
Best Practices for Endpoint

Note

Infoblox does not support any VPN clients running on the same device along with Infoblox Mobile Endpoint.


Before you install Infoblox Endpoint, verify the following; otherwise endpoint might not function properly:

  • When installing Infoblox Endpoint from an install package, ensure that the package was downloaded from the correct Organization in the Infoblox Portal. The install package contains a Customer ID that determines which organization the endpoint is assigned to.
  • Do not disable or delete active devices that have Infoblox Endpoint installed via the Infoblox Portal. If a device is removed from the Infoblox Portal, it is no longer protected and no longer appears on the portal's Endpoints page.
  • Your host machine must have enough capacity to run endpoint. On average, endpoint consumes less than 0.5% of CPU and less than 50 MB of memory; these figures vary with the host hardware configuration.
  • Your local device must not be running any other DNS service, because endpoint itself binds port 53 on a loopback address:
    • Endpoint listens on port 53 on the device's 127.0.0.1 loopback address on non-macOS devices.
    • Endpoint listens on port 53 on the device's 127.0.0.2 loopback address on macOS devices only.
  • If your device is running macOS, turn off Internet Sharing.
  • Do not apply any firewall rules that block outbound TCP port 443, because endpoint must be able to reach the following over TCP port 443:
    • The Infoblox geo-based Anycast IP addresses (see the separate list of Anycast IP addresses)
    • 52.119.40.100
    • 52.119.41.100
    • 103.80.5.100
    • 103.80.6.100
    • csp.infoblox.com
    • threatdefense.infoblox.com and its subdomains
  • Do not apply any firewall rules that block outbound UDP port 53, because endpoint must be able to reach 52.119.40.100 and 103.80.5.100 over UDP port 53. This UDP query is used to identify (1) the public IP address of the endpoint and (2) the AWS region to which endpoint is connected.
  • HTTPS traffic must be permitted to s3.dualstack.us-east-1.amazonaws.com; this is the host that clients must reach in order to upgrade automatically.
  • If you have a VPN client, ensure that the VPN connection is established in "split tunnel" mode for every network protocol (IPv4, or IPv4/IPv6 for dual stack).
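The following PowerShell script is an added example of how to verify the reachability and port-53 requirements above on a Windows device before installing endpoint; it is not Infoblox's own tooling. The IP addresses and hostnames are the ones listed above. The query name sent in the UDP/53 probe (csp.infoblox.com) is an assumption chosen for illustration: any well-formed DNS reply that echoes the transaction ID, even a REFUSED response, proves that the UDP path is open.

```powershell
# Pre-installation checks for Infoblox Endpoint on Windows.
# Added example, not Infoblox tooling. Targets are those listed above; the
# QNAME used for the UDP/53 probe (csp.infoblox.com) is an assumption.
#Requires -Version 5.1

$Tcp443Targets = @(
    '52.119.40.100', '52.119.41.100', '103.80.5.100', '103.80.6.100',
    'csp.infoblox.com', 'threatdefense.infoblox.com',
    's3.dualstack.us-east-1.amazonaws.com'      # required for auto-upgrade
)
$Udp53Targets = @('52.119.40.100', '103.80.5.100')

function Test-Tcp443 {
    param([Parameter(Mandatory)][string]$Target)
    $ok = Test-NetConnection -ComputerName $Target -Port 443 `
            -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Check = "TCP/443 to $Target"; Ok = [bool]$ok; Detail = '' }
}

function New-DnsQuery {
    # Minimal DNS A/IN query: 12-byte header (RD=1, QDCOUNT=1), QNAME, QTYPE, QCLASS.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][uint16]$Id)
    $bytes = [System.Collections.Generic.List[byte]]::new()
    $bytes.AddRange([byte[]]@(($Id -shr 8), ($Id -band 0xFF), 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0))
    foreach ($label in $Name.TrimEnd('.').Split('.')) {
        $bytes.Add([byte]$label.Length)
        $bytes.AddRange([System.Text.Encoding]::ASCII.GetBytes($label))
    }
    $bytes.AddRange([byte[]]@(0, 0, 1, 0, 1))   # root label, QTYPE=A, QCLASS=IN
    return $bytes.ToArray()
}

function Test-Udp53 {
    param([Parameter(Mandatory)][string]$Server,
          [string]$ProbeName = 'csp.infoblox.com',   # assumption, see lead-in
          [int]$TimeoutMs = 3000)
    $id    = [uint16](Get-Random -Minimum 1 -Maximum 65535)
    $query = New-DnsQuery -Name $ProbeName -Id $id
    $udp   = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $ok = $false; $detail = ''
    try {
        $udp.Connect($Server, 53)
        [void]$udp.Send($query, $query.Length)
        $from  = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$from)
        # Accept only a reply that echoes our transaction id and has QR=1.
        $ok = (($reply.Length -ge 12) -and ($reply[0] -eq $query[0]) -and
               ($reply[1] -eq $query[1]) -and (($reply[2] -band 0x80) -ne 0))
        if ($ok) { $detail = "rcode=$($reply[3] -band 0x0F)" }
    } catch {
        $detail = $_.Exception.Message                # timeout or ICMP unreachable
    } finally {
        $udp.Close()
    }
    [pscustomobject]@{ Check = "UDP/53 to $Server"; Ok = $ok; Detail = $detail }
}

function Get-LocalPort53Listener {
    # Anything already bound to port 53 on this host will collide with the
    # loopback DNS forwarder that endpoint installs.
    $rows = @()
    foreach ($e in @(Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue)) {
        $rows += [pscustomobject]@{ Proto = 'UDP'; LocalAddress = $e.LocalAddress; OwningPid = $e.OwningProcess
            Process = (Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue).ProcessName }
    }
    foreach ($e in @(Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue)) {
        $rows += [pscustomobject]@{ Proto = 'TCP'; LocalAddress = $e.LocalAddress; OwningPid = $e.OwningProcess
            Process = (Get-Process -Id $e.OwningProcess -ErrorAction SilentlyContinue).ProcessName }
    }
    return $rows
}

$results  = @()
$results += $Tcp443Targets | ForEach-Object { Test-Tcp443 -Target $_ }
$results += $Udp53Targets  | ForEach-Object { Test-Udp53 -Server $_ }
$results | Format-Table -AutoSize

$listeners = Get-LocalPort53Listener
if ($listeners) {
    Write-Warning 'Something is already bound to port 53; stop or remove it before installing endpoint:'
    $listeners | Format-Table -AutoSize
}
if (($results | Where-Object { -not $_.Ok }) -or $listeners) { exit 1 }
```

Run it from an elevated PowerShell prompt before installation: any row with Ok = False points at a firewall or proxy rule that must be relaxed, and any port-53 listener reported is the "other DNS service" the list above tells you to remove. After endpoint is installed, a single UDP/TCP listener on 127.0.0.1:53 owned by the endpoint process is the expected state.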

Note

Endpoint can be re-installed on any deactivated or deleted device, and the device restored and reconfigured.

No Internet Access Warning Message in Windows

In rare cases, Infoblox Endpoint can cause Windows to display a "No Internet Access" warning even though connectivity is working. This is caused by a limitation of the Microsoft Network Connectivity Status Indicator (NCSI) feature.

NCSI uses active DNS probes to validate internet connectivity on each network interface. These probes are restricted: NCSI refuses to send them to a DNS server that is reached through a different interface, such as a loopback address. Because Infoblox Endpoint runs a DNS forwarder on the loopback interface as part of its core operation, these particular checks are not compatible with endpoint. In the majority of environments this causes no problem, because Windows also performs other checks to validate connectivity.

If this occurs in your configuration, do the following. NOTE: This fix must be deployed through Local Group Policy.

  1. Open gpedit.msc and navigate to Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator.
  2. Enable the "Specify global DNS" setting.
  3. Run gpupdate /force.
  4. Reboot the system. A reboot is required to clear the existing warning.
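For fleets where clicking through gpedit.msc on every machine is impractical, the following PowerShell script is an added example of the scripted equivalent of the four steps above, together with a before/after look at what NCSI currently reports; it is not Infoblox's own tooling. It assumes that the "Specify global DNS" policy is stored as the DWORD value UseGlobalDNS = 1 under the NetworkConnectivityStatusIndicator policy key (the same location that Local Group Policy writes to); confirm the key and value name against the NCSI.admx template in your environment before deploying.

```powershell
# Scripted equivalent of the Local Group Policy steps above.
# Added example, not Infoblox tooling. Assumption: the "Specify global DNS"
# policy writes DWORD UseGlobalDNS=1 under the key below; verify against NCSI.admx.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator'

function Get-NcsiState {
    # What Windows currently believes about each connected profile; this is
    # the value behind the "No Internet Access" indicator in the tray.
    Get-NetConnectionProfile |
        Select-Object Name, InterfaceAlias, IPv4Connectivity, IPv6Connectivity
}

function Enable-NcsiGlobalDns {
    # Steps 1-2: create the policy key if needed and enable "Specify global DNS".
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name 'UseGlobalDNS' -PropertyType DWord -Value 1 -Force | Out-Null
    # Step 3: make the policy engine apply the change now.
    gpupdate /force | Out-Null
}

function Test-NcsiGlobalDns {
    # Returns $true when the policy value is present and enabled.
    $v = Get-ItemProperty -Path $PolicyKey -Name 'UseGlobalDNS' -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.UseGlobalDNS -eq 1)
}

Write-Host 'NCSI state before the change:'
Get-NcsiState | Format-Table -AutoSize

Enable-NcsiGlobalDns

if (Test-NcsiGlobalDns) {
    # Step 4 is left to the operator: the existing warning clears only after a reboot.
    Write-Host 'UseGlobalDNS policy is set. Reboot the system to clear the existing warning.'
} else {
    Write-Warning 'Policy value not present after the write; check permissions and the key path.'
}
```

Because the value lives under HKLM\SOFTWARE\Policies, it is also a natural candidate for a domain GPO registry preference or an MDM policy if you would rather not run a script per device; the IPv4Connectivity column from Get-NcsiState is what to watch after the reboot to confirm the indicator has recovered.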