Agent Firewall Allowlisting Rules

Refer to this document for a list of addresses to optimize Automox agent functionality as well as addresses needed to patch Microsoft OS versions from Windows update.

Regarding Ad Blockers - We recommended disabling ad blockers (such as uBlock Origin) for the Automox Console, as ad blockers can adversely impact the functionality of the product.

Network and firewall requirements for running the Automox agent

If your organization has egress filtering on the firewall, you will need to allow access to the following hostnames / IP addresses for the Automox agent to communicate with the cloud platform. All agent communications take place over port 443 (https).

Agent access to content uploaded for use with Worklets and Required Software Policies:

automox-policy-files.s3.us-west-2.amazonaws.com

Note: The platform-IP addresses are subject to change. Add the hostnames to your list of trusted sites, if possible, or regularly check for the latest IPs assigned to the platform.

Recommended approach using URL

URL List

Domain	Protocol(s)	Direction	Ports
*.automox.com	TCP	Outbound	443
*.digicert.com	TCP	Outbound	80
*.digicertcdn.com	TCP	Outbound	80

Additional recommendations for Automox Remote Control

Remote Control URL List

Domain	Protocol(s)	Direction	Ports
http://d1ovafk2iqpmhd.cloudfront.net/	TCP, UDP	Outbound	80
*.rc.automox.net	TCP, UDP	Outbound	7844
region1.v2.argotunnel.com	TCP, UDP	Outbound	7844
region2.v2.argotunnel.com	TCP, UDP	Outbound	7844
cftunnel.com	TCP, UDP	Outbound	7844
h2.cftunnel.com	TCP, UDP	Outbound	7844
quic.cftunnel.com	TCP, UDP	Outbound	7844
https://api.cloudflare.com	TCP, UDP	Outbound	443
update.cloudflare.com	TCP, UDP	Outbound	443
https://pqtunnels.cloudflareresearch.com	TCP, UDP	Outbound	443

Additional Recommendations for Analytics

Analytics URL List

Domain	Protocol(s)	Direction	Port
*.thoughtspot.cloud	TCP, UDP	Outbound	443
mp.proxy.thoughtspot.cloud	TCP, UDP	Outbound	443
automox.thoughtspot.cloud	TCP, UDP	Outbound	443

Alternative approach using IP addresses:
- Check for current IP addresses by running the following command: nslookup api.automox.com

Recommended Approach Using Specific URLs

In addition to the URLs shown above, the following URLs should be added to your allowlist, particularly if your firewall does not support the use of wildcards:

Non-Wildcard URL List

Domain	Protocol(s)	Direction	Ports
api.automox.com	TCP	Outbound	443
console.automox.com	TCP	Outbound	443
ct.automox.com	TCP	Outbound	443
rc.automox.com	TCP, UDP	Outbound	443
storage-cdn.prod.automox.com	TCP	Outbound	443
worklet-signing.prod.automox.com	TCP	Outbound	443
installation-reporting-service.prod.automox.com	TCP	Outbound	443
llm.automox.com	TCP	Outbound	443
downloadexport.automox.com	TCP	Outbound	443
policyreport.automox.com	TCP	Outbound	443
download-export-cdn.prod.automox.com	TCP	Outbound	443
rtt.automox.com	TCP	Outbound	443
agent-content-cdn.automox.com	TCP	Outbound	443
command-storage-cdn.prod.automox.com	TCP	Outbound	443

Recommendations for Static IPs

Static IP List

IP Address	Protocol(s)	Direction	Port
3.163.232.122	TCP	Outbound	443
3.163.232.67	TCP	Outbound	443
3.163.233.122	TCP	Outbound	443
3.163.233.67	TCP	Outbound	443
3.163.234.122	TCP	Outbound	443
3.163.234.67	TCP	Outbound	443
3.163.235.122	TCP	Outbound	443
3.163.235.67	TCP	Outbound	443
3.163.236.122	TCP	Outbound	443
3.163.236.67	TCP	Outbound	443
3.163.237.122	TCP	Outbound	443
3.163.237.67	TCP	Outbound	443
3.163.238.122	TCP	Outbound	443
3.163.238.67	TCP	Outbound	443
3.163.239.122	TCP	Outbound	443
3.163.239.67	TCP	Outbound	443
3.163.240.122	TCP	Outbound	443
3.163.240.67	TCP	Outbound	443
3.163.241.122	TCP	Outbound	443
3.163.241.67	TCP	Outbound	443
3.163.242.122	TCP	Outbound	443
3.163.242.67	TCP	Outbound	443
3.163.243.122	TCP	Outbound	443
3.163.243.67	TCP	Outbound	443
3.163.244.122	TCP	Outbound	443
3.163.244.67	TCP	Outbound	443
3.163.245.122	TCP	Outbound	443
3.163.245.67	TCP	Outbound	443
3.163.246.122	TCP	Outbound	443
3.163.246.67	TCP	Outbound	443
3.163.247.122	TCP	Outbound	443
3.163.247.67	TCP	Outbound	443
3.163.248.122	TCP	Outbound	443
3.163.248.67	TCP	Outbound	443
3.163.249.122	TCP	Outbound	443
3.163.249.67	TCP	Outbound	443
3.163.250.122	TCP	Outbound	443
3.163.250.67	TCP	Outbound	443
3.163.251.122	TCP	Outbound	443
3.163.251.67	TCP	Outbound	443
3.163.252.122	TCP	Outbound	443
3.163.252.67	TCP	Outbound	443
35.71.186.167	TCP	Outbound	443
35.71.186.167	TCP	Outbound	443
75.2.5.88	TCP	Outbound	443
162.159.141.119	TCP	Outbound	443
166.117.117.99	TCP	Outbound	443
166.117.254.67	TCP	Outbound	443
166.117.254.71	TCP	Outbound	443
166.117.56.92	TCP	Outbound	443
172.66.1.115	TCP	Outbound	443

Proxy and Firewall Considerations

Windows

See Windows Update troubleshooting: Issues related to HTTP/Proxy

You might choose to apply a rule to permit HTTP RANGE requests for the following URLs:

*.download.windowsupdate.com

*.dl.delivery.mp.microsoft.com

*.delivery.mp.microsoft.com

Firewall

See Windows Update troubleshooting: Device cannot access update files

Microsoft Firewall URLs

Protocol	Endpoint URL
TLS 1.2	`*.prod.do.dsp.mp.microsoft.com`
HTTP	`emdl.ws.microsoft.com`
HTTP	`*.dl.delivery.mp.microsoft.com`
HTTP	`*.windowsupdate.com`
HTTPS	`*.delivery.mp.microsoft.com`
TLS 1.2	`*.update.microsoft.com`
TLS 1.2	`tsfe.trafficshaping.dsp.mp.microsoft.com`

Note: Make sure to not use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.

Note: When leveraging split-tunneling with a VPN, make sure to include these endpoints in your list of sites with direct access to the internet.

The Automox Agent Notifier must be added to the Windows Defender Firewall Allowed Applications.

Microsoft Windows 10 Connection Points

Microsoft provides a complete list of connection points per Windows 10 feature version. Here is a link to the connection point document for Windows 10 version 20H2 (refer to the links on the left for other feature versions).

https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints

macOS

See Use Apple products on enterprise networks.