Endpoint firewall and networking requirements for the Endpoint Security agent

SECURITY Service account or administrator-level rights on the target endpoint

This article describes the networking infrastructure required to enable successful communication between your monitored endpoints and the EDR cloud.

To learn about the files you'll need to allowlist in your infrastructure security policies, refer to Endpoint allowlisting and antivirus considerations for the Endpoint Security agent.

Index

General
Datto EDR and Datto AV allowlisting
Datto AV allowlisting
- Datto AV running on macOS and Linux
- Datto AV running on Windows
Geo-blocked regions

General

For each agent deployed in your environment, bidirectional communication from TCP port 443 to the URL for your instance must be permitted.

Datto EDR and Datto AV allowlisting

Datto EDR and Datto AV subscribers will need to allowlist the following URLs in their security infrastructure:

URL	Description
*.infocyte.com	Secured with TLS 1.2/1.3 (HTTPS); if you are on a network with SSL inspection or decryption, you might need to bypass decryption for the infocyte.com CNAME of your instance, along with dl.infocyte.com
dl.infocyte.com	Amazon CloudFront; IP range can vary based on location; recommended for optimal performance
wss://servalot-prod.es.datto.net	Brokers communication with EDR cloud infrastructure; can alternatively allowlist *.es.datto.net
wss://servalot-prod.es.datto.net:3030	Required ports for communication with EDR cloud infrastructure
wss://servalot-prod.es.datto.net:3031
https://mcb1jewkpb.execute-api.us-east-2.amazonaws.com/	Amazon S3 webhosts for Datto EDR cloud infrastructure
https://rollbackinstallers.s3.us-east-2.amazonaws.com/
https://staging.rollbackcommands.s3.us-east-2.amazonaws.com/
https://s3.us-east-2.amazonaws.com
https://staging.rollback.log.s3.us-east-2.amazonaws.com/
https://rwdlogs.s3.us-east-2.amazonaws.com/
https://7j3e2hyns2.execute-api.us-east-2.amazonaws.com/
https://rbinstallers.s3.us-east-2.amazonaws.com
https://prod-rollbacklogs.s3.us-east-2.amazonaws.com/
https://s3.us-east-2.amazonaws.com/
https://prod-rollbackmetrics.s3.us-east-2.amazonaws.com/
https://rwdlogs.s3.us-west-2.amazonaws.com/

Datto AV allowlisting

Datto EDR + Datto AV and standalone Datto AV subscribers who are deploying the Endpoint Security agent will need to allowlist the following URLs in their local network. If URL or domain allowlisting is not possible, consider a proxy solution or integrate the device into a DMZ.

Datto AV running on macOS and Linux

URL	Description
prod-auth.eu1.apc.avira.com	Required URLs for communication with Datto AV cloud infrastructure
prod-query.eu1.apc.avira.com
prod-upload.eu1.apc.avira.com
prod.tl.avira.com

Datto AV running on Windows

URL	Description
query-api.eu1.apc.avira.com	Required URLs for communication with Datto AV cloud infrastructure
fpc-rest.tl.avira.com
v2.web-rep.auc.avira.com
download.avira.com
api.mixpanel.com

Geo-blocked regions

To protect the safety of all customers, we restrict inbound internet traffic from certain countries and regions where cyberattacks are known to originate. As a result, any user attempting to log in to Datto AV or Datto EDR from these locations, whether directly or through proxy servers or VPNs, will be denied access. This filtering applies globally to all Kaseya data centers and public cloud environments.

Currently, the following countries are geo-blocked:

Russia
China

Cuba
Iran
North Korea
Syria

We will continue to curate this list as the cybersecurity landscape evolves.

	Need troubleshooting help? Open the Kaseya Helpdesk.
	Want to talk about it? Head on over to the Community!
	Have an idea for a new feature? Want to learn about upcoming enhancements? Visit the Ideas forum!
	Provide feedback for the Documentation team.