IBM Support

Firewall rules necessary to ensure that IBM Security and Lotus Protector for Mail Security Products can update

Technote (FAQ)


Question

Which firewall rules should be in place to ensure that IBM Security and Lotus Protector for Mail Security products can obtain updates?

Answer

IBM Security products contact various update servers within the IBM Security infrastructure to receive content and product updates. In most customer environments, specific firewall rules are required to allow this communication. If these rules are not in place, it is likely that the IBM Security products will not be able to update. For further information, see Technote 1625720: "The MyISS Download Center is migrating to a new system and configuration changes are necessary."

Important: The IBM Security Download Centers (Automatic and Manual) hosted by Flexera Software require TLS 1.2. Your environment must allow TLS 1.2 connections to the internet in order for communication with the download servers to function.

The following tables list the domain name and port combinations that should be allowed through the firewall for specific update types:

Security content updates

This section includes addresses that apply to SiteProtector updates, sensor firmware updates, and security content updates such as XPUs.

| Domain name | Port |
| --- | --- |
| esdhttp.flexnetoperations.com | 443 |
| ibmdownload.flexnetoperations.com | 443 |
| ibms-ibmxpu.flexnetoperations.com | 443 |
| ibms-issupdate.flexnetoperations.com | 443 |
| ibms-issxpu.flexnetoperations.com | 443 |
| ibmxpu.flexnetoperations.com | 443 |
| update.xforce-security.com | 443 |
| license.xforce-security.com | 443 |

Note: For IP-based firewall rules, the following ranges cover all of the license and update servers that are mentioned above. The IP ranges are hosted by Flexera Software.

| IP address | Port |
| --- | --- |
| 64.14.29.0/24 | 443 |
| 64.27.162.0/24 | 443 |
| 2620:122:f000::/44 | 443 |
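
The following Python check is an added example, not IBM code: it reports which of the IP ranges in the table above are not fully covered by a set of egress allow rules, merging adjacent rules before comparing. The function name and the `SAMPLE_RULES` list are assumptions constructed for illustration; substitute rules exported from your own firewall.

```python
import ipaddress

# (CIDR, TCP port) pairs copied from the technote's IP-based table.
REQUIRED = [
    ("64.14.29.0/24", 443),
    ("64.27.162.0/24", 443),
    ("2620:122:f000::/44", 443),
]

# Constructed sample allow rules as (CIDR, port); port None means "any port".
SAMPLE_RULES = [
    ("64.14.29.0/25", 443),       # first half of the /24
    ("64.14.29.128/25", 443),     # second half of the /24
    ("64.27.162.0/24", 80),       # right range, wrong port
    ("2620:122:f000::/48", 443),  # narrower than the required /44
    ("10.0.0.0/8", None),         # unrelated internal range
]


def missing_coverage(allow_rules, required=REQUIRED):
    """Return the required (CIDR, port) pairs not fully covered by allow_rules."""
    missing = []
    for cidr, port in required:
        need = ipaddress.ip_network(cidr)
        # Keep rules that permit this port and match the IP version.
        nets = [
            ipaddress.ip_network(r_cidr, strict=False)
            for r_cidr, r_port in allow_rules
            if r_port in (None, port)
        ]
        nets = [n for n in nets if n.version == need.version]
        # Merge adjacent or overlapping rules so two /25s count as one /24.
        merged = ipaddress.collapse_addresses(nets)
        if not any(need.subnet_of(m) for m in merged):
            missing.append((cidr, port))
    return missing


if __name__ == "__main__":
    for cidr, port in missing_coverage(SAMPLE_RULES):
        print(f"not fully allowed: {cidr} tcp/{port}")
```
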

Security Network Protection (XGS) products & SiteProtector

| Domain name | IP address | Port |
| --- | --- | --- |
| update.xforce-security.com | 2607:f0d0:2002:108::3, 2a03:8180:1002:2b::3, 2607:f0d0:2103:f9::3, 5.153.55.164, 158.85.222.64 | 443 |
| license.xforce-security.com | 2607:f0d0:2002:108::2, 2607:f0d0:2103:f9::2, 2a03:8180:1002:2b::2, 5.153.55.166, 158.85.222.65 | 443 |

SiteProtector documentation features

| Domain name | IP address | Port |
| --- | --- | --- |
| | | 443, 80 |

OnDemand Service customers

| Domain name | Port |
| --- | --- |
| portal.mss.iss.net | 443 |

Lotus Protector for Mail Security

| Domain name | Port |
| --- | --- |
| license.cobion.com | 443 |
| update*.cobion.com | 443 |
| dnsblserver.cobion.com | 53 (TCP and UDP) |

Notes:
  • Zone transfers for the DNSBL zone use dnsbl.cobion.com.
  • The update*.cobion.com domain currently uses the following hosts: update1, update2, update3, update5, and update7.


Related information

A Japanese translation is available


Cross reference information
| Segment | Product | Component | Platform | Version | Edition |
| --- | --- | --- | --- | --- | --- |
| Security | IBM Security SiteProtector System | Xpress Update Server | Platform Independent | Version Independent | |
| Security | Lotus Protector for Mail Security | Installation/Configuration | Platform Independent | Version Independent | |
| Security | IBM Security Network Intrusion Prevention System | Updates | Platform Independent | Version Independent | |
| Security | Proventia Virtualized Network Security Platform | Not Applicable | Platform Independent | Version Independent | |

Historical Number

5573

Document information

More support for: IBM Security Network Protection
Licensing and Updates (LUM)

Software version: Version Independent

Operating system(s): Platform Independent

Reference #: 1437057

Modified date: 19 December 2016