If you have Sophos Firewall, you don't need to follow the steps here. All the domains and ports required for use of Sophos Central are allowed by default.
If you use a non-Sophos firewall or proxy, make sure that it allows the domains and ports listed here. This lets you protect your devices and manage them from Sophos Central.
All features route traffic using the same proxy.
Some of the domains you need to allow are owned by Sophos Central Admin. Others aren't, but are needed for essential operations such as checking that installations work or recognizing certificates.
This page tells you which domains and ports you need for the following products:
Don't use firewall regional rules. These could override your allowed list and prevent Sophos products from working. For example, a block on non-US regions could stop services that sometimes run through European regions. This can happen because our products are hosted on Amazon Web Service (AWS), which uses non-static IP addresses. See AWS IP address ranges and Amazon IP addresses.
Check whether you can use wildcards in your firewall or proxy rules. If you can't, there are some features you can't use.
Intercept X, XDR, or MDR
Follow these instructions if you have any of these licenses:
Intercept X Advanced
Intercept X Advanced for Server
Intercept X Advanced with XDR
Intercept X Advanced for Server with XDR
Managed Detection and Response Essentials
Managed Detection and Response Complete
Managed Detection and Response Essentials Server
Managed Detection and Response Complete Server
Ports
Allow this port:
443 (HTTPS)
Domains
Allow the following domains. Ensure you complete all sections.
Sophos Central Admin domains
Allow these Sophos domains:
central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com
If your proxy or firewall supports wildcards, you can use the wildcard *.sophos.com to cover these addresses.
Allow the following non-Sophos addresses:
az416426.vo.msecnd.net
dc.services.visualstudio.com
Sophos domains
The domains you need to allow depend on whether your firewall or proxy supports wildcards.
Click the appropriate tab for details.
Allow the following wildcards to cover the Sophos domains:
*.sophos.com
*.sophosxl.com
*.sophosxl.net
*.sophosupd.com
*.sophosupd.net
*.darkbytes.com
*.darkbytes.io
*.hitmanpro.com
You may need to allow access to the following Certificate Authority sites if your firewall doesn't already allow them:
*.globalsign.com
*.globalsign.net
*.digicert.com
Note
Some firewalls or proxies show reverse lookups with *.amazonaws.com addresses. This is expected as we use Amazon AWS to host several servers. You must add these URLs to your firewall or proxy.
Domains for TLS inspection
If you're using TLS inspection or have a firewall that uses application filtering, you must add these domains.
prod.endpointintel.darkbytes.io
kinesis.us-west-2.amazonaws.com
To confirm you need to add these domain exclusions, or to test that the exclusions are effective, check your DNS and your connectivity on a device.
Select the tab for your operating system.
On Windows, do as follows:
To check your DNS, open PowerShell and enter the following commands:
If you have Sophos Firewall, you don't need to follow the steps here. All the domains and ports required for use of Sophos Central are allowed by default.
If you use a non-Sophos firewall or proxy, make sure that it allows the domains and ports listed here. This lets you protect your devices and manage them from Sophos Central.
All features route traffic using the same proxy.
Some of the domains you need to allow are owned by Sophos Central Admin. Others aren't, but are needed for essential operations such as checking that installations work or recognizing certificates.
This page tells you which domains and ports you need for the following products:
Don't use firewall regional rules. These could override your allowed list and prevent Sophos products from working. For example, a block on non-US regions could stop services that sometimes run through European regions. This can happen because our products are hosted on Amazon Web Service (AWS), which uses non-static IP addresses. See AWS IP address ranges and Amazon IP addresses.
Check whether you can use wildcards in your firewall or proxy rules. If you can't, there are some features you can't use.
Intercept X, XDR, or MDR
Follow these instructions if you have any of these licenses:
Intercept X Advanced
Intercept X Advanced for Server
Intercept X Advanced with XDR
Intercept X Advanced for Server with XDR
Managed Detection and Response Essentials
Managed Detection and Response Complete
Managed Detection and Response Essentials Server
Managed Detection and Response Complete Server
Ports
Allow this port:
443 (HTTPS)
Domains
Allow the following domains. Ensure you complete all sections.
