Samsung Knox firewall exceptions
Last updated March 18th, 2024
Configuring firewall exceptions is a crucial step in making sure your organization securely connects to the Knox servers and accesses the supporting resources. This process includes adding certain URLs and ports to your organization’s allowlist and accurately setting up your server and client firewalls to access different Knox cloud services.
For example, Knox Asset Intelligence enables you to get files from the supporting Amazon cloud infrastructure if you’ve configured your server firewall allowlist correctly. Similarly, adding TCP ports 5228-5230 to your client firewall allowlist ensures you can access Google services using Knox Manage. Check out the Networking requirements for Knox cloud services for more information.
To get started with configuring your firewalls:
-
Ensure ports 443 and 80 are open within your local network to reach Knox server resources.
-
Add Amazon Web Services or Google Firebase to your organization’s firewall allowlist, as Knox services might use either of these services:
-
See https://ip-ranges.amazonaws.com/ip-ranges.json for more information on IP ranges that you might have to allow to correctly use Amazon Web Services.
-
See Firebase Cloud Messaging for more information on Google Firebase services.
-
If your organization doesn’t permit connections with external servers, you can request an on-premises Knox server to handle license verification within your firewall. Samsung charges a fee for this service. For more information, contact your Samsung representative or reseller directly, or contact the Samsung Knox team.
Portal exceptions
The following table lists the URLs that you must create exceptions for in your organization’s firewall in order to use Knox services web portals on your desktop:
| URL | Port | Knox server resource |
|---|---|---|
|
*.samsungknox.com *.secb2b.com |
443, 80 |
Knox cloud service Knox Identity Management Single sign-on (SSO) Knox Admin Portal Knox Partner Portal |
| *.samsung.com | 443, 80 |
Samsung account |
Networking requirements for Knox cloud services
Depending on your enterprise’s IT policies, you might have to add the following network resources to your firewall allowlist:
If your enterprise’s IT policy restricts the use of a wildcard (*) to abbreviate a domain name, you might require the fully qualified domain name (FQDN) to reach a Knox network deployment resource.
Knox Mobile Enrollment
Server firewall
| Server | URL | Port |
|---|---|---|
| Samsung Account | *.samsung.com | 443, 80 |
| samsungknox.com |
*.samsungknox.com *.secb2b.com |
443, 80 |
| Knox Admin Portal | central.samsungknox.com | 443, 80 |
Client firewall
| Server | URL | Port |
|---|---|---|
| Pinning | pinning-02.secb2b.com | 443, 80 |
| GSL | gsl.samsunggsl.com | 443 |
| umc-cdn | umc-cdn.secb2b.com | 443, 80 |
| KSL |
eu-segd-api.secb2b.com us-segd-api.secb2b.com |
443 |
| Auth server |
eu-prod-bulk.secb2b.com us-prod-bulk.secb2b.com |
443 |
| Knox Mobile Enrollment server |
eu-kme.samsungknox.com us-kme.samsungknox.com |
443, 80 |
| Knox Mobile Enrollment APIs |
eu-kme-api-mssl.samsungknox.com us-kme-api-mssl.samsungknox.com |
443 |
Knox Manage
Server firewall
| Server | URL | Port |
|---|---|---|
| samsungknox.com |
*.samsungknox.com *.secb2b.com |
443, 80 |
| Samsung Account | *.samsung.com | 443, 80 |
| Google services | *.gstatic.com | 443, 80 |
Client firewall
| Platform | URL | Port |
|---|---|---|
