In May 2024 we are releasing new versions of Countercept Agents for Windows, Linux and Mac platforms. Managed clients will get all these changes automatically. A little later we will publish new release groups to switch clients using managed updates in collaboration with the WithSecure Engagement team.After the upgrade new versions of Countercept Agents will start using new addresses.
For many customers, WithSecure products will function correctly without needing to know which servers the products connect to.
However, some administrators tightly control which network addresses they allow their clients to connect to (“Egress control” or “outbound connections”), and it is mandatory that they allow connections to the following addresses. WithSecure cannot guarantee the functionality of the products if access to these addresses is blocked.
The product may not function correctly if access to these network addresses is not allowed.
Please note that all the following require outbound connections to TCP/443 unless otherwise stated.
Additionally, any products listed in this document also includes F-Secure branded versions of the same products.
Recommendations
WithSecure recommends, where possible, that administrators allow outbound access to all address under the withsecure.com and fsapi.com domains. We do appreciate that this is not always possible due to firewall configuration limitations, or even from an operational perspective, so we are publishing an explicit list of server addresses.
Please note that we do not guarantee this list of addresses is complete or will stay unchanged, so we strongly recommend bookmarking these articles for future reference. We will update these articles whenever needed.
WithSecure Countercept
New addresses
After the upgrade new versions of Countercept Agents will start using new addresses.
Please note that all the following services require outbound connections to TCP/443 unless otherwise stated.
In addition, the use of an asterisk (*) below means that all hosts under that subdomain should be allowed (wildcard allow).
- *.fsapi.com (also port 80)
- ac3ujg1ortm4c-ats.iot.eu-west-1.amazonaws.com (also port 8883, if the network includes Windows 7, Windows Server 2008 R2, or Windows Server 2012 endpoints)
- c3hquxgihnj763.credentials.iot.eu-west-1.amazonaws.com
- ew1-famp-prd-system-transfer.s3.eu-west-1.amazonaws.com
- *.digicert.com
If you are unable to allowlist wildcard, either from a technical or operational standpoint, please contact your WithSecure Engagement Manager who will be pleased to advise you further.
Connectivity Checker
We also provide tools that can assist you in checking whether your firewall allows the needed external connections.
For Microsoft Windows
Download the Connectivity Tool from WithSecure™ Support Tools library. Support Tools library, or using direct download link https://download.withsecure.com/connectivitytool/ConnectionChecker.exe
Run the tool on the machine where the installation is being attempted by double clicking on the tool through Windows Explorer. The tool will prompt for administrator credentials when it runs.
Select MDR product from the list.
If a proxy is going to be used for the installation, it must be defined when prompted. If a proxy is not going to be used, leave the proxy settings empty.
For Linux and Mac
Download the Connectivity Checker tool with the direct link https://download.withsecure.com/connectivitytool/wsconnectionchecker.zip
Unpack the tool with: unzip wsconnectionchecker.zip
Set execution bit if needed:
sudo chmod +rwx wsconnectionchecker
Run the tool in Linux or Mac mode depending on your needs. If a proxy is going to be used for the installation, it must be defined with the -p parameter. If a proxy is not going to be used use parameter ‘-d’ instead, for example:
.\wsconnectionchecker -o linux -p http://myproxy.com:3128
or
.\wsconnectionchecker -o mac -d