IP addresses and ports used by Incydr

Updated May 27, 2026 13:25

Overview

This article lists all of the ports and IP addresses used by Incydr.

Insider risk agent

Firewall access

To ensure uninterrupted access to the Incydr cloud, open your firewall to allow outbound TCP/443 traffic to *.code42.com.

Insider risk agent ports

List of ports that require outbound traffic to Incydr.

Port	Protocol	Source	Destination	Description
443	HTTPS	Endpoint agents	Incydr cloud	Communication for user activity monitoring and deployment policy information

Incydr console

To ensure the Incydr console displays the newest features and functionality, open your firewall to allow outbound TCP/443 traffic to *.launchdarkly.com.

The Incydr console uses LaunchDarkly to control the rollout and visibility of some features.

IP address ranges used by Incydr data connections

All Incydr data connections are served out of Microsoft Azure data centers and do not use static IPs or fully qualified domain names (FQDNs). Instead, these IP address ranges are managed by Microsoft and can change over time. For more information, see Identify IP addresses used by Incydr data connectors.

IP addresses used by Incydr Flows

Incydr Flows are powered by Tines. To ensure Incydr Flows operate as expected, the service integrating with Incydr (for example, Workday or Crowdstrike) must allow requests from the following Tines IP addresses:

35.162.210.16
44.227.94.208

IP addresses used by API integrations and the Incydr CLI

Allow outbound TCP/443 traffic to *.code42.com.

Backup agent

To ensure uninterrupted backup traffic to the Incydr cloud, configure your firewall to allow outbound access on TCP/443 and TCP/4287.

TCP/443

If your firewall supports FQDN-based filtering, allow outbound TCP/443 to *.code42.com. If your firewall does not support FQDN-based filtering, allow outbound TCP/443 to the following based on your cloud instance:

US1, US2, and US3: AWS us-east-1 and AWS CloudFront (global) IP addresses
EU1: AWS eu-west-1 IP addresses and AWS CloudFront (global) IP addresses

For more information about AWS IP address ranges, see Amazon's documentation.

TCP/4287

Allow outbound TCP/4287 to the Incydr IP address ranges listed below.

38.127.80.0/24
50.93.246.0/23
50.93.255.0/24
64.207.196.0/22
64.207.204.0/23
67.222.248.0/22
216.9.199.0/24
216.17.8.0/24

These are up-to-date IP address ranges
This list represents all the IP-address ranges needed to allow access to the Incydr cloud. Remove from firewall rules any outdated Incydr IP address ranges not on this list. See Revision history for removed IP address ranges.

Ports

List of ports that require outbound traffic to Incydr. You must have ports 443, 4285, and 4287 open for use.

Port	Protocol	Source	Destination	Description
443	HTTPS	Endpoint agents	Incydr cloud	Communication for File Metadata Collection and deployment policy information
	HTTPS	Web Browsers	Incydr cloud	Web restore (both zip file and device) and user activity profiles
	TLS	Endpoint agents	Incydr cloud	Communication from device to the Incydr cloud. Only applies to environments that sign in to the Incydr console at: https://console.us2.code42.com.
4285	HTTPS	Web Browsers	Incydr cloud	Web restore (both zip file and device), user activity profiles, SSO sign in, and authentication API calls.
4287	TLS	Endpoint agents	Incydr cloud	Communication from the device to the Incydr cloud

Additional services integrated with Incydr

These are some additional ports used by services that are commonly integrated with Incydr environments.

Port	Protocol	Source	Destination	Description
8200 and 8201	TLS	Incydr cloud	Vault	Communication between a Vault instance and the Incydr cloud
443	HTTPS	Incydr cloud	AD FS server	Sync with AD FS
636	LDAPS	The Code42 User Directory Sync tool	Your directory server	Used by the Code42 User Directory Sync tool to sync with your directory service

IP address ranges used by Incydr data connections

Revision history

The table below lists previous updates to this page.

Date	Updates
May 27, 2026	Updated and simplified the backup agent requirements: For firewalls that do not support FQDN-based filtering, added AWS CloudFront (global) IP addresses as a requirement for outbound TCP/443. Removed the outbound TCP/443 requirement to allow Amazon Cognito Identity Pools endpoints. Specifically, the backup agent no longer requires outbound TCP/443 access to: cognito-identity.us-east-1.amazonaws.com cognito-identity-fips.us-east-1.amazonaws.com cognito-identity.eu-west-1.amazonaws.com cognito-identity-fips.eu-west-1.amazonaws.com
February 2, 2026	Added requirement to allow outbound TCP/443 traffic to *.launchdarkly.com to ensure the Incydr console displays the newest features and functionality.
November 17, 2022	Updated the Code42 IP address ranges to be used when performing IP address-based filtering for backup agents: Removed the following IP address ranges: 64.207.222.0/23 68.65.192.0/21 103.8.239.0/24 149.5.7.0/24 162.222.40.0/21 216.9.196.0/22 216.223.38.0/24 Changed 67.222.248.0/21 to 67.222.248.0/22. Added the following IP address ranges. (These address ranges will not be used until May 1, 2023. Please update any firewall rules to allow access to the full set of published Code42 network address ranges by that date): 38.127.80.0/24 216.9.199.0/24
September 22, 2022	Added details regarding the IP address ranges used by Code42 data connections.
June 29, 2022	Added the following IP address range: 216.9.196.0/22 These addresses will not be used until December 1, 2022. Please update any firewall rules to allow access to the full range of published Code42 network addresses by that date.
April 25, 2022	Removed instructions to allow outbound TCP/443 to .crashplan.com. All URLs to the Code42 cloud for Incydr are now .code42.com.
September 3, 2021	Added firewall access sections.
August 16, 2021	Added the Insider risk agent section.
May 5, 2021	Added the following IP address ranges: 64.207.196.0/22 64.207.204.0/23 64.207.222.0/23 If your instance in the Code42 cloud was provisioned on or before May 5, 2021, you have until November 5, 2021 to open firewall access to these ranges.
January 21, 2021	Added Amazon Cognito Identity endpoints addresses for firewall access.
November 27, 2020	Added client login addresses.
August 12, 2020	Added a note that IP address range 149.5.44.0/24 is retired.
June 3, 2020	Revised the Code42 IP address usage details for each Code42 cloud environment.
May 8, 2020	Noted that IP address ranges are scheduled to be updated August 11, 2020. For more information, see IP address updates in August 2020.
March 12, 2020	Added details for the Code42 federal environment.
January 7, 2020	Added an attention box stating that port 4282 is no longer supported.
March 13, 2019	Added new IP address range: 67.222.248.0/21 Published all IP address ranges. Previously, IP address ranges were only available by contacting our Technical Support Engineers or your Customer Success Manager (CSM).

IP addresses and ports used by Incydr

Overview

Insider risk agent

Firewall access

Insider risk agent ports

Incydr console

IP address ranges used by Incydr data connections

IP addresses used by Incydr Flows

IP addresses used by API integrations and the Incydr CLI

Backup agent

TCP/443

TCP/4287

Revision history

Related topics

Comments