A sensor can connect to the backend in a firewall-protected network in several ways.
URLs are used for the following purposes:
- Console/API — Console access and API requests
- Sensor — Communication between the sensor and the console/backend
- UBS download — Downloading Unified Binary Store (UBS) binaries and metadata
- Content management — Allowing the Carbon Black sensor to receive instructions (manifests) that configure a wide variety of the Carbon Black Cloud features and their underlying rules. Without the first manifest update, some features, including the following, might not be available.
- Carbon Black Cloud Enterprise EDR event collection
- Carbon Black XDR event collection
- Device control
- Host-based firewall
- Unified Binary Store (UBS)
- A large percent of Carbon Black Cloud Endpoint Standard blocking capabilities
When the initial manifest download completes, an access to content.carbonblack.io is required to receive configuration changes done by using the Carbon Black Cloud console (in the page) and to receive the most up-to-date rule sets.
- Signature — Updating signature packs
- Third-party certificate validation — Verifying sensor comm certificates
- Live Response Uploads - Used when performing the "get" command from Live Response
Configure the firewall to allow incoming and outgoing TCP/443 (default) and TCP/54443 (backup) connections to the following environment specific URLs:
Environment/AWS Region | Console/API URL | Sensor URL | UBS download URL |
---|---|---|---|
UK Pop | https://ew2.carbonblackcloud.vmware.com/ | https://ew2-device.carbonblackcloud.vmware.com/ | https://prd1ew2-ubs-binary-store-ubs-binary-store.s3.eu-west-2.amazonaws.com |
Additionally, all environments use the following URLs:
Category | URL | Protocol/Port | Notes |
---|---|---|---|
Content Management URL | https://content.carbonblack.io | TCP/443 | |
Signature URL | http://updates2.cdc.carbonblack.io/update2 | TCP/80 | Windows sensor versions prior to 3.3 |
Signature URL | https://updates2.cdc.carbonblack.io/update2 | TCP/443 | Windows sensor versions 3.3+ |
Third-party certificate validation URL | http://ocsp.digicert.com |
TCP/80 | Online Certificate Status Protocol (OCSP). Sensor version 3.3+: required unless CURL_CRL_CHECK is disabled. |
Third-party certificate validation URL | http://crl3.digicert.com http://crl4.digicert.com |
TCP/80 | Certificate Revocation List (CRL). Sensor version 3.3+: required unless CURL_CRL_CHECK is disabled. |
If you do not make specific network firewall changes to access the Carbon Black Cloud backend applications, the sensors try to connect through existing proxies. See Configure a Proxy.
Operational environments that implement a man-in-the-middle proxy should note that additional third-party certificate validation URLs can be needed depending on the server certificates that the proxy uses. Additional URLs include anything specified under the "CRL Distribution Points" and "Authority Information Access" extensions of the proxy server SSL certificate. Failing to allow communication to third-party certificate validation URLs on TCP port 80 can lead to communication failures between the sensor and the backend.
The Windows 3.3 and higher sensor relies on Windows to execute a CRL check. This sensor communication certificate verification is recommended but not required. If the sensor fails to validate its own communication certificate, installation will fail unless you setCURL_CRL_CHECK=0
(see
Disable CURL CRL CHECK).
Alternatively, you can set CURL_CRL_REVOKE_BEST_EFFORT=1
where the sensor will do a best effort attempt to verify the SSL certificate but will not reject the connection if revocation information cannot be obtained due to firewall or other network restrictions.
- Configure the Winhttp service to use the proxy for Windows CRL checks
- Configure the proxy or firewall to allow CRL traffic
- Allow port 80 traffic to crl.godaddy.com and ocsp.godaddy.com through the proxy or firewall
Carbon Black Cloud Workload Appliance
Carbon Black Service URL / Hostname | IP Address | Protocol/Port | Description |
---|---|---|---|
prod.cwp.carbonblack.io | Dynamic | TCP/443 | Appliance logging and updates. |
vCenter Server Host | User defined | TCP/443 | Communication with the vCenter Server . |
Carbon Black Cloud console URL (refer to Console/API URL) For example, https://defense-prod05.conferdeploy.net if you are a Prod05 user |
Dynamic | TCP/443 | Communication with the Carbon Black Cloud. |