| Google services |
*.google.com android.com google-analytics.com googleusercontent.com *gstatic.com *.gvt1.com *.ggpht.com *.gvt2.com *.gvt3.com |
TCP 443 TCP, UDP 5228-5230, 5235, 5236 |
| Google services | *.googleapis.com | TCP 443, 5228-5230 |
| Apple push notification services | *.push.apple.com | TCP 443, 5223, 2197 |
| Windows push notification services |
*.wns.windows.com *.notify.live.net |
443 |
Knox Remote Support
Server firewall
| Knox Remote Support server | URL | Port |
|---|---|---|
| Asia region | ap-rs-web.manage.samsungknox.com | 443 |
| US region | us-rs-web.manage.samsungknox.com | 443 |
| EU region | eu-rs-web.manage.samsungknox.com | 443 |
Client firewall
| Region | Server | Domain | IP address | Port | Connection |
|---|---|---|---|---|---|
| Asia |
Relay WAS |
ap-rs-relay.manage.samsungknox.com ap-rs-web.manage.samsungknox.com |
18.141.250.233 13.213.198.62 |
45001 |
Mobile Desktop |
| US |
Relay WAS |
us-rs-relay.manage.samsungknox.com us-rs-web.manage.samsungknox.com |
35.83.188.168 52.36.230.249 |
45001 |
Mobile Desktop |
| EU |
Relay WAS |
eu-rs-relay.manage.samsungknox.com eu-rs-web.manage.samsungknox.com |
54.155.132.151 63.34.35.115 |
45001 |
Mobile Desktop |
Exceptions to file upload restrction
You may have restrictions on uploading files from your protected network environment to the Knox server. If so, you must use the following domains and regional URLs:
| Region | Domain/IP |
|---|---|
| Asia | km-rs-ap.s3.ap-southeast-1.amazonaws.com |
| US | km-rs-us.s3.us-west-2.amazonaws.com |
| EU | km-rs-eu.s3.eu-west-1.amazonaws.com |
The maximum file transfer size allowed is 200 MB and the maximum number of files you can transfer at once is 100.
Additional information
For more information on Android network requirements, see Android Enterprise Network Requirements.
For more information on iOS network requirements, see Configure your network for MDM and Use Apple products on enterprise networks.
For more information on Windows network requirements, see Adding WNS Traffic to the Firewall Allowlist.
Knox E-FOTA
Server firewall
| Server | URL | Port |
|---|---|---|
| Samsung Account | *.samsung.com | 443, 80 |
| samsungknox.com |
*.samsungknox.com *.secb2b.com |
443, 80 |
| Knox Admin Portal | central.samsungknox.com | 443 |
Client firewall
| Server | URL | Port |
|---|---|---|
| GSL | gsl.samsunggsl.com | 443 |
| Firmware management server | http://eu-efm.samsungknox.com/ | 443 |
| S3 storage (firmware storage server) | http://kfm-prod.samsungknox.com/ | 443, 80 |
| KSL (old SEG) |
us-segd-api.secb2b.com us-segd-api.secb2b.com us-segp-api.secb2b.com eu-segd-api.secb2b.com eu-segm-api.secb2b.com eu-segp-api.secb2b.com |
443 |
| umc-cdn | umc-cdn.secb2b.com | 443, 80 |
| Knox Privacy Policy or Terms and Conditions | eula.secb2b.com | 443, 80 |
| Feedback | knoxservices.secb2b.com | 443, 80 |
| Pinning |
pinning.secb2b.com pinning-02.secb2b.com |
443, 80 |
| Firebase Cloud Messaging | Since the hostnames are revised periodically, see the Google Firebase documentation for the latest list. | 5228, 5229, 5230 |
Knox Asset Intelligence
Server firewall
| Server | URL | Port |
|---|---|---|
| Samsung Account | *.samsung.com | 443, 80 |
| samsungknox.com |
*.samsungknox.com *.secb2b.com |
443, 80 |
| Knox Admin Portal | central.samsungknox.com | 443, 80 |
| File retrieval from Amazon S3 |
https://usprd-knoxv2-dai.s3.us-west-2.amazonaws.com https://euprd-knoxv2-dai.s3.eu-west-1.amazonaws.com |
443 |
