Agent Firewall Allowlisting Rules
Refer to this document for a list of addresses to optimize Automox agent functionality as well as addresses needed to patch Microsoft OS versions from Windows update.
Network and firewall requirements for running the Automox agent
If your organization has egress filtering on the firewall, you will need to allow access to the following hostnames / IP addresses for the Automox agent to communicate with the cloud platform. All agent communications take place over port 443 (https).
Recommended approach using URL
| Domain | Protocol(s) | Direction | Ports |
|---|---|---|---|
|
*.automox.com |
TCP |
Outbound |
443 |
|
*.digicert.com |
TCP |
Outbound |
80 |
|
*.digicertcdn.com |
TCP |
Outbound |
80 |
| automox-policy-files.s3.us-west-2.amazonaws.com | TCP | Outbound | 443 |
Additional Recommendations for Automox Remote Control with Splashtop
| Domain | Protocols | Direction | Ports |
|---|---|---|---|
| *.api.splashtop.com | TCP | Outbound | 443 |
| *.relay.splashtop.com | TCP | Outbound | 443 |
| update.splashtop.com | TCP | Outbound | 443 |
| update-g3.splashtop.com | TCP | Outbound | 443 |
Optional and Performance Ports for Automox Resolve, powered by Splashtop
| Port | Purpose |
|---|---|
| 6783 (TCP) |
For local connections on the same network, direct connections are point-to-point via TCP port 6783(configurable port). Only required if internal device-to-device communication is being blocked locally. No external access needed. |
| 9527-9528 (TCP) | Used only for local (loopback) communication between components. No firewall action is typically required. |
| 3749 (UDP) and all UDP Ports | Splashtop uses QUIC for optimized end-to-end connections. This requires outbound UDP port 3479 and dynamic UDP port allocation. |
Additional Recommendations for Analytics
| Domain | Protocol(s) | Direction | Port |
|---|---|---|---|
| *.thoughtspot.cloud | TCP, UDP | Outbound | 443 |
| mp.proxy.thoughtspot.cloud | TCP, UDP | Outbound | 443 |
| automox.thoughtspot.cloud | TCP, UDP | Outbound | 443 |
- Alternative approach using IP addresses:
- Check for current IP addresses by running the following command:
nslookup api.automox.com
- Check for current IP addresses by running the following command:
Recommended Approach Using Specific URLs
In addition to the URLs shown above, the following URLs should be added to your allowlist, particularly if your firewall does not support the use of wildcards:
| Domain | Protocol(s) | Direction | Ports |
|---|---|---|---|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
|
TCP |
Outbound |
443 |
|
| third-party-cdn.automox.com | TCP | Outbound | 443 |
Automox Platform and Splashtop Static IP List
We offer static IPs for customers who need to allowlist according to specific IP addresses. As our platform IP addresses are subject to change, please refer to our Static IP List. This file is updated as needed.
Proxy and Firewall Considerations
Windows
See Windows Update troubleshooting: Issues related to HTTP/Proxy
You might choose to apply a rule to permit HTTP RANGE requests for the following URLs:
*.download.windowsupdate.com
*.dl.delivery.mp.microsoft.com
*.delivery.mp.microsoft.com
Firewall
See Windows Update troubleshooting: Device cannot access update files
| Protocol | Endpoint URL |
|---|---|
|
TLS 1.2 |
|
|
HTTP |
|
|
HTTP |
|
|
HTTP |
|
|
HTTPS |
|
|
TLS 1.2 |
|
|
TLS 1.2 |
|
- Make sure to not use HTTPS for those endpoints that specify HTTP, and vice-versa. The connection will fail.
- When leveraging split-tunneling with a VPN, make sure to include these endpoints in your list of sites with direct access to the internet.
Microsoft Windows 11 Connection Points
Microsoft provides a complete list of connection points per Windows 11 feature version. Here is a link to the connection point document for Windows 11 Enterprise (refer to the links on the left for other feature versions).
Connection Endpoints for Windows 11 Enterprise - Windows Privacy
