Introduction
This document describes important firewall changes that apply to the Umbrella roaming client.
Background Information
Update: All Umbrella roaming clients have been transitioned over to the new sync destination sync.hydra.opendns.com via an HTTP redirect from the api.opendns.com endpoint. In the new year, clients transition to sync with sync.hydra.opendns.com directly; however, since all clients already sync to this host, no impact is expected as a result.
As part of an upgrade to the underlying sync capabilities for roaming clients, a new domain has been created for the Umbrella roaming client to sync with Umbrella. This change enables faster sync responses and more up-to-date roaming client statuses in the dashboard. Action is required to ensure this domain is permitted in your firewall.
Firewall Changes
The change is: allow TCP 443 to sync.hydra.opendns.com (bidirectionally)
sync.hydra.opendns.com can resolve to several IP addresses, all within the 146.112.63.0/24 IP range. We recommend adding this entire range because the IP addresses for sync.hydra.opendns.com are Anycast and can change. Currently, the 4 IP addresses this domain resolves to are: 146.112.63.3 to 146.112.63.9 and 146.112.63.11 to 146.112.63.13.
Failure to make this change results in the roaming client being unable to sync and possibly losing the list of internal domains that it obtains from the dashboard.
If you utilize an HTTP proxy that is configured at the user level (normally using GPO), you need to make sure the "SYSTEM" user is also configured to use the proxy.
All of these rules are required in your firewall for the roaming client to sync successfully with the API:
| Port | Protocol | Destination |
|------|----------|-------------|
| 80 | TCP | ocsp.digicert.com and crl4.digicert.com |
| 443 | TCP | 67.215.92.201, 67.215.92.210, sync.hydra.opendns.com, ocsp.digicert.com and crl4.digicert.com |
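The following is an added example, not part of the original Cisco document: a Python check that audits an exported list of egress allow rules against the table above and flags rules that pin single addresses inside 146.112.63.0/24 instead of allowing the whole range. The `(port, protocol, destination)` rule format, the function names and the sample rules are assumptions constructed for illustration.

```python
import ipaddress

# Required TCP egress rules, copied from the table on this page.
REQUIRED = [(80, "ocsp.digicert.com"), (80, "crl4.digicert.com"),
            (443, "67.215.92.201"), (443, "67.215.92.210"),
            (443, "sync.hydra.opendns.com"),
            (443, "ocsp.digicert.com"), (443, "crl4.digicert.com")]
SYNC_HOST = "sync.hydra.opendns.com"
# Range the page recommends allowing in full, because the addresses are Anycast.
SYNC_RANGE = ipaddress.IPv4Network("146.112.63.0/24")

def as_network(dest):
    """Return dest as an IPv4 network, or None for hostnames (and non-IPv4)."""
    try:
        return ipaddress.IPv4Network(dest, strict=False)
    except ValueError:
        return None

def covers(rule_dest, required_dest):
    """True if one allow-rule destination fully satisfies one requirement."""
    if rule_dest.lower() == required_dest.lower():
        return True
    rule_net, req_net = as_network(rule_dest), as_network(required_dest)
    if rule_net is None:
        return False
    if req_net is not None:  # required IP sits inside an allowed CIDR
        return req_net.subnet_of(rule_net)
    # An IP-based rule satisfies the sync host only if it spans the whole /24.
    return required_dest == SYNC_HOST and SYNC_RANGE.subnet_of(rule_net)

def audit(rules):
    """rules: (port, protocol, destination) tuples -> (missing, pinned)."""
    tcp = [(p, d) for p, proto, d in rules if proto.upper() == "TCP"]
    missing = [(port, dest) for port, dest in REQUIRED
               if not any(p == port and covers(d, dest) for p, d in tcp)]
    # Single addresses inside the sync range stop matching when Anycast moves.
    pinned = [d for p, d in tcp if p == 443 and (n := as_network(d)) is not None
              and n.subnet_of(SYNC_RANGE) and n != SYNC_RANGE]
    return missing, pinned

# Constructed sample export of egress allow rules (not from a real firewall).
SAMPLE_RULES = [(80, "tcp", "ocsp.digicert.com"), (80, "tcp", "crl4.digicert.com"),
                (443, "tcp", "67.215.92.0/24"), (443, "tcp", "146.112.63.3"),
                (443, "tcp", "ocsp.digicert.com"), (443, "udp", "crl4.digicert.com")]

if __name__ == "__main__":
    missing, pinned = audit(SAMPLE_RULES)
    print("missing:", missing)
    print("pinned sync addresses:", pinned)
```

On the sample rules, the audit reports the sync host and the TCP 443 rule for crl4.digicert.com as missing, and lists 146.112.63.3 as a pinned address that should be widened to the /24.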