
Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?


  • Carbon Black Cloud (Formerly PSC) Console: All Versions
  • Endpoint Standard (Formerly CB Defense) Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Versions


What ports must be opened on the Firewall or Proxy servers to allow the sensor to communicate with the various Carbon Black Cloud services?


Configure the firewall or proxy to allow outgoing and incoming connections to the following Service URL/Hostnames, Protocols, and Ports, as determined by your Carbon Black Cloud Console URL or configuration.

Allow Access to all Services

| CB Service URL/Hostname | CB IP Address | Protocol and Port | Description |
|---|---|---|---|
| | * | TCP/80 | Online Certificate Status Protocol (OCSP) |
| | * | TCP/80 | Certificate Revocation List (CRL) |

Allow Access to Device Services Based on Carbon Black Cloud Console URL (It is not necessary to add all of the services below. Only add the Device Services which are associated with the environment in use. For example, if the org is hosted in then only needs to be allowed.)

| Carbon Black Cloud Console URL | CB Service URL/Hostname | CB IP Address | Protocol and Port | Description |
|---|---|---|---|---|
| | | * | TCP/443 (default port), TCP/54443 (backup port) | Device Services |
| | | * | TCP/443 (default port), TCP/54443 (backup port) | Device Services |
| | | * | TCP/443 (default port), TCP/54443 (backup port) | Device Services |
| | | * | TCP/443 (default port), TCP/54443 (backup port) | Device Services |
| | | * | TCP/443 (default port), TCP/54443 (backup port) | Device Services |

Allow Access if Local Scanner is enabled in the Carbon Black Cloud Console

| CB Service URL/Hostname | CB IP Address | Protocol and Port | Description |
|---|---|---|---|
| updates2.cdc.carbonblack.io | Dynamic* | TCP/80 | Default Definition Update Server** |
| updates2.cdc.carbonblack.io | Dynamic* | TCP/443 | Default Definition Update Server for 3.3+ Sensors** |

Required for sensors 3.6 and higher

| CB Service URL/Hostname | CB IP Address | Protocol and Port | Description |
|---|---|---|---|
| content.carbonblack.io | Dynamic* | TCP/443 | Content management system |

Workload Appliance

| CB Service URL/Hostname | IP Address | Protocol and Port | Description |
|---|---|---|---|
| | | | Appliance logging and upgrades |
| Host vCenter | Customer Set | TCP/443 | Communication with vCenter |
| Carbon Black Cloud Console URL (See 2nd table above) | Dynamic* | TCP/443 | Communication with Carbon Black Cloud |

* The current implementation of the Carbon Black Cloud service uses dynamically managed load balancers to provide the best possible levels of scalability, reliability, and performance, so the VMware Carbon Black Cloud Services hostname will resolve to several possible IP addresses, which will likewise change dynamically. See "Cb Defense: What’s the static IP address or hostname used by Cb Defense?" for details.
** The default signature update URL was permanently updated in August 2019 as part of "Endpoint Standard: Signature Pack Version Has Not Updated Since August 1, 2019".

Additional Notes

  • The Device Services allows the sensor to upload the latest events from the endpoint, look up a reputation of a new file or receive a configuration change from the Carbon Black Cloud Backend.
  • If the sensor cannot establish connectivity to the Device Services URL over the standard SSL port TCP/443, it will fail over to the alternate port, TCP/54443.
  • The Endpoint Standard Sensor relies on the Operating System for dynamic proxy detection. If proxy authentication is required, the user may be prompted for credentials if proxy exceptions are not made for the Carbon Black Cloud Services.
  • If "Submit unknown binaries for analysis" is enabled, all traffic goes through CB Defense Device Services before it is routed to the Carbon Black Cloud. The Carbon Black Cloud uses only the third-party vendor Avira Operations GmbH & Co. KG (“Avira”) as a subprocessor to assist with the threat analysis. The sensor will never directly communicate with Avira, so there are no additional network changes required.
  • To determine whether the agent is "onsite" or "offsite", the sensor sends an ICMP echo to see whether each DNS suffix address is reachable. In this case you may observe outbound connections to your Domain Controllers from the Sensor Service (RepMgr).
  • Some third-party products (e.g. McAfee EPO Gateway) may attempt to validate the Carbon Black Cloud server certificate and terminate the connection due to a name mismatch between the certificate issued to the Carbon Black Cloud Login URL and the Service that the Endpoint Standard Sensor is connected to. In this situation, the third-party product must be configured to not validate the domain certificate.
  • Although TCP requires bi-directional/full duplex communications, only outbound traffic to the above domains is required from the sensor's perspective (the sensor initiates the TCP handshake), as the perimeter stateful firewall should perform NAT and route traffic accordingly.
  • The workload appliance requires bi-directional firewall rules
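
A connectivity check for the requirements above, as an added example (not VMware Carbon Black code): it probes each listed host and port directly and applies the TCP/443 then TCP/54443 failover order for Device Services. `DEVICE_SERVICES_HOST` is a placeholder because the Device Services hostnames are not reproduced on this page; the function names are illustrative, and the script assumes direct egress rather than a proxy.

```python
import socket

# Placeholder: replace with the Device Services hostname that matches your
# Carbon Black Cloud Console URL (the hostnames are not listed on this page).
DEVICE_SERVICES_HOST = "device-services.example.invalid"

# (description, host, primary port, backup port or None), from the tables above.
REQUIRED = [
    ("Device Services", DEVICE_SERVICES_HOST, 443, 54443),
    ("Definition updates (Local Scanner)", "updates2.cdc.carbonblack.io", 80, None),
    ("Definition updates, 3.3+ sensors", "updates2.cdc.carbonblack.io", 443, None),
    ("Content management, sensors 3.6+", "content.carbonblack.io", 443, None),
]


def tcp_open(host, port, timeout=5.0):
    """Return True if an outbound TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # covers DNS failure, refusal, reset and timeout
        return False


def check(requirements, probe=tcp_open):
    """Probe each requirement; try the backup port only if the primary fails.

    Returns (description, host, usable_port_or_None, status) tuples where
    status is "ok", "backup-only" (primary blocked, sensor would fail over)
    or "blocked" (no listed port reachable).
    """
    results = []
    for desc, host, primary, backup in requirements:
        if probe(host, primary):
            results.append((desc, host, primary, "ok"))
        elif backup is not None and probe(host, backup):
            results.append((desc, host, backup, "backup-only"))
        else:
            results.append((desc, host, None, "blocked"))
    return results


if __name__ == "__main__":
    for desc, host, port, status in check(REQUIRED):
        print(f"{status:12} {host}:{port if port else '-'}  {desc}")
```

A `backup-only` result means the firewall passes TCP/54443 but not TCP/443, so the sensor would be running on its failover port.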
