This article lists the different addresses and ports of the services used by Trend Micro XDR that should have the "Allow" rule on firewall.
The following list contains the addresses and ports that should be allowed through the firewall:
For customers who have never had a Full/Trial iES license or EDR license can get complimentary XDR licenses for 10% of the licensed seats.
The following common URLs will need to be available for the server and agents:
For customers who have Apex One as a Service, Cloud App Security, Cloud One - Workload Security, Deep Discovery Director with corresponded paid XDR Add-on.
Apex One Apex One as a Service
If customer's Apex One SaaS is integrated with Trend Micro XDR, the following address should be allowed for agents uploading activity data up to datalake:
As for accessing the Apex One SaaS manage portal, and the communication between server and agent, refer to KB 1119967.
Cloud App Security
If customer integrates Cloud App Security with Trend Micro XDR, no additional URL need to be allowed.
As for access the Cloud App Security's manage portal, the following URL should be available to customer:
CloudOne Workload Security
If customer integrates with Trend Micro XDR with Cloud One - Workload Security, the agent basically utilizes the existing connection to the manager.
For URLs that should be allowed between agent and manager or backend services, refer to the Workload Security URLs section in the Cloudone Documentation page.
If customer integrates with Trend Micro XDR with Deep Discovery Director On-Prem, the extra addresses should be allowed are the following:
If customer integrates with Trend Micro XDR with Deep Discovery Director Cloud, the extra addresses should be allowed are the following:
For more details, refer to the KB article: URLs to be allowed through the firewall of Deep Discovery Inspector (DDI) 5.6 Service Pack 1 (SP1).