Phish Threat - White list question

Question

The IP addresses that are listed - according to the video tutorial - are supposed to be added to the firewall. 
 Is this the MSP's firewall or the client's firewall? 
 And if it is the latter, then does this have to be done at every client/customer site?

byron · Answer

Hi Larry, 
 It would be the client side where our IPs and Domains for Phish Threat will need to be white-listed as the simulation emails are coming from us not the MSP. So to allow your phishing emails through to a recipient, i.e John.Smith@exampledomain.com, Johns company would need to white-list our IPs and Domains across all firewalls/gateways that email passes through, including any spam filters so that the phishing emails get through to him. Obviously if you're an MSP and you manage Johns network for him, you'd complete this work. Then you'd have to do that for every customer that you support and wish to send out phishing emails to. Bit of leg work to begin with but after the IPs and Domains are allowed through, you can pretend to phish them and start gathering data on how well each employee does. 
 Details on which IP and Domains are used by Sophos Phish Threat can be found under 'Settings' > 'Domain List' while logged into the Phish threat portal. 
 Best Regards, 
 Byron

byron · Answer

Hey Larry, 
 With regards to trials then yes, it's over to the customer or their MSP to correctly configure the environment so they can receive these types of email. 
 Your mileage is going to vary when you ask prospects to set this up. For some, it's an easy task to allow xyz through their network and for others they may have to jump through some corporate hoops. 
 It's important to note that when using a trial Phish Threat account, you can only send emails to the domain that was used to sign up for the account. For example, if I sign up using John.Smith@sophos.com, I can only send out phishing emails to employees with a @sophos.com domain. Regards, 
 Byron