This page outlines the connectivity requirements necessary for your configuration. The following connectivity requirements are covered:
- NIOS-X Port Usage for Server Connectivity
- Admin User Connectivity Requirements
- Port Usage for Infoblox Services
- Port Usage for Bare-Metal NIOS-X Servers
- Connectivity Rules for DNS Forwarding Proxy
- Forwarding DNS Traffic to Infoblox Platform
- Infoblox Geo-Based Anycast IPs for POPs
- Local DNS Request Processing Optimization
All destination domains, IPs, and ports listed in the following table must be available in your firewall.
Do not enable SSL inspection in your firewall for any of the destination domains and IPs.
Source | Destinations | Destination IPs | Protocol | Destination Port | Description |
---|---|---|---|---|---|
Universal DDI | US Region<br>dns.bloxone.infoblox.com<br>csp.infoblox.com<br>cp.noa.infoblox.com<br>grpc.csp.infoblox.com<br>app.noa.infoblox.com<br>EU Region<br>dns.bloxone.eu.infoblox.com<br>csp.eu.infoblox.com<br>cp.noa.eu.infoblox.com<br>grpc.csp.eu.infoblox.com<br>app.noa.eu.infoblox.com | US Region<br>dns.bloxone.infoblox.com: 18.235.106.26, 54.224.108.101, 34.194.149.196<br>csp.infoblox.com: 18.235.149.1, 18.209.243.220, 18.233.189.178<br>cp.noa.infoblox.com: 3.209.116.255, 3.210.226.54, 3.212.42.44<br>grpc.csp.infoblox.com: 3.209.116.255, 3.210.226.54, 3.212.42.44<br>app.noa.infoblox.com: 3.213.214.20, 3.214.194.152, 3.214.29.106<br>EU Region<br>dns.bloxone.eu.infoblox.com: 18.153.44.29, 18.197.230.152, 18.184.150.241<br>csp.eu.infoblox.com: 3.70.109.229, 3.73.182.10, 3.66.44.28<br>cp.noa.eu.infoblox.com<br>grpc.csp.eu.infoblox.com: 3.124.178.19, 3.64.74.162, 3.73.242.251<br>app.noa.eu.infoblox.com: 3.71.171.160, 3.123.100.200, 18.193.177.184 | TCP | 443 | Allow these IP addresses on the firewall so that the NIOS-X servers can connect to the Infoblox Portal and Universal DDI services function properly in the respective regions. |
NIOS-X Servers<br>DNS Forwarding Proxy | threatdefense.bloxone.infoblox.com<br>threatdefense.infoblox.com (and all subdomains)<br>ope.infobloxtd.com (and all subdomains); this destination domain is required only if you plan to use the "Local On-Prem resolution" feature.<br>Note: Communication with these destinations bypasses any proxy server setting. In other words, if you configure a proxy, the DNS forwarding proxy service (threatdefense.bloxone.infoblox.com:443) and the Universal DDI service destination (dns.bloxone.infoblox.com:443) are not sent through the proxy. | US and EU Regions<br>Anycast IPs (IPv4 and IPv6):<br>52.119.40.100 (default resolver)<br>52.119.41.100<br>52.119.41.120<br>103.80.5.100<br>103.80.6.100<br>103.80.6.120<br>2620:129:6000::100<br>2400:4840::100<br>For geo-specific IP addresses, refer to the Infoblox geo-based Anycast IPs for POPs table in Forwarding DNS Traffic to Infoblox Platform. | TCP | 443<br>53 | Infoblox uses 52.119.40.100 as the default local resolver for all NIOS-X servers. However, you can use your own local resolver to resolve the destination domains. |
NIOS-X Servers | US Region<br>csp.infoblox.com<br>cp.noa.infoblox.com<br>grpc.csp.infoblox.com<br>app.noa.infoblox.com<br>tide.infoblox.com<br>threatdefense.infoblox.com (and all subdomains)<br>EU Region<br>csp.eu.infoblox.com<br>cp.noa.eu.infoblox.com<br>grpc.csp.eu.infoblox.com<br>app.noa.eu.infoblox.com | US Region: a complete list of the US region IP addresses is available in a JSON file by clicking this link.<br>EU Region: a complete list of the EU region IP addresses is available in a JSON file by clicking this link.<br>If the server type is NIOS, see the NIOS notes below this table. | TCP | 443 | All listed IPs require TCP port 443 to be open when they are in use. |
End Client | N/A | Redirect IPs:<br>IPv4:<br>3.215.231.251<br>3.216.243.225<br>35.168.95.233<br>54.173.31.46<br>3.220.140.235<br>IPv6:<br>2600:1f18:1043:dc00:8083:68e:ef0f:46de<br>2600:1f18:1043:dc02:ed26:448b:247:90c9<br>2600:1f18:1043:dc00:a339:63ac:4c02:9531<br>2600:1f18:1043:dc00:5ee5:908d:8892:f214<br>2600:1f18:1043:dc02:be4:9bb:7833:d9d4 | TCP | 443 or 80 | For redirect purposes. A client or end user should connect to the redirect server. |
NIOS-X Servers | ntp.ubuntu.com (optional)<br>pool.ntp.org (optional) | N/A | UDP | 123 | For NTP server synchronization. Needed only when ESXi time sync is disabled; this is optional. |

NIOS notes for the NIOS-X Servers row. If the server type is NIOS, do the following:
- For NIOS versions less than or equal to 8.6.4, or NIOS versions less than or equal to 9.0.2: allow the US domains grpc.csp.infoblox.com (3.210.226.54, 3.209.116.255, 3.212.42.44) and csp.infoblox.com (18.233.189.178, 18.235.149.1, 18.209.243.220), along with all EU region destination IPs.
- For NIOS versions greater than or equal to 8.6.5, or NIOS versions greater than or equal to 9.0.3: for the NIOS DNS resolver, allow external domain lookup and all EU region destination IPs. For NIOS running behind an HTTPS proxy where external domain lookup is denied, allow the domain provision.ib-hub.na.csp.infoblox.com and the IP address 44.218.80.45, along with all EU region destination IPs.

HTTP proxy configured on a NIOS-X server: when an HTTP proxy is configured on a NIOS-X server, Data Connector can pull log data from the Infoblox cloud source through the configured proxy. However, note that currently the logs sent from Data Connector to the configured destination still bypass the proxy.
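The table above is a list of destination IPs and ports; what a firewall administrator actually needs from it is an egress policy and a way to notice when a published IP set drifts (the page itself says the complete lists live in downloadable JSON files). The following is an added example, not Infoblox code: it transcribes a US-region subset of the table into a data structure, renders one nftables accept rule per address, checks whether the IP a domain currently resolves to is still on the allow list, and encodes the NIOS version note as a function. The nftables syntax is standard; the rule layout, helper names and the choice to treat the two "less than or equal" ranges as one branch are this example's own assumptions.

```python
"""Egress allow-list helper for NIOS-X server connectivity.

Added example; not Infoblox code. ALLOW_LIST is a US-region subset transcribed
from the page's connectivity table, and nios_requirements() follows the note on
the NIOS-X Servers row. Rule output uses nftables syntax.
"""
import ipaddress

# (source, destination domain, destination IPs, protocol, port), a subset of the
# page's table. Domains whose IPs the page does not enumerate get an empty list.
ALLOW_LIST = [
    ("Universal DDI", "dns.bloxone.infoblox.com",
     ["18.235.106.26", "54.224.108.101", "34.194.149.196"], "tcp", 443),
    ("Universal DDI", "csp.infoblox.com",
     ["18.235.149.1", "18.209.243.220", "18.233.189.178"], "tcp", 443),
    ("Universal DDI", "grpc.csp.infoblox.com",
     ["3.209.116.255", "3.210.226.54", "3.212.42.44"], "tcp", 443),
    ("DNS Forwarding Proxy", "threatdefense.bloxone.infoblox.com",
     ["52.119.40.100", "52.119.41.100", "2620:129:6000::100"], "tcp", 443),
    ("DNS Forwarding Proxy", "threatdefense.bloxone.infoblox.com",
     ["52.119.40.100", "52.119.41.100", "2620:129:6000::100"], "tcp", 53),
    ("NIOS-X Servers", "ntp.ubuntu.com", [], "udp", 123),
]


def nft_rules(entries=ALLOW_LIST):
    """Render one nftables accept rule per (IP, protocol, port).

    Domains without enumerated IPs cannot become address rules; they are
    returned as comment lines so the gap stays visible in the generated policy.
    """
    rules = []
    for source, domain, ips, proto, port in entries:
        if not ips:
            rules.append(f"# {domain} ({source}): no fixed IPs on the page, "
                         f"resolve at deploy time, {proto}/{port}")
            continue
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            family = "ip6" if addr.version == 6 else "ip"
            rules.append(f"{family} daddr {addr} {proto} dport {port} accept "
                         f"comment \"{domain}\"")
    return rules


def allowed_ips(domain, entries=ALLOW_LIST):
    """All allow-listed addresses recorded for a domain, as ipaddress objects."""
    return {ipaddress.ip_address(ip)
            for _, d, ips, _, _ in entries if d == domain for ip in ips}


def is_allowed(domain, resolved_ip, entries=ALLOW_LIST):
    """Drift check: is the IP a domain resolves to today on the allow list?

    A False result means the published list has changed and must be refreshed
    from the vendor's JSON; it is not a reason to widen the rule to the new IP.
    """
    return ipaddress.ip_address(resolved_ip) in allowed_ips(domain, entries)


def parse_version(text):
    """'8.6.4' -> (8, 6, 4), so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def nios_requirements(version, behind_https_proxy=False,
                      external_lookup_allowed=True):
    """Extra destinations a NIOS appliance needs, per the page's NIOS note.

    Read literally: versions <= 8.6.4, and 9.0.0 through 9.0.2, need the fixed
    US IPs; 8.6.5 and later (outside 9.0.0..9.0.2) and 9.0.3 and later need
    either external lookup or, behind an HTTPS proxy with lookup denied, the
    provisioning host. Every branch also needs all EU region destination IPs.
    """
    v = parse_version(version)
    legacy = v <= (8, 6, 4) or (9, 0, 0) <= v <= (9, 0, 2)
    if legacy:
        return {"mode": "fixed-ips",
                "domains": ["grpc.csp.infoblox.com", "csp.infoblox.com"],
                "ips": ["3.210.226.54", "3.209.116.255", "3.212.42.44",
                        "18.233.189.178", "18.235.149.1", "18.209.243.220"],
                "eu_region": True}
    if external_lookup_allowed:
        return {"mode": "dns-resolver", "domains": [], "ips": [],
                "eu_region": True}
    if behind_https_proxy:
        return {"mode": "proxy-provision",
                "domains": ["provision.ib-hub.na.csp.infoblox.com"],
                "ips": ["44.218.80.45"], "eu_region": True}
    # The page covers no deployment with lookup denied and no HTTPS proxy.
    raise ValueError("page covers only resolver-enabled or HTTPS-proxy NIOS")


if __name__ == "__main__":
    print("\n".join(nft_rules()))
    print(is_allowed("csp.infoblox.com", "18.235.149.1"))
    print(nios_requirements("9.0.2")["mode"])
```

Feed the JSON lists the page links to into ALLOW_LIST the same way, and run is_allowed against your resolver's answers on a schedule; because these destinations must not pass through SSL inspection or the proxy, a silent IP change shows up as a connection failure rather than a policy alert unless something like this compares the two.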
Admin User Connectivity Requirements
Source | Destinations | Destination IPs (if applicable) | Protocol | Destination Port | Description |
---|---|---|---|---|---|
Infoblox admins | US Region<br>auth.infoblox.com<br>cdnjs.cloudflare.com<br>EU Region | N/A | TCP (TLS) | 443 | |
Port Usage for Infoblox Services
The following table lists the ports that must be available in your firewall for Infoblox services to function properly.
All ports listed below are outbound only, except for transferring logs from NIOS to Data Connector, which requires inbound communication.
Services | Protocol | Destination Port | Description |
---|---|---|---|
All Infoblox services | TCP | 443 | |
DNS Forwarding Proxy | TCP, UDP | 53 | DNS forwarding proxy uses 52.119.40.100 as the default resolver. However, you can use your own local resolver to resolve the destination domains. |
DHCP server | UDP | 68 | N/A |
Infoblox DNS | TCP | 443 | For Universal DDI authoritative DNS cloud services. |
Sending peer of the DHCP HA (High Availability) | TCP | 647 | This is an incoming port for the HA (High Availability) feature. The receiving peer must be able to receive traffic on the port, and the sending peer must be able to send traffic to the port, generally from other random ports. |
Sending peer of the DHCP cluster | TCP | 647 or 847 | For DHCP cluster load balancing. The receiving peer must be able to receive traffic on the port, and the sending peer must be able to send traffic to the port, generally from other random ports. |
Data Connector | TCP | 22 | Open this port if you want to send data using SCP from the Infoblox NIOS appliance (if configured) to Data Connector. The NIOS UI provides a mechanism to filter the domains it sends to Data Connector. Since NIOS sends cache logs, when configuring NIOS for use with Data Connector, configure Data Connector to exclude internal corporate and authoritative domains (*.<corp>/Authoritative) so that internal traffic logs are not added. Required for incoming SCP data transfer from NIOS to Data Connector when deployed as a container. If you deploy Data Connector as a container, ensure that there are no SSH processes listening on port 22; you must terminate these SSH processes for Data Connector to collect data from NIOS. |
Data Connector | TCP | 514 | Open this port if you want to send syslog and secure syslog for RPZ from the Infoblox NIOS appliance (if configured) to Data Connector. Note: Port 514 is an insecure port. The NIOS UI provides a mechanism to filter the domains it sends to Data Connector. Since NIOS sends cache logs, when configuring NIOS for use with Data Connector, configure Data Connector to exclude internal corporate and authoritative domains (*.<corp>/Authoritative) so that internal traffic logs are not added. Required for Data Connector secure syslog for RPZ hits data. If you deploy Data Connector as a container, ensure that this port is not used by other processes; otherwise Data Connector cannot collect data from NIOS. |
Data Connector | TCP | 6514 | Open this port if you want to send syslog and secure syslog for RPZ from the Infoblox NIOS appliance (if configured) to Data Connector. The NIOS UI provides a mechanism to filter the domains it sends to Data Connector. Since NIOS sends cache logs, when configuring NIOS for use with Data Connector, configure Data Connector to exclude internal corporate and authoritative domains (*.<corp>/Authoritative) so that internal traffic logs are not added. Used for transferring syslog data from NIOS to the Data Connector container. Port 6514 is the default secure port. If you deploy Data Connector as a container, ensure that this port is not used by other processes; otherwise Data Connector cannot collect data from NIOS. |
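The three Data Connector rows above all carry the same precondition for a container deployment: nothing else on the host may already be listening on 22, 514 or 6514, or the NIOS transfer silently goes to the wrong process. The following added example (not Infoblox code) is the check a practitioner would run before deploying: it parses `ss -ltnp` output and reports which of those ports is already held and by what. The sample output embedded in it is constructed so the block runs offline; the port-to-purpose mapping is transcribed from the table, and the function and variable names are this example's own.

```python
"""Listener conflict check for the Data Connector container ports.

Added example, not Infoblox code. Parses `ss -ltnp` output and reports any
process already bound to a port the page says Data Connector must own:
22 (SCP from NIOS), 514 (syslog for RPZ), 6514 (secure syslog for RPZ).
"""
import re
import shutil
import subprocess

# Ports and purposes as listed in the Port Usage table on this page.
DATA_CONNECTOR_PORTS = {
    22: "SCP from NIOS",
    514: "syslog for RPZ (insecure)",
    6514: "secure syslog for RPZ",
}

# Constructed sample in the layout of `ss -ltnp`: sshd holds 22 on v4 and v6,
# rsyslogd holds 514 on loopback, nginx on 443 is irrelevant, 6514 is free.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    127.0.0.1:514        0.0.0.0:*          users:(("rsyslogd",pid=655,fd=5))
LISTEN  0       4096    0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=990,fd=6))
"""

# One LISTEN line: state, queues, local addr:port, peer addr:port, process info.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<proc>.*)$")


def parse_listeners(text):
    """Return {port: set of process names} for every LISTEN line in `text`."""
    listeners = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header or a non-LISTEN row
        port = int(match.group("port"))
        # Process names appear as users:(("name",pid=N,fd=M)); there may be none
        # when ss runs without privileges, so fall back to "unknown".
        names = set(re.findall(r'\("([^"]+)"', match.group("proc")))
        listeners.setdefault(port, set()).update(names or {"unknown"})
    return listeners


def conflicts(text, wanted=DATA_CONNECTOR_PORTS):
    """Ports Data Connector needs that some other process already holds."""
    listeners = parse_listeners(text)
    return {port: sorted(listeners[port]) for port in wanted if port in listeners}


def report(text, wanted=DATA_CONNECTOR_PORTS):
    """Human-readable lines, one per conflicting port."""
    return [f"port {port} ({wanted[port]}) is held by {', '.join(names)}"
            for port, names in conflicts(text, wanted).items()]


if __name__ == "__main__":
    # Use the live socket table when ss is present, else the constructed sample.
    if shutil.which("ss"):
        output = subprocess.run(["ss", "-ltnp"], capture_output=True,
                                text=True, check=False).stdout
    else:
        output = SAMPLE_SS_OUTPUT
    for line in report(output) or ["no conflicts on Data Connector ports"]:
        print(line)
```

Run it as root so `ss` can show process names; on the sample it reports sshd on 22 and rsyslogd on 514, which matches the table's instruction to stop the SSH listener and free the syslog port before the container can receive data from NIOS.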
For additional information on requirements for the Infoblox connectivity service, see the following: