There are significant advantages to Orion being able to access the Internet; however, the last few days have shown that blanket access is not the best security stance to have.
I have collated the following list of URLs, with the assistance of my fellow MVPs, to help you add whitelist entries to your firewall policies and give Orion controlled access to external resources.
I have broken these into categories, as some are module-specific. You can of course replace many of these with a single *.solarwinds.com entry, but I wanted to provide the full URL list for those who wish to be granular in their ruleset.
|These will allow centralised upgrades and license registrations to be performed|
|Core - THWACK||To allow display of THWACK feeds in widgets and direct import/export of templates|
|Core - WorldWide Map||For rendering the Worldwide map and for performing Geo lookups from SNMP data|
|NCM||Configuration Vulnerability Analysis|
|NCM||Cisco Smart Advisor|
|SAM||SAM hardware warranty lookups|
|Alerting (ServiceNow integration)|https://<API-SubDomain>.service-now.com|If using ServiceNow alert integration, replace API-SubDomain with your configured API URL. Add your own HelpDesk API URLs if you are using the GET/POST to URL or script actions to integrate your alerts|
|Alerting (SolarWinds Service Desk integration)|
|For monitoring AWS and Azure clouds in Orion core. List was taken from this previous post|
|Meraki||For polling your Meraki infrastructure via central cloud management platform|
|NetPath||Used to perform BGP data lookups|
|AppOptics||If you have the integration to the SolarWinds AppOptics SaaS APM solution|
|Discovery Agent||SolarWinds Service Desk Discovery Agent for SolarWinds Orion|
You will also need to be conscious of the monitoring targets you configure in Orion and add those to your whitelist policy. For example, if you wish to monitor your Salesforce instance via HTTPS monitors in WPM or SAM, add your Salesforce FQDN; to monitor O365, https://*.office365.com and https://ps.outlook.com would be necessary. Ensure you bake your whitelist updates into your monitoring definition process.
If I have missed anything here, then please let me know via the comments, and I will update.
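One way to check a granular ruleset before enforcing it is to replay the Orion server's outbound proxy log against the whitelist and list what would be blocked. The script below is an added example, not part of the original post or any SolarWinds tooling. Assumptions: the log format, the `acme` sub-domain and all sample hosts are constructed, and a `*.domain` entry is taken to cover sub-domains only, which your firewall or proxy may interpret differently.

```python
from urllib.parse import urlsplit

# Entries of the kind the post lists; "acme" is a constructed stand-in for <API-SubDomain>.
ALLOWLIST = [
    "https://*.solarwinds.com",
    "https://*.office365.com",
    "https://ps.outlook.com",
    "https://acme.service-now.com",
]

# Constructed proxy log lines: "<timestamp> <source> <method> <url>".
SAMPLE_LOG = """\
2021-01-05T09:14:02Z orion01 GET https://example-sub.solarwinds.com/feed
2021-01-05T09:14:07Z orion01 GET https://ps.outlook.com/powershell
2021-01-05T09:15:31Z orion01 GET https://solarwinds.com.cdn.example.net/update
2021-01-05T09:16:12Z orion01 GET http://acme.service-now.com/alert
2021-01-05T09:17:45Z orion01 GET https://notoffice365.com/login
2021-01-05T09:18:03Z orion01 GET https://ACME.Service-Now.com./alert
"""

def host_matches(pattern, host):
    """Exact host match, or '*.domain' matching sub-domains on a label boundary."""
    if pattern.startswith("*."):
        # Require at least one character before ".domain" so look-alikes and the apex fail.
        return len(host) > len(pattern) - 1 and host.endswith(pattern[1:])
    return host == pattern

def is_allowed(url, allowlist=ALLOWLIST):
    """True if the URL's scheme and host match at least one allowlist entry."""
    target = urlsplit(url)
    host = (target.hostname or "").rstrip(".")  # urlsplit lower-cases the hostname
    for entry in allowlist:
        rule = urlsplit(entry.lower())
        if target.scheme == rule.scheme and host_matches(rule.hostname, host):
            return True
    return False

def audit(log_text, allowlist=ALLOWLIST):
    """Return (line_number, url) for every request the allowlist would not permit."""
    denied = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        fields = line.split()
        if len(fields) >= 4 and not is_allowed(fields[3], allowlist):
            denied.append((number, fields[3]))
    return denied

if __name__ == "__main__":
    for number, url in audit(SAMPLE_LOG):
        print(f"line {number}: not covered by allowlist: {url}")
```

Anything the audit reports is either a monitoring target that still needs a whitelist entry or traffic that should be investigated before the rule goes live.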