Important

Sophos Endpoint Agent for macOS is labeled Early Access, but it’s available to all Taegis users. No invitation or enrollment is required.

Sophos Endpoint Agent Installation Information and Prerequisites🔗

This document provides essential information and prerequisites for installing the Sophos Endpoint Agent. Setting up your firewall or proxy correctly is crucial to ensure the protection and management of your devices.

Domains and Ports Setup🔗

You must configure your firewall or proxy to allow the necessary domains and ports. This setup allows all features to route traffic using the same proxy. Some domains are owned by Sophos, while others are essential for operations such as verifying installations or recognizing certificates.

Note

Apply the configuration steps below only if your firewall blocks outbound traffic by default (default deny). If your environment allows outbound traffic by default, skip these steps.

Recommendations🔗

Avoid Regional Firewall Rules: These rules could override your allow list and prevent Sophos Agent from functioning correctly. For example, blocking non-US regions might hinder services running through European regions due to hosting on Amazon Web Services (AWS), which uses non-static IP addresses. See AWS IP address ranges and Amazon IP addresses.
Use Wildcards: If your firewall or proxy supports wildcards, it can simplify configuration. If not, some features may be unavailable.

Ports🔗

Allow this port: 443 (HTTPS)

Domains🔗

Sophos Central Admin Domains🔗

Allow these Sophos domains:

central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com

If your proxy or firewall supports wildcards, you can use the wildcard *.sophos.com to cover these addresses.

Non-Sophos Addresses🔗

Allow the following non-Sophos addresses:

az416426.vo.msecnd.net
dc.services.visualstudio.com

Sophos Domains🔗

The domains you need to allow depend on whether your firewall or proxy supports wildcards.

With Wildcards🔗

Allow the following wildcards to cover the Sophos domains:

*.sophos.com
*.sophosupd.com
*.sophosupd.net
*.sophosxl.net
*.analysis.sophos.com
*.ctr.sophos.com
*.hydra.sophos.com
*.hitmanpro.com

With Regex Wildcards🔗

Allow the following wildcards to cover the Sophos domains:

^sophos\.com/
^[A-Za-z0-9.-]*\.sophos\.com.?/
^[A-Za-z0-9.-]*\.sophosxl\.com.?/
^[A-Za-z0-9.-]*\.sophosxl\.net.?/
^[A-Za-z0-9.-]*\.sophosupd\.com.?/
^[A-Za-z0-9.-]*\.sophosupd\.net.?/
^[A-Za-z0-9.-]*\.hitmanpro\.com.?/

You may need to allow access to the following Certificate Authority sites if your firewall doesn't already allow them:

^[A-Za-z0-9.-]*\.globalsign\.com.?/
^[A-Za-z0-9.-]*\.globalsign\.net.?/
^[A-Za-z0-9.-]*\.digicert\.com.?/

Without Wildcards🔗

If your proxy or firewall doesn't support wildcards, manually add these exact Sophos domains:

central.sophos.com
cloud-assets.sophos.com
sophos.com
downloads.sophos.com

WindowsLinuxmacOS

On Windows devices, do as follows:

