A sensor can connect to the backend in a firewall-protected network in several ways.

URLs are used for the following purposes:

  • Console/API — Console access and API requests
  • Sensor — Communication between the sensor and the console/backend
  • UBS download — Downloading Unified Binary Store (UBS) binaries and metadata
  • Content management — UBS and dynamic rules engine updates
  • Signature — Updating signature packs
  • Third-party certificate validation — Verifying sensor comm certificates
  • Live Response Uploads - Used when performing the "get" command from Live Response

Configure the firewall to allow incoming and outgoing TCP/443 (default) and TCP/54443 (backup) connections to the following environment specific URLs:

Table 1. Environment-specific URLs
Environment/AWS Region Console/API Sensor UBS download Live Response Uploads

Prod01 (US-East-1)



https://cdc-file-storage-staging-us-east-1.s3.amazonaws.com https://defense-cblr-file-uploads-us-east-1.s3.amazonaws.com

Prod02 (US-East-1)


https://dev5.conferdeploy.net https://cdc-file-storage-staging-us-east-1.s3.amazonaws.com https://defense-cblr-file-uploads-us-east-1.s3.amazonaws.com

Prod05 (US-East-1)



https://cdc-file-storage-staging-us-east-1.s3.amazonaws.com https://defense-cblr-file-uploads-us-east-1.s3.amazonaws.com

Prod06 (EU-Central-1)



https://cdc-file-storage-staging-eu-central-1.s3.amazonaws.com https://defense-cblr-file-uploads-eu-central-1.s3.eu-central-1.amazonaws.com

ProdNRT (AP-Northwest-1)



https://cdc-file-storage-staging-ap-northeast-1.s3.amazonaws.com> https://defense-cblr-file-uploads-ap-northeast-1.s3.ap-northeast-1.amazonaws.com
ProdSYD (AP-Southwest-2) https://defense-prodsyd.conferdeploy.net/ https://dev-prodsyd.conferdeploy.net/ https://cdc-file-storage-staging-ap-southeast-2.s3.amazonaws.com https://defense-cblr-file-uploads-ap-southeast-2.s3.ap-southeast-2.amazonaws.com

Additionally, all environments use the following URLs:

Table 2. All environments
Category URL Protocol/Port Notes
Content Management URL https://content.carbonblack.io TCP/443
Signature URL http://updates2.cdc.carbonblack.io/update2 TCP/80 Windows sensor versions prior to 3.3
Signature URL https://updates2.cdc.carbonblack.io/update2 TCP/443 Windows sensor versions 3.3+
Third-party certificate validation URL http://ocsp.godaddy.com TCP/80 Online Certificate Status Protocol (OCSP). Sensor version 3.3+: required unless CURL_CRL_CHECK is disabled.
Third-party certificate validation URL http://crl.godaddy.com TCP/80 Certificate Revocation List (CRL). Sensor version 3.3+: required unless CURL_CRL_CHECK is disabled.

If you do not make specific network firewall changes to access the Carbon Black Cloud backend applications, the sensors try to connect through existing proxies. See Configure a Proxy.


Operational environments that implement a man-in-the-middle proxy should note that additional third-party certificate validation URLs can be needed depending on the server certificates that the proxy uses. Additional URLs include anything specified under the "CRL Distribution Points" and "Authority Information Access" extensions of the proxy server SSL certificate. Failing to allow communication to third-party certificate validation URLs on TCP port 80 can lead to communication failures between the sensor and the backend.

The Windows 3.3 and higher sensor relies on Windows to execute a CRL check. This sensor communication certificate verification is recommended but not required. If the sensor fails to validate its own communication certificate, installation will fail unless you set CURL_CRL_CHECK=0 (see Disable CURL CRL CHECK).

If installation fails for this reason and you do not want to disable the CRL check, you can implement one of the following options:
  • Configure the Winhttp service to use the proxy for Windows CRL checks
  • Configure the proxy or firewall to allow CRL traffic
  • Allow port 80 traffic to crl.godaddy.com and ocsp.godaddy.com through the proxy or firewall

Carbon Black Cloud Workload Appliance

Carbon Black Service URL / Hostname IP Address Protocol/Port Description
prod.cwp.carbonblack.io Dynamic TCP/443 Appliance logging and updates.
vCenter Server Host User defined TCP/443 Communication with the vCenter Server .
Carbon Black Cloud console URL (refer to Console/API URL)

For example, https://defense-prod05.conferdeploy.net if you are a Prod05 user

Dynamic TCP/443 Communication with the Carbon Black Cloud.