Samsung Knox firewall exceptions

Last updated March 18th, 2024

Configuring firewall exceptions is a crucial step in making sure your organization securely connects to the Knox servers and accesses the supporting resources. This process includes adding certain URLs and ports to your organization’s allowlist and accurately setting up your server and client firewalls to access different Knox cloud services.

For example, Knox Asset Intelligence enables you to get files from the supporting Amazon cloud infrastructure if you’ve configured your server firewall allowlist correctly. Similarly, adding TCP ports 5228-5230 to your client firewall allowlist ensures you can access Google services using Knox Manage. Check out the Networking requirements for Knox cloud services for more information.

To get started with configuring your firewalls:

  1. Ensure ports 443 and 80 are open within your local network to reach Knox server resources.

  2. Add Amazon Web Services or Google Firebase to your organization’s firewall allowlist, as Knox services might use either of these services:

Important

If your organization doesn’t permit connections with external servers, you can request an on-premises Knox server to handle license verification within your firewall. Samsung charges a fee for this service. For more information, contact your Samsung representative or reseller directly, or contact the Samsung Knox team.

Portal exceptions

The following table lists the URLs that you must create exceptions for in your organization’s firewall in order to use Knox services web portals on your desktop:

URL Port Knox server resource
*.samsungknox.com, *.secb2b.com 443, 80 Knox cloud service, Knox Identity Management, Single sign-on (SSO), Knox Admin Portal, Knox Partner Portal
*.samsung.com 443, 80 Samsung account

Networking requirements for Knox cloud services

Depending on your enterprise’s IT policies, you might have to add the following network resources to your firewall allowlist:

Important

If your enterprise’s IT policy restricts the use of a wildcard (*) to abbreviate a domain name, you might require the fully qualified domain name (FQDN) to reach a Knox network deployment resource.

Knox Mobile Enrollment

Server firewall

Server URL Port
Samsung Account *.samsung.com 443, 80
samsungknox.com, *.samsungknox.com, *.secb2b.com 443, 80
Knox Admin Portal central.samsungknox.com 443, 80

Client firewall

Server URL Port
Pinning pinning-02.secb2b.com 443, 80
GSL gsl.samsunggsl.com 443
umc-cdn umc-cdn.secb2b.com 443, 80
KSL eu-segd-api.secb2b.com, us-segd-api.secb2b.com 443
Auth server eu-prod-bulk.secb2b.com, us-prod-bulk.secb2b.com 443
Knox Mobile Enrollment server eu-kme.samsungknox.com, us-kme.samsungknox.com 443, 80
Knox Mobile Enrollment APIs eu-kme-api-mssl.samsungknox.com, us-kme-api-mssl.samsungknox.com 443

Knox Manage

Server firewall

Server URL Port
samsungknox.com, *.samsungknox.com, *.secb2b.com 443, 80
Samsung Account *.samsung.com 443, 80
Google services *.gstatic.com 443, 80

Client firewall

Platform URL Port
Google services *.google.com, android.com, google-analytics.com, googleusercontent.com, *gstatic.com, *.gvt1.com, *.ggpht.com, *.gvt2.com, *.gvt3.com TCP 443; TCP, UDP 5228-5230, 5235, 5236
Google services *.googleapis.com TCP 443, 5228-5230
Apple push notification services *.push.apple.com TCP 443, 5223, 2197
Windows push notification services *.wns.windows.com, *.notify.live.net 443
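
The following is an added example, not Samsung's code: a small checker that tests planned or logged client flows against a subset of the Knox Manage client firewall entries above, so gaps show up before devices are deployed. It assumes a `*.domain` entry covers subdomains but not the bare domain, which is why an entry such as samsungknox.com appears next to *.samsungknox.com; confirm how your own firewall treats wildcards. The sample flows are constructed.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    pattern: str       # FQDN or "*.domain" wildcard
    protos: frozenset  # e.g. {"tcp"} or {"tcp", "udp"}
    ports: tuple       # inclusive (low, high) ranges

def rule(pattern, protos, ports):
    """Build a Rule from table text, e.g. ("*.x.com", "TCP, UDP", "443, 5228-5230")."""
    ranges = []
    for part in ports.split(","):
        low, _, high = part.strip().partition("-")
        ranges.append((int(low), int(high or low)))
    names = frozenset(p.strip().lower() for p in protos.split(","))
    return Rule(pattern.lower(), names, tuple(ranges))

# Subset of the Knox Manage client firewall table on this page.
RULES = [
    rule("*.google.com", "TCP", "443"),
    rule("*.google.com", "TCP, UDP", "5228-5230, 5235, 5236"),
    rule("android.com", "TCP", "443"),
    rule("*.googleapis.com", "TCP", "443, 5228-5230"),
    rule("*.push.apple.com", "TCP", "443, 5223, 2197"),
]

def host_matches(pattern, host):
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Assumption: a wildcard covers subdomains only, never the bare domain.
        # Anchoring on the dot keeps look-alikes such as notgoogle.com out.
        return host.endswith(pattern[1:]) and host != pattern[1:]
    return host == pattern

def allowed(host, proto, port, rules=RULES):
    return any(
        host_matches(r.pattern, host) and proto.lower() in r.protos
        and any(low <= port <= high for low, high in r.ports)
        for r in rules
    )

def audit(flows, rules=RULES):
    """Return the (host, proto, port) flows that no rule permits."""
    return [f for f in flows if not allowed(*f, rules)]

# Constructed sample flows (not from the page).
FLOWS = [
    ("mtalk.google.com", "tcp", 5228), ("google.com", "tcp", 443),
    ("www.android.com", "tcp", 443), ("fcm.googleapis.com", "udp", 5229),
    ("api.push.apple.com", "tcp", 2197),
]
```

Calling audit(FLOWS) returns the three flows that need either an extra entry (a bare domain or a subdomain) or a protocol the table does not list for that host.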

Knox Remote Support

Server firewall

Knox Remote Support server URL Port
Asia region ap-rs-web.manage.samsungknox.com 443
US region us-rs-web.manage.samsungknox.com 443
EU region eu-rs-web.manage.samsungknox.com 443

Client firewall

Region Server Domain IP address Port Connection
Asia Relay, WAS ap-rs-relay.manage.samsungknox.com, ap-rs-web.manage.samsungknox.com 18.141.250.233, 13.213.198.62 45001 Mobile, Desktop
US Relay, WAS us-rs-relay.manage.samsungknox.com, us-rs-web.manage.samsungknox.com 35.83.188.168, 52.36.230.249 45001 Mobile, Desktop
EU Relay, WAS eu-rs-relay.manage.samsungknox.com, eu-rs-web.manage.samsungknox.com 54.155.132.151, 63.34.35.115 45001 Mobile, Desktop

Exceptions to file upload restriction

You may have restrictions on uploading files from your protected network environment to the Knox server. If so, you must use the following domains and regional URLs:

Region Domain/IP
Asia km-rs-ap.s3.ap-southeast-1.amazonaws.com
US km-rs-us.s3.us-west-2.amazonaws.com
EU km-rs-eu.s3.eu-west-1.amazonaws.com

Note

The maximum file transfer size allowed is 200 MB and the maximum number of files you can transfer at once is 100.

Additional information

For more information on Android network requirements, see Android Enterprise Network Requirements.

For more information on iOS network requirements, see Configure your network for MDM and Use Apple products on enterprise networks.

For more information on Windows network requirements, see Adding WNS Traffic to the Firewall Allowlist.

Knox E-FOTA

Server firewall

Server URL Port
Samsung Account *.samsung.com 443, 80
samsungknox.com, *.samsungknox.com, *.secb2b.com 443, 80
Knox Admin Portal central.samsungknox.com 443

Client firewall

Server URL Port
GSL gsl.samsunggsl.com 443
Firmware management server http://eu-efm.samsungknox.com/ 443
S3 storage (firmware storage server) http://kfm-prod.samsungknox.com/ 443, 80
KSL (old SEG) us-segd-api.secb2b.com, us-segd-api.secb2b.com, us-segp-api.secb2b.com, eu-segd-api.secb2b.com, eu-segm-api.secb2b.com, eu-segp-api.secb2b.com 443
umc-cdn umc-cdn.secb2b.com 443, 80
Knox Privacy Policy or Terms and Conditions eula.secb2b.com 443, 80
Feedback knoxservices.secb2b.com 443, 80
Pinning pinning.secb2b.com, pinning-02.secb2b.com 443, 80
Firebase Cloud Messaging Since the hostnames are revised periodically, see the Google Firebase documentation for the latest list. 5228, 5229, 5230

Knox Asset Intelligence

Server firewall

Server URL Port
Samsung Account *.samsung.com 443, 80
samsungknox.com, *.samsungknox.com, *.secb2b.com 443, 80
Knox Admin Portal central.samsungknox.com 443, 80
File retrieval from Amazon S3 https://usprd-knoxv2-dai.s3.us-west-2.amazonaws.com, https://euprd-knoxv2-dai.s3.eu-west-1.amazonaws.com 443

Client firewall

Server URL Port
Knox Asset Intelligence server us-dai.samsungknox.com, eu-dai.samsungknox.com 443
Amazon S3 storage (for debug log file uploads) https://usprd-knoxv2-dai.s3.us-west-2.amazonaws.com, https://euprd-knoxv2-dai.s3.eu-west-1.amazonaws.com 443
umc-cdn umc-cdn.secb2b.com 443, 80
Knox Privacy Policy or Terms and Conditions eula.secb2b.com 443, 80
GSL gsl.samsunggsl.com 443
Security center us-securitycenter.samsungknox.com, eu-securitycenter.samsungknox.com 443
Pinning pinning.secb2b.com, pinning-02.secb2b.com 443, 80
Firebase Cloud Messaging See Google Firebase documentation for hostnames. These hostnames are subject to change. 5228, 5229, 5230

Knox Configure

Server firewall

Server URL Port
Samsung Account *.samsung.com 443, 80
samsungknox.com, *.samsungknox.com, *.secb2b.com 443, 80
Knox Admin Portal central.samsungknox.com 443, 80

Client firewall

Server URL Port
Pinning pinning-02.secb2b.com 443, 80
GSL gsl.samsunggsl.com 443
umc-cdn umc-cdn.secb2b.com 443, 80
KSL eu-segd-api.secb2b.com, us-segd-api.secb2b.com 443
Auth server eu-prod-bulk.secb2b.com, us-prod-bulk.secb2b.com 443
Knox Configure server eu-kc.samsungknox.com, us-kc.samsungknox.com, eu-kc-portal.samsungknox.com, us-kc-portal.samsungknox.com 443, 80
Firebase Cloud Messaging See Google Firebase documentation for hostnames. These hostnames are subject to change. 5228, 5229, 5230

Samsung Care+ for Business

Server firewall

Server URL Port
Samsung Account *.samsung.com 443, 80
samsungknox.com, *.samsungknox.com, *.secb2b.com 443, 80
Knox Admin Portal central.samsungknox.com 443, 80

License servers for Knox products

Depending on your enterprise’s IT policies, you might have to add the following Knox license server resources to your firewall allowlist, listed by server destinations per region:

Important

If your enterprise’s IT policy restricts the use of a wildcard (*) to abbreviate a domain name, you might require the FQDN to reach a Knox license server.

Global

URL Port
analytics.samsungknox.com All
prod-knoxlog.secb2b.com All
account.samsung.com 80, 443
gslb.secb2b.com 443
gsl.samsunggsl.com 443

Americas

URL Port
us-elm.secb2b.com 443
us-prod-klm-b2c.secb2b.com 443
us-prod-klm.secb2b.com 443
usprod-knoxlog.secb2b.com All

EMEA

URL Port
eu-elm.secb2b.com 443
eu-prod-klm-b2c.secb2b.com 443
eu-prod-klm.secb2b.com 443
euprod-knoxlog.secb2b.com All

Firewall exceptions for Knox Configure in China

Depending on your enterprise’s IT policies, you might have to add the following resources to your firewall allowlist to access Knox Configure.

Important

If your enterprise’s IT policy restricts the use of a wildcard (*) to abbreviate a domain name, you might require the FQDN to reach a Knox network deployment resource.

License servers

URL Port
china-gslb.secb2b.com.cn 443
china-elm.secb2b.com.cn 443
china-b2c-klm.secb2b.com.cn 443
china-prod-klm.secb2b.com.cn 443
china-klm.secb2b.com.cn 443

Network requirements

URL Port
china-segd-api.secb2b.com.cn 443
myknoxapk.blob.core.chinacloudapi.cn 80, 443