Open SophosCloudInstaller.log. You can find it in C:\ProgramData\Sophos\CloudInstaller\Logs.
Look for the line starting Opening connection to. There will be at least two entries. The first will look like one of these:
- dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
- mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs.stn100yul.ctr.sophos.com
- mcs2.stn100yul.ctr.sophos.com
The second will look like one of these:
- dzr-api-amzn-eu-west-1-9af7.api-upe.p.hmr.sophos.com
- api-cloudstation-us-east-2.prod.hydra.sophos.com
- api.stn100yul.ctr.sophos.com
Add both the domains to your rules.
Add the following addresses:
- t1.sophosupd.com
- sus.sophosupd.com
- sdds3.sophosupd.com
- sdds3.sophosupd.net
- sdu-auto-upload.sophosupd.com
- sdu-feedback.sophos.com
- sophosxl.net
- 4.sophosxl.net
- samples.sophosxl.net
- cloud.sophos.com
- id.sophos.com
- central.sophos.com
- downloads.sophos.com
- alert.hitmanpro.com
- ssp.sophos.com
- sdu-auto-upload.sophosupd.com
- rca-upload-cloudstation-us-west-2.prod.hydra.sophos.com
- rca-upload-cloudstation-us-east-2.prod.hydra.sophos.com
- rca-upload-cloudstation-eu-west-1.prod.hydra.sophos.com
- rca-upload-cloudstation-eu-central-1.prod.hydra.sophos.com
- rca-upload.stn100bom.ctr.sophos.com
- rca-upload.stn100yul.ctr.sophos.com
- rca-upload.stn100hnd.ctr.sophos.com
- rca-upload.stn100gru.ctr.sophos.com
- rca-upload.stn100syd.ctr.sophos.com
Add the domains required for Sophos Management Communication System:
- dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
- dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
- mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
- mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
- mcs-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs-cloudstation-us-west-2.prod.hydra.sophos.com
- mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
- mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
- mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
- mcs.stn100syd.ctr.sophos.com
- mcs.stn100yul.ctr.sophos.com
- mcs.stn100hnd.ctr.sophos.com
- mcs2.stn100syd.ctr.sophos.com
- mcs2.stn100yul.ctr.sophos.com
- mcs2.stn100hnd.ctr.sophos.com
- mcs.stn100gru.ctr.sophos.com
- mcs2.stn100gru.ctr.sophos.com
- mcs.stn100bom.ctr.sophos.com
- mcs2.stn100bom.ctr.sophos.com
- mcs-push-server-eu-west-1.prod.hydra.sophos.com
- mcs-push-server-eu-central-1.prod.hydra.sophos.com
- mcs-push-server-us-west-2.prod.hydra.sophos.com
- mcs-push-server-us-east-2.prod.hydra.sophos.com
- mcs-push-server.stn100yul.ctr.sophos.com
- mcs-push-server.stn100syd.ctr.sophos.com
- mcs-push-server.stn100hnd.ctr.sophos.com
- mcs-push-server.stn100gru.ctr.sophos.com
- mcs-push-server.stn100bom.ctr.sophos.com
Add the domains required for the SophosLabs Intelix service:
- us.analysis.sophos.com
- apac.analysis.sophos.com
- au.analysis.sophos.com
- eu.analysis.sophos.com
- analysis.sophos.com
Add these domains if your license includes XDR or MDR:
- live-terminal-eu-west-1.prod.hydra.sophos.com
- live-terminal-eu-central-1.prod.hydra.sophos.com
- live-terminal-us-west-2.prod.hydra.sophos.com
- live-terminal-us-east-2.prod.hydra.sophos.com
- live-terminal.stn100yul.ctr.sophos.com
- live-terminal.stn100syd.ctr.sophos.com
- live-terminal.stn100hnd.ctr.sophos.com
- live-terminal.stn100gru.ctr.sophos.com
- live-terminal.stn100bom.ctr.sophos.com
You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall:
- ocsp.globalsign.com
- ocsp2.globalsign.com
- crl.globalsign.com
- crl.globalsign.net
- ocsp.digicert.com
- crl3.digicert.com
- crl4.digicert.com

On Linux devices, do as follows:

