A sensor can connect to the backend in a firewall-protected network in several ways.

URLs are used for the following purposes:

  • Console/API — Console access and API requests
  • Sensor — Communication between the sensor and the console/backend
  • UBS download — Downloading Unified Binary Store (UBS) binaries and metadata
  • Content management — Allowing the Carbon Black sensor to receive instructions (manifests) that configure a wide variety of the Carbon Black Cloud features and their underlying rules. Without the first manifest update, some features, including the following, might not be available.
    • Carbon Black Cloud Enterprise EDR event collection
    • Carbon Black XDR event collection
    • Device control
    • Host-based firewall
    • Unified Binary Store (UBS)
    • A large percent of Carbon Black Cloud Endpoint Standard blocking capabilities

    When the initial manifest download completes, an access to content.carbonblack.io is required to receive configuration changes done by using the Carbon Black Cloud console (in the Enforce > Policies page) and to receive the most up-to-date rule sets.

  • Signature — Updating signature packs
  • Third-party certificate validation — Verifying sensor comm certificates
  • Live Response Uploads - Used when performing the "get" command from Live Response

Configure the firewall to allow incoming and outgoing TCP/443 (default) and TCP/54443 (backup) connections to the following environment specific URLs:

Table 1. Environment-specific URLs
Environment/AWS Region Console/API URL Sensor URL UBS download URL
UK Pop https://ew2.carbonblackcloud.vmware.com/ https://ew2-device.carbonblackcloud.vmware.com/ https://prd1ew2-ubs-binary-store-ubs-binary-store.s3.eu-west-2.amazonaws.com

Additionally, all environments use the following URLs:

Table 2. All environments
Category URL Protocol/Port Notes
Content Management URL https://content.carbonblack.io TCP/443
Signature URL http://updates2.cdc.carbonblack.io/update2 TCP/80 Windows sensor versions prior to 3.3
Signature URL https://updates2.cdc.carbonblack.io/update2 TCP/443 Windows sensor versions 3.3+
Third-party certificate validation URL

http://ocsp.digicert.com

TCP/80 Online Certificate Status Protocol (OCSP). Sensor version 3.3+: required unless CURL_CRL_CHECK is disabled.
Third-party certificate validation URL

http://crl3.digicert.com

http://crl4.digicert.com

TCP/80 Certificate Revocation List (CRL). Sensor version 3.3+: required unless CURL_CRL_CHECK is disabled.

If you do not make specific network firewall changes to access the Carbon Black Cloud backend applications, the sensors try to connect through existing proxies. See Configure a Proxy.

Note:

Operational environments that implement a man-in-the-middle proxy should note that additional third-party certificate validation URLs can be needed depending on the server certificates that the proxy uses. Additional URLs include anything specified under the "CRL Distribution Points" and "Authority Information Access" extensions of the proxy server SSL certificate. Failing to allow communication to third-party certificate validation URLs on TCP port 80 can lead to communication failures between the sensor and the backend.

The Windows 3.3 and higher sensor relies on Windows to execute a CRL check. This sensor communication certificate verification is recommended but not required. If the sensor fails to validate its own communication certificate, installation will fail unless you set CURL_CRL_CHECK=0 (see Disable CURL CRL CHECK).

Alternatively, you can set CURL_CRL_REVOKE_BEST_EFFORT=1 where the sensor will do a best effort attempt to verify the SSL certificate but will not reject the connection if revocation information cannot be obtained due to firewall or other network restrictions.

If installation fails for this reason and you do not want to disable the CRL check, you can implement one of the following options:
  • Configure the Winhttp service to use the proxy for Windows CRL checks
  • Configure the proxy or firewall to allow CRL traffic
  • Allow port 80 traffic to crl.godaddy.com and ocsp.godaddy.com through the proxy or firewall

Carbon Black Cloud Workload Appliance

Carbon Black Service URL / Hostname IP Address Protocol/Port Description
prod.cwp.carbonblack.io Dynamic TCP/443 Appliance logging and updates.
vCenter Server Host User defined TCP/443 Communication with the vCenter Server .
Carbon Black Cloud console URL (refer to Console/API URL)

For example, https://defense-prod05.conferdeploy.net if you are a Prod05 user

Dynamic TCP/443 Communication with the Carbon Black Cloud.