Overview
This article lists all of the ports and IP addresses used by Incydr.
Insider risk agent
Firewall access
To ensure uninterrupted access to the Incydr cloud, open your firewall to allow outbound TCP/443 traffic to *.code42.com.
Insider risk agent ports
List of ports that require outbound traffic to Incydr.
| Port | Protocol | Source | Destination | Description |
|---|---|---|---|---|
| 443 | HTTPS | Endpoint agents | Incydr cloud | Communication for user activity monitoring and deployment policy information |
IP address ranges used by Incydr data connections
All Incydr data connections are served out of Microsoft Azure data centers and do not use static IPs or fully qualified domain names (FQDNs). Instead, these IP address ranges are managed by Microsoft and can change over time. For more information, see Identify IP addresses used by Incydr data connectors.
IP addresses used by Incydr Flows
Incydr Flows are powered by Tines. To ensure Incydr Flows operate as expected, the service integrating with Incydr (for example, Workday or CrowdStrike) must allow requests from the following Tines IP addresses:
- 35.162.210.16
- 44.227.94.208
IP addresses used by API integrations and the Incydr CLI
Allow outbound TCP/443 traffic to *.code42.com.
Backup agent
Firewall access
Two firewall filtering methods are described below: FQDN-based and IP-based.
The FQDN-based method is simpler to manage for most customers. The IP-based method should be used with firewalls that do not support FQDN-based filtering.
FQDN-based filtering method
To ensure uninterrupted access to the Incydr cloud, open outbound access in your firewall as follows based on which cloud instance you use. (You must use the IP-based filtering method to allow traffic on port 4287.) For information about the Amazon Cognito Identity Pools endpoints, see Amazon's documentation.
- US1: https://console.us.code42.com
  - Allow outbound TCP/443 to *.code42.com
  - Allow outbound TCP/443 to cognito-identity.us-east-1.amazonaws.com
  - Allow outbound TCP/443 to cognito-identity-fips.us-east-1.amazonaws.com
- US2: https://console.us2.code42.com
  - Allow outbound TCP/443 to *.code42.com
  - Allow outbound TCP/443 to cognito-identity.us-east-1.amazonaws.com
  - Allow outbound TCP/443 to cognito-identity-fips.us-east-1.amazonaws.com
- US3: https://console.gov.code42.com
  - Allow outbound TCP/443 to *.code42.com
  - Allow outbound TCP/443 to cognito-identity.us-east-1.amazonaws.com
  - Allow outbound TCP/443 to cognito-identity-fips.us-east-1.amazonaws.com
- EU1: https://console.ie.code42.com
  - Allow outbound TCP/443 to *.code42.com
  - Allow outbound TCP/443 to cognito-identity.eu-west-1.amazonaws.com
  - Allow outbound TCP/443 to cognito-identity-fips.eu-west-1.amazonaws.com
IP-based filtering method
To ensure uninterrupted access to the Incydr cloud when your firewall does not support FQDN-based filtering or TLS inspection is being performed, open outbound access in your firewall as follows based on which cloud instance you use. For more information about AWS IP address ranges, see Amazon's documentation.
- US1: https://console.us.code42.com
  - Allow outbound TCP/443 and TCP/4287 to Incydr IP address ranges below
  - Allow outbound TCP/443 to AWS us-east-1 IP addresses
- US2: https://console.us2.code42.com
  - Allow outbound TCP/443 and TCP/4287 to Incydr IP address ranges below
  - Allow outbound TCP/443 to AWS us-east-1 IP addresses
- US3: https://console.gov.code42.com
  - Allow outbound TCP/443 and TCP/4287 to Incydr IP address ranges below
  - Allow outbound TCP/443 to AWS us-east-1 IP addresses
- EU1: https://console.ie.code42.com
  - Allow outbound TCP/443 and TCP/4287 to Incydr IP address ranges below
  - Allow outbound TCP/443 and TCP/4287 to AWS eu-west-1 IP addresses
IP address ranges required by the backup agent
To allow the backup agent to connect to the Incydr cloud when you use an IP-based filtering method, open outbound access in your firewall to the following IP address ranges:
- 38.127.80.0/24
- 50.93.246.0/23
- 50.93.255.0/24
- 64.207.196.0/22
- 64.207.204.0/23
- 67.222.248.0/22
- 216.9.199.0/24
- 216.17.8.0/24
This list represents all the IP-address ranges needed to allow access to the Incydr cloud. Remove from firewall rules any outdated Incydr IP address ranges not on this list. See Revision history for removed IP address ranges.
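The following Python example is added here and is not part of the vendor's documentation. It checks an exported set of outbound-allow rules against the ranges above, reporting rules that allow addresses outside the published ranges (candidates for removal) and published ranges not yet covered on TCP/443 or TCP/4287. The rule export format, the `audit` function, and `SAMPLE_RULES` are assumptions; 203.0.113.0/24 is a documentation range standing in for a retired entry.

```python
import ipaddress

# Ranges copied from the list above.
INCYDR_RANGES = [ipaddress.ip_network(c) for c in (
    "38.127.80.0/24", "50.93.246.0/23", "50.93.255.0/24", "64.207.196.0/22",
    "64.207.204.0/23", "67.222.248.0/22", "216.9.199.0/24", "216.17.8.0/24")]
REQUIRED_PORTS = (443, 4287)  # IP-based method: TCP/443 and TCP/4287


def audit(rules):
    """rules: iterable of (cidr, tcp_port) outbound-allow rules labelled as
    Incydr in your firewall export (assumed format).
    Returns (outside, missing):
      outside - rules not contained in any published range (stale or too broad)
      missing - (range, port) pairs that no rule, or union of rules, covers
    """
    by_port = {}
    for cidr, port in rules:
        by_port.setdefault(port, []).append(ipaddress.ip_network(cidr))

    outside = sorted(
        (str(net), port)
        for port, nets in by_port.items() for net in nets
        if not any(net.subnet_of(r) for r in INCYDR_RANGES))

    missing = []
    for port in REQUIRED_PORTS:
        # Merge adjacent rules so a /24 entered as two /25s counts as covered.
        merged = list(ipaddress.collapse_addresses(by_port.get(port, [])))
        for r in INCYDR_RANGES:
            if not any(r.subnet_of(m) for m in merged):
                missing.append((str(r), port))
    return outside, missing


# Constructed sample export: one leftover rule, one range missing on 4287,
# and one range split into two halves on 4287.
SAMPLE_RULES = (
    [(str(r), 443) for r in INCYDR_RANGES]
    + [(str(r), 4287) for r in INCYDR_RANGES[1:-1]]
    + [("38.127.80.0/25", 4287), ("38.127.80.128/25", 4287)]
    + [("203.0.113.0/24", 443)]
)

if __name__ == "__main__":
    outside, missing = audit(SAMPLE_RULES)
    print("Remove or narrow:", outside)
    print("Add:", missing)
```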
Ports
List of ports that require outbound traffic to Incydr. You must have ports 443, 4285, and 4287 open for use.
| Port | Protocol | Source | Destination | Description |
|---|---|---|---|---|
| 443 | HTTPS | Endpoint agents | Incydr cloud | Communication for File Metadata Collection and deployment policy information |
| 443 | HTTPS | Web Browsers | Incydr cloud | Web restore (both zip file and device) and user activity profiles |
| 443 | TLS | Endpoint agents | Incydr cloud | Communication from device to the Incydr cloud. Only applies to environments that sign in to the Incydr console at: https://console.us2.code42.com. |
| 4285 | HTTPS | Web Browsers | Incydr cloud | Web restore (both zip file and device), user activity profiles, SSO sign in, and authentication API calls. |
| 4287 | TLS | Endpoint agents | Incydr cloud | Communication from the device to the Incydr cloud |
Additional services integrated with Incydr
These are some additional ports used by services that are commonly integrated with Incydr environments.
| Port | Protocol | Source | Destination | Description |
|---|---|---|---|---|
| 8200 and 8201 | TLS | Incydr cloud | Vault | Communication between a Vault instance and the Incydr cloud |
| 443 | HTTPS | Incydr cloud | AD FS server | Sync with AD FS |
| 636 | LDAPS | | Your directory server | Used by the Code42 User Directory Sync tool to sync with your directory service |
IP address ranges used by Incydr data connections
All Incydr data connections are served out of Microsoft Azure data centers and do not use static IPs or fully qualified domain names (FQDNs). Instead, these IP address ranges are managed by Microsoft and can change over time. For more information, see Identify IP addresses used by Incydr data connectors.
Revision history