Find SophosSetup.sh on your device.
Run the following command to start the installer and print the output:
```
sudo bash -x ./SophosSetup.sh
```
Look for the following lines:
- line starting + CLOUD_URL=https://
- line starting + MCS_URL=https://
Add the domains from both lines to your rules.
Add the following addresses:
- t1.sophosupd.com
- sus.sophosupd.com
- sdds3.sophosupd.com
- sdds3.sophosupd.net
- sdu-feedback.sophos.com
- sophosxl.net
- sophosxl.net
- samples.sophosxl.net
- cloud.sophos.com
- id.sophos.com
- central.sophos.com
- downloads.sophos.com
Add the domains required for Sophos Management Communication System:
- dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
- dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
- mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
- mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
- mcs-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs-cloudstation-us-west-2.prod.hydra.sophos.com
- mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
- mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
- mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
- mcs.stn100syd.ctr.sophos.com
- mcs.stn100yul.ctr.sophos.com
- mcs.stn100hnd.ctr.sophos.com
- mcs2.stn100syd.ctr.sophos.com
- mcs2.stn100yul.ctr.sophos.com
- mcs2.stn100hnd.ctr.sophos.com
- mcs.stn100gru.ctr.sophos.com
- mcs2.stn100gru.ctr.sophos.com
- mcs.stn100bom.ctr.sophos.com
- mcs2.stn100bom.ctr.sophos.com
- mcs-push-server-eu-west-1.prod.hydra.sophos.com
- mcs-push-server-eu-central-1.prod.hydra.sophos.com
- mcs-push-server-us-west-2.prod.hydra.sophos.com
- mcs-push-server-us-east-2.prod.hydra.sophos.com
- mcs-push-server.stn100yul.ctr.sophos.com
- mcs-push-server.stn100syd.ctr.sophos.com
- mcs-push-server.stn100hnd.ctr.sophos.com
- mcs-push-server.stn100gru.ctr.sophos.com
- mcs-push-server.stn100bom.ctr.sophos.com
Add the domains required for the SophosLabs Intelix service:
- us.analysis.sophos.com
- apac.analysis.sophos.com
- au.analysis.sophos.com
- eu.analysis.sophos.com
Add these domains if your license includes XDR or MDR:
- live-terminal-eu-west-1.prod.hydra.sophos.com
- live-terminal-eu-central-1.prod.hydra.sophos.com
- live-terminal-us-west-2.prod.hydra.sophos.com
- live-terminal-us-east-2.prod.hydra.sophos.com
- live-terminal.stn100yul.ctr.sophos.com
- live-terminal.stn100syd.ctr.sophos.com
- live-terminal.stn100hnd.ctr.sophos.com
- live-terminal.stn100gru.ctr.sophos.com
- live-terminal.stn100bom.ctr.sophos.com
You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall:
- ocsp.globalsign.com
- ocsp2.globalsign.com
- crl.globalsign.com
- crl.globalsign.net
- ocsp.digicert.com
- crl3.digicert.com
- crl4.digicert.com

On macOS devices, do as follows:

See macOS install prerequisites.
Open SophosCloudConfig.plist. You can find it in the SophosInstall/Sophos Installer Components directory.
Look for the RegistrationServerURL key. The string that follows it contains a URL. Add this domain to your rules.
Add the following addresses:
- t1.sophosupd.com
- sus.sophosupd.com
- sdds3.sophosupd.com
- sdds3.sophosupd.net
- sdu-auto-upload.sophosupd.com
- sdu-feedback.sophos.com
- sophosxl.net
- 4.sophosxl.net
- samples.sophosxl.net
- cloud.sophos.com
- id.sophos.com
- central.sophos.com
- downloads.sophos.com
- amazonaws.com
- ssp.sophos.com
- sdu-auto-upload.sophosupd.com
- rca-upload-cloudstation-us-west-2.prod.hydra.sophos.com
- rca-upload-cloudstation-us-east-2.prod.hydra.sophos.com
- rca-upload-cloudstation-eu-west-1.prod.hydra.sophos.com
- rca-upload-cloudstation-eu-central-1.prod.hydra.sophos.com
- rca-upload.stn100bom.ctr.sophos.com
- rca-upload.stn100yul.ctr.sophos.com
- rca-upload.stn100hnd.ctr.sophos.com
- rca-upload.stn100gru.ctr.sophos.com
- rca-upload.stn100syd.ctr.sophos.com
Add the domains required for Sophos Management Communication System:
- dzr-mcs-amzn-eu-west-1-9af7.upe.p.hmr.sophos.com
- dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com
- mcs-cloudstation-eu-central-1.prod.hydra.sophos.com
- mcs-cloudstation-eu-west-1.prod.hydra.sophos.com
- mcs-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs-cloudstation-us-west-2.prod.hydra.sophos.com
- mcs2-cloudstation-eu-west-1.prod.hydra.sophos.com
- mcs2-cloudstation-eu-central-1.prod.hydra.sophos.com
- mcs2-cloudstation-us-east-2.prod.hydra.sophos.com
- mcs2-cloudstation-us-west-2.prod.hydra.sophos.com
- mcs.stn100syd.ctr.sophos.com
- mcs.stn100yul.ctr.sophos.com
- mcs.stn100hnd.ctr.sophos.com
- mcs2.stn100syd.ctr.sophos.com
- mcs2.stn100yul.ctr.sophos.com
- mcs2.stn100hnd.ctr.sophos.com
- mcs.stn100gru.ctr.sophos.com
- mcs2.stn100gru.ctr.sophos.com
- mcs.stn100bom.ctr.sophos.com
- mcs2.stn100bom.ctr.sophos.com
Add the domains required for the SophosLabs Intelix service:
- us.analysis.sophos.com
- apac.analysis.sophos.com
- au.analysis.sophos.com
- eu.analysis.sophos.com
You may need to allow access to the following Certificate Authority sites if they aren't allowed by your firewall:
- ocsp.globalsign.com
- ocsp2.globalsign.com
- crl.globalsign.com
- crl.globalsign.net
- ocsp.digicert.com
- crl3.digicert.com
- crl4.digicert.com

