Datto Networking firewall requirements

Topic

This article describes network infrastructure and configuration requirements for the Datto Networking Appliance, Datto Access Points, Datto Switches, and Datto Managed Power devices.

Environment

  • Datto Networking Appliance (DNA)
  • Datto Access Points
  • Datto Switches
  • Datto Managed Power

Description

Datto Networking Portal

Access points and Managed Power devices

Access points and Managed Power devices must have access to the following host via HTTPS (port 443) for cloud management:

  • cloud_ap.cloudtrax.com

Switches must reach the following host via HTTPS (port 443) for cloud management:

  • cloud-switch.cloudtrax.com

D200 Routers must reach the following host via HTTPS (port 443) for cloud management:

  • router.cloudtrax.com

Managed Power devices must reach the following host via HTTPS (port 443) for cloud management:

  • powerstrip.cloudtrax.com

NG7 Access Points

NG7 Access Points must have the same access as listed above. Additionally, the latest firmware uses the following for check-in and tech support access:

  • Ports 80, 443, and 2200-2250
  • events-receiver.cloudtrax.com
  • ap-files-mirror.cloudtrax.com
  • device.cloudtrax.com
  • 52.13.65.115
  • 162.244.87.0/24
  • North America: 206.201.136.0/23
  • EMEA: 185.217.57.0/24
  • Asia Pacific:
    • 103.109.129.0/24
    • 203.22.186.0/24
    • 27.111.249.0/24
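The following is an added example, not Datto's own tooling: it scans firewall deny logs for outbound flows that the NG7 list above says must be allowed, so a blocked check-in can be traced to a specific rule gap. It assumes the listed ports apply to every listed address, covers only the IP entries (not the hostnames), and uses a hypothetical key=value log format with constructed sample lines.

```python
import ipaddress

# Addresses and ranges copied from the NG7 list above (hostnames are not covered here).
NG7_NETWORKS = [ipaddress.ip_network(n) for n in (
    "52.13.65.115/32", "162.244.87.0/24", "206.201.136.0/23", "185.217.57.0/24",
    "103.109.129.0/24", "203.22.186.0/24", "27.111.249.0/24",
)]
# Ports 80, 443, and 2200-2250 (inclusive); assumed to apply to every address above.
NG7_PORTS = {80, 443} | set(range(2200, 2251))


def required_by_ng7(dst_ip, dst_port):
    """True if the destination IP and port both fall inside the NG7 requirements."""
    addr = ipaddress.ip_address(dst_ip)  # raises ValueError on a malformed address
    return dst_port in NG7_PORTS and any(addr in net for net in NG7_NETWORKS)


def blocked_required_flows(log_lines):
    """Return (src, dst, port) for each denied flow that the NG7 list requires."""
    hits = []
    for line in log_lines:
        # Hypothetical log format: space-separated key=value pairs.
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if fields.get("action") != "deny":
            continue
        try:
            dst, port = fields["dst"], int(fields["dport"])
            if required_by_ng7(dst, port):
                hits.append((fields.get("src", "?"), dst, port))
        except (KeyError, ValueError):
            continue  # skip lines with missing or malformed fields
    return hits


# Constructed sample log lines; the source addresses are made up.
SAMPLE_LOG = [
    "action=deny src=10.0.20.14 dst=206.201.137.9 dport=2210",   # inside the /23, port in range
    "action=deny src=10.0.20.14 dst=206.201.138.9 dport=443",    # just outside the /23
    "action=allow src=10.0.20.14 dst=52.13.65.115 dport=443",    # already allowed
    "action=deny src=10.0.20.15 dst=162.244.87.115 dport=22",    # port not in the list
    "action=deny src=10.0.20.15 dst=27.111.249.200 dport=80",    # Asia Pacific range
    "action=deny src=10.0.20.15 dst=not-an-ip dport=80",         # malformed, skipped
]

if __name__ == "__main__":
    for src, dst, port in blocked_required_flows(SAMPLE_LOG):
        print(f"required flow is being denied: {src} -> {dst}:{port}")
```

Keeping the allowlist scoped to these ranges and ports, rather than opening all outbound traffic for the access point VLAN, preserves least-privilege egress while still letting the check flag rules that are too tight.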

Datto Networking Appliance (DNA)

The DNA must be able to reach the following host and IP addresses:

  • hb.dna.datto.com
  • 8.8.8.8
  • 8.8.4.4
  • 162.244.87.115
  • 208.67.222.222
  • 208.67.222.220

Access point fallback

Access Points must reach the following host and IP address if the primary check-in server is unavailable.

  • checkin-fallback.cloudtrax.com
  • 54.245.251.231

Switch fallback

Switches must reach the following host and IP address if the primary check-in server is unavailable.

  • 54.245.115.10

Managed power fallback

Managed Power must reach the following host and IP address if the primary check-in server is unavailable.

Router fallback

Routers must have access to the following host and IP address if the primary check-in server is unavailable.

  • 54.68.39.120

Datto Connection Keeper

For a keepalive connection that transmits expedited reconfiguration events, devices must reach the following hosts:

  • connkeeper.cloudtrax.com
  • 35.165.84.99
  • 35.163.125.115
  • 35.162.249.62

We recommend setting the TCP and HTTP timeouts on the firewall to at least 10 minutes for stable Connection Keeper performance. Calyptix brand firewalls may require that MP10 devices be allowlisted by IP before they can connect to Connection Keeper.

Network Time Protocol

Access points and switches must reach the following hosts to synchronize time:

  • pool.ntp.org
  • 0.openwrt.pool.ntp.org
  • ntp.cloudtrax.com

The listed NTP servers must be accessible over port 123.

Firmware updates

All Datto Networking devices must reach the following file servers via both HTTP (port 80) and HTTPS (port 443) for firmware updates:

  • dev.cloudtrax.com
  • files-mirror.cloudtrax.com

Advanced troubleshooting

All Datto Networking devices must reach the following host via TCP port 18991 for remote troubleshooting access and support intervention:

  • vpn.cloudtrax.com

For troubleshooting via RLY, devices should have access to IP range 206.201.136.0/23 over TCP ports 80, 2200, and 443.

Cisco router issues

Cisco router models RV350/RV345/RV345P/RV340W running firmware release 1.0.01.17 or older are unable to access all Datto Networking servers due to an issue with their content filtering system. Update to firmware release 1.0.01.1702 or newer to resolve this issue.