Configure a Firewall

A sensor can connect to the backend in a firewall-protected network in several ways.

URLs are used for the following purposes:

Console/API — Console access and API requests
Sensor — Communication between the sensor and the console/backend
UBS download — Downloading Unified Binary Store (UBS) binaries and metadata
Content management — Allowing the Carbon Black sensor to receive instructions (manifests) that configure a wide variety of the Carbon Black Cloud features and their underlying rules. Without the first manifest update, some features, including the following, might not be available.
- Carbon Black Cloud Enterprise EDR event collection
- VMware Carbon Black XDR event collection
- Device control
- Host-based firewall
- Unified Binary Store (UBS)
- A large percent of Carbon Black Cloud Endpoint Standard blocking capabilities
When the initial manifest download completes, an access to content.carbonblack.io is required to receive configuration changes done by using the Carbon Black Cloud console (in the Enforce > Policies page) and to receive the most up-to-date rule sets.
Signature — Updating signature packs
Third-party certificate validation — Verifying sensor comm certificates
Live Response Uploads - Used when performing the "get" command from Live Response

Configure the firewall to allow incoming and outgoing TCP/443 (default) and TCP/54443 (backup) connections to the following environment specific URLs:

Table 1. Environment-specific URLs
Environment/AWS Region	Console/API URL	Sensor URL	UBS download URL
GovCloud US	https://gprd1usgw1.carbonblack-us-gov.vmware.com/

Additionally, all environments use the following URLs:

Table 2. All environments
Category	URL	Protocol/Port	Notes
Content Management URL	https://content.carbonblack.io	TCP/443
Signature URL	http://updates2.cdc.carbonblack.io/update2	TCP/80	Windows sensor versions prior to 3.3
Signature URL	https://updates2.cdc.carbonblack.io/update2	TCP/443	Windows sensor versions 3.3+
Third-party certificate validation URL	http://ocsp.digicert.com	TCP/80	Online Certificate Status Protocol (OCSP). Sensor version 3.3+: required unless `CURL_CRL_CHECK` is disabled.
Third-party certificate validation URL	http://crl3.digicert.com http://crl4.digicert.com	TCP/80	Certificate Revocation List (CRL). Sensor version 3.3+: required unless `CURL_CRL_CHECK` is disabled.

If you do not make specific network firewall changes to access the Carbon Black Cloud backend applications, the sensors try to connect through existing proxies. See Configure a Proxy.

Note:

Operational environments that implement a man-in-the-middle proxy should note that additional third-party certificate validation URLs can be needed depending on the server certificates that the proxy uses. Additional URLs include anything specified under the "CRL Distribution Points" and "Authority Information Access" extensions of the proxy server SSL certificate. Failing to allow communication to third-party certificate validation URLs on TCP port 80 can lead to communication failures between the sensor and the backend.

The Windows 3.3 and higher sensor relies on Windows to execute a CRL check. This sensor communication certificate verification is recommended but not required. If the sensor fails to validate its own communication certificate, installation will fail unless you set CURL_CRL_CHECK=0 (see Disable CURL CRL CHECK).

Alternatively, you can set CURL_CRL_REVOKE_BEST_EFFORT=1 where the sensor will do a best effort attempt to verify the SSL certificate but will not reject the connection if revocation information cannot be obtained due to firewall or other network restrictions.

If installation fails for this reason and you do not want to disable the CRL check, you can implement one of the following options:

Configure the Winhttp service to use the proxy for Windows CRL checks
Configure the proxy or firewall to allow CRL traffic
Allow port 80 traffic to crl.godaddy.com and ocsp.godaddy.com through the proxy or firewall

Carbon Black Cloud Workload Appliance


Carbon Black Service URL / Hostname	IP Address	Protocol/Port	Description
prod.cwp.carbonblack.io	Dynamic	TCP/443	Appliance logging and updates.
vCenter Server Host	User defined	TCP/443	Communication with the vCenter Server.
Carbon Black Cloud console URL (refer to Console/API URL) For example, https://defense-prod05.conferdeploy.net if you are a Prod05 user	Dynamic	TCP/443	Communication with the Carbon Black Cloud.