Firewall Settings Required by SpamSentinel version 12

SpamSentinel for Domino needs to access other servers on the internet to function properly.  If your organization controls outbound connection requests from the machine where SpamSentinel is installed then the following list of outbound connection destinations must be allowed.

HTTP/HTTPS ACCESS

SpamSentinel requires outbound communication via Port 80 and port 443 by default for these hosts. We use http, https and bin/hex data types.

1. Standard maysoft Servers for all configuration types

You can create rules for your firewall to allow access the required maysoft.com and maysoft.us servers in several ways:

Option 1

a. Create a single rule for our domain and all sub-domains at maysoft.com
b. Create a single rule for our domain and all sub-domains at maysoft.us

Option 2

a. Create individual rules for these specific FQDN's used by SpamSentinel within the maysoft.com domain.

apache-84.maysoft.com
checkin.maysoft.com
engines.qos.maysoft.com
install.maysoft.com
manager.maysoft.com
manager.qos.maysoft.com
monitor.qos.maysoft.com
router.qos.maysoft.com
scanner.qos.maysoft.com
www.maysoft.com

b. Create individual rules for these specific FQDNs used by SpamSentinel within the maysoft.us domain.

dws.maysoft.us
sscgw.maysoft.us

Option 3

Create rules for the IP addresses the above list of FQDNs resolve to. Note multiple FQDN's resolve to the same IP address so this is a shorter list.

20.242.211.14
74.235.117.69
104.43.254.102
199.103.5.142
199.103.5.143
199.103.6.9
208.85.190.141

2. AntiSpam and AntiVirus Data Servers for the SpamSentinel Duo Services

With the introduction of SpamSentinel 10.0.1.1 Maysoft included the option to have the SpamSentinel Scanner service use copies of the SpamSentinel Duo1 and Duo2 services located on our servers rather than on the local machine. This configuration is mandatory for customers running SpamSentinel on Windows 2003 or Windows XP. It is optional for other customers whose servers have difficulty running the latest SpamSentinel Duo1 and Duo2 services locally.

To determine if your server is using the Cloud Services, look at the 'Use Cloud Services' option on the 'Advanced / Port Options' tab of your SpamSentinel Server Configuration document in the SpamSentinel Administration database.

Configuration Option 1. Cloud Services ( Firewall must allow access to Maysoft servers only )

Servers using the Cloud Services will need to be allowed to contact the Maysoft servers located in the Microsoft Azure cloud in order to be able to scan messages as seen in the URL's above. If you cannot enter FQDN's into your firewall rules, then please ping this FQDN from the server where SpamSentinel is installed to get the IP address in use for your location.

sscgw.maysoft.us

NOTE: because the SpamSentinel Duo services being used are on our own servers, your servers will not need to directly access the anti-spam and anti-virus data servers.

Configuration Option 2. Local Services ( Firewall must allow access to Anti-Spam and Anti-Virus Data Servers )

Servers using the standard local installations of the SpamSentinel Duo 1 and Duo 2 services will need to connect directly to many other servers in order to access current anti-spam and anti-virus data.

a. Cloudmark/SpamNet Engine Servers:

For Cloudmark data, you need to create two firewall rules

Rule 1

Their main range of servers listed by IP address
208.83.136.0 - 208.83.139.255

This range of servers can also be expressed using CIDR notation with four entries as follows:
208.83.136.0/24
208.83.137.0/24
208.83.138.0/24
208.83.139.0/24

Rule 2

This address can be geographically dependent. If you cannot enter FQDN's into your firewall rules, then please ping this FQDN from the server where SpamSentinel is installed to get the IP address in use for your location. If this IP address is within the above range then creation of this rule is not necessary.

microupdates.cloudmark.com

b. BitDefender Anti-Virus Definitions Updates

BitDefender downloads anti-virus definitions periodically from selected servers in the Microsoft Azure network. These servers are geographically assigned.

This address can be geographically dependent. If you cannot enter FQDN's into your firewall rules, then please ping this FQDN from the server where SpamSentinel is installed to get the IP address in use for your location.

maysoft-e00af141-e983-4266-b2c7-4818cc5d8c71.2d7dd.cdn.bitdefender.net

c. BitDefender Anti-Spam Real-Time Data

The BitDefender anti-spam technology incorporated into SpamSentinel must be able to access the Amazon AWS cloud server in your region in order to perform real-time spam data queries and also to periodically download anti-virus definition updates.

Methodologies for keeping a firewall updated with the current list of addresses used to connect to Amazon AWS vary based on the type of firewall being used and the servers / operating system tools available to an adminstrator.

We have some quick-start advice which can be used to get you up and running quickly with an initial list (see below). However, for the best long-term solutions including change notifications and other options, you should read Amazon's own documentation at:

https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

Advice on how to quickly get an initial IP4 AWS server list

1. Get your AWS Region name

a. From the Domino Server or Windows Checking Machine where SpamSentinel is installed, open a command prompt and ping nimbus.bitdefender.net

b. Ping will return the alias used for your region plus one of the many IP addresses available. Note: This could be a different IP address every time you ping.

c. From within the alias, you will see the text of the AWS region name as a sub-domain in a format like xx-xxx...-x.
Examples: us-east-1, cn-northwest-1, ap-southeast-1, cn-northwest-1

2. Use our Powershell example to generate a list of networks in CIDR format. Note: Powershell 5.1 or better is required for this example code.

a. Copy and paste the following Powershell code into a .ps1 file on a machine which can access the web.

$region = "us-east-1"
$fileName = "r:\temp\AWS-$region.txt"
#-------------------------------------------
$result = Invoke-RestMethod -Uri "https://ip-ranges.amazonaws.com/ip-ranges.json"
$ipList = $result.prefixes | where {$_.region -eq $region} | ForEach-Object {$_.ip_prefix} | Sort-Object | Get-Unique
#-------------------------------------------
$ipList | Out-File $fileName
#Write-Host $ipList

b. Modify the first line of the powershell to contain the ASW region name you obtained from the Ping information.

c. Modify the second line of the powershell so it specifies the path and name of the output file you will be creating.

d. Run the ps1 file from a Powershell prompt

3. Open the resulting file and check the results. For example, a file created using the us-east-1 region currently has over 450 entries

4. Configure your firewall to allow the machine where SpamSentinel is installed to make outbound connections to this list.