Due to security concerns, some organizations rely on a safelisting approach to Internet communication. Because Apex One as a Service depends on Internet connectivity for command and control management, the DNS names, IP addresses, and URLs it uses may need to be approved before this communication can succeed.
Trend Micro recommends configuring your firewall's outbound filter rule to allow the following Apex One as a Service DNS names, IPs, and URLs.
- URLs that use https are served on TCP port 443, as is standard, so outbound port 443 must be allowed.
Additionally, hostnames are not based on region but on the language version of the product: -en is for the English version, -es for the Spanish (Español) version, -jp for the Japanese version, and so on.
These hostnames all point to global CDNs, so they should always route to a nearby regional server.
Regardless of whether the servers are approved by DNS name or by IP address, the following ports are used:
- Apex One: TCP 443
- Apex One (Mac):
  - Agent version 3.5.3.x and later: TCP 443
  - Agent version 3.5.2.x: TCP 8443
The recommended method of safelisting is by DNS name. Apex One as a Service runs on Microsoft's Azure cloud infrastructure, so there is no fixed IP address or set of IP addresses that the Apex One as a Service servers operate from. Approving the DNS name avoids having to approve a large number of IP subnets, because the firewall resolves the name and approves the current IP dynamically. This requires a firewall that supports FQDN-based (hostname) rules rather than only static IP rules.
The first DNS name is the hostname of the management console login. It appears in the browser address bar when you log into Apex One as a Service.
Two other required names are the Apex One server's DNS name and the Apex One (Mac) server's DNS name.
To find the Apex One as a Service name:
- Log into the Apex One as a Service (Apex Central) web console.
- Click Directories.
- Click Product Servers.
- Verify that the Product is Apex One.
Apex One (Mac)
To find the Apex One (Mac) as a Service name:
If you must safelist by IP address instead: Apex One as a Service resides in Microsoft's Azure cloud infrastructure, so there is no fixed set of IPs that the Apex One as a Service servers operate from.
Apex One as a Service currently resides in several regions of the Azure cloud. Microsoft publishes the IP ranges of its Azure datacenters as a JSON download that can be used for safelisting.
From that page, download the current Microsoft-provided public IP list. Only the entries with the following "name" values in the IP range file need to be imported. Microsoft updates this file regularly, so the imported ranges must be refreshed to stay current:
- "name": "AzureCloud.australiaeast"
- "name": "AzureCloud.centralus"
- "name": "AzureCloud.westeurope"
- "name": "AzureCloud.southeastasia"
- “name”: "AzureCloud.japaneast"
- “name”: "AzureCloud.canadacentral"
- “name”: "AzureCloud.centralindia"
The following URLs also need to be reachable by the agents:
- These services are fronted by a CDN (Content Delivery Network) cache, so no static IPs can be provided.
- Some URLs depend on the product localization in use. If you are using the English version, only the *-en URLs need to be approved.
Apex One as a Service with Trend Micro Vision One
For customers integrating Apex One as a Service with Trend Micro Vision One add-on services, the following common URLs need to be allowed for the server and agents:
In addition, the following address must be allowed for agents uploading activity data to the data lake. Note that it uses TCP port 8080, which the port 443 rule above does not cover:
- Data Center Location: North America
  URL: xdr2-nabu-prod-prorca.etdl.trendmicro.com:8080
- Apex One Telemetry
- ActiveUpdate - https://osce14-p.activeupdate.trendmicro.com/activeupdate
- Global Smart Scan Server - https://osce14.icrc.trendmicro.com/tmcss
- License Server - https://licenseupdate.trendmicro.com/ollu/license_update.aspx
- PR Feedback Server - https://licenseupdate.trendmicro.com/fb/bifconnect.ashx
- Web Rating Server
- Smart Feedback
- NFC Server
- Census server
- Census server (Backup)
- Predictive Machine Learning (File)
- Predictive Machine Learning (Behavior)
- Predictive Machine Learning (Co-Exist Mode)