What IP addresses need to be allowed on a firewall for CacheFlow to function properly
Article ID: 167260
Products
CacheFlow Appliance Software
Issue/Introduction
The CacheFlow appliance needs to access a number of IP addresses through a firewall in order to perform the following functions:
1. Upload diagnostic information such as the sysinfo, eventlog, and sysinfo-stats snapshots
2. Download the Blue Coat WebFilter database
3. Download the Cachepulse database
4. Download software updates
5. Allow remote diagnostics
6. Download CacheFlow License
In most ISP deployments, client IP reflection is enabled and the firewall allows the client IP addresses to access the Internet. However, the firewall may not allow the CacheFlow's own IP address to access the Internet. The CacheFlow uses its own IP address as the originating address for the TCP connection. Therefore, the CacheFlow's IP address must have access to the OCS over TCP ports 80 and 443.
Resolution
The following is the list of hostnames that the CacheFlow appliance needs access to in order to perform the functions listed below:
1. hb.bluecoat.com: Allows the CacheFlow appliance to upload heartbeat information to the heartbeat server.
2. upload.bluecoat.com: Used when the send command uploads diagnostic information to Blue Coat.
3. cacheflow-remote-support.bluecoat.com: Used when a remote diagnostic session is required by support.
4. cacheflow-list.es.bluecoat.com: Used when downloading Cachepulse and Blue Coat WebFilter databases. This server has several geographically-distributed PoPs, and is subject to occasional load-balancing changes. It doesn't change often (for a given deployment), but it has changed several times in the past.
5. bto.bluecoat.com: Used to download software updates directly to the CacheFlow appliance.
6. abrca.bluecoat.com: Used to retrieve the "birth-certificate" of a device.
7. device-services.es.bluecoat.com: Used to download the CacheFlow license for CF version 3.4 and newer.
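Because the addresses behind these hostnames can change (item 4 in particular), an IP-based firewall rule set can drift out of date. The following is an added example, not Blue Coat code: it resolves the hostnames listed above and compares the answers with the addresses the firewall currently permits. The allowlist format, the function names and the sample addresses are assumptions made for illustration.

```python
import socket

# Hostnames taken from the list in this article.
CACHEFLOW_HOSTS = [
    "hb.bluecoat.com",
    "upload.bluecoat.com",
    "cacheflow-remote-support.bluecoat.com",
    "cacheflow-list.es.bluecoat.com",
    "bto.bluecoat.com",
    "abrca.bluecoat.com",
    "device-services.es.bluecoat.com",
]


def resolve_ipv4(host):
    """Return the set of IPv4 addresses DNS currently gives for host."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # unresolvable: flagged as "unresolved" by the caller
    return {info[4][0] for info in infos}


def allowlist_drift(allowed, hosts=CACHEFLOW_HOSTS, resolver=resolve_ipv4):
    """Compare a per-host firewall allowlist with current DNS answers.

    allowed: dict of host -> set of IPs permitted for the CacheFlow's own IP
             (hypothetical format; export it from your firewall as needed).
    Returns a dict of host -> {"missing": IPs in DNS but not permitted,
                               "stale": IPs permitted but not in this DNS answer,
                               "unresolved": True if DNS returned nothing}.
    Hosts whose allowlist matches DNS exactly are left out of the report.
    """
    report = {}
    for host in hosts:
        current = resolver(host)
        permitted = set(allowed.get(host, ()))
        missing, stale = current - permitted, permitted - current
        if missing or stale or not current:
            report[host] = {"missing": sorted(missing), "stale": sorted(stale),
                            "unresolved": not current}
    return report


if __name__ == "__main__":
    # Constructed allowlist using a documentation-range address, not a real Blue Coat IP.
    sample_allowed = {"hb.bluecoat.com": {"192.0.2.10"}}
    for host, diff in allowlist_drift(sample_allowed).items():
        print(host, diff)
```

Treat "stale" entries as items to review rather than rules to delete automatically: a geographically distributed service may return different addresses on successive lookups, and an "unresolved" result says nothing about whether the existing rule is still needed.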