Carbon Black Cloud: What Ports must be opened on the Firewall and Proxy Servers?

Environment

  • Carbon Black Cloud (formerly PSC) Console: All Versions
  • Endpoint Standard (formerly CB Defense) Sensor: All Versions
  • Microsoft Windows: All Supported Versions
  • Apple macOS: All Versions

Question

What ports must be opened on the Firewall or Proxy servers to allow the sensor to communicate with the various Carbon Black Cloud services?

Answer

Configure the firewall or proxy to allow outgoing and incoming connections to the following service URLs/hostnames, protocols, and ports, as determined by your Carbon Black Cloud Console URL or configuration.

Allow Access to all Services

CB Service URL/Hostname | CB IP Address | Protocol and Port | Description
------------------------|---------------|-------------------|------------------------------------------
ocsp.godaddy.com        | Dynamic*      | TCP/80            | Online Certificate Status Protocol (OCSP)
crl.godaddy.com         | Dynamic*      | TCP/80            | Certificate Revocation List (CRL)


Allow Access to Device Services Based on Carbon Black Cloud Console URL

Carbon Black Cloud Console URL            | CB Service URL/Hostname      | CB IP Address | Protocol and Port                                | Description
------------------------------------------|------------------------------|---------------|--------------------------------------------------|----------------
https://dashboard.confer.net/             | devices.confer.net           | Dynamic*      | TCP/443 (default port), TCP/54443 (backup port)  | Device Services
https://defense.conferdeploy.net/         | dev5.conferdeploy.net        | Dynamic*      | TCP/443 (default port), TCP/54443 (backup port)  | Device Services
https://defense-eu.conferdeploy.net/      | dev-prod06.conferdeploy.net  | Dynamic*      | TCP/443 (default port), TCP/54443 (backup port)  | Device Services
https://defense-prod05.conferdeploy.net/  | dev-prod05.conferdeploy.net  | Dynamic*      | TCP/443 (default port), TCP/54443 (backup port)  | Device Services
https://defense-prodnrt.conferdeploy.net/ | dev-prodnrt.conferdeploy.net | Dynamic*      | TCP/443 (default port), TCP/54443 (backup port)  | Device Services


Allow Access if Local Scanner is enabled in the Carbon Black Cloud Console

CB Service URL/Hostname       | CB IP Address | Protocol and Port | Description
------------------------------|---------------|-------------------|----------------------------------------------
updates2.cdc.carbonblack.io** | Dynamic*      | TCP/80            | Default Definition Update Server
updates2.cdc.carbonblack.io** | Dynamic*      | TCP/443           | Default Definition Update Server for 3.3+ Sensors

Required for sensors 3.6 and higher

CB Service URL/Hostname | CB IP Address | Port    | Description
------------------------|---------------|---------|--------------------------
content.carbonblack.io  | Dynamic*      | TCP/443 | Content management system

Required for VMware Carbon Black Cloud Workload Appliance Logging and Upgrades

CB Service URL/Hostname | CB IP Address | Port    | Description
------------------------|---------------|---------|-------------------------------
prod.cwp.carbonblack.io | Dynamic*      | TCP/443 | Appliance logging and upgrades

* The current implementation of the Carbon Black Cloud service uses dynamically managed load balancers to provide the best possible scalability, reliability, and performance, so each VMware Carbon Black Cloud service hostname resolves to several possible IP addresses, which likewise change dynamically. Allow the hostnames rather than fixed IP addresses. See Cb Defense: What's the static IP address or hostname used by Cb Defense? for details.
** The default signature update URL was permanently changed in August 2019; see Endpoint Standard: Signature Pack Version Has Not Updated Since August 1, 2019.

Additional Notes

  • Device Services allow the sensor to upload the latest events from the endpoint, look up the reputation of a new file, or receive a configuration change from the Carbon Black Cloud backend.
  • If the sensor cannot establish connectivity to the Device Services URL over the standard SSL port TCP/443, it fails over to the alternate port TCP/54443.
  • The Endpoint Standard sensor relies on the operating system for dynamic proxy detection. If proxy authentication is required, the user may be prompted for credentials unless proxy exceptions are made for the Carbon Black Cloud services.
  • If "Submit unknown binaries for analysis" is enabled, all traffic goes through the CB Defense Device Services before it is routed to the Carbon Black Cloud. The Carbon Black Cloud uses only one third-party vendor, Avira Operations GmbH & Co. KG ("Avira"), as a subprocessor to assist with threat analysis. The sensor never communicates directly with Avira, so no additional network changes are required.
  • To determine whether the agent is "onsite" or "offsite", the sensor sends an ICMP echo to check whether each DNS suffix address is reachable. As a result, you may observe outbound connections to your domain controllers from the sensor service (RepMgr).
  • Some third-party products (e.g. McAfee ePO Gateway) may attempt to validate the Carbon Black Cloud server certificate and terminate the connection because of a name mismatch between the certificate issued to the Carbon Black Cloud login URL and the service the Endpoint Standard sensor is connected to. In this situation, the third-party product must be configured not to validate the domain certificate.
  • Although TCP requires bidirectional (full-duplex) communication, only outbound traffic to the above domains is required from the sensor's perspective (the sensor initiates the TCP handshake); the perimeter stateful firewall should perform NAT and route the return traffic accordingly.
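As an added example (not part of this article and not Carbon Black's own tooling), the following Python preflight script derives the outbound allowlist from the console URL and the enabled features, then checks reachability from an endpoint with the same TCP/443-then-TCP/54443 failover the sensor uses. The hostnames and ports are those in the tables above; the function names and the `probe` hook are assumptions made here so the failover logic can be exercised without network access.

```python
import socket
from urllib.parse import urlparse

# Console URL host -> Device Services hostname, taken from the table in this article.
DEVICE_SERVICES = {
    "dashboard.confer.net": "devices.confer.net",
    "defense.conferdeploy.net": "dev5.conferdeploy.net",
    "defense-eu.conferdeploy.net": "dev-prod06.conferdeploy.net",
    "defense-prod05.conferdeploy.net": "dev-prod05.conferdeploy.net",
    "defense-prodnrt.conferdeploy.net": "dev-prodnrt.conferdeploy.net",
}
DEFAULT_PORT, BACKUP_PORT = 443, 54443  # sensor tries 443 first, then fails over

def required_endpoints(console_url, local_scanner=False, sensor_36_plus=False, workload_appliance=False):
    """Return [(hostname, [ports])] that the firewall/proxy must allow outbound."""
    host = urlparse(console_url).hostname
    if host not in DEVICE_SERVICES:
        raise ValueError(f"unknown Carbon Black Cloud console URL: {console_url}")
    endpoints = [
        ("ocsp.godaddy.com", [80]),  # OCSP check for the service certificate
        ("crl.godaddy.com", [80]),   # CRL download for the service certificate
        (DEVICE_SERVICES[host], [DEFAULT_PORT, BACKUP_PORT]),
    ]
    if local_scanner:       # definition updates: TCP/80, TCP/443 for 3.3+ sensors
        endpoints.append(("updates2.cdc.carbonblack.io", [80, 443]))
    if sensor_36_plus:      # content management system
        endpoints.append(("content.carbonblack.io", [443]))
    if workload_appliance:  # appliance logging and upgrades
        endpoints.append(("prod.cwp.carbonblack.io", [443]))
    return endpoints

def tcp_open(host, port, timeout=3.0):
    """True if an outbound TCP handshake completes; the IP is whatever the name resolves to now."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_endpoints(endpoints, probe=tcp_open):
    """Probe every listed port. Returns {hostname: {port: reachable}}."""
    return {host: {p: probe(host, p) for p in ports} for host, ports in endpoints}

def device_services_ok(results, ds_host):
    """Mirror the sensor: TCP/443 is enough; if it is blocked, TCP/54443 must be open."""
    ports = results[ds_host]
    return bool(ports.get(DEFAULT_PORT) or ports.get(BACKUP_PORT))
```

Run `check_endpoints(required_endpoints("https://defense.conferdeploy.net/", local_scanner=True))` on a sensor host to see which hostname/port pairs the perimeter actually permits; a Device Services result of `{443: False, 54443: True}` means the sensor will work but only on the backup port.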

Article Information
Creation Date: 07-15-2016