Datto Networking firewall requirements

Topic

This article describes network infrastructure and configuration requirements for the Datto Networking Appliance, Datto Access Points, Datto Switches, and Datto Managed Power devices.

Environment

  • Datto Networking Appliance (DNA)
  • Datto Access Points
  • Datto Switches
  • Datto Managed Power

Requirements

Devices must meet the following requirements for checkin, remote management, and fallback operations.

Datto Connection Keeper

For a keepalive connection that transmits expedited reconfiguration events, devices must reach the following hosts:

  • connkeeper.cloudtrax.com
  • 35.165.84.99
  • 35.163.125.115
  • 35.162.249.62

We recommend that you set TCP and HTTP timeout settings on the firewall to at least 10 minutes for stable Connection Keeper performance. To connect to Connection Keeper, Calyptix brand firewalls may require that MP10 devices be allowlisted by IP.

Network Time Protocol

Access points and switches must reach the following hosts to synchronize time:

  • pool.ntp.org (port 123)
  • 0.openwrt.pool.ntp.org (port 123)
  • ntp.cloudtrax.com (port 123)

Firmware updates

All Datto Networking devices must reach the following file servers for firmware updates:

  • dev.cloudtrax.com, HTTP (port 80) and HTTPS (port 443)
  • files-mirror.cloudtrax.com, HTTP (port 80) and HTTPS (port 443)

Support Access

All Datto Networking devices must reach the following host for remote troubleshooting access and support intervention:

  • vpn.cloudtrax.com (TCP port 18991)

For troubleshooting via RLY, devices should have access to:

  • IP range 206.201.136.0/23 (TCP ports 80, 10000 - 10001, 2200, and 443)

IMPORTANT  Cisco router models RV350/RV345/RV345P/RV340W running firmware release 1.0.01.17 or older are unable to access all Datto Networking servers due to an issue with their content filtering system. Update to firmware release 1.0.01.1702 or newer to resolve this issue.

  • cloud-switch.cloudtrax.com via HTTPS (port 443) (cloud management)
  • 54.245.115.10 (checkin fallback)
  • powerstrip.cloudtrax.com via HTTPS (port 443) (cloud management)
  • cloud_ap.cloudtrax.com via HTTPS (port 443) (cloud management)
  • 34.210.223.70 (checkin fallback)
  • 54.212.250.242 (checkin fallback)
  • https://iot.cloudtrax.com (checkin fallback)
  • cloud_ap.cloudtrax.com via HTTPS (port 443) (cloud management)
  • TCP ports 8081 - 8084 (Splash page for SSIDs 1 - 4)
  • TCP & UDP ports 1101 - 1104 (DNS Intercept for SSIDs 1 - 4)
  • checkin-fallback.cloudtrax.com (checkin fallback)
  • 54.245.251.231 (checkin fallback)

NG7 Access Points must have access as above. Additionally, the latest firmware uses the following for check-in and tech support access:

  • Ports 80, 443, and 2200-2250
  • events-receiver.cloudtrax.com
  • ap-files-mirror.cloudtrax.com
  • device.cloudtrax.com
  • 52.13.65.115
  • 162.244.87.0/24
  • North America: 206.201.136.0/23
  • EMEA: 185.217.57.0/24
  • Asia Pacific:
    • 103.109.129.0/24
    • 203.22.186.0/24
    • 27.111.249.0/24
  • router.cloudtrax.com via HTTPS (port 443) (cloud management)
  • 54.68.39.120 (checkin fallback)
  • hb.dna.datto.com
  • 8.8.8.8
  • 8.8.4.4
  • 162.244.87.115
  • 208.67.222.222
  • 208.67.222.220
  • 54.68.39.120 (checkin fallback)