What IP addresses need to be allowed on a firewall for CacheFlow to function properly


Article ID: 167260


Updated On:


CacheFlow Appliance Software


The CacheFlow appliance needs to access a number of IP addresses through a firewall in order to do the following functions:

1. Upload diagnostic information such as the sysinfo, eventlog, and sysinfo-stats snapshots

2. Download the Blue Coat WebFilter database

3. Download the Cachepulse database

4. Download software updates

5. Allow remote diagnostics

6. Download CacheFlow License

In most ISP deployments, client IP reflection is enabled and the firewall will allow the client IP addresses access to the internet.  However the firewall may not allow the CacheFlow's IP address to access the Internet.  The CacheFlow will use its IP address as the originating address for the tcp connection.  Therefore the CacheFlow's IP address must have access to the OCS over TCP_80 and TCP_443


The following is the list of hostnames that the CacheFlow appliance needs access to in order to perform the functions listed below:

1. hb.bluecoat.com
Allows the CacheFlow appliance to upload heartbeat information to the heartbeat server.

2. upload.bluecoat.com
Used when the send command uploads diagnostic information to Blue Coat.

3. cacheflow-remote-support.bluecoat.com
Used when a remote diagnostic sessions is required by support.

4. cacheflow-list.es.bluecoat.com
Used when downloading Cachepulse and Blue Coat WebFilter databases.  This server has several geographically-distributed PoPs, and is subject to occasional load-balancing changes. It doesn't change often (for a given deployment), but it has changed several times in the past.

5. bto.bluecoat.com
Used to download software updates directly to the CacheFlow appliance.

6. abrca.bluecoat.com
Used to retrieve the "birth-certificate" of a device.

7. device-services.es.bluecoat.com
Used to download the CacheFlow license for CF version 3.4 and newer