Sophos Central Admin domains
Allow these Sophos domains:
central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com
If your proxy or firewall supports wildcards, you can use the wildcard *.sophos.com to cover these addresses.
Allow the following non-Sophos addresses:
az416426.vo.msecnd.net
dc.services.visualstudio.com
Sophos domains
The domains you need to allow depend on whether your firewall or proxy supports wildcards.
Click the appropriate tab for details.
Allow the following wildcards to cover the Sophos domains:
*.sophos.com
*.sophosxl.com
*.sophosxl.net
*.sophosupd.com
*.sophosupd.net
*.darkbytes.com
*.darkbytes.io
*.hitmanpro.com
You may need to allow access to the following Certificate Authority sites if your firewall doesn't already allow them:
*.globalsign.com
*.globalsign.net
*.digicert.com
Note
Some firewalls or proxies show reverse lookups with *.amazonaws.com addresses. This is expected as we use Amazon AWS to host several servers. You must add these URLs to your firewall or proxy.
Domains for TLS inspection
If you're using TLS inspection or have a firewall that uses application filtering, you must add these domains.
prod.endpointintel.darkbytes.io
kinesis.us-west-2.amazonaws.com
To confirm you need to add these domain exclusions, or to test that the exclusions are effective, check your DNS and your connectivity on a device.
Select the tab for your operating system.
On Windows, do as follows:
To check your DNS, open PowerShell and enter the following commands:
When using wildcard FQDNs, make sure DNS requests go through your firewall. For more information, see Wildcard FQDN behavior.
Sophos Assistant
Sophos Assistant is a feature in Sophos Central and other Sophos products that helps you complete tasks and find information quickly.
Sophos Assistant is hosted in Whatfix. For the feature to work, you must allow Whatfix domains.
If your data center is outside the EU (European Union), allow these URLs:
https://cdn.whatfix.com/prod/*
https://whatfix.com/service/*
If your data center is in the EU (European Union), allow these URLs:
https://eucdn.whatfix.com/prod/*
https://eu.whatfix.com/service/*
x
Cookie-Zustimmung verwalten
Unser Webseiten Template mit den darin inkludierten Plugins verwendet Cookies. Sie stimmen der Nutzung von Cookies und unseren Datenschutzbestimmungen zu.
Funktional
Immer aktiv
Die technische Speicherung oder der Zugang ist unbedingt erforderlich für den rechtmäßigen Zweck, die Nutzung eines bestimmten Dienstes zu ermöglichen, der vom Teilnehmer oder Nutzer ausdrücklich gewünscht wird, oder für den alleinigen Zweck, die Übertragung einer Nachricht über ein elektronisches Kommunikationsnetz durchzuführen.
Vorlieben
Die technische Speicherung oder der Zugriff ist für den rechtmäßigen Zweck der Speicherung von Präferenzen erforderlich, die nicht vom Abonnenten oder Benutzer angefordert wurden.
Statistiken
Die technische Speicherung oder der Zugriff, der ausschließlich zu statistischen Zwecken erfolgt.Die technische Speicherung oder der Zugriff, der ausschließlich zu anonymen statistischen Zwecken verwendet wird. Ohne eine Vorladung, die freiwillige Zustimmung deines Internetdienstanbieters oder zusätzliche Aufzeichnungen von Dritten können die zu diesem Zweck gespeicherten oder abgerufenen Informationen allein in der Regel nicht dazu verwendet werden, dich zu identifizieren.
Marketing
Die technische Speicherung oder der Zugriff ist erforderlich, um Nutzerprofile zu erstellen, um Werbung zu versenden oder um den Nutzer auf einer Website oder über mehrere Websites hinweg zu ähnlichen Marketingzwecken zu verfolgen.
