IBM Support

Firewall rules necessary to ensure IBM Security and Lotus Protector for Mail Security Products can update

Technote (FAQ)


Question

Which firewall rules should be in place to ensure that IBM Security and Lotus Protector for Mail Security products can obtain updates?

Answer

IBM Security products contact various update servers within the IBM Security infrastructure in order to receive content and product updates. In most customer environments, specific firewall rules are required to allow this communication. If these rules are not in place, it is likely that the IBM Security products will not be able to update. For further information, see Technote 1625720: "The MyISS Download Center is migrating to a new system and configuration changes are necessary".

Important: The IBM Security Download Centers (Automatic and Manual) hosted by Flexera Software will be ending support for SSL v3 by January 7, 2015. All access to the Download Centers should be via TLS 1.0 or higher. For most users, use of TLS 1.0 or higher is already in place so this is expected to have limited impact, if any. Customers should ensure that their web clients are not configured to use or require SSL v3 in order to avoid security issues. None of the supported IBM products will be impacted by the removal of SSL v3 support from the Download Centers.

The following tables list the domain name and port combinations that should be allowed through the firewall for specific update types:

Security content updates

This section includes addresses that apply to SiteProtector updates, sensor firmware updates, AlertCon notifications, and security content updates such as XPUs.

| Domain name | Port |
|---|---|
| esdhttp.flexnetoperations.com | 443 |
| ibmdownload.flexnetoperations.com | 443 |
| ibms-ibmxpu.flexnetoperations.com | 443 |
| ibms-issupdate.flexnetoperations.com | 443 |
| ibms-issxpu.flexnetoperations.com | 443 |
| ibmxpu.flexnetoperations.com | 443 |
| update.iss.net | 443 |
| update.xforce-security.com | 443 |
| license.xforce-security.com | 443 |

Note: For IP-based firewall rules, the following ranges cover all of the license and update servers mentioned above. The IP ranges are hosted by Flexera Software.

| IP Address | Port |
|---|---|
| 64.14.29.0/24 | 443 |
| 64.27.162.0/24 | 443 |
| 2620:122:f000::/44 | 443 |

Legacy licensing system (Onetrust) - Note: Scheduled to sunset Dec 20, 2016

| Domain name | IP Address | Port |
|---|---|---|
| onetrust.iss.net | 129.33.206.231 | 443 |
| xpu.iss.net | 64.14.29.87 | 443 |

Proventia MX products

| Domain name | Port |
|---|---|
| filterdb.iss.net | 443 |

Security Network Protection (XGS) products

| Domain name | IP Address | Port |
|---|---|---|
| update.xforce-security.com | 5.153.55.164, 50.23.177.148, 108.168.233.61 | 443 |
| license.xforce-security.com | 5.153.55.165, 50.23.177.149, 108.168.233.60 | 443 |

SiteProtector documentation features

| Domain name | IP Address | Port |
|---|---|---|
| | | 443, 80 |
| update.xforce-security.com | 5.153.55.164, 50.23.177.148, 108.168.233.61 | 443 |
| license.xforce-security.com | 5.153.55.165, 50.23.177.149, 108.168.233.60 | 443 |

On-Demand Service customers

| Domain name | Port |
|---|---|
| portal.mss.iss.net | 443 |

Lotus Protector for Mail Security

| Domain name | Port |
|---|---|
| license.cobion.com | 443 |
| update*.cobion.com | 443 |
| dnsblserver.cobion.com | 53 (TCP and UDP) |

Notes:
  • Zone transfers for the DNSBL zone use dnsbl.cobion.com.
  • The update*.cobion.com domain currently uses the following hosts: update1, update2, update3, update5, and update7.
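
When updates fail behind an IP-based rule set, the firewall's deny log can be checked against the ranges and per-host addresses listed in the tables above. The following is an added example, not IBM code: the log format, the sample entries and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Ranges and per-host addresses copied from the tables on this page.
FLEXERA_RANGES = ["64.14.29.0/24", "64.27.162.0/24", "2620:122:f000::/44"]
HOST_RULES = {
    "update.xforce-security.com": ["5.153.55.164", "50.23.177.148", "108.168.233.61"],
    "license.xforce-security.com": ["5.153.55.165", "50.23.177.149", "108.168.233.60"],
    "onetrust.iss.net": ["129.33.206.231"],
    "xpu.iss.net": ["64.14.29.87"],
}
NETWORKS = [ipaddress.ip_network(cidr) for cidr in FLEXERA_RANGES]
HOSTS = {ipaddress.ip_address(ip): name
         for name, ips in HOST_RULES.items() for ip in ips}
# Hypothetical log format, assumed for this example only.
DENY_RE = re.compile(r"\bDENY\b.*?\bdst=(\S+)\s+dport=(\d+)")

def classify(dst, port):
    """Return the documented rule covering dst:port, or None if there is none."""
    if port != 443:          # every IP-based rule on the page is for port 443
        return None
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:       # malformed address in the log line
        return None
    if addr in HOSTS:        # exact per-host entry wins over the wider range
        return HOSTS[addr]
    for net in NETWORKS:
        if addr in net:      # False when IP versions differ, so v4/v6 can mix
            return f"Flexera range {net}"
    return None

def blocked_update_traffic(lines):
    """List (destination, rule) for DENY entries that hit a documented rule."""
    hits = []
    for line in lines:
        m = DENY_RE.search(line)
        rule = classify(m.group(1), int(m.group(2))) if m else None
        if rule:
            hits.append((m.group(1), rule))
    return hits

SAMPLE_LOG = [  # constructed entries, not real traffic
    "2015-09-15T10:00:01Z DENY src=10.0.0.5 dst=64.14.29.87 dport=443 proto=tcp",
    "2015-09-15T10:00:02Z ALLOW src=10.0.0.5 dst=64.27.162.10 dport=443 proto=tcp",
    "2015-09-15T10:00:03Z DENY src=10.0.0.7 dst=2620:122:f003::15 dport=443 proto=tcp",
    "2015-09-15T10:00:04Z DENY src=10.0.0.7 dst=5.153.55.164 dport=443 proto=tcp",
    "2015-09-15T10:00:05Z DENY src=10.0.0.9 dst=203.0.113.9 dport=443 proto=tcp",
]
print(blocked_update_traffic(SAMPLE_LOG))
```

Each tuple returned is a denied connection whose destination the page says should be allowed, which points to a missing or mis-ordered firewall rule.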



Related information

A Japanese translation is available


Cross reference information
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Security | IBM Security Virtual Server Protection for VMware | Not Applicable | Platform Independent | Version Independent | |
| Security | IBM Security SiteProtector System | Xpress Update Server | Platform Independent | Version Independent | |
| Security | Proventia Network Enterprise Scanner | License and Update Module (LUM) | Platform Independent | Version Independent | |
| Security | Proventia Network Multi-Function Security | Licensing and Updates (LUM) | Platform Independent | Version Independent | |
| Security | Lotus Protector for Mail Security | Installation/Configuration | Platform Independent | Version Independent | |
| Security | IBM RealSecure Server Sensor for AIX | Not Applicable | Platform Independent | Version Independent | |
| Security | IBM RealSecure Server Sensor for HP-UX | Not Applicable | Platform Independent | Version Independent | |
| Security | IBM RealSecure Server Sensor for Solaris | Not Applicable | Platform Independent | Version Independent | |
| Security | IBM RealSecure Server Sensor for Windows | Not Applicable | Platform Independent | Version Independent | |
| Security | IBM Security Host Protection | RealSecure Server Sensor | Platform Independent | Version Independent | |
| Security | IBM Security Host Protection | Windows Desktop | Platform Independent | Version Independent | |
| Security | IBM Security Host Protection | Windows Server | Platform Independent | Version Independent | |
| Security | IBM Security Network Intrusion Prevention System | Updates | Platform Independent | Version Independent | |
| Security | Proventia Virtualized Network Security Platform | Not Applicable | Platform Independent | Version Independent | |

Historical Number

5573

Document information

More support for: IBM Security Network Protection
Licensing and Updates (LUM)

Software version: Version Independent

Operating system(s): Platform Independent

Reference #: 1437057

Modified date: 2015-09-15