SOLVED (kind of): Figured this one out myself. After doing a Wireshark capture while downloading something from the CustomerPortal, I confirmed that the files are hosted at amazonaws.com, which was already added as a Trusted Site on the server, yet any file downloaded from there was still "Blocked" and had to be UnBlocked. This doesn't technically solve my main question which is "Is there a list of external Domains and IP Addresses that Orion polling engines contact?", but I at least solved the issue of Trusted Site downloads still being blocked.
For those interested in solving it, here is what I did:
Now, you can technically do this for the Internet Zone, but I highly recommend you don't. Instead, add the domains you know are trusted (like solarwinds.com, amazonaws.com, etc…) to your Trusted Sites list, then change this setting. As long as you don't have a domain group policy overriding this it should fix it for you.
There used to be a Support article that listed all of the Domains and IP's that SolarWinds uses to host their websites and downloadable content. This was useful for companies that had tight firewall restrictions since they could add exceptions for these to their ACL's. While we don't have heavy restrictions on our internet connections here, I do like to keep the Internet Control Panel Trusted Sites list on our SolarWinds servers filled in with all of the domains and sites that it contacts to insure that the Trusted Site policies are applied to the proper sites. However, even though I have *.SolarWinds.com added as a trusted site on all of our SolarWinds servers and my local workstation, any time I download something from the Customer Portal I still have to right-click on it and Unblock, making me think that the actual installers are hosted on a third party site. We have amazonaws and amazon added, so if it was hosted there it still wouldn't be blocked.
Is there still a list anywhere of all of the IP's/Domains that SolarWinds servers access, including the domain where the Customer Portal installer and hotfix files are hosted? Especially since we have the all-in-one online installers now, I'd really like the Trusted Site policy being applied to all of the downloads that the installer gets.
Message was edited by: J. Henson to indicate that the issue is mostly solved
Solved! Go to Solution.
I was about open a new thread on this exact topic, but specifically looking for IP addresses or SolarWinds AS blocks, rather than URL's, except for those where the IP has been defined in the link Serena provided, I'm assuming that the other addresses may be load balanced and could resolve to more than one address?
I'm in the middle of upgrading our NPM 11.5.2 platform to 12.2, MPE's and APE's which has required a migration from our Server 2008 to 2012 R2 first before undertaking an in place upgrade, I've managed to upgrade to NPM 12 and would now like to take advantage of the online installers for the minor upgrade. Our new hosting platform is far more restrictive by default as part of policy changes over the last couple of years, as such I need to provide our Server Hosting team with specific IP exceptions, not URLs or top level domains.
I've currently got a support ticket #33107 open since 9th Jan which I'm afraid has been a bit of challenge for the support team as this doesn't seem to be a readily available piece of information.
If I was to resolve those addresses provided are they likely going to always resolve to those addresses if that is all the platform needs to download, license, update and be supported?
Unfortunately not, with the hosting infrastructure firewall solution, they have to specify source IP, destination IP, source port, destination port, and service. Even if they could, one of the arguments I will get against this method is not being able to protect the machines against DNS spoofing/injection. Even if individual IP host addresses could not be provided, at the very least I would have thought it would be to ascertain the ASN's that Solarwinds have defining the possible range of IP's.
I've run into situations where I needed to know if IE trusted a site I was on but couldn't scroll around (due to group policy restriction) in the Internet Explorer Trusted Sites. Or I had to support people who needed a site to be trusted, had no power to set that themselves, and had to ensure the site really was trusted. For these situations, ALT-F-R comes in quite handy. Specifically the 'Zone' field.
Right-click a web page, select Properties shows same dialog box as ALT-F-R.
For NPM forum page, I can see:
When I am on a trusted site, the 'Zone' field shows 'Trusted sites'. Group policies at work would keep me from scrolling in Trusted Sites settings for IE. And the registry is not as convenient for checking compared to ALT-F-R or right-click page and go to Properties.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.