Endpoint firewall and networking requirements for the Endpoint Security agent
SECURITY: Service account or administrator-level rights on the target endpoint
This article describes the networking infrastructure required to enable successful communication between your monitored endpoints and the EDR cloud.
To learn about the files you'll need to allowlist in your infrastructure security policies, refer to Endpoint allowlisting and antivirus considerations for the Endpoint Security agent.
General
- For each agent deployed in your environment, bidirectional communication from TCP port 443 to the URL for your instance must be permitted.
Datto EDR and Datto AV allowlisting
Datto EDR and Datto AV subscribers will need to allowlist the following URLs in their security infrastructure:
URL | Description |
*.infocyte.com | Secured with TLS 1.2/1.3 (HTTPS); if you are on a network with SSL inspection or decryption, you might need to bypass decryption for the infocyte.com CNAME of your instance, along with dl.infocyte.com |
dl.infocyte.com | Amazon CloudFront; IP range can vary based on location; recommended for optimal performance |
wss://servalot-prod.es.datto.net | Brokers communication with EDR cloud infrastructure; can alternatively allowlist *.es.datto.net |
wss://servalot-prod.es.datto.net:3030 | Required ports for communication with EDR cloud infrastructure |
wss://servalot-prod.es.datto.net:3031 | |
https://mcb1jewkpb.execute-api.us-east-2.amazonaws.com/ | Amazon S3 webhosts for Datto EDR cloud infrastructure |
https://rollbackinstallers.s3.us-east-2.amazonaws.com/ | |
https://staging.rollbackcommands.s3.us-east-2.amazonaws.com/ | |
https://s3.us-east-2.amazonaws.com | |
https://staging.rollback.log.s3.us-east-2.amazonaws.com/ | |
https://rwdlogs.s3.us-east-2.amazonaws.com/ | |
https://7j3e2hyns2.execute-api.us-east-2.amazonaws.com/ | |
https://rbinstallers.s3.us-east-2.amazonaws.com | |
https://prod-rollbacklogs.s3.us-east-2.amazonaws.com/ | |
https://s3.us-east-2.amazonaws.com/ | |
https://prod-rollbackmetrics.s3.us-east-2.amazonaws.com/ | |
https://rwdlogs.s3.us-west-2.amazonaws.com/ | |
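As an added example (not Datto's own tooling), the following Python audits a firewall or proxy allow policy against a subset of the endpoints in the table above and reports the host and port pairs the policy would still block. The rule format, the function names, and `SAMPLE_RULES` are assumptions made for illustration; the sample policy is constructed.

```python
from urllib.parse import urlsplit

# Subset of the Datto EDR endpoints listed in the table above.
REQUIRED = [
    "https://dl.infocyte.com",
    "wss://servalot-prod.es.datto.net",
    "wss://servalot-prod.es.datto.net:3030",
    "wss://servalot-prod.es.datto.net:3031",
    "https://rollbackinstallers.s3.us-east-2.amazonaws.com/",
    "https://staging.rollback.log.s3.us-east-2.amazonaws.com/",
    "https://s3.us-east-2.amazonaws.com",
]
DEFAULT_PORT = {"https": 443, "wss": 443}

def endpoint(url):
    """Return (host, port) for a URL, applying the scheme's default port."""
    parts = urlsplit(url)
    return parts.hostname.lower(), parts.port or DEFAULT_PORT[parts.scheme]

def host_matches(pattern, host):
    """Match an exact host or a '*.domain' wildcard (never the bare domain)."""
    # Assumption: '*.' covers one or more labels, as most proxy allowlists do.
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def audit(required, rules):
    """rules: list of (host_pattern, allowed_ports). Return blocked (host, port) pairs."""
    gaps = []
    for url in required:
        host, port = endpoint(url)
        if not any(host_matches(p, host) and port in ports for p, ports in rules):
            gaps.append((host, port))
    return gaps

# Constructed sample policy with two common mistakes.
SAMPLE_RULES = [
    ("*.infocyte.com", {443}),
    ("*.es.datto.net", {443}),                # wildcard set, ports 3030/3031 not opened
    ("*.s3.us-east-2.amazonaws.com", {443}),  # misses bare s3.us-east-2.amazonaws.com
]

if __name__ == "__main__":
    for host, port in audit(REQUIRED, SAMPLE_RULES):
        print(f"blocked: {host}:{port}")
```
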
Datto AV allowlisting
Datto EDR + Datto AV and standalone Datto AV subscribers who are deploying the Endpoint Security agent will need to allowlist the following URLs in their local network. If URL or domain allowlisting is not possible, consider a proxy solution or integrate the device into a DMZ.
Datto AV running on macOS and Linux
URL | Description |
prod-auth.eu1.apc.avira.com | Required URLs for communication with Datto AV cloud infrastructure |
prod-query.eu1.apc.avira.com | |
prod-upload.eu1.apc.avira.com | |
prod.tl.avira.com | |
Datto AV running on Windows
URL | Description |
query-api.eu1.apc.avira.com | Required URLs for communication with Datto AV cloud infrastructure |
fpc-rest.tl.avira.com | |
v2.web-rep.auc.avira.com | |
download.avira.com | |
api.mixpanel.com | |
Geo-blocked regions
To protect the safety of all customers, we restrict inbound internet traffic from certain countries and regions where cyberattacks are known to originate. As a result, any user attempting to log in to Datto AV or Datto EDR from these locations, whether directly or through proxy servers or VPNs, will be denied access. This filtering applies globally to all Kaseya data centers and public cloud environments.
Currently, the following countries are geo-blocked:
- Russia
- China
- Cuba
- Iran
- North Korea
- Syria
We will continue to curate this list as the cybersecurity landscape evolves.