Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?
Carbon Black Cloud (Formerly PSC) Console: All Versions
Endpoint Standard (Formerly CB Defense) Sensor: All Versions
Microsoft Windows: All Supported Versions
Apple macOS: All Versions
What ports must be opened on the Firewall or Proxy servers to allow the sensor to communicate with the various Carbon Black Cloud services?
Configure the firewall or proxy to allow outgoing and incoming connections to the following Service URLs/Hostnames, Protocols, and Ports, as determined by your Carbon Black Cloud Console URL or configuration.
Allow Access to all Services
CB Service URL/Hostname
CB IP Address
Protocol and Port
Online Certificate Status Protocol (OCSP)
Certificate Revocation List (CRL)
Allow Access to Device Services Based on Carbon Black Cloud Console URL
Device Services allows the sensor to upload the latest events from the endpoint, look up the reputation of a new file, or receive a configuration change from the Carbon Black Cloud Backend.
If the sensor cannot establish connectivity to the Device Services URL over the standard SSL port TCP/443, it will fail over to the alternate port: TCP/54443.
The Endpoint Standard Sensor relies on the Operating System for dynamic proxy detection. If proxy authentication is required, the user may be prompted for credentials if proxy exceptions are not made for the Carbon Black Cloud Services.
If "Submit unknown binaries for analysis" is enabled, all traffic goes through CB Defense Device Services before it is routed to the Carbon Black Cloud. The Carbon Black Cloud uses only the third-party vendor Avira Operations GmbH & Co. KG (“Avira”) as a subprocessor to assist with the threat analysis. The sensor will never communicate directly with Avira, so no additional network changes are required.
To determine whether the agent is "onsite" or "offsite", the sensor sends an ICMP echo to see whether each DNS suffix address is reachable. In this case you may observe outbound connections to your Domain Controllers from the Sensor Service (RepMgr).
Some third-party products (e.g. McAfee EPO Gateway) may attempt to validate the Carbon Black Cloud server certificate and terminate the connection due to a name mismatch between the certificate issued to the Carbon Black Cloud Login URL and the Service that the Endpoint Standard Sensor is connected to. In this situation, the third-party product must be configured to not validate the domain certificate.
Although TCP requires bi-directional/full duplex communications, only outbound traffic to the above domains is required from the sensor's perspective (the sensor initiates the TCP handshake), as the perimeter stateful firewall should perform NAT and route traffic accordingly.
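To validate a firewall change against the failover behaviour described above (TCP/443 first, then TCP/54443), the following added example, which is not Carbon Black code, probes both ports in that order with outbound TCP handshakes and reports which one would be usable. The hostname is a placeholder to be replaced with the Device Services hostname for your Console URL, and the probe connects directly, so it does not exercise an explicit proxy path.

```python
import socket

# Ports from the article: standard TLS port first, then the alternate failover port.
SENSOR_PORTS = (443, 54443)


def probe(host, port, timeout=3.0):
    """Attempt one outbound TCP handshake and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"        # hostname did not resolve from this endpoint
    except socket.timeout:
        return "timeout"            # SYN silently dropped, typical of a deny rule
    except ConnectionRefusedError:
        return "refused"            # RST received: reject rule or nothing listening
    except OSError as exc:
        return "error: %s" % exc    # e.g. network unreachable


def check_device_services(host, ports=SENSOR_PORTS, timeout=3.0):
    """Probe ports in failover order; return (first usable port or None, results)."""
    results = {}
    usable = None
    for port in ports:
        results[port] = probe(host, port, timeout)
        if usable is None and results[port] == "open":
            usable = port
    return usable, results


if __name__ == "__main__":
    # Placeholder hostname (assumption): substitute the Device Services hostname
    # listed for your Carbon Black Cloud Console URL.
    host = "device-services.example.invalid"
    usable, results = check_device_services(host)
    for port, status in results.items():
        print("%s tcp/%d: %s" % (host, port, status))
    print("sensor would use:", "tcp/%d" % usable if usable else "no reachable port")
```

A "timeout" result usually points to a silent drop at the perimeter, while "refused" points to an explicit reject or a device answering on the sensor's behalf.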