffic on port 7844 outbound to region2.v2.argotunnel.com

  • Alternative approach using IP addresses:

    • Check for current IP addresses by running the following command:
      nslookup api.automox.com

Proxy and Firewall Considerations

Windows

See Windows Update troubleshooting: Issues related to HTTP/Proxy

You might choose to apply a rule to permit HTTP RANGE requests for the following URLs:

*.download.windowsupdate.com

*.dl.delivery.mp.microsoft.com

*.delivery.mp.microsoft.com

Firewall

See Windows Update troubleshooting: Device cannot access update files

Protocol

Endpoint URL

TLS 1.2

*.prod.do.dsp.mp.microsoft.com

HTTP

emdl.ws.microsoft.com

HTTP

*.dl.delivery.mp.microsoft.com

HTTP

*.windowsupdate.com

HTTPS

*.delivery.mp.microsoft.com

TLS 1.2

*.update.microsoft.com

TLS 1.2

tsfe.trafficshaping.dsp.mp.microsoft.com

 

Note: Make sure to not use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.

Note: When leveraging split-tunneling with a VPN, make sure to include these endpoints in your list of sites with direct access to the internet.

The Automox Agent Notifier must be added to the Windows Defender Firewall Allowed Applications.

Microsoft Windows 10 Connection Points

Microsoft provides a complete list of connection points per Windows 10 feature version. Here is a link to the connection point document for Windows 10 version 20H2 (refer to the links on the left for other feature versions).

https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints

macOS

See Use Apple products on enterprise networks.

Related articles

Comments

0 comments

Article is closed for comments.