Firewall rules necessary to ensure IBM Security and Lotus Protector for Mail Security Products can update

Technote (FAQ)


Question

Which firewall rules should be in place to ensure that IBM Security and Lotus Protector for Mail Security products can obtain updates?

Answer

IBM Security products contact various update servers within the IBM Security infrastructure in order to receive content and product updates. In most customer environments, specific firewall rules are required to allow this communication. If these rules are not in place, it is likely that the IBM Security products will not be able to update. For further information, see Technote 1625720: "The MyISS Download Center is migrating to a new system and configuration changes are necessary".

Important: The IBM Security Download Centers (Automatic and Manual) hosted by Flexera Software will be ending support for SSL v3 by January 7, 2015. All access to the Download Centers should be via TLS 1.0 or higher. For most users, use of TLS 1.0 or higher is already in place so this is expected to have limited impact, if any. Customers should ensure that their web clients are not configured to use or require SSL v3 in order to avoid security issues. None of the supported IBM products will be impacted by the removal of SSL v3 support from the Download Centers.

The following tables list the domain name and port combinations that should be allowed through the firewall for specific update types:

Security content updates

This section includes addresses that apply to SiteProtector updates, sensor firmware updates, AlertCon notifications, and security content updates such as XPUs.

| Domain name | Port |
| --- | --- |
| esdhttp.flexnetoperations.com | 443 |
| esdhttp-dr.flexnetoperations.com | 443 |
| ibmdownload.flexnetoperations.com | 443 |
| ibmdownload-dr.flexnetoperations.com | 443 |
| ibms-ibmxpu.flexnetoperations.com | 443 |
| ibms-issupdate.flexnetoperations.com | 443 |
| ibms-issxpu.flexnetoperations.com | 443 |
| ibmxpu.flexnetoperations.com | 443 |
| ibmxpu-dr.flexnetoperations.com | 443 |
| update.iss.net | 443 |
| update.xforce-security.com | 443 |

Note: For IP-based firewall rules, the following ranges cover all of the license and update servers mentioned above. The IP ranges are hosted by Flexera Software.

| IP Address | Port |
| --- | --- |
| 64.14.29.0/24 | 443 |
| 64.27.162.0/24 | 443 |

Onetrust license system

| Domain name | IP Address | Port |
| --- | --- | --- |
| onetrust.iss.net | 129.33.206.231 | 443 |

Proventia MX products

| Domain name | Port |
| --- | --- |
| filterdb.iss.net | 443 |

Security Network Protection (XGS) products

| Domain name | IP Address | Port |
| --- | --- | --- |
| update.xforce-security.com | 5.153.55.164, 50.23.177.148, 108.168.233.61 | 443 |
| license.xforce-security.com | 5.153.55.165, 50.23.177.149, 108.168.233.60 | 443 |

SiteProtector documentation features

| Domain name | Port |
| --- | --- |
|  | 443, 80 |

on-Demand Service customers

| Domain name | Port |
| --- | --- |
| portal.mss.iss.net | 443 |

Lotus Protector for Mail Security

| Domain name | Port |
| --- | --- |
| license.cobion.com | 443 |
| update*.cobion.com | 443 |
| dnsblserver.cobion.com | 53 (TCP and UDP) |

Notes:
  • Zone transfers for the DNSBL zone use dnsbl.cobion.com.
  • The update*.cobion.com domain currently uses the following hosts: update1, update2, update3, update5, and update7.
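
An added example (not part of the original Technote): a pre-change audit that checks whether an egress policy fully covers the IP-based destinations listed above (the Flexera ranges, onetrust.iss.net, and the XGS update and license hosts) on TCP 443. The `allow tcp <cidr> <port>` rule syntax and the sample policy are constructed for illustration; hostname-only entries such as the cobion.com servers are outside its scope.

```python
import ipaddress
from collections import defaultdict

# IP-based destinations copied from this page; all use TCP port 443.
REQUIRED_PORT = 443
REQUIRED = {
    "Flexera 64.14.29.0/24": "64.14.29.0/24",
    "Flexera 64.27.162.0/24": "64.27.162.0/24",
    "onetrust.iss.net": "129.33.206.231",
    "update.xforce-security.com (XGS)": "5.153.55.164 50.23.177.148 108.168.233.61",
    "license.xforce-security.com (XGS)": "5.153.55.165 50.23.177.149 108.168.233.60",
}

def parse_rules(text):
    """Parse constructed 'allow tcp <cidr> <port>' lines into {port: [networks]}."""
    by_port = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) != 4 or fields[:2] != ["allow", "tcp"]:
            continue  # skip blanks, comments, and anything that is not a TCP allow
        by_port[int(fields[3])].append(ipaddress.ip_network(fields[2], strict=False))
    # Merge adjacent or overlapping rules so two /25s count as the /24 they cover.
    return {p: list(ipaddress.collapse_addresses(n)) for p, n in by_port.items()}

def missing_destinations(rules_text):
    """Return {label: [uncovered targets]} for destinations not fully allowed."""
    allowed = parse_rules(rules_text).get(REQUIRED_PORT, [])
    gaps = {}
    for label, targets in REQUIRED.items():
        uncovered = [t for t in targets.split()
                     if not any(ipaddress.ip_network(t).subnet_of(a) for a in allowed)]
        if uncovered:
            gaps[label] = uncovered
    return gaps

# Constructed egress policy for illustration (not from the Technote).
SAMPLE_RULES = """
allow tcp 64.14.29.0/25 443      # two halves of the first Flexera /24
allow tcp 64.14.29.128/25 443
allow tcp 64.27.162.0/25 443     # too narrow: half of the second /24
allow tcp 129.33.206.231/32 80   # right host, wrong port
allow tcp 5.153.55.164/31 443    # covers .164 and .165
allow tcp 50.23.177.148/32 443
allow tcp 108.168.233.60/31 443  # covers .60 and .61
"""

if __name__ == "__main__":
    for label, nets in missing_destinations(SAMPLE_RULES).items():
        print(f"NOT ALLOWED on tcp/{REQUIRED_PORT}: {label}: {', '.join(nets)}")
```

A rule that is too narrow, or that opens the right host on the wrong port, produces the same update failure as a missing rule, which is why the check compares full coverage rather than mere overlap.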



  • Related information

    A Japanese translation is available


    Cross reference information
    | Segment | Product | Component | Platform | Version | Edition |
    | --- | --- | --- | --- | --- | --- |
    | Security | IBM Security Virtual Server Protection for VMware | Not Applicable | Platform Independent | Version Independent | |
    | Security | IBM Security SiteProtector System | Xpress Update Server | Platform Independent | Version Independent | |
    | Security | Proventia Network Enterprise Scanner | License and Update Module (LUM) | Platform Independent | Version Independent | |
    | Security | Proventia Network Multi-Function Security | Licensing and Updates (LUM) | Platform Independent | Version Independent | |
    | Security | Lotus Protector for Mail Security | Installation/Configuration | Platform Independent | Version Independent | |
    | Security | IBM RealSecure Server Sensor for AIX | Not Applicable | Platform Independent | Version Independent | |
    | Security | IBM RealSecure Server Sensor for HP-UX | Not Applicable | Platform Independent | Version Independent | |
    | Security | IBM RealSecure Server Sensor for Solaris | Not Applicable | Platform Independent | Version Independent | |
    | Security | IBM RealSecure Server Sensor for Windows | Not Applicable | Platform Independent | Version Independent | |
    | Security | IBM Security Host Protection | RealSecure Server Sensor | Platform Independent | Version Independent | |
    | Security | IBM Security Host Protection | Windows Desktop | Platform Independent | Version Independent | |
    | Security | IBM Security Host Protection | Windows Server | Platform Independent | Version Independent | |
    | Security | IBM Security Network Intrusion Prevention System | Updates | Platform Independent | Version Independent | |
    | Security | Proventia Virtualized Network Security Platform | Not Applicable | Platform Independent | Version Independent | |

    Historical Number: 5573

    Document information

    More support for: IBM Security Network Protection, Licensing and Updates (LUM)
    Software version: Version Independent
    Operating system(s): Platform Independent
    Reference #: 1437057
    Modified date: 2015-09-15
