Due to security concerns, some organizations may rely on a safelisting approach to Internet communications. As Apex One as a Service relies on Internet communication for command and control management, the DNS Name/IPs used by Apex One as a Service may need to be approved to allow this communication.
Trend Micro recommends configuring your firewall's outbound filter rules to allow the following Apex One as a Service DNS names, IPs, and URLs.
- URLs with http use port 80, as is standard.
- URLs with https use port 443, as is standard.
- For all other entries (bare hostnames), both port 80 and port 443 should be allowed.
Additionally, hostnames are not region-specific but depend on the localized version of the product. This means that -en is for the English version, -es is for the Spanish (Espanol) version, -jp for the Japanese version, etc.
These hostnames all point to global CDNs, so they should always route to a nearby regional server.
Regardless of whether the servers are approved by DNS or IP, the following ports are used.
- Apex One: TCP 443
Apex One (Mac):
- For Agent Version 3.5.3.x and later: TCP 443
- For Agent Version 3.5.2.x: TCP 8443
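The port conventions above (http means 80, https means 443, a bare hostname means both, and the Mac agent port depends on the agent version) are easy to get wrong when a long list is transcribed into firewall rules by hand. The following script is an added example, not Trend Micro's code or tooling: it turns safelist entries into per-host port sets and renders them as iptables lines. The entries are copied from the URL lists on this page; the iptables rendering is an assumed target and any firewall could be substituted.

```python
from urllib.parse import urlsplit

# Port convention stated in the article: an explicit http URL means TCP 80,
# an explicit https URL means TCP 443, and a bare hostname means both.
SCHEME_PORTS = {"http": (80,), "https": (443,)}

# Entries copied from the article's URL lists (constructed input for this example).
SAFELIST_ENTRIES = [
    "https://osce14-p.activeupdate.trendmicro.com/activeupdate",
    "https://osce14.icrc.trendmicro.com/tmcss",
    "https://licenseupdate.trendmicro.com/ollu/license_update.aspx",
    "https://licenseupdate.trendmicro.com/fb/bifconnect.ashx",
    "xdr-nabu-prod.etdl.trendmicro.com",
    "xdr2-nabu-prod-ap.etdl.trendmicro.com:443",
]


def outbound_rule(entry):
    """Map one safelist entry to (hostname, ports).

    Accepts a full URL, a bare hostname, or host:port as written on the page.
    """
    entry = entry.strip()
    if "://" in entry:
        parts = urlsplit(entry)
        if parts.scheme not in SCHEME_PORTS:
            raise ValueError(f"unsupported scheme in {entry!r}")
        # An explicit port in the URL wins; otherwise fall back to the scheme default.
        ports = (parts.port,) if parts.port else SCHEME_PORTS[parts.scheme]
        return parts.hostname, ports
    host, _, port = entry.partition(":")
    return host, ((int(port),) if port else (80, 443))


def build_rules(entries):
    """Collapse entries into {hostname: sorted list of TCP ports}, so two URLs
    on the same host (the two licenseupdate paths) become one rule."""
    rules = {}
    for entry in entries:
        host, ports = outbound_rule(entry)
        rules.setdefault(host, set()).update(ports)
    return {host: sorted(ports) for host, ports in sorted(rules.items())}


def mac_agent_port(agent_version):
    """Apex One (Mac) agent port by version: 3.5.2.x uses TCP 8443,
    3.5.3.x and later use TCP 443. Older versions are not covered by the article."""
    parts = tuple(int(x) for x in agent_version.split("."))
    if parts[:3] == (3, 5, 2):
        return 8443
    if parts[:3] >= (3, 5, 3):
        return 443
    raise ValueError(f"no documented port for agent version {agent_version}")


def render_iptables(rules):
    """Render rules as iptables OUTPUT lines (hypothetical target firewall)."""
    lines = []
    for host, ports in rules.items():
        for port in ports:
            lines.append(f"iptables -A OUTPUT -p tcp -d {host} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    for line in render_iptables(build_rules(SAFELIST_ENTRIES)):
        print(line)
    print("Mac agent 3.5.2.1000 ->", mac_agent_port("3.5.2.1000"))
```

One caveat on the rendered output: iptables resolves a hostname given to `-d` once, when the rule is loaded, and stores the resulting addresses. The dynamic behaviour this article describes for DNS-based approval only holds on a firewall that supports FQDN objects and re-resolves them; on iptables the rules must be reloaded whenever the name's addresses change.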
The recommended method of safelisting is by DNS name. Apex One as a Service resides on Microsoft's Azure Cloud infrastructure, so there is no fixed IP address or set of IP addresses that the Apex One as a Service server operates on. Approving the DNS name means a large number of IP subnets do not need to be approved individually, because the firewall allows whichever IP address the name currently resolves to.
The first DNS name to approve is the management console address. This can be found in the address bar when logging into Apex One as a Service.
Two other required names are the Apex One server’s DNS Name and the Apex One (Mac) DNS Name.
To find the Apex One as a Service name:
- Log into the Apex One as a Service (Apex Central) web console.
- Click Directories.
- Click Product Servers.
- Verify that the Product is Apex One.
Apex One (Mac)
To find the Apex One (Mac) as a Service name:
Apex One as a Service resides in Microsoft's Azure Cloud infrastructure. As such, there is no fixed IP address or set of IP addresses that the Apex One as a Service server operates on.
Currently, Apex One as a Service resides in several regions of the Azure Cloud. Microsoft publishes a list of its datacenter IP ranges in JSON format that can be used for safelisting.
From this page, you can download the current Microsoft-provided public IP list. Customers only need to import the entries with the following region names from the IP range file:
- "name": "AzureCloud.australiaeast"
- "name": "AzureCloud.centralus"
- "name": "AzureCloud.westeurope"
- "name": "AzureCloud.southeastasia"
- "name": "AzureCloud.japaneast"
- "name": "AzureCloud.canadacentral"
- "name": "AzureCloud.centralindia"
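Importing "only the listed regions" from Microsoft's JSON file is a filtering step that is worth automating, because the file is large, is republished regularly, and also contains per-service tags (for example Storage.centralus) that share a region name with the AzureCloud.* tags but are not what this article asks for. The script below is an added example, not Trend Micro's or Microsoft's code: it selects exactly the seven AzureCloud.* tags named above from a document in the layout of Microsoft's service-tag JSON (a `values` array whose items carry `name` and `properties.addressPrefixes`), collapses overlapping prefixes, reports any listed region that is absent from the file, and checks whether a given address falls inside the result. The embedded sample JSON is constructed and uses documentation address ranges, not real Azure prefixes.

```python
import ipaddress
import json

# The seven region service tags this article says to import.
APEX_ONE_REGIONS = {
    "AzureCloud.australiaeast",
    "AzureCloud.centralus",
    "AzureCloud.westeurope",
    "AzureCloud.southeastasia",
    "AzureCloud.japaneast",
    "AzureCloud.canadacentral",
    "AzureCloud.centralindia",
}

# Constructed sample in the layout of Microsoft's service-tag JSON. The prefixes
# are RFC 5737 / RFC 3849 documentation ranges, not real Azure addresses.
SAMPLE_SERVICE_TAGS = json.dumps({
    "changeNumber": 1,
    "cloud": "Public",
    "values": [
        {"name": "AzureCloud.centralus",
         "properties": {"region": "centralus", "platform": "Azure",
                        "addressPrefixes": ["203.0.113.0/25", "203.0.113.0/24",
                                            "2001:db8:1::/48"]}},
        {"name": "AzureCloud.westeurope",
         "properties": {"region": "westeurope", "platform": "Azure",
                        "addressPrefixes": ["198.51.100.0/24"]}},
        # A region the article does not list: must be skipped.
        {"name": "AzureCloud.eastus",
         "properties": {"region": "eastus", "platform": "Azure",
                        "addressPrefixes": ["192.0.2.0/24"]}},
        # A per-service tag in a listed region: also skipped (not AzureCloud.*).
        {"name": "Storage.centralus",
         "properties": {"region": "centralus", "platform": "Azure",
                        "addressPrefixes": ["203.0.113.64/26"]}},
    ],
})


def extract_prefixes(service_tags_json, wanted=APEX_ONE_REGIONS, ipv6=True):
    """Return (collapsed prefixes for the wanted tags, wanted tags not found).

    Prefixes are collapsed per address family so that a /25 already covered by a
    /24 does not produce a redundant firewall entry.
    """
    doc = json.loads(service_tags_json)
    found = set()
    nets = []
    for tag in doc["values"]:
        if tag["name"] not in wanted:
            continue
        found.add(tag["name"])
        for prefix in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.version == 6 and not ipv6:
                continue
            nets.append(net)
    # collapse_addresses only accepts one address family at a time.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in (*v4, *v6)], sorted(wanted - found)


def covers(prefixes, ip):
    """True if ip falls inside any of the extracted prefixes, e.g. to verify that
    the address a console hostname currently resolves to is in the imported set."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


if __name__ == "__main__":
    prefixes, missing = extract_prefixes(SAMPLE_SERVICE_TAGS)
    print("\n".join(prefixes))
    if missing:
        print("regions absent from this file:", ", ".join(missing))
```

Because the file is republished with a new `changeNumber` as Azure ranges change, the extraction should be re-run on each release and the firewall object replaced, not appended to; the `missing` list is the signal that a region tag was renamed or dropped and the import is no longer complete.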
The following URLs will also need to be available for the agents:
- The following services use a CDN (Content Delivery Network) for caching, so no static IPs can be provided.
- Some URLs are accessed depending on which product localization is used. If you are using the English version, only the "*-en" URLs need to be approved.
Apex One as a Service with XDR
If the customer's Apex One SaaS is integrated with Trend Micro XDR, the following addresses should be allowed so that agents can upload activity data to the data lake:
Data Center Location and URL:
- North America: xdr2-nabu-prod-ap.etdl.trendmicro.com:443
- Singapore: xdr2-sg-prod-ap.etdl.trendmicro.com:443
- Australia: xdr2-au-prod-ap.etdl.trendmicro.com:443
- India: xlogr-as1.xdr.trendmicro.com
- Apex One Telemetry
- ActiveUpdate - https://osce14-p.activeupdate.trendmicro.com/activeupdate
- Global Smart Scan Server - https://osce14.icrc.trendmicro.com/tmcss
- License Server - https://licenseupdate.trendmicro.com/ollu/license_update.aspx
- Host Data Lake - xdr-nabu-prod.etdl.trendmicro.com
- PR Feedback Server - https://licenseupdate.trendmicro.com/fb/bifconnect.ashx
- Web Rating Server
- Smart Feedback
- NFC Server
- Census server
- Census server (Backup)
- Predictive Machine Learning (File)
- Predictive Machine Learning (Behavior)
- Predictive Machine Learning (Co-Exist Mode)
The following URLs are backend services related to Trend Micro Vision One to which Apex One agents would connect: