Agent Firewall Allowlisting Rules

Refer to this document for a list of addresses to optimize Automox agent functionality as well as addresses needed to patch Microsoft OS versions from Windows update.

Network and firewall requirements for running the Automox agent

If your organization has egress filtering on the firewall, you will need to allow access to the following hostnames / IP addresses for the Automox agent to communicate with the cloud platform. All agent communications take place over port 443 (https).

Agent access to content uploaded for use with Worklets and Required Software Policies:

• automox-policy-files.s3.us-west-2.amazonaws.com

Recommended approach using URL

Domain	Protocol(s)	Direction	Ports
*.automox.com	TCP	Outbound	443
*.digicert.com	TCP	Outbound	80
*.digicertcdn.com	TCP	Outbound	80
http://app.launchdarkly.com	TCP	Outbound	443
clientstream.launchdarkly.com	TCP	Outbound	443
events.launchdarkly.com	TCP	Outbound	443

Additional recommendations for Automox Remote Control

Domain	Protocol(s)	Direction	Ports
http://d1ovafk2iqpmhd.cloudfront.net/	TCP, UDP	Outbound	80
*.rc.automox.net	TCP, UDP	Outbound	7844
region1.v2.argotunnel.com	TCP, UDP	Outbound	7844
region2.v2.argotunnel.com	TCP, UDP	Outbound	7844
cftunnel.com	TCP, UDP	Outbound	7844
h2.cftunnel.com	TCP, UDP	Outbound	7844
quic.cftunnel.com	TCP, UDP	Outbound	7844
http://api.cloudflare.com	TCP, UDP	Outbound	443
update.cloudflare.com	TCP, UDP	Outbound	443
http://pqtunnels.cloudflareresearch.com	TCP, UDP	Outbound	443

• Alternative approach using IP addresses:
  • Check for current IP addresses by running the following command: nslookup api.automox.com

Recommended Approach Using Specific URLs

In addition to the URLs shown above, the following URLs should be added to your allowlist, particularly if your firewall does not support the use of wildcards:

Domain	Protocol(s)	Direction	Ports
api.automox.com	TCP	Outbound	443
console.automox.com	TCP	Outbound	443
ct.automox.com	TCP	Outbound	443
rc.automox.com	TCP, UDP	Outbound	443
storage-cdn.prod.automox.com	TCP	Outbound	443
worklet-signing.prod.automox.com	TCP	Outbound	443
installation-reporting-service.prod.automox.com	TCP	Outbound	443
llm.automox.com	TCP	Outbound	443
downloadexport.automox.com	TCP	Outbound	443
policyreport.automox.com	TCP	Outbound	443
download-export-cdn.prod.automox.com	TCP	Outbound	443
rtt.automox.com	TCP	Outbound	443
agent-content-cdn.automox.com	TCP	Outbound	443

Proxy and Firewall Considerations

Windows

See Windows Update troubleshooting: Issues related to HTTP/Proxy

You might choose to apply a rule to permit HTTP RANGE requests for the following URLs:

*.download.windowsupdate.com

*.dl.delivery.mp.microsoft.com

*.delivery.mp.microsoft.com

Firewall

See Windows Update troubleshooting: Device cannot access update files

Protocol	Endpoint URL
TLS 1.2	*.prod.do.dsp.mp.microsoft.com
HTTP	emdl.ws.microsoft.com
HTTP	*.dl.delivery.mp.microsoft.com
HTTP	*.windowsupdate.com
HTTPS	*.delivery.mp.microsoft.com
TLS 1.2	*.update.microsoft.com
TLS 1.2	tsfe.trafficshaping.dsp.mp.microsoft.com

Microsoft Windows 10 Connection Points

Microsoft provides a complete list of connection points per Windows 10 feature version. Here is a link to the connection point document for Windows 10 version 20H2 (refer to the links on the left for other feature versions).

https://docs.microsoft.com/en-us/windows/privacy/manage-windows-20h2-endpoints

macOS

See Use Apple products on enterprise networks.