Warning

Important Note

The minimum system requirements specified for NIOS-X server deployment must be dedicated to the server you plan to deploy. They cannot be shared with or used for other non-Infoblox applications. Sharing resources will negatively affect the performance of your Infoblox services. For more information, see Minimum System Requirements for Servers.

Before you deploy Infoblox services and servers, ensure that you prepare your environment according to the requirements for the supported platforms and open all necessary ports for unrestricted outbound access. All used IPs on the provided list require TCP 443 to be open when in use.  

Port Usage for Server Connectivity

For NIOS-X server connectivity to function properly, ensure that the following are in place:

...

Source

Destinations

Destination IPs

Protocol

Destination Port

Description

Universal DDI

US Region

  • dns.bloxone.infoblox.com

  • csp.infoblox.com

  • cp.noa.infoblox.com

  • grpc.csp.infoblox.com

  • app.noa.infoblox.com

EU Region

  • dns.bloxone.eu.infoblox.com

  • csp.eu.infoblox.com

  • cp.noa.eu.infoblox.com

  • grpc.csp.eu.infoblox.com

  • app.noa.eu.infoblox.com

US Region

dns.bloxone.infoblox.com

  • 18.235.106.26

  • 54.224.108.101

  • 34.194.149.196

csp.infoblox.com

  • 18.235.149.1

  • 18.209.243.220

  • 18.233.189.178

cp.noa.infoblox.com

  • 3.209.116.255

  • 3.210.226.54

  • 3.212.42.44

grpc.csp.infoblox.com

  • 3.209.116.255

  • 3.210.226.54

  • 3.212.42.44

app.noa.infoblox.com

  • 3.213.214.20

  • 3.214.194.152

  • 3.214.29.106

EU Region

dns.bloxone.eu.infoblox.com

  • 18.153.44.29

  • 18.197.230.152

  • 18.184.150.241

csp.eu.infoblox.com

  • 3.70.109.229

  • 3.73.182.10

  • 3.66.44.28

cp.noa.eu.infoblox.com
grpc.csp.eu.infoblox.com

  • 3.124.178.19

  • 3.64.74.162

  • 3.73.242.251

app.noa.eu.infoblox.com

  • 3.71.171.160

  • 3.123.100.200

  • 18.193.177.184

TCP

443

Allow these IP addresses on the firewall for the NIOS-X servers to connect to the Infoblox Portal, and to ensure BloxOne Universal DDI services function properly in the respective regions.

NIOS-X Servers

DNS Forwarding Proxy

threatdefense.bloxone.infoblox.com

threatdefense.infoblox.com (and all subdomains)

Note: Communication with these destinations will bypass any proxy server setting.

In other words, if you configure a proxy, the DNS forwarding proxy service (threatdefense.bloxone.infoblox.com:443) is bypassed on the proxy.

If you configure a proxy, the BloxOne Universal DDI service destination (dns.bloxone.infoblox.com:443) is bypassed on the proxy.

Anycast IPs (IPv4 and IPv6)

  • 52.119.40.100 (default resolver)

  • 52.119.41.100

  • 103.80.5.100

  • 103.80.6.100

  • 2620:129:6000::100

  • 2400:4840::100

For geo-specific IP addresses, refer to the Infoblox geo-based Anycast IPs for POPs table in Forwarding DNS Traffic to Infoblox Platform.

TCP

443

53

Infoblox uses 52.119.40.100 as the default local resolver for all NIOS-X servers.

However, you can use your own local resolver to resolve the destination domains. 

NIOS-X Servers

US Region

  • csp.infoblox.com

  • cp.noa.infoblox.com

  • grpc.csp.infoblox.com

  • app.noa.infoblox.com

  • tide.infoblox.com

  • threatdefense.infoblox.com (and all subdomains)

EU Region

  • csp.eu.infoblox.com

  • cp.noa.eu.infoblox.com

  • grpc.csp.eu.infoblox.com

  • app.noa.eu.infoblox.com

A complete list of the used IP addresses is available in a JSON file by clicking this link.

TCP

443

All listed IPs require TCP port 443 to be open when in use.

End Client

N/A

Redirect IPs: 

For IPv4:

  • 3.215.231.251

  • 3.216.243.225

  • 35.168.95.233

  • 54.173.31.46

  • 3.220.140.235

For IPv6:

  • 2600:1f18:1043:dc00:8083:68e:ef0f:46de

  • 2600:1f18:1043:dc02:ed26:448b:247:90c9

  • 2600:1f18:1043:dc00:a339:63ac:4c02:9531

  • 2600:1f18:1043:dc00:5ee5:908d:8892:f214

  • 2600:1f18:1043:dc02:be4:9bb:7833:d9d4

TCP

443 or 80

For redirect purposes.

A client/end user should be connecting to the redirect server.

NIOS-X Servers

ntp.ubuntu.com (optional)

pool.ntp.org (optional)

N/A

UDP

123

For NTP server synchronization.

Needed only when ESXi time sync is disabled. This is optional.
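To check that the firewall allowlist built from this table still covers what the hostnames resolve to, the following added example (not Infoblox code) compares "hostname ip" answers against the documented pairs. The function names and the sample answers are assumptions; the documented pairs are three of the US-region hosts from the table above.

```shell
#!/bin/sh
# Added example, not Infoblox code. Pairs copied from the US-region rows above.
documented_us() {
    cat <<'EOF'
dns.bloxone.infoblox.com 18.235.106.26
dns.bloxone.infoblox.com 54.224.108.101
dns.bloxone.infoblox.com 34.194.149.196
csp.infoblox.com 18.235.149.1
csp.infoblox.com 18.209.243.220
csp.infoblox.com 18.233.189.178
app.noa.infoblox.com 3.213.214.20
app.noa.infoblox.com 3.214.194.152
app.noa.infoblox.com 3.214.29.106
EOF
}

# Live answers as "hostname ip" lines (needs network access; not called below).
resolve_documented() {
    documented_us | awk '{print $1}' | sort -u | while read -r h; do
        getent ahostsv4 "$h" | awk -v h="$h" '{print h, $1}' | sort -u
    done
}

# audit_resolved: stdin = "hostname ip" answers. Prints
#   UNLISTED host ip   an answer that is not documented for that host
#   NOANSWER host      a documented host that produced no answer
audit_resolved() {
    { documented_us | sed 's/^/D /'; sed 's/^/R /'; } | awk '
        $1 == "D" { ok[$2 " " $3] = 1; host[$2] = 1; next }
        $1 == "R" && NF >= 3 { seen[$2] = 1
            if (!(($2 " " $3) in ok)) print "UNLISTED", $2, $3 }
        END { for (h in host) if (!(h in seen)) print "NOANSWER", h }
    ' | sort
}

# Constructed answers: one csp address outside the list, app.noa missing.
sample_answers() {
    cat <<'EOF'
dns.bloxone.infoblox.com 18.235.106.26
dns.bloxone.infoblox.com 34.194.149.196
csp.infoblox.com 18.235.149.1
csp.infoblox.com 203.0.113.7
EOF
}

sample_answers | audit_resolved
```

On a host with DNS access, `resolve_documented | audit_resolved` runs the same comparison against live answers; an UNLISTED line means the firewall rule set needs review before TCP 443 traffic to that address is dropped.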

...

Source

Destinations

Destination IPs (if applicable)

Protocol

Destination Port

Description

Infoblox admins

US Region

  • csp.infoblox.com

  • auth.infoblox.com

  • *.oktacdn.com

  • infoblox-external.okta.com

  • cdnjs.cloudflare.com

  • d21fqoalzyz7ml.cloudfront.net

EU Region

  • csp.eu.infoblox.com

N/A

TCP (TLS)

443

  • For HTTPS traffic to all domains

  • For URL filtering to access the Infoblox Portal

Port Usage for

...

Infoblox Services

The following table lists the ports that must be available in your firewall for Infoblox services to function properly.

...

Services

Protocol

Destination Port

Description

All Infoblox services

TCP

443

  • For Infoblox Portal access. (unrestricted outbound access to TCP 443)

  • For NIOS-X server platform and application management.

  • All listed IPs require TCP port 443 to be open when in use.

DNS Forwarding Proxy

TCP

UDP

53

DNS forwarding proxy uses 52.119.40.100 as the default resolver. However, you can use your own local resolver to resolve the destination domains.

DHCP server

UDP

68

N/A

Infoblox DNS

TCP

443

For BloxOne Universal DDI authoritative DNS cloud services.

  • 54.224.108.101

  • 18.235.106.26

  • 34.194.149.196

Sending peer of the DHCP HA (High Availability)

TCP

647

This is an incoming port for the HA (High Availability) feature.

The receiving peer must be able to receive traffic on the port, and the sending peer must be able to send traffic to the port, generally from other random ports.

Sending peer of the DHCP cluster

TCP

647 or 847

For DHCP cluster load balancing.

The receiving peer must be able to receive traffic on the port, and the sending peer must be able to send traffic to the port, generally from other random ports.

Data Connector

TCP

22

Open this port if you want to send data using SCP from the Infoblox NIOS appliance (if configured) to Data Connector. 

The NIOS UI provides a mechanism to filter the domains it sends to Data Connector. Since NIOS is sending cache logs, when configuring NIOS for use with Data Connector, make sure to configure Data Connector to exclude internal corporate and authoritative domains (*.<corp>/Authoritative). By excluding corporate and authoritative domains, internal traffic logs will not be added.

Required for incoming SCP data transfer from NIOS to Data Connector when deployed as a container. If you deploy Data Connector as a container, ensure that there are no SSH processes listening on port 22. You must terminate these SSH processes for Data Connector to collect data from NIOS.

Data Connector

TCP

514

Open this port if you want to send syslog and secure syslog for RPZ from the Infoblox NIOS appliance (if configured) to Data Connector. Note: Port 514 is an insecure port.

The NIOS UI provides a mechanism to filter the domains it sends to Data Connector. Since NIOS is sending cache logs, when configuring NIOS for use with Data Connector, make sure to configure Data Connector to exclude internal corporate and authoritative domains (*.<corp>/Authoritative). By excluding corporate and authoritative domains, internal traffic logs will not be added.

Required for Data Connector secure syslog for RPZ hits data. If you deploy Data Connector as a container, ensure that this port is not used by other processes, so that Data Connector can collect data from NIOS.

Data Connector

TCP

6514

Open this port if you want to send syslog and secure syslog for RPZ from the Infoblox NIOS appliance (if configured) to Data Connector. 
Note: Port 6514 is a secure port.

The NIOS UI provides a mechanism to filter the domains it sends to Data Connector. Since NIOS is sending cache logs, when configuring NIOS for use with Data Connector, make sure to configure Data Connector to exclude internal corporate and authoritative domains (*.<corp>/Authoritative). By excluding corporate and authoritative domains, internal traffic logs will not be added.

Used for transferring syslog data from NIOS to Data Connector. Port 6514 is a default secure port. If you deploy Data Connector as a container, ensure that this port is not used by other processes, so that Data Connector can collect data from NIOS.
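The Data Connector rows above require that nothing else on the container host is listening on TCP 22, 514 or 6514. The following added example (not Infoblox code) filters `ss -H -ltnp` output for listeners on those ports; the function names and the sample `ss` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not Infoblox code. Ports from the Data Connector rows above.
DC_PORTS="22 514 6514"

# find_port_conflicts: stdin = `ss -H -ltnp` lines; prints
# "port<TAB>local-address<TAB>process" for each TCP listener on a listed port.
find_port_conflicts() {
    awk -v ports="$DC_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            port = $4
            sub(/^.*:/, "", port)            # keep the text after the last colon
            if (port in want) {
                proc = ($6 != "") ? $6 : "(process hidden; rerun ss as root)"
                printf "%s\t%s\t%s\n", port, $4, proc
            }
        }' | sort -n
}

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22       0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128  [::]:22          [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=600,fd=14))
LISTEN 0 511  0.0.0.0:8022     0.0.0.0:* users:(("nginx",pid=950,fd=6))
LISTEN 0 25   *:6514           *:*       users:(("rsyslogd",pid=901,fd=7))
EOF
}

# On a real host: ss -H -ltnp | find_port_conflicts
sample_ss_output | find_port_conflicts
```

Any line printed is a process that must be stopped or moved to another port before the container is deployed; the listener on 8022 is correctly ignored because the match is on the whole port number.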

...

For additional information on requirements for the Infoblox connectivity service, see the following:

...