Client firewall
| Server | URL | Port |
|---|---|---|
| Knox Asset Intelligence server |
us-dai.samsungknox.com eu-dai.samsungknox.com |
443 |
| Amazon S3 storage (for debug log file uploads) |
https://usprd-knoxv2-dai.s3.us-west-2.amazonaws.com https://euprd-knoxv2-dai.s3.eu-west-1.amazonaws.com |
443 |
| umc-cdn | umc-cdn.secb2b.com | 443, 80 |
| Knox Privacy Policy or Terms and Conditions | eula.secb2b.com | 443, 80 |
| GSL | gsl.samsunggsl.com | 443 |
| Security center |
us-securitycenter.samsungknox.com eu-securitycenter.samsungknox.com |
443 |
| Pinning |
pinning.secb2b.com pinning-02.secb2b.com |
443, 80 |
| Firebase Cloud Messaging |
See Google Firebase documentation for hostnames. These hostnames are subject to change. |
5228, 5229, 5230 |
Knox Configure
Server firewall
| Server | URL | Port |
|---|---|---|
| Samsung Account | *.samsung.com | 443, 80 |
| samsungknox.com |
*.samsungknox.com *.secb2b.com |
443, 80 |
| Knox Admin Portal | central.samsungknox.com | 443, 80 |
Client firewall
| Server | URL | Port |
|---|---|---|
| Pinning | pinning-02.secb2b.com | 443, 80 |
| GSL | gsl.samsunggsl.com | 443 |
| umc-cdn | umc-cdn.secb2b.com | 443, 80 |
| KSL |
eu-segd-api.secb2b.com us-segd-api.secb2b.com |
443 |
| Auth server |
eu-prod-bulk.secb2b.com us-prod-bulk.secb2b.com |
443 |
| Knox Configure server |
eu-kc.samsungknox.com us-kc.samsungknox.com eu-kc-portal.samsungknox.com us-kc-portal.samsungknox.com |
443, 80 |
| Firebase Cloud Messaging |
See Google Firebase documentation for hostnames. These hostnames are subject to change. |
5228, 5229, 5230 |
Samsung Care+ for Business
Server firewall
| Server | URL | Port |
|---|---|---|
| Samsung Account | *.samsung.com | 443, 80 |
| samsungknox.com |
*.samsungknox.com *.secb2b.com |
443, 80 |
| Knox Admin Portal | central.samsungknox.com | 443, 80 |
License servers for Knox products
Depending on your enterprise’s IT policies, you might have to add the following Knox license server resources to your firewall allowlist, listed by server destinations per region:
If your enterprise’s IT policy restricts the use of a wildcard (*) to abbreviate a domain name, you might require the FQDN to reach a Knox license server.
Global
| URL | Port |
|---|---|
| analytics.samsungknox.com | All |
| prod-knoxlog.secb2b.com | All |
| account.samsung.com | 80, 443 |
| gslb.secb2b.com | 443 |
| gsl.samsunggsl.com | 443 |
Americas
| URL | Port |
|---|---|
| us-elm.secb2b.com | 443 |
| us-prod-klm-b2c.secb2b.com | 443 |
| us-prod-klm.secb2b.com | 443 |
| usprod-knoxlog.secb2b.com | All |
EMEA
| URL | Port |
|---|---|
| eu-elm.secb2b.com | 443 |
| eu-prod-klm-b2c.secb2b.com | 443 |
| eu-prod-klm.secb2b.com | 443 |
| euprod-knoxlog.secb2b.com | All |
Firewall exceptions for Knox Configure in China
Depending on your enterprise’s IT policies, you might have to add the following resources to your firewall allowlist to access Knox Configure.
If your enterprise’s IT policy restricts the use of a wildcard (*) to abbreviate a domain name, you might require the FQDN to reach a Knox network deployment resource.
License servers
| URL | Port |
|---|---|
| china-gslb.secb2b.com.cn | 443 |
| china-elm.secb2b.com.cn | 443 |
| china-b2c-klm.secb2b.com.cn | 443 |
| china-prod-klm.secb2b.com.cn | 443 |
| china-klm.secb2b.com.cn | 443 |
Network requirements
| URL | Port |
|---|---|
| china-segd-api.secb2b.com.cn | 443 |
| myknoxapk.blob.core.chinacloudapi.cn | 80, 443 |
On this page
Is this page helpful?