This knowledge base article provides information on the domains and ports that are required for successful installation, registration and subsequent communication of a Sophos Central endpoint to the Sophos Central Admin, and vice versa.
Note: All features will route via the same proxy.
Applies to the following Sophos product(s) Central Mac Endpoint Central Sophos Anti-Virus for Linux Central Windows Endpoint Sophos Central Admin Sophos Central Managed Server
central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com
az416426.vo.msecnd.net
dc.services.visualstudio.com
*.cloudfront.net
*.sophos.com
The below wildcards should be used to cover these endpoint domains if your proxy and/or firewall supports it.
*.sophos.com *.sophosupd.com *.sophosupd.net *.sophosxl.net ocsp2.globalsign.com crl.globalsign.com
If your proxy or firewall does not support the use of wildcards, the listed addresses should be added manually.
Identify the server address that the Sophos Management Communication System uses to securely communicate with Sophos Central.
SophosCloudInstaller.log
C:\Documents and Settings\All Users\Application Data\Sophos\CloudInstaller\Logs
C:\ProgramData\Sophos\CloudInstaller\Logs
Model::server value changed to:
dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
Opening connection to api-cloudstation
api-cloudstation-eu-central-1.prod.hydra.sophos.com
dci.sophosupd.com
d1.sophosupd.com
d2.sophosupd.com
d3.sophosupd.com
dci.sophosupd.net
d1.sophosupd.net
d2.sophosupd.net
d3.sophosupd.net
t1.sophosupd.com
sophosxl.net
4.sophosxl.net
samples.sophosxl.net
ocsp.globalsign.com
ocsp2.globalsign.com
crl.globalsign.com
crl.globalsign.net
ocsp.digicert.com
crl3.digicert.com
crl4.digicert.com
Note: Some firewalls may display reverse lookups that may show *.amazonaws.com urls, which may cause concern as it is not a *.sophos.com url. This is an expected behavior and by design. An example is the url above: https://dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com. This url in particular has the IP 52.209.238.119. If this IP address is reversed looked up, it will return ec2-52-209-238-119.eu-west-1.compute.amazonaws.com.
*.amazonaws.com
*.sophos.com url
https://dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com.
52.209.238.119.
ec2-52-209-238-119.eu-west-1.compute.amazonaws.com.
For customers with an Intercept X Advanced with EDR license, the following domains are also required:
tf-edr-message-upload-eu-central-1-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-eu-west-1-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-us-east-2-prod-bucket.s3.amazonaws.com
tf-edr-message-upload-us-west-2-prod-bucket.s3.amazonaws.com
live-terminal-eu-west-1.prod.hydra.sophos.com
live-terminal-eu-central-1.prod.hydra.sophos.com
live-terminal-us-west-2.prod.hydra.sophos.com
live-terminal-us-east-2.prod.hydra.sophos.com
mcs-push-server-eu-west-1.prod.hydra.sophos.com
mcs-push-server-eu-central-1.prod.hydra.sophos.com
mcs-push-server-us-west-2.prod.hydra.sophos.com
mcs-push-server-us-east-2.prod.hydra.sophos.com
If a customer has the MTR feature and is performing TLS inspection or has a firewall that is doing application filtering, these domains are also required:
kinesis.us-west-2.amazonaws.com
prod.endpointintel.darkbytes.io
To confirm if they need to do those exclusions, or to test that the exclusions are effective, test by navigating to https://prod.endpointintel.darkbytes.io from an endpoint inside the environment. You should see a message like the following return:
https://prod.endpointintel.darkbytes.io
{ message: "running..." }
80 (HTTP)
443 (HTTPS)
Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.