Domains for TLS Inspection🔗

If you're using TLS inspection or have a firewall that uses application filtering, add these domains:

prod.endpointintel.darkbytes.io
kinesis.us-west-2.amazonaws.com

Checking DNS and Connectivity🔗

Use the commands below to confirm domain exclusions or test their effectiveness.

WindowsLinuxmacOS

To check your DNS, open PowerShell and enter:

Resolve-DnsName -Name prod.endpointintel.darkbytes.io
Resolve-DnsName -Name kinesis.us-west-2.amazonaws.com

You should see a DNS response message from each domain.

To check your connectivity, enter:

Invoke-WebRequest -uri https://prod.endpointintel.darkbytes.io

You should see the response: {message: "running..."}.

To check your DNS, enter:

host prod.endpointintel.darkbytes.io
host kinesis.us-west-2.amazonaws.com

You should see a DNS response message from each domain.

To check your connectivity, enter:

curl -v https://prod.endpointintel.darkbytes.io/

You should see the response: {message: "running..."}.

To check your DNS, enter:

dig +short prod.endpointintel.darkbytes.io
dig +short kinesis.us-west-2.amazonaws.com

You should see a DNS response message from each domain.

To check your connectivity, enter:

curl -v https://prod.endpointintel.darkbytes.io/

You should see the response: {message: "running..."}.

Proxy Configuration🔗

You can configure Sophos Agent to connect to Sophos Central or download Sophos updates through a proxy server. This section explains how to configure proxy settings in Sophos Central.

If you prefer, you can configure the proxy settings directly on each device. For details, see Configure Devices to Use Proxy Server Settings.

Configure the Proxy🔗

These steps enable both computers and servers to use the proxy server.

Select My Products → General Settings → Proxy Configuration.
On the Proxy Configuration page, turn on Proxy Configuration.
Enter the proxy settings:
- Hostname. For example, proxy.example.net.
- Port. For example, 8080.
- Username and Password for the proxy.
Select Save.

Note

For security reasons, we can't recover the password. When you select Save, you may overwrite an existing password.

How Devices Connect🔗

Sophos Agent devices connect to the internet using the first working configuration they find. Devices attempt to connect in the following order:

Use a Sophos Central Message Relay.
Use the proxy configuration detailed here.
Use the default system proxy.
Use an automatically discovered proxy (WPAD).
Connect without using a proxy.

Managing Endpoint Software🔗

You can manage your Sophos Agent installation directly from Sophos Central. This feature enables you to easily upgrade from Sophos Agent Detection Only to Sophos Endpoint Agent to add advanced preventative controls when needed. If necessary, you can also downgrade from Sophos Endpoint Agent to Sophos Agent Detection Only.

You can apply these actions to both computers and servers.

ComputersServers

Go to My Products → Endpoint → Computers.
Use the checkboxes to select individual computers, or use the select-all checkbox to manage all computers.
Click Manage Endpoint Software to open the configuration modal.

In the modal, use Agent Mode to switch the selected agents to a different software mode or to remotely uninstall the agent.

You can also use the Encryption option to enforce encryption on the selected endpoint(s).

Go to My Products → Endpoint → Servers.
Use the checkboxes to select individual servers, or use the select-all checkbox to manage all servers.
Click Manage Endpoint Software to open the configuration modal.

In the modal, use Agent Mode to switch the selected agents to a different software mode or to remotely uninstall the agent.

Note

The Encryption option is not